12-Security Command Reference

H3C MSR Router Series Comware 7 Command References-R0615-6W203

Contents

AAA commands 1
  General AAA commands 1
    aaa nas-id profile 1
    aaa session-id mode 2
    aaa session-limit 2
    accounting advpn 3
    accounting command 4
    accounting default 5
    accounting ipoe 6
    accounting lan-access 8
    accounting login 9
    accounting portal 10
    accounting ppp 12
    accounting quota-out 13
    accounting sslvpn 14
    accounting start-fail 15
    accounting update-fail 16
    authentication advpn 16
    authentication default 17
    authentication ike 19
    authentication ipoe 20
    authentication lan-access 21
    authentication login 22
    authentication portal 23
    authentication ppp 24
    authentication sslvpn 25
    authentication super 27
    authorization advpn 28
    authorization command 29
    authorization default 30
    authorization ike 31
    authorization ipoe 32
    authorization lan-access 33
    authorization login 34
    authorization portal 36
    authorization ppp 37
    authorization sslvpn 38
    authorization-attribute (ISP domain view) 39
    basic-service-ip-type 42
    dhcpv6-follow-ipv6cp 42
    display domain 43
    domain 47
    domain default enable 48
    domain if-unknown 49
    nas-id 50
    nas-id bind vlan 51
    service-type (ISP domain view) 51
    session-time include-idle-time 52
    state (ISP domain view) 53
    user-address-type 54
  Local user commands 55
    access-limit 55
    authorization-attribute (local user view/user group view) 55
    bind-attribute 58
    company 60
    description 60
    display local-guest waiting-approval 61
    display local-user 62
    display user-group 66
    email 67
    full-name 68
    group 69
    local-guest auto-delete enable 69
    local-guest email format 70
    local-guest email sender 71
    local-guest email smtp-server 71
    local-guest generate 72
    local-guest manager-email 73
    local-guest send-email 74
    local-guest timer 75
    local-user 75
    local-user-export class network guest 77
    local-user-import class network guest 78
    password (device management user view) 80
    password (network access user view) 81
    phone 81
    reset local-guest waiting-approval 82
    service-type (local user view) 82
    sponsor-department 84
    sponsor-email 84
    sponsor-full-name 85
    state (local user view) 85
    user-group 86
    validity-datetime 87
  RADIUS commands 88
    aaa device-id 88
    accounting-on enable 88
    accounting-on extended 89
    attribute 15 check-mode 90
    attribute 25 car 91
    attribute 31 mac-format 91
    attribute convert (RADIUS DAS view) 92
    attribute convert (RADIUS scheme view) 93
    attribute reject (RADIUS DAS view) 94
    attribute reject (RADIUS scheme view) 95
    attribute remanent-volume 96
    attribute translate 97
    attribute vendor-id 2011 version 98
    client 98
    data-flow-format (RADIUS scheme view) 100
    display radius scheme 100
    display radius statistics 103
    key (RADIUS scheme view) 104
    nas-ip (RADIUS scheme view) 105
    port 106
    primary accounting (RADIUS scheme view) 107
    primary authentication (RADIUS scheme view) 109
    radius attribute extended 110
    radius dscp 111
    radius dynamic-author server 112
    radius nas-ip 113
    radius scheme 114
    radius session-control client 114
    radius session-control enable 116
    radius-server test-profile 116
    reset radius statistics 117
    retry 117
    retry realtime-accounting 118
    secondary accounting (RADIUS scheme view) 119
    secondary authentication (RADIUS scheme view) 121
    snmp-agent trap enable radius 123
    state primary 124
    state secondary 125
    timer quiet (RADIUS scheme view) 126
    timer realtime-accounting (RADIUS scheme view) 126
    timer response-timeout (RADIUS scheme view) 127
    user-name-format (RADIUS scheme view) 128
    vpn-instance (RADIUS scheme view) 129
  HWTACACS commands 130
    data-flow-format (HWTACACS scheme view) 130
    display hwtacacs scheme 131
    hwtacacs nas-ip 136
    hwtacacs scheme 138
    key (HWTACACS scheme view) 138
    nas-ip (HWTACACS scheme view) 139
    primary accounting (HWTACACS scheme view) 140
    primary authentication (HWTACACS scheme view) 142
    primary authorization 143
    reset hwtacacs statistics 145
    secondary accounting (HWTACACS scheme view) 145
    secondary authentication (HWTACACS scheme view) 147
    secondary authorization 148
    timer quiet (HWTACACS scheme view) 150
    timer realtime-accounting (HWTACACS scheme view) 150
    timer response-timeout (HWTACACS scheme view) 151
    user-name-format (HWTACACS scheme view) 152
    vpn-instance (HWTACACS scheme view) 153
  LDAP commands 154
    attribute-map 154
    authentication-server 154
    authorization-server 155
    display ldap scheme 156
    group-filter 158
    ip 158
    ipv6 159
    ldap attribute-map 160
    ldap scheme 161
    ldap server 161
    login-dn 162
    login-password 163
    map 163
    protocol-version 164
    search-base-dn 165
    search-scope 166
    server-timeout 166
    user-parameters 167
802.1X commands 169
    display dot1x 169
    display dot1x connection 174
    dot1x 179
    dot1x authentication-method 179
    dot1x auth-fail vlan 181
    dot1x critical vlan 181
    dot1x domain-delimiter 182
    dot1x ead-assistant enable 183
    dot1x ead-assistant free-ip 184
    dot1x ead-assistant url 185
    dot1x guest-vlan 186
    dot1x handshake 187
    dot1x handshake reply enable 188
    dot1x handshake secure 188
    dot1x mandatory-domain 189
    dot1x max-user 190
    dot1x multicast-trigger 190
    dot1x port-control 191
    dot1x port-method 192
    dot1x quiet-period 193
    dot1x re-authenticate 193
    dot1x re-authenticate server-unreachable keep-online 194
    dot1x retry 195
    dot1x smarton 195
    dot1x smarton password 196
    dot1x smarton retry 197
    dot1x smarton switchid 198
    dot1x smarton timer supp-timeout 198
    dot1x timer 199
    dot1x unicast-trigger 201
    reset dot1x guest-vlan 202
    reset dot1x statistics 202
MAC authentication commands 204
    display mac-authentication 204
    display mac-authentication connection 208
    mac-authentication 212
    mac-authentication domain 213
    mac-authentication host-mode 214
    mac-authentication max-user 215
    mac-authentication re-authenticate server-unreachable keep-online 215
    mac-authentication timer 216
    mac-authentication timer auth-delay 217
    mac-authentication user-name-format 218
    reset mac-authentication statistics 219
Port security commands 221
    display port-security 221
    display port-security mac-address block 224
    display port-security mac-address security 228
    port-security authorization ignore 229
    port-security authorization-fail offline 230
    port-security enable 231
    port-security intrusion-mode 231
    port-security mac-address aging-type inactivity 232
    port-security mac-address dynamic 233
    port-security mac-address security 234
    port-security mac-move permit 235
    port-security max-mac-count 236
    port-security nas-id-profile 237
    port-security ntk-mode 238
    port-security oui 239
    port-security port-mode 239
    port-security timer autolearn aging 242
    port-security timer disableport 242
    snmp-agent trap enable port-security 243
Portal commands 245
    aaa-fail nobinding enable 245
    aging-time 246
    app-id (Facebook authentication server view) 247
    app-id (QQ authentication server view) 247
    app-id (WeChat authentication server view) 248
    app-key (Facebook authentication server view) 249
    app-key (QQ authentication server view) 250
    app-key (WeChat authentication server view) 251
    app-secret 252
    authentication-timeout 253
    auth-url 253
    binding-retry 254
    captive-bypass enable 255
    cloud-binding enable 256
    cloud-server url 257
    default-logon-page 258
    display portal 259
    display portal auth-error-record 264
    display portal auth-fail-record 267
    display portal captive-bypass statistics 270
    display portal dns free-rule-host 271
    display portal extend-auth-server 272
    display portal local-binding mac-address 273
    display portal logout-record 274
    display portal mac-trigger user 277
    display portal mac-trigger-server 278
    display portal packet statistics 280
    display portal permit-rule statistics 286
    display portal redirect statistics 286
    display portal rule 287
    display portal safe-redirect statistics 298
    display portal server 300
    display portal user 301
    display portal user count 316
    display portal web-server 317
    display web-redirect rule 318
    exclude-attribute (MAC binding server view) 321
    exclude-attribute (portal authentication server view) 323
    free-traffic threshold 324
    if-match 325
    if-match temp-pass 327
    ip (MAC binding server view) 329
    ip (portal authentication server view) 330
    ipv6 (portal authentication server view) 331
    local-binding aging-time 332
    local-binding enable 333
    logon-page bind 333
    logout-notify 335
    mail-domain-name 336
    mail-protocol 337
    nas-port-type 337
    port (MAC binding server view) 338
    port (portal authentication server view) 339
    portal { bas-ip | bas-ipv6 } 339
    portal { ipv4-max-user | ipv6-max-user } 341
    portal apply mac-trigger-server 342
    portal apply web-server 342
    portal auth-error-record enable 344
    portal auth-error-record export 344
    portal auth-error-record max 346
    portal auth-fail-record enable 347
    portal auth-fail-record export 348
    portal auth-fail-record max 349
    portal authorization strict-checking 350
    portal captive-bypass optimize delay 351
    portal client-gateway interface 352
    portal client-traffic-report interval 352
    portal delete-user 353
    portal device-id 355
    portal domain 356
    portal dual-stack enable 357
    portal dual-stack traffic-separate enable 358
    portal enable 359
    portal extend-auth domain 360
    portal extend-auth-server 361
    portal fail-permit server 362
    portal fail-permit web-server 363
    portal forbidden-rule 364
    portal free-all except destination 365
    portal free-rule 366
    portal free-rule description 368
    portal free-rule destination 368
    portal free-rule source 369
    portal host-check enable 371
    portal ipv6 free-all except destination 372
    portal ipv6 layer3 source 373
    portal ipv6 user-detect 374
    portal layer3 source 375
    portal local-web-server 376
    portal logout-record enable 377
    portal logout-record export 378
    portal logout-record max 380
    portal mac-trigger-server 381
    portal max-user 381
    portal nas-id profile 382
    portal nas-port-id format 383
    portal nas-port-type 385
    portal oauth user-sync interval 387
    portal outbound-filter enable 387
    portal pre-auth domain 388
    portal packet log enable 389
    portal pre-auth ip-pool 390
    portal redirect log enable 391
    portal refresh enable 392
    portal roaming enable 392
    portal safe-redirect enable 393
    portal safe-redirect forbidden-file 394
    portal safe-redirect forbidden-url 394
    portal safe-redirect method 395
    portal safe-redirect user-agent 396
    portal server 397
    portal temp-pass enable 398
    portal traffic-accounting disable 399
    portal traffic-backup threshold 399
    portal user-detect 400
    portal user-dhcp-only 401
    portal user-logoff after-client-offline enable 402
    portal user log enable 403
    portal web-server 404
    redirect-url 405
    reset portal auth-error-record 406
    reset portal auth-fail-record 407
    reset portal captive-bypass statistics 408
    reset portal local-binding mac-address 409
    reset portal logout-record 409
    reset portal packet statistics 410
    reset portal redirect statistics 411
    reset portal safe-redirect statistics 412
    server-detect (portal authentication server view) 413
    server-detect (portal Web server view) 414
    server-register 414
    server-type (MAC binding server view) 415
    server-type (portal server view/portal Web server view) 416
    shop-id 417
    subscribe-required enable 418
    tcp-port 418
    url 419
    url-parameter 420
    user-agent 422
    user-password modify enable 423
    user-sync 423
    version 424
    vpn-instance 425
    web-redirect track 425
    web-redirect url 426
User profile commands 429
    display user-profile 430
    user-profile 434
Password control commands 435
    display password-control 435
    display password-control blacklist 436
    password-control { aging | composition | history | length } enable 437
    password-control aging 438
    password-control alert-before-expire 440
    password-control complexity 440
    password-control composition 441
    password-control enable 443
    password-control expired-user-login 444
    password-control history 445
    password-control length 446
    password-control login idle-time 447
    password-control login-attempt 448
    password-control super aging 450
    password-control super composition 450
    password-control super length 451
    password-control update-interval 452
    reset password-control blacklist 453
    reset password-control history-record 453
Keychain commands 455
    accept-lifetime utc 455
    authentication-algorithm 456
    display keychain 456
    key 458
    keychain 458
    key-string 459
    send-lifetime utc 460
Public key management commands 462
    display public-key local public 462
    display public-key peer 467
    peer-public-key end 468
    public-key local create 469
    public-key local destroy 474
    public-key local export dsa 476
    public-key local export ecdsa 478
    public-key local export rsa 479
    public-key local export sm2 481
    public-key peer 483
    public-key peer import sshkey 484
PKI commands 486
    attribute 486
    ca identifier 487
    certificate request entity 488
    certificate request from 489
    certificate request mode 489
    certificate request polling 491
    certificate request url 492
    common-name 492
    country 493
    crl check 493
    crl url 494
    display pki certificate access-control-policy 495
    display pki certificate attribute-group 496
    display pki certificate domain 497
    display pki certificate renew-status 502
    display pki certificate request-status 503
    display pki crl domain 505
    fqdn 506
    ip 507
    ldap-server 508
    locality 509
    organization 509
    organization-unit 510
    pkcs7-encryption-algorithm 510
    pki abort-certificate-request 512
    pki certificate access-control-policy 513
    pki certificate attribute-group 513
    pki delete-certificate 514
    pki domain 516
    pki entity 516
    pki export 517
    pki import 524
    pki request-certificate 528
    pki retrieve-certificate 529
    pki retrieve-crl 531
    pki storage 532
    pki validate-certificate 533
    public-key dsa 535
    public-key ecdsa 536
    public-key rsa 537
    public-key sm2 538
    root-certificate fingerprint 540
    rule 542
    source 543
    state 544
    subject-dn 544
    usage 545
    vpn-instance 546
IPsec commands 547
    ah authentication-algorithm 547
    description 548
    display ipsec { ipv6-policy | policy } 549
    display ipsec { ipv6-policy-template | policy-template } 554
    display ipsec profile 556
    display ipsec sa 558
    display ipsec statistics 562
    display ipsec transform-set 564
    display ipsec tunnel 565
    encapsulation-mode 568
    esn enable 569
    esp authentication-algorithm 570
    esp encryption-algorithm 571
    ike-profile 574
    ikev2-profile 575
    ipsec { ipv6-policy | policy } 575
    ipsec { ipv6-policy | policy } isakmp template 577
    ipsec { ipv6-policy | policy } local-address 578
    ipsec { ipv6-policy-template | policy-template } 579
    ipsec anti-replay check 580
    ipsec anti-replay window 581
    ipsec apply 582
    ipsec decrypt-check enable 582
    ipsec df-bit 583
    ipsec fragmentation 584
    ipsec global-df-bit 584
    ipsec limit max-tunnel 585
    ipsec logging negotiation enable 586
    ipsec logging packet enable 586
    ipsec profile 587
    ipsec redundancy enable 588
    ipsec sa global-duration 588
    ipsec sa global-soft-duration buffer 589
    ipsec sa idle-time 590
    ipsec transform-set 591
    local-address 592
    pfs 593
    protocol 594
    qos pre-classify 594
    redundancy replay-interval 595
    remote-address 596
    reset ipsec sa 597
    reset ipsec statistics 598
    reverse-route dynamic 599
    reverse-route preference 600
    reverse-route tag 601
    sa duration 602
    sa hex-key authentication 603
    sa hex-key encryption 604
    sa idle-time 605
    sa soft-duration buffer 606
    sa spi 607
    sa string-key 608
    sa trigger-mode 609
    security acl 610
    snmp-agent trap enable ipsec 611
    tfc enable 612
    transform-set 613
    tunnel protection ipsec 614
IKE commands 616
    aaa authorization 616
    authentication-algorithm 617
    authentication-method 618
    certificate domain 620
    client-authentication 621
    description 622
    dh 622
    display ike proposal 623
    display ike sa 624
    display ike statistics 628
    dpd 629
    encryption-algorithm 630
    exchange-mode 632
    ike address-group 633
    ike compatible-sm4 enable 634
    ike dpd 635
    ike identity 636
    ike invalid-spi-recovery enable 637
    ike keepalive interval 638
    ike keepalive timeout 638
    ike keychain 639
    ike limit 640
    ike logging negotiation enable 641
    ike nat-keepalive 641
    ike profile 642
    ike proposal 642
    ike signature-identity from-certificate 643
    inside-vpn 644
    keychain 645
    local-identity 645
    match local address (IKE keychain view) 646
    match local address (IKE profile view) 647
    match remote 648
    pre-shared-key 650
    priority (IKE keychain view) 651
    priority (IKE profile view) 652
    proposal 652
    reset ike sa 653
    reset ike statistics 654
    sa duration 654
    sa soft-duration buffer 655
    snmp-agent trap enable ike 656
IKEv2 commands 658
    aaa authorization 658
    address 659
    authentication-method 659
    certificate domain 661
    config-exchange 662
    dh 663
    display ikev2 policy 664
    display ikev2 profile 665
    display ikev2 proposal 666
    display ikev2 sa 667
    display ikev2 statistics 671
    dpd 672
    encryption 673
    hostname 674
    identity 675
    identity local 676
    ikev2 address-group 677
    ikev2 cookie-challenge 677
    ikev2 dpd 678
    ikev2 ipv6-address-group 679
    ikev2 keychain 680
    ikev2 nat-keepalive 680
    ikev2 policy 681
    ikev2 profile 682
    ikev2 proposal 683
    inside-vrf 684
    integrity 685
    keychain 685
    match local (IKEv2 profile view) 686
    match local address (IKEv2 policy view) 687
    match remote 688
    match vrf (IKEv2 policy view) 689
    match vrf (IKEv2 profile view) 690
    nat-keepalive 691
    peer 692
    pre-shared-key 692
    prf 694
    priority (IKEv2 policy view) 695
    priority (IKEv2 profile view) 696
    proposal 696
    reset ikev2 sa 697
    reset ikev2 statistics 698
    sa duration 698
Group domain VPN commands 700
    client anti-replay window 700
    client registration 701
    client rekey encryption 702
    client transform-sets 703
    display gdoi gm 704
    display gdoi gm acl 708
    display gdoi gm anti-replay 709
    display gdoi gm ipsec sa 710
    display gdoi gm members 711
    display gdoi gm pubkey 712
    display gdoi gm rekey 713
    gdoi gm group 714
    group 715
    identity 716
    reset gdoi gm 717
    server address 717
SSH commands 719
  SSH server commands 719
    display ssh server 719
    display ssh user-information 721
    scp server enable 722
    sftp server enable 723
    sftp server idle-timeout 723
    ssh ip alias 724
    ssh redirect disconnect 725
    ssh redirect enable 726
    ssh redirect listen-port 727
    ssh redirect timeout 729
    ssh server acl 730
    ssh server acl-deny-log enable 731
    ssh server authentication-retries 732
    ssh server authentication-timeout 733
    ssh server compatible-ssh1x enable 733
    ssh server dscp 734
    ssh server enable 734
    ssh server ipv6 acl 735
    ssh server ipv6 dscp 736
    ssh server pki-domain 736
    ssh server port 737
    ssh server rekey-interval 738
    ssh user 739
  SSH client commands 741
    bye 741
    cd 741
    cdup 742
    delete 742
    dir 743
    display sftp client source 744
    display ssh client source 744
    exit 745
    get 745
    help 746
    ls 746
    mkdir 747
    put 748
    pwd 748
    quit 749
    remove 749
    rename 749
    rmdir 750
    scp 750
    scp ipv6 753
    scp ipv6 suite-b 756
    scp suite-b 758
    sftp 759
    sftp client ipv6 source 762
    sftp client source 763
    sftp ipv6 763
    sftp ipv6 suite-b 766
    sftp suite-b 768
    ssh client ipv6 source 769
    ssh client source 770
    ssh2 771
    ssh2 ipv6 774
    ssh2 ipv6 suite-b 777
    ssh2 suite-b 778
  SSH2 commands 780
    display ssh2 algorithm 780
    ssh2 algorithm cipher 781
    ssh2 algorithm key-exchange 782
    ssh2 algorithm mac 783
    ssh2 algorithm public-key 784
SSL commands 786
    certificate-chain-sending enable 786
    ciphersuite 787
    client-verify 789
    display ssl client-policy 790
    display ssl server-policy 791
    pki-domain 792
    prefer-cipher 793
    server-verify enable 795
    session 796
    ssl client-policy 796
    ssl renegotiation disable 797
    ssl server-policy 798
    ssl version disable 798
    version 799
    version disable 800
SSL VPN commands 802
    aaa domain 802
    authentication use 803
    bandwidth 804
    certificate-authentication enable 804
    content-type 805
    default 806
    default-policy-group 806
    description (shortcut view) 807
    description (SSL VPN AC interface view) 808
    display interface sslvpn-ac 808
    display sslvpn context 811
    display sslvpn gateway 814
    display sslvpn ip-tunnel statistics 816
    display sslvpn policy-group 817
    display sslvpn port-forward connection 818
    display sslvpn session 819
    dynamic-password enable 822
    emo-server 822
    exclude 823
    execution (port forwarding item view) 824
    execution (shortcut view) 825
    file-policy 825
    filter ip-tunnel acl 826
    filter ip-tunnel uri-acl 827
    filter tcp-access acl 828
    filter tcp-access uri-acl 829
    filter web-access acl 830
    filter web-access uri-acl 831
    force-logout 832
    force-logout max-onlines enable 833
    gateway 833
    heading 834
    http-redirect 835
    idle-cut traffic-threshold 836
    include 836
    interface sslvpn-ac 837
    ip address 838
    ip-route-list 839
    ip-tunnel access-route 839
    ip-tunnel address-pool 840
    ip-tunnel dns-server 841
    ip-tunnel interface 842
    ip-tunnel keepalive 842
    ip-tunnel log connection-close 843
    ip-tunnel wins-server 844
    ipv6 address 844
    local-port 845
    log enable user-log 846
    log resource-access enable 847
    log resource-access enable 848
    log user-login enable 848
    login-message 849
    logo 849
    max-onlines 850
    max-users 851
    message-server 851
    mtu 852
    new-content 853
    old-content 853
    password-authentication enable 854
    policy-group 855
    port-forward 855
    port-forward-item 856
    reset counters interface sslvpn-ac 857
    reset sslvpn ip-tunnel statistics 858
    resources port-forward 858
    resources port-forward-item 859
    resources shortcut 860
    resources shortcut-list 860
    resources url-list 861
    rewrite-rule 862
    rule 862
    service enable (SSL VPN context view) 864
    service enable (SSL VPN gateway view) 865
    session-connections 865
    shortcut 866
    shortcut-list 866
    shutdown 867
    sms-imc address 867
    sms-imc enable 868
    ssl client-policy 869
    ssl server-policy 870
    sslvpn context 870
    sslvpn gateway 871
    sslvpn ip address-pool 872
    sslvpn log enable 873
    timeout idle 873
    title 874
    uri-acl 874
    url (file policy view) 875
    url (URL list view) 876
    url-list 877
    verify-code 878
    vpn-instance (SSL VPN context view) 879
    vpn-instance (SSL VPN gateway view) 879
ASPF commands 881
    aspf apply policy (interface view) 881
    aspf apply policy (zone pair view) 882
    aspf icmp-error reply 883
    aspf policy 883
    detect 884
    display aspf all 885
    display aspf interface 887
    display aspf policy 887
    display aspf session 888
    icmp-error drop 894
    reset aspf session 895
    tcp syn-check 895
APR commands 897
    app-group 897
    application statistics enable 898
    apr set detectlen 899
    apr signature auto-update 900
    apr signature auto-update-now 901
    apr signature rollback 902
    apr signature update 903
    copy app-group 905
    description (application group view) 906
    description (NBAR rule view) 906
    destination 907
    direction 908
    disable 909
    display app-group 910
    display application 912
    display application statistics 915
    display application statistics top 917
    display apr signature information 919
    display port-mapping pre-defined 920
    display port-mapping user-defined 921
    include application 922
    nbar application 923
    override-current 924
    port-mapping 925
    port-mapping acl 926
    port-mapping host 927
    port-mapping subnet 928
    reset application statistics 930
    service-port 930
    signature 931
    source 933
    update schedule 934
Session management commands 936
    display session aging-time application 936
    display session aging-time state 937
    display session relation-table 938
    display session statistics 941
    display session statistics ipv4 946
    display session statistics ipv6 948
    display session statistics multicast 951
    display session table ipv4 952
    display session table ipv6 958
    display session table multicast ipv4 962
    display session table multicast ipv6 968
    reset session relation-table 975
    reset session statistics 976
    reset session statistics multicast 976
    reset session table 977
    reset session table ipv4 978
    reset session table ipv6 979
    reset session table multicast 980
    reset session table multicast ipv4 981
    reset session table multicast ipv6 982
    session aging-time application 984
    session aging-time state 986
    session log { bytes-active | packets-active } 987
    session log enable 988
    session log flow-begin 989
    session log flow-end 990
    session log time-active 990
    session persistent acl 991
    session state-machine mode loose 992
    session statistics enable 992
Connection limit commands 994
    connection-limit 994
    connection-limit apply 995
    connection-limit apply global 996
    description 996
    display connection-limit 997
    display connection-limit ipv6-stat-nodes 1000
    display connection-limit statistics 1004
    display connection-limit stat-nodes 1005
    limit 1010
    reset connection-limit statistics 1013
Object group commands 1015
    description 1015
    display object-group 1015
    network (IPv4 address object group view) 1017
    network (IPv6 address object group view) 1019
    network exclude 1021
    object-group 1022
    object-group rename 1023
    port (port object group view) 1024
    security-zone 1026
    service (service object group view) 1026
Object policy commands 1029
    accelerate 1029
    description 1030
    display object-policy accelerate 1031
    display object-policy ip 1032
    display object-policy ipv6 1033
    display object-policy statistics zone-pair security 1034
    display object-policy zone-pair security 1035
    move rule 1035
    object-policy apply ip 1036
    object-policy apply ipv6 1037
    object-policy ip 1038
    object-policy ipv6 1038
    reset object-policy statistics 1039
    rule (IPv4 object policy view) 1040
    rule (IPv6 object policy view) 1042
    rule append 1044
    rule comment 1046
Attack detection and prevention commands 1047
    ack-flood action 1047
    ack-flood detect 1048
    ack-flood detect non-specific 1049
    ack-flood threshold 1050
    attack-defense apply policy 1050
    attack-defense local apply policy 1051
    attack-defense login reauthentication-delay 1052
    attack-defense policy 1053
    attack-defense signature log non-aggregate 1053
    attack-defense top-attack-statistics enable 1054
    blacklist enable 1055
    blacklist global enable 1055
    blacklist ip 1056
    blacklist ipv6 1057
    blacklist logging enable 1058
    blacklist object-group 1059
    client-verify dns enable 1060
    client-verify http enable 1060
    client-verify protected ip 1061
    client-verify protected ipv6 1062
    client-verify tcp enable 1063
    display attack-defense flood statistics ip 1064
    display attack-defense flood statistics ipv6 1067
    display attack-defense policy 1070
    display attack-defense policy ip 1075
    display attack-defense policy ipv6 1077
    display attack-defense scan attacker ip 1080
    display attack-defense scan attacker ipv6 1082
    display attack-defense scan victim ip 1084
    display attack-defense scan victim ipv6 1087
    display attack-defense statistics interface 1089
    display attack-defense statistics local 1094
    display attack-defense top-attack-statistics 1100
    display blacklist ip 1101
    display blacklist ipv6 1103
    display client-verify protected ip 1105
    display client-verify protected ipv6 1110
    display client-verify trusted ip 1114
    display client-verify trusted ipv6 1118
    display whitelist object-group 1122
    dns-flood action 1123
    dns-flood detect 1124
    dns-flood detect non-specific 1125
    dns-flood port 1126
    dns-flood threshold 1126
    exempt acl 1127
    fin-flood action 1128
    fin-flood detect 1129
    fin-flood detect non-specific 1130
    fin-flood threshold 1131
    http-flood action 1132
    http-flood detect 1133
    http-flood detect non-specific 1134
    http-flood port 1134
    http-flood threshold 1135
    icmp-flood action 1136
    icmp-flood detect ip 1137
    icmp-flood detect non-specific 1138
    icmp-flood threshold 1138
    icmpv6-flood action 1139
    icmpv6-flood detect ipv6 1140
    icmpv6-flood detect non-specific 1141
    icmpv6-flood threshold 1141
    reset attack-defense policy flood 1142
    reset attack-defense statistics interface 1143
    reset attack-defense statistics local 1143
    reset attack-defense top-attack-statistics 1144
    reset blacklist ip 1144
    reset blacklist ipv6 1145
    reset blacklist statistics 1145
    reset client-verify protected statistics 1146
    reset client-verify trusted 1146
    reset whitelist statistics 1147
    rst-flood action 1147
    rst-flood detect 1148
    rst-flood detect non-specific 1149
    rst-flood threshold 1150
    scan detect 1151
    signature { large-icmp | large-icmpv6 } max-length 1153
    signature detect 1153
    signature level action 1156
    signature level detect 1157
    syn-ack-flood action 1158
    syn-ack-flood detect 1159
    syn-ack-flood detect non-specific 1160
    syn-ack-flood threshold 1161
    syn-flood action 1161
    syn-flood detect 1162
    syn-flood detect non-specific 1163
    syn-flood threshold 1164
    threshold-learn apply 1165
    threshold-learn auto-apply enable 1165
    threshold-learn duration 1166
    threshold-learn enable 1167
    threshold-learn interval 1168
    threshold-learn mode 1168
    threshold-learn tolerance-value 1169
    udp-flood action 1170
    udp-flood detect 1171
    udp-flood detect non-specific 1172
    udp-flood threshold 1172
    whitelist enable 1173
    whitelist global enable 1174
    whitelist object-group 1174
IP source guard commands 1176
    display ip source binding 1177
    display ipv6 source binding 1179
    ip source binding (interface view) 1181
    ip verify source 1182
    ipv6 source binding (interface view) 1183
    ipv6 verify source 1184
ARP attack protection commands 1186
  Unresolvable IP attack protection commands 1186
    arp resolving-route enable 1186
    arp resolving-route probe-count 1187
    arp resolving-route probe-interval 1187
    arp source-suppression enable 1188
    arp source-suppression limit 1188
    display arp source-suppression 1189
  Source MAC-based ARP attack detection commands 1190
    arp source-mac 1190
    arp source-mac aging-time 1190
    arp source-mac exclude-mac 1191
    arp source-mac threshold 1191
    display arp source-mac 1192
  ARP packet source MAC consistency check commands 1193
    arp valid-check enable 1193
  ARP active acknowledgement commands 1193
    arp active-ack enable 1193
  Authorized ARP commands 1194
    arp authorized enable 1194
  ARP attack detection commands 1195
    arp detection enable 1195
    arp detection rule 1195
    arp detection trust 1197
    arp detection validate 1197
    arp restricted-forwarding enable 1198
    display arp detection 1198
    display arp detection statistics 1199
    reset arp detection statistics 1200
  ARP scanning and fixed ARP commands 1200
    arp fixup 1200
    arp scan 1201
  ARP gateway protection commands 1202
    arp filter source 1202
  ARP filtering commands 1203
    arp filter binding 1203
IPv4 uRPF commands 1205
    display ip urpf 1205
    ip urpf 1206
IPv6 uRPF commands 1208
    display ipv6 urpf 1208
    ipv6 urpf 1209
Crypto engine commands 1211
    display crypto-engine 1211
    display crypto-engine statistics 1213
    reset crypto-engine statistics 1216
FIPS commands 1218
    display crypto version 1218
    display fips status 1219
    fips mode enable 1219
    fips self-test 1221
mGRE commands 1224
    display mgre session 1224
    display nhrp map 1227
    display nhrp statistics 1228
    nhrp authentication 1230
    nhrp holdtime 1230
    nhrp network-id 1231
    nhrp nhs 1232
    reset mgre session 1232
    reset mgre statistics 1233
    reset nhrp statistics 1234
Index 1235


AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

General AAA commands

aaa nas-id profile

Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing NAS-ID profile.

Use undo aaa nas-id profile to delete a NAS-ID profile.

Syntax

aaa nas-id profile profile-name

undo aaa nas-id profile profile-name

Default

No NAS-ID profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.

During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.

You can configure a NAS-ID in NAS-ID profile view or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:

1.     NAS-ID bound with VLANs in a NAS-ID profile.

2.     NAS-ID in an ISP domain.

If no NAS-ID is selected, the device uses the device name as the NAS-ID.

Examples

# Create a NAS-ID profile named aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa]

Related commands

nas-id

nas-id bind vlan

port-security nas-id-profile

portal nas-id-profile

aaa session-id mode

Use aaa session-id mode to specify the format for attribute Acct-Session-Id.

Use undo aaa session-id mode to restore the default.

Syntax

aaa session-id mode { common | simplified }

undo aaa session-id mode

Default

The device uses the common mode for attribute Acct-Session-Id.

Views

System view

Predefined user roles

network-admin

Parameters

common: Specifies the common format for attribute Acct-Session-Id. In this format, the Acct-Session-Id attribute is a string with a minimum length of 38 characters. This string contains the prefix (indicating the access type), date and time, sequence number, LIP address of the access node, device ID, and job ID of the access process.

simplified: Specifies the simple format for attribute Acct-Session-Id. In this format, the Acct-Session-Id attribute is a string of 16 characters. This string contains the prefix (indicating the access type), month, sequence number, device ID, and LIP address of the access node.

Usage guidelines

Configure the format for attribute Acct-Session-Id to meet the requirements of the RADIUS servers.

Examples

# Specify the simple format for attribute Acct-Session-Id.

<Sysname> system-view

[Sysname] aaa session-id mode simplified

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.

Syntax

In non-FIPS mode:

aaa session-limit { ftp | http | https | ssh | telnet } max-sessions

undo aaa session-limit { ftp | http | https | ssh | telnet }

In FIPS mode:

aaa session-limit { https | ssh } max-sessions

undo aaa session-limit { https | ssh }

Default

The maximum number of concurrent users is 32 for the SSH and Telnet services.

The maximum number of concurrent users is 64 for the FTP, HTTP, and HTTPS services.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

http: HTTP users.

https: HTTPS users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range for this argument is from 1 to 32 for the SSH and Telnet services, and is from 1 to 64 for the FTP, HTTP, and HTTPS services.

Usage guidelines

When the number of concurrent login users of a type reaches the configured maximum, the system denies subsequent login attempts of that type until an existing session of that type ends.
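
The following model of the per-service limit is an added illustration and not H3C code. It checks a configured value against the ranges given in the Parameters section (1 to 32 for SSH and Telnet, 1 to 64 for FTP, HTTP and HTTPS), restricts the configurable services to https and ssh when FIPS mode is on, as the FIPS-mode syntax shows, and denies a login once the active count for a service has reached its limit. The service names and counters are assumptions made for the model.

```python
"""Model of `aaa session-limit` enforcement. Added illustration, not H3C code."""

# service -> (default limit, highest configurable value), from the command reference
SESSION_LIMITS = {
    "ssh": (32, 32),
    "telnet": (32, 32),
    "ftp": (64, 64),
    "http": (64, 64),
    "https": (64, 64),
}
# In FIPS mode the command syntax offers only these two services.
FIPS_SERVICES = ("https", "ssh")


class SessionLimiter:
    def __init__(self, fips_mode: bool = False):
        self.fips_mode = fips_mode
        self.limits = {svc: dflt for svc, (dflt, _) in SESSION_LIMITS.items()}
        self.active = {svc: 0 for svc in SESSION_LIMITS}

    def configure(self, service: str, max_sessions: int) -> None:
        """Equivalent of `aaa session-limit <service> <max-sessions>`."""
        if service not in SESSION_LIMITS:
            raise ValueError(f"unknown service {service!r}")
        if self.fips_mode and service not in FIPS_SERVICES:
            raise ValueError(f"{service} cannot be configured in FIPS mode")
        upper = SESSION_LIMITS[service][1]
        if not 1 <= max_sessions <= upper:
            raise ValueError(f"max-sessions for {service} must be 1 to {upper}")
        self.limits[service] = max_sessions

    def undo(self, service: str) -> None:
        """Equivalent of `undo aaa session-limit <service>`: restore the default."""
        self.limits[service] = SESSION_LIMITS[service][0]

    def login(self, service: str) -> bool:
        """Admit a new session of this type, or deny it when the limit is reached."""
        if self.active[service] >= self.limits[service]:
            return False
        self.active[service] += 1
        return True

    def logout(self, service: str) -> None:
        """Release a session so that a waiting user of this type can be admitted."""
        if self.active[service] > 0:
            self.active[service] -= 1
```

The point the model makes explicit is that the limit is a hard ceiling per service, not a global one: four FTP sessions do not reduce the SSH budget, and a fifth FTP login is refused rather than queued.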

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

accounting advpn

Use accounting advpn to specify accounting methods for ADVPN users.

Use undo accounting advpn to restore the default.

Syntax

In non-FIPS mode:

accounting advpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting advpn

In FIPS mode:

accounting advpn { local | radius-scheme radius-scheme-name [ local ] }

undo accounting advpn

Default

The default accounting methods of the ISP domain are used for ADVPN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for ADVPN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting advpn local

# In ISP domain test, perform RADIUS accounting for ADVPN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting advpn radius-scheme rd local

Related commands

accounting default

local-user

radius scheme

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting methods of the ISP domain are used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting feature works with the accounting server to record all valid commands that have been successfully executed on the device.

Command line accounting can use only a remote HWTACACS server.

Examples

# In ISP domain test, perform command line accounting based on HWTACACS scheme hwtac.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

accounting default

command accounting (Fundamentals Command Reference)

hwtacacs scheme

accounting default

Use accounting default to specify default accounting methods for an ISP domain.

Use undo accounting default to restore the default.

Syntax

In non-FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

In FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default accounting method is used for all users that support this method and do not have an accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting default radius-scheme radius-scheme-name local none command specifies the primary default RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default accounting method and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

accounting ipoe

Use accounting ipoe to specify accounting methods for IPoE users.

Use undo accounting ipoe to restore the default.

Syntax

In non-FIPS mode:

accounting ipoe { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting ipoe

In FIPS mode:

accounting ipoe { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo accounting ipoe

Default

The default accounting methods of the ISP domain are used for IPoE users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ipoe radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

·     The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time. If a primary server is unavailable, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for IPoE users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ipoe local

# In ISP domain test, perform RADIUS accounting for IPoE users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ipoe radius-scheme rd local

# In ISP domain test, broadcast accounting requests of IPoE users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ipoe broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

local-user

radius scheme

accounting lan-access

Use accounting lan-access to specify accounting methods for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

In non-FIPS mode:

accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

In FIPS mode:

accounting lan-access { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

Default

The default accounting methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

·     The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time. If a primary server is unavailable, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access local

# In ISP domain test, perform RADIUS accounting for LAN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

# In ISP domain test, broadcast accounting requests of LAN users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

local-user

radius scheme

accounting login

Use accounting login to specify accounting methods for login users.

Use undo accounting login to restore the default.

Syntax

In non-FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting login

In FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting login

Default

The default accounting methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting login radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login local

# In ISP domain test, perform RADIUS accounting for login users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting login radius-scheme rd local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

accounting portal

Use accounting portal to specify accounting methods for portal users.

Use undo accounting portal to restore the default.

Syntax

In non-FIPS mode:

accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting portal

In FIPS mode:

accounting portal { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo accounting portal

Default

The default accounting methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting portal radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

·     The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time. If a primary server is unavailable, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.

Examples

# In ISP domain test, perform local accounting for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal local

# In ISP domain test, perform RADIUS accounting for portal users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal radius-scheme rd local

# In ISP domain test, broadcast accounting requests of portal users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting portal broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

local-user

radius scheme

accounting ppp

Use accounting ppp to specify accounting methods for PPP users.

Use undo accounting ppp to restore the default.

Syntax

In non-FIPS mode:

accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] | hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting ppp

In FIPS mode:

accounting ppp { broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo accounting ppp

Default

The default accounting methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

broadcast: Broadcasts accounting requests to servers in RADIUS schemes.

radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name2: Specifies the backup broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

The following guidelines apply to broadcast accounting:

·     The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time. If a primary server is unavailable, the device sends accounting requests to the secondary servers of the scheme in the order the servers are configured.

·     The accounting result is determined by the primary broadcast RADIUS scheme. The accounting result from the backup scheme is used as reference only. If the primary scheme does not return any result, the device considers the accounting as a failure.
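
The broadcast accounting rules above are the same for the accounting ipoe, accounting lan-access, accounting portal and accounting ppp commands. The following model is an added illustration, not H3C code: it queries two schemes at the same time, walks each scheme's server list in configured order, takes the outcome from the primary scheme only and keeps the backup scheme's answer for reference. The server addresses and reply values are constructed sample data, and the thread pool only stands in for the device sending both requests concurrently.

```python
"""Model of broadcast accounting. Added illustration, not H3C code."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Server:
    address: str
    # None: server unavailable (no response). True/False: an Accounting-Response
    # arrived, and whether the server accepted the record.
    reply: Optional[bool]


@dataclass
class RadiusScheme:
    name: str
    servers: List[Server]  # primary server first, then secondaries in configured order


def account_via_scheme(scheme: RadiusScheme) -> Optional[Tuple[str, bool]]:
    """Try the primary server, then the secondaries in order.

    Returns (address, accepted) from the first server that answers, or None
    when no server in the scheme responds."""
    for srv in scheme.servers:
        if srv.reply is not None:
            return srv.address, srv.reply
    return None


def broadcast_accounting(primary: RadiusScheme, backup: RadiusScheme) -> dict:
    """Send the accounting request to both schemes concurrently.

    Only the primary scheme's answer decides the result; the backup answer is
    returned for reference. No answer from the primary scheme is a failure."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        primary_future = pool.submit(account_via_scheme, primary)
        backup_future = pool.submit(account_via_scheme, backup)
        primary_answer = primary_future.result()
        backup_answer = backup_future.result()

    if primary_answer is None:
        result = "failure"  # primary scheme returned nothing
    else:
        result = "success" if primary_answer[1] else "failure"
    return {
        "result": result,
        "primary": primary_answer,
        "backup_reference": backup_answer,  # informational only
    }
```

The model shows the operational consequence of the second bullet: a healthy backup scheme does not rescue a session whose primary scheme is entirely unreachable, so the `local` and `none` keywords after the two schemes are what keep users online in that case.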

Examples

# In ISP domain test, perform local accounting for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp local

# In ISP domain test, perform RADIUS accounting for PPP users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp radius-scheme rd local

# In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local

Related commands

accounting default

hwtacacs scheme

local-user

radius scheme

accounting quota-out

Use accounting quota-out to configure access control for users that have used up their data quotas.

Use undo accounting quota-out to restore the default.

Syntax

accounting quota-out { offline | online }

undo accounting quota-out

Default

The device logs off users that have used up their data quotas.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that have used up their data quotas.

online: Does not perform actions on users that have used up their data quotas.

Examples

# In ISP domain test, configure the device not to perform actions on users that have used up their data quotas.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting quota-out online

accounting sslvpn

Use accounting sslvpn to specify accounting methods for SSL VPN users.

Use undo accounting sslvpn to restore the default.

Syntax

In non-FIPS mode:

accounting sslvpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting sslvpn

In FIPS mode:

accounting sslvpn { local | radius-scheme radius-scheme-name [ local ] }

undo accounting sslvpn

Default

The default accounting methods of the ISP domain are used for SSL VPN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the accounting sslvpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS accounting method and two backup methods (local accounting and no accounting). The device performs RADIUS accounting by default and performs local accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local accounting for SSL VPN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting sslvpn local

# In ISP domain test, perform RADIUS accounting for SSL VPN users based on scheme rd and use local accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting sslvpn radius-scheme rd local

Related commands

accounting default

local-user

radius scheme

accounting start-fail

Use accounting start-fail to configure access control for users that encounter accounting-start failures.

Use undo accounting start-fail to restore the default.

Syntax

accounting start-fail { offline | online }

undo accounting start-fail

Default

The device does not perform actions on users that encounter accounting-start failures.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

offline: Logs off users that encounter accounting-start failures.

online: Does not perform actions on users that encounter accounting-start failures.

Examples

# In ISP domain test, configure the device not to perform actions on users that encounter accounting-start failures.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting start-fail online

accounting update-fail

Use accounting update-fail to configure access control for users that have failed all their accounting-update attempts.

Use undo accounting update-fail to restore the default.

Syntax

accounting update-fail { [ max-times max-times ] offline | online }

undo accounting update-fail

Default

The device does not perform actions on users that have failed all their accounting-update attempts.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

max-times max-times: Specifies the maximum number of consecutive accounting-update failures allowed by the device for each user. The value range for the max-times argument is 1 to 255, and the default value is 1.

offline: Logs off users that have failed all their accounting-update attempts.

online: Does not perform actions on users that have failed all their accounting-update attempts.

Examples

# In ISP domain test, configure the device not to perform actions on users that have failed all their accounting-update attempts.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting update-fail online
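
The three commands accounting quota-out, accounting start-fail and accounting update-fail each decide what happens to an online user on one accounting event. The following model is an added illustration, not H3C code. Its defaults follow the Default sections of the three commands (quota-out offline, start-fail online, update-fail online with max-times 1), it rejects a max-times value outside 1 to 255, and it resets the failure counter on a successful update because max-times counts consecutive failures. The session and policy objects are assumptions made for the model.

```python
"""Model of the per-domain actions on accounting events. Added illustration, not H3C code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DomainPolicy:
    quota_out: str = "offline"      # accounting quota-out default
    start_fail: str = "online"      # accounting start-fail default
    update_fail: str = "online"     # accounting update-fail default
    update_fail_max_times: int = 1  # max-times default


@dataclass
class UserSession:
    name: str
    online: bool = True
    update_failures: int = 0  # consecutive accounting-update failures


def configure_update_fail(policy: DomainPolicy, action: str,
                          max_times: Optional[int] = None) -> None:
    """Equivalent of `accounting update-fail { [ max-times N ] offline | online }`."""
    if action not in ("offline", "online"):
        raise ValueError("action must be offline or online")
    if action == "online" and max_times is not None:
        raise ValueError("max-times applies only to the offline action")
    if max_times is not None and not 1 <= max_times <= 255:
        raise ValueError("max-times must be in the range 1 to 255")
    policy.update_fail = action
    policy.update_fail_max_times = 1 if max_times is None else max_times


def on_accounting_start(policy: DomainPolicy, session: UserSession, succeeded: bool) -> bool:
    """Accounting-start result arrived; return whether the user stays online."""
    if not succeeded and policy.start_fail == "offline":
        session.online = False
    return session.online


def on_accounting_update(policy: DomainPolicy, session: UserSession, succeeded: bool) -> bool:
    """Accounting-update result arrived; log the user off only after
    max-times consecutive failures when the offline action is configured."""
    if succeeded:
        session.update_failures = 0  # a success breaks the consecutive run
        return session.online
    session.update_failures += 1
    if (policy.update_fail == "offline"
            and session.update_failures >= policy.update_fail_max_times):
        session.online = False
    return session.online


def on_quota_exhausted(policy: DomainPolicy, session: UserSession) -> bool:
    """The user's data quota is used up; return whether the user stays online."""
    if policy.quota_out == "offline":
        session.online = False
    return session.online
```

With the defaults, a lost accounting server keeps users online (start-fail and update-fail are online) while an exhausted quota still logs them off, which is the combination an operator usually wants: accounting outages are not turned into access outages, but the quota remains enforced.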

authentication advpn

Use authentication advpn to specify authentication methods for ADVPN users.

Use undo authentication advpn to restore the default.

Syntax

In non-FIPS mode:

authentication advpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication advpn

In FIPS mode:

authentication advpn { local | radius-scheme radius-scheme-name [ local ] }

undo authentication advpn

Default

The default authentication methods of the ISP domain are used for ADVPN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for ADVPN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication advpn local

# In ISP domain test, perform RADIUS authentication for ADVPN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication advpn radius-scheme rd local

Related commands

authentication default

local-user

radius scheme

authentication default

Use authentication default to specify default authentication methods for an ISP domain.

Use undo authentication default to restore the default.

Syntax

In non-FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication default

In FIPS mode:

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication default

Default

The default authentication method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authentication method is used for all users that support this method and do not have an authentication method configured.

You can specify one primary default authentication method and multiple backup default authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.
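The primary-then-backup evaluation described above, as an added Python model that is not H3C code; it also covers the identical usage guidelines of the other authentication and authorization commands in this section. It assumes that a method is invalid only when its scheme's server is unreachable, that a reachable server's reject and a failed local check are final; the scheme name rd, the users and the server verdicts are constructed.

```python
"""Constructed model of a Comware ISP-domain method list (added example, not H3C code).

Assumptions: a method is "invalid" only when its scheme's server is unreachable;
a reachable server that rejects the user, or a failed local check, is final.
"""
from dataclasses import dataclass
from typing import Optional

SCHEME_KINDS = ("radius-scheme", "hwtacacs-scheme", "ldap-scheme")


@dataclass(frozen=True)
class Method:
    kind: str                      # one of SCHEME_KINDS, "local" or "none"
    scheme: Optional[str] = None   # scheme name for scheme-based methods


def parse_method_list(args: str) -> list:
    """Parse the argument part of e.g. 'authentication login radius-scheme rd local none'
    into an ordered list: the first element is the primary method, the rest are backups."""
    tokens = args.split()
    methods = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in SCHEME_KINDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} needs a scheme name")
            name = tokens[i + 1]
            if not 1 <= len(name) <= 32:
                raise ValueError("scheme names are 1 to 32 characters")
            methods.append(Method(tok, name.lower()))  # scheme names are case-insensitive
            i += 2
        elif tok in ("local", "none"):
            methods.append(Method(tok))
            i += 1
        else:
            raise ValueError(f"unknown method keyword: {tok}")
    if not methods:
        raise ValueError("at least one method is required")
    return methods


def authenticate(methods, user, password, reachable, local_users, server_verdict):
    """Walk the list in order and return (method_that_decided, accepted).

    reachable:      scheme name -> bool, whether the scheme's server answers
    local_users:    username -> password configured on the device (constructed)
    server_verdict: scheme name -> {username: bool}, what a reachable server answers
    """
    for m in methods:
        if m.kind == "none":
            return ("none", True)  # nobody is checked: fail-open
        if m.kind == "local":
            return ("local", local_users.get(user) == password)
        if reachable.get(m.scheme, False):
            verdict = server_verdict.get(m.scheme, {}).get(user, False)
            return (f"{m.kind} {m.scheme}", verdict)
        # server unreachable: this method is invalid, try the next backup
    return ("no valid method", False)


def audit_method_list(methods):
    """Defensive review of a method list: report where users can be admitted
    unchecked or where every login fails while one server is down."""
    kinds = [m.kind for m in methods]
    findings = []
    if kinds[0] == "none":
        findings.append("primary method is none: no authentication is performed")
    elif "none" in kinds:
        findings.append("none as a backup: users are admitted unchecked "
                        "whenever the earlier methods are unreachable")
    if len(kinds) == 1 and kinds[0] in SCHEME_KINDS:
        findings.append("single remote method with no backup: "
                        "all logins fail while that server is unreachable")
    return findings


if __name__ == "__main__":
    chain = parse_method_list("radius-scheme rd local none")
    print(authenticate(chain, "alice", "pw", {"rd": False}, {"alice": "pw"}, {}))
    print(audit_method_list(chain))
```

The audit function is the review step a practitioner wants before committing a list: a trailing none turns an outage of the RADIUS or HWTACACS server into unauthenticated access.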

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authentication method and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication default radius-scheme rd local

Related commands

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication ike

Use authentication ike to specify extended authentication methods for IKE users.

Use undo authentication ike to restore the default.

Syntax

In non-FIPS mode:

authentication ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication ike

In FIPS mode:

authentication ike { local | radius-scheme radius-scheme-name [ local ] }

undo authentication ike

Default

The default authentication methods of the ISP domain are used for IKE extended authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ike radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, configure the device to perform local authentication through IKE extended authentication.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ike local

# In ISP domain test, perform IKE extended authentication based on RADIUS scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ike radius-scheme rd local

Related commands

authentication default

local-user

radius scheme

authentication ipoe

Use authentication ipoe to specify authentication methods for IPoE users.

Use undo authentication ipoe to restore the default.

Syntax

In non-FIPS mode:

authentication ipoe { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication ipoe

In FIPS mode:

authentication ipoe { local | radius-scheme radius-scheme-name [ local ] }

undo authentication ipoe

Default

The default authentication methods of the ISP domain are used for IPoE users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ipoe radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for IPoE users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ipoe local

# In ISP domain test, perform RADIUS authentication for IPoE users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ipoe radius-scheme rd local

Related commands

authentication default

local-user

radius scheme

authentication lan-access

Use authentication lan-access to specify authentication methods for LAN users.

Use undo authentication lan-access to restore the default.

Syntax

In non-FIPS mode:

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication lan-access

In FIPS mode:

authentication lan-access { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication lan-access

Default

The default authentication methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access local

# In ISP domain test, perform RADIUS authentication for LAN users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication lan-access radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication login

Use authentication login to specify authentication methods for login users.

Use undo authentication login to restore the default.

Syntax

In non-FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication login

In FIPS mode:

authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication login

Default

The default authentication methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication login radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login local

# In ISP domain test, perform RADIUS authentication for login users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication login radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

ldap scheme

local-user

radius scheme

authentication portal

Use authentication portal to specify authentication methods for portal users.

Use undo authentication portal to restore the default.

Syntax

In non-FIPS mode:

authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication portal

In FIPS mode:

authentication portal { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication portal

Default

The default authentication methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication portal radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal local

# In ISP domain test, perform RADIUS authentication for portal users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication portal radius-scheme rd local

Related commands

authentication default

ldap scheme

local-user

radius scheme

authentication ppp

Use authentication ppp to specify authentication methods for PPP users.

Use undo authentication ppp to restore the default.

Syntax

In non-FIPS mode:

authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authentication ppp

In FIPS mode:

authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authentication ppp

Default

The default authentication methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ppp local

# In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication ppp radius-scheme rd local

Related commands

authentication default

hwtacacs scheme

local-user

radius scheme

authentication sslvpn

Use authentication sslvpn to specify authentication methods for SSL VPN users.

Use undo authentication sslvpn to restore the default.

Syntax

In non-FIPS mode:

authentication sslvpn { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authentication sslvpn

In FIPS mode:

authentication sslvpn { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authentication sslvpn

Default

The default authentication methods of the ISP domain are used for SSL VPN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authentication.

none: Does not perform authentication.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authentication method and multiple backup authentication methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication sslvpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid. The device does not perform authentication when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authentication for SSL VPN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication sslvpn local

# In ISP domain test, perform LDAP authentication for SSL VPN users based on scheme ldp and use local authentication as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authentication sslvpn ldap-scheme ldp local

Related commands

authentication default

ldap scheme

local-user

radius scheme

authentication super

Use authentication super to specify methods for user role authentication.

Use undo authentication super to restore the default.

Syntax

authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name } *

undo authentication super

Default

The default authentication methods of the ISP domain are used for user role authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one authentication method and one backup authentication method to use in case the previous authentication method is invalid.

If you specify a scheme to provide the method for user role authentication, the following rules apply:

·     If an HWTACACS scheme is specified, the device uses the entered username for role authentication. The username must already exist on the HWTACACS server and represents the highest user level that the user can obtain. For example, for a user named test to obtain the level-3 user role, the device uses the string test@domain-name or test for role authentication, depending on whether the domain name is required.

·     If a RADIUS scheme is specified, the device uses the username $enabn$ on the RADIUS server for role authentication, regardless of the user's login username. The variable n represents a user role level. For example, to obtain the level-3 user role, the device uses the username string $enab3$.

For more information about user role authentication, see Fundamentals Configuration Guide.

Examples

# In ISP domain test, perform user role authentication based on HWTACACS scheme tac.

<Sysname> system-view

[Sysname] super authentication-mode scheme

[Sysname] domain test

[Sysname-isp-test] authentication super hwtacacs-scheme tac

Related commands

authentication default

hwtacacs scheme

radius scheme

authorization advpn

Use authorization advpn to specify authorization methods for ADVPN users.

Use undo authorization advpn to restore the default.

Syntax

In non-FIPS mode:

authorization advpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization advpn

In FIPS mode:

authorization advpn { local | radius-scheme radius-scheme-name [ local ] }

undo authorization advpn

Default

The default authorization methods of the ISP domain are used for ADVPN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization advpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for ADVPN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization advpn local

# In ISP domain test, perform RADIUS authorization for ADVPN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization advpn radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization command

Use authorization command to specify command authorization methods.

Use undo authorization command to restore the default.

Syntax

In non-FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] [ none ] | local [ none ] | none }

undo authorization command

In FIPS mode:

authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }

undo authorization command

Default

The default authorization methods of the ISP domain are used for command authorization.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. No authorization server verifies whether the entered commands are permitted; a command is executed if the user role has access permission for it.

Usage guidelines

Command authorization restricts login users to executing only authorized commands: an authorization server verifies whether each entered command is permitted.

When local command authorization is configured, the device compares each entered command with the user's configuration on the device. The command is executed only when it is permitted by the user's authorized user role.

The commands that a user can execute are controlled by both the access permission of the user roles and command authorization by the authorization server. Access permission controls only whether the authorized user roles have access to the entered commands; it does not control whether the commands have been authorized by the server. A command that is permitted by the access permission but denied by command authorization cannot be executed.

You can specify one primary command authorization method and multiple backup command authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization command hwtacacs-scheme hwtacacs-scheme-name local none command specifies a primary HWTACACS authorization method and two backup methods (local authorization and no authorization). The device performs HWTACACS authorization by default and performs local authorization when the HWTACACS server is invalid. The device does not perform command authorization when both of the previous methods are invalid.
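The two gates described above (role access permission, then command authorization through the method list), as an added Python model that is not H3C code. It assumes an HWTACACS scheme is invalid only when its server is unreachable, a reachable server's deny is final, and a list with no valid method denies the command; the scheme name hwtac, the role permissions and the server verdicts are constructed.

```python
"""Constructed model of Comware command authorization (added example, not H3C code).

Two gates decide whether an entered command runs: the access permission of the
user's authorized role, then the command authorization method list.  Assumptions:
an HWTACACS scheme is invalid only when its server is unreachable, a reachable
server's deny is final, and a list with no valid method denies the command.
"""
from typing import Tuple

# A role's access permission, modelled as the command prefixes it may execute
# (constructed; real RBAC rules are richer than prefixes).
ROLE_PERMISSIONS = {
    "network-operator": ("display ", "ping ", "tracert "),
    "network-admin": ("",),  # the empty prefix matches every command
}


def role_permits(role: str, command: str) -> bool:
    """Gate 1: does the authorized user role have access to the command?"""
    return any(command.startswith(p) for p in ROLE_PERMISSIONS.get(role, ()))


def command_authorized(command, role, methods, reachable, server_verdict) -> Tuple[str, bool]:
    """Return (gate_that_decided, allowed).

    methods:        ordered list of (kind, scheme) tuples, e.g.
                    [("hwtacacs-scheme", "hwtac"), ("local", None), ("none", None)]
    reachable:      scheme name -> bool, whether the server answers
    server_verdict: scheme name -> {command: bool}, the server's per-command answer
    """
    if not role_permits(role, command):
        return ("role access permission", False)
    for kind, scheme in methods:
        if kind == "none":
            # no server check; the role's access permission alone decided
            return ("none", True)
        if kind == "local":
            # the device compares the command with the user's local configuration,
            # which in this model is the role permission already checked above
            return ("local", True)
        if kind == "hwtacacs-scheme":
            if reachable.get(scheme, False):
                allowed = server_verdict.get(scheme, {}).get(command, False)
                return (f"hwtacacs-scheme {scheme}", allowed)
            continue  # server unreachable: invalid method, try the next backup
        raise ValueError(f"unknown command authorization method: {kind}")
    return ("no valid method", False)


def audit_command_authz(methods):
    """Flag method lists in which server-side command authorization is skipped."""
    kinds = [k for k, _ in methods]
    findings = []
    if "hwtacacs-scheme" not in kinds:
        findings.append("no HWTACACS scheme: commands are never checked by an authorization server")
    elif "none" in kinds or "local" in kinds:
        findings.append("local or none as a backup: while the HWTACACS server is unreachable, "
                        "only the role's access permission restricts commands")
    return findings


if __name__ == "__main__":
    chain = [("hwtacacs-scheme", "hwtac"), ("local", None), ("none", None)]
    print(command_authorized("display version", "network-operator", chain, {"hwtac": False}, {}))
    print(audit_command_authz(chain))
```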

Examples

# In ISP domain test, configure the device to perform local command authorization.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command local

# In ISP domain test, perform command authorization based on HWTACACS scheme hwtac and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local

Related commands

authorization accounting (Fundamentals Command Reference)

hwtacacs scheme

local-user

authorization default

Use authorization default to specify default authorization methods for an ISP domain.

Use undo authorization default to restore the default.

Syntax

In non-FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization default

In FIPS mode:

authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization default

Default

The default authorization method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Non-login users can access the network.

·     Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The default authorization method is used for all users that support this method and do not have an authorization method configured.

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary default authorization method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization default radius-scheme rd local

Related commands

hwtacacs scheme

local-user

radius scheme

authorization ike

Use authorization ike to specify authorization methods for IKE extended authentication.

Use undo authorization ike to restore the default.

Syntax

In non-FIPS mode:

authorization ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ike

In FIPS mode:

authorization ike { local | radius-scheme radius-scheme-name [ local ] }

undo authorization ike

Default

The default authorization methods of the ISP domain are used for IKE extended authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ike radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for IKE extended authentication.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ike local

Related commands

authorization default

local-user

authorization ipoe

Use authorization ipoe to specify authorization methods for IPoE users.

Use undo authorization ipoe to restore the default.

Syntax

In non-FIPS mode:

authorization ipoe { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ipoe

In FIPS mode:

authorization ipoe { local | radius-scheme radius-scheme-name [ local ] }

undo authorization ipoe

Default

The default authorization methods of the ISP domain are used for IPoE users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ipoe radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for IPoE users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ipoe local

# In ISP domain test, perform RADIUS authorization for IPoE users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ipoe radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization lan-access

Use authorization lan-access to specify authorization methods for LAN users.

Use undo authorization lan-access to restore the default.

Syntax

In non-FIPS mode:

authorization lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization lan-access

In FIPS mode:

authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo authorization lan-access

Default

The default authorization methods of the ISP domain are used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated LAN user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access local

# In ISP domain test, perform RADIUS authorization for LAN users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization lan-access radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization login

Use authorization login to specify authorization methods for login users.

Use undo authorization login to restore the default.

Syntax

In non-FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization login

In FIPS mode:

authorization login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization login

Default

The default authorization methods of the ISP domain are used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. The following default authorization information applies after users pass authentication:

·     Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.

·     The working directory for FTP, SFTP, and SCP login users is the root directory of the NAS. However, the users do not have permission to access the root directory.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization login radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. When both of those methods are invalid, the device performs no authorization, and the login user receives only the default authorization information described for the none keyword (the level-0 user role).

Examples

# In ISP domain test, perform local authorization for login users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login local

# In ISP domain test, perform RADIUS authorization for login users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization login radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization portal

Use authorization portal to specify authorization methods for portal users.

Use undo authorization portal to restore the default.

Syntax

In non-FIPS mode:

authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization portal

In FIPS mode:

authorization portal { local | radius-scheme radius-scheme-name [ local ] }

undo authorization portal

Default

The default authorization methods of the ISP domain are used for portal users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization. An authenticated portal user directly accesses the network.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme.

You can specify one primary authorization method and multiple backup authorization methods.

When the primary authorization method is invalid, the device attempts to use the backup authorization methods in sequence. For example, the authorization portal radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. When both of those methods are invalid, the device performs no authorization and the authenticated portal user accesses the network directly.

Examples

# In ISP domain test, perform local authorization for portal users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal local

# In ISP domain test, perform RADIUS authorization for portal users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization portal radius-scheme rd local

Related commands

authorization default

local-user

radius scheme

authorization ppp

Use authorization ppp to specify authorization methods for PPP users.

Use undo authorization ppp to restore the default.

Syntax

In non-FIPS mode:

authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }

undo authorization ppp

In FIPS mode:

authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }

undo authorization ppp

Default

The default authorization methods of the ISP domain are used for PPP users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization ppp radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for PPP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ppp local

# In ISP domain test, perform RADIUS authorization for PPP users based on scheme rd and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ppp radius-scheme rd local

Related commands

authorization default

hwtacacs scheme

local-user

radius scheme

authorization sslvpn

Use authorization sslvpn to specify authorization methods for SSL VPN users.

Use undo authorization sslvpn to restore the default.

Syntax

In non-FIPS mode:

authorization sslvpn { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization sslvpn

In FIPS mode:

authorization sslvpn { ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ local ] }

undo authorization sslvpn

Default

The default authorization methods of the ISP domain are used for SSL VPN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters.

local: Performs local authorization.

none: Does not perform authorization. Authenticated SSL VPN users can access the network directly.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can specify one primary authorization method and multiple backup authorization methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization sslvpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid.

Examples

# In ISP domain test, perform local authorization for SSL VPN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization sslvpn local

# In ISP domain test, perform LDAP authorization for SSL VPN users based on scheme ldp and use local authorization as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization sslvpn ldap-scheme ldp local

Related commands

authorization default

ldap scheme

local-user

radius scheme

authorization-attribute (ISP domain view)

Use authorization-attribute to configure authorization attributes for users in an ISP domain.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | car inbound cir committed-information-rate [ pir peak-information-rate ] outbound cir committed-information-rate [ pir peak-information-rate ] | idle-cut minute [ flow ] | igmp max-access-number max-access-number | ip-pool pool-name | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | mld max-access-number max-access-number | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-group-profile session-group-profile-name | session-timeout minutes | url url-string | user-group user-group-name | user-profile profile-name | vpn-instance vpn-instance-name }

undo authorization-attribute { acl | car | idle-cut | igmp | ip-pool | ipv6-pool | ipv6-prefix | mld | primary-dns | secondary-dns | session-group-profile | session-timeout | url | user-group | user-profile | vpn-instance }

Default

No authorization attributes are configured for users in the ISP domain and the idle cut feature is disabled.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an ACL to filter traffic for users. The value range for the acl-number argument is 2000 to 5999. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the ACL applies before portal authentication. This option is applicable only to IPoE, LAN, and portal users.

car: Specifies a CAR action for users. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the CAR action applies before portal authentication. This keyword is applicable only to IPoE, portal, and PPP users.

inbound: Specifies the upload rate of users.

outbound: Specifies the download rate of users.

cir committed-information-rate: Specifies the committed information rate in kbps, in the range of 1 to 4194303.

pir peak-information-rate: Specifies the peak information rate in kbps, in the range of 1 to 4194303. If you do not specify this option, the CAR action does not restrict users by peak information rate.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 600. This option is applicable only to IPoE, portal, PPP, and wireless LAN users.

flow: Specifies the minimum traffic, in bytes, that a user must generate in the idle timeout period to stay online. The value range is 1 to 10240000, and the default value is 10240.

igmp max-access-number max-access-number: Specifies the maximum number of IGMP groups that an IPv4 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to IPoE, portal, and PPP users.

ip-pool pool-name: Specifies an IPv4 address pool for users. The pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to IKE, IPoE, portal, and PPP users.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool for users. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters. This option is applicable only to IPoE, portal, and PPP users.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix for users. The value range for the ipv6-prefix prefix-length argument is 1 to 128. This option is applicable only to IPoE and PPP users.

mld max-access-number max-access-number: Specifies the maximum number of MLD groups that an IPv6 user can join concurrently. The value range for the max-access-number argument is 1 to 64. This option is applicable only to IPoE, portal, and PPP users.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server for users. This option is applicable only to IPoE and PPP users.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server for users. This option is applicable only to IPoE and PPP users.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server for users. This option is applicable only to IPoE and PPP users.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server for users. This option is applicable only to IPoE and PPP users.

session-group-profile session-group-profile-name: Specifies an authorization session group profile for users. The session-group-profile-name argument is a case-sensitive string of 1 to 31 characters. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the session group profile applies before portal authentication. This option is applicable only to IPoE, portal, and PPP users.

session-timeout minutes: Specifies the session timeout timer for users, in minutes. The value range for the minutes argument is 1 to 4294967295. The device logs off a user when the user's session timeout timer expires. This option is applicable only to PPP, portal, IPoE, and LAN users.

url url-string: Specifies the redirect URL for users. Users are redirected to the URL the first time they access the network after they pass authentication. The url-string argument is a case-sensitive string of 1 to 255 characters. This option is applicable only to PPP users.

user-group user-group-name: Specifies a user group for users. The user-group-name argument is a case-insensitive string of 1 to 32 characters. Authenticated users obtain all attributes of the user group.

user-profile profile-name: Specifies an authorization user profile. The profile-name argument is a case-sensitive string of 1 to 31 characters. Typically, the attribute applies to authenticated users. If you configure the attribute in a portal preauthentication domain, the user profile applies before portal authentication. This option is applicable only to IPoE, LAN, portal, and PPP users.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the users belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. When a user passes authentication, it has permission to access the network resources in the specified VPN. This option is applicable only to PPP and IPoE users.

Usage guidelines

When the idle cut feature is configured, the device periodically detects the traffic of each online user. The device logs out users that do not meet the minimum traffic requirement in the idle timeout period. When the idle cut feature is disabled on the device, the idle cut feature of the server takes effect. The server considers a user idle if the user's traffic is less than 10240 bytes in a configurable idle timeout period.

If the server or NAS does not authorize any attributes to an authenticated user, the device authorizes the attributes in the ISP domain to the user. To specify authorization attributes in the ISP domain, use the authorization-attribute command.

You can configure multiple authorization attributes for users in an ISP domain. If you execute the command multiple times with the same keyword specified, the most recent configuration takes effect.

Examples

# Configure the idle cut feature for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization-attribute idle-cut 30 10240

Related commands

display domain

basic-service-ip-type

Use basic-service-ip-type to specify the types of IP addresses that PPPoE and L2TP users must rely on to use the basic services.

Use undo basic-service-ip-type to restore the default.

Syntax

basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } *

undo basic-service-ip-type

Default

PPPoE and L2TP users do not rely on any types of IP addresses to use the basic services.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ipv4: Specifies the IPv4 address type.

ipv6: Specifies the IPv6 address type.

ipv6-pd: Specifies the IPv6-PD address type. Addresses of this type are generated from the prefix that the DHCPv6 server delegates to the user.

Usage guidelines

This command takes effect only when the device acts as a PPPoE server or L2TP LNS.

A PPPoE or L2TP user might request multiple services that use different IP address types. By default, the device logs off a user that does not obtain an IP address. With this command, the user can come online only after it has obtained an IP address of every specified type for the basic services.

If the user does not obtain IP addresses of all the specified types, the device does not allow the user to come online. For example, after you execute the basic-service-ip-type ipv6 command, a PPPoE or L2TP user that does not obtain an IPv6 address cannot come online, regardless of whether it has obtained an IPv4 address.

If you specify both the ipv6 and ipv6-pd keywords, the device does not allow a PPPoE or L2TP user that fails IPv6 address negotiation or PD negotiation to come online.

Examples

# In ISP domain test, specify PPPoE and L2TP users to rely on IPv4 addresses to use the basic services.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] basic-service-ip-type ipv4

dhcpv6-follow-ipv6cp

Use dhcpv6-follow-ipv6cp to set the DHCPv6 request timeout timer for PPPoE and L2TP users.

Use undo dhcpv6-follow-ipv6cp to restore the default.

Syntax

dhcpv6-follow-ipv6cp timeout delay-time

undo dhcpv6-follow-ipv6cp

Default

The DHCPv6 request timeout timer for PPPoE and L2TP users is 60 seconds.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

timeout delay-time: Specifies the DHCPv6 request timeout timer, in the range of 30 to 120 seconds.

Usage guidelines

This command takes effect only when the device acts as a PPPoE server or L2TP LNS.

After the device finishes IPv6CP negotiation with a PPPoE or L2TP user, PPP instructs DHCPv6 to assign an IPv6 address to the user. If DHCPv6 does not assign the address before the request timeout timer expires, and the basic service of the user relies on an IPv6 address (see basic-service-ip-type), the user cannot come online.

As a best practice, increase the DHCPv6 request timeout timer in the following situations:

·     The network communication is unstable.

·     The ISP domain serves a large number of PPPoE and L2TP users.

Examples

# In ISP domain test, set the DHCPv6 request timeout timer to 90 seconds for PPPoE and L2TP users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] dhcpv6-follow-ipv6cp timeout 90

Related commands

basic-service-ip-type

display domain

Use display domain to display ISP domain configuration.

Syntax

display domain [ isp-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. If you do not specify an ISP domain, this command displays the configuration of all ISP domains.

Examples

# Display the configuration of all ISP domains.

<Sysname> display domain

Total 2 domains

 

Domain: system

  State: Active

  Default authentication scheme:  Local

  Default authorization  scheme:  Local

  Default accounting     scheme:  Local

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out action: Offline

  Service type: HSI

  Session time: Exclude idle time

  NAS-ID: N/A

  DHCPv6-follow-IPv6CP timeout: 60 seconds

  Authorization attributes :

    Idle cut: Disabled

    IGMP access number: 4

    MLD access number:  4

 

Domain: dm

  State: Active

  Login   authentication scheme:  RADIUS=rad

  Login   authorization  scheme:  HWTACACS=hw

  Super   authentication scheme:  RADIUS=rad

  Command authorization  scheme:  HWTACACS=hw

  LAN access authentication scheme:  RADIUS=r4

  PPP     accounting     scheme:  RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local

  Portal  authentication scheme:  LDAP=ldp

  IPoE    authentication scheme:  RADIUS=rad, Local, None

  SSL VPN authentication scheme:  LDAP=ldp, Local, None

  SSL VPN authorization  scheme:  LDAP=ldp, Local

  SSL VPN accounting     scheme:  None

  Default authentication scheme:  LDAP=rad, Local, None

  Default authorization  scheme:  Local

  Default accounting     scheme:  None

  Accounting start failure action: Online

  Accounting update failure action: Online

  Accounting quota out action: Offline

  Service type: HSI

  Session time: Include idle time

  NAS-ID: test

  User basic service IP type: IPv4 IPv6 IPv6-PD

  DHCPv6-follow-IPv6CP timeout: 44 seconds

  Authorization attributes :

    Idle cut : Enabled

      Idle timeout: 2 minutes

      Flow: 10240 bytes

    Session timeout: 34 minutes

    IP pool: appy

    User profile: test

    Inbound CAR: CIR 64000 bps PIR 640000 bps

    Outbound CAR: CIR 64000 bps PIR 640000 bps

    ACL number: 3000

    User group: ugg

    IPv6 prefix: 1::1/34

    IPv6 pool: ipv6pool

    Primary DNS server: 6.6.6.6

    Secondary DNS server: 3.6.2.3

    URL: http://portal

    VPN instance: vpn1

    Session timeout: Disabled

    IGMP access number: 12

    MLD access number: 35

 

Default domain name: system

Table 1 Command output

Field

Description

Domain

ISP domain name.

State

Status of the ISP domain.

Default authentication scheme

Default authentication method.

Default authorization scheme

Default authorization method.

Default accounting scheme

Default accounting method.

Accounting start failure action

Access control for users that encounter accounting-start failures:

·     Online—Does not perform actions on the users.

·     Offline—Logs off the users.

Accounting update failure max-times

Maximum number of consecutive accounting-update failures allowed by the device for each user in the domain.

Accounting update failure action

Access control for users that have failed all their accounting-update attempts:

·     Online—Does not perform actions on the users.

·     Offline—Logs off the users.

Accounting quota out action

Access control for users that have used up their data quotas:

·     Online—Does not perform actions on the users.

·     Offline—Logs off the users.

Service type

Service type of the ISP domain, including HSI, STB, and VoIP.

Session time

Online duration sent to the server for users that went offline due to connection failure or malfunction:

·     Include idle time—The online duration includes the idle timeout period.

·     Exclude idle time—The online duration does not include the idle timeout period.

NAS-ID

NAS-ID of the device. This field displays N/A if no NAS-ID is set in the ISP domain.

User basic service IP type

Types of IP addresses that PPPoE and L2TP users rely on to use the basic services:

·     IPv4.

·     IPv6.

·     IPv6-PD.

DHCPv6-follow-IPv6CP timeout

DHCPv6 request timeout timer (in seconds) that starts after IPv6CP negotiation for PPPoE and L2TP users.

Login authentication scheme

Authentication methods for login users.

Login authorization scheme

Authorization methods for login users.

Login accounting scheme

Accounting methods for login users.

Authorization attributes

Authorization attributes for users in the ISP domain.

Idle cut

Idle cut feature status:

·     Enabled—The feature is enabled. The device logs off users that do not meet the minimum traffic requirements in an idle timeout period.

·     Disabled—The feature is disabled. It is the default idle cut state.

Idle timeout

Idle timeout period, in minutes.

Flow

Minimum traffic, in bytes, that a user must generate in an idle timeout period to stay online.

Session timeout

Session timeout time for users in the ISP domain, in minutes.

IP pool

Name of the IPv4 address pool authorized to users.

User profile

Name of the authorization user profile.

Inbound CAR

Authorized inbound CAR:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

Outbound CAR

Authorized outbound CAR:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

ACL number

Authorization ACL for users.

User group

Authorization user group for users.

IPv6 prefix

IPv6 address prefix authorized to users.

IPv6 pool

Name of the IPv6 address pool for users.

Primary DNS server

IPv4 address of the primary DNS server for users.

Secondary DNS server

IPv4 address of the secondary DNS server for users.

Primary DNSV6 server

IPv6 address of the primary DNS server for users.

Secondary DNSV6 server

IPv6 address of the secondary DNS server for users.

URL

Redirect URL for users.

VPN instance

Name of the authorization VPN instance for users.

IGMP max access number

Maximum number of IGMP groups that an IPv4 user can join concurrently.

MLD max access number

Maximum number of MLD groups that an IPv6 user can join concurrently.

RADIUS

RADIUS scheme.

HWTACACS

HWTACACS scheme.

LDAP

LDAP scheme.

Local

Local scheme.

None

No authentication, no authorization, or no accounting.

Super authentication scheme

Authentication methods for obtaining another user role without reconnecting to the device.

Command authorization scheme

Command line authorization methods.

Command accounting scheme

Command line accounting method.

LAN access authentication scheme

Authentication methods for LAN users.

LAN access authorization scheme

Authorization methods for LAN users.

LAN access accounting scheme

Accounting methods for LAN users.

PPP authentication scheme

Authentication methods for PPP users.

PPP authorization scheme

Authorization methods for PPP users.

PPP accounting scheme

Accounting methods for PPP users.

Portal authentication scheme

Authentication methods for portal users.

Portal authorization scheme

Authorization methods for portal users.

Portal accounting scheme

Accounting methods for portal users.

IKE authentication scheme

IKE extended authentication methods.

IKE authorization scheme

Authorization methods for IKE extended authentication.

IPoE authentication scheme

Authentication methods for IPoE users.

IPoE authorization scheme

Authorization methods for IPoE users.

IPoE accounting scheme

Accounting methods for IPoE users.

SSL VPN authentication scheme

Authentication methods for SSL VPN users.

SSL VPN authorization scheme

Authorization methods for SSL VPN users.

SSL VPN accounting scheme

Accounting methods for SSL VPN users.

ADVPN authentication scheme

Authentication methods for ADVPN users.

ADVPN authorization scheme

Authorization methods for ADVPN users.

ADVPN accounting scheme

Accounting methods for ADVPN users.
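The method chains printed by display domain are the place to check the two behaviours described under the authorization commands above: a chain that ends in None means the device skips that step for the user once every earlier method is invalid, and RADIUS authorization takes effect only when authentication for the same service uses the same RADIUS scheme. The following Python is an added example for this page, not H3C code. Its SAMPLE_OUTPUT is constructed: the system and dm domains are trimmed copies of the display domain output shown above, and the lab domain is made up to exercise the scheme-mismatch check. It assumes that a service without its own authentication line uses the Default authentication scheme, and it keeps a parenthesized entry such as (RADIUS=r2) as-is without interpreting it.

```python
"""Parse `display domain` output from an H3C Comware 7 device and flag
method chains worth a second look. Added example, not H3C code."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: system/dm trimmed from the page, lab invented.
SAMPLE_OUTPUT = """\
Domain: system
  State: Active
  Default authentication scheme:  Local
  Default authorization  scheme:  Local
  Default accounting     scheme:  Local

Domain: dm
  State: Active
  Login   authentication scheme:  RADIUS=rad
  Login   authorization  scheme:  HWTACACS=hw
  LAN access authentication scheme:  RADIUS=r4
  PPP     accounting     scheme:  RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local
  IPoE    authentication scheme:  RADIUS=rad, Local, None
  SSL VPN authorization  scheme:  LDAP=ldp, Local
  Default authentication scheme:  LDAP=rad, Local, None
  Default authorization  scheme:  Local
  Default accounting     scheme:  None

Domain: lab
  State: Active
  Login   authentication scheme:  RADIUS=rad
  Login   authorization  scheme:  RADIUS=r9, Local
  Default authentication scheme:  Local
  Default authorization  scheme:  Local
  Default accounting     scheme:  Local

Default domain name: system
"""

# Matches e.g. "  LAN access authentication scheme:  RADIUS=r4"
SCHEME_LINE = re.compile(
    r"^\s+(?P<service>.+?)\s+(?P<kind>authentication|authorization|accounting)"
    r"\s+scheme:\s+(?P<chain>.+?)\s*$"
)


@dataclass
class Method:
    type: str               # RADIUS, HWTACACS, LDAP, Local or None
    scheme: Optional[str]   # scheme name for RADIUS/HWTACACS/LDAP
    parenthesized: bool     # printed as "(RADIUS=r2)"; kept, not interpreted

    def __str__(self) -> str:
        return f"{self.type}={self.scheme}" if self.scheme else self.type


def parse_method(token: str) -> Method:
    token = token.strip()
    paren = token.startswith("(") and token.endswith(")")
    if paren:
        token = token[1:-1]
    mtype, _, scheme = token.partition("=")
    return Method(mtype, scheme or None, paren)


def parse_display_domain(text: str) -> dict[str, dict[tuple[str, str], list[Method]]]:
    """Return {domain: {(service, kind): [Method, ...]}}; service is the
    label before the kind ("Login", "LAN access", "Default", ...)."""
    domains: dict[str, dict[tuple[str, str], list[Method]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Domain: "):
            current = line[len("Domain: "):].strip()
            domains[current] = {}
            continue
        m = SCHEME_LINE.match(line)
        if m and current is not None:
            service = " ".join(m.group("service").split())
            chain = [parse_method(t) for t in m.group("chain").split(",")]
            domains[current][(service, m.group("kind"))] = chain
    return domains


def review(domains: dict) -> list[str]:
    """One finding per condition that changes the effective behaviour."""
    findings = []
    for name, chains in domains.items():
        for (service, kind), chain in chains.items():
            # None: once every earlier method is invalid (server unreachable),
            # the device skips this step for the user.
            if any(m.type == "None" for m in chain):
                findings.append(f"{name}: {service} {kind} falls back to None "
                                f"({', '.join(map(str, chain))})")
            if kind != "authorization":
                continue
            # RADIUS authorization takes effect only when authentication for
            # the same service uses the same RADIUS scheme (assumed: a service
            # without its own authentication line uses Default).
            authz = [m.scheme for m in chain if m.type == "RADIUS"]
            if not authz:
                continue
            authn = chains.get((service, "authentication"),
                               chains.get(("Default", "authentication"), []))
            if authz[0] not in [m.scheme for m in authn if m.type == "RADIUS"]:
                findings.append(f"{name}: {service} authorization uses RADIUS scheme "
                                f"{authz[0]} but authentication uses "
                                f"{', '.join(map(str, authn)) or 'nothing'}; "
                                f"RADIUS authorization will not take effect")
    return findings


if __name__ == "__main__":
    for finding in review(parse_display_domain(SAMPLE_OUTPUT)):
        print(finding)
```

Run against a real device by pasting the output of display domain into SAMPLE_OUTPUT or reading it from a file; the regex only needs the indented "... scheme:" lines, so the other fields of the output are ignored.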

 

domain

Use domain to create an ISP domain and enter its view, or enter the view of an existing ISP domain.

Use undo domain to delete an ISP domain.

Syntax

domain isp-name

undo domain isp-name

Default

A system-defined ISP domain exists. The domain name is system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown. These strings are the abbreviations of the default and if-unknown keywords in the domain default enable and domain if-unknown commands.

Usage guidelines

All ISP domains are in active state when they are created.

You can modify settings for the system-defined ISP domain system, but you cannot delete this domain.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users.

Examples

# Create an ISP domain named test and enter ISP domain view.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test]

Related commands

display domain

domain default enable

domain if-unknown

state (ISP domain view)

domain default enable

Use domain default enable to specify the default ISP domain. A user whose username does not carry a domain name is assigned to the default ISP domain.

Use undo domain default enable to restore the default.

Syntax

domain default enable isp-name

undo domain default enable

Default

The default ISP domain is the system-defined ISP domain system.

Views

System view

Predefined user roles

network-admin

Parameters

isp-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The ISP domain must already exist.

Usage guidelines

The system has only one default ISP domain.

An ISP domain cannot be deleted when it is the default ISP domain. Before you use the undo domain command, change the domain to a non-default ISP domain by using the undo domain default enable command.

Examples

# Create an ISP domain named test, and configure the domain as the default ISP domain.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] quit

[Sysname] domain default enable test

Related commands

display domain

domain

domain if-unknown

Use domain if-unknown to specify an ISP domain that accommodates users that are assigned to nonexistent domains.

Use undo domain if-unknown to restore the default.

Syntax

domain if-unknown isp-domain-name

undo domain if-unknown

Default

No ISP domain is specified to accommodate users that are assigned to nonexistent domains.

Views

System view

Predefined user roles

network-admin

Parameters

isp-domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

The device chooses an authentication domain for each user in the following order:

·     The authentication domain specified for the access module.

·     The ISP domain in the username.

·     The default ISP domain of the device.

If the chosen domain does not exist on the device, the device searches for the ISP domain that accommodates users assigned to nonexistent domains. If no such ISP domain is configured, user authentication fails.

NOTE:

Support for the authentication domain configuration depends on the access module.

Examples

# Specify ISP domain test to accommodate users that are assigned to nonexistent domains.

<Sysname> system-view

[Sysname] domain if-unknown test
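The domain selection order from the usage guidelines above, together with the name rules from the parameter description, modeled as an added Python example. This is not Comware code and is not part of this reference. It assumes that a username carries its domain after the last @ (user@domain), that domain names compare case-insensitively (as the parameter description states), and it uses a constructed configuration; the final check reflects the state (ISP domain view) command.

```python
"""ISP domain selection as described in the usage guidelines.

Added example for this reference, not Comware code. Assumptions beyond the
page: a username carries its domain after the last "@" (user@domain), and
domain names compare case-insensitively, as the parameter description says.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DOMAIN_SEPARATOR = "@"                      # assumed user@domain delimiter
FORBIDDEN_CHARS = set('/\\|":*?<>@')        # characters the page disallows
RESERVED_WORDS = ("default", "if-unknown")  # no name may be a prefix of these


def is_valid_domain_name(name: str) -> bool:
    """Name rules from the domain and domain if-unknown parameter descriptions."""
    if not 1 <= len(name) <= 255:
        return False
    if any(ch in FORBIDDEN_CHARS for ch in name):
        return False
    lowered = name.lower()
    # Rejects d, de, ..., default and i, if, ..., if-unknown (in any case).
    return not any(word.startswith(lowered) for word in RESERVED_WORDS)


@dataclass
class DomainConfig:
    """domain <name> entries with their state, plus the two global settings."""
    domains: Dict[str, str] = field(default_factory=lambda: {"system": "active"})
    default_domain: str = "system"      # domain default enable <name>
    if_unknown: Optional[str] = None    # domain if-unknown <name>

    def lookup(self, name: Optional[str]) -> Optional[str]:
        """Configured spelling of name, or None if no such domain exists."""
        if name is None:
            return None
        for configured in self.domains:
            if configured.lower() == name.lower():
                return configured
        return None


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """'alice@corp' -> ('alice', 'corp'); a bare 'alice' has no domain part."""
    if DOMAIN_SEPARATOR not in username:
        return username, None
    user, _, domain = username.rpartition(DOMAIN_SEPARATOR)
    return user, domain


def select_domain(cfg: DomainConfig, username: str,
                  module_domain: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Return (domain, reason) in the page's order: access-module domain,
    then the domain in the username, then the device default.

    reason is 'module', 'username' or 'default' when that candidate exists,
    'if-unknown' when the fallback domain caught a nonexistent candidate,
    and 'fail' when no domain can be chosen (authentication fails).
    """
    _, name_domain = split_username(username)
    if module_domain is not None:
        candidate, reason = module_domain, "module"
    elif name_domain is not None:
        candidate, reason = name_domain, "username"
    else:
        candidate, reason = cfg.default_domain, "default"

    found = cfg.lookup(candidate)
    if found is not None:
        return found, reason
    fallback = cfg.lookup(cfg.if_unknown)
    if fallback is not None:
        return fallback, "if-unknown"
    return None, "fail"


def domain_admits_user(cfg: DomainConfig, domain: Optional[str]) -> bool:
    """state block stops users of a domain that are not yet online."""
    return domain is not None and cfg.domains.get(domain) == "active"


if __name__ == "__main__":
    # Constructed configuration: default domain corp, catch-all domain guest (blocked).
    cfg = DomainConfig(domains={"system": "active", "corp": "active", "guest": "block"},
                       default_domain="corp", if_unknown="guest")
    for name in ("alice@corp", "alice", "bob@typo"):
        chosen, reason = select_domain(cfg, name)
        print(f"{name:12} -> {chosen} ({reason}), admitted={domain_admits_user(cfg, chosen)}")
```

With no if-unknown domain configured (the default), bob@typo fails, which is the fail-closed behaviour. Once domain if-unknown is set, any domain string a client places in its username, including a deliberately wrong one, is authenticated against that domain, so give the catch-all domain its own restrictive authentication and authorization settings rather than letting it share the policy of a production domain.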

Related commands

display domain

nas-id

Use nas-id to set the NAS-ID in an ISP domain.

Use undo nas-id to restore the default.

Syntax

nas-id nas-identifier

undo nas-id

Default

No NAS-ID is set in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

Usage guidelines

During RADIUS authentication, the device uses a NAS-ID to set the NAS-Identifier attribute of RADIUS packets so that the RADIUS server can identify the access location of users.

You can configure a NAS-ID in NAS-ID profile view or in ISP domain view. The device selects the NAS-ID for the NAS-Identifier attribute in the following order:

1.     NAS-ID bound with VLANs in a NAS-ID profile.

2.     NAS-ID in an ISP domain.

If no NAS-ID is selected, the device uses the device name as the NAS-ID.

Examples

# Set the NAS-ID to test for ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] nas-id test

Related commands

aaa nas-id profile

nas-id bind vlan

Use nas-id bind vlan to bind a NAS-ID with a VLAN.

Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding.

Syntax

nas-id nas-identifier bind vlan vlan-id

undo nas-id nas-identifier bind vlan vlan-id

Default

No NAS-ID and VLAN bindings exist.

Views

NAS-ID profile view

Predefined user roles

network-admin

Parameters

nas-identifier: Specifies a NAS-ID, a case-sensitive string of 1 to 31 characters.

vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

Usage guidelines

You can configure multiple NAS-ID and VLAN bindings in a NAS-ID profile.

A NAS-ID can be bound with more than one VLAN, but a VLAN can be bound with only one NAS-ID. If you configure multiple bindings for the same VLAN, the most recent configuration takes effect.

Examples

# Bind NAS-ID 222 with VLAN 2 in NAS-ID profile aaa.

<Sysname> system-view

[Sysname] aaa nas-id profile aaa

[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2
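The NAS-ID selection order from the nas-id usage guidelines and the binding rules from the nas-id bind vlan usage guidelines, modeled as an added Python example. This is not Comware code and is not part of this reference; the profile name, VLAN IDs, NAS-IDs and device name are constructed.

```python
"""NAS-Identifier selection for RADIUS requests (added example, not Comware code).

Models 'aaa nas-id profile', 'nas-id ... bind vlan' and 'nas-id' in ISP domain
view as the page describes them; the values used at the bottom are constructed.
"""
from typing import Dict, List, Optional


class NasIdProfile:
    """One 'aaa nas-id profile <name>' with its NAS-ID/VLAN bindings."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._by_vlan: Dict[int, str] = {}   # a VLAN is bound to exactly one NAS-ID

    def bind(self, nas_id: str, vlan: int) -> None:
        """nas-id <nas-identifier> bind vlan <vlan-id>: a later binding for the
        same VLAN replaces the earlier one; a NAS-ID may cover many VLANs."""
        if not 1 <= len(nas_id) <= 31:
            raise ValueError("NAS-ID must be 1 to 31 characters")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be in the range 1 to 4094")
        self._by_vlan[vlan] = nas_id

    def unbind(self, nas_id: str, vlan: int) -> bool:
        """undo nas-id <nas-identifier> bind vlan <vlan-id>: removes the exact pair only."""
        if self._by_vlan.get(vlan) == nas_id:
            del self._by_vlan[vlan]
            return True
        return False

    def nas_id_for_vlan(self, vlan: Optional[int]) -> Optional[str]:
        return None if vlan is None else self._by_vlan.get(vlan)

    def vlans_for(self, nas_id: str) -> List[int]:
        return sorted(v for v, n in self._by_vlan.items() if n == nas_id)


def select_nas_identifier(profile: Optional[NasIdProfile], user_vlan: Optional[int],
                          domain_nas_id: Optional[str], sysname: str) -> str:
    """Value for the RADIUS NAS-Identifier attribute, in the page's order:
    1. NAS-ID bound to the user's VLAN in the NAS-ID profile,
    2. NAS-ID set in the user's ISP domain,
    3. the device name."""
    if profile is not None:
        bound = profile.nas_id_for_vlan(user_vlan)
        if bound is not None:
            return bound
    if domain_nas_id is not None:
        return domain_nas_id
    return sysname


if __name__ == "__main__":
    profile = NasIdProfile("aaa")
    profile.bind("222", 2)
    profile.bind("222", 3)
    profile.bind("333", 2)        # VLAN 2 now maps to 333; 222 keeps VLAN 3
    print(profile.vlans_for("222"), select_nas_identifier(profile, 2, "test", "Sysname"))
```

The NAS-Identifier tells the RADIUS server where a user came in; the server should treat it as a location hint carried inside a request it has already authenticated by the shared secret, not as a credential in its own right.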

Related commands

aaa nas-id profile

service-type (ISP domain view)

Use service-type to specify the service type for users in an ISP domain.

Use undo service-type to restore the default.

Syntax

service-type { hsi | stb | voip }

undo service-type

Default

The service type is hsi for users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hsi: Specifies the High-Speed Internet (HSI) service. This service is applicable to PPP, 802.1X, and IPoE leased line users.

stb: Specifies the Set Top Box (STB) service. This service is applicable to STB users.

voip: Specifies the Voice over IP (VoIP) service. This service is applicable to IP phone users.

Usage guidelines

You can configure only one service type for one ISP domain.

When the HSI service is specified, the multicast feature of the access module is disabled to save system resources.

When the STB service is specified, the multicast feature of the access module is enabled to improve the performance of the multicast module.

When the VoIP service is specified, the QoS module increases the priority of voice traffic to reduce the transmission delay for IP phone users.

For 802.1X and PPP (excluding PPPoE) users, the system forces the HSI service even if the STB or VoIP service is specified.

Examples

# Specify the STB service for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] service-type stb

session-time include-idle-time

Use session-time include-idle-time to configure the device to include the idle timeout period in the user online duration sent to the server.

Use undo session-time include-idle-time to restore the default.

Syntax

session-time include-idle-time

undo session-time include-idle-time

Default

The device excludes the idle timeout period from the user online duration sent to the server.

Views

ISP domain view

Predefined user roles

network-admin

Usage guidelines

Whether to include the idle timeout period in the user online duration sent to the server depends on the accounting policy in your network. Typically, the idle timeout period is assigned by the authorization server after users pass authentication. For portal users, the idle timeout period set for the online portal user detection feature takes priority over the server-assigned idle timeout period. For more information about online detection for portal users, see portal authentication configuration in Security Configuration Guide.

If a user goes offline because of a connection failure or malfunction, the online duration sent to the server differs from the user's actual online duration:

·     If the session-time include-idle-time command is used, the device adds the idle timeout period to the actual online duration. The online duration sent to the server is longer than the actual online duration of the user.

·     If the undo session-time include-idle-time command is used, the device excludes the idle timeout period from the actual online duration. The online duration sent to the server is shorter than the actual online duration of the user.

Examples

# Configure the device to include the idle timeout period in the online duration sent to the server for users in ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] session-time include-idle-time

Related commands

display domain

state (ISP domain view)

Use state to set the status of an ISP domain.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

An ISP domain is in active state.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.

block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.

Usage guidelines

Blocking an ISP domain prevents users of the domain that are not yet online from requesting network services. Users that are already online are not affected.

Examples

# Place ISP domain test in blocked state.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block

Related commands

display domain

user-address-type

Use user-address-type to specify the user address type in the ISP domain.

Use undo user-address-type to restore the default.

Syntax

user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 }

undo user-address-type

Default

No user address type is specified for the ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

ds-lite: Specifies the DS-Lite address type.

ipv6: Specifies the IPv6 address type.

nat64: Specifies the NAT64 address type.

private-ds: Specifies the private-DS address type.

private-ipv4: Specifies the private IPv4 address type.

public-ds: Specifies the public-DS address type.

public-ipv4: Specifies the public IPv4 address type.

Usage guidelines

Any change to the user address type does not affect online users.

Examples

# Specify the user address type as private-ds for ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] user-address-type private-ds

Related commands

display domain

Local user commands

access-limit

Use access-limit to set the maximum number of concurrent logins using the local user name.

Use undo access-limit to restore the default.

Syntax

access-limit max-user-number

undo access-limit

Default

The number of concurrent logins using the local user name is not limited.

Views

Local user view

Predefined user roles

network-admin

Parameters

max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024.

Usage guidelines

This command takes effect only when local accounting is configured for the local user. The command does not apply to FTP, SFTP, or SCP users. These users do not support accounting.

For this command to take effect on network access users, you also need to execute the accounting start-fail offline command in ISP domain view.

Examples

# Set the maximum number of concurrent logins to 5 for the local user account named abc.

<Sysname> system-view

[Sysname] local-user abc

[Sysname-luser-manage-abc] access-limit 5

Related commands

accounting start-fail offline

display local-user

authorization-attribute (local user view/user group view)

Use authorization-attribute to configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user.

Use undo authorization-attribute to restore the default of an authorization attribute.

Syntax

authorization-attribute { acl acl-number | callback-number callback-number | idle-cut minute | ip ipv4-address | ip-pool ipv4-pool-name | ipv6 ipv6-address | ipv6-pool ipv6-pool-name | ipv6-prefix ipv6-prefix prefix-length | { primary-dns | secondary-dns } { ip ipv4-address | ipv6 ipv6-address } | session-timeout minutes | sslvpn-policy-group group-name | url url-string | user-profile profile-name | user-role role-name | vlan vlan-id | vpn-instance vpn-instance-name | work-directory directory-name } *

undo authorization-attribute { acl | callback-number | idle-cut | ip | ip-pool | ipv6 | ipv6-pool | ipv6-prefix | primary-dns { ip | ipv6 } | secondary-dns { ip | ipv6 } | session-timeout | sslvpn-policy-group | url | user-profile | user-role role-name | vlan | vpn-instance | work-directory } *

Default

The working directory for FTP, SFTP, and SCP users is the root directory of the NAS. However, the users do not have permission to access the root directory.

The local users created by a network-admin or level-15 user are assigned the network-operator user role.

Views

Local user view

User group view

Predefined user roles

network-admin

Parameters

acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL.

callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the device uses this number to call the user.

idle-cut minute: Sets an idle timeout period in minutes. The value range for the minute argument is 1 to 120. The device logs off an online user if the user's idle period exceeds the specified idle timeout period.

ip ipv4-address: Assigns a static IPv4 address to a user after it passes authentication. This option is available only in local user view.

ip-pool ipv4-pool-name: Specifies an IPv4 address pool. The ipv4-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6 ipv6-address: Assigns a static IPv6 address to a user after it passes authentication. This option is available only in local user view.

ipv6-pool ipv6-pool-name: Specifies an IPv6 address pool. The ipv6-pool-name argument is a case-insensitive string of 1 to 63 characters.

ipv6-prefix ipv6-prefix prefix-length: Specifies an IPv6 address prefix. The value range for the prefix-length argument is 1 to 128.

primary-dns ip ipv4-address: Specifies the IPv4 address of the primary DNS server.

primary-dns ipv6 ipv6-address: Specifies the IPv6 address of the primary DNS server.

secondary-dns ip ipv4-address: Specifies the IPv4 address of the secondary DNS server.

secondary-dns ipv6 ipv6-address: Specifies the IPv6 address of the secondary DNS server.

session-timeout minutes: Specifies the session timeout timer, in minutes. The value range for the minutes argument is 1 to 1440. The device logs off a user after the timer expires for the user.

sslvpn-policy-group group-name: Specifies an SSL VPN policy group. The group-name argument is a case-insensitive string of 1 to 31 characters. For information about SSL VPN policy groups, see "Configuring SSL VPN."

url url-string: Specifies a PPPoE Active Discovery Message (PADM) URL. Users are redirected to the URL after they pass authentication. The url-string argument is a case-sensitive string of 1 to 255 characters.

user-profile profile-name: Specifies an authorization user profile by its name. The profile-name argument is a case-sensitive string of 1 to 31 characters. The name can contain only letters, digits, and underscores (_). The user profile restricts the behavior of an authenticated user. For more information, see Security Configuration Guide.

user-role role-name: Specifies an authorized user role. The role-name argument is a case-sensitive string of 1 to 63 characters. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local user view, and is not available in user group view.

vlan vlan-id: Specifies an authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After passing authentication and being authorized a VLAN, a local user can access only the resources in this VLAN.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. After passing authentication, a user has permission to access the network resources in the specified VPN.

work-directory directory-name: Specifies an FTP, SFTP, or SCP working directory. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist.

Usage guidelines

Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.

·     For PPP users, only the following authorization attributes take effect: callback-number, idle-cut, ip, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, url, user-profile, and vpn-instance.

·     For IPoE users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, ipv6-prefix, primary-dns, secondary-dns, session-timeout, user-profile, and vpn-instance. If the IPoE users access the network through leased lines, the vpn-instance authorization attribute does not take effect.

·     For portal users, only the following authorization attributes take effect: acl, idle-cut, ip-pool, ipv6-pool, session-timeout, and user-profile.

·     For LAN users, only the following authorization attributes take effect: acl, idle-cut, session-timeout, user-profile, and vlan. The idle-cut authorization attribute takes effect only on wireless users.

·     For Telnet, terminal, and SSH users, only the idle-cut, user-role, and work-directory authorization attributes take effect.

·     For HTTP and HTTPS users, only the user-role authorization attribute takes effect.

·     For FTP users, only the user-role and work-directory authorization attributes take effect.

·     For SSL VPN users, only the sslvpn-policy-group authorization attribute takes effect.

·     For IKE users, only the ip-pool authorization attribute takes effect.

·     For other types of local users, no authorization attribute takes effect.

Authorization attributes configured for a user group are intended for all local users in the group. You can group local users to improve configuration and management efficiency. An authorization attribute configured in local user view takes precedence over the same attribute configured in user group view.
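The per-service applicability list and the user-view-over-group-view precedence described above, modeled as an added Python example. This is not Comware code and is not part of this reference; the table is transcribed from the usage guidelines, and the user, group and attribute values at the bottom are constructed.

```python
"""Effective authorization attributes of a local user (added example, not Comware code).

The per-service table is transcribed from the usage guidelines; the user,
group and attribute values used at the bottom are constructed.
"""
from typing import Any, Dict, List, Set

# Attributes that take effect, by service type, from the usage guidelines.
SUPPORTED: Dict[str, Set[str]] = {
    "ppp": {"callback-number", "idle-cut", "ip", "ip-pool", "ipv6-pool", "ipv6-prefix",
            "primary-dns", "secondary-dns", "session-timeout", "url", "user-profile",
            "vpn-instance"},
    "ipoe": {"acl", "idle-cut", "ip-pool", "ipv6-pool", "ipv6-prefix", "primary-dns",
             "secondary-dns", "session-timeout", "user-profile", "vpn-instance"},
    "portal": {"acl", "idle-cut", "ip-pool", "ipv6-pool", "session-timeout", "user-profile"},
    "lan-access": {"acl", "idle-cut", "session-timeout", "user-profile", "vlan"},
    "telnet": {"idle-cut", "user-role", "work-directory"},
    "terminal": {"idle-cut", "user-role", "work-directory"},
    "ssh": {"idle-cut", "user-role", "work-directory"},
    "http": {"user-role"},
    "https": {"user-role"},
    "ftp": {"user-role", "work-directory"},
    "sslvpn": {"sslvpn-policy-group"},
    "ike": {"ip-pool"},
}

# Options the page makes available only in local user view, never in user group view.
USER_VIEW_ONLY = {"ip", "ipv6", "user-role"}


def honoured_attributes(service: str, leased_line: bool = False,
                        wireless: bool = False) -> Set[str]:
    """Attribute names that take effect for a service, with the two page caveats:
    vpn-instance is ignored for IPoE leased-line users, and idle-cut only
    takes effect for wireless LAN users."""
    names = set(SUPPORTED.get(service, set()))
    if service == "ipoe" and leased_line:
        names.discard("vpn-instance")
    if service == "lan-access" and not wireless:
        names.discard("idle-cut")
    return names


def effective_attributes(service: str, user_attrs: Dict[str, Any],
                         group_attrs: Dict[str, Any], **caveats: bool) -> Dict[str, Any]:
    """Group attributes reach every member, a local-user attribute overrides the
    same group attribute, and anything the service does not honour is dropped."""
    bad = USER_VIEW_ONLY.intersection(group_attrs)
    if bad:
        raise ValueError(f"not configurable in user group view: {sorted(bad)}")
    merged = {**group_attrs, **user_attrs}
    names = honoured_attributes(service, **caveats)
    return {k: v for k, v in merged.items() if k in names}


def ignored_attributes(service: str, user_attrs: Dict[str, Any],
                       group_attrs: Dict[str, Any], **caveats: bool) -> List[str]:
    """Configured attributes that silently do nothing for this service; worth
    reporting, because an admin may believe an ACL or VLAN is being enforced."""
    merged = {**group_attrs, **user_attrs}
    names = honoured_attributes(service, **caveats)
    return sorted(k for k in merged if k not in names)


if __name__ == "__main__":
    group = {"vlan": 3, "acl": 2000, "idle-cut": 30}          # user-group abc
    user = {"vlan": 2, "work-directory": "flash:"}             # local-user abc
    for svc in ("lan-access", "ssh", "portal"):
        print(svc, effective_attributes(svc, user, group),
              "ignored:", ignored_attributes(svc, user, group))
```

The ignored list is the useful part for review: an acl or vlan attribute on a user whose only service is ssh or https is configuration that enforces nothing, so check that every attribute you rely on actually appears in the honoured set for that user's service type.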

To make sure FTP, SFTP, and SCP users can access the directory after a master/subordinate or active/standby switchover, do not specify chassis or slot information for the working directory.

To make sure a user has only the user roles authorized by using this command, use the undo authorization-attribute user-role command to remove the default user role.

The security-audit user role has access to the commands for managing security log files and security log file system. To display all the accessible commands of the security-audit user role, use the display role name security-audit command. For more information about security log management, see Network Management and Monitoring Configuration Guide. For more information about file system management, see Fundamentals Configuration Guide.

You cannot delete a local user if the local user is the only local user that has the security-audit user role.

The security-audit user role is mutually exclusive with other user roles.

·     When you assign the security-audit user role to a local user, the system requests confirmation for deleting all the other user roles of the user.

·     When you assign other user roles to a local user that has the security-audit user role, the system requests confirmation for deleting the security-audit user role for the local user.

Examples

# Configure the authorized VLAN of network access user abc as VLAN 2.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] authorization-attribute vlan 2

# Configure the authorized VLAN of user group abc as VLAN 3.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc] authorization-attribute vlan 3

# Assign the security-audit user role to device management user xyz as the authorized user role.

<Sysname> system-view

[Sysname] local-user xyz class manage

[Sysname-luser-manage-xyz] authorization-attribute user-role security-audit

This operation will delete all other roles of the user. Are you sure? [Y/N]:y

Related commands

display local-user

display user-group

bind-attribute

Use bind-attribute to configure binding attributes for a local user.

Use undo bind-attribute to remove binding attributes of a local user.

Syntax

bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location interface interface-type interface-number | mac mac-address | vlan vlan-id } *

undo bind-attribute { call-number | ip | location | mac | vlan } *

Default

No binding attributes are configured for a local user.

Views

Local user view

Predefined user roles

network-admin

Parameters

call-number call-number: Specifies a calling number for PPP user authentication. The call-number argument is a string of 1 to 64 characters. This option applies only to PPP users.

subcall-number: Specifies the subcalling number. The total length of the calling number and the subcalling number cannot be more than 62 characters.

ip ip-address: Specifies the IP address to which the user is bound. This option applies only to 802.1X users.

location interface interface-type interface-number: Specifies the interface to which the user is bound. The interface-type argument represents the interface type, and the interface-number argument represents the interface number. To pass authentication, the user must access the network through the bound interface. This option applies only to SSL VPN users that log in through iNode clients, IPoE users, LAN users, portal users, and PPP users.

mac mac-address: Specifies the MAC address of the user in the format H-H-H. This option applies only to IPoE, LAN, portal, and PPP users.

vlan vlan-id: Specifies the VLAN to which the user belongs. The vlan-id argument is in the range of 1 to 4094. This option applies only to IPoE, LAN, portal, and PPP users.

Usage guidelines

To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication.

Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packet. For example, you can configure an IP address binding for an 802.1X user, because 802.1X authentication can include the user's IP address in the packet. However, you cannot configure IP address bindings for MAC authentication users, because MAC authentication does not use IP addresses.

The binding interface type must meet the requirements of the local user. Configure the binding interface based on the service type of the user.

·     If the user is an 802.1X user, specify the 802.1X-enabled Layer 2 Ethernet interface through which the user accesses the device.

·     If the user is a MAC authentication user, specify the MAC authentication-enabled Layer 2 Ethernet interface through which the user accesses the device.

·     If the user is a portal user, specify the portal-enabled interface through which the user accesses the device. Specify the Layer 2 Ethernet interface if portal is enabled on a VLAN interface and the portal roaming enable command is not configured.

Examples

# Bind IP address 3.3.3.3 with network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] bind-attribute ip 3.3.3.3
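The binding attribute check from the usage guidelines above, modeled as an added Python example. This is not Comware code and is not part of this reference; the local user bindings and the two access attempts are constructed, and accepting several MAC address notations is a choice of this example, not behaviour the page documents.

```python
"""Binding attribute check for local authentication (added example, not Comware code).

The rule modelled is the one in the usage guidelines: every configured binding
must be obtainable from the user's access packets and must match, otherwise
authentication fails. Accepting several MAC notations and the sample values
are choices of this example, not behaviour the page documents.
"""
import re
from typing import Any, Dict, List, Tuple


def normalize_mac(mac: str) -> str:
    """Return a MAC in the H-H-H form shown by display local-user (0001-0001-0001)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def check_bindings(bindings: Dict[str, Any],
                   observed: Dict[str, Any]) -> Tuple[bool, List[str]]:
    """Compare configured bind-attribute values with what the access module saw.

    A binding the access type cannot supply is a failure, not a skip: an ip
    binding on a MAC authentication user therefore never passes.
    """
    problems: List[str] = []
    for key, wanted in bindings.items():
        if key not in observed:
            problems.append(f"{key}: not obtainable from this access type")
            continue
        got = observed[key]
        if key == "mac":
            wanted, got = normalize_mac(wanted), normalize_mac(got)
        if wanted != got:
            problems.append(f"{key}: expected {wanted}, got {got}")
    return not problems, problems


if __name__ == "__main__":
    # Constructed local-user abc bindings and two constructed access attempts.
    abc = {"ip": "3.3.3.3", "mac": "0001-0001-0001", "vlan": 2,
           "location": "GigabitEthernet1/0/1"}
    dot1x = {"ip": "3.3.3.3", "mac": "00:01:00:01:00:01", "vlan": 2,
             "location": "GigabitEthernet1/0/1"}
    mac_auth = {"mac": "0001-0001-0001", "vlan": 2, "location": "GigabitEthernet1/0/1"}
    print("802.1X:", check_bindings(abc, dot1x))
    print("MAC auth:", check_bindings(abc, mac_auth))
```

The second attempt shows the failure mode the guidelines warn about: the MAC authentication packet carries no IP address, so a user with an ip binding fails even though every attribute the device could see matched.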

Related commands

display local-user

company

Use company to specify the company of a local guest.

Use undo company to restore the default.

Syntax

company company-name

undo company

Default

No company is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

company-name: Specifies the company name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify company yyy for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] company yyy

Related commands

display local-user

description

Use description to configure a description for a network access user.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a network access user.

Views

Network access user view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the description as Manager of MSC company for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] description Manager of MSC company

# Configure the description as Manager of MSC company for network access user 123.

<Sysname> system-view

[Sysname] local-user 123 class network

[Sysname-luser-network-123] description Manager of MSC company

Related commands

display local-user

display local-guest waiting-approval

Use display local-guest waiting-approval to display pending registration requests for local guests.

Syntax

display local-guest waiting-approval [ user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The name cannot contain a domain name. If you do not specify a guest, this command displays pending registration requests for all local guests.

Usage guidelines

On the Web registration page, users submit local guest registration requests for approval. The guest manager can add supplementary information to the guest accounts and approve the requests. The device then creates local guest accounts based on the approved requests.

Examples

# Display all pending registration requests for local guests.

<Sysname> display local-guest waiting-approval

Total 1 guest informations matched.

 

Guest user Smith:

  Full name  : Smith Li

  Company    : YYY

  Email      : Smith@yyy.com

  Phone      : 139189301033

  Description: The employee of YYY company

Table 2 Command output

Field - Description
Total 1 guest informations matched. - Number of local guests that have pending registration requests.
Full name - Full name of the local guest.
Company - Company name of the local guest.
Email - Email address of the local guest.
Phone - Phone number of the local guest.
Description - Description of the local guest.


Related commands

reset local-guest waiting-approval

display local-user

Use display local-user to display the local user configuration and online user statistics.

Syntax

display local-user [ class { manage | network [ guest ] } | idle-cut { disable | enable } | service-type { advpn | ftp | http | https | ike | ipoe | lan-access | pad | portal | ppp | ssh | sslvpn | telnet | terminal } | state { active | block } | user-name user-name class { manage | network [ guest ] } | vlan vlan-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

class: Specifies the local user type.

manage: Device management user.

network: Network access user.

guest: Guest user account.

idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled.

service-type: Specifies the local users that use a specific type of service.

·     advpn: ADVPN tunnel users.

·     ftp: FTP users.

·     http: HTTP users.

·     https: HTTPS users.

·     ike: IKE users that access the network through IKE extended authentication.

·     ipoe: IPoE users that access the network through Layer 2 or Layer 3 leased lines or STBs.

·     lan-access: LAN users that typically access the network through an Ethernet, such as 802.1X users.

·     pad: X.25 PAD users.

·     portal: Portal users.

·     ppp: PPP users.

·     ssh: SSH users.

·     sslvpn: SSL VPN users.

·     telnet: Telnet users.

·     terminal: Terminal users that log in through console ports, AUX ports, or async ports.

state { active | block }: Specifies local users in active or blocked state. A local user in active state can access network services, but a local user in blocked state cannot.

user-name user-name: Specifies all local users using the specified username. The username must be a case-sensitive string of 1 to 55 characters that does not contain the domain name.

vlan vlan-id: Specifies all local users in a VLAN. The vlan-id argument is in the range of 1 to 4094.

Usage guidelines

If you do not specify any parameters, this command displays information about all local users.

Examples

# Display information about all local users.

<Sysname> display local-user

Device management user root:

 State:                    Active

 Service type:             SSH/Telnet/Terminal

 Access limit:             Enabled           Max access number: 3

 Current access number:    1

 User group:               system

 Bind attributes:

 Authorization attributes:

  Work directory:          flash:

  User role list:          network-admin

 Password control configurations:

  Password aging:          Enabled (3 days)

Network access user jj:

 State:                    Active

 Service type:             Lan-access

 User group:               system

 Bind attributes:

  IP address:              2.2.2.2

  Location bound:          GigabitEthernet1/0/1

  MAC address:             0001-0001-0001

  VLAN ID:                 2

  Calling number:          2:2

 Authorization attributes:

  Idle timeout:            33 minutes

  Work directory:          flash:

  ACL number:              2000

  User profile:            pp

  User role list:          network-operator, level-0, level-3

  SSL VPN policy group:    spg

Network access guest user user1:

  State:                     Active

  Service type:              LAN access/Portal

  User group:                guest1

  Full name:                 Jack

  Company:                   cc

  Email:                     Jack@cc.com

  Phone:                     131129237

  Description:               A guest from company cc

  Sponsor full name:         Sam

  Sponsor department:        security

  Sponsor email:             Sam@aa.com

  Period of validity::

    Start date and time:     2015/04/01-08:00:00

    Expiration date and time:2015/04/03-18:00:00

Total 3 local users matched.

Table 3 Command output

Field - Description
State - Status of the local user: active or blocked.
Service type - Service types that the local user can use, including ADVPN, FTP, HTTP, HTTPS, IKE, IPoE, LAN access, PAD, portal, PPP, SSH, SSL VPN, Telnet, and terminal.
Access limit - Whether the concurrent login limit is enabled.
Max access number - Maximum number of concurrent logins using the local user name.
Current access number - Current number of concurrent logins using the local user name.
User group - Group to which the local user belongs.
Bind attributes - Binding attributes of the local user.
IP address - IP address of the local user.
Location bound - Binding port of the local user.
MAC address - MAC address of the local user.
VLAN ID - Binding VLAN of the local user.
Calling number - Calling number of the ISDN user.
Authorization attributes - Authorization attributes of the local user.
Idle timeout - Idle timeout period of the user, in minutes.
Session-timeout - Session timeout timer of the user, in minutes.
Callback number - Authorized PPP callback number of the local user.
Work directory - Directory that the FTP, SFTP, or SCP user can access.
ACL number - Authorization ACL of the local user.
VLAN ID - Authorized VLAN of the local user.
User profile - Authorization user profile of the local user.
User role list - Authorized roles of the local user.
SSL VPN policy group - SSL VPN policy group authorized to the local user.
IP address - IPv4 address authorized to the local user.
IPv6 address - IPv6 address authorized to the local user.
IPv6 prefix - IPv6 address prefix authorized to the local user.
IP pool - IPv4 address pool authorized to the local user.
IPv6 pool - IPv6 address pool authorized to the local user.
Primary DNS server - IPv4 address of the primary DNS server for the local user.
Secondary DNS server - IPv4 address of the secondary DNS server for the local user.
Primary DNSV6 server - IPv6 address of the primary DNS server for the local user.
Secondary DNSV6 server - IPv6 address of the secondary DNS server for the local user.
URL - PADM URL of the local user.
VPN instance - Authorization VPN instance of the local user.
Password aging - This field appears only when password aging is enabled. The aging time is displayed in parentheses.
Password length - This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.
Password composition - This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:
  ·     Minimum number of character types that the password must contain.
  ·     Minimum number of characters from each type in the password.
Password complexity - This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:
  ·     Whether the password can contain the username or the reverse of the username.
  ·     Whether the password can contain any character repeated consecutively three or more times.
Maximum login attempts - Maximum number of consecutive failed login attempts.
Action for exceeding login attempts - Action to take on the user that failed to log in after using up all login attempts.
Full name - Name of the local guest.
Company - Company name of the local guest.
Email - Email address of the local guest.
Phone - Phone number of the local guest.
Description - Description of the local guest.
Sponsor full name - Name of the guest sponsor.
Sponsor department - Department of the guest sponsor.
Sponsor email - Email address of the guest sponsor.
Period of validity - Validity period of the local guest.
Start date and time - Date and time from which the local guest begins to take effect.
Expiration date and time - Date and time at which the local guest expires.


display user-group

Use display user-group to display user group configuration.

Syntax

display user-group { all | name group-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all user groups.

name group-name: Specifies a user group by its name, a case-insensitive string of 1 to 32 characters.

Examples

# Display the configuration of all user groups.

<Sysname> display user-group all

Total 2 user groups matched.

User group: system

  Authorization attributes:

    Work directory:          flash:

User group: jj

  Authorization attributes:

    Idle timeout:            2 minutes

    Callback number:         2:2

    Work directory:          flash:/

    ACL number:              2000

    VLAN ID:                 2

    User profile:            pp

    SSL VPN policy group:    policygroup1

  Password control configurations:

    Password aging:          Enabled (2 days)

Table 4 Command output

Field

Description

Authorization attributes

Authorization attributes of the user group.

Idle timeout

Idle timeout period, in minutes.

Session-timeout

Session timeout timer, in minutes.

Callback number

Authorized PPP callback number.

Work directory

Directory that FTP, SFTP, or SCP users in the group can access.

ACL number

Authorization ACL.

VLAN ID

Authorized VLAN.

User profile

Authorization user profile.

SSL VPN policy group

SSL VPN policy group authorized to the user group.

IPv6 prefix

IPv6 address prefix authorized to the user group.

IP pool

IPv4 address pool authorized to the user group.

IPv6 pool

IPv6 address pool authorized to the user group.

Primary DNS server

IPv4 address of the primary DNS server authorized to the user group.

Secondary DNS server

IPv4 address of the secondary DNS server authorized to the user group.

Primary DNSV6 server

IPv6 address of the primary DNS server authorized to the user group.

Secondary DNSV6 server

IPv6 address of the secondary DNS server authorized to the user group.

URL

PADM URL for the user group.

VPN instance

Authorization VPN instance for the user group.

Password control configurations

Password control attributes that are configured for the user group.

Password aging

This field appears only when password aging is enabled. The aging time is displayed in parentheses.

Password length

This field appears only when password length control is enabled. The minimum password length is displayed in parentheses.

Password composition

This field appears only when password composition checking is enabled. The field also displays the following information in parentheses:

·     Minimum number of character types that the password must contain.

·     Minimum number of characters from each type in the password.

Password complexity

This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses:

·     Whether the password can contain the username or the reverse of the username.

·     Whether the password can contain any character repeated consecutively three or more times.

Maximum login attempts

Maximum number of consecutive failed login attempts.

Action for exceeding login attempts

Action to take on the user that failed to log in after using up all login attempts.

 

email

Use email to configure an email address for a local guest.

Use undo email to restore the default.

Syntax

email email-string

undo email

Default

No email address is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address for the local guest, a case-sensitive string of 1 to 255 characters. For example, sec@abc.com. The address must comply with RFC 822.

Usage guidelines

The local guest uses the email address to receive notifications from the device.

Examples

# Configure the email address as abc@yyy.com for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] email abc@yyy.com

Related commands

display local-user

full-name

Use full-name to configure the name of a local guest.

Use undo full-name to restore the default.

Syntax

full-name name-string

undo full-name

Default

No name is configured for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the name as abc Snow for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] full-name abc Snow

Related commands

display local-user

group

Use group to assign a local user to a user group.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

A local user belongs to user group system.

Views

Local user view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Examples

# Assign device management user 111 to user group abc.

<Sysname> system-view

[Sysname] local-user 111 class manage

[Sysname-luser-manage-111] group abc

Related commands

display local-user

local-guest auto-delete enable

Use local-guest auto-delete enable to enable the guest auto-delete feature.

Use undo local-guest auto-delete enable to restore the default.

Syntax

local-guest auto-delete enable

undo local-guest auto-delete enable

Default

The guest auto-delete feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to automatically delete the local guest accounts when they expire.

Examples

# Enable the guest auto-delete feature.

<Sysname> system-view

[Sysname] local-guest auto-delete enable

Related commands

validity-datetime

local-guest email format

Use local-guest email format to configure the subject and body for the email notifications of local guest information.

Use undo local-guest email format to delete the configured subject or body for the email notifications of local guest information.

Syntax

local-guest email format to { guest | manager | sponsor } { body body-string | subject sub-string }

undo local-guest email format to { guest | manager | sponsor } { body | subject }

Default

No subject or body is configured for the email notifications of local guest information.

Views

System view

Predefined user roles

network-admin

Parameters

to: Specifies the email recipient.

guest: Specifies the local guest.

manager: Specifies the guest manager.

sponsor: Specifies the guest sponsor.

body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 to 255 characters.

subject sub-string: Configures the email subject. The sub-string argument is a case-sensitive string of 1 to 127 characters.

Usage guidelines

The device sends email notifications to local guests, guest sponsors, or guest managers to deliver guest account information or guest registration requests. Use this command to configure the subject and body of the notifications the device sends.

You can configure one subject and one body for each email recipient. If you configure the subject or body content multiple times for the same recipient, the most recent configuration takes effect.

You must configure both the subject and body for each recipient.

Examples

# Configure the subject and body for the email notifications to send to the local guest.

<Sysname> system-view

[Sysname] local-guest email format to guest subject Guest account information

[Sysname] local-guest email format to guest body A guest account has been created for your use. The username, password, and valid dates for the account are given below.

Related commands

local-guest email sender

local-guest email smtp-server

local-guest manager-email

local-guest send-email

local-guest email sender

Use local-guest email sender to configure the email sender address in email notifications of local guests sent by the device.

Use undo local-guest email sender to restore the default.

Syntax

local-guest email sender email-address

undo local-guest email sender

Default

No email sender address is configured for the email notifications of local guests.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters.

Usage guidelines

If you do not specify the email sender address, the device cannot send email notifications.

The device supports only one email sender address. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the email sender address as abc@yyy.com for email notifications of local guests.

<Sysname> system-view

[Sysname] local-guest email sender abc@yyy.com

Related commands

local-guest email format

local-guest email smtp-server

local-guest manager-email

local-guest send-email

local-guest email smtp-server

Use local-guest email smtp-server to specify the SMTP server through which the device sends email notifications of local guests.

Use undo local-guest email smtp-server to restore the default.

Syntax

local-guest email smtp-server url-string

undo local-guest email smtp-server

Default

No SMTP server is specified to send email notifications of local guests.

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the SMTP server, a case-sensitive string of 1 to 255 characters. The URL must start with smtp:// and follow the standard SMTP URL form.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the SMTP server at smtp://www.test.com/smtp to send local guest email notifications.

<Sysname> system-view

[Sysname] local-guest email smtp-server smtp://www.test.com/smtp

Related commands

local-guest email format

local-guest email sender

local-guest manager-email

local-guest send-email

local-guest generate

Use local-guest generate to create local guests in batch.

Syntax

local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time

Views

System view

Predefined user roles

network-admin

Parameters

username-prefix name-prefix: Specifies the name prefix. The name-prefix argument is a case-sensitive string of 1 to 45 characters. The prefix cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@).

password-prefix password-prefix: Specifies a prefix for the plaintext password. The password-prefix argument is a case-sensitive string of 1 to 53 characters. If you do not specify a password prefix, the device generates passwords randomly for the local guests.

suffix suffix-number: Specifies the start suffix number of the username and password. The suffix-number argument is a numeric string of 1 to 10 digits.

group group-name: Specifies a user group by the name. The group-name argument is a case-sensitive string of 1 to 32 characters. If you do not specify a user group, the guests are assigned to the system-defined user group system.

count user-count: Specifies the number of local guests to be created. The value range for the user-count argument is 1 to 256.

validity-datetime: Specifies the validity period of the local guests. The expiration date and time must be later than the start date and time.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

Account names of batch-created local guests all start with the string specified by the name prefix and end with a suffix number. The first guest uses the specified start suffix number, and the device increments the number by 1 for each subsequent guest in the batch.

If a password prefix is specified, the device generates the plaintext password of each guest in the same way, from the password prefix and the guest's suffix number. Passwords generated this way differ only by a sequential number, so any one of them reveals the rest of the batch. Omit the password prefix to have the device generate a random password for each guest instead.

Consider the system resources when you specify the number of local guests to create. The device might fail to create all accounts for a large batch of local guests because of insufficient resources.

If a local guest to be created has the same name as an existing local guest on the device, the new guest overrides the existing guest.
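The naming, password and validity-period rules above, worked through in Python as an added example (this is not code from the device or from H3C). It keeps the width of the start suffix number so that prefix abc, suffix 01 and a count of 20 yield abc01 through abc20 as in the example below, builds passwords from the password prefix and suffix only when a prefix is given and otherwise draws random ones, and accepts both date layouts and the optional minutes and seconds of validity-datetime. How the device renders a suffix that outgrows its original width is not stated on this page; the example assumes the number simply gains a digit.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Alphabet for randomly generated passwords (an assumption; the device's own alphabet is not documented here).
_PW_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def parse_validity_datetime(date_str: str, time_str: str) -> datetime:
    """Parse the start/expiration parameters: MM/DD/YYYY or YYYY/MM/DD plus hh[:mm[:ss]].
    The month field can never exceed 12, so a first field above 12 must be the year."""
    a, b, c = (int(p) for p in date_str.split("/"))
    year, month, day = (a, b, c) if a > 12 else (c, a, b)
    if not 2000 <= year <= 2035:
        raise ValueError(f"year {year} is outside 2000 to 2035")
    parts = [int(p) for p in time_str.split(":")]
    hour, minute, second = (parts + [0, 0])[:3]      # omitted mm and ss default to 0
    return datetime(year, month, day, hour, minute, second)   # rejects hh > 23, mm/ss > 59


@dataclass
class Guest:
    username: str
    password: str
    group: str
    start: datetime
    expiration: datetime


def generate_guests(name_prefix: str, suffix: str, count: int,
                    start: datetime, expiration: datetime,
                    password_prefix: Optional[str] = None,
                    group: str = "system") -> List[Guest]:
    """Mirror local-guest generate: name = prefix + suffix, suffix incremented by 1 per guest
    and zero-padded to the width of the start suffix (assumed: the width grows on overflow)."""
    if not 1 <= count <= 256:
        raise ValueError("count must be 1 to 256")
    if expiration <= start:
        raise ValueError("expiration must be later than start")
    if not suffix.isdigit() or not 1 <= len(suffix) <= 10:
        raise ValueError("suffix must be a numeric string of 1 to 10 digits")
    width = len(suffix)
    guests = []
    for i in range(count):
        sfx = str(int(suffix) + i).zfill(width)
        if password_prefix is not None:
            # Predictable by design: every password in the batch is prefix + sequential suffix.
            password = password_prefix + sfx
        else:
            password = "".join(secrets.choice(_PW_ALPHABET) for _ in range(16))
        guests.append(Guest(name_prefix + sfx, password, group, start, expiration))
    return guests
```

With prefix abc, suffix 01 and count 20 the function returns abc01 through abc20; with password-prefix pw it returns pw01, pw02, and so on, which is exactly why the text recommends leaving the password prefix out.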

Examples

# Create 20 local guests in batch with user names abc01 through abc20 for user group visit. The user accounts are effective from 2014/10/01 00:00:00 to 2015/10/02 12:00:00.

<Sysname> system-view

[Sysname] local-guest generate username-prefix abc suffix 01 group visit count 20 validity-datetime 2014/10/01 00:00:00 to 2015/10/02 12:00:00

Related commands

local-user

display local-user

local-guest manager-email

Use local-guest manager-email to configure the email address of the guest manager.

Use undo local-guest manager-email to restore the default.

Syntax

local-guest manager-email email-address

undo local-guest manager-email

Default

No email address is configured for the guest manager.

Views

System view

Predefined user roles

network-admin

Parameters

email-address: Specifies the email address, a case-sensitive string of 1 to 255 characters. For example, sec@abc.com. The address must comply with RFC 822.

Usage guidelines

Use this command to specify the email address to which the device sends the local guest registration requests for approval.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the email address of the guest manager as xyz@yyy.com.

<Sysname> system-view

[Sysname] local-guest manager-email xyz@yyy.com

Related commands

local-guest email format

local-guest email sender

local-guest email smtp-server

local-guest send-email

local-guest send-email

Use local-guest send-email to send emails to a local guest or guest sponsor.

Syntax

local-guest send-email user-name user-name to { guest | sponsor }

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by user name, a case-sensitive string of 1 to 55 characters. The name cannot contain a domain name.

to: Specifies the email recipient.

guest: Specifies the local guest.

sponsor: Specifies the guest sponsor.

Usage guidelines

Guest managers can use this command to inform local guests or guest sponsors of the guest password and validity period information.

Examples

# Send an email to notify local guest abc of the guest password and validity period information.

<Sysname> local-guest send-email user-name abc to guest

Related commands

email

sponsor-email

local-guest timer

Use local-guest timer to set the waiting-approval timeout timer for local guests.

Syntax

local-guest timer waiting-approval time-value

undo local-guest timer waiting-approval

Default

The setting is 24 hours.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets the waiting-approval timeout timer in the range of 1 to 720, in hours.

Usage guidelines

The waiting-approval timeout timer starts when the registration request of a local guest is sent for approval. If the request is not approved within the timer, the device deletes the registration request.

Examples

# Set the waiting-approval timeout timer to 12 hours.

<Sysname> system-view

[Sysname] local-guest timer waiting-approval 12

local-user

Use local-user to add a local user and enter its view, or enter the view of an existing local user.

Use undo local-user to delete local users.

Syntax

local-user user-name [ class { manage | network [ guest ] } ]

undo local-user { user-name class { manage | network [ guest ] } | all [ service-type { advpn | ftp | http | https | ike | ipoe | lan-access | pad | portal | ppp | ssh | sslvpn | telnet | terminal } | class { manage | network [ guest ] } ] }

Default

No local users exist.

Views

System view

Predefined user roles

network-admin

Parameters

user-name: Specifies the local user name, a case-sensitive string of 1 to 55 characters that does not contain the domain name. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@). The name also cannot be a, al, or all.

class: Specifies the local user type.

manage: Device management user that can configure and monitor the device after login. Device management users can use FTP, HTTP, HTTPS, Telnet, SSH, terminal, and PAD services.

network: Network access user that accesses network resources through the device. Network access users can use ADVPN, IKE, IPoE, LAN access, portal, PPP, and SSL VPN services.

guest: Guest that can access network resources through the device during a specific validity period. Guests can use LAN access and portal services.

all: Specifies all users.

service-type: Specifies the local users that use a specific type of service.

·     advpn: ADVPN tunnel users.

·     ftp: FTP users.

·     http: HTTP users.

·     https: HTTPS users.

·     ike: IKE users that access the network through IKE extended authentication.

·     ipoe: IPoE users that access the network through Layer 2 or Layer 3 leased lines or STBs.

·     lan-access: LAN access users that typically access the network through Ethernet, such as 802.1X users.

·     pad: X.25 PAD users.

·     portal: Portal users.

·     ppp: PPP users.

·     ssh: SSH users.

·     sslvpn: SSL VPN users.

·     telnet: Telnet users.

·     terminal: Terminal users that log in through console ports, AUX ports, or async ports.

Usage guidelines

If you do not specify the class { manage | network } option, this command adds a device management user.

Examples

# Add a device management user named user1 and enter local user view.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1]

# Add a network access user named user2 and enter local user view.

<Sysname> system-view

[Sysname] local-user user2 class network

[Sysname-luser-network-user2]

# Add a local guest named user3 and enter local guest view.

<Sysname> system-view

[Sysname] local-user user3 class network guest

[Sysname-luser-network(guest)-user3]

Related commands

display local-user

service-type (local user view)

local-user-export class network guest

Use local-user-export class network guest to export local guest account information to a .csv file in the specified path.

Syntax

local-user-export class network guest url url-string

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can import the user account information back to the device or to other devices that support the local-user-import class network guest command. Before the import, you can edit the .csv file as needed. However, you must follow the restrictions in "local-user-import class network guest."

The device supports TFTP and FTP file transfer modes. Neither protocol protects the file or the FTP credentials in transit, so use a server that is reachable only from a trusted management network. Table 5 describes the valid URL formats of the .csv file.

Table 5 URL formats

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

·     With FTP user name and password:
ftp://username:password@server/path/filename

·     Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

 

Examples

# Export local guest account information to the guest.csv file in the ftp://1.1.1.1/user/ path.

<Sysname> system-view

[Sysname] local-user-export class network guest url ftp://1.1.1.1/user/guest.csv

Related commands

local-user-import class network guest

local-user-import class network guest

Use local-user-import class network guest to import local guest account information from a .csv file in the specified path to the device to create local guests based on the imported information.

Syntax

local-user-import class network guest url url-string validity-datetime start-date start-time to expiration-date expiration-time [ auto-create-group | override | start-line line-number ] *

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters.

validity-datetime: Specifies the guest validity period of the local guests. The expiration date and time must be later than the start date and time.

start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the start time of the validity period, in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the end date and time of the validity period.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

auto-create-group: Enables the device to automatically create user groups for the imported local guests if the groups in the imported information do not exist on the device. If you do not specify this keyword, the device adds all imported local guests to the system-defined user group system.

override: Enables the device to override the existing account with the same name as an imported guest account. If you do not specify this keyword, the device retains the existing account and does not import the local guest with the same name.

start-line line-number: Specifies the line of the .csv file at which the account import begins. Lines before it are skipped. If you do not specify a line number, this command imports all accounts in the .csv file.

Usage guidelines

Each account entry in the .csv file contains the following parameters, which must appear in exactly this order:

·     Username—User name of the guest account. The user name cannot be empty and cannot contain any of the following characters: forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign (@). Any invalid character results in account import failure and interruption.

·     Password—Password of the guest account. If the password is empty, the device generates a random password for the guest.

·     User group—User group to which the guest belongs. If the user group is empty, the device assigns the guest to the system-defined user group system.

·     Guest full name—Name of the guest.

·     Guest company—Company of the guest.

·     Guest email—Email address of the guest.

·     Guest phone—Phone number of the guest.

·     Guest description—Description of the guest.

·     Sponsor full name—Name of the guest sponsor.

·     Sponsor department—Department of the guest sponsor.

·     Sponsor email—Email address of the guest sponsor.

Put each account entry on its own line and separate the parameter values in an entry with commas (,). If a value contains a comma (,), enclose the value in a pair of double quotation marks ("") so that it is not split into two values. For example:

Jack,abc,visit,Jack Chen,ETP,jack@etp.com,1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,Sam@yy.com
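The import rules above (fixed column order, username character restrictions, empty password and empty group defaults, quoted commas, start-line, override and auto-create-group), worked through in Python as an added example that is not device code. It lets a guest file be validated before it is placed on the TFTP or FTP server, so that a single bad username does not interrupt the import part-way. The sample file is constructed for the example: its first entry is the one shown above and the other two are made up. The random-password alphabet is an assumption, and the auto-create-group handling follows this page's wording literally (without the keyword every imported guest lands in group system).

```python
import csv
import io
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Column order required by local-user-import class network guest.
COLUMNS = ["username", "password", "group", "full_name", "company", "email", "phone",
           "description", "sponsor_full_name", "sponsor_department", "sponsor_email"]
FORBIDDEN_NAME_CHARS = set('/\\|:*?<>@')
_PW_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"   # assumed alphabet

# Constructed sample: first entry from the reference, the other two made up for the example.
SAMPLE_CSV = (
    'Jack,abc,visit,Jack Chen,ETP,jack@etp.com,1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,Sam@yy.com\n'
    'Mei,,visit,Mei Li,ETP,mei@etp.com,1399900,Visitor,Sam Wang,Ministry of personnel,Sam@yy.com\n'
    'Tom,pw1,,Tom Wu,ETP,tom@etp.com,1399901,Visitor,Sam Wang,Ministry of personnel,Sam@yy.com\n'
)


@dataclass
class GuestRecord:
    fields: Dict[str, str]
    line: int


def parse_guest_csv(text: str, start_line: int = 1) -> List[GuestRecord]:
    """Parse a guest .csv in the required column order, beginning at start_line.
    Raises on the first invalid username, mirroring the device's 'import failure and interruption'."""
    records = []
    reader = csv.reader(io.StringIO(text))   # honours "quoted, values" that contain commas
    for line_no, row in enumerate(reader, start=1):
        if line_no < start_line or not row:
            continue
        if len(row) != len(COLUMNS):
            raise ValueError(f"line {line_no}: expected {len(COLUMNS)} values, got {len(row)}")
        fields = dict(zip(COLUMNS, row))
        name = fields["username"]
        if not name or set(name) & FORBIDDEN_NAME_CHARS or len(name) > 55:
            raise ValueError(f"line {line_no}: invalid username {name!r}; import interrupted")
        if not fields["password"]:       # empty password: the device generates a random one
            fields["password"] = "".join(secrets.choice(_PW_ALPHABET) for _ in range(16))
        if not fields["group"]:          # empty group: system-defined user group system
            fields["group"] = "system"
        records.append(GuestRecord(fields, line_no))
    return records


def merge_import(existing: Dict[str, Dict[str, str]], records: List[GuestRecord],
                 override: bool = False, auto_create_group: bool = False,
                 known_groups: Tuple[str, ...] = ("system",)) -> Tuple[Dict[str, Dict[str, str]], List[str]]:
    """Apply the override and auto-create-group keywords to an in-memory account table.
    Returns the updated table and the usernames that were skipped."""
    table = dict(existing)
    groups = set(known_groups)
    skipped = []
    for rec in records:
        f = dict(rec.fields)
        if auto_create_group:
            groups.add(f["group"])       # missing groups are created on the fly
        else:
            f["group"] = "system"        # without the keyword all imported guests go to system
        if f["username"] in table and not override:
            skipped.append(f["username"])   # existing account is kept, import of this name skipped
            continue
        table[f["username"]] = f         # new account, or existing one overridden
    return table, skipped
```

Run parse_guest_csv over the file first; only when it returns without raising is the file safe to hand to the device, because the device stops at the first invalid username and leaves earlier lines imported and later ones not.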

The device supports TFTP and FTP file transfer modes. Neither protocol protects the file or the FTP credentials in transit, so use a server that is reachable only from a trusted management network. Table 6 describes the valid URL formats of the .csv file.

Table 6 URL formats

Protocol

URL format

Description

TFTP

tftp://server/path/filename

Specify a TFTP server by IP address or hostname. For example, specify the file path as tftp://1.1.1.1/user/user.csv.

FTP

·     With FTP user name and password:
ftp://username:password@server/path/filename

·     Without FTP user name and password:
ftp://server/path/filename

Specify an FTP server by IP address or hostname.

The device ignores the domain name in the FTP user name.

For example, specify the file path as ftp://1:1@1.1.1.1/user/user.csv or ftp://1.1.1.1/user/user.csv.

 

Examples

# Import guest account information from the ftp://1.1.1.1/user/guest.csv file and specify a validity period for the imported guests.

<Sysname> system-view

[Sysname] local-user-import class network guest url ftp://1.1.1.1/user/guest.csv validity-datetime 2014/10/01 00:00:00 to 2014/10/02 12:00:00

Related commands

display local-user

local-user-export class network guest

password (device management user view)

Use password to configure a password for a local user.

Use undo password to restore the default.

Syntax

In non-FIPS mode:

password [ { hash | simple } string ]

undo password

In FIPS mode:

password

Default

In non-FIPS mode, a device management user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

In FIPS mode, a device management user does not have a password and cannot pass authentication.

Views

Device management user view

Predefined user roles

network-admin

Parameters

hash: Specifies a password in hashed form.

simple: Specifies a password in plaintext form. For security purposes, a password entered in plaintext form is stored in hashed form.

string: Specifies the password string. This argument is case sensitive.

·     In non-FIPS mode:

¡     The hashed form of the password is a string of 1 to 110 characters.

¡     The plaintext form of the password is a string of 1 to 63 characters.

·     In FIPS mode, the password is in plaintext form and is a string of 15 to 63 characters. The string must contain digits, uppercase letters, lowercase letters, and special characters (see "Password control commands").

Usage guidelines

If you do not specify any parameters, you enter the interactive mode to set a plaintext password.

In non-FIPS mode, a device management user for which no password is specified can pass authentication after entering the correct username and passing attribute checks. To enhance security, configure a password for each device management user.

In FIPS mode, a password is required for a device management user to pass authentication. You must set the password in interactive mode.
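The password composition and complexity checks listed in the display local-user and display user-group output tables (minimum number of character types, minimum characters per type, no username or reversed username, no character repeated three or more times in a row) and the FIPS-mode rule above (15 to 63 characters with digits, uppercase, lowercase and special characters) are worth reproducing in provisioning scripts so that a password is rejected before it is pushed with password simple. The following Python is an added example, not code from the device or this reference. The four character classes and the thresholds in PasswordPolicy are assumptions made for the example; the device's own defaults and its exact special-character set are not given on this page.

```python
import string
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    """Thresholds mirroring the 'Password control configurations' fields.
    The default values are assumptions for this example."""
    min_length: int = 10        # Password length: minimum length
    min_types: int = 2          # Password composition: minimum number of character types
    min_per_type: int = 1       # Password composition: minimum characters of each type present
    forbid_username: bool = True   # Password complexity: no username or reversed username
    forbid_repeats: bool = True    # Password complexity: no character repeated 3+ times in a row
    max_length: int = 63        # plaintext limit of the password command


# Assumed classification of the four character types.
_TYPES = {
    "digit": set(string.digits),
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "special": set(string.punctuation),
}

# FIPS mode as described for the password command: 15 to 63 characters, all four types.
FIPS_POLICY = PasswordPolicy(min_length=15, min_types=4, min_per_type=1)


def has_triple_repeat(password: str) -> bool:
    """True if any character occurs three or more times consecutively (e.g. 'aaa')."""
    run = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        if run >= 3:
            return True
    return False


def check_password(password: str, username: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append(f"length must be {policy.min_length} to {policy.max_length} characters")
    counts = {name: sum(1 for ch in password if ch in chars) for name, chars in _TYPES.items()}
    present = [name for name, n in counts.items() if n > 0]
    if len(present) < policy.min_types:
        problems.append(f"needs at least {policy.min_types} character types, has {len(present)}")
    weak = [name for name in present if counts[name] < policy.min_per_type]
    if weak:
        problems.append(f"fewer than {policy.min_per_type} characters of type(s): {', '.join(weak)}")
    if policy.forbid_username and username:
        lowered, user = password.lower(), username.lower()
        if user in lowered or user[::-1] in lowered:
            problems.append("contains the username or the reversed username")
    if policy.forbid_repeats and has_triple_repeat(password):
        problems.append("contains a character repeated three or more times consecutively")
    return problems
```

check_password("123456TESTplat&!", "user1") returns an empty list under both the default and the FIPS policy, which is consistent with that value being used as the example password below; a password such as user1Pass#2024 fails the username rule even though it satisfies every composition rule.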

Examples

# Set the password to 123456TESTplat&! in plaintext form for device management user user1.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

# Configure the password in interactive mode for device management user test.

<Sysname> system-view

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password

Password:

confirm :

Related commands

display local-user

password (network access user view)

Use password to configure a password for a network access user.

Use undo password to restore the default.

Syntax

password { cipher | simple } string

undo password

Default

A network access user does not have a password and can pass authentication after entering the correct username and passing attribute checks.

Views

Network access user view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

As a best practice to enhance security, configure a password for each network access user.

Examples

# Set the password to 123456TESTuser&! in plaintext form for network access user user1.

<Sysname> system-view

[Sysname] local-user user1 class network

[Sysname-luser-network-user1] password simple 123456TESTuser&!

Related commands

display local-user

phone

Use phone to specify the phone number of a local guest.

Use undo phone to restore the default.

Syntax

phone phone-number

undo phone

Default

No phone number is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

phone-number: Specifies the phone number, a string of 1 to 32 characters.

Examples

# Specify the phone number as 138-137239201 for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] phone 138-137239201

Related commands

display local-user

reset local-guest waiting-approval

Use reset local-guest waiting-approval to clear pending registration requests for local guests.

Syntax

reset local-guest waiting-approval [ user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The name cannot contain a domain name. If you do not specify a guest, this command clears information about all registration requests for local guests.

Examples

# Clear information about all registration requests for local guests.

<Sysname> reset local-guest waiting-approval

Related commands

display local-guest waiting-approval

service-type (local user view)

Use service-type to specify the service types that a local user can use.

Use undo service-type to delete service types configured for a local user.

Syntax

In non-FIPS mode:

service-type { advpn | ftp | ike | ipoe | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp | sslvpn }

undo service-type { advpn | ftp | ike | ipoe | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp | sslvpn }

In FIPS mode:

service-type { advpn | ike | ipoe | lan-access | { https | pad | ssh | terminal } * | portal | ppp | sslvpn }

undo service-type { advpn | ike | ipoe | lan-access | { https | pad | ssh | terminal } * | portal | ppp | sslvpn }

Default

A local user is not authorized to use any service.

Views

Local user view

Predefined user roles

network-admin

Parameters

advpn: Authorizes the user to use the ADVPN service.

ftp: Authorizes the user to use the FTP service. By default, the user can use the root directory of the FTP, SFTP, or SCP server. The authorized directory can be modified by using the authorization-attribute work-directory command.

http: Authorizes the user to use the HTTP service.

https: Authorizes the user to use the HTTPS service.

ike: Authorizes the user to use the IKE extended authentication service.

ipoe: Authorizes the user to use the IPoE service.

lan-access: Authorizes the user to use the LAN access service. The users are typically Ethernet users, for example, 802.1X users.

pad: Authorizes the user to use the PAD service.

ssh: Authorizes the user to use the SSH service.

telnet: Authorizes the user to use the Telnet service.

terminal: Authorizes the user to use the terminal service and log in from a console, AUX, or async port.

portal: Authorizes the user to use the Portal service.

ppp: Authorizes the user to use the PPP service.

sslvpn: Authorizes the user to use the SSL VPN service.

Usage guidelines

You can assign multiple service types to a user.

Examples

# Authorize device management user user1 to use the Telnet and FTP services.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] service-type telnet

[Sysname-luser-manage-user1] service-type ftp

Related commands

display local-user

sponsor-department

Use sponsor-department to specify the department of the guest sponsor for a local guest.

Use undo sponsor-department to restore the default.

Syntax

sponsor-department department-string

undo sponsor-department

Default

No department is specified for the guest sponsor.

Views

Local guest view

Predefined user roles

network-admin

Parameters

department-string: Specifies the department name, a case-sensitive string of 1 to 127 characters.

Examples

# Specify the department as test for the guest sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-department test

Related commands

display local-user

sponsor-email

Use sponsor-email to specify the email address of the guest sponsor for a local guest.

Use undo sponsor-email to restore the default.

Syntax

sponsor-email email-string

undo sponsor-email

Default

No email address is specified for the guest sponsor.

Views

Local guest view

Predefined user roles

network-admin

Parameters

email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822.

Examples

# Specify the email address as Sam@a.com for the guest sponsor of local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-email Sam@a.com

Related commands

display local-user

sponsor-full-name

Use sponsor-full-name to specify the guest sponsor name for a local guest.

Use undo sponsor-full-name to restore the default.

Syntax

sponsor-full-name name-string

undo sponsor-full-name

Default

No guest sponsor name is specified for a local guest.

Views

Local guest view

Predefined user roles

network-admin

Parameters

name-string: Specifies the guest sponsor name, a case-sensitive string of 1 to 255 characters.

Examples

# Specify the guest sponsor name as Sam Li for local guest abc.

<Sysname> system-view

[Sysname] local-user abc class network guest

[Sysname-luser-network(guest)-abc] sponsor-full-name Sam Li

Related commands

display local-user

state (local user view)

Use state to set the status of a local user.

Use undo state to restore the default.

Syntax

state { active | block }

undo state

Default

A local user is in active state.

Views

Local user view

Predefined user roles

network-admin

Parameters

active: Places the local user in active state to allow the local user to request network services.

block: Places the local user in blocked state to prevent the local user from requesting network services.

Usage guidelines

This command applies only to the local user.

Examples

# Place device management user user1 in blocked state.

<Sysname> system-view

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] state block

Related commands

display local-user

user-group

Use user-group to create a user group and enter its view, or enter the view of an existing user group.

Use undo user-group to delete a user group.

Syntax

user-group group-name

undo user-group group-name

Default

A system-defined user group exists. The group name is system.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A user group consists of a group of local users and has a set of local user attributes. You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group.

A user group that has local users cannot be deleted.

You can modify settings for the system-defined user group system, but you cannot delete the user group.

Examples

# Create a user group named abc and enter user group view.

<Sysname> system-view

[Sysname] user-group abc

[Sysname-ugroup-abc]

Related commands

display user-group

validity-datetime

Use validity-datetime to specify the validity period for a network access user.

Use undo validity-datetime to restore the default.

Syntax

validity-datetime start-date start-time to expiration-date expiration-time

undo validity-datetime

Default

The validity period for a network access user does not expire.

Views

Network access user view

Predefined user roles

network-admin

Parameters

start-date: Specifies the date on which the network access user becomes effective. The date is in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

start-time: Specifies the time on the day when the network access user becomes effective. The time is in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

to: Specifies the expiration date and time for the network access user.

expiration-date: Specifies the expiration date in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for the MM argument is 1 to 12. The value range for the DD argument varies with the specified month. The value range for the YYYY argument is 2000 to 2035.

expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00.

Usage guidelines

The expiration date and time must be later than the start date and time.

Expired network access user accounts cannot be used for authentication, and an account is not usable before its start date and time either.
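The parsing and checking rules above, as an added Python example that is not Comware code: it accepts both date formats and the optional mm and ss fields, enforces the year range and the start-before-expiration rule, and decides whether an account may authenticate at a given instant. Treating the expiration instant itself as already expired is an assumption the page does not settle.

```python
import re
from datetime import date, datetime, time

# Added example (not Comware code): parse a validity-datetime command as
# documented for network access users and decide whether the account may
# authenticate at a given moment.

_DATE_RE = re.compile(r"^(\d{1,4})/(\d{1,2})/(\d{1,4})$")


def parse_date(text):
    """Accept MM/DD/YYYY or YYYY/MM/DD. YYYY must be 2000 to 2035; the day
    range depends on the month (the date constructor enforces that)."""
    m = _DATE_RE.match(text)
    if not m:
        raise ValueError(f"bad date {text!r}")
    first, second, third = (int(x) for x in m.groups())
    if len(m.group(1)) == 4:            # YYYY/MM/DD
        year, month, day = first, second, third
    else:                                # MM/DD/YYYY
        month, day, year = first, second, third
    if not 2000 <= year <= 2035:
        raise ValueError(f"year {year} outside 2000 to 2035")
    if not 1 <= month <= 12:
        raise ValueError(f"month {month} outside 1 to 12")
    return date(year, month, day)        # raises ValueError for e.g. 02/30


def parse_time(text):
    """Accept hh[:mm[:ss]]; mm and ss default to 0, so '1' means 01:00:00."""
    parts = text.split(":")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad time {text!r}")
    hh, mm, ss = (int(p) for p in (parts + ["0", "0"])[:3])
    if hh > 23 or mm > 59 or ss > 59:
        raise ValueError(f"time {text!r} out of range")
    return time(hh, mm, ss)


class ValidityPeriod:
    """Start and expiration instants of a network access user account."""

    def __init__(self, start_date, start_time, expiration_date, expiration_time):
        self.start = datetime.combine(parse_date(start_date), parse_time(start_time))
        self.end = datetime.combine(parse_date(expiration_date), parse_time(expiration_time))
        # Page rule: the expiration date and time must be later than the start.
        if self.end <= self.start:
            raise ValueError("expiration date and time must be later than start")

    def is_valid_at(self, when):
        """True if an authentication attempt at 'when' (datetime or ISO 8601
        string) falls inside the period. Counting the expiration instant
        itself as expired is an assumption; the page does not say."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        return self.start <= when < self.end


def parse_validity_command(line):
    """Parse 'validity-datetime <start-date> <start-time> to <exp-date> <exp-time>'."""
    tokens = line.split()
    if len(tokens) != 6 or tokens[0] != "validity-datetime" or tokens[3] != "to":
        raise ValueError(f"unexpected syntax: {line!r}")
    return ValidityPeriod(tokens[1], tokens[2], tokens[4], tokens[5])
```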

Examples

# Specify the validity period for network access user abc.

<Sysname> system-view

[Sysname] local-user abc class network

[Sysname-luser-network-abc] validity-datetime 2014/10/01 00:00:00 to 2015/10/02 12:00:00

Related commands

display local-user

RADIUS commands

aaa device-id

Use aaa device-id to configure the device ID.

Use undo aaa device-id to restore the default.

Syntax

aaa device-id device-id

undo aaa device-id

Default

The device ID is 0.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies a device ID in the range of 1 to 255.

Usage guidelines

RADIUS uses the value of the Acct-Session-ID attribute as the accounting ID for a user. The device generates an Acct-Session-ID value that includes the device ID for each online user.

If you modify the device ID, the new device ID does not apply to users that were already online at the time of the change.

Examples

# Configure the device ID as 1.

<Sysname> system-view

[Sysname] aaa device-id 1

accounting-on enable

Use accounting-on enable to configure the accounting-on feature.

Use undo accounting-on enable to disable the accounting-on feature.

Syntax

accounting-on enable [ interval interval | send send-times ] *

undo accounting-on enable

Default

The accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3 seconds.

send send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value range for the send-times argument is 1 to 255, and the default setting is 50.

Usage guidelines

The accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a device reboot. Upon receiving the accounting-on packet, the RADIUS server logs out all online users so they can log in again through the device.

Execute the save command to ensure that the accounting-on enable command takes effect at the next reboot. For information about the save command, see Fundamentals Command Reference.

Parameters set by using the accounting-on enable command take effect immediately.

Examples

# Enable the accounting-on feature for RADIUS scheme radius1, and set the retransmission interval to 5 seconds and the transmission attempts to 15.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on enable interval 5 send 15

Related commands

display radius scheme

accounting-on extended

Use accounting-on extended to enable the extended accounting-on feature.

Use undo accounting-on extended to disable the extended accounting-on feature.

Syntax

accounting-on extended

undo accounting-on extended

Default

The extended accounting-on feature is disabled.

Views

RADIUS scheme view

Predefined user roles

network-admin

network-operator

Usage guidelines

The extended accounting-on feature enhances the accounting-on feature by covering the scenario in which a card reboots but the device does not. For the extended accounting-on feature to take effect, you must enable the accounting-on feature.

The extended accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after a card reboot. The packet contains both the device and card identifiers. Upon receiving the accounting-on packet, the RADIUS server logs out all online users that access the device through the card. If no users have come online through the card, the device does not send an accounting-on packet to the RADIUS server after the card reboots.

The device uses the packet retransmission interval and maximum transmission attempts set by using the accounting-on enable command for this feature.

The extended accounting-on feature requires the RADIUS server to run on IMC.

The extended accounting-on feature is applicable to IPoE, LAN, and PPP (L2TP LAC-side) users. Data of these users is saved to the cards through which the users access the device.

Execute the save command to ensure that the accounting-on extended command takes effect at the next card reboot. For information about the save command, see Fundamentals Command Reference.

Examples

# Enable the extended accounting-on feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] accounting-on extended

Related commands

accounting-on enable

display radius scheme

attribute 15 check-mode

Use attribute 15 check-mode to configure the Login-Service attribute check method for SSH, FTP, and terminal users.

Use undo attribute 15 check-mode to restore the default.

Syntax

attribute 15 check-mode { loose | strict }

undo attribute 15 check-mode

Default

The strict check method applies for SSH, FTP, and terminal users.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

loose: Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

strict: Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

Usage guidelines

Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users.

Examples

# Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 15 check-mode loose

Related commands

display radius scheme

attribute 25 car

Use attribute 25 car to configure the device to interpret the RADIUS class attribute (attribute 25) as CAR parameters.

Use undo attribute 25 car to restore the default.

Syntax

attribute 25 car

undo attribute 25 car

Default

The RADIUS class attribute is not interpreted as CAR parameters.

Views

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

Configure the device to interpret the RADIUS class attribute if the RADIUS server uses the attribute to deliver CAR parameters for user-based traffic monitoring and control.

Examples

# In RADIUS scheme radius1, configure the device to interpret the RADIUS class attribute as CAR parameters.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 25 car

Related commands

display radius scheme

attribute 31 mac-format

Use attribute 31 mac-format to configure the MAC address format for RADIUS attribute 31.

Use undo attribute 31 mac-format to restore the default.

Syntax

attribute 31 mac-format section { six | three } separator separator-character { lowercase | uppercase }

undo attribute 31 mac-format

Default

A MAC address is in the format of HH-HH-HH-HH-HH-HH. The MAC address is separated by hyphens (-) into six sections with letters in upper case.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

section: Specifies the number of sections that a MAC address contains.

six: Specifies the six-section format HH-HH-HH-HH-HH-HH.

three: Specifies the three-section format HHHH-HHHH-HHHH.

separator separator-character: Specifies a case-sensitive character that separates the sections.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

Usage guidelines

Configure the MAC address format for RADIUS attribute 31 to meet the requirements of the RADIUS servers.
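An added Python example, not Comware code, that reproduces the six-section and three-section formats, separator and letter case that the command selects, so the value a RADIUS server will receive in attribute 31 can be predicted and compared with what the server expects. The command parser assumes exactly the keyword order shown in the syntax above.

```python
import re

# Added example (not Comware code): reproduce the MAC address formats that
# 'attribute 31 mac-format' selects for RADIUS attribute 31.

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(text):
    """Strip common separators and return the 12 hex digits in upper case."""
    digits = re.sub(r"[-:.\s]", "", text)
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits.upper()


def format_mac(text, section="six", separator="-", case="uppercase"):
    """Render 'text' in the selected format. The defaults reproduce the
    page's default HH-HH-HH-HH-HH-HH with upper-case letters."""
    if section not in ("six", "three"):
        raise ValueError("section must be 'six' or 'three'")
    if len(separator) != 1:
        raise ValueError("separator must be a single character")
    if case not in ("lowercase", "uppercase"):
        raise ValueError("case must be 'lowercase' or 'uppercase'")
    digits = normalize_mac(text)
    width = 2 if section == "six" else 4          # HH per section vs HHHH
    rendered = separator.join(digits[i:i + width] for i in range(0, 12, width))
    return rendered.lower() if case == "lowercase" else rendered


def parse_mac_format_command(line):
    """Turn 'attribute 31 mac-format section <six|three> separator <char>
    <lowercase|uppercase>' into keyword arguments for format_mac()."""
    tokens = line.split()
    fixed = {0: "attribute", 1: "31", 2: "mac-format", 3: "section", 5: "separator"}
    if len(tokens) != 8 or any(tokens[i] != word for i, word in fixed.items()):
        raise ValueError(f"unexpected syntax: {line!r}")
    return {"section": tokens[4], "separator": tokens[6], "case": tokens[7]}
```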

Examples

# In RADIUS scheme radius1, specify the MAC address format as hh:hh:hh:hh:hh:hh for RADIUS attribute 31.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute 31 mac-format section six separator : lowercase

Related commands

display radius scheme

attribute convert (RADIUS DAS view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { coa-ack | coa-request } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

coa-ack: Specifies the CoA acknowledgment packets.

coa-request: Specifies the CoA request packets.

received: Specifies the received DAE packets.

sent: Specifies the sent DAE packets.

Usage guidelines

The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.

The conversion rules take effect only when the RADIUS attribute translation feature is enabled.

When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:

·     The source and destination RADIUS attributes in a rule must use the same data type.

·     The source and destination RADIUS attributes in a rule cannot use the same name.

·     A source RADIUS attribute can be converted by only one kind of criterion: either packet type or direction, not both.

·     One source RADIUS attribute cannot be converted to multiple destination attributes.

If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.

Examples

# In RADIUS DAS view, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute in the received DAE packets with the H3c-User-Roles attribute.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] attribute convert Hw-Server-String to H3c-User-Roles received

Related commands

attribute translate

attribute convert (RADIUS scheme view)

Use attribute convert to configure a RADIUS attribute conversion rule.

Use undo attribute convert to delete RADIUS attribute conversion rules.

Syntax

attribute convert src-attr-name to dest-attr-name { { access-accept | access-request | accounting } * | { received | sent } * }

undo attribute convert [ src-attr-name ]

Default

No RADIUS attribute conversion rules exist. The system processes RADIUS attributes according to the principles of the standard RADIUS protocol.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

src-attr-name: Specifies the source RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

dest-attr-name: Specifies the destination RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

access-accept: Specifies the RADIUS Access-Accept packets.

access-request: Specifies the RADIUS Access-Request packets.

accounting: Specifies the RADIUS accounting packets.

received: Specifies the received RADIUS packets.

sent: Specifies the sent RADIUS packets.

Usage guidelines

The device replaces the attribute in packets that match a RADIUS attribute conversion rule with the destination RADIUS attribute in the rule.

The conversion rules take effect only when the RADIUS attribute translation feature is enabled.

When you configure RADIUS attribute conversion rules, follow these restrictions and guidelines:

·     The source and destination RADIUS attributes in a rule must use the same data type.

·     The source and destination RADIUS attributes in a rule cannot use the same name.

·     A source RADIUS attribute can be converted by only one kind of criterion: either packet type or direction, not both.

·     One source RADIUS attribute cannot be converted to multiple destination attributes.

If you do not specify a source RADIUS attribute, the undo attribute convert command deletes all RADIUS attribute conversion rules.

Examples

# In RADIUS scheme radius1, configure a RADIUS attribute conversion rule to replace the Hw-Server-String attribute of received RADIUS packets with the H3c-User-Roles attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute convert Hw-Server-String to H3c-User-Roles received

Related commands

attribute translate

attribute reject (RADIUS DAS view)

Use attribute reject to configure a RADIUS attribute rejection rule.

Use undo attribute reject to delete RADIUS attribute rejection rules.

Syntax

attribute reject attr-name { { coa-ack | coa-request } * | { received | sent } * }

undo attribute reject [ attr-name ]

Default

No RADIUS attribute rejection rules exist.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

coa-ack: Specifies the CoA acknowledgment packets.

coa-request: Specifies the CoA request packets.

received: Specifies the received DAE packets.

sent: Specifies the sent DAE packets.

Usage guidelines

Configure RADIUS attribute rejection rules for the following purposes:

·     Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify the attributes.

·     Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.

The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.

A RADIUS attribute can be rejected by only one kind of criterion: either packet type or direction, not both.

If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.

Examples

# In RADIUS DAS view, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the DAE packets to be sent.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] attribute reject Connect-Info sent

Related commands

attribute translate

attribute reject (RADIUS scheme view)

Use attribute reject to configure a RADIUS attribute rejection rule.

Use undo attribute reject to delete RADIUS attribute rejection rules.

Syntax

attribute reject attr-name { { access-accept | access-request | accounting } * | { received | sent } * }

undo attribute reject [ attr-name ]

Default

No RADIUS attribute rejection rules exist.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

attr-name: Specifies a RADIUS attribute by its name, a case-insensitive string of 1 to 63 characters. The attribute must be supported by the system.

access-accept: Specifies the RADIUS Access-Accept packets.

access-request: Specifies the RADIUS Access-Request packets.

accounting: Specifies the RADIUS accounting packets.

received: Specifies the received RADIUS packets.

sent: Specifies the sent RADIUS packets.

Usage guidelines

Configure RADIUS attribute rejection rules for the following purposes:

·     Delete attributes from the RADIUS packets to be sent if the destination RADIUS server does not identify the attributes.

·     Ignore unwanted attributes in the RADIUS packets received from a RADIUS server.

The RADIUS attribute rejection rules take effect only when the RADIUS attribute translation feature is enabled.

A RADIUS attribute can be rejected by only one kind of criterion: either packet type or direction, not both.

If you do not specify a RADIUS attribute, the undo attribute reject command deletes all RADIUS attribute rejection rules.

Examples

# In RADIUS scheme radius1, configure a RADIUS attribute rejection rule to delete the Connect-Info attribute from the RADIUS packets to be sent.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute reject Connect-Info sent

Related commands

attribute translate

attribute remanent-volume

Use attribute remanent-volume to set the data measurement unit for the Remanent_Volume attribute.

Use undo attribute remanent-volume to restore the default.

Syntax

attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte }

undo attribute remanent-volume unit

Default

The data measurement unit is kilobyte for the Remanent_Volume attribute.

Views

RADIUS scheme view

Predefined user roles

network-admin

network-operator

Parameters

byte: Specifies the unit as byte.

giga-byte: Specifies the unit as gigabyte.

kilo-byte: Specifies the unit as kilobyte.

mega-byte: Specifies the unit as megabyte.

Usage guidelines

Make sure the measurement unit is the same as the user data measurement unit on the RADIUS server.

Examples

# In RADIUS scheme radius1, set the data measurement unit to kilobyte for the Remanent_Volume attribute.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute remanent-volume unit kilo-byte

Related commands

display radius scheme

attribute translate

Use attribute translate to enable the RADIUS attribute translation feature.

Use undo attribute translate to disable the RADIUS attribute translation feature.

Syntax

attribute translate

undo attribute translate

Default

The RADIUS attribute translation feature is disabled.

Views

RADIUS DAS view

RADIUS scheme view

Predefined user roles

network-admin

Usage guidelines

To cooperate with RADIUS servers of different vendors, enable the RADIUS attribute translation feature. Configure RADIUS attribute conversion rules and rejection rules to ensure that RADIUS attributes in the packets exchanged between the device and the server are supported by both sides.
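An added Python model, not Comware code, of the attribute translation state that attribute translate, attribute convert (RADIUS scheme view) and attribute reject (RADIUS scheme view) build up: it enforces the restrictions listed under those commands (supported names, same data type, different names, one criterion kind, one destination per source), leaves packets untouched until translation is enabled, and applies the page's two example rules to sample packets. The catalog of supported attributes and their data types is a constructed assumption; the device's real catalog is not on the page.

```python
# Added example (not Comware code): RADIUS attribute translation rules of
# one RADIUS scheme, with the restrictions the command reference lists,
# applied to constructed sample packets.

# Constructed catalog of "supported" attributes and their data types
# (assumption: the device's real catalog is not on the page).
SUPPORTED_ATTRIBUTES = {
    "Hw-Server-String": "string",
    "H3c-User-Roles": "string",
    "Connect-Info": "string",
    "Acct-Session-Time": "integer",
}
_BY_LOWER = {k.lower(): (k, t) for k, t in SUPPORTED_ATTRIBUTES.items()}

PACKET_TYPES = {"access-accept", "access-request", "accounting"}
DIRECTIONS = {"received", "sent"}


def _lookup(name):
    """Attribute names are case-insensitive; unsupported names are refused."""
    try:
        return _BY_LOWER[name.lower()]
    except KeyError:
        raise ValueError(f"attribute {name!r} is not supported") from None


def _split_criteria(words):
    """A rule uses packet types or directions, never both, and at least one."""
    types = {w for w in words if w in PACKET_TYPES}
    dirs = {w for w in words if w in DIRECTIONS}
    unknown = set(words) - types - dirs
    if unknown:
        raise ValueError(f"unknown criteria {sorted(unknown)}")
    if (types and dirs) or not (types or dirs):
        raise ValueError("use exactly one criterion kind: packet type or direction")
    return types, dirs


def _matches(criteria, packet):
    types, dirs = criteria
    return packet["type"] in types or packet["direction"] in dirs


class AttributeTranslator:
    """Attribute translation state of one RADIUS scheme."""

    def __init__(self):
        self.enabled = False   # default: 'attribute translate' not configured
        self.convert = {}      # source name -> (destination name, (types, dirs))
        self.reject = {}       # attribute name -> (types, dirs)

    def attribute_translate(self, enable=True):
        self.enabled = enable

    def attribute_convert(self, src, dest, *criteria):
        src_name, src_type = _lookup(src)
        dest_name, dest_type = _lookup(dest)
        if src_name == dest_name:
            raise ValueError("source and destination cannot use the same name")
        if src_type != dest_type:
            raise ValueError("source and destination must use the same data type")
        if src_name in self.convert and self.convert[src_name][0] != dest_name:
            raise ValueError("one source attribute cannot map to multiple destinations")
        self.convert[src_name] = (dest_name, _split_criteria(criteria))

    def undo_attribute_convert(self, src=None):
        """Without a source name, all conversion rules are deleted."""
        if src is None:
            self.convert.clear()
        else:
            self.convert.pop(_lookup(src)[0], None)

    def attribute_reject(self, name, *criteria):
        self.reject[_lookup(name)[0]] = _split_criteria(criteria)

    def undo_attribute_reject(self, name=None):
        """Without an attribute name, all rejection rules are deleted."""
        if name is None:
            self.reject.clear()
        else:
            self.reject.pop(_lookup(name)[0], None)

    def translate(self, packet):
        """Apply the rules to packet['attrs'] (list of (name, value)) and
        return the resulting list. packet['type'] is one of PACKET_TYPES and
        packet['direction'] one of DIRECTIONS."""
        if not self.enabled:          # rules have no effect until enabled
            return list(packet["attrs"])
        result = []
        for name, value in packet["attrs"]:
            canon = _BY_LOWER.get(name.lower(), (name, None))[0]
            if canon in self.reject and _matches(self.reject[canon], packet):
                continue                                     # attribute dropped
            if canon in self.convert and _matches(self.convert[canon][1], packet):
                canon = self.convert[canon][0]               # attribute renamed
            result.append((canon, value))
        return result
```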

Examples

# Enable the RADIUS attribute translation feature for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute translate

Related commands

attribute convert (RADIUS DAS view)

attribute convert (RADIUS scheme view)

attribute reject (RADIUS DAS view)

attribute reject (RADIUS scheme view)

attribute vendor-id 2011 version

Use attribute vendor-id 2011 version to specify the version of the RADIUS servers with a vendor ID of 2011.

Use undo attribute vendor-id 2011 version to restore the default.

Syntax

attribute vendor-id 2011 version { 1.0 | 1.1 }

undo attribute vendor-id 2011 version

Default

The version is 1.0.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

1.0: Specifies version 1.0.

1.1: Specifies version 1.1.

Usage guidelines

For the device to correctly interpret RADIUS attributes from servers with a vendor ID of 2011, specify the version that matches the actual version of those RADIUS servers.

Examples

# In RADIUS scheme radius1, specify the version of the RADIUS servers with a vendor ID of 2011 as version 1.1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] attribute vendor-id 2011 version 1.1

Related commands

client

display radius scheme

client

Use client to specify a RADIUS DAC.

Use undo client to remove the specified RADIUS DAC.

Syntax

client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vendor-id 2011 version { 1.0 | 1.1 } | vpn-instance vpn-instance-name ] *

undo client { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

No RADIUS DACs are specified.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a DAC by its IPv4 address.

ipv6 ipv6-address: Specifies a DAC by its IPv6 address.

key: Specifies the shared key for secure communication between the RADIUS DAC and DAS. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADIUS DAC does not have any shared key, do not specify this option.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain characters from digits, uppercase letters, lowercase letters, and special characters.

vendor-id 2011: Specifies the vendor-ID of the DAC as 2011.

version: Specifies the version of the DAC.

1.0: Specifies the DAC version as version 1.0.

1.1: Specifies the DAC version as version 1.1.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS DAC belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The device discards DAE packets sent from DACs that are not specified for the DAS.

You can execute the client command multiple times to specify multiple DACs for the DAS.

To work with a DAC with vendor-ID 2011 and version 1.0, you do not need to specify the vendor-ID or version attribute. To work with a DAC with vendor-ID 2011 and version 1.1, you must specify the vendor-id 2011 version 1.1 keywords.

Examples

# Specify DAC 10.110.1.2 in VPN instance abc. Set the shared key to 123456 in plaintext form for secure communication between the DAS and DAC.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] client ip 10.110.1.2 key simple 123456 vpn-instance abc

Related commands

radius dynamic-author server

port

data-flow-format (RADIUS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In RADIUS scheme radius1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display radius scheme

display radius scheme

Use display radius scheme to display RADIUS scheme configuration.

Syntax

display radius scheme [ radius-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a RADIUS scheme, this command displays the configuration of all RADIUS schemes.

Examples

# Display the configuration of all RADIUS schemes.

<Sysname> display radius scheme

Total 1 RADIUS schemes

 

------------------------------------------------------------------

RADIUS scheme name : radius1

  Index : 0

  Primary authentication server:

    IP   : 2.2.2.2                                  Port: 1812

    VPN  : vpn1

    State: Active

    Test profile: 132

      Probe username: test

      Probe interval: 60 minutes

  Primary accounting server:

    IP : 1.1.1.1                                    Port: 1813

    VPN : Not configured

    State: Active

  Second authentication server:

    IP : 3.3.3.3                                    Port: 1812

    VPN : Not configured

    State: Block

    Test profile: Not configured

  Second accounting server:

    IP : 3.3.3.3                                    Port: 1813

    VPN : Not configured

    State: Block (Mandatory)

 

  Accounting-On function                     : Enabled

    extended function                        : Enabled

    retransmission times                     : 5

    retransmission interval(seconds)         : 2

  Timeout Interval(seconds)                  : 3

  Retransmission Times                       : 3

  Retransmission Times for Accounting Update : 5

  Server Quiet Period(minutes)               : 5

  Realtime Accounting Interval(seconds)      : 22

  NAS IP Address                             : 1.1.1.1

  VPN                                        : Not configured

  User Name Format                           : with-domain

  Data flow unit                             : Megabyte

  Packet unit                                : One

  Attribute 15 check-mode                    : Strict

  Attribute 25                               : CAR

  Attribute Remanent-Volume unit             : Mega

  RADIUS server version (vendor ID 2011)     : 1.0

  Attribute 31 MAC format                    : hh:hh:hh:hh:hh:hh

 

------------------------------------------------------------------

Table 7 Command output

Index: Index number of the RADIUS scheme.

Primary authentication server: Information about the primary authentication server.

Primary accounting server: Information about the primary accounting server.

Second authentication server: Information about the secondary authentication server.

Second accounting server: Information about the secondary accounting server.

IP: IP address of the server. If no server is configured, this field displays Not configured.

Port: Service port number of the server. If no port number is specified, this field displays the default port number.

VPN (under a server): MPLS L3VPN instance to which the server belongs. If no VPN instance is specified for the server, this field displays Not configured.

State: Status of the server:

·     Active—The server is in active state.

·     Block—The server is changed to blocked state automatically.

·     Block (Mandatory)—The server is set to blocked state manually.

Test profile: Test profile used for RADIUS server status detection.

Probe username: Username used for RADIUS server status detection.

Probe interval: Server status detection interval, in minutes.

Accounting-On function: Whether the accounting-on feature is enabled.

extended function: Whether the extended accounting-on feature is enabled.

retransmission times: Number of accounting-on packet transmission attempts.

retransmission interval(seconds): Interval at which the device retransmits accounting-on packets, in seconds.

Timeout Interval(seconds): RADIUS server response timeout period, in seconds.

Retransmission Times: Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Retransmission Times for Accounting Update: Maximum number of attempts for transmitting an accounting-update packet.

Server Quiet Period(minutes): Quiet period for the servers, in minutes.

Realtime Accounting Interval(seconds): Interval for sending real-time accounting updates, in seconds.

NAS IP Address: Source IP address for outgoing RADIUS packets.

VPN (under the scheme): MPLS L3VPN instance to which the RADIUS scheme belongs. If no VPN instance is specified for the scheme, this field displays Not configured.

User Name Format: Format for the usernames sent to the RADIUS server. Possible values include:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as entered.

Data flow unit: Measurement unit for data flow.

Packet unit: Measurement unit for packets.

Attribute 15 check-mode: RADIUS Login-Service attribute check method for SSH, FTP, and terminal users:

·     Strict—Matches Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal services, respectively.

·     Loose—Matches the standard Login-Service attribute value 0 for SSH, FTP, and terminal services.

Attribute 25: RADIUS attribute 25 interpretation status:

·     Standard—The attribute is not interpreted as CAR parameters.

·     CAR—The attribute is interpreted as CAR parameters.

Attribute Remanent-Volume unit: Data measurement unit for the RADIUS Remanent-Volume attribute.

RADIUS server version (vendor ID 2011): Version of the RADIUS servers with a vendor ID of 2011:

·     1.0.

·     1.1.

Attribute 31 MAC format: MAC address format for RADIUS attribute 31.


display radius statistics

Use display radius statistics to display RADIUS packet statistics.

Syntax

display radius statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display RADIUS packet statistics.

<Sysname> display radius statistics

 

                                 Auth.         Acct.       SessCtrl.

          Request Packet:          0             0             0

            Retry Packet:          0             0             -

          Timeout Packet:          0             0             -

        Access Challenge:          0             -             -

           Account Start:          -             0             -

          Account Update:          -             0             -

            Account Stop:          -             0             -

       Terminate Request:          -             -             0

              Set Policy:          -             -             0

    Packet With Response:          0             0             0

 Packet Without Response:          0             0             -

          Access Rejects:          0             -             -

          Dropped Packet:          0             0             0

          Check Failures:          0             0             0

Table 8 Command output

Auth.: Authentication packets.

Acct.: Accounting packets.

SessCtrl.: Session-control packets.

Request Packet: Number of request packets.

Retry Packet: Number of retransmitted request packets.

Timeout Packet: Number of request packets that timed out.

Access Challenge: Number of access challenge packets.

Account Start: Number of start-accounting packets.

Account Update: Number of accounting update packets.

Account Stop: Number of stop-accounting packets.

Terminate Request: Number of packets for logging off users forcibly.

Set Policy: Number of packets for updating user authorization information.

Packet With Response: Number of packets for which responses were received.

Packet Without Response: Number of packets for which no responses were received.

Access Rejects: Number of Access-Reject packets.

Dropped Packet: Number of discarded packets.

Check Failures: Number of packets with checksum errors.

 
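The counters in Table 8 are most useful as a time series. The following Python, added here and not part of the command reference, parses the display radius statistics output into a dictionary, diffs two snapshots, and raises alerts on the indicators a defender watches: Check Failures (a shared key mismatch or forged packets), Packet Without Response (server unreachable, wrong port or wrong key) and a high Access-Reject ratio. Both snapshots are constructed; the first reproduces the all-zero output shown on this page, the second is invented for the demonstration, as are the alert thresholds and wording.

```python
import re

COLUMNS = ("Auth.", "Acct.", "SessCtrl.")
ROW = re.compile(r"^\s*(?P<name>[A-Za-z ]+?):\s+(?P<a>\S+)\s+(?P<b>\S+)\s+(?P<c>\S+)\s*$")

# Two constructed snapshots in the layout of display radius statistics. The
# first is the all-zero output on the page; the second is invented to show what
# a shared-key mismatch, an unanswered server and a burst of rejects look like.
SNAPSHOT_BEFORE = """\
                                 Auth.         Acct.       SessCtrl.
          Request Packet:          0             0             0
            Retry Packet:          0             0             -
          Timeout Packet:          0             0             -
        Access Challenge:          0             -             -
           Account Start:          -             0             -
          Account Update:          -             0             -
            Account Stop:          -             0             -
       Terminate Request:          -             -             0
              Set Policy:          -             -             0
    Packet With Response:          0             0             0
 Packet Without Response:          0             0             -
          Access Rejects:          0             -             -
          Dropped Packet:          0             0             0
          Check Failures:          0             0             0
"""
SNAPSHOT_AFTER = """\
                                 Auth.         Acct.       SessCtrl.
          Request Packet:        120            60             0
            Retry Packet:          4             0             -
          Timeout Packet:          2             0             -
        Access Challenge:         10             -             -
           Account Start:          -            30             -
          Account Update:          -            10             -
            Account Stop:          -            20             -
       Terminate Request:          -             -             0
              Set Policy:          -             -             0
    Packet With Response:        118            60             0
 Packet Without Response:          2             0             -
          Access Rejects:         30             -             -
          Dropped Packet:          0             0             0
          Check Failures:          5             0             0
"""


def parse_radius_statistics(text):
    """Turn the counter table into {row name: {column: int or None}}; '-' becomes None."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # column header or blank line
        values = [None if v == "-" else int(v) for v in (m["a"], m["b"], m["c"])]
        stats[m["name"]] = dict(zip(COLUMNS, values))
    return stats


def counter_delta(before, after):
    """Per-row, per-column increase between two parsed snapshots (None stays None)."""
    return {row: {col: (None if v is None else v - (before.get(row, {}).get(col) or 0))
                  for col, v in cols.items()} for row, cols in after.items()}


def radius_alerts(before_text, after_text, reject_ratio=0.25):
    """Defender-side reading of the counters. Returns a list of alert strings."""
    d = counter_delta(parse_radius_statistics(before_text), parse_radius_statistics(after_text))
    alerts = []
    for col in COLUMNS:
        failed = d.get("Check Failures", {}).get(col) or 0
        if failed:
            alerts.append(f"{col} {failed} packets failed the authenticator check: "
                          "shared key mismatch or forged packets")
        unanswered = d.get("Packet Without Response", {}).get(col) or 0
        if unanswered:
            alerts.append(f"{col} {unanswered} requests unanswered: server down, wrong port or wrong key")
    requests = d.get("Request Packet", {}).get("Auth.") or 0
    rejects = d.get("Access Rejects", {}).get("Auth.") or 0
    if requests and rejects / requests >= reject_ratio:
        alerts.append(f"Auth. {rejects}/{requests} requests rejected: failed logins above threshold")
    return alerts


if __name__ == "__main__":
    for alert in radius_alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(alert)
```

Because reset radius statistics zeroes the counters, a collector that diffs snapshots should treat a decrease as a reset and start a new baseline rather than report a negative delta.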

Related commands

reset radius statistics

key (RADIUS scheme view)

Use key to set the shared key for secure RADIUS authentication or accounting communication.

Use undo key to delete the shared key for secure RADIUS authentication or accounting communication.

Syntax

key { accounting | authentication } { cipher | simple } string

undo key { accounting | authentication }

Default

No shared key is configured for secure RADIUS authentication or accounting communication.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure RADIUS accounting communication.

authentication: Specifies the shared key for secure RADIUS authentication communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers.

The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.
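Added example, not the vendor's code: the precedence rule above (a per-server key over the scheme-wide key, which is restated under primary accounting and primary authentication) together with what the key is actually used for on the wire. It assumes the standard RADIUS authenticator constructions of RFC 2865 and RFC 2866: a Response Authenticator that the NAS checks before trusting an Access-Accept, and an Accounting-Request authenticator that the accounting server checks. The RadiusScheme class is this example's own model; the server addresses and keys are taken from the examples on this page or constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ACCOUNTING_REQUEST = 4


def attribute(attr_type, value):
    """Type, Length, Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


class RadiusScheme:
    """Key selection as the usage guidelines describe it: a key given on the
    server line (primary/secondary ... key ...) wins over the scheme-wide key
    set with key authentication or key accounting."""

    def __init__(self):
        self.scheme_key = {"authentication": None, "accounting": None}
        self.servers = {}  # (service, ip, port) -> per-server key bytes or None

    def key(self, service, secret):
        self.scheme_key[service] = secret.encode()

    def server(self, service, ip, port, key=None):
        self.servers[(service, ip, port)] = key.encode() if key else None

    def effective_key(self, service, ip, port):
        per_server = self.servers.get((service, ip, port))
        return per_server if per_server is not None else self.scheme_key[service]


def build_request(code, identifier, attributes, secret=None):
    """NAS side. An Access-Request carries a random Request Authenticator; an
    Accounting-Request derives it from the packet and the shared key
    (RFC 2866 section 3), so the server can reject a key mismatch outright."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    if code == ACCOUNTING_REQUEST:
        auth = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    else:
        auth = os.urandom(16)
    return header + auth + attributes


def verify_accounting_request(packet, secret):
    """Accounting server side: recompute the Request Authenticator."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, attributes, secret):
    """Server side. Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    auth = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + auth + attributes


def verify_response(request, response, secret):
    """NAS side. A reply that fails this check is discarded, which is how a key
    mismatch shows up in practice: the request simply times out."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Constructed scenario: scheme radius1 with scheme-wide keys, a primary
    authentication server carrying its own key and servers without one."""
    scheme = RadiusScheme()
    scheme.key("authentication", "scheme-wide-key")
    scheme.key("accounting", "ok")                                               # page example
    scheme.server("authentication", "10.110.1.1", 1812, key="123456TESTauth&!")  # page example
    scheme.server("authentication", "10.110.1.3", 1812)
    scheme.server("accounting", "10.110.1.2", 1813)
    auth_key = scheme.effective_key("authentication", "10.110.1.1", 1812)
    acct_key = scheme.effective_key("accounting", "10.110.1.2", 1813)

    request = build_request(ACCESS_REQUEST, 42, attribute(1, b"alice"))
    accept = build_response(ACCESS_ACCEPT, request, attribute(18, b"welcome"), auth_key)
    # A server still holding an old key produces a reply the NAS cannot verify.
    stale = build_response(ACCESS_ACCEPT, request, attribute(18, b"welcome"), b"old-key")
    acct = build_request(ACCOUNTING_REQUEST, 1, attribute(40, b"\x00\x00\x00\x01"), acct_key)
    return {
        "primary_auth_key": auth_key.decode(),
        "secondary_auth_key": scheme.effective_key("authentication", "10.110.1.3", 1812).decode(),
        "accounting_key": acct_key.decode(),
        "accept_verified": verify_response(request, accept, auth_key),
        "stale_key_verified": verify_response(request, stale, auth_key),
        "acct_request_ok": verify_accounting_request(acct, acct_key),
        "acct_request_wrong_key": verify_accounting_request(acct, b"other"),
    }
```

The asymmetry is worth remembering when debugging: a wrong authentication key is only detected by the NAS when the reply arrives (and shows up as a timeout), while a wrong accounting key is detected by the server on the request itself.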

Examples

# In RADIUS scheme radius1, set the shared key to ok in plaintext form for secure accounting communication.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] key accounting simple ok

Related commands

display radius scheme

nas-ip (RADIUS scheme view)

Use nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo nas-ip to delete the source IP address of the specified type for outgoing RADIUS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing RADIUS packet is that specified by using the radius nas-ip command in system view.

If the radius nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing RADIUS packets.

If you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by using the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

A RADIUS scheme can have only one source IPv4 address and one source IPv6 address for outgoing RADIUS packets.

If you do not specify the ipv6 keyword for the undo nas-ip command, the command deletes the source IPv4 address for outgoing RADIUS packets.

Examples

# In RADIUS scheme radius1, specify the IP address 10.1.1.1 as the source IP address for outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] nas-ip 10.1.1.1

Related commands

display radius scheme

radius nas-ip

port

Use port to specify the RADIUS DAS port.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The RADIUS DAS port number is 3799.

Views

RADIUS DAS view

Predefined user roles

network-admin

Parameters

port-number: Specifies a UDP port number in the range of 1 to 65535.

Usage guidelines

The destination port in DAE packets on the DAC must be the same as the RADIUS DAS port on the DAS.

Examples

# Enable the RADIUS DAS to listen to UDP port 3790 for DAE requests.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server] port 3790

Related commands

client

radius dynamic-author server

primary accounting (RADIUS scheme view)

Use primary accounting to specify the primary RADIUS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

The primary RADIUS accounting server is not specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS accounting server.

port-number: Specifies the service port number of the primary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the primary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure the port number and shared key settings of the primary RADIUS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

The shared key configured by using this command takes precedence over the shared key configured with the key accounting command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the primary accounting command to modify or delete the primary accounting server to which the device is sending a start-accounting request, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for accounting.

If you remove an accounting server that is in use, the device no longer sends users' real-time accounting requests and stop-accounting requests. It does not buffer the stop-accounting requests. This can produce incorrect accounting results.

Examples

# In RADIUS scheme radius1, specify the primary accounting server with IP address 10.110.1.2, UDP port number 1813, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple 123456TESTacct&!

Related commands

display radius scheme

key (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

vpn-instance (RADIUS scheme view)

primary authentication (RADIUS scheme view)

Use primary authentication to specify the primary RADIUS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

The primary RADIUS authentication server is not specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication server.

port-number: Specifies the service port number of the primary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the primary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument specifies the test profile name, which is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the service port and shared key settings of the primary RADIUS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

When you specify a test profile for the primary authentication server, make sure the test profile already exists on the device. Otherwise, the device cannot detect the server status.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the primary authentication command to modify or delete the primary authentication server during an authentication process, communication with the primary server times out. The device tries to communicate with an active server that has the highest priority for authentication.

Examples

# In RADIUS scheme radius1, specify the primary authentication server with IP address 10.110.1.1, UDP port number 1812, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key simple 123456TESTauth&!

Related commands

display radius scheme

key (RADIUS scheme view)

radius-server test-profile

secondary authentication (RADIUS scheme view)

vpn-instance (RADIUS scheme view)

radius attribute extended

Use radius attribute extended to define an extended RADIUS attribute.

Use undo radius attribute extended to delete user-defined extended RADIUS attributes.

Syntax

radius attribute extended attribute-name [ vendor vendor-id ] code attribute-code type { binary | date | integer | interface-id | ip | ipv6 | ipv6-prefix | octets | string }

undo radius attribute extended [ attribute-name ]

Default

No user-defined extended RADIUS attributes exist.

Views

System view

Predefined user roles

network-admin

Parameters

attribute-name: Specifies the RADIUS attribute name, a case-insensitive string of 1 to 63 characters. The name must be unique among all RADIUS attributes, including the standard and extended RADIUS attributes.

vendor vendor-id: Specifies a vendor ID in the range of 1 to 65535. If you do not specify a vendor ID, the device processes the RADIUS attribute as a standard RADIUS attribute.

code attribute-code: Specifies the code of the RADIUS attribute in the attribute set. The value range for the attribute-code argument is 1 to 255.

type: Specifies a data type for the attribute content.

binary: Binary type.

date: Date type.

integer: Integer type.

interface-id: Interface ID type.

ip: IPv4 address type.

ipv6: IPv6 address type.

ipv6-prefix: IPv6 address prefix type.

octets: Octet type.

string: String type.

Usage guidelines

To support the proprietary RADIUS attributes of other vendors, perform the following tasks:

1.     Use this command to define the attributes as extended RADIUS attributes.

2.     Use the attribute convert command to map the extended RADIUS attributes to attributes supported by the system.

3.     Use the attribute translate command to enable the RADIUS attribute translation feature for the mappings to take effect.

To cooperate with RADIUS servers of a third-party vendor, map attributes that cannot be identified by the server to server-supported attributes.

Two RADIUS attributes cannot have the same combination of attribute name, vendor ID, and attribute ID.

If you do not specify a RADIUS attribute name, the undo radius attribute extended command deletes all user-defined extended RADIUS attributes.
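On the wire, a vendor ID and code refer to the Vendor-Specific attribute of RFC 2865 (attribute 26, carrying a 4-octet Vendor-Id followed by a vendor type, length and value). The following Python is an added example, not the device's implementation: a small attribute dictionary that enforces the uniqueness rules stated in the usage guidelines, encodes standard and vendor attributes, decodes a received attribute sequence with length checks, and reproduces the page example (Owner-Password, vendor 122, code 80, type string). The standard attributes pre-loaded in the dictionary, the sample values and the treatment of the less common types as raw octets are this example's choices.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26    # RFC 2865 section 5.26
MAX_VALUE = 253         # Length is one octet and covers the 2-octet header
MAX_VENDOR_VALUE = 247  # 253 minus Vendor-Id (4) and vendor type/length (2)
TYPES = {"binary", "date", "integer", "interface-id", "ip", "ipv6", "ipv6-prefix", "octets", "string"}


def encode_value(typ, value):
    if typ == "string":
        return value.encode()
    if typ in ("integer", "date"):  # 32-bit unsigned, network byte order
        return struct.pack("!I", value)
    if typ == "ip":
        return ipaddress.IPv4Address(value).packed
    return bytes(value)             # the remaining types are carried as raw octets here


def decode_value(typ, raw):
    if typ == "string":
        return raw.decode(errors="replace")
    if typ in ("integer", "date") and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if typ == "ip" and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    return raw


class AttributeDictionary:
    """Models radius attribute extended: the name is unique (case-insensitive),
    so is the (vendor, code) pair, and the type decides how the value is coded."""

    def __init__(self):
        self.by_name, self.by_key = {}, {}
        for name, code, typ in (("User-Name", 1, "string"), ("Framed-IP-Address", 8, "ip"),
                                ("Session-Timeout", 27, "integer")):  # a few standard attributes
            self.define(name, code, typ)

    def define(self, name, code, typ, vendor=None):
        if typ not in TYPES:
            raise ValueError(f"unknown type {typ}")
        if name.lower() in self.by_name or (vendor, code) in self.by_key:
            raise ValueError(f"attribute {name} or ({vendor}, {code}) already defined")
        self.by_name[name.lower()] = (vendor, code, typ)
        self.by_key[(vendor, code)] = (name, typ)

    def encode(self, name, value):
        vendor, code, typ = self.by_name[name.lower()]
        raw = encode_value(typ, value)
        if vendor is None:
            if len(raw) > MAX_VALUE:
                raise ValueError("value too long")
            return struct.pack("!BB", code, 2 + len(raw)) + raw
        if len(raw) > MAX_VENDOR_VALUE:
            raise ValueError("value too long for a vendor attribute")
        payload = struct.pack("!IBB", vendor, code, 2 + len(raw)) + raw
        return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(payload)) + payload

    def decode(self, data):
        """Walk a TLV sequence with length checks; unknown attributes stay raw."""
        out, pos = [], 0
        while pos < len(data):
            if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
                raise ValueError("malformed attribute")
            code, length = data[pos], data[pos + 1]
            value, pos = data[pos + 2:pos + length], pos + length
            if code != VENDOR_SPECIFIC:
                out.append(self._named(None, code, value))
                continue
            if len(value) < 6:
                raise ValueError("malformed vendor-specific attribute")
            vendor, sub = struct.unpack("!I", value[:4])[0], 4
            while sub < len(value):  # one VSA may carry several vendor sub-attributes
                if sub + 2 > len(value) or value[sub + 1] < 2 or sub + value[sub + 1] > len(value):
                    raise ValueError("malformed vendor sub-attribute")
                out.append(self._named(vendor, value[sub], value[sub + 2:sub + value[sub + 1]]))
                sub += value[sub + 1]
        return out

    def _named(self, vendor, code, raw):
        if (vendor, code) not in self.by_key:
            return (f"Unknown-{vendor or 0}-{code}", raw)
        name, typ = self.by_key[(vendor, code)]
        return (name, decode_value(typ, raw))


def demo():
    """Page example: string attribute Owner-Password, vendor 122, code 80."""
    d = AttributeDictionary()
    d.define("Owner-Password", 80, "string", vendor=122)
    try:
        d.define("owner-password", 81, "string", vendor=122)  # name clash, case-insensitive
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    wire = (d.encode("User-Name", "alice") + d.encode("Framed-IP-Address", "10.0.0.5")
            + d.encode("Owner-Password", "s3cret") + d.encode("Session-Timeout", 3600))
    return {"vsa_hex": d.encode("Owner-Password", "s3cret").hex(),
            "decoded": d.decode(wire), "duplicate_rejected": duplicate_rejected}
```

Attributes the dictionary does not know are returned as raw octets rather than rejected, which is what a NAS has to do with proprietary attributes from a third-party server before a mapping with attribute convert gives them a meaning.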

Examples

# Define a string-type extended RADIUS attribute with name Owner-Password, vendor ID 122, and attribute ID 80.

<Sysname> system-view

[Sysname] radius attribute extended Owner-Password vendor 122 code 80 type string

Related commands

attribute convert (RADIUS DAS view)

attribute convert (RADIUS scheme view)

attribute reject (RADIUS DAS view)

attribute reject (RADIUS scheme view)

attribute translate

radius dscp

Use radius dscp to change the DSCP priority of RADIUS packets.

Use undo radius dscp to restore the default.

Syntax

radius [ ipv6 ] dscp dscp-value

undo radius [ ipv6 ] dscp

Default

The DSCP priority of RADIUS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 RADIUS packets. If you do not specify this keyword, the command sets the DSCP priority for the IPv4 RADIUS packets.

dscp-value: Specifies the DSCP priority of RADIUS packets, in the range of 0 to 63. A larger value represents a higher priority.

Usage guidelines

Use this command to set the DSCP priority in the ToS field of RADIUS packets to change their transmission priority.

Examples

# Set the DSCP priority of IPv4 RADIUS packets to 10.

<Sysname> system-view

[Sysname] radius dscp 10

radius dynamic-author server

Use radius dynamic-author server to enable the RADIUS DAS feature and enter RADIUS DAS view.

Use undo radius dynamic-author server to disable the RADIUS DAS feature.

Syntax

radius dynamic-author server

undo radius dynamic-author server

Default

The RADIUS DAS feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When you enable the RADIUS DAS feature, the device listens to UDP port 3799 to receive DAE packets from specified DACs.

Examples

# Enable the RADIUS DAS feature and enter RADIUS DAS view.

<Sysname> system-view

[Sysname] radius dynamic-author server

[Sysname-radius-da-server]

Related commands

client

port

radius nas-ip

Use radius nas-ip to specify a source IP address for outgoing RADIUS packets.

Use undo radius nas-ip to delete a source IP address for outgoing RADIUS packets.

Syntax

radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing RADIUS packets.

If you use both the nas-ip command and radius nas-ip command, the following guidelines apply:

·     The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme.

·     The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes.

·     The setting in RADIUS scheme view takes precedence over the setting in system view.

You can specify a maximum of 16 source IP addresses, including the following IP addresses:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

Each VPN instance can have a maximum of one private-network source IPv4 address and one private-network source IPv6 address.
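Added example (not device code) that puts the restrictions and precedence rules of both nas-ip (RADIUS scheme view) and radius nas-ip together: address validation with Python's ipaddress module, the 16-entry and per-VPN-instance limits, and the order in which a source address is chosen. That the system-view entry is looked up by the VPN instance the server belongs to is an assumption of this example; the page states only that the scheme-view setting wins over the system-view one and that the outbound interface address is the last resort. Class, method and sample values other than the two page examples are constructed.

```python
import ipaddress


def valid_nas_ip(addr):
    """Address restrictions from the Parameters sections of nas-ip and radius
    nas-ip: IPv4 must not be 0.0.0.0, 255.255.255.255, class D, class E or
    loopback; IPv6 must be unicast and neither loopback nor link-local."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        class_e = ipaddress.ip_network("240.0.0.0/4")  # includes 255.255.255.255
        return not (ip.is_unspecified or ip.is_multicast or ip in class_e or ip.is_loopback)
    return not (ip.is_unspecified or ip.is_multicast or ip.is_loopback or ip.is_link_local)


class RadiusSourceAddresses:
    """Tracks the system-view radius nas-ip table (at most 16 entries: one IPv4
    and one IPv6 for the public network and per VPN instance) and the
    scheme-view nas-ip settings (one IPv4 and one IPv6 per scheme)."""

    MAX_GLOBAL = 16

    def __init__(self):
        self.global_addrs = {}  # (vpn-instance or None, ip version) -> address
        self.scheme_addrs = {}  # (scheme name, ip version) -> address

    def radius_nas_ip(self, addr, vpn_instance=None):
        if not valid_nas_ip(addr):
            raise ValueError(f"{addr} is not allowed as a RADIUS source address")
        ip = ipaddress.ip_address(addr)
        key = (vpn_instance, ip.version)
        if key not in self.global_addrs and len(self.global_addrs) >= self.MAX_GLOBAL:
            raise ValueError("radius nas-ip: at most 16 source addresses")
        self.global_addrs[key] = ip  # a repeat for the same VPN/version replaces the entry

    def nas_ip(self, scheme, addr):
        if not valid_nas_ip(addr):
            raise ValueError(f"{addr} is not allowed as a RADIUS source address")
        ip = ipaddress.ip_address(addr)
        self.scheme_addrs[(scheme, ip.version)] = ip

    def source_for(self, scheme, server_ip, vpn_instance=None, outbound_if_ip=None):
        """Precedence from the usage guidelines: scheme-view nas-ip, then
        system-view radius nas-ip, then the outbound interface address.
        Assumption (not stated on the page): the system-view entry is picked by
        the VPN instance the server belongs to, public network when none."""
        version = ipaddress.ip_address(server_ip).version
        if (scheme, version) in self.scheme_addrs:
            return self.scheme_addrs[(scheme, version)], "nas-ip (scheme view)"
        if (vpn_instance, version) in self.global_addrs:
            return self.global_addrs[(vpn_instance, version)], "radius nas-ip (system view)"
        return ipaddress.ip_address(outbound_if_ip), "outbound interface"


def demo():
    """Constructed configuration built around the two page examples."""
    cfg = RadiusSourceAddresses()
    cfg.radius_nas_ip("129.10.10.1")                    # page example, public network
    cfg.radius_nas_ip("10.0.0.1", vpn_instance="vpn1")  # constructed
    cfg.nas_ip("radius1", "10.1.1.1")                   # page example, scheme view

    full = RadiusSourceAddresses()
    for i in range(RadiusSourceAddresses.MAX_GLOBAL):
        full.radius_nas_ip(f"10.0.{i}.1", vpn_instance=f"vpn{i}")
    try:
        full.radius_nas_ip("10.0.99.1", vpn_instance="vpn99")
        limit_enforced = False
    except ValueError:
        limit_enforced = True

    candidates = ("0.0.0.0", "255.255.255.255", "224.0.0.5", "240.1.1.1", "127.0.0.1",
                  "10.1.1.1", "fe80::1", "::1", "ff02::1", "2001:db8::1")
    return {
        "scheme_wins": cfg.source_for("radius1", "2.2.2.2", outbound_if_ip="192.0.2.1"),
        "global_public": cfg.source_for("radius2", "2.2.2.2", outbound_if_ip="192.0.2.1"),
        "global_vpn": cfg.source_for("radius2", "10.9.9.9", vpn_instance="vpn1",
                                     outbound_if_ip="192.0.2.1"),
        "interface_fallback": cfg.source_for("radius1", "2001:db8::10",
                                             outbound_if_ip="2001:db8::1"),
        "rejected": [a for a in candidates if not valid_nas_ip(a)],
        "limit_enforced": limit_enforced,
    }
```

The practical consequence of the precedence is that a loopback address configured once with radius nas-ip covers every scheme, while a scheme that needs a different source (for example, one whose server sits in another VPN instance) overrides it locally without touching the others.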

Examples

# Specify IP address 129.10.10.1 as the source address for outgoing RADIUS packets.

<Sysname> system-view

[Sysname] radius nas-ip 129.10.10.1

Related commands

nas-ip (RADIUS scheme view)

radius scheme

Use radius scheme to create a RADIUS scheme and enter its view, or enter the view of an existing RADIUS scheme.

Use undo radius scheme to delete a RADIUS scheme.

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

Default

No RADIUS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

A RADIUS scheme can be used by more than one ISP domain at the same time.

The device supports a maximum of 16 RADIUS schemes.

Examples

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1]

Related commands

display radius scheme

radius session-control client

Use radius session-control client to specify a RADIUS session-control client.

Use undo radius session-control client to remove the specified RADIUS session-control clients.

Syntax

radius session-control client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo radius session-control client { all | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

Default

No RADIUS session-control clients are specified. The device searches all RADIUS scheme settings to verify session-control packets.

Views

System view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a session-control client by its IPv4 address.

ipv6 ipv6-address: Specifies a session-control client by its IPv6 address.

key: Specifies the shared key for secure communication with the session-control client.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the RADIUS session-control client belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the client is on the public network, do not specify this option.

all: Specifies all session-control clients.

Usage guidelines

This command takes effect only when the RADIUS session-control feature is enabled.

Specify a RADIUS server that runs on IMC as a session-control client on the device to verify the session-control packets sent from the RADIUS server. The device matches the received packets to the session-control client based on IP and VPN instance settings, and then uses the client shared key to validate the packets.

The IP, VPN instance, and shared key settings of the session-control client must be the same as the settings of the RADIUS server.

The system supports multiple RADIUS session-control clients.

Examples

# Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext form.

<Sysname> system-view

[Sysname] radius session-control client ip 10.110.1.2 key simple 12345

Related commands

radius session-control enable

radius session-control enable

Use radius session-control enable to enable the RADIUS session-control feature.

Use undo radius session-control enable to disable the RADIUS session-control feature.

Syntax

radius session-control enable

undo radius session-control enable

Default

The RADIUS session-control feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The RADIUS session-control feature enables the device to receive RADIUS session-control packets on UDP port 1812 from a RADIUS server that runs on IMC.

Examples

# Enable the RADIUS session-control feature.

<Sysname> system-view

[Sysname] radius session-control enable

radius-server test-profile

Use radius-server test-profile to configure a test profile for detecting the RADIUS server status.

Use undo radius-server test-profile to delete a RADIUS test profile.

Syntax

radius-server test-profile profile-name username name [ interval interval ]

undo radius-server test-profile profile-name

Default

No RADIUS test profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters.

username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters.

interval interval: Specifies the interval for sending a detection packet, in minutes. The value range for the interval argument is 1 to 3600, and the default value is 60.

Usage guidelines

You can execute this command multiple times to configure multiple test profiles.

If you specify a nonexistent test profile for a RADIUS server, the device does not detect the status of the server until you create the test profile on the device.

You can specify the same test profile for multiple RADIUS servers.

When you delete a test profile, the device stops detecting the status of the RADIUS servers that use the test profile.

Examples

# Configure a test profile named abc for RADIUS server status detection. The detection packet uses admin as the username and is sent every 10 minutes.

<Sysname> system-view

[Sysname] radius-server test-profile abc username admin interval 10

Related commands

primary authentication (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

reset radius statistics

Use reset radius statistics to clear RADIUS statistics.

Syntax

reset radius statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear RADIUS statistics.

<Sysname> reset radius statistics

Related commands

display radius statistics

retry

Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.

Use undo retry to restore the default.

Syntax

retry retries

undo retry

Default

The maximum number of RADIUS packet transmission attempts is 3.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to 20.

Usage guidelines

Because RADIUS uses UDP packets to transmit data, the communication is not reliable.

·     If the device does not receive a response to its request from the RADIUS server within the response timeout period, it retransmits the RADIUS request.

·     If the device does not receive a response from the RADIUS server after the maximum number of transmission attempts is reached, the device considers the request a failure.

If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the product of the following three values cannot be larger than the client timeout period defined by the access module:

·     The maximum number of RADIUS packet transmission attempts.

·     The RADIUS server response timeout period.

·     The number of RADIUS servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.

Examples

# In RADIUS scheme radius1, set the maximum number of RADIUS packet transmission attempts to 5.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry 5

Related commands

radius scheme

timer response-timeout (RADIUS scheme view)

retry realtime-accounting

Use retry realtime-accounting to set the maximum number of accounting attempts.

Use undo retry realtime-accounting to restore the default.

Syntax

retry realtime-accounting retries

undo retry realtime-accounting

Default

The maximum number of accounting attempts is 5.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of accounting attempts, in the range of 1 to 255.

Usage guidelines

Typically, a RADIUS accounting server checks whether a user is online by using a timeout timer. If the server does not receive a real-time accounting request for a user in the timeout period, it considers that a line or device failure has occurred. The server stops accounting for the user.

To work with the RADIUS server, the NAS must send real-time accounting requests to the server before the timer on the server expires, and it must disconnect the user in step with the server when a failure occurs. The NAS disconnects a user based on the maximum number of accounting attempts together with the related timer and retry settings described below.

For example, the RADIUS server response timeout period is 3 seconds (set with the timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time accounting interval is 12 minutes (set with the timer realtime-accounting command), and the maximum number of accounting attempts is five (set with the retry realtime-accounting command). In this case, the device generates an accounting request every 12 minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If the device receives no response after transmitting the request three times, it considers the accounting attempt a failure, and makes another accounting attempt. If five consecutive accounting attempts fail, the device cuts the user connection.
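The failure handling described above, as an added model (not H3C code) that replays a constructed sequence of answered and unanswered real-time accounting requests with the parameter values from the paragraph:

```python
# Added example (not H3C code): a model of the real-time accounting failure
# handling described above. One accounting request is generated every
# realtime-accounting interval; each request is transmitted up to `retry`
# times with a `response-timeout` wait per transmission; an unanswered
# request is one failed accounting attempt; after `retry realtime-accounting`
# consecutive failed attempts the device cuts the user connection.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RadiusScheme:
    response_timeout_s: int = 3         # timer response-timeout (1 to 10 seconds)
    retry: int = 3                      # retry (1 to 20 transmissions)
    realtime_interval_min: int = 12     # timer realtime-accounting (minutes)
    retry_realtime_accounting: int = 5  # retry realtime-accounting (1 to 255)


def attempt_duration_s(scheme: RadiusScheme) -> int:
    """Seconds until one unanswered accounting request is declared a failed
    attempt: every transmission waits the full response timeout."""
    return scheme.retry * scheme.response_timeout_s


def seconds_from_first_failure_to_cut(scheme: RadiusScheme) -> int:
    """Worst-case time between the first unanswered request and the user being
    cut, assuming the server stays silent in between."""
    intervals = (scheme.retry_realtime_accounting - 1) * scheme.realtime_interval_min * 60
    return intervals + attempt_duration_s(scheme)


def simulate(scheme: RadiusScheme,
             server_answers: List[bool]) -> Tuple[Optional[int], Optional[int]]:
    """Replay a constructed sequence of accounting requests.

    server_answers[i] is True if the accounting server answers request i,
    which is sent (i + 1) intervals after login. Returns (second at which the
    user is cut, index of the request that triggered it), or (None, None) if
    the user stays online. One answered request resets the consecutive-failure
    count, which is what "consecutive" means in the paragraph above.
    """
    consecutive_failures = 0
    for i, answered in enumerate(server_answers):
        sent_at_s = (i + 1) * scheme.realtime_interval_min * 60
        if answered:
            consecutive_failures = 0
            continue
        consecutive_failures += 1
        if consecutive_failures >= scheme.retry_realtime_accounting:
            # The cut happens when the last retransmission of this request times out.
            return sent_at_s + attempt_duration_s(scheme), i
    return None, None


if __name__ == "__main__":
    scheme = RadiusScheme()  # the values used in the paragraph above
    print("one failed attempt takes", attempt_duration_s(scheme), "s")
    print("server outage tolerated for", seconds_from_first_failure_to_cut(scheme), "s")
    # Constructed outage: first request answered, then the server goes silent.
    print(simulate(scheme, [True] + [False] * 5))
```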

Examples

# In RADIUS scheme radius1, set the maximum number of accounting attempts to 10.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry realtime-accounting 10

Related commands

retry

timer realtime-accounting (RADIUS scheme view)

timer response-timeout (RADIUS scheme view)

secondary accounting (RADIUS scheme view)

Use secondary accounting to specify a secondary RADIUS accounting server.

Use undo secondary accounting to remove a secondary RADIUS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS accounting servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server.

port-number: Specifies the service port number of the secondary RADIUS accounting server. The value range for the UDP port number is 1 to 65535. The default setting is 1813.

key: Specifies the shared key for secure communication with the secondary RADIUS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of each secondary RADIUS accounting server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

The shared key configured by this command takes precedence over the shared key configured with the key accounting command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for accounting.

If you remove an actively used accounting server, the device no longer sends users' real-time accounting requests and stop-accounting requests. The device does not buffer the stop-accounting requests, either.

Examples

# In RADIUS scheme radius1, specify a secondary accounting server with IP address 10.110.1.1 and UDP port 1813.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

# In RADIUS scheme radius2, specify two secondary accounting servers with the IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813

[Sysname-radius-radius2] secondary accounting 10.110.1.2 1813

Related commands

display radius scheme

key (RADIUS scheme view)

primary accounting (RADIUS scheme view)

vpn-instance (RADIUS scheme view)

secondary authentication (RADIUS scheme view)

Use secondary authentication to specify a secondary RADIUS authentication server.

Use undo secondary authentication to remove a secondary RADIUS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | test-profile profile-name | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary RADIUS authentication servers are specified.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication server.

port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812.

key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 117 characters. The plaintext form of the key is a string of 1 to 64 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 117 characters. The plaintext form of the key is a string of 15 to 64 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

test-profile profile-name: Specifies a test profile for detecting the RADIUS server status. The profile-name argument represents the test profile name, which is a case-sensitive string of 1 to 31 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of each secondary RADIUS authentication server are the same as those configured on the corresponding server.

A RADIUS scheme supports a maximum of 16 secondary RADIUS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

When you specify a test profile for secondary authentication servers, make sure the test profile already exists on the device. Otherwise, the device cannot detect the server status.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

The shared key configured by this command takes precedence over the shared key configured with the key authentication command.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.

If you use the secondary authentication command to modify or delete a secondary authentication server during an authentication process, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for authentication.

Examples

# In RADIUS scheme radius1, specify a secondary authentication server with IP address 10.110.1.2 and UDP port 1812.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

# In RADIUS scheme radius2, specify two secondary authentication servers with the IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1812.

<Sysname> system-view

[Sysname] radius scheme radius2

[Sysname-radius-radius2] secondary authentication 10.110.1.1 1812

[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812

Related commands

display radius scheme

key (RADIUS scheme view)

primary authentication (RADIUS scheme view)

radius-server test-profile

vpn-instance (RADIUS scheme view)

snmp-agent trap enable radius

Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS.

Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.

Syntax

snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

undo snmp-agent trap enable radius [ accounting-server-down | accounting-server-up | authentication-error-threshold | authentication-server-down | authentication-server-up ] *

Default

All RADIUS SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

accounting-server-down: Sends a notification when the RADIUS accounting server becomes unreachable.

accounting-server-up: Sends a notification when the RADIUS accounting server becomes reachable.

authentication-error-threshold: Sends a notification when the number of authentication failures exceeds the specified threshold. The threshold is represented by the ratio of the authentication failures to the total number of authentication attempts. The value range is 1 to 100, and the default value is 30. This threshold can only be configured through the MIB.

authentication-server-down: Sends a notification when the RADIUS authentication server becomes unreachable.

authentication-server-up: Sends a notification when the RADIUS authentication server becomes reachable.

Usage guidelines

If you do not specify any keywords, this command enables or disables all types of notifications for RADIUS.

When SNMP notifications for RADIUS are enabled, the SNMP agent supports the following notifications generated by RADIUS:

·     RADIUS server unreachable notification—The RADIUS server cannot be reached. RADIUS generates this notification if it receives no response to an accounting or authentication request within the specified maximum number of RADIUS request transmission attempts.

·     RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires.

·     Excessive authentication failures notification—RADIUS generates this notification when the ratio of authentication failures to the total number of authentication attempts exceeds the specified threshold.

Examples

# Enable the SNMP agent to send RADIUS accounting server unreachable notifications.

<Sysname> system-view

[Sysname] snmp-agent trap enable radius accounting-server-down

state primary

Use state primary to set the status of a primary RADIUS server.

Syntax

state primary { accounting | authentication } { active | block }

Default

A primary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the primary RADIUS accounting server.

authentication: Specifies the primary RADIUS authentication server.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

During an authentication or accounting process, the device first tries to communicate with the primary server if the primary server is in active state. If the primary server is unavailable, the device performs the following operations:

·     Changes the status of the primary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with a secondary server in active state.

When the quiet timer of the primary server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active.

When the primary server and all secondary servers are in blocked state, the device tries to communicate with the primary server.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a primary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.

Examples

# In RADIUS scheme radius1, set the primary authentication server to the blocked state.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state primary authentication block

Related commands

display radius scheme

radius-server test-profile

state secondary

state secondary

Use state secondary to set the status of a secondary RADIUS server.

Syntax

state secondary { accounting | authentication } [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }

Default

A secondary RADIUS server is in active state.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies a secondary RADIUS accounting server.

authentication: Specifies a secondary RADIUS authentication server.

ipv4-address: Specifies the IPv4 address of a secondary RADIUS server.

ipv6 ipv6-address: Specifies the IPv6 address of a secondary RADIUS server.

port-number: Sets the service port number of a secondary RADIUS server. The value range for the UDP port number is 1 to 65535. The default port numbers for authentication and accounting are 1812 and 1813, respectively.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary RADIUS server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

active: Specifies the active state, the normal operation state.

block: Specifies the blocked state, the out-of-service state.

Usage guidelines

If you do not specify an IP address, this command changes the status of all configured secondary RADIUS servers.

If the device finds that a secondary server in active state is unreachable, the device performs the following operations:

·     Changes the status of the secondary server to blocked.

·     Starts a quiet timer for the server.

·     Tries to communicate with another secondary server in active state.

When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.

This command can affect the RADIUS server status detection feature when a valid test profile is specified for a secondary RADIUS authentication server.

·     If you set the status of the server to blocked, the device stops detecting the status of the server.

·     If you set the status of the server to active, the device starts to detect the status of the server.
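The active/blocked handling described under state primary and state secondary, together with the quiet timer, as an added model (not H3C code). Server reachability and the timestamps are constructed inputs; times are in minutes.

```python
# Added example (not H3C code): a model of the server status handling described
# for state primary and state secondary. A server that fails while active is
# blocked and its quiet timer (timer quiet, default 5 minutes) starts; when the
# timer expires the server returns to active on its own, unless it was blocked
# manually, in which case only a manual "active" brings it back. When every
# server is blocked, the device still tries the primary.
from typing import List, Optional

ACTIVE = "active"
BLOCK = "block"


class RadiusServer:
    def __init__(self, name: str, reachable: bool = True) -> None:
        self.name = name
        self.reachable = reachable        # constructed: does the server answer right now?
        self.state = ACTIVE
        self.quiet_until: Optional[int] = None
        self.manually_blocked = False     # set by `state ... block`

    def expire_quiet_timer(self, now: int) -> None:
        """Quiet timer expiry returns the server to active, unless blocked by hand."""
        if (self.state == BLOCK and not self.manually_blocked
                and self.quiet_until is not None and now >= self.quiet_until):
            self.state = ACTIVE
            self.quiet_until = None


class RadiusScheme:
    def __init__(self, primary: RadiusServer, secondaries: List[RadiusServer],
                 timer_quiet: int = 5) -> None:
        self.primary = primary
        self.secondaries = secondaries    # kept in configured order
        self.timer_quiet = timer_quiet

    def set_state(self, server: RadiusServer, state: str) -> None:
        """`state primary ... { active | block }` / `state secondary ... { active | block }`."""
        server.state = state
        server.manually_blocked = state == BLOCK
        if state == ACTIVE:
            server.quiet_until = None

    def select(self, now: int) -> Optional[RadiusServer]:
        """Return the server that answered a request sent at `now`, or None when
        the authentication or accounting attempt fails."""
        servers = [self.primary] + self.secondaries
        for s in servers:
            s.expire_quiet_timer(now)
        active = [s for s in servers if s.state == ACTIVE]
        if not active:
            # Primary and all secondaries blocked: the device tries the primary
            # anyway; this model leaves every state untouched in that case.
            return self.primary if self.primary.reachable else None
        for s in active:
            if s.reachable:
                return s
            s.state = BLOCK            # unreachable: block it and start its quiet timer
            s.quiet_until = now + self.timer_quiet
        return None                    # every active server was unreachable


if __name__ == "__main__":
    primary = RadiusServer("primary", reachable=False)
    sec1, sec2 = RadiusServer("sec1"), RadiusServer("sec2")
    scheme = RadiusScheme(primary, [sec1, sec2])
    for t in (0, 1, 5):
        chosen = scheme.select(t)
        print(t, chosen.name if chosen else None, primary.state)
```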

Examples

# In RADIUS scheme radius1, set all the secondary authentication servers to the blocked state.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] state secondary authentication block

Related commands

display radius scheme

radius-server test-profile

state primary

timer quiet (RADIUS scheme view)

Use timer quiet to set the quiet timer for the servers specified in a RADIUS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet timer period is 5 minutes in a RADIUS scheme.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Usage guidelines

Make sure the server quiet timer is set correctly.

·     A timer that is too short might result in frequent authentication or accounting failures. This is because the device will continue to attempt to communicate with an unreachable server that is in active state.

·     A timer that is too long might temporarily block a reachable server that has recovered from a failure. This is because the server will remain in blocked state until the timer expires.

Examples

# In RADIUS scheme radius1, set the quiet timer to 10 minutes for the servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer quiet 10

Related commands

display radius scheme

timer realtime-accounting (RADIUS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting interval [ second ]

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

interval: Specifies the real-time accounting interval in the range of 0 to 71582.

second: Specifies the measurement unit as second. If you do not specify this keyword, the real-time accounting interval is measured in minutes.

Usage guidelines

When the real-time accounting interval on the device is not zero, the device sends online user accounting information to the RADIUS accounting server at the configured interval.

When the real-time accounting interval on the device is zero, the device sends online user accounting information to the RADIUS accounting server at the real-time accounting interval configured on the server. If the real-time accounting interval is not configured on the server, the device does not send online user accounting information.

A short interval helps improve accounting precision but requires many system resources.

Table 9 Recommended real-time accounting intervals

Number of users    Real-time accounting interval
1 to 99            3 minutes
100 to 499         6 minutes
500 to 999         12 minutes
1000 or more       15 minutes or longer

Examples

# In RADIUS scheme radius1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer realtime-accounting 51

Related commands

retry realtime-accounting

timer response-timeout (RADIUS scheme view)

Use timer response-timeout to set the RADIUS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The RADIUS server response timeout period is 3 seconds.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the RADIUS server response timeout period, in the range of 1 to 10 seconds.

Usage guidelines

If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request, it resends the request so that the user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval.

If the client times out during the authentication process, the user is immediately logged off. To avoid user logoffs, the product of the following three values cannot be larger than the client timeout period defined by the access module:

·     The maximum number of RADIUS packet transmission attempts.

·     The RADIUS server response timeout period.

·     The number of RADIUS servers in the RADIUS scheme.

When the device sends a RADIUS request to a new RADIUS server, it checks the total amount of time it has taken to transmit the RADIUS packet. If the amount of time has reached 300 seconds, the device stops sending the RADIUS request to the next RADIUS server. As a best practice, consider the number of RADIUS servers when you configure the maximum number of packet transmission attempts and the RADIUS server response timeout period.
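The time budget described here and under retry, as an added calculation (not H3C code): how long a request can take when no server answers, how the 300-second check limits the walk across servers, and the largest retry value that fits a given client timeout. The client timeout value is a constructed placeholder, since it depends on the access module.

```python
# Added example (not H3C code): the time budget described for retry and timer
# response-timeout. With no server answering, each server costs
# retry x response-timeout seconds; before moving on to a new server the device
# checks the time already spent and stops once it has reached 300 seconds. The
# product retry x response-timeout x servers must stay within the access
# module's client timeout, or the user is logged off before RADIUS gives up.
from typing import Dict, Optional, Tuple

TOTAL_TRANSMIT_CAP_S = 300   # documented: no further server is tried once this is reached
RETRY_RANGE = (1, 20)        # value range of `retry retries`


def per_server_time_s(retry: int, response_timeout_s: int) -> int:
    """Worst-case seconds spent on one silent server."""
    return retry * response_timeout_s


def failover_walk(retry: int, response_timeout_s: int, server_count: int) -> Tuple[int, int]:
    """Return (servers actually tried, worst-case elapsed seconds) when every
    server in the scheme stays silent."""
    elapsed = 0
    tried = 0
    for _ in range(server_count):
        if elapsed >= TOTAL_TRANSMIT_CAP_S:   # check made before sending to a new server
            break
        elapsed += per_server_time_s(retry, response_timeout_s)
        tried += 1
    return tried, elapsed


def check_budget(retry: int, response_timeout_s: int, server_count: int,
                 client_timeout_s: int) -> Dict[str, Optional[object]]:
    """Check retry x response-timeout x servers against the access module's
    client timeout (client_timeout_s is a constructed placeholder). Also reports
    the largest retry value that would fit, or None if no value in range fits."""
    product = retry * response_timeout_s * server_count
    fits = client_timeout_s // (response_timeout_s * server_count)
    max_retry = min(RETRY_RANGE[1], fits) if fits >= RETRY_RANGE[0] else None
    return {
        "product_s": product,
        "within_client_timeout": product <= client_timeout_s,
        "max_retry_for_budget": max_retry,
    }


if __name__ == "__main__":
    print(failover_walk(3, 3, 3))       # defaults, three servers: all tried in 27 s
    print(failover_walk(20, 10, 3))     # extremes: the 300 s cap stops the walk early
    print(check_budget(20, 10, 3, client_timeout_s=100))
```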

Examples

# In RADIUS scheme radius1, set the RADIUS server response timeout timer to 5 seconds.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] timer response-timeout 5

Related commands

display radius scheme

retry

user-name-format (RADIUS scheme view)

Use user-name-format to specify the format of the username to be sent to a RADIUS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to the RADIUS servers.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the username to the RADIUS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Usage guidelines

A username is generally in the userid@isp-name format, in which the isp-name part is used by the device to determine the ISP domain to which a user belongs. Some earlier RADIUS servers, however, cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username sent to a RADIUS server.

If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the RADIUS server will consider two users in different ISP domains but with the same userid as one user.

For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect. The device does not change the usernames from clients before forwarding them to the RADIUS server.

If the RADIUS scheme is used for roaming wireless users, specify the keep-original keyword. Otherwise, authentication of the wireless users might fail.

Examples

# In RADIUS scheme radius1, configure the device to remove the domain name from the usernames sent to the RADIUS servers.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] user-name-format without-domain

Related commands

display radius scheme

vpn-instance (RADIUS scheme view)

Use vpn-instance to specify an MPLS L3VPN instance for a RADIUS scheme.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The RADIUS scheme belongs to the public network.

Views

RADIUS scheme view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by the name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for a RADIUS scheme applies to all authentication and accounting servers in that scheme. If a VPN instance is also configured for an individual RADIUS server, the VPN instance specified for the RADIUS scheme does not take effect on that server.

Examples

# Specify VPN instance test for RADIUS scheme radius1.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] vpn-instance test

Related commands

display radius scheme

HWTACACS commands

data-flow-format (HWTACACS scheme view)

Use data-flow-format to set the data flow and packet measurement units for traffic statistics.

Use undo data-flow-format to restore the default.

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *

undo data-flow-format { data | packet }

Default

Traffic is counted in bytes and packets.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.

packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.

Usage guidelines

The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting results might be incorrect.

Examples

# In HWTACACS scheme hwt1, set the data flow and packet measurement units for traffic statistics to kilobyte and kilo-packet, respectively.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet

Related commands

display hwtacacs scheme

display hwtacacs scheme

Use display hwtacacs scheme to display the configuration or statistics of HWTACACS schemes.

Syntax

display hwtacacs scheme [ hwtacacs-scheme-name [ statistics ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an HWTACACS scheme, this command displays the configuration of all HWTACACS schemes.

statistics: Displays the HWTACACS service statistics. If you do not specify this keyword, the command displays the configuration of the HWTACACS scheme.

Examples

# Display the configuration of all HWTACACS schemes.

<Sysname> display hwtacacs scheme

Total 1 HWTACACS schemes

 

------------------------------------------------------------------

HWTACACS Scheme Name: hwtac

  Index : 0

  Primary authentication server:

    IP  : 2.2.2.2         Port: 49     State: Active

    VPN Instance: 2

    Single-connection: Enabled

  Primary authorization server:

    IP  : 2.2.2.2         Port: 49     State: Active

    VPN Instance: 2

    Single-connection: Disabled

  Primary accounting server:

    IP  : Not Configured  Port: 49     State: Block

    VPN Instance: Not configured

    Single-connection: Disabled

 

  VPN Instance                          : 2

  NAS IP Address                        : 2.2.2.3

  Server Quiet Period(minutes)          : 5

  Realtime Accounting Interval(minutes) : 12

  Response Timeout Interval(seconds)    : 5

  Username Format                       : with-domain

  Data flow unit                        : Byte

  Packet unit                           : One

------------------------------------------------------------------

Table 10 Command output

Index: Index number of the HWTACACS scheme.

Primary authentication server: Primary HWTACACS authentication server.

Primary authorization server: Primary HWTACACS authorization server.

Primary accounting server: Primary HWTACACS accounting server.

Secondary authentication server: Secondary HWTACACS authentication server.

Secondary authorization server: Secondary HWTACACS authorization server.

Secondary accounting server: Secondary HWTACACS accounting server.

IP: IP address of the HWTACACS server. If no server is configured, this field displays Not configured.

Port: Service port of the HWTACACS server. If no port is configured, this field displays the default port number.

Single-connection: Single connection status:

·     Enabled—Establish only one TCP connection for all users to communicate with the server.

·     Disabled—Establish a TCP connection for each user to communicate with the server.

State: Status of the HWTACACS server: active or blocked.

VPN Instance: MPLS L3VPN instance to which the HWTACACS server or scheme belongs. If no VPN instance is specified for the server or scheme, this field displays Not configured.

NAS IP Address: Source IP address for outgoing HWTACACS packets.

Server Quiet Period(minutes): Quiet period for the primary servers, in minutes.

Realtime Accounting Interval(minutes): Real-time accounting interval, in minutes.

Response Timeout Interval(seconds): HWTACACS server response timeout period, in seconds.

Username Format: Format for the usernames sent to the HWTACACS server. Possible values include:

·     with-domain—Includes the domain name.

·     without-domain—Excludes the domain name.

·     keep-original—Forwards the username as entered.

Data flow unit: Measurement unit for data flows: Byte, Kilobyte, Megabyte, or Gigabyte.

Packet unit: Measurement unit for packets: One, Kilo, Mega, or Giga.

# Display statistics for HWTACACS scheme tac.

<Sysname> display hwtacacs scheme tac statistics

HWTACACS scheme name: tac

 

Primary authentication server : 111.8.0.244

    Round trip time:                                20 seconds

    Request packets:                                1

    Login request packets:                          1

    Change-password request packets:                0

    Request packets including plaintext passwords:  0

    Request packets including ciphertext passwords: 0

    Response packets:                               2

    Pass response packets:                          1

    Failure response packets:                       0

    Get-data response packets:                      0

    Get-username response packets:                  0

    Get-password response packets:                  1

    Restart response packets:                       0

    Error response packets:                         0

    Follow response packets:                        0

    Malformed response packets:                     0

    Continue packets:                               1

    Continue-abort packets:                         0

    Pending request packets:                        0

    Timeout packets:                                0

    Unknown type response packets:                  0

    Dropped response packets:                       0

 

Primary authorization server :111.8.0.244

    Round trip time:                               1 seconds

    Request packets:                               1

    Response packets:                              1

    PassAdd response packets:                      1

    PassReply response packets:                    0

    Failure response packets:                      0

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Pending request packets:                       0

    Timeout packets:                               0

    Unknown type response packets:                 0

    Dropped response packets:                      0

 

Primary accounting server :111.8.0.244

    Round trip time:                               0 seconds

    Request packets:                               2

    Accounting start request packets:              1

    Accounting stop request packets:               1

    Accounting update request packets:             0

    Pending request packets:                       0

    Response packets:                              2

    Success response packets:                      2

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Timeout response packets:                      0

    Unknown type response packets:                 0

    Dropped response packets:                      0

 

Secondary authentication server: 1.1.1.1

    Round trip time:                                0 seconds

    Request packets:                                0

    Login request packets:                          0

    Change-password request packets:                0

    Request packets including plaintext passwords:  0

    Request packets including ciphertext passwords: 0

    Response packets:                               0

    Pass response packets:                          0

    Failure response packets:                       0

    Get-data response packets:                      0

    Get-username response packets:                  0

    Get-password response packets:                  0

    Restart response packets:                       0

    Error response packets:                         0

    Follow response packets:                        0

    Malformed response packets:                     0

    Continue packets:                               0

    Continue-Abort packets:                         0

    Pending request packets:                        0

    Timeout packets:                                0

    Unknown type response packets:                  0

    Dropped response packets:                       0

 

Secondary authorization server: 1.1.1.1

    Round trip time:                               0 seconds

    Request packets:                               0

    Response packets:                              0

    PassAdd response packets:                      0

    PassReply response packets:                    0

    Failure response packets:                      0

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Pending request packets:                       0

    Timeout packets:                               0

    Unknown type response packets:                 0

    Dropped response packets:                      0

 

Secondary accounting server: 1.1.1.1

    Round trip time:                               0 seconds

    Request packets:                               0

    Accounting start request packets:              0

    Accounting stop request packets:               0

    Accounting update request packets:             0

    Pending request packets:                       0

    Response packets:                              0

    Success response packets:                      0

    Error response packets:                        0

    Follow response packets:                       0

    Malformed response packets:                    0

    Timeout response packets:                      0

    Unknown type response packets:                 0

    Dropped response packets:                      0

Table 11 Command output

Primary authentication server: Primary HWTACACS authentication server.

Primary authorization server: Primary HWTACACS authorization server.

Primary accounting server: Primary HWTACACS accounting server.

Secondary authentication server: Secondary HWTACACS authentication server.

Secondary authorization server: Secondary HWTACACS authorization server.

Secondary accounting server: Secondary HWTACACS accounting server.

Round trip time: Time taken to complete a request and response pair, in seconds.

Request packets: Total number of sent request packets.

Login request packets: Number of sent login request packets.

Change-password request packets: Number of sent request packets for changing passwords.

Request packets including plaintext passwords: Number of request packets that include plaintext passwords.

Request packets including ciphertext passwords: Number of request packets that include ciphertext passwords.

Response packets: Total number of received response packets.

Pass response packets: Number of response packets indicating successful authentication.

Failure response packets: Number of response packets indicating authentication or authorization failure.

Get-data response packets: Number of response packets for obtaining user data.

Get-username response packets: Number of response packets for obtaining usernames.

Get-password response packets: Number of response packets for obtaining passwords.

Restart response packets: Number of response packets for reauthentication.

Error response packets: Number of error-type response packets.

Follow response packets: Number of follow-type response packets.

Malformed response packets: Number of malformed response packets.

Continue packets: Number of sent Continue packets.

Continue-abort packets: Number of sent Continue-abort packets.

Pending request packets: Number of request packets waiting for a response.

Timeout packets/Timeout response packets: Number of timeout response packets.

Unknown type response packets: Number of unknown-type response packets.

Dropped response packets: Number of dropped response packets.

PassAdd response packets: Number of received PassAdd response packets. These packets indicate that all requested authorization attributes are assigned and additional authorization attributes are added.

PassReply response packets: Number of received PassReply response packets. The device uses the authorization attributes in these packets to replace the requested authorization attributes.

Accounting start request packets: Number of accounting start request packets.

Accounting stop request packets: Number of accounting stop request packets.

Accounting update request packets: Number of accounting update request packets.

Success response packets: Number of accounting success response packets.

Related commands

reset hwtacacs statistics
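The statistics output above is the natural place to watch for a misconfigured or misbehaving server. The following is an added example that is not part of the H3C reference: it parses the output format shown above into per-server counters and flags the values an operator would want to review (plaintext passwords in requests, malformed or dropped responses, timeouts, pending requests, high round trip time). SAMPLE_OUTPUT is constructed from the page's format and abbreviated; the warning thresholds and the interpretation of malformed responses are assumptions.

```python
"""Parse the output of display hwtacacs scheme <name> statistics and flag
counters an operator should review.

Added example for this reference page; it is not H3C code. SAMPLE_OUTPUT is
constructed from the output format shown on the page and abbreviated to the
counters the checks use; the warning thresholds and the interpretation of
malformed responses are assumptions."""
import re
from collections import OrderedDict

# Constructed sample, in the format of the page's statistics output.
SAMPLE_OUTPUT = """\
HWTACACS scheme name: tac

Primary authentication server : 111.8.0.244
    Round trip time:                                20 seconds
    Request packets:                                1
    Request packets including plaintext passwords:  0
    Request packets including ciphertext passwords: 0
    Response packets:                               2
    Pass response packets:                          1
    Failure response packets:                       0
    Malformed response packets:                     0
    Pending request packets:                        0
    Timeout packets:                                0
    Dropped response packets:                       0

Primary accounting server :111.8.0.244
    Round trip time:                               0 seconds
    Request packets:                               2
    Pending request packets:                       0
    Response packets:                              2
    Success response packets:                      2
    Malformed response packets:                    0
    Timeout response packets:                      0
    Dropped response packets:                      0
"""

# "Primary authentication server : 1.2.3.4" (spacing around ':' varies)
SERVER_RE = re.compile(r"^(\S.*?server)\s*:\s*(\S+)\s*$")
# "    Round trip time:   20 seconds" or "    Request packets:   1"
COUNTER_RE = re.compile(r"^\s+(.+?):\s+(\d+)(?:\s+seconds)?\s*$")


def parse_statistics(text):
    """Return an ordered mapping: server label -> {"address", "counters"}."""
    servers = OrderedDict()
    current = None
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = {"address": m.group(2), "counters": {}}
            servers[m.group(1).strip()] = current
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current["counters"][m.group(1).strip()] = int(m.group(2))
    return servers


def find_findings(servers, rtt_warn_seconds=5):
    """Return (server label, message) pairs worth an operator's attention."""
    findings = []
    for label, info in servers.items():
        c = info["counters"]
        if c.get("Request packets including plaintext passwords", 0) > 0:
            findings.append((label, "requests carried plaintext passwords"))
        # Assumption: a shared-key mismatch with the server is a common cause
        # of malformed or dropped responses, so surface them early.
        for name in ("Malformed response packets", "Dropped response packets"):
            if c.get(name, 0) > 0:
                findings.append((label, f"{c[name]} {name.lower()}"))
        # Authentication servers report "Timeout packets"; accounting servers
        # report "Timeout response packets" (see the output above).
        timeouts = c.get("Timeout packets", 0) + c.get("Timeout response packets", 0)
        if timeouts > 0:
            findings.append((label, f"{timeouts} requests timed out"))
        if c.get("Pending request packets", 0) > 0:
            findings.append((label, f"{c['Pending request packets']} requests still pending"))
        rtt = c.get("Round trip time", 0)
        if rtt > rtt_warn_seconds:
            findings.append((label, f"round trip time {rtt}s exceeds {rtt_warn_seconds}s"))
    return findings


if __name__ == "__main__":
    for label, message in find_findings(parse_statistics(SAMPLE_OUTPUT)):
        print(f"{label}: {message}")
```

Run against the constructed sample, the only finding is the 20-second round trip time on the primary authentication server; feed the real command output (captured over an automation session) into parse_statistics and adjust rtt_warn_seconds to the response timeout configured for the scheme.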

hwtacacs nas-ip

Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo hwtacacs nas-ip to delete a source IP address for outgoing HWTACACS packets.

Syntax

hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

undo hwtacacs nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

The source IP address of an HWTACACS packet sent to the server is the IP address of the outbound interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the source IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. To configure a public-network source IP address, do not specify this option.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify a maximum of 16 source IP addresses, including the following IP addresses:

·     Zero or one public-network source IPv4 address.

·     Zero or one public-network source IPv6 address.

·     Private-network source IP addresses.

Each VPN instance can have only one private-network source IPv4 address and one private-network source IPv6 address.

Examples

# Specify IP address 129.10.10.1 as the source address for HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs nas-ip 129.10.10.1

Related commands

nas-ip (HWTACACS scheme view)

hwtacacs scheme

Use hwtacacs scheme to create an HWTACACS scheme and enter its view, or enter the view of an existing HWTACACS scheme.

Use undo hwtacacs scheme to delete an HWTACACS scheme.

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

Default

No HWTACACS schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An HWTACACS scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 HWTACACS schemes.

Examples

# Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Use undo key to delete the shared key for secure HWTACACS authentication, authorization, or accounting communication.

Syntax

key { accounting | authentication | authorization } { cipher | simple } string

undo key { accounting | authentication | authorization }

Default

No shared key is configured for secure HWTACACS authentication, authorization, or accounting communication.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

accounting: Specifies the shared key for secure HWTACACS accounting communication.

authentication: Specifies the shared key for secure HWTACACS authentication communication.

authorization: Specifies the shared key for secure HWTACACS authorization communication.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

Usage guidelines

The shared keys configured on the device must match those configured on the HWTACACS servers.

Examples

# In HWTACACS scheme hwt1, set the shared key to 123456TESTauth&! in plaintext form for secure HWTACACS authentication communication.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&!

# Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication.

[Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&!

# Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.

[Sysname-hwtacacs-hwt1] key accounting simple 123456TESTacct&!

Related commands

display hwtacacs scheme
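The length and character rules above are easy to get wrong when keys are generated by a provisioning script, especially once a device is switched to FIPS mode. The following is an added example, not H3C code, that checks a candidate key against exactly the rules stated for the key command (the same rules apply to the key option of the primary and secondary server commands). The function name, the LIMITS table layout and the sample keys are assumptions, as is the use of Python's string.punctuation as the definition of "special characters"; the check cannot tell whether the key matches the one configured on the server.

```python
"""Check a candidate HWTACACS shared key against the length and character
rules the page gives for the key command.

Added example for this reference page; not H3C code. Function name, table
layout and sample keys are assumptions. "Special characters" is taken to
mean ASCII punctuation (string.punctuation), also an assumption."""
import string

LIMITS = {
    # (fips_mode, form): (min_len, max_len), as stated on the page
    (False, "simple"): (1, 255),
    (False, "cipher"): (1, 373),
    (True, "simple"): (15, 255),
    (True, "cipher"): (15, 373),
}


def check_shared_key(key, form="simple", fips=False):
    """Return (ok, reason) for a key given in 'simple' or 'cipher' form."""
    if form not in ("simple", "cipher"):
        return False, "form must be 'simple' or 'cipher'"
    lo, hi = LIMITS[(fips, form)]
    if not lo <= len(key) <= hi:
        return False, f"length {len(key)} outside {lo} to {hi} characters"
    if fips and form == "simple":
        # FIPS mode requires all four character classes in a plaintext key.
        classes = {
            "digits": any(c.isdigit() for c in key),
            "uppercase letters": any(c.isupper() for c in key),
            "lowercase letters": any(c.islower() for c in key),
            "special characters": any(c in string.punctuation for c in key),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            return False, "FIPS mode: key lacks " + ", ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    for candidate, fips in (("123456TESTauth&!", False), ("123456TESTauth&!", True),
                            ("short", True), ("abcdefghijklmnop", True)):
        print(candidate, "fips" if fips else "non-fips", check_shared_key(candidate, fips=fips))
```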

nas-ip (HWTACACS scheme view)

Use nas-ip to specify a source IP address for outgoing HWTACACS packets.

Use undo nas-ip to delete the source IP address of the specified type for outgoing HWTACACS packets.

Syntax

nas-ip { ipv4-address | ipv6 ipv6-address }

undo nas-ip [ ipv6 ]

Default

The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view.

If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound interface.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address, which must be an address of the device. The IP address cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.

ipv6 ipv6-address: Specifies an IPv6 address, which must be a unicast address of the device and cannot be a loopback address or a link-local address.

Usage guidelines

The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address. Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of the packet is the IP address of a managed NAS.

·     If the source IP address of the packet is the IP address of a managed NAS, the server processes the packet.

·     If the source IP address of the packet is not the IP address of a managed NAS, the server drops the packet.

As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets.

If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply:

·     The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme.

·     The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes.

·     The setting in HWTACACS scheme view takes precedence over the setting in system view.

You can specify only one source IPv4 address and one source IPv6 address for an HWTACACS scheme.

If you do not specify the ipv6 keyword for the undo nas-ip command, the command deletes the source IPv4 address for outgoing HWTACACS packets.

Examples

# In HWTACACS scheme hwt1, specify IP address 10.1.1.1 as the source address for outgoing HWTACACS packets.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

Related commands

hwtacacs nas-ip
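Both the hwtacacs nas-ip (system view) and nas-ip (HWTACACS scheme view) sections above state the same address restrictions, the same precedence between the two views, and the limits on how many system-view source addresses may exist. The following is an added example, not H3C code, that models those rules so a configuration can be checked before it is pushed: check_nas_ip applies the address restrictions with Python's ipaddress module, SystemNasIpTable enforces the 16-entry limit with one public IPv4, one public IPv6 and one of each per VPN instance, and resolve_source_ip applies the stated precedence. The class and function names are assumptions, as are two details the page does not state: re-adding an address for a slot that already has one replaces it, and a scheme bound to a VPN instance uses the system-view entry for that instance. The requirement that the address belong to the device is not checked offline.

```python
"""Model the source-address rules for hwtacacs nas-ip (system view) and
nas-ip (HWTACACS scheme view).

Added example for this reference page; not H3C code. Names are assumptions;
replacement on re-add and per-VPN lookup are assumptions (see lead-in)."""
import ipaddress


def check_nas_ip(address):
    """Apply the page's restrictions on a candidate source address.

    IPv4: not 0.0.0.0, not 255.255.255.255, not class D, not class E,
    not loopback. IPv6: unicast, not loopback, not link-local.
    Returns (ok, reason)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        if ip == ipaddress.IPv4Address("0.0.0.0"):
            return False, "0.0.0.0 is not allowed"
        if ip == ipaddress.IPv4Address("255.255.255.255"):
            return False, "255.255.255.255 is not allowed"
        if ip.is_multicast:                               # class D, 224.0.0.0/4
            return False, "class D address"
        if ip in ipaddress.IPv4Network("240.0.0.0/4"):    # class E
            return False, "class E address"
        if ip.is_loopback:
            return False, "loopback address"
        return True, "ok"
    if ip.is_multicast or ip.is_unspecified:
        return False, "not a unicast address"
    if ip.is_loopback:
        return False, "loopback address"
    if ip.is_link_local:
        return False, "link-local address"
    return True, "ok"


class SystemNasIpTable:
    """System-view hwtacacs nas-ip entries: at most 16 addresses, with one
    public IPv4, one public IPv6 and one IPv4 plus one IPv6 per VPN instance."""
    MAX_ENTRIES = 16

    def __init__(self):
        self.entries = {}   # (vpn_instance or None, ip version) -> address

    def add(self, address, vpn_instance=None):
        ok, reason = check_nas_ip(address)
        if not ok:
            raise ValueError(reason)
        slot = (vpn_instance, ipaddress.ip_address(address).version)
        if slot not in self.entries and len(self.entries) >= self.MAX_ENTRIES:
            raise ValueError("maximum of 16 source IP addresses reached")
        self.entries[slot] = address   # assumption: re-adding a slot replaces it

    def lookup(self, version, vpn_instance=None):
        return self.entries.get((vpn_instance, version))


def resolve_source_ip(version, scheme_nas_ip, system_table, vpn_instance=None):
    """Precedence from the page: the scheme-view nas-ip setting wins over the
    system-view hwtacacs nas-ip setting; with neither, the outbound interface
    address is used. scheme_nas_ip maps ip version -> address (one of each)."""
    if scheme_nas_ip.get(version):
        return scheme_nas_ip[version], "scheme view nas-ip"
    addr = system_table.lookup(version, vpn_instance)
    if addr:
        return addr, "system view hwtacacs nas-ip"
    return None, "outbound interface address"


if __name__ == "__main__":
    table = SystemNasIpTable()
    table.add("129.10.10.1")              # public IPv4, as in the page's example
    table.add("10.1.1.1", "vpn2")         # private IPv4 for one VPN instance
    print(resolve_source_ip(4, {}, table))
    print(resolve_source_ip(4, {4: "10.1.1.9"}, table, "vpn2"))
    print(check_nas_ip("224.0.0.1"), check_nas_ip("fe80::1"))
```

The practical point of the precedence function is to confirm, before changing a scheme, which address the HWTACACS server will see as the NAS identity; if it differs from the NAS address registered on the server, the server drops the packets and the statistics output shows timeouts rather than an explicit error.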

primary accounting (HWTACACS scheme view)

Use primary accounting to specify the primary HWTACACS accounting server.

Use undo primary accounting to restore the default.

Syntax

primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary accounting

Default

The primary HWTACACS accounting server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies an IPv4 address of the primary HWTACACS accounting server.

ipv6 ipv6-address: Specifies an IPv6 address of the primary HWTACACS accounting server.

port-number: Specifies the service port number of the primary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS accounting server use the same TCP connection to exchange accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the primary accounting server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the primary HWTACACS accounting server are the same as those configured on the server.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary accounting (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

Use primary authentication to specify the primary HWTACACS authentication server.

Use undo primary authentication to restore the default.

Syntax

primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authentication

Default

The primary HWTACACS authentication server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server.

port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the primary authentication server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

primary authorization

Use primary authorization to specify the primary HWTACACS authorization server.

Use undo primary authorization to restore the default.

Syntax

primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo primary authorization

Default

The primary HWTACACS authorization server is not specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the primary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authorization server.

port-number: Specifies the service port number of the primary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the primary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the primary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the primary authorization server for a user. As a best practice, specify this keyword to reduce the number of TCP connections and improve system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify the primary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

secondary authorization

vpn-instance (HWTACACS scheme view)

reset hwtacacs statistics

Use reset hwtacacs statistics to clear HWTACACS statistics.

Syntax

reset hwtacacs statistics { accounting | all | authentication | authorization }

Views

User view

Predefined user roles

network-admin

Parameters

accounting: Clears the HWTACACS accounting statistics.

all: Clears all HWTACACS statistics.

authentication: Clears the HWTACACS authentication statistics.

authorization: Clears the HWTACACS authorization statistics.

Examples

# Clear all HWTACACS statistics.

<Sysname> reset hwtacacs statistics all

Related commands

display hwtacacs scheme

secondary accounting (HWTACACS scheme view)

Use secondary accounting to specify a secondary HWTACACS accounting server.

Use undo secondary accounting to remove a secondary HWTACACS accounting server.

Syntax

secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS accounting servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS accounting server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS accounting server.

port-number: Specifies the service port number of the secondary HWTACACS accounting server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS accounting server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS accounting server use the same TCP connection to exchange all accounting packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges accounting packets with the secondary accounting server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary accounting command, the command removes all secondary accounting servers.

Two accounting servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an accounting server only when it is not used for user accounting. Removing an accounting server affects only accounting processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary accounting server with IP address 10.163.155.12, TCP port number 49, and plaintext shared key 123456TESTacct&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple 123456TESTacct&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary accounting (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

secondary authentication (HWTACACS scheme view)

Use secondary authentication to specify a secondary HWTACACS authentication server.

Use undo secondary authentication to remove a secondary HWTACACS authentication server.

Syntax

secondary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authentication [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authentication servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authentication server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server.

port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authentication server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS authentication server use the same TCP connection to exchange all authentication packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authentication packets with the secondary authentication server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the corresponding server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authentication servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authentication command, the command removes all secondary authentication servers.

Two authentication servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authentication server only when it is not used for user authentication. Removing an authentication server affects only authentication processes that occur after the remove operation.

Examples

# In HWTACACS scheme hwt1, specify a secondary authentication server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTauth&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple 123456TESTauth&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary authentication (HWTACACS scheme view)

vpn-instance (HWTACACS scheme view)

secondary authorization

Use secondary authorization to specify a secondary HWTACACS authorization server.

Use undo secondary authorization to remove a secondary HWTACACS authorization server.

Syntax

secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] *

undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]

Default

No secondary HWTACACS authorization servers are specified.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the secondary HWTACACS authorization server.

ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authorization server.

port-number: Specifies the service port number of the secondary HWTACACS authorization server. The value range for the TCP port number is 1 to 65535. The default setting is 49.

key: Specifies the shared key for secure communication with the secondary HWTACACS authorization server.

cipher: Specifies the key in encrypted form.

simple: Specifies the key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. This argument is case sensitive.

·     In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters.

·     In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters. The plaintext string must contain digits, uppercase letters, lowercase letters, and special characters.

single-connection: The device and the secondary HWTACACS authorization server use the same TCP connection to exchange all authorization packets for all users. If you do not specify this keyword, the device establishes a new TCP connection each time it exchanges authorization packets with the secondary authorization server for a user. As a best practice, specify this keyword to reduce TCP connections for improving system performance if the HWTACACS server supports the single-connection method.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the secondary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

Make sure that the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server.

An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tries to communicate with a secondary server in active state. The device connects to the secondary servers in the order they are configured.

If you do not specify any parameters for the undo secondary authorization command, the command removes all secondary authorization servers.

Two authorization servers specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN instance settings.

If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the HWTACACS scheme.

You can remove an authorization server only when it is not used for user authorization. Removing an authorization server affects only authorization processes that occur after the remove operation.
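The server-list rules stated for the primary and secondary server commands above (shared-key length and FIPS complexity, no two servers with identical address, port and VPN instance, at most 16 secondary servers of one type, failover in configured order) can be checked offline before a scheme is typed in. The following is an added example in Python, not Comware code; the Server and Scheme classes and every function name are my own.

```python
"""Offline check of an HWTACACS server list against the rules this reference
states: shared-key length and FIPS-mode complexity, the "no two servers with
identical address, port and VPN instance" rule, the limit of 16 secondary
servers, and failover in configured order. Added example, not Comware code;
the Server and Scheme classes and all function names are my own."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_SECONDARY = 16   # maximum secondary servers of one type per scheme (stated above)
DEFAULT_PORT = 49    # default HWTACACS TCP port (stated above)


@dataclass(frozen=True)
class Server:
    address: str                        # IPv4 or IPv6 literal as typed on the CLI
    port: int = DEFAULT_PORT
    vpn_instance: Optional[str] = None  # None means the public network

    def identity(self) -> Tuple[str, int, Optional[str]]:
        # The reference judges "identical" on exactly these three settings.
        return (self.address, self.port, self.vpn_instance)


def check_plaintext_key(key: str, fips: bool) -> List[str]:
    """Return the rule violations (empty list if none) for a 'key simple' string."""
    problems = []
    low = 15 if fips else 1
    if not low <= len(key) <= 255:
        problems.append(f"length {len(key)} is outside {low}..255")
    if fips:
        # FIPS mode requires all four character classes in the plaintext key.
        classes = {
            "digit": any(c.isdigit() for c in key),
            "uppercase": any(c.isupper() for c in key),
            "lowercase": any(c.islower() for c in key),
            "special": any(not c.isalnum() for c in key),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("FIPS key lacks: " + ", ".join(missing))
    return problems


@dataclass
class Scheme:
    name: str
    primary: Optional[Server] = None
    secondaries: List[Server] = field(default_factory=list)

    def add_secondary(self, server: Server) -> None:
        """Apply the checks the CLI makes for 'secondary <type> ...'."""
        if len(self.secondaries) >= MAX_SECONDARY:
            raise ValueError(f"{self.name}: more than {MAX_SECONDARY} secondary servers")
        existing = [s.identity() for s in self.secondaries]
        if self.primary is not None:
            existing.append(self.primary.identity())
        if server.identity() in existing:
            raise ValueError(f"{self.name}: duplicate server {server.identity()}")
        self.secondaries.append(server)

    def failover_order(self) -> List[Server]:
        """Primary first, then the secondaries in the order they were configured."""
        return ([self.primary] if self.primary is not None else []) + list(self.secondaries)
```

A server with the same address as the primary but a different VPN instance is accepted, which matches the wording of the rule; the same address, port and VPN instance is rejected, and the seventeenth secondary server is rejected.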

Examples

# In HWTACACS scheme hwt1, specify a secondary authorization server with IP address 10.163.155.13, TCP port number 49, and plaintext shared key 123456TESTautr&!.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple 123456TESTautr&!

Related commands

display hwtacacs scheme

key (HWTACACS scheme view)

primary authorization

vpn-instance (HWTACACS scheme view)

timer quiet (HWTACACS scheme view)

Use timer quiet to set the quiet timer for the servers specified in an HWTACACS scheme.

Use undo timer quiet to restore the default.

Syntax

timer quiet minutes

undo timer quiet

Default

The server quiet period is 5 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the server quiet period in minutes, in the range of 1 to 255.

Examples

# In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer quiet 10

Related commands

display hwtacacs scheme

timer realtime-accounting (HWTACACS scheme view)

Use timer realtime-accounting to set the real-time accounting interval.

Use undo timer realtime-accounting to restore the default.

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

Default

The real-time accounting interval is 12 minutes.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Setting this interval to 0 disables the device from sending online user accounting information to the HWTACACS accounting server.

Usage guidelines

For real-time accounting, a NAS must transmit the accounting information of online users to the HWTACACS accounting server periodically. This command is used to set the interval.

A short interval helps improve accounting precision but requires many system resources.

Table 12 Recommended real-time accounting intervals

Number of users      Real-time accounting interval
1 to 99              3 minutes
100 to 499           6 minutes
500 to 999           12 minutes
1000 or more         15 minutes or longer

Examples

# In HWTACACS scheme hwt1, set the real-time accounting interval to 51 minutes.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

Related commands

display hwtacacs scheme

timer response-timeout (HWTACACS scheme view)

Use timer response-timeout to set the HWTACACS server response timeout timer.

Use undo timer response-timeout to restore the default.

Syntax

timer response-timeout seconds

undo timer response-timeout

Default

The HWTACACS server response timeout time is 5 seconds.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

seconds: Specifies the HWTACACS server response timeout time, in the range of 1 to 300 seconds.

Usage guidelines

HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the device is disconnected from the HWTACACS server.

The client timeout period of the associated access module cannot be shorter than the total response timeout of all HWTACACS authentication servers in the scheme, because the device tries the servers one after another and each may consume the full timer. Otherwise, users might be logged off before the authentication process is complete.

Examples

# In HWTACACS scheme hwt1, set the HWTACACS server response timeout timer to 30 seconds.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] timer response-timeout 30

Related commands

display hwtacacs scheme

user-name-format (HWTACACS scheme view)

Use user-name-format to specify the format of the username to be sent to an HWTACACS server.

Use undo user-name-format to restore the default.

Syntax

user-name-format { keep-original | with-domain | without-domain }

undo user-name-format

Default

The ISP domain name is included in the usernames sent to the HWTACACS servers.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

keep-original: Sends the username to the HWTACACS server as the username is entered.

with-domain: Includes the ISP domain name in the username sent to the HWTACACS server.

without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.

Usage guidelines

A username is generally in the userid@isp-name format, in which the isp-name part is used by the device to determine the ISP domain to which a user belongs. However, some HWTACACS servers cannot recognize a username containing an ISP domain name. Before sending a username including a domain name to such an HWTACACS server, the device must remove the domain name. This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server.

If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply the scheme to more than one ISP domain. Otherwise, the HWTACACS server will consider two users in different ISP domains but with the same userid as one user.

If the HWTACACS scheme is used for wireless users, specify the format of the username to be sent from the access device to the HWTACACS server as keep-original. Otherwise, authentication of the wireless users might fail.
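The three username formats, and the collision the guideline above warns about when a without-domain scheme serves more than one ISP domain, as an added example in Python (not Comware code). The function names are my own, and DEFAULT_DOMAIN is an assumption standing in for the device's default ISP domain, which applies when the entered name carries no isp-name.

```python
"""user-name-format applied to entered usernames, plus detection of the
cross-domain username collision the usage guidelines describe.
Added example, not Comware code; parse_username, format_username and
find_collisions are my own names. DEFAULT_DOMAIN is an assumption: the
domain the device assigns when no isp-name is entered."""
from collections import defaultdict

DEFAULT_DOMAIN = "system"   # assumption: device default ISP domain


def parse_username(entered: str, default_domain: str = DEFAULT_DOMAIN):
    """Split userid@isp-name; a name without '@' falls into the default domain."""
    userid, sep, domain = entered.rpartition("@")
    if not sep:
        return entered, default_domain
    return userid, domain


def format_username(entered: str, mode: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Username the device sends to the HWTACACS server under each mode."""
    userid, domain = parse_username(entered, default_domain)
    if mode == "keep-original":
        return entered                  # exactly as the user typed it
    if mode == "with-domain":
        return f"{userid}@{domain}"     # domain appended if it was missing (assumption)
    if mode == "without-domain":
        return userid                   # domain stripped
    raise ValueError(f"unknown user-name-format {mode!r}")


def find_collisions(entered_names, mode, default_domain=DEFAULT_DOMAIN):
    """Return {sent-username: [domains]} for names that two or more ISP
    domains would send identically. A non-empty result is the situation the
    guidelines warn about: the server sees those users as one account."""
    domains_by_sent = defaultdict(set)
    for name in entered_names:
        _, domain = parse_username(name, default_domain)
        domains_by_sent[format_username(name, mode, default_domain)].add(domain)
    return {sent: sorted(doms) for sent, doms in domains_by_sent.items() if len(doms) > 1}
```

Running find_collisions over the usernames of every domain a without-domain scheme is applied to gives a quick audit of whether the scheme is safely scoped to a single domain.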

Examples

# In HWTACACS scheme hwt1, configure the device to remove the ISP domain name from the usernames sent to the HWTACACS servers.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] user-name-format without-domain

Related commands

display hwtacacs scheme

vpn-instance (HWTACACS scheme view)

Use vpn-instance to specify an MPLS L3VPN instance for an HWTACACS scheme.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The HWTACACS scheme belongs to the public network.

Views

HWTACACS scheme view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by the name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.

Examples

# Specify VPN instance test for HWTACACS scheme hwt1.

<Sysname> system-view

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] vpn-instance test

Related commands

display hwtacacs scheme

LDAP commands

attribute-map

Use attribute-map to specify the LDAP attribute map in an LDAP scheme.

Use undo attribute-map to restore the default.

Syntax

attribute-map map-name

undo attribute-map

Default

An LDAP scheme does not use any LDAP attribute map.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

map-name: Specifies an LDAP attribute map by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

When the LDAP scheme used for authorization contains an LDAP attribute map, the device converts server-assigned LDAP attributes to device-recognizable AAA attributes based on the mapping entries.

You can specify only one LDAP attribute map in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

If you specify another attribute map or change the mapping entries, the new settings are effective only on the LDAP authorization that occurs after your operation.

Examples

# Specify LDAP attribute map map1 in LDAP scheme test.

<Sysname> system-view

[Sysname] ldap scheme test

[Sysname-ldap-test] attribute-map map1

Related commands

display ldap scheme

ldap attribute-map

authentication-server

Use authentication-server to specify the LDAP authentication server for an LDAP scheme.

Use undo authentication-server to restore the default.

Syntax

authentication-server server-name

undo authentication-server

Default

No LDAP authentication server is specified.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

You can specify only one LDAP authentication server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In LDAP scheme ldap1, specify the LDAP authentication server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authentication-server ccc

Related commands

display ldap scheme

ldap server

authorization-server

Use authorization-server to specify the LDAP authorization server for an LDAP scheme.

Use undo authorization-server to restore the default.

Syntax

authorization-server server-name

undo authorization-server

Default

No LDAP authorization server is specified.

Views

LDAP scheme view

Predefined user roles

network-admin

Parameters

server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters.

Usage guidelines

You can specify only one LDAP authorization server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# In LDAP scheme ldap1, specify the LDAP authorization server as ccc.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1] authorization-server ccc

Related commands

display ldap scheme

ldap server

display ldap scheme

Use display ldap scheme to display the LDAP scheme configuration.

Syntax

display ldap scheme [ ldap-scheme-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. If you do not specify an LDAP scheme, this command displays the configuration of all LDAP schemes.

Examples

# Display the configuration of all LDAP schemes.

<Sysname> display ldap scheme

Total 1 LDAP schemes

 

------------------------------------------------------------------

LDAP scheme name             : aaa

  Authentication server      : aaa

    IP                       : 1.1.1.1

    Port                     : 111

    VPN instance             : Not configured

    LDAP protocol version    : LDAPv3

    Server timeout interval  : 10 seconds

    Login account DN         : Not configured

    Base DN                  : Not configured

    Search scope             : all-level

    User searching parameters:

      User object class      : Not configured

      Username attribute     : cn

      Username format        : with-domain

    Group filter             : (objectclass=group)

  Authorization server       : aaa

    IP                       : 1.1.1.1

    Port                     : 111

    VPN instance             : Not configured

    LDAP protocol version    : LDAPv3

    Server timeout interval  : 10 seconds

    Login account DN         : Not configured

    Base DN                  : Not configured

    Search scope             : all-level

    User searching parameters:

      User object class      : Not configured

      Username attribute     : cn

      Username format        : with-domain

    Group filter             : (objectclass=group)

  Attribute map              : map1

 ------------------------------------------------------------------

Table 13 Command output

Field: Description

Authentication server: Name of the LDAP authentication server. If no server is configured, this field displays Not configured.

Authorization server: Name of the LDAP authorization server. If no server is configured, this field displays Not configured.

IP: IP address of the LDAP server. If no server is specified, this field displays Not configured.

Port: Port number of the server. If no port number is specified, this field displays the default port number.

VPN instance: MPLS L3VPN instance to which the LDAP server belongs. If no VPN instance is specified, this field displays Not configured.

LDAP protocol version: LDAP version, LDAPv2 or LDAPv3.

Server timeout interval: LDAP server timeout period, in seconds.

Login account DN: DN of the administrator.

Base DN: Base DN for user search.

Search scope: User DN search scope, including:

·     all-level—All subdirectories.

·     single-level—Next lower level of subdirectories under the base DN.

User searching parameters: User search parameters.

User object class: User object class for user DN search. If no user object class is configured, this field displays Not configured.

Username attribute: User account attribute for login.

Username format: Format for the username sent to the server.

Group filter: User group filter.

Attribute map: LDAP attribute map used by the scheme. If no LDAP attribute map is used, this field displays Not configured.

group-filter

Use group-filter to configure the user group filter.

Use undo group-filter to restore the default.

Syntax

group-filter group-filter

undo group-filter

Default

The user group filter is (objectclass=group).

Views

LDAP server view

Predefined user roles

network-admin

Parameters

group-filter: Specifies the user group filter, a case-insensitive string of 1 to 127 characters. The syntax of the filter must meet the filter syntax requirements defined by LDAP servers.

Usage guidelines

When the device requests to import user group information from an LDAP server, the LDAP server sends only user groups that match the user group filter to the device.
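The device only stores the group-filter string; the LDAP server parses it and applies it to its entries. To check a filter before configuring it, the following added example in Python (not Comware or LDAP-server code) parses the common subset of the RFC 4515 string-filter syntax (&, |, !, =, >=, <=, ~= and presence) and evaluates it against directory entries. The parser, matcher and the sample entries at the bottom are my own; the sample entries are constructed data.

```python
"""Parser and matcher for the LDAP string-filter syntax that group-filter uses.
Added example, not Comware or LDAP-server code. Covers the RFC 4515 subset
most group filters use; comparisons are case-insensitive and ">="/"<=" are
lexicographic, which is a simplification of real server matching rules."""


class FilterError(ValueError):
    pass


def parse_filter(text: str):
    """Return an AST: ('&', [..]), ('|', [..]), ('!', node),
    ('present', attr) or (op, attr, value) with op in '=', '>=', '<=', '~='."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise FilterError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if text[pos:pos + 1] in ("&", "|"):
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if not children:
                raise FilterError(f"{op} needs at least one operand")
            expect(")")
            return (op, children)
        if text[pos:pos + 1] == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", child)
        end = text.find(")", pos)
        if end < 0:
            raise FilterError("unterminated filter item")
        item = text[pos:end]
        pos = end + 1
        for op in (">=", "<=", "~=", "="):      # two-character operators first
            if op in item:
                attr, value = item.split(op, 1)
                attr = attr.strip()
                if not attr:
                    raise FilterError("empty attribute name")
                if op == "=" and value == "*":
                    return ("present", attr)
                return (op, attr, value)
        raise FilterError(f"no operator in {item!r}")

    ast = node()
    if pos != len(text):
        raise FilterError(f"trailing text at offset {pos}")
    return ast


def _glob(pattern: str, value: str) -> bool:
    """LDAP substring match: '*' is the only wildcard."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return pattern == value
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for part in parts[1:-1]:
        idx = value.find(part, pos)
        if idx < 0:
            return False
        pos = idx + len(part)
    return pos <= len(value) - len(parts[-1])


def matches(ast, entry) -> bool:
    """Evaluate the AST against one entry: dict of attribute -> list of values."""
    kind = ast[0]
    if kind == "&":
        return all(matches(c, entry) for c in ast[1])
    if kind == "|":
        return any(matches(c, entry) for c in ast[1])
    if kind == "!":
        return not matches(ast[1], entry)
    lowered = {k.lower(): [str(v).lower() for v in vs] for k, vs in entry.items()}
    values = lowered.get(ast[1].lower(), [])
    if kind == "present":
        return bool(values)
    want = ast[2].lower()
    if kind == "=":
        return any(_glob(want, v) for v in values)
    if kind == "~=":
        return any(want == v for v in values)   # approximate match treated as equality
    if kind == ">=":
        return any(v >= want for v in values)
    return any(v <= want for v in values)


def select_groups(filter_text: str, entries):
    """What the server returns to the device: only entries matching the filter."""
    ast = parse_filter(filter_text)
    return [e for e in entries if matches(ast, e)]


SAMPLE_GROUPS = [  # constructed sample directory entries
    {"objectClass": ["top", "group"], "name": ["group1"]},
    {"objectClass": ["top", "group"], "name": ["group2"]},
    {"objectClass": ["top", "person"], "name": ["group1"]},
]
```

The default filter (objectclass=group) returns both group entries; the filter from the example above, (&(objectclass=group)(name=group1)), returns only group1, and an unbalanced filter is rejected by the parser rather than silently matching nothing.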

Examples

# Configure the user group filter as (&(objectclass=group)(name=group1)) for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] group-filter (&(objectclass=group)(name=group1))

Related commands

display ldap scheme

ip

Use ip to configure the IP address and port number of the LDAP server.

Use undo ip to restore the default.

Syntax

ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ip

Default

An LDAP server does not have an IP address or port number.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IP address and port number as 192.168.0.10 and 4300 for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ip 192.168.0.10 port 4300

Related commands

ldap server

ipv6

Use ipv6 to configure the IPv6 address and port number of the LDAP server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ipv6

Default

An LDAP server does not have an IPv6 address or port number.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the LDAP server.

port port-number: Specifies the TCP port number of the LDAP server. The value range for the port-number argument is 1 to 65535, and the default value is 389.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the LDAP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

Usage guidelines

The LDAP service port configured on the device must be consistent with the service port of the LDAP server.

If you change the IP address and port number of the LDAP server, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the IPv6 address and port number as 1:2::3:4 and 4300 for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] ipv6 1:2::3:4 port 4300

Related commands

ldap server

ldap attribute-map

Use ldap attribute-map to create an LDAP attribute map and enter its view, or enter the view of an existing LDAP attribute map.

Use undo ldap attribute-map to delete an LDAP attribute map.

Syntax

ldap attribute-map map-name

undo ldap attribute-map map-name

Default

No LDAP attribute maps exist.

Views

System view

Predefined user roles

network-admin

Parameters

map-name: Specifies the name of the LDAP attribute map, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map. Each entry defines the mapping between an LDAP attribute and an AAA attribute.

Examples

# Create an LDAP attribute map named map1 and enter LDAP attribute map view.

<Sysname> system-view

[Sysname] ldap attribute-map map1

[Sysname-ldap-map-map1]

Related commands

attribute-map

ldap scheme

map

ldap scheme

Use ldap scheme to create an LDAP scheme and enter its view, or enter the view of an existing LDAP scheme.

Use undo ldap scheme to delete an LDAP scheme.

Syntax

ldap scheme ldap-scheme-name

undo ldap scheme ldap-scheme-name

Default

No LDAP schemes exist.

Views

System view

Predefined user roles

network-admin

Parameters

ldap-scheme-name: Specifies the LDAP scheme name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

An LDAP scheme can be used by more than one ISP domain at the same time.

You can configure a maximum of 16 LDAP schemes.

Examples

# Create an LDAP scheme named ldap1 and enter LDAP scheme view.

<Sysname> system-view

[Sysname] ldap scheme ldap1

[Sysname-ldap-ldap1]

Related commands

display ldap scheme

ldap server

Use ldap server to create an LDAP server and enter its view, or enter the view of an existing LDAP server.

Use undo ldap server to delete an LDAP server.

Syntax

ldap server server-name

undo ldap server server-name

Default

No LDAP servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies the LDAP server name, a case-insensitive string of 1 to 64 characters.

Examples

# Create an LDAP server named ccc and enter LDAP server view.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc]

Related commands

display ldap scheme

login-dn

Use login-dn to specify the administrator DN.

Use undo login-dn to restore the default.

Syntax

login-dn dn-string

undo login-dn

Default

No administrator DN is specified.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.

If you change the administrator DN, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Specify the administrator DN as uid=test, ou=people, o=example, c=city for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-dn uid=test,ou=people,o=example,c=city

Related commands

display ldap scheme

login-password

Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication.

Use undo login-password to restore the default.

Syntax

login-password { cipher | simple } string

undo login-password

Default

No administrator password is configured.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 128 characters. Its encrypted form is a case-sensitive string of 1 to 201 characters.

Usage guidelines

This command is effective only after the login-dn command is configured.

Examples

# Specify the administrator password as abcdefg in plaintext form for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] login-password simple abcdefg

Related commands

display ldap scheme

login-dn

map

Use map to configure mapping entries in an LDAP attribute map.

Use undo map to delete the specified mapping entries from the LDAP attribute map.

Syntax

map ldap-attribute ldap-attribute-name [ prefix prefix-value delimiter delimiter-value ] aaa-attribute { user-group | user-profile }

undo map [ ldap-attribute ldap-attribute-name ]

Default

An LDAP attribute map does not contain mapping entries.

Views

LDAP attribute map view

Predefined user roles

network-admin

Parameters

ldap-attribute ldap-attribute-name: Specifies an LDAP attribute by its name. The ldap-attribute-name argument is a case-insensitive string of 1 to 63 characters. If you do not specify this option in the undo map command, the command deletes all mapping entries from the LDAP attribute map.

prefix prefix-value delimiter delimiter-value: Specifies a partial value string of the LDAP attribute for attribute mapping. The prefix-value argument represents the position where the partial string starts. The prefix is a case-insensitive string of 1 to 7 characters, such as cn=. The delimiter-value argument represents the position where the partial string ends, such as a comma (,). If you do not specify the prefix prefix-value delimiter delimiter-value option, the mapping entry uses the entire value string of the LDAP attribute.

aaa-attribute: Specifies an AAA attribute.

user-group: Specifies the user group attribute.

user-profile: Specifies the user profile attribute.

Usage guidelines

Because the device ignores unrecognized LDAP attributes, configure the mapping entries to include important LDAP attributes that should not be ignored.

An LDAP attribute can be mapped only to one AAA attribute. Different LDAP attributes can be mapped to the same AAA attribute.

Examples

# In LDAP attribute map map1, map a partial value string of the LDAP attribute named memberof to the AAA attribute named user-group.

<Sysname> system-view

[Sysname] ldap attribute-map map1

[Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group

Related commands

ldap attribute-map

user-group

user-profile
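The following added Python example, which is not H3C code, models how a map entry with prefix and delimiter picks a partial value out of an LDAP attribute and how the one-LDAP-attribute-to-one-AAA-attribute rule and `undo map` behave. The class names, the sample LDAP entry and the second mapped attribute (employeeType) are constructed for illustration.

```python
"""Illustration (not device code) of an LDAP attribute map as described on this page."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class MapEntry:
    """One `map ldap-attribute ... aaa-attribute ...` line."""
    ldap_attribute: str              # LDAP attribute name, matched case-insensitively
    aaa_attribute: str               # user-group or user-profile
    prefix: Optional[str] = None     # where the partial value starts, e.g. "cn="
    delimiter: Optional[str] = None  # where the partial value ends, e.g. ","


class LdapAttributeMap:
    def __init__(self, name: str):
        self.name = name
        self._entries: Dict[str, MapEntry] = {}  # keyed by lowercase LDAP attribute name

    def map(self, entry: MapEntry) -> None:
        # Validation mirrors the parameter rules on this page.
        if entry.aaa_attribute not in ("user-group", "user-profile"):
            raise ValueError("aaa-attribute must be user-group or user-profile")
        if (entry.prefix is None) != (entry.delimiter is None):
            raise ValueError("prefix and delimiter must be given together")
        if entry.prefix is not None and not 1 <= len(entry.prefix) <= 7:
            raise ValueError("prefix must be 1 to 7 characters")
        if not 1 <= len(entry.ldap_attribute) <= 63:
            raise ValueError("ldap-attribute-name must be 1 to 63 characters")
        # An LDAP attribute can map to only one AAA attribute: re-mapping replaces the entry.
        self._entries[entry.ldap_attribute.lower()] = entry

    def undo_map(self, ldap_attribute: Optional[str] = None) -> None:
        # `undo map` without ldap-attribute deletes every entry in the map.
        if ldap_attribute is None:
            self._entries.clear()
        else:
            self._entries.pop(ldap_attribute.lower(), None)

    def lookup(self, ldap_attribute: str) -> Optional[MapEntry]:
        return self._entries.get(ldap_attribute.lower())

    def entries(self) -> List[MapEntry]:
        return list(self._entries.values())


def partial_value(value: str, prefix: str, delimiter: str) -> Optional[str]:
    """Substring after the first (case-insensitive) prefix, up to the next delimiter.

    Returns None when the prefix does not occur in the value.
    """
    start = value.lower().find(prefix.lower())
    if start < 0:
        return None
    start += len(prefix)
    end = value.find(delimiter, start)
    return value[start:] if end < 0 else value[start:end]


def apply_map(attr_map: LdapAttributeMap, ldap_entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Turn an LDAP search result (attribute -> values) into AAA attributes."""
    aaa: Dict[str, List[str]] = {"user-group": [], "user-profile": []}
    for attr_name, values in ldap_entry.items():
        entry = attr_map.lookup(attr_name)
        if entry is None:
            continue  # attribute without a mapping entry: ignored, as the usage guidelines warn
        for value in values:
            if entry.prefix is None:
                mapped: Optional[str] = value  # whole value string
            else:
                mapped = partial_value(value, entry.prefix, entry.delimiter)
            if mapped:
                aaa[entry.aaa_attribute].append(mapped)
    return aaa


# Constructed sample LDAP entry (not from the page).
SAMPLE_ENTRY = {
    "memberOf": [
        "cn=netadmins,ou=groups,dc=example,dc=com",
        "CN=vpn-users,OU=groups,DC=example,DC=com",
    ],
    "employeeType": ["gold"],
    "mail": ["test@example.com"],  # no mapping entry, so it is dropped
}


def demo() -> Dict[str, List[str]]:
    """The map1 entry from this page plus a whole-value entry for user-profile."""
    map1 = LdapAttributeMap("map1")
    map1.map(MapEntry("memberof", "user-group", prefix="cn=", delimiter=","))
    map1.map(MapEntry("employeetype", "user-profile"))
    return apply_map(map1, SAMPLE_ENTRY)


if __name__ == "__main__":
    print(demo())  # {'user-group': ['netadmins', 'vpn-users'], 'user-profile': ['gold']}
```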

protocol-version

Use protocol-version to specify the LDAP version.

Use undo protocol-version to restore the default.

Syntax

protocol-version { v2 | v3 }

undo protocol-version

Default

The LDAP version is LDAPv3.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

v2: Specifies the LDAP version LDAPv2.

v3: Specifies the LDAP version LDAPv3.

Usage guidelines

For successful LDAP authentication, the LDAP version used by the device must be consistent with the version used by the LDAP server.

If you change the LDAP version, the change is effective only on the LDAP authentication that occurs after the change.

A Microsoft LDAP server supports only LDAPv3.

Examples

# Specify the LDAP version as LDAPv2 for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] protocol-version v2

Related commands

display ldap scheme

search-base-dn

Use search-base-dn to specify the base DN for user search.

Use undo search-base-dn to restore the default.

Syntax

search-base-dn base-dn

undo search-base-dn

Default

No base DN is specified for user search.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.

Examples

# Specify the base DN for user search as dc=ldap,dc=com for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-base-dn dc=ldap,dc=com

Related commands

display ldap scheme

ldap server

search-scope

Use search-scope to specify the user search scope.

Use undo search-scope to restore the default.

Syntax

search-scope { all-level | single-level }

undo search-scope

Default

The user search scope is all-level.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

all-level: Specifies that the search goes through all subdirectories of the base DN.

single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN.

Examples

# Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] search-scope all-level

Related commands

display ldap scheme

ldap server

server-timeout

Use server-timeout to set the LDAP server timeout period, the maximum time that the device waits for an LDAP response.

Use undo server-timeout to restore the default.

Syntax

server-timeout time-interval

undo server-timeout

Default

The LDAP server timeout period is 10 seconds.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

time-interval: Specifies the LDAP server timeout period in the range of 5 to 20 seconds.

Usage guidelines

If you change the LDAP server timeout period, the change is effective only on the LDAP authentication that occurs after the change.

Examples

# Set the LDAP server timeout period to 15 seconds for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] server-timeout 15

Related commands

display ldap scheme

user-parameters

Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user-defined user object class.

Use undo user-parameters to restore the default of an LDAP user attribute.

Syntax

user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name }

undo user-parameters { user-name-attribute | user-name-format | user-object-class }

Default

The LDAP username attribute is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used.

Views

LDAP server view

Predefined user roles

network-admin

Parameters

user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute. The name-attribute argument represents an attribute value, a case-insensitive string of 1 to 64 characters. The cn keyword represents the user account attribute of common name, and the uid keyword represents the user account attribute of user ID.

user-name-format { with-domain | without-domain }: Specifies the format of the username to be sent to the server. The with-domain keyword means that the username contains the domain name, and the without-domain keyword means that the username does not contain the domain name.

user-object-class object-class-name: Specifies the user object class for user search. The object-class-name argument represents a class value, a case-insensitive string of 1 to 64 characters.

Usage guidelines

If the username on the LDAP server does not contain the domain name, specify the without-domain keyword. If the username contains the domain name, specify the with-domain keyword.

Examples

# Set the user object class to person for LDAP server ccc.

<Sysname> system-view

[Sysname] ldap server ccc

[Sysname-ldap-server-ccc] user-parameters user-object-class person

Related commands

display ldap scheme

login-dn
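The following added Python example, which is not H3C code, shows how search-base-dn, search-scope and the user-parameters settings above combine into the user search the device issues before binding as the user. The mapping of all-level/single-level to LDAP subtree/onelevel scope, the "@" domain delimiter and the exact filter shape are assumptions; value escaping follows RFC 4515.

```python
"""Illustration (not device code) of building the LDAP user search from this page's settings."""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed correspondence between the page's search-scope keywords and RFC 4511 scopes.
SCOPE_TO_LDAP = {"all-level": "subtree", "single-level": "onelevel"}

# RFC 4515 escaping: a username that contains filter metacharacters must not be able
# to change the structure of the filter the device sends (LDAP filter injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapServerSettings:
    search_base_dn: str                        # search-base-dn base-dn
    search_scope: str = "all-level"            # search-scope { all-level | single-level }
    user_name_attribute: str = "cn"            # user-parameters user-name-attribute (default cn)
    user_name_format: str = "without-domain"   # user-parameters user-name-format (default without-domain)
    user_object_class: Optional[str] = None    # user-parameters user-object-class (default: server's own)


def username_for_server(login_name: str, settings: LdapServerSettings, delimiter: str = "@") -> str:
    """Apply user-name-format: keep the domain suffix only for with-domain."""
    if settings.user_name_format == "with-domain":
        return login_name
    return login_name.split(delimiter, 1)[0]


def build_user_search(login_name: str, settings: LdapServerSettings) -> Dict[str, str]:
    """Return the base, scope and RFC 4515 filter of the user search."""
    if settings.search_scope not in SCOPE_TO_LDAP:
        raise ValueError("search-scope must be all-level or single-level")
    name = escape_filter_value(username_for_server(login_name, settings))
    name_term = f"({settings.user_name_attribute}={name})"
    if settings.user_object_class:
        object_class = escape_filter_value(settings.user_object_class)
        filt = f"(&(objectClass={object_class}){name_term})"
    else:
        filt = name_term  # no class configured: the server's default user object class applies
    return {
        "base": settings.search_base_dn,
        "scope": SCOPE_TO_LDAP[settings.search_scope],
        "filter": filt,
    }


if __name__ == "__main__":
    # Constructed settings matching the examples on this page: base dc=ldap,dc=com, object class person.
    ccc = LdapServerSettings("dc=ldap,dc=com", user_object_class="person")
    print(build_user_search("test@abc", ccc))
```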


802.1X commands

This feature is supported only on the following ports:

·     Layer 2 Ethernet ports on the following modules:

¡     HMIM-8GSW.

¡     HMIM-8GSWF.

¡     HMIM-24GSW/24GSWP.

¡     SIC-4GSW.

·     Fixed Layer 2 Ethernet ports of the following routers:

¡     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-LM-HK/810-W-LM-HK/810-10-PoE/810-LMS/810-LUS.

¡     MSR2600-6-X1/2600-10-X1.

¡     MSR3600-28/3600-51.

¡     MSR3600-28-SI/3600-51-SI.

¡     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

WLAN is not supported on the following routers:

·     MSR810-LMS/810-LUS.

·     MSR3600-28-SI/3600-51-SI.

·     MSR5620/5660/5680.

display dot1x

Use display dot1x to display information about 802.1X.

Syntax

Wireless devices:

display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Wired devices:

display dot1x [ sessions | statistics ] [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sessions: Displays 802.1X session information.

statistics: Displays 802.1X statistics.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays 802.1X information for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays both global and port-specific 802.1X information.

Usage guidelines

If you do not specify the sessions keyword or the statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.

If you do not specify the ap ap-name [ radio radio-id ] option or the interface interface-type interface-number option, this command displays all 802.1X information, including wired 802.1X information and wireless 802.1X information.

Examples

# Display all information about 802.1X.

<Sysname> display dot1x

 Global 802.1X parameters:

   802.1X authentication  : Enabled

   CHAP authentication    : Enabled

   Max-tx period          : 30 s

   Handshake period       : 15 s

   Quiet timer            : Disabled

       Quiet period       : 60 s

   Supp timeout           : 30 s

   Server timeout         : 100 s

   Reauth period          : 3600 s

   Max auth requests      : 2

   SmartOn switch ID      : 30

   SmartOn supp timeout   : 30 s

   SmartOn retry counts   : 3

   EAD assistant function : Disabled

       URL                : http://www.dwsoft.com

       Free IP            : 6.6.6.0         255.255.255.0

       EAD timeout        : 30 min

   Domain delimiter       : @

 Online 802.1X wired users    : 1

 Online 802.1X wireless users : 1

 

 GigabitEthernet1/0/1  is link-up

   802.1X authentication      : Enabled

   Handshake                  : Enabled

   Handshake reply            : Disabled

   Handshake security         : Disabled

   Unicast trigger            : Disabled

   Periodic reauth            : Disabled

   Port role                  : Authenticator

   Authorization mode         : Auto

   Port access control        : Port-based

   Multicast trigger          : Enabled

   Mandatory auth domain      : Not configured

   Guest VLAN                 : 3

   Auth-Fail VLAN             : Not configured

   Critical VLAN              : Not configured

   Re-auth server-unreachable : Logoff

   Max online users           : 256

   SmartOn                    : Disabled

 

   EAPOL packets: Tx 3, Rx 3

   Sent EAP Request/Identity packets : 1

        EAP Request/Challenge packets: 1

        EAP Success packets: 1

        EAP Failure packets: 0

   Received EAPOL Start packets : 1

            EAPOL LogOff packets: 1

            EAP Response/Identity packets : 1

            EAP Response/Challenge packets: 1

            Error packets: 0

   Online 802.1X users: 1

          MAC address         Auth state

          0001-0000-0000      Authenticated

AP name: AP1  Radio ID: 1  SSID: wlan_dot1x_ssid

   BSSID                      : 1111-1111-1111

   802.1X authentication      : Enabled

   Handshake                  : Enabled

   Handshake security         : Disabled

   Periodic reauth            : Disabled

   Mandatory auth domain      : Not configured

   Max online users           : 256

 

   EAPOL packets: Tx 3, Rx 3

   Sent EAP Request/Identity packets : 1

        EAP Request/Challenge packets: 1

        EAP Success packets: 1

        EAP Failure packets: 0

   Received EAPOL Start packets : 1

        EAPOL LogOff packets: 1

        EAP Response/Identity packets : 1

        EAP Response/Challenge packets: 1

        Error packets: 0

   Online 802.1X users: 1

          MAC address         Auth state

          0001-0000-0002      Authenticated

Table 14 Command output

Field

Description

Global 802.1X parameters

Global 802.1X configuration.

802.1X authentication

Whether 802.1X is enabled globally.

CHAP authentication

Performs EAP termination and uses CHAP to communicate with the RADIUS server.

If EAP or PAP is enabled, this field is not available.

EAP authentication

Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

If CHAP or PAP is enabled, this field is not available.

PAP authentication

Performs EAP termination and uses PAP to communicate with the RADIUS server.

If CHAP or EAP is enabled, this field is not available.

Max-tx period

Username request timeout timer in seconds.

Handshake period

Handshake timer in seconds.

Quiet timer

Status of the quiet timer, enabled or disabled.

Quiet period

Quiet timer in seconds.

Supp timeout

Client timeout timer in seconds.

Server timeout

Server timeout timer in seconds.

Reauth period

Periodic reauthentication timer in seconds.

Max auth requests

Maximum number of attempts for sending an authentication request to a client.

SmartOn switch ID

Switch ID for SmartOn authentication.

SmartOn supp timeout

SmartOn client timeout timer in seconds.

SmartOn retry counts

Maximum number of attempts for retransmitting an EAP-Request/Notification packet to a client.

EAD assistant function

Whether EAD assistant is enabled.

URL

Redirect URL for unauthenticated users using a Web browser to access the network.

Free IP

Network segment accessible to unauthenticated users.

EAD timeout

EAD rule timer in minutes.

Domain delimiter

Domain delimiters supported by the device.

Online 802.1X wired users

Number of wired online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

Online 802.1X wireless users

Number of wireless online 802.1X users, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

GigabitEthernet1/0/1 is link-up

Status of the port. In this example, GigabitEthernet 1/0/1 is up.

802.1X authentication

Whether 802.1X is enabled on the port.

Handshake

Whether the online user handshake feature is enabled on the port.

Handshake reply

Whether the online user handshake reply feature is enabled on the port.

Handshake security

Whether the online user handshake security feature is enabled on the port.

Unicast trigger

Whether the 802.1X unicast trigger is enabled on the port.

Periodic reauth

Whether periodic online user reauthentication is enabled on the port.

Port role

Role of the port. The port functions only as an Authenticator.

Authorization mode

Authorization state of the port, which can be Force-Authorized, Auto, or Force-Unauthorized.

Port access control

Access control method of the port:

·     MAC-based—MAC-based access control.

·     Port-based—Port-based access control.

Multicast trigger

Whether the 802.1X multicast trigger feature is enabled.

Mandatory auth domain

Mandatory authentication domain on the port.

Guest VLAN

802.1X guest VLAN configured on the port.

If no 802.1X guest VLAN is configured on the port, this field displays Not configured.

Auth-Fail VLAN

802.1X Auth-Fail VLAN configured on the port.

If no 802.1X Auth-Fail VLAN is configured on the port, this field displays Not configured.

Critical VLAN

802.1X critical VLAN configured on the port.

If no 802.1X critical VLAN is configured on the port, this field displays Not configured.

Re-auth server-unreachable

Whether to log off online 802.1X users or keep them online when no server is reachable for 802.1X reauthentication.

Max online users

Maximum number of concurrent 802.1X users on the port.

SmartOn

Whether SmartOn authentication is enabled on the port.

EAPOL packets

Number of sent (Tx) and received (Rx) EAPOL packets.

Sent EAP Request/Identity packets

Number of sent EAP-Request/Identity packets.

EAP Request/Challenge packets

Number of sent EAP-Request/MD5-Challenge packets.

EAP Success packets

Number of sent EAP-Success packets.

EAP Failure packets

Number of sent EAP-Failure packets.

Received EAPOL Start packets

Number of received EAPOL-Start packets.

EAPOL LogOff packets

Number of received EAPOL-LogOff packets.

EAP Response/Identity packets

Number of received EAP-Response/Identity packets.

EAP Response/Challenge packets

Number of received EAP-Response/MD5-Challenge packets.

Error packets

Number of received error packets.

Online 802.1X users

Number of online 802.1X users on the port, including users that have passed 802.1X authentication and users that are performing 802.1X authentication.

MAC address

MAC addresses of the online 802.1X users.

Auth state

Authentication status of the online 802.1X users.

AP name

Name of the AP with which users are associated.

Radio ID

ID of the radio with which users are associated.

SSID

SSID with which users are associated.

BSSID

ID of the BSS with which users are associated.

 

display dot1x connection

Use display dot1x connection to display information about online 802.1X users.

Syntax

Wireless devices:

Centralized devices in standalone mode:

display dot1x connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-address | user-name name-string ]

Centralized devices in IRF mode:

display dot1x connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name name-string ]

Wired devices:

Centralized devices in standalone mode:

display dot1x connection [ interface interface-type interface-number | user-mac mac-address | user-name name-string ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display dot1x connection [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name name-string ]

Distributed devices in IRF mode:

display dot1x connection [ chassis chassis-number slot slot-number | interface interface-type interface-number | user-mac mac-address | user-name name-string ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays information about online 802.1X users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays information about online 802.1X users for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays online 802.1X user information for all ports.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays online 802.1X user information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays online 802.1X user information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays online 802.1X user information for all cards on all IRF member devices. (Distributed devices in IRF mode.)

user-mac mac-address: Specifies an 802.1X user by MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an 802.1X user, this command displays all online 802.1X user information.

user-name name-string: Specifies an 802.1X user by its name. The name-string argument represents the username, a case-sensitive string of 1 to 253 characters. If you do not specify an 802.1X user, this command displays all online 802.1X user information.

Examples

# (Centralized devices in standalone mode.) Display information about all online 802.1X users.

<Sysname> display dot1x connection

Total connections: 1

 

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: abc

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Authentication method: CHAP

Initial VLAN: 1

Authorization untagged VLAN: 6

Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33

                                35 37 40 to 100

Authorization ACL ID: 3001

Termination action: Default

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

 

User MAC address                : 0015-e9a6-7cfe

AP name                         : ap1

Radio ID                        : 1

SSID                            : wlan_dot1x_ssid

BSSID                           : 0015-e9a6-7cf0

User name                       : ias

Authentication domain           : 1

IPv4 address                    : 192.168.1.1

IPv6 address                    : 2000:0:0:0:1:2345:6789:abcd

Authentication method           : CHAP

Initial VLAN                    : 1

Authorization VLAN              : N/A

Authorization ACL number        : 3001

Termination action              : Default

Session timeout period          : 2 sec

Online from                     : 2013/03/02 13:14:15

Online duration                 : 0 h 2 m 15 s

# (Distributed devices in standalone mode.) Display information about all online 802.1X users.

<Sysname> display dot1x connection

Total connections: 1

 

Slot ID: 0

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: abc

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Authentication method: CHAP

Initial VLAN: 1

Authorization untagged VLAN: 6

Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33

                                35 37 40 to 100

Authorization ACL ID: 3001

Termination action: Default

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

# (Centralized devices in IRF mode.) Display information about all online 802.1X users.

<Sysname> display dot1x connection

Total connections: 1

 

Slot ID: 1

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: abc

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Authentication method: CHAP

Initial VLAN: 1

Authorization untagged VLAN: 6

Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33

                                35 37 40 to 100

Authorization ACL ID: 3001

Termination action: Default

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

 

User MAC address                : 0015-e9a6-7cfe

AP name                         : ap1

Radio ID                        : 1

SSID                            : wlan_dot1x_ssid

BSSID                           : 0015-e9a6-7cf0

User name                       : ias

Authentication domain           : 1

IPv4 address                    : 192.168.1.1

IPv6 address                    : 2000:0:0:0:1:2345:6789:abcd

Authentication method           : CHAP

Initial VLAN                    : 1

Authorization VLAN              : N/A

Authorization ACL number        : 3001

Termination action              : Default

Session timeout period          : 2 sec

Online from                     : 2013/03/02 13:14:15

Online duration                 : 0 h 2 m 15 s

# (Distributed devices in IRF mode.) Display information about all online 802.1X users.

<Sysname> display dot1x connection

Total connections: 1

 

Chassis ID: 1

Slot ID: 0

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: abc

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Authentication method: CHAP

Initial VLAN: 1

Authorization untagged VLAN: 6

Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33

                                35 37 40 to 100

Authorization ACL ID: 3001

Termination action: Default

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

Table 15 Command output

Field

Description

Total connections

Number of online 802.1X users.

User MAC address

MAC address of the user.

Access interface

Interface through which the user accesses the device.

AP name

Name of the AP with which the user is associated.

Radio ID

ID of the radio with which the user is associated.

SSID

SSID with which the user is associated.

BSSID

ID of the BSS with which the user is associated.

Authentication domain

ISP domain used for 802.1X authentication.

IPv4 address

IPv4 address of the user.

If the device does not get the IPv4 address of the user, this field is not available.

IPv6 address

IPv6 address of the user.

If the device does not get the IPv6 address of the user, this field is not available.

Authentication method

EAP message handling method:

·     CHAP—Performs EAP termination and uses CHAP to communicate with the RADIUS server.

·     EAP—Relays EAP packets and supports any of the EAP authentication methods to communicate with the RADIUS server.

·     PAP—Performs EAP termination and uses PAP to communicate with the RADIUS server.

Initial VLAN

VLAN to which the user belongs before 802.1X authentication.

Authorization untagged VLAN

Untagged VLAN authorized to the user.

Authorization tagged VLAN list

Tagged VLANs authorized to the user.

Authorization VLAN

VLAN authorized to the user.

This field is not available for MSR810-LMS/810-LUS/5620/5660/5680/3600-28-SI/3600-51-SI.

Authorization ACL ID/number

ACL authorized to the user.

The Authorization ACL number field is not available for MSR810-LMS/810-LUS/5620/5660/5680/3600-28-SI/3600-51-SI.

Termination action

Action attribute assigned by the server when the session timeout timer expires:

·     Default—Logs off the online authenticated 802.1X user. This attribute does not take effect when periodic online user reauthentication is enabled and the periodic reauthentication timer is shorter than the session timeout timer.

·     Radius-request—Reauthenticates the online user when the session timeout timer expires, regardless of whether the periodic online reauthentication feature is enabled or not.

If the device performs local authentication, this field displays N/A.

Session timeout period

Session timeout timer assigned by the server.

If the device performs local authentication, this field displays N/A.

Online from

Time from which the 802.1X user came online.

Online duration

Online duration of the 802.1X user.

 

dot1x

Use dot1x to enable 802.1X globally or on a port.

Use undo dot1x to disable 802.1X globally or on a port.

Syntax

dot1x

undo dot1x

Default

802.1X is neither enabled globally nor enabled for any port.

Views

System view

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

For the 802.1X feature to take effect on a port, you must enable the feature both globally and on the port.

Examples

# Enable 802.1X globally.

<Sysname> system-view

[Sysname] dot1x

# Enable 802.1X on GigabitEthernet 1/0/1.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x

[Sysname-GigabitEthernet1/0/1] quit

Related commands

display dot1x

dot1x authentication-method

Use dot1x authentication-method to specify an EAP message handling method.

Use undo dot1x authentication-method to restore the default.

Syntax

dot1x authentication-method { chap | eap | pap }

undo dot1x authentication-method

Default

The access device performs EAP termination and uses CHAP to communicate with the RADIUS server.

Views

System view

Predefined user roles

network-admin

Parameters

chap: Configures the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.

eap: Configures the access device to relay EAP packets and support any of the EAP authentication methods to communicate with the RADIUS server.

pap: Configures the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server.

Usage guidelines

The access device terminates or relays EAP packets.

·     In EAP termination mode—The access device re-encapsulates the authentication data from the client in standard RADIUS packets and sends them to the RADIUS server. The device performs either CHAP or PAP authentication with the RADIUS server. In this mode, the RADIUS server supports only MD5-Challenge EAP authentication and the username-and-password EAP authentication initiated by an iNode client.

¡     PAP transports usernames and passwords in plaintext, so it applies only to scenarios that do not require high security. An H3C iNode 802.1X client can be used with PAP.

¡     CHAP transports usernames in plaintext and passwords in encrypted form over the network. CHAP is more secure than PAP.

·     In EAP relay mode—The access device relays EAP messages between the client and the RADIUS server. The EAP relay mode supports multiple EAP authentication methods, such as MD5-Challenge, EAP-TLS, and PEAP. To use this mode, make sure the RADIUS server meets the following requirements:

¡     Supports the EAP-Message and Message-Authenticator attributes.

¡     Uses the same EAP authentication method as the client.

If this mode is used, the user-name-format command configured in RADIUS scheme view does not take effect. For more information about the user-name-format command, see "RADIUS commands."

If RADIUS authentication is used, you must configure the access device to use the same authentication method (PAP, CHAP, or EAP) as the RADIUS server.

Examples

# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS server.

<Sysname> system-view

[Sysname] dot1x authentication-method pap

Related commands

display dot1x

dot1x auth-fail vlan

Use dot1x auth-fail vlan to configure an 802.1X Auth-Fail VLAN on a port.

Use undo dot1x auth-fail vlan to restore the default.

Syntax

dot1x auth-fail vlan authfail-vlan-id

undo dot1x auth-fail vlan

Default

No 802.1X Auth-Fail VLAN exists.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

authfail-vlan-id: Specifies the ID of the 802.1X Auth-Fail VLAN on the port. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

Usage guidelines

An 802.1X Auth-Fail VLAN accommodates users that have failed 802.1X authentication for any reason other than unreachable servers.

To delete a VLAN that has been configured as an 802.1X Auth-Fail VLAN, you must first use the undo dot1x auth-fail vlan command.

Examples

# Configure VLAN 100 as the Auth-Fail VLAN on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x auth-fail vlan 100

Related commands

display dot1x

dot1x critical vlan

Use dot1x critical vlan to configure an 802.1X critical VLAN on a port.

Use undo dot1x critical vlan to restore the default.

Syntax

dot1x critical vlan critical-vlan-id

undo dot1x critical vlan

Default

No 802.1X critical VLAN exists on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

critical-vlan-id: Specifies the ID of the 802.1X critical VLAN on the port. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

Usage guidelines

An 802.1X critical VLAN accommodates users that have failed 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable.

To delete a VLAN that has been configured as an 802.1X critical VLAN, you must first use the undo dot1x critical vlan command.

Examples

# Specify VLAN 100 as the 802.1X critical VLAN on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x critical vlan 100

Related commands

display dot1x

dot1x domain-delimiter

Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the device.

Use undo dot1x domain-delimiter to restore the default.

Syntax

dot1x domain-delimiter string

undo dot1x domain-delimiter

Default

The device supports only the at sign (@) delimiter for 802.1X users.

Views

System view

Predefined user roles

network-admin

Parameters

string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. Enter the delimiters consecutively, without spaces between them. Available delimiters include the at sign (@), backslash (\), dot (.), and forward slash (/). If you want to use backslash (\) as a domain name delimiter, you must enter the escape character (\) along with the backslash (\) sign.

Usage guidelines

Any character in the configured set can be used as the domain name delimiter for 802.1X authentication users. Usernames that include domain names can use the format of username@domain-name, domain-name\username, username.domain-name, or username/domain-name.

The delimiter set you configured overrides the default setting. If the at sign (@) is not included in the delimiter set, the device does not support the 802.1X users that use this sign as the domain name delimiter.

If a username string contains multiple configured delimiters, the device takes the rightmost delimiter in the username string as the domain name delimiter. For example, if you configure the forward slash (/), dot (.), and backslash (\) as delimiters, the domain name delimiter for the username string 121.123/22\@abc is the backslash (\). The username is @abc and the domain name is 121.123/22.
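The rightmost-delimiter rule and the backslash escaping described above, modelled in Python as an added example (not H3C code). It reproduces the page's own 121.123/22\@abc case and also shows how adding the dot (.) to the default at sign (@) changes the split of a dotted domain.

```python
"""Model of the username-splitting rule of dot1x domain-delimiter (an added
example, not H3C code): the rightmost configured delimiter in the username
string is the domain name delimiter, and a backslash delimiter must be typed
as an escaped backslash on the CLI."""
from typing import Optional, Tuple

# Delimiters the command accepts: at sign, backslash, dot and forward slash.
ALLOWED_DELIMITERS = frozenset("@\\./")


def parse_delimiter_set(cli_string: str) -> str:
    """Turn the string argument of 'dot1x domain-delimiter' into the ordered
    set of delimiter characters. A backslash delimiter is valid only when
    entered with its escape character, i.e. as two backslashes."""
    delimiters = []
    i = 0
    while i < len(cli_string):
        ch = cli_string[i]
        if ch == "\\":
            if cli_string[i + 1:i + 2] != "\\":
                raise ValueError("backslash delimiter must be entered as \\\\")
            i += 1                        # skip the escape character
        elif ch not in ALLOWED_DELIMITERS:
            raise ValueError(f"unsupported delimiter {ch!r}")
        delimiters.append(ch)
        i += 1
    if not 1 <= len(delimiters) <= 16:
        raise ValueError("1 to 16 delimiters are allowed")
    return "".join(dict.fromkeys(delimiters))   # de-duplicate, keep order


def split_username(username: str, delimiters: str) -> Tuple[str, Optional[str]]:
    """Return (user, domain). The rightmost configured delimiter wins. For a
    backslash the format is domain\\user, so the domain is on the left; for
    '@', '.' and '/' the format is user<delimiter>domain. When no configured
    delimiter is present, the whole string is the user and no domain is carried."""
    pos = max(username.rfind(d) for d in delimiters)
    if pos < 0:
        return username, None
    left, right = username[:pos], username[pos + 1:]
    if username[pos] == "\\":
        return right, left
    return left, right


if __name__ == "__main__":
    # The page's own example: delimiters / . and \ applied to 121.123/22\@abc
    delims = parse_delimiter_set("/.\\\\")
    print(split_username("121.123/22\\@abc", delims))   # ('@abc', '121.123/22')
    # Adding '.' to the default '@' changes how a dotted domain is split.
    print(split_username("alice@corp.example", "@"))     # ('alice', 'corp.example')
    print(split_username("alice@corp.example", "@."))    # ('alice@corp', 'example')
```

Before adding the dot (.) to the delimiter set, check which of your usernames carry dotted domain names, because the rightmost rule will then split them at the last dot.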

Examples

# Specify the at sign (@) and forward slash (/) as domain name delimiters.

<Sysname> system-view

[Sysname] dot1x domain-delimiter @/

Related commands

display dot1x

dot1x ead-assistant enable

Use dot1x ead-assistant enable to enable the EAD assistant feature.

Use undo dot1x ead-assistant enable to disable the EAD assistant feature.

Syntax

dot1x ead-assistant enable

undo dot1x ead-assistant enable

Default

The EAD assistant feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No.
MSR2600-6-X1 | Yes.
MSR2600-10-X1 | No.
MSR 2630 | No.
MSR3600-28/3600-51 | Yes.
MSR3600-28-SI/3600-51-SI | Yes.
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes.
MSR 3610/3620/3620-DP/3640/3660 | No.
MSR5620/5660/5680 | Yes, but not supported on the SPU600-X1 module.

 

The EAD assistant feature enables the access device to redirect a user seeking to access the network to a page from which the user can download and install the EAD client. This relieves the administrator of the tedious job of deploying EAD clients manually.

The feature is mutually exclusive with MAC authentication and port security. You must disable MAC authentication and port security globally before you enable the EAD assistant feature.

To make the EAD assistant feature take effect on a port, you must enable 802.1X on the port and set the port authorization mode to auto.

Examples

# Enable the EAD assistant feature.

<Sysname> system-view

[Sysname] dot1x ead-assistant enable

Related commands

display dot1x

dot1x ead-assistant free-ip

dot1x ead-assistant url

dot1x ead-assistant free-ip

Use dot1x ead-assistant free-ip to configure a free IP.

Use undo dot1x ead-assistant free-ip to remove the specified or all free IP addresses.

Syntax

dot1x ead-assistant free-ip ip-address { mask-address | mask-length }

undo dot1x ead-assistant free-ip { ip-address { mask-address | mask-length } | all }

Default

No free IPs exist. Users cannot access any segments before they pass 802.1X authentication.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a freely accessible IP address segment, also called a free IP.

mask-address: Specifies an IP address mask.

mask-length: Specifies IP address mask length in the range of 1 to 32.

all: Removes all free IP addresses.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No.
MSR2600-6-X1 | Yes.
MSR2600-10-X1 | No.
MSR 2630 | No.
MSR3600-28/3600-51 | Yes.
MSR3600-28-SI/3600-51-SI | Yes.
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes.
MSR 3610/3620/3620-DP/3640/3660 | No.
MSR5620/5660/5680 | Yes, but not supported on the SPU600-X1 module.

 

Execute this command multiple times to configure multiple free IPs.

With EAD assistant enabled on the device, unauthenticated 802.1X users can access the network resources in the free IP segments before they pass 802.1X authentication.

Examples

# Configure 192.168.1.1/16 as a free IP.

<Sysname> system-view

[Sysname] dot1x ead-assistant free-ip 192.168.1.1 255.255.0.0

Related commands

display dot1x

dot1x ead-assistant enable

dot1x ead-assistant url

dot1x ead-assistant url

Use dot1x ead-assistant url to configure a redirect URL.

Use undo dot1x ead-assistant url to restore the default.

Syntax

dot1x ead-assistant url url-string

undo dot1x ead-assistant url

Default

No redirect URL exists.

Views

System view

Predefined user roles

network-admin

Parameters

url-string: Specifies the redirect URL, a case-insensitive string of 1 to 64 characters in the format http://string.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No.
MSR2600-6-X1 | Yes.
MSR2600-10-X1 | No.
MSR 2630 | No.
MSR3600-28/3600-51 | Yes.
MSR3600-28-SI/3600-51-SI | Yes.
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes.
MSR 3610/3620/3620-DP/3640/3660 | No.
MSR5620/5660/5680 | Yes, but not supported on the SPU600-X1 module.

 

When an unauthenticated user uses a Web browser to access networks other than the free IP, the device redirects the user to the redirect URL.

The redirect URL must be on the free IP subnet.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the redirect URL as http://test.com.

<Sysname> system-view

[Sysname] dot1x ead-assistant url http://test.com

Related commands

display dot1x

dot1x ead-assistant enable

dot1x ead-assistant free-ip

dot1x guest-vlan

Use dot1x guest-vlan to configure an 802.1X guest VLAN on a port.

Use undo dot1x guest-vlan to restore the default.

Syntax

dot1x guest-vlan guest-vlan-id

undo dot1x guest-vlan

Default

No 802.1X guest VLAN exists on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

guest-vlan-id: Specifies the ID of the 802.1X guest VLAN. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.

Usage guidelines

An 802.1X guest VLAN accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can access a limited set of network resources, such as a software server, to download anti-virus software and system patches.

To delete a VLAN that has been configured as a guest VLAN, you must use the undo dot1x guest-vlan command first.

Examples

# Specify VLAN 100 as the 802.1X guest VLAN on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x guest-vlan 100

Related commands

display dot1x

dot1x handshake

Use dot1x handshake to enable the online user handshake feature.

Use undo dot1x handshake to disable the online user handshake feature.

Syntax

dot1x handshake

undo dot1x handshake

Default

The online user handshake feature is enabled.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake feature enables the device to periodically send EAP-Request/Identity packets to the client for verifying the connectivity status of online 802.1X users. The device sets a user to the offline state if it does not receive an EAP-Response/Identity packet from the user after making the maximum attempts within the handshake timer. To set the handshake timer, use the dot1x timer handshake-period command. To set the maximum handshake attempts, use the dot1x retry command.

Examples

# Enable the online user handshake feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake

Related commands

display dot1x

dot1x timer handshake-period

dot1x retry

dot1x handshake reply enable

Use dot1x handshake reply enable to enable the 802.1X online user handshake reply feature.

Use undo dot1x handshake reply enable to disable the 802.1X online user handshake reply feature.

Syntax

dot1x handshake reply enable

undo dot1x handshake reply enable

Default

The 802.1X online user handshake reply feature is disabled.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets during the online handshake process.

As a best practice, use this command only if 802.1X clients will go offline without receiving EAP-Success packets from the device.

Examples

# Enable the 802.1X online user handshake reply feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake reply enable

Related commands

dot1x handshake

dot1x handshake secure

Use dot1x handshake secure to enable the online user handshake security feature.

Use undo dot1x handshake secure to disable the online user handshake security feature.

Syntax

dot1x handshake secure

undo dot1x handshake secure

Default

The online user handshake security feature is disabled.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The online user handshake security feature enables the device to prevent users from using illegal client software.

The feature is implemented based on the online user handshake feature. To bring the security function into effect, make sure the online user handshake feature is enabled.

The online user handshake security feature takes effect only on the network where the iNode client and IMC server are used.

Examples

# Enable the online user handshake security feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x handshake secure

Related commands

display dot1x

dot1x handshake

dot1x mandatory-domain

Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port.

Use undo dot1x mandatory-domain to restore the default.

Syntax

dot1x mandatory-domain domain-name

undo dot1x mandatory-domain

Default

No mandatory 802.1X authentication domain is specified on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

When the system authenticates an 802.1X user trying to access a port, it selects an authentication domain in the following order:

1.     Mandatory domain.

2.     ISP domain specified in the username.

3.     Default ISP domain.

Examples

# Specify my-domain as the mandatory authentication domain for 802.1X users on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain

Related commands

display dot1x

dot1x max-user

Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.

Use undo dot1x max-user to restore the default.

Syntax

dot1x max-user max-number

undo dot1x max-user

Default

The device allows a maximum of 4294967295 concurrent 802.1X users on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent 802.1X users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent 802.1X users.

Examples

# Set the maximum number of concurrent 802.1X users to 32 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x max-user 32

Related commands

display dot1x

dot1x multicast-trigger

Use dot1x multicast-trigger to enable the 802.1X multicast trigger feature.

Use undo dot1x multicast-trigger to disable the 802.1X multicast trigger feature.

Syntax

dot1x multicast-trigger

undo dot1x multicast-trigger

Default

The 802.1X multicast trigger feature is enabled.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The multicast trigger feature enables the device to act as the initiator. The device periodically multicasts EAP-Request/Identity packets out of a port to detect 802.1X clients and trigger authentication. You can use the dot1x timer tx-period command to set the interval for sending multicast EAP-Request/Identity packets.

Disable the multicast trigger in a wireless LAN. Wireless clients and the wireless module of the access device can both initiate 802.1X authentication.

Examples

# Enable the multicast trigger feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x multicast-trigger

Related commands

display dot1x

dot1x timer tx-period

dot1x unicast-trigger

dot1x port-control

Use dot1x port-control to set the authorization state for the port.

Use undo dot1x port-control to restore the default.

Syntax

dot1x port-control { authorized-force | auto | unauthorized-force }

undo dot1x port-control

Default

The default port authorization state is auto.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

authorized-force: Places the port in authorized state, enabling users on the port to access the network without authentication.

auto: Places the port initially in unauthorized state to allow only EAPOL packets to pass, and places the port in authorized state after a user passes authentication. You can use this option in most scenarios.

unauthorized-force: Places the port in unauthorized state, denying any access requests from users on the port.

Usage guidelines

You can use this command to set the port authorization state to determine whether a client is granted access to the network.

Examples

# Set the authorization state of port GigabitEthernet 1/0/1 to unauthorized-force.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x port-control unauthorized-force

Related commands

display dot1x

dot1x port-method

Use dot1x port-method to specify an access control method for the port.

Use undo dot1x port-method to restore the default.

Syntax

dot1x port-method { macbased | portbased }

undo dot1x port-method

Default

MAC-based access control applies.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

macbased: Uses MAC-based access control on the port to separately authenticate each user attempting to access the network. Using this method, when an authenticated user logs off, no other online users are affected.

portbased: Uses port-based access control on the port. Using this method, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

Examples

# Configure GigabitEthernet 1/0/1 to implement port-based access control.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x port-method portbased

Related commands

display dot1x

dot1x quiet-period

Use dot1x quiet-period to enable the quiet timer.

Use undo dot1x quiet-period to disable the quiet timer.

Syntax

dot1x quiet-period

undo dot1x quiet-period

Default

The quiet timer is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.

Examples

# Enable the quiet timer and set the quiet timer to 100 seconds.

<Sysname> system-view

[Sysname] dot1x quiet-period

[Sysname] dot1x timer quiet-period 100

Related commands

display dot1x

dot1x timer

dot1x re-authenticate

Use dot1x re-authenticate to enable the periodic online user reauthentication feature.

Use undo dot1x re-authenticate to disable the periodic online user reauthentication feature.

Syntax

dot1x re-authenticate

undo dot1x re-authenticate

Default

The periodic online user reauthentication feature is disabled.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

Periodic reauthentication enables the access device to periodically authenticate online 802.1X users on a port. This feature tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN.

You can use the dot1x timer reauth-period command to configure the interval for reauthentication.

Examples

# Enable the 802.1X periodic online user reauthentication feature on GigabitEthernet 1/0/1, and set the periodic reauthentication interval to 1800 seconds.

<Sysname> system-view

[Sysname] dot1x timer reauth-period 1800

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x re-authenticate

Related commands

display dot1x

dot1x timer

dot1x re-authenticate server-unreachable keep-online

Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on a port.

Use undo dot1x re-authenticate server-unreachable to restore the default.

Syntax

dot1x re-authenticate server-unreachable keep-online

undo dot1x re-authenticate server-unreachable

Default

The keep-online feature is disabled on a port. The device logs off online 802.1X authenticated users if no server is reachable for 802.1X reauthentication.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This feature keeps authenticated 802.1X users online when no server is reachable for 802.1X reauthentication.

Examples

# Enable the keep-online feature on GigabitEthernet 1/0/1 for 802.1X reauthentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x re-authenticate server-unreachable keep-online

Related commands

display dot1x

dot1x re-authenticate

dot1x retry

Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.

Use undo dot1x retry to restore the default.

Syntax

dot1x retry retries

undo dot1x retry

Default

A maximum of two attempts are made to send an authentication request to a client.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.

Usage guidelines

The access device retransmits an authentication request to a client in any of the following situations:

·     The device does not receive any responses from the client within the username request timeout timer. The timer is set by using the dot1x timer tx-period tx-period-value command for the EAP-Request/Identity packet.

·     The device does not receive any responses from the client within the client timeout timer. The timer is set by using the dot1x timer supp-timeout supp-timeout-value command for the EAP-Request/MD5-Challenge packet.

The access device stops retransmitting the request if it has made the maximum number of transmission attempts and still received no response.

Examples

# Set the maximum number of attempts to 9 for sending an authentication request to a client.

<Sysname> system-view

[Sysname] dot1x retry 9

Related commands

display dot1x

dot1x timer

dot1x smarton

Use dot1x smarton to enable the SmartOn feature on a port.

Use undo dot1x smarton to disable the SmartOn feature on a port.

Syntax

dot1x smarton

undo dot1x smarton

Default

The SmartOn feature is disabled on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The SmartOn feature and the online user handshake feature are mutually exclusive.

When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends a unicast EAP-Request/Notification packet to the client. The client will respond with an EAP-Response/Notification packet, which contains the SmartOn switch ID and the MD5 digest of the SmartOn password. The device compares the digest in the packet with the digest on the device. If they are the same, the device continues to perform 802.1X authentication for the client. Otherwise, the device denies the client's 802.1X authentication request.

Examples

# Enable the SmartOn feature on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x smarton

Related commands

display dot1x

dot1x smarton switched

dot1x smarton password

dot1x smarton password

Use dot1x smarton password to set a SmartOn password.

Use undo dot1x smarton password to restore the default.

Syntax

dot1x smarton password { cipher | simple } string

undo dot1x smarton password

Default

No SmartOn password is set.

Views

System view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 16 characters. Its encrypted form is a case-sensitive string of 1 to 53 characters.

Usage guidelines

The device checks the MD5 digest of the SmartOn password in each received EAP-Response/Notification packet. If the digest is different from the SmartOn password digest on the device, the device stops the 802.1X authentication process for the client that sends this packet.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the SmartOn password to abc in plaintext form.

<Sysname> system-view

[Sysname] dot1x smarton password simple abc

Related commands

display dot1x

dot1x smarton

dot1x smarton switched

dot1x smarton retry

Use dot1x smarton retry to set the maximum number of attempts for retransmitting an EAP-Request/Notification packet to a client.

Use undo dot1x smarton retry to restore the default.

Syntax

dot1x smarton retry retries

undo dot1x smarton retry

Default

A maximum of three attempts are made to retransmit an EAP-Request/Notification packet to a client.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of attempts for retransmitting an EAP-Request/Notification packet to a client. The value range is 1 to 10.

Usage guidelines

When the device sends an EAP-Request/Notification packet to the client, the SmartOn client timeout timer (set by using the dot1x smarton timer supp-timeout command) starts. If the device does not receive any EAP-Response/Notification packets from the client within the timer, it retransmits the EAP-Request/Notification packet to the client. After the device has made the maximum retransmission attempts but received no response, it stops the 802.1X authentication process for the client.

Examples

# Set the maximum attempts to 5 for retransmitting an EAP-Request/Notification packet.

<Sysname> system-view

[Sysname] dot1x smarton retry 5

Related commands

display dot1x

dot1x smarton timer supp-timeout

dot1x smarton switchid

Use dot1x smarton switchid to set a SmartOn switch ID.

Use undo dot1x smarton switchid to restore the default.

Syntax

dot1x smarton switchid switch-string

undo dot1x smarton switchid

Default

No SmartOn switch ID exists.

Views

System view

Predefined user roles

network-admin

Parameters

switch-string: Specifies the SmartOn switch ID, a case-sensitive string of 1 to 30 characters.

Usage guidelines

The device checks the SmartOn switch ID in each received EAP-Response/Notification packet. If the switch ID is not the same as the switch ID on the device, the device stops the 802.1X authentication process for the client that sends this packet.

Examples

# Set the SmartOn switch ID to abc.

<Sysname> system-view

[Sysname] dot1x smarton switchid abc

Related commands

display dot1x

dot1x smarton

dot1x smarton password

dot1x smarton timer supp-timeout

Use dot1x smarton timer supp-timeout to set the SmartOn client timeout timer.

Use undo dot1x smarton timer supp-timeout to restore the default.

Syntax

dot1x smarton timer supp-timeout supp-timeout-value

undo dot1x smarton timer supp-timeout

Default

The SmartOn client timeout timer is 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

supp-timeout-value: Specifies the SmartOn client timeout timer in seconds. The value range is 10 to 120.

Usage guidelines

The SmartOn client timeout timer starts when the device sends an EAP-Request/Notification packet to the client. If the device does not receive any EAP-Response/Notification packets from the client within the timer interval, it retransmits the EAP-Request/Notification packet. After the device has made the maximum retransmission attempts but received no response, it stops the 802.1X authentication process for the client. To set the maximum retransmission attempts, use the dot1x smarton retry command.

Examples

# Set the SmartOn client timeout timer to 20 seconds.

<Sysname> system-view

[Sysname] dot1x smarton timer supp-timeout 20

Related commands

display dot1x

dot1x smarton retry

dot1x timer

Use dot1x timer to set an 802.1X timer.

Use undo dot1x timer to restore the default of an 802.1X timer.

Syntax

dot1x timer { ead-timeout ead-timeout-value | handshake-period handshake-period-value | quiet-period quiet-period-value | reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value }

undo dot1x timer { ead-timeout | handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout | tx-period }

Default

The following 802.1X timers apply:

·     EAD rule timer: 30 minutes.

·     Handshake timer: 15 seconds.

·     Quiet timer: 60 seconds.

·     Periodic reauthentication timer: 3600 seconds.

·     Server timeout timer: 100 seconds.

·     Client timeout timer: 30 seconds.

·     Username request timeout timer: 30 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

ead-timeout ead-timeout-value: Specifies the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440. The following matrix shows the ead-timeout ead-timeout-value option and hardware compatibility:

 

Hardware | Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No.
MSR2600-6-X1 | Yes.
MSR2600-10-X1 | No.
MSR 2630 | No.
MSR3600-28/3600-51 | Yes.
MSR3600-28-SI/3600-51-SI | Yes.
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes.
MSR 3610/3620/3620-DP/3640/3660 | No.
MSR5620/5660/5680 | Yes, but not supported on the SPU600-X1 module.

 

handshake-period handshake-period-value: Specifies the handshake timer in seconds. The value range for the handshake-period-value argument is 5 to 1024.

quiet-period quiet-period-value: Specifies the quiet timer in seconds. The value range for the quiet-period-value argument is 10 to 120.

reauth-period reauth-period-value: Specifies the periodic reauthentication timer in seconds. The value range for the reauth-period-value argument is 60 to 7200.

server-timeout server-timeout-value: Specifies the server timeout timer in seconds. The value range for the server-timeout-value argument is 100 to 300.

supp-timeout supp-timeout-value: Specifies the client timeout timer in seconds. The value range for the supp-timeout-value argument is 1 to 120.

tx-period tx-period-value: Specifies the username request timeout timer in seconds. The value range for the tx-period-value argument is 1 to 120.

Usage guidelines

In most cases, the default settings are sufficient. You can edit the timers, depending on the network conditions.

·     In a low-speed network, increase the client timeout timer.

·     In a vulnerable network, set the quiet timer to a high value.

·     In a high-performance network with quick authentication response, set the quiet timer to a low value.

·     In a network with authentication servers of different performance, adjust the server timeout timer.

The network device uses the following 802.1X timers:

·     EAD rule timer (EAD timeout)—Sets the lifetime of each EAD rule. When the timer expires or the user passes authentication, the rule is removed. If users fail to download the EAD client or fail to pass authentication before the timer expires, they must reconnect to the network to access the free IP.

·     Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device does not receive a response after sending the maximum number of handshake requests, it considers that the client has logged off.

·     Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait for the quiet period to elapse before it processes further authentication attempts from that client.

·     Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable periodic online user reauthentication on a port, use the dot1x re-authenticate command.

·     Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS Access-Request packet to the authentication server. If no response is received when this timer expires, the access device retransmits the request to the server.

·     Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5-Challenge packet to a client. If no response is received when this timer expires, the access device retransmits the request to the client.

·     Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device does not receive a response before this timer expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

For users that are already online, a change to the periodic reauthentication timer takes effect only after the old timer expires. Changes to the other timers take effect immediately on the device.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] dot1x timer server-timeout 150

Related commands

display dot1x

dot1x unicast-trigger

Use dot1x unicast-trigger to enable the 802.1X unicast trigger feature.

Use undo dot1x unicast-trigger to disable the 802.1X unicast trigger feature.

Syntax

dot1x unicast-trigger

undo dot1x unicast-trigger

Default

The 802.1X unicast trigger feature is disabled.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The unicast trigger feature enables the access device to initiate 802.1X authentication when the device receives a data frame from an unknown source MAC address. The device sends a unicast EAP-Request/Identity packet to the unknown source MAC address. It will retransmit the packet if it does not receive any responses within a period of time (set by using the dot1x timer tx-period command). This process continues until the maximum number of request attempts (set by using the dot1x retry command) is reached.

Examples

# Enable the unicast trigger feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dot1x unicast-trigger

Related commands

display dot1x

dot1x multicast-trigger

dot1x retry

dot1x timer

reset dot1x guest-vlan

Use reset dot1x guest-vlan to remove users from the 802.1X guest VLAN on a port.

Syntax

reset dot1x guest-vlan interface interface-type interface-number [ mac-address mac-address ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

mac-address mac-address: Specifies the MAC address of an 802.1X user in the guest VLAN. If you do not specify this option, the command removes all 802.1X users from the 802.1X guest VLAN on the port.

Examples

# Remove the 802.1X user with MAC address 1-1-1 from the 802.1X guest VLAN on port GigabitEthernet 1/0/1.

<Sysname> reset dot1x guest-vlan interface gigabitethernet 1/0/1 mac-address 1-1-1

Related commands

dot1x guest-vlan

reset dot1x statistics

Use reset dot1x statistics to clear 802.1X statistics.

Syntax

Wireless devices:

reset dot1x statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Wired devices:

reset dot1x statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command clears statistics of 802.1X users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command clears 802.1X statistics for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears 802.1X statistics on all ports.

Examples

# Clear 802.1X statistics on GigabitEthernet 1/0/1.

<Sysname> reset dot1x statistics interface gigabitethernet 1/0/1

Related commands

display dot1x


MAC authentication commands

MAC authentication commands are supported only on the following ports:

·     Layer 2 Ethernet ports on the following modules:

¡     HMIM-8GSW.

¡     HMIM-8GSWF.

¡     HMIM-24GSW/24GSWP.

¡     SIC-4GSW.

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-LM-HK/810-W-LM-HK/810-10-PoE/810-LMS/810-LUS.

¡     MSR2600-6-X1/2600-10-X1.

¡     MSR3600-28/3600-51.

¡     MSR3600-28-SI/3600-51-SI.

¡     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

WLAN is not supported on the following routers:

·     MSR810-LMS/810-LUS.

·     MSR3600-28-SI/3600-51-SI.

·     MSR5620/5660/5680.

display mac-authentication

Use display mac-authentication to display MAC authentication settings and statistics. The output includes the global settings, port-specific settings, MAC authentication statistics, and online user statistics.

Syntax

Wireless devices:

display mac-authentication [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Wired devices:

display mac-authentication [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays MAC authentication settings and statistics for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays MAC authentication information for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays both global and port-specific MAC authentication information.

Examples

# Display all MAC authentication settings and statistics.

<Sysname> display mac-authentication

Global MAC authentication parameters:

   MAC authentication           : Enabled

   User name format             : MAC address in lowercase(xxxxxxxxxxxx)

           Username             : mac

           Password             : Not configured

   Offline detect period        : 300 s

   Quiet period                 : 60 s

   Server timeout               : 100 s

   Authentication domain        : Not configured, use default domain

 Online MAC-auth wired users    : 1

 Online MAC-auth wireless users : 2

 

 Silent MAC users:

          MAC address       VLAN ID  From port               Port index

          0001-0000-0005    100      GigabitEthernet1/0/2    21

          0001-0000-0006    12       GigabitEthernet1/0/4    301

 

 GigabitEthernet1/0/1  is link-up

   MAC authentication         : Enabled

   Carry User-IP              : Disabled

   Authentication domain      : Not configured

   Auth-delay timer           : Enabled

   Auth-delay period          : 60 s

   Re-auth server-unreachable : Logoff

   Guest VLAN                 : Not configured

   Guest VLAN auth-period     : 30 s

   Critical VLAN              : Not configured

   Critical voice VLAN        : Disabled

   Host mode                  : Multiple VLAN

   Max online users           : 256

   Authentication attempts    : successful 2, failed 3

   Current online users       : 1

          MAC address       Auth state

          0001-0000-0000    Authenticated

          0001-0000-0001    Unauthenticated

 

AP name: AP1  Radio ID: 1  SSID: wlan_maca_ssid

   BSSID                      : 1111-1111-1111

 MAC authentication           : Enabled

   Authentication domain      : Not configured

   Max online users           : 256

   Authentication attempts    : successful 1, failed 0

   Current online users       : 2

          MAC address       Auth state

          0001-0000-0002    Authenticated

          0001-0000-0003    Unauthenticated

Table 16 Command output

Field

Description

MAC authentication

Whether MAC authentication is enabled globally.

User name format

User account type: MAC-based or shared.

·     If MAC-based accounts are used, this field displays the format settings for the username. For example, MAC address in lowercase(xxxxxxxxxxxx) indicates that the MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

·     If a shared account is used, this field displays Fixed account.

Username:

Username for MAC authentication.

·     If MAC-based accounts are used, this field displays mac. The device uses the MAC address of each user as the username and password for MAC authentication.

·     If a shared account is used, this field displays the username of the shared account for MAC authentication users. By default, the username is mac.

Password:

Password for MAC authentication.

·     If MAC-based accounts are used or if a shared account is used but no password is configured, this field displays Not configured.

·     If a shared account is used and a password is configured, this field displays a string of asterisks (******).

Offline detect period

Offline detect timer.

Quiet period

Quiet timer.

Server timeout

Server timeout timer.

Authentication domain

MAC authentication domain specified in system view.

If no authentication domain is specified in system view, this field displays Not configured, use default domain.

Online MAC-auth wired users

Number of wired online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.

Online MAC-auth wireless users

Number of wireless online MAC authentication users, including users that have passed MAC authentication and users that are performing MAC authentication.

Silent MAC users

Information about silent MAC addresses.

MAC address

Silent MAC address.

VLAN ID

ID of the VLAN to which the silent MAC address belongs.

From port

Name of the port that marks the MAC address as a silent MAC address.

Port index

Index of the port that marks the MAC address as a silent MAC address.

GigabitEthernet1/0/1 is link-up

Status of the link on port GigabitEthernet 1/0/1. In this example, the link is up.

MAC authentication

Whether MAC authentication is enabled on the port.

Carry User-IP

This field is not supported in the current software version.

Whether user IP addresses are included in MAC authentication requests.

Authentication domain

MAC authentication domain specified for the port.

Auth-delay timer

Whether MAC authentication delay is enabled on the port.

Auth-delay period

MAC authentication delay timer.

Re-auth server-unreachable

Whether to log off online users or keep them online when no server is reachable for MAC reauthentication.

Guest VLAN

This field is not supported in the current software version.

MAC authentication guest VLAN configured on the port.

If no MAC authentication guest VLAN is configured, this field displays Not configured.

Guest VLAN auth-period

This field is not supported in the current software version.

Authentication interval for users in the MAC authentication guest VLAN on the port.

Critical VLAN

This field is not supported in the current software version.

MAC authentication critical VLAN configured on the port.

If no MAC authentication critical VLAN is configured, this field displays Not configured.

Critical voice VLAN

This field is not supported in the current software version.

Whether the MAC authentication critical voice VLAN feature is enabled on the port.

Host mode

·     Single VLAN—The MAC authentication multi-VLAN mode is disabled on the port. When the port receives a packet sourced from an authenticated MAC address in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user.

·     Multiple VLAN—The MAC authentication multi-VLAN mode is enabled on the port. When the port receives a packet sourced from an authenticated MAC in a VLAN not matching the existing MAC-VLAN mapping, the device creates a new MAC-VLAN mapping for the user.

Max online users

Maximum number of concurrent online users allowed on the port.

Authentication attempts: successful 1, failed 0

MAC authentication statistics, including the number of successful and unsuccessful authentication attempts.

Current online users

Number of online MAC authentication users on the port, including users that have passed MAC authentication and users that are performing MAC authentication.

MAC address

MAC address of the online user.

Auth state

User status:

·     Authenticated—The user has passed MAC authentication.

·     Unauthenticated—The user failed MAC authentication.

AP name

Name of the AP with which users are associated.

Radio ID

ID of the radio with which users are associated.

SSID

SSID with which users are associated.

BSSID

ID of the BSS with which users are associated.
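The fields in Table 16 are what an operator reads when checking whether a port is admitting unauthenticated hosts or has pushed MAC addresses into the silent list. The following parser is an added example written for this reference; it is not H3C code and does not come from the device. It takes the wired part of the display mac-authentication output shown above (a constructed copy of that output, not a capture) and turns it into a structured report: the global timers, the silent MAC table, the per-port settings, and each port's online users with their Auth state. It also derives the username the device would use for a MAC-based account in the "MAC address in lowercase(xxxxxxxxxxxx)" format described in the table. The AP/radio blocks of the wireless output are not handled here.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the display mac-authentication output in this
# reference (wired part only); it is not a capture from a real device.
SAMPLE_OUTPUT = """\
Global MAC authentication parameters:
   MAC authentication           : Enabled
   User name format             : MAC address in lowercase(xxxxxxxxxxxx)
           Username             : mac
           Password             : Not configured
   Offline detect period        : 300 s
   Quiet period                 : 60 s
   Server timeout               : 100 s
   Authentication domain        : Not configured, use default domain
 Online MAC-auth wired users    : 1
 Online MAC-auth wireless users : 2

 Silent MAC users:
          MAC address       VLAN ID  From port               Port index
          0001-0000-0005    100      GigabitEthernet1/0/2    21
          0001-0000-0006    12       GigabitEthernet1/0/4    301

 GigabitEthernet1/0/1  is link-up
   MAC authentication         : Enabled
   Authentication domain      : Not configured
   Host mode                  : Multiple VLAN
   Max online users           : 256
   Authentication attempts    : successful 2, failed 3
   Current online users       : 1
          MAC address       Auth state
          0001-0000-0000    Authenticated
          0001-0000-0001    Unauthenticated
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
PORT_RE = re.compile(r"^(\S+)\s+is link-(up|down)$")


@dataclass
class MacAuthReport:
    global_settings: dict = field(default_factory=dict)
    silent_macs: list = field(default_factory=list)    # (mac, vlan, from_port, port_index)
    port_settings: dict = field(default_factory=dict)  # port -> {setting: value}
    port_users: dict = field(default_factory=dict)     # port -> {mac: auth state}


def parse_mac_authentication(text):
    """Walk the output section by section: global block, silent MAC table, then one block per port."""
    report = MacAuthReport()
    section, port = "global", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Silent MAC users"):
            section = "silent"
            continue
        if line.endswith(":"):           # block titles such as "Global MAC authentication parameters:"
            continue
        m = PORT_RE.match(line)
        if m:                            # "<port>  is link-up" opens a per-port block
            section, port = "port", m.group(1)
            report.port_settings[port] = {"link": m.group(2)}
            report.port_users[port] = {}
            continue
        first = line.split()[0]
        if section == "silent" and MAC_RE.match(first):
            mac, vlan, from_port, index = line.split()[:4]
            report.silent_macs.append((mac, int(vlan), from_port, int(index)))
        elif section == "port" and MAC_RE.match(first):
            mac, state = line.split()[:2]
            report.port_users[port][mac] = state
        elif ":" in line and section == "global":
            key, _, value = line.partition(":")
            report.global_settings[key.strip()] = value.strip()
        elif ":" in line and section == "port":
            key, _, value = line.partition(":")
            report.port_settings[port][key.strip()] = value.strip()
    return report


def mac_username(mac):
    """Username for a MAC-based account in the 'MAC address in lowercase(xxxxxxxxxxxx)' format:
    hexadecimal digits only, no hyphens, lower case."""
    return mac.replace("-", "").lower()


def unauthenticated_users(report):
    """(port, mac) pairs for users that are online on a port but have not passed MAC authentication."""
    return [(port, mac)
            for port, users in report.port_users.items()
            for mac, state in users.items()
            if state != "Authenticated"]


def quiet_period_seconds(report):
    """Quiet timer from the global block, e.g. '60 s' -> 60; None if the field is absent."""
    m = re.match(r"(\d+)\s*s", report.global_settings.get("Quiet period", ""))
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    rep = parse_mac_authentication(SAMPLE_OUTPUT)
    print("quiet period:", quiet_period_seconds(rep))
    for mac, vlan, from_port, _ in rep.silent_macs:
        print(f"silent {mac} (username {mac_username(mac)}) in VLAN {vlan} via {from_port}")
    for port, mac in unauthenticated_users(rep):
        print(f"not yet authenticated: {mac} on {port}")
```

Feeding the script the output of a periodic `display mac-authentication` gives a quick view of which MAC addresses are currently quieted and which ports carry users still in the Unauthenticated state; both lists are worth watching on ports that also hold a guest or critical VLAN.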

 

display mac-authentication connection

Use display mac-authentication connection to display information about online MAC authentication users.

Syntax

Wireless devices:

Centralized devices in standalone mode:

display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-address | user-name user-name ]

Centralized devices in IRF mode:

display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name user-name ]

Wired devices:

Centralized devices in standalone mode:

display mac-authentication connection [ interface interface-type interface-number | user-mac mac-address | user-name user-name ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display mac-authentication connection [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name user-name ]

Distributed devices in IRF mode:

display mac-authentication connection [ chassis chassis-number slot slot-number | interface interface-type interface-number | user-mac mac-address | user-name user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command displays information about online MAC authentication users for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command displays information about online MAC authentication users for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays information about the online MAC authentication users for all ports.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about the online MAC authentication users for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about the online MAC authentication users for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about the online MAC authentication users for all cards on all IRF member devices. (Distributed devices in IRF mode.)

user-mac mac-address: Specifies an online MAC authentication user by its MAC address. The mac-address argument represents the MAC address of the user, in the form of H-H-H. If you do not specify an online MAC authentication user, this command displays all online MAC authentication user information.

user-name user-name: Specifies an online MAC authentication user by its username. The user name is a case-sensitive string of 1 to 253 characters, and it can include the domain name. If you do not specify an online MAC authentication user, this command displays all online MAC authentication user information.

Examples

# (Centralized devices in standalone mode.) Display information about all online MAC authentication users.

<Sysname> display mac-authentication connection

Total connections: 1

 

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: h3c

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization ACL ID: 3001

Authorization user profile: N/A

Termination action: Radius-request

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

 

User MAC address              : 0015-e9a6-7cfe

AP name                       : ap1

Radio ID                      : 1

SSID                          : wlan_dot1x_ssid

BSSID                         : 0015-e9a6-7cf0

User name                     : ias

Authentication domain         : 1

Initial VLAN                  : 1

Authorization VLAN            : 100

Authorization ACL number      : 3001

Authorization URL             : N/A

Authorization user profile    : N/A

Termination action            : Radius-request

Session timeout period        : 2 sec

Online from                   : 2014/06/02 13:14:15

Online duration               : 0h 2m 15s

# (Distributed devices in standalone mode.) Display information about all online MAC authentication users.

<Sysname> display mac-authentication connection

Total connections: 1

 

Slot ID: 0

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: h3c

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization ACL ID: 3001

Authorization user profile: N/A

Termination action: Radius-request

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

# (Centralized devices in IRF mode.) Display information about all online MAC authentication users.

<Sysname> display mac-authentication connection

Total connections: 1

 

Slot ID: 1

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: h3c

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization ACL ID: 3001

Authorization user profile: N/A

Termination action: Radius-request

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

 

User MAC address              : 0015-e9a6-7cfe

AP name                       : ap1

Radio ID                      : 1

SSID                          : wlan_dot1x_ssid

BSSID                         : 0015-e9a6-7cf0

User name                     : ias

Authentication domain         : 1

Initial VLAN                  : 1

Authorization VLAN            : 100

Authorization ACL number      : 3001

Authorization URL             : N/A

Authorization user profile    : N/A

Termination action            : Radius-request

Session timeout period        : 2 sec

Online from                   : 2014/06/02 13:14:15

Online duration               : 0h 2m 15s

# (Distributed devices in IRF mode.) Display information about all online MAC authentication users.

<Sysname> display mac-authentication connection

Total connections: 1

 

Chassis ID: 1

Slot ID: 0

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

Authentication domain: h3c

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN  : N/A

Authorization ACL ID: 3001

Authorization user profile: N/A

Termination action: Radius-request

Session timeout period: 2 s

Online from: 2013/03/02  13:14:15

Online duration: 0h 2m 15s

Table 17 Command output

Field

Description

Total connections

Total number of online MAC authentication users.

Chassis ID

Member ID of the device in the IRF fabric. (Distributed devices in IRF mode.)

Slot ID

Slot number of the card. (Distributed devices.)

Slot ID

Member ID of the device in the IRF fabric. (Centralized devices in IRF mode.)

User MAC address

MAC address of the user.

Access interface

Interface through which the user accesses the device.

AP name

Name of the AP with which the user is associated.

Radio ID

ID of the radio with which the user is associated.

SSID

SSID with which the user is associated.

BSSID

ID of the BSS with which the user is associated.

Authentication domain

MAC authentication domain to which the user belongs.

Initial VLAN

VLAN that holds the user before MAC authentication.

Authorization untagged VLAN

Untagged VLAN authorized to the user.

Authorization tagged VLAN

Tagged VLAN authorized to the user.

Authorization VLAN

VLAN authorized to the user.

Authorization ACL ID/number

ACL authorized to the user.

Authorization user profile

This field is not supported for wired users in the current software version.

User profile authorized to the user.

Authorization URL

Redirect URL authorized to the wireless user.

Termination action

Action attribute assigned by the server when the session timeout timer expires.

The following server-assigned action attributes are available:

·     Default—Logs off the online authenticated user when the session timeout timer expires.

·     Radius-request—Reauthenticates the online user when the session timeout timer expires.

If the device performs local authentication, this field displays N/A.

Session timeout period

Session timeout timer assigned by the server.

If the device performs local authentication, this field displays N/A.

Online from

Time from which the MAC authentication user came online.

Online duration

Online duration of the MAC authentication user.
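The Termination action and Session timeout period fields in Table 17 decide what the device does when a session times out, and the mac-authentication re-authenticate server-unreachable keep-online command described later in this chapter only takes effect for users whose server assigned the Radius-request action. The following script is an added example written for this reference, not H3C code: it splits display mac-authentication connection output into one record per user (handling the wired "Key: value" form, the Slot ID/Chassis ID prefix lines, and the "2 s"/"2 sec" timeout spellings seen in the wired and wireless variants) and groups users by what happens at session timeout. The sample output is constructed for the example; the second user (local authentication, N/A fields) is invented to exercise that case.

```python
import re

# Constructed sample modelled on the wired display mac-authentication connection
# output (distributed device, standalone mode). Not a capture from a real device;
# the second record is invented to show a locally authenticated user.
SAMPLE_CONNECTIONS = """\
Total connections: 2

Slot ID: 0
User MAC address: 0015-e9a6-7cfe
Access interface: GigabitEthernet1/0/1
Username: ias
Authentication domain: h3c
Initial VLAN: 1
Authorization untagged VLAN: 100
Authorization tagged VLAN: N/A
Authorization ACL ID: 3001
Authorization user profile: N/A
Termination action: Radius-request
Session timeout period: 2 s
Online from: 2013/03/02  13:14:15
Online duration: 0h 2m 15s

Slot ID: 0
User MAC address: 0015-e9a6-7cff
Access interface: GigabitEthernet1/0/3
Username: 0015e9a67cff
Authentication domain: local
Initial VLAN: 1
Authorization untagged VLAN: 20
Authorization tagged VLAN: N/A
Authorization ACL ID: N/A
Authorization user profile: N/A
Termination action: N/A
Session timeout period: N/A
Online from: 2013/03/02  13:20:00
Online duration: 0h 0m 30s
"""


def parse_connections(text):
    """Return one dict per online user. Records are blank-line separated; the
    'Total connections' header block is dropped because it has no MAC address."""
    records, current = [], {}
    for raw in text.splitlines() + [""]:     # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if "User MAC address" in current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only: timestamps contain colons
        if sep:
            current[key.strip()] = value.strip()
    return records


def user_name(record):
    """The wired output labels this field 'Username', the wireless output 'User name'."""
    return record.get("Username") or record.get("User name")


def session_timeout_seconds(record):
    """Parse '2 s' (wired) or '2 sec' (wireless); None when the field is N/A (local authentication)."""
    m = re.match(r"(\d+)\s*s", record.get("Session timeout period", "N/A"))
    return int(m.group(1)) if m else None


def reauth_policy(records):
    """Group users by the outcome at session timeout, as Table 17 defines it:
    Radius-request -> reauthenticated, Default -> logged off, N/A -> local authentication."""
    out = {"reauthenticate": [], "logoff": [], "local": []}
    for rec in records:
        mac = rec["User MAC address"]
        action = rec.get("Termination action", "N/A")
        if action == "Radius-request":
            out["reauthenticate"].append((mac, session_timeout_seconds(rec)))
        elif action == "N/A":
            out["local"].append((mac, None))
        else:
            out["logoff"].append((mac, session_timeout_seconds(rec)))
    return out


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_CONNECTIONS)
    for rec in recs:
        print(rec["User MAC address"], user_name(rec), rec.get("Slot ID"), rec.get("Access interface"))
    for outcome, users in reauth_policy(recs).items():
        print(outcome, users)
```

Only the "reauthenticate" group is affected by the keep-online feature; users in the "local" group never reach a RADIUS server, so a server-unreachable condition does not apply to them.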

 

mac-authentication

Use mac-authentication to enable MAC authentication globally or on a port.

Use undo mac-authentication to disable MAC authentication globally or on a port.

Syntax

mac-authentication

undo mac-authentication

Default

MAC authentication is not enabled globally or on any port.

Views

System view

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

To use MAC authentication on a port, you must enable the feature both globally and on the port.

Examples

# Enable MAC authentication globally.

<Sysname> system-view

[Sysname] mac-authentication

# Enable MAC authentication on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication

Related commands

display mac-authentication

mac-authentication domain

Use mac-authentication domain to specify a global or port-specific authentication domain.

Use undo mac-authentication domain to restore the default.

Syntax

mac-authentication domain domain-name

undo mac-authentication domain

Default

The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."

Views

System view

Ethernet interface view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of an ISP domain, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The global authentication domain applies to all MAC authentication-enabled ports. A port-specific authentication domain applies only to the port. You can specify different authentication domains on different ports.

A port chooses an authentication domain for MAC authentication users in the following order:

1.     Authentication domain specified on the port.

2.     Global authentication domain specified in system view.

3.     Default authentication domain.

Examples

# Specify ISP domain domain1 as the global MAC authentication domain.

<Sysname> system-view

[Sysname] mac-authentication domain domain1

# Specify ISP domain aabbcc as the MAC authentication domain on port GigabitEthernet 1/0/1.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication domain aabbcc

Related commands

display mac-authentication

domain default enable

mac-authentication host-mode

Use mac-authentication host-mode multi-vlan to enable MAC authentication multi-VLAN mode on a port.

Use undo mac-authentication host-mode to restore the default.

Syntax

mac-authentication host-mode multi-vlan

undo mac-authentication host-mode

Default

MAC authentication multi-VLAN mode is disabled on a port. When the port receives a packet sourced from an authenticated MAC address in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports.

This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.

Examples

# Enable MAC authentication multi-VLAN mode on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication host-mode multi-vlan

Related commands

display mac-authentication

mac-authentication max-user

Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port.

Use undo mac-authentication max-user to restore the default.

Syntax

mac-authentication max-user max-number

undo mac-authentication max-user

Default

The device allows a maximum of 4294967295 concurrent MAC authentication users on a port.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of concurrent MAC authentication users on the port. The value range for this argument is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent MAC authentication users.

Examples

# Configure port GigabitEthernet 1/0/1 to support a maximum of 32 concurrent MAC authentication users.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication max-user 32

Related commands

display mac-authentication

mac-authentication re-authenticate server-unreachable keep-online

Use mac-authentication re-authenticate server-unreachable keep-online to enable the keep-online feature on a port.

Use undo mac-authentication re-authenticate server-unreachable to restore the default.

Syntax

mac-authentication re-authenticate server-unreachable keep-online

undo mac-authentication re-authenticate server-unreachable

Default

The keep-online feature is disabled on a port. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.

Views

Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.

This command takes effect only after the server assigns the Radius-request action attribute to the authenticated MAC authentication user (see "display mac-authentication connection"). The access device will reauthenticate the user when the session timeout timer expires.

Examples

# Enable the keep-online feature for authenticated MAC authentication users on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication re-authenticate server-unreachable keep-online

Related commands

display mac-authentication

mac-authentication timer

Use mac-authentication timer to set the MAC authentication timers.

Use undo mac-authentication timer to restore the defaults.

Syntax

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

undo mac-authentication timer { offline-detect | quiet | server-timeout }

Default

The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

offline-detect offline-detect-value: Specifies the offline detect timer in the range of 60 to 65535, in seconds.

quiet quiet-value: Specifies the quiet timer in the range of 1 to 3600, in seconds.

server-timeout server-timeout-value: Specifies the server timeout timer in the range of 100 to 300, in seconds.

Usage guidelines

MAC authentication uses the following timers:

·     Offline detect timer—Sets the interval that the device waits for traffic from a user before the device regards the user as idle. If a user connection stays idle for the whole interval, the device logs the user out and stops accounting for the user.

·     Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

·     Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server as unavailable. If the timer expires during MAC authentication, the user cannot access the network.

Examples

# Set the server timeout timer to 150 seconds.

<Sysname> system-view

[Sysname] mac-authentication timer server-timeout 150

Related commands

display mac-authentication

mac-authentication timer auth-delay

Use mac-authentication timer auth-delay to enable MAC authentication delay and set the delay time.

Use undo mac-authentication timer auth-delay to restore the default.

Syntax

mac-authentication timer auth-delay time

undo mac-authentication timer auth-delay

Default

MAC authentication delay is disabled. MAC authentication starts immediately after it is triggered by a user packet.

Views

Ethernet interface view

Predefined user roles

network-admin

Parameters

time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180.

Usage guidelines

When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC authentication.

Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when you want to use MAC authentication delay. The delay does not take effect on a port in either of the two modes. For more information about port security modes, see "Port security commands."

Examples

# Enable MAC authentication delay on interface GigabitEthernet 1/0/1 and set the delay time to 10 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication timer auth-delay 10

Related commands

display mac-authentication

port-security port-mode

mac-authentication user-name-format

Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication users.

Use undo mac-authentication user-name-format to restore the default.

Syntax

mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } string ] | mac-address [ { with-hyphen [ six-section | three-section ] | without-hyphen } [ lowercase | uppercase ] ] }

undo mac-authentication user-name-format

Default

Each user's MAC address is used as the username and password for MAC authentication. A MAC address is in hexadecimal notation without hyphens, and letters are in lower case.

Views

System view

Predefined user roles

network-admin

Parameters

fixed: Uses a shared account for all MAC authentication users.

account name: Specifies the username for the shared account. The name is a case-sensitive string of 1 to 55 characters, excluding the at sign (@). If you do not specify a username, the default name mac applies.

password: Specifies the password for the shared user account.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

mac-address: Uses MAC-based user accounts for MAC authentication users. You can also specify the format of username and password by using the following keywords:

·     with-hyphen: Includes hyphens in the MAC address.

¡     six-section: Hyphenates the MAC address into six groups of two hexadecimal digits, for example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX.

¡     three-section: Hyphenates the MAC address into three groups of four hexadecimal digits, for example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX.

If you do not specify the six-section or three-section keyword, the MAC address is in six-section format.

·     without-hyphen: Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx or XXXXXXXXXXXX.

·     lowercase: Specifies letters in lower case.

·     uppercase: Specifies letters in upper case.

Usage guidelines

If you specify MAC-based user accounts, the device uses the MAC address of a user as the username and password for MAC authentication of the user. This user account type ensures high authentication security. However, you must create a user account for each user on the authentication server, using the MAC address of the user as both the username and password.

If you specify a shared user account, the device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.
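The formatting keywords above determine the exact username and password string the device sends, so the MAC-based accounts provisioned on the authentication server must match that string character for character. The following Python is an added example, not H3C's code: it renders a MAC address under each mac-address keyword combination described above and reports which MACs have no matching server account (the sample MAC addresses and server usernames are constructed).

```python
"""Render the MAC-based account identity produced by each
`mac-authentication user-name-format mac-address ...` keyword combination.

Added example, not H3C's code. The rules mirror the command reference:
with-hyphen (six-section default, or three-section) vs without-hyphen,
and lowercase (default) vs uppercase; username and password are identical.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC address, lowercase, no separators.

    Accepts H-H-H, xx-xx-xx-xx-xx-xx, colon-separated or bare notation and
    rejects anything that is not a 48-bit MAC address.
    """
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class UserNameFormat:
    """Keyword choices of the mac-address branch of the command."""
    with_hyphen: bool = False     # with-hyphen vs without-hyphen (default)
    three_section: bool = False   # three-section vs six-section (default)
    uppercase: bool = False       # uppercase vs lowercase (default)

    def render(self, mac: str) -> str:
        """Format one MAC address exactly as the device will send it."""
        digits = normalize_mac(mac)
        if self.with_hyphen:
            width = 4 if self.three_section else 2   # xxxx-xxxx-xxxx or xx-xx-...
            text = "-".join(digits[i:i + width] for i in range(0, 12, width))
        else:
            text = digits
        return text.upper() if self.uppercase else text


def mac_account(mac: str, fmt: UserNameFormat = UserNameFormat()) -> Tuple[str, str]:
    """(username, password) for a MAC-based account; both are the same string."""
    name = fmt.render(mac)
    return name, name


def missing_accounts(macs: Iterable[str], server_usernames: Iterable[str],
                     fmt: UserNameFormat) -> List[str]:
    """MACs that will fail authentication because no server account matches
    the device's rendering (comparison is exact, so case matters)."""
    have = set(server_usernames)
    return [m for m in macs if fmt.render(m) not in have]


if __name__ == "__main__":
    sample = "00:0D:88:F8:05:77"   # constructed sample MAC address
    for label, fmt in [
        ("default (without-hyphen lowercase)", UserNameFormat()),
        ("with-hyphen uppercase", UserNameFormat(with_hyphen=True, uppercase=True)),
        ("with-hyphen three-section", UserNameFormat(with_hyphen=True, three_section=True)),
    ]:
        print(f"{label:38} -> {mac_account(sample, fmt)[0]}")
    # Constructed server account list: only one of the two MACs is provisioned.
    print(missing_accounts(["000d-88f8-0577", "0002-0002-0002"],
                           ["000d88f80577"], UserNameFormat()))
```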

Examples

# Configure a shared account for MAC authentication users, with the username abc and the plaintext password xyz.

<Sysname> system-view

[Sysname] mac-authentication user-name-format fixed account abc password simple xyz

# Use MAC-based user accounts for MAC authentication users. A MAC address is in the six-section format and letters are in upper case.

<Sysname> system-view

[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase

Related commands

display mac-authentication

reset mac-authentication statistics

Use reset mac-authentication statistics to clear MAC authentication statistics.

Syntax

Wireless devices:

reset mac-authentication statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

Wired devices:

reset mac-authentication statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), dots (.), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command clears MAC authentication statistics for all APs.

radio radio-id: Specifies a radio by its ID. The value range for the radio-id argument varies by AP model. If you do not specify a radio, this command clears MAC authentication statistics for all radios on the specified AP.

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command clears both global and port-specific MAC authentication statistics.

Examples

# Clear MAC authentication statistics on port GigabitEthernet 1/0/1.

<Sysname> reset mac-authentication statistics interface gigabitethernet 1/0/1

Related commands

display mac-authentication


Port security commands

This feature is supported only on the following ports:

·     Layer 2 Ethernet ports on the following modules:

¡     HMIM-8GSW.

¡     HMIM-8GSWF.

¡     HMIM-24GSW/24GSWP.

¡     SIC-4GSW.

·     Fixed Layer 2 Ethernet ports of the following routers:

¡     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-LM-HK/810-W-LM-HK/810-10-PoE/810-LMS/810-LUS.

¡     MSR2600-6-X1/2600-10-X1.

¡     MSR3600-28/3600-51.

¡     MSR3600-28-SI/3600-51-SI.

¡     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display port-security

Use display port-security to display port security configuration, operation information, and statistics for ports.

Syntax

display port-security [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.

Examples

# Display port security information for all ports.

<Sysname> display port-security

Global port security parameters:

   Port security          : Enabled

   AutoLearn aging time   : 0 min

   Disableport timeout    : 20 s

   MAC move               : Denied

   Authorization fail     : Online

   NAS-ID profile         : Not configured

   Dot1x-failure trap     : Disabled

   Dot1x-logon trap       : Disabled

   Dot1x-logoff trap      : Enabled

   Intrusion trap         : Disabled

   Address-learned trap   : Enabled

   Mac-auth-failure trap  : Disabled

   Mac-auth-logon trap    : Enabled

   Mac-auth-logoff trap   : Disabled

   OUI value list         :

    Index :  1           Value : 123401

 

 GigabitEthernet1/0/1 is link-up

   Port mode                      : userLogin

   NeedToKnow mode                : Disabled

   Intrusion protection mode      : NoAction

   Security MAC address attribute

       Learning mode              : Sticky

       Aging type                 : Periodical

   Max secure MAC addresses       : 32

   Current secure MAC addresses   : 0

   Authorization                  : Permitted

   NAS-ID profile                 : Not configured

Table 18 Command output

Field

Description

Port security

Whether the port security feature is enabled.

AutoLearn aging time

Sticky MAC address aging timer, in minutes.

Disableport timeout

Silence period (in seconds) of the port that receives illegal packets.

MAC move

Status of MAC move:

·     If the feature is enabled, this field displays Permitted.

·     If the feature is disabled, this field displays Denied.

Authorization fail

Action to be taken for users that have failed ACL authorization:

·     Online—Allows the users to go online.

·     Offline—Logs off the users.

NAS-ID profile

NAS-ID profile applied globally.

Dot1x-failure trap

Whether SNMP notifications for 802.1X authentication failures are enabled.

Dot1x-logon trap

Whether SNMP notifications for 802.1X authentication successes are enabled.

Dot1x-logoff trap

Whether SNMP notifications for 802.1X authenticated user logoffs are enabled.

Intrusion trap

Whether SNMP notifications for intrusion protection are enabled. If they are enabled, the device sends SNMP notifications after illegal packets are detected.

Address-learned trap

Whether SNMP notifications for MAC address learning are enabled. If they are enabled, the device sends SNMP notifications after it learns a new MAC address.

Mac-auth-failure trap

Whether SNMP notifications for MAC authentication failures are enabled.

Mac-auth-logon trap

Whether SNMP notifications for MAC authentication successes are enabled.

Mac-auth-logoff trap

Whether SNMP notifications for MAC authentication user logoffs are enabled.

OUI value list

List of OUI values allowed for authentication.

Port mode

Port security mode:

·     noRestrictions.

·     autoLearn.

·     macAddressWithRadius.

·     macAddressElseUserLoginSecure.

·     macAddressElseUserLoginSecureExt.

·     secure.

·     userLogin.

·     userLoginSecure.

·     userLoginSecureExt.

·     macAddressOrUserLoginSecure.

·     macAddressOrUserLoginSecureExt.

·     userLoginWithOUI.

NeedToKnow mode

Need to know (NTK) mode:

·     NeedToKnowOnly—Allows only unicast packets with authenticated destination MAC addresses.

·     NeedToKnowWithBroadcast—Allows only unicast packets and broadcasts with authenticated destination MAC addresses.

·     NeedToKnowWithMulticast—Allows unicast packets, multicasts, and broadcasts with authenticated destination MAC addresses.

·     Disabled—NTK is disabled.

Intrusion protection mode

Intrusion protection action:

·     BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.

·     DisablePort—Shuts down the port that receives illegal packets permanently.

·     DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.

·     NoAction—Does not perform intrusion protection.

Learning mode

Secure MAC address learning mode:

·     Dynamic.

·     Sticky.

Aging type

Secure MAC address aging type:

·     Periodical—Timer aging only.

·     Inactivity—Inactivity aging feature together with the aging timer.

Max secure MAC addresses

Maximum number of secure MAC addresses (or online users) that port security allows on the port.

Current secure MAC addresses

Number of secure MAC addresses stored.

Authorization

Whether the authorization information from the authentication server (RADIUS server or local device) is ignored:

·     Permitted—Authorization information from the authentication server takes effect.

·     Ignored—Authorization information from the authentication server does not take effect.

NAS-ID profile

NAS-ID profile applied to the port.

 

display port-security mac-address block

Use display port-security mac-address block to display information about blocked MAC addresses.

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

Usage guidelines

If you do not specify any parameters, this command displays information about all blocked MAC addresses.

Examples

# (Centralized devices in standalone mode.) Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

 MAC ADDR             Port                        VLAN ID

 0002-0002-0002      GE1/0/1                    1

 000d-88f8-0577      GE1/0/1                    1

 

 ---  2 mac address(es) found  ---

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

 MAC ADDR             Port                  VLAN ID

 

 --- On slot 0, no MAC address found ---

 MAC ADDR              Port                        VLAN ID

 000f-3d80-0d2d       GE1/0/1                    30

 

 --- On slot 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# (Distributed devices in IRF mode.) Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

 MAC ADDR             Port                  VLAN ID

 

 --- On slot 0 in chassis 1, no MAC address found ---

 MAC ADDR              Port                        VLAN ID

 000f-3d80-0d2d       GE1/0/1                    30

 

 --- On slot 1 in chassis 1, 1 MAC address(es) found ---

 

 ---  1 mac address(es) found  ---

# (Centralized devices in standalone mode.) Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 

--- 2 mac address(es) found ---

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 

--- On slot 0, no MAC address found ---

 

--- On slot 1, 1 MAC address(es) found ---

 

--- 1 mac address(es) found ---

# (Distributed devices in IRF mode.) Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 

 --- On slot 0 in chassis 1, no MAC address found ---

 

 --- On slot 1 in chassis 1, 1 MAC address(es) found ---

 

 ---  1 mac address(es) found  ---

# (Centralized devices in standalone mode.) Display information about all blocked MAC addresses in VLAN 1.

<Sysname> display port-security mac-address block vlan 1

 MAC ADDR             Port                        VLAN ID

 0002-0002-0002      GE1/0/1                    1

 000d-88f8-0577      GE1/0/1                    1

 

 ---  2 mac address(es) found  ---

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all blocked MAC addresses in VLAN 30.

<Sysname> display port-security mac-address block vlan 30

 MAC ADDR             Port                  VLAN ID

 

 --- On slot 0, no MAC address found ---

 MAC ADDR              Port                        VLAN ID

 000f-3d80-0d2d       GE1/0/1                    30

 

 --- On slot 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# (Distributed devices in IRF mode.) Display information about all blocked MAC addresses in VLAN 30.

<Sysname> display port-security mac-address block vlan 30

 MAC ADDR             Port                  VLAN ID

 

 --- On slot 0 in chassis 1, no MAC address found ---

 MAC ADDR              Port                        VLAN ID

 000f-3d80-0d2d       GE1/0/1                    30

 

 --- On slot 1 in chassis 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# (Centralized devices in standalone mode.) Display information about all blocked MAC addresses of GigabitEthernet 1/0/1.

<Sysname> display port-security mac-address block interface gigabitethernet 1/0/1

 MAC ADDR             Port                        VLAN ID

 000d-88f8-0577      GE1/0/1                    1

 

 ---  1 mac address(es) found  ---

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all blocked MAC addresses of GigabitEthernet 1/0/1.

<Sysname> display port-security mac-address block interface gigabitethernet 1/0/1

 MAC ADDR             Port                       VLAN ID

 000f-3d80-0d2d      GE1/0/1                   30

 

 --- On slot 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# (Distributed devices in IRF mode.) Display information about all blocked MAC addresses of GigabitEthernet 1/0/1.

<Sysname> display port-security mac-address block interface gigabitethernet 1/0/1

 MAC ADDR             Port                       VLAN ID

 000f-3d80-0d2d      GE1/0/1                   30

 

 --- On slot 1 in chassis 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# (Centralized devices in standalone mode.) Display information about all blocked MAC addresses of GigabitEthernet 1/0/1 in VLAN 1.

<Sysname> display port-security mac-address block interface gigabitethernet 1/0/1 vlan 1

 MAC ADDR             Port                        VLAN ID

 000d-88f8-0577      GE1/0/1                    1

 

 ---  1 mac address(es) found  ---

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all blocked MAC addresses of GigabitEthernet 1/0/1 in VLAN 30.

<Sysname> display port-security mac-address block interface gigabitethernet 1/0/1 vlan 30

 MAC ADDR             Port                       VLAN ID

 

 000f-3d80-0d2d      GE1/0/1                   30

 --- On slot 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# (Distributed devices in IRF mode.) Display information about all blocked MAC addresses of GigabitEthernet 1/0/1 in VLAN 30.

<Sysname> display port-security mac-address block interface gigabitethernet 1/0/1 vlan 30

 MAC ADDR             Port                       VLAN ID

 

 000f-3d80-0d2d      GE1/0/1                   30

 --- On slot 1 in chassis 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

Table 19 Command output

Field

Description

slot n

Member device with member ID n. (Centralized devices in IRF mode.)

Card in slot n. (Distributed devices in standalone mode.)

slot n in chassis x

Card in slot n on IRF member device x. (Distributed devices in IRF mode.)

MAC ADDR

Blocked MAC address.

Port

Port that received frames whose source address is the blocked MAC address.

VLAN ID

ID of the VLAN to which the port belongs.

number mac address(es) found

Number of blocked MAC addresses.
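Entries in this list are the trace of intrusion-protection hits (see port-security intrusion-mode), so the output above is worth collecting for monitoring. The following Python is an added example, not H3C's tooling: it parses the three layouts shown above (flat list, per-slot sections, per-slot-in-chassis sections) into records and checks every per-slot trailer and the final total against the rows actually listed, so a truncated capture is reported rather than silently under-counting blocked addresses. The sample outputs it embeds are constructed to match the formats on this page.

```python
"""Parse `display port-security mac-address block` output into records.

Added example, not H3C's code. Handles the flat layout (centralized devices in
standalone mode), per-slot sections, and per-slot-in-chassis sections (IRF).
"""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

_ROW = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)\s*$", re.I)
_SLOT = re.compile(
    r"^\s*---\s*On slot (\d+)(?: in chassis (\d+))?,\s*"
    r"(?:no MAC address|(\d+) MAC address\(es\)) found\s*---\s*$")
_TOTAL = re.compile(r"^\s*---\s*(\d+) mac address\(es\) found\s*---\s*$", re.I)


@dataclass(frozen=True)
class BlockedMac:
    mac: str                        # H-H-H notation, lowercase
    port: str                       # e.g. GE1/0/1
    vlan: int
    slot: Optional[int] = None      # None on centralized standalone devices
    chassis: Optional[int] = None   # None unless distributed device in IRF mode


def parse_blocked(text: str) -> List[BlockedMac]:
    """Return the blocked MAC entries; raise ValueError on any count mismatch."""
    pending: List[BlockedMac] = []   # rows listed since the last slot trailer
    records: List[BlockedMac] = []
    total: Optional[int] = None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            pending.append(BlockedMac(m.group(1).lower(), m.group(2), int(m.group(3))))
            continue
        m = _SLOT.match(line)        # per-slot trailer follows that slot's rows
        if m:
            slot = int(m.group(1))
            chassis = int(m.group(2)) if m.group(2) else None
            count = int(m.group(3)) if m.group(3) else 0
            if count != len(pending):
                raise ValueError(f"slot {slot}: trailer says {count}, listed {len(pending)}")
            records.extend(replace(r, slot=slot, chassis=chassis) for r in pending)
            pending = []
            continue
        m = _TOTAL.match(line)       # final summary line of every layout
        if m:
            total = int(m.group(1))
            records.extend(pending)  # flat layout: rows belong to no slot
            pending = []
    if total is None:
        raise ValueError("no '--- N mac address(es) found ---' summary line")
    if total != len(records):
        raise ValueError(f"summary says {total}, parsed {len(records)}")
    return records


# Constructed sample in the distributed-IRF layout shown in the reference.
IRF_SAMPLE = """\
 MAC ADDR             Port                  VLAN ID

 --- On slot 0 in chassis 1, no MAC address found ---
 MAC ADDR              Port                        VLAN ID
 000f-3d80-0d2d       GE1/0/1                    30

 --- On slot 1 in chassis 1, 1 MAC address(es) found ---

 ---  1 mac address(es) found  ---
"""

# Constructed sample in the flat layout of a centralized standalone device.
FLAT_SAMPLE = """\
 MAC ADDR             Port                        VLAN ID
 0002-0002-0002      GE1/0/1                    1
 000d-88f8-0577      GE1/0/1                    1

 ---  2 mac address(es) found  ---
"""

if __name__ == "__main__":
    for entry in parse_blocked(IRF_SAMPLE) + parse_blocked(FLAT_SAMPLE):
        print(entry)
```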

 

Related commands

port-security intrusion-mode

display port-security mac-address security

Use display port-security mac-address security to display information about secure MAC addresses.

Syntax

display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the secure MAC addresses.

Usage guidelines

Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command.

If you do not specify any parameters, this command displays information about all secure MAC addresses.

Examples

# Display information about all secure MAC addresses.

<Sysname> display port-security mac-address security

 MAC ADDR         VLAN ID  STATE          PORT INDEX                      AGING TIME

 0002-0002-0002  1         Security       GE1/0/1                         NOAGED

 000d-88f8-0577  1         Security       GE1/0/1                         28

 

 ---  2 mac address(es) found  ---

# Display only the count of the secure MAC addresses.

<Sysname> display port-security mac-address security count

 

 ---  2 mac address(es) found

# Display information about secure MAC addresses in VLAN 1.

<Sysname> display port-security mac-address security vlan 1

 MAC ADDR         VLAN ID  STATE          PORT INDEX                      AGING TIME

 0002-0002-0002  1         Security       GE1/0/1                         NOAGED

 000d-88f8-0577  1         Security       GE1/0/1                         28

 

 ---  2 mac address(es) found  ---

# Display information about secure MAC addresses on GigabitEthernet 1/0/1.

<Sysname> display port-security mac-address security interface gigabitethernet 1/0/1

 MAC ADDR         VLAN ID  STATE          PORT INDEX                      AGING TIME

 000d-88f8-0577  1         Security       GE1/0/1                         NOAGED

 

  ---  1 mac address(es) found  ---

# Display information about secure MAC addresses of GigabitEthernet 1/0/1 in VLAN 1.

<Sysname> display port-security mac-address security interface gigabitethernet 1/0/1 vlan 1

 MAC ADDR         VLAN ID  STATE          PORT INDEX                      AGING TIME

 000d-88f8-0577  1         Security       GE1/0/1                         NOAGED

 

 ---  1 mac address(es) found  ---

Table 20 Command output

Field

Description

MAC ADDR

Secure MAC address.

VLAN ID

ID of the VLAN to which the port belongs.

STATE

Type of the MAC address added. This field displays Security for a secure MAC address.

PORT INDEX

Port to which the secure MAC address belongs.

AGING TIME

Period of time before the secure MAC address ages out.

·     If the secure MAC address is a static MAC address, this field displays NOAGED.

·     If the secure MAC address is a sticky MAC address, this field displays the remaining lifetime in minutes. By default, sticky MAC addresses do not age out, and this field displays NOAGED.

number mac address(es) found

Number of secure MAC addresses stored.

 

Related commands

port-security mac-address security

port-security authorization ignore

Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device).

Use undo port-security authorization ignore to restore the default.

Syntax

port-security authorization ignore

undo port-security authorization ignore

Default

A port uses the authorization information from the server.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the port to use such authorization attributes for users, use this command to ignore the authorization information from the server.

Examples

# Configure GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security authorization ignore

Related commands

display port-security

port-security authorization-fail offline

Use port-security authorization-fail offline to enable the authorization-fail-offline feature.

Use undo port-security authorization-fail offline to disable the authorization-fail-offline feature.

Syntax

port-security authorization-fail offline

undo port-security authorization-fail offline

Default

The authorization-fail-offline feature is disabled. The device does not log off users that have failed ACL authorization.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The authorization-fail-offline feature logs off port security users that have failed ACL authorization.

A user fails ACL authorization in the following situations:

·     The device fails to authorize the specified ACL to the user.

·     The server assigns a nonexistent ACL to the user.

If this feature is disabled, the device does not log off users that have failed ACL authorization. However, the device outputs messages to report the failure.

Examples

# Enable the authorization-fail-offline feature.

<Sysname> system-view

[Sysname] port-security authorization-fail offline

Related commands

display port-security

port-security enable

Use port-security enable to enable port security.

Use undo port-security enable to disable port security.

Syntax

port-security enable

undo port-security enable

Default

Port security is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You must disable global 802.1X and MAC authentication before you enable port security on a port.

Enabling or disabling port security resets the following security settings to the default:

·     802.1X access control mode is MAC-based.

·     Port authorization state is auto.

When online users are present on a port, disabling port security logs off the online users.

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

Related commands

display port-security

dot1x

dot1x port-control

dot1x port-method

mac-authentication

port-security intrusion-mode

Use port-security intrusion-mode to configure the intrusion protection feature so the port takes the predefined actions when intrusion protection detects illegal frames on the port.

Use undo port-security intrusion-mode to restore the default.

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

Default

Intrusion protection is disabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for 3 minutes, which is not user configurable. To display the blocked MAC address list, use the display port-security mac-address block command.

disableport: Disables the port permanently upon detecting an illegal frame received on the port.

disableport-temporarily: Disables the port for a period of time whenever it receives an illegal frame. You can use the port-security timer disableport command to set the period.

Usage guidelines

IMPORTANT:

·     The SIC-4FSW, DSIC-9FSW, and SIC-4GSWF modules support only the userLogin mode, and intrusion protection does not take effect on these modules.

·     Blackhole MAC address configuration does not take effect on SIC-4GSW modules that are configured with intrusion protection.

 

To restore the connection of the port disabled by the intrusion protection feature, use the undo shutdown command.

Examples

# Configure GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection detects the illegal frames.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

Related commands

display port-security

display port-security mac-address block

port-security timer disableport

port-security mac-address aging-type inactivity

Use port-security mac-address aging-type inactivity to enable inactivity aging for secure MAC addresses.

Use undo port-security mac-address aging-type inactivity to disable inactivity aging for secure MAC addresses.

Syntax

port-security mac-address aging-type inactivity

undo port-security mac-address aging-type inactivity

Default

The inactivity aging feature is disabled for secure MAC addresses.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the sticky MAC addresses. The inactivity aging feature prevents the unauthorized use of a secure MAC address when the authorized user is offline. The feature also removes outdated secure MAC addresses so that new secure MAC addresses can be learned or configured.

This command takes effect only on sticky MAC addresses and dynamic secure MAC addresses.

Examples

# Enable inactivity aging for secure MAC addresses on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security mac-address aging-type inactivity

Related commands

display port-security

port-security mac-address dynamic

Use port-security mac-address dynamic to enable the dynamic secure MAC feature.

Use undo port-security mac-address dynamic to disable the dynamic secure MAC feature.

Syntax

port-security mac-address dynamic

undo port-security mac-address dynamic

Default

The dynamic secure MAC feature is disabled. Sticky MAC addresses can be saved to the configuration file. Once saved, they survive a device reboot.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The dynamic secure MAC feature converts sticky MAC addresses to dynamic and disables saving them to the configuration file.

After you execute this command, you cannot manually configure sticky MAC addresses, and secure MAC addresses learned by a port in autoLearn mode are dynamic. All dynamic MAC addresses are lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot.

You can display dynamic secure MAC addresses by using the display port-security mac-address security command.

The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses. You can manually configure sticky MAC addresses.

Examples

# Enable the dynamic secure MAC feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security mac-address dynamic

Related commands

display port-security

display port-security mac-address security

port-security mac-address security

Use port-security mac-address security to add a secure MAC address.

Use undo port-security mac-address security to remove a secure MAC address.

Syntax

In Layer 2 Ethernet interface view:

port-security mac-address security [ sticky ] mac-address vlan vlan-id

undo port-security mac-address security [ sticky ] mac-address vlan vlan-id

In system view:

port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id

undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]

Default

No manually configured secure MAC address entries exist.

Views

System view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

sticky mac-address: Specifies a sticky MAC address, in H-H-H format. If you do not specify this keyword, the command configures a static secure MAC address.

interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number.

vlan vlan-id: Specifies the VLAN that has the secure MAC address. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN.

You can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure. To successfully add secure MAC addresses on a port, first complete the following tasks:

·     Enable port security on the port.

·     Set the port security mode to autoLearn.

·     Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.

Sticky MAC addresses can be manually configured or automatically learned in autoLearn mode. Sticky MAC addresses do not age out by default. You can use the port-security timer autolearn aging command to set an aging timer for the sticky MAC addresses. When the timer expires, the sticky MAC addresses are removed.

Static secure MAC addresses never age out unless you perform the following operations:

·     Remove these MAC addresses by using the undo port-security mac-address security command.

·     Change the port security mode.

·     Disable the port security feature.

You cannot change the type of a secure address entry that has been added or add two entries that are identical except for their entry type. For example, you cannot add the port-security mac-address security sticky 1-1-1 vlan 10 entry when a port-security mac-address security 1-1-1 vlan 10 entry exists. To add the new entry, you must delete the old entry.
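The entry rules above, together with the aging, dynamic-conversion and autoLearn-to-secure behaviour described under the other port-security commands, as an added Python model (not H3C code; the SecurePort class, its method names and the minute-based timer are assumptions made for illustration):

```python
# Model of the secure MAC rules for port-security mac-address security,
# port-security mac-address dynamic, port-security mac-address aging-type
# inactivity, port-security timer autolearn aging and the autoLearn -> secure
# transition. Constructed for illustration; not device code.
from dataclasses import dataclass

STICKY, STATIC, DYNAMIC = "sticky", "static", "dynamic"


@dataclass
class SecureEntry:
    mac: str
    vlan: int
    kind: str         # sticky, static or dynamic
    timer_start: int  # minute at which the aging timer (re)started


class SecurePort:
    def __init__(self, max_count, aging_min=0, inactivity=False, dynamic_feature=False):
        self.max_count = max_count              # port-security max-mac-count
        self.mode = "autolearn"                 # port-security port-mode autolearn
        self.aging_min = aging_min              # timer autolearn aging (0 = no aging)
        self.inactivity = inactivity            # aging-type inactivity
        self.dynamic_feature = dynamic_feature  # port-security mac-address dynamic
        self.entries = {}                       # (mac, vlan) -> SecureEntry

    def _add(self, mac, vlan, kind, now):
        key = (mac.lower(), vlan)
        existing = self.entries.get(key)
        if existing is not None:
            # An entry identical except for its type is rejected; delete the old one first.
            return existing.kind == kind
        if len(self.entries) >= self.max_count:
            return False
        if kind == STICKY and self.dynamic_feature:
            kind = DYNAMIC        # dynamic secure MAC feature: learned addresses are dynamic
        self.entries[key] = SecureEntry(key[0], vlan, kind, now)
        if len(self.entries) >= self.max_count:
            self.mode = "secure"  # limit reached: the port changes to secure mode
        return True

    def configure(self, mac, vlan, sticky=False, now=0):
        """port-security mac-address security [ sticky ] mac-address vlan vlan-id."""
        if self.mode != "autolearn":
            return False          # manual secure MACs require autoLearn mode
        if sticky and self.dynamic_feature:
            return False          # sticky entries cannot be configured once the feature is on
        return self._add(mac, vlan, STICKY if sticky else STATIC, now)

    def learn(self, mac, vlan, now=0):
        """A frame from mac in vlan arrives at minute `now`; True if it may pass."""
        key = (mac.lower(), vlan)
        entry = self.entries.get(key)
        if entry is not None:
            if self.inactivity:
                entry.timer_start = now  # traffic detected: the aging timer restarts
            return True
        if self.mode != "autolearn":
            return False          # secure mode: no learning, unknown source is dropped
        return self._add(mac, vlan, STICKY, now)

    def age(self, now):
        """Run the aging timer; static entries never age out. Returns removed keys."""
        if self.aging_min == 0:
            return []
        expired = [k for k, e in self.entries.items()
                   if e.kind != STATIC and now - e.timer_start >= self.aging_min]
        for k in expired:
            del self.entries[k]   # the model does not move the port back to autoLearn
        return expired

    def reboot(self):
        """Sticky and static entries are saved and survive; dynamic ones are lost."""
        self.entries = {k: e for k, e in self.entries.items() if e.kind != DYNAMIC}
        return len(self.entries)

    def kinds(self):
        return {k: e.kind for k, e in self.entries.items()}
```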

Examples

# Enable port security, set GigabitEthernet 1/0/1 to operate in autoLearn mode, and configure the port to support a maximum number of 100 secure MAC addresses.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn

# Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address.

[Sysname-GigabitEthernet1/0/1] port-security mac-address security sticky 0001-0002-0003 vlan 4

[Sysname-GigabitEthernet1/0/1] quit

# In system view, specify MAC address 0001-0001-0002 in VLAN 10 as a secure MAC address for GigabitEthernet 1/0/1.

[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 1/0/1 vlan 10

Related commands

display port-security

port-security timer autolearn aging

port-security mac-move permit

Use port-security mac-move permit to enable MAC move on the device.

Use undo port-security mac-move permit to disable MAC move on the device.

Syntax

port-security mac-move permit

undo port-security mac-move permit

Default

MAC move is disabled on the device.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect on both 802.1X and MAC authentication users.

MAC move allows 802.1X or MAC authenticated users to move between ports on a device. For example, if an 802.1X-authenticated user moves to another 802.1X-enabled port on the device, the authentication session is deleted from the first port. The user is reauthenticated on the new port.

If MAC move is disabled, 802.1X or MAC users authenticated on one port cannot pass authentication after they move to another port.

Examples

# Enable MAC move.

<Sysname> system-view

[Sysname] port-security mac-move permit

Related commands

display port-security

port-security max-mac-count

Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port.

Use undo port-security max-mac-count to restore the default.

Syntax

port-security max-mac-count max-count

undo port-security max-mac-count

Default

Port security does not limit the number of secure MAC addresses on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port. The value range is 1 to 2147483647. Make sure this value is not less than the number of MAC addresses currently saved on the port.

Usage guidelines

For autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port.

In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals the smaller of the following values:

·     The value set by using this command.

·     The maximum number of concurrent users allowed by the authentication mode in use.

For example, in userLoginSecureExt mode, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses, port security's limit takes effect.

You cannot change port security's limit on the number of MAC addresses when the port is operating in autoLearn mode.

Examples

# Set the maximum number of secure MAC address port security allows on GigabitEthernet 1/0/1 to 100.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

Related commands

display port-security

port-security nas-id-profile

Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security.

Use undo port-security nas-id-profile to restore the default.

Syntax

port-security nas-id-profile profile-name

undo port-security nas-id-profile

Default

No NAS-ID profile is applied to port security globally or on any port.

Views

System view

Interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a NAS-ID profile by its name. The argument is a case-insensitive string of 1 to 31 characters.

Usage guidelines

A NAS-ID profile defines NAS-ID and VLAN bindings. You can create a NAS-ID profile by using the aaa nas-id profile command.

The device selects a NAS-ID profile for a port in the following order:

1.     The port-specific NAS-ID profile.

2.     The NAS-ID profile applied globally.

If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID.

Examples

# Apply the NAS-ID profile aaa to GigabitEthernet 1/0/1 for port security.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security nas-id-profile aaa

# Globally apply the NAS-ID profile aaa to port security.

<Sysname> system-view

[Sysname] port-security nas-id-profile aaa

Related commands

aaa nas-id profile

port-security ntk-mode

Use port-security ntk-mode to configure the NTK feature.

Use undo port-security ntk-mode to restore the default.

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }

undo port-security ntk-mode

Default

The NTK feature is not configured on a port and all frames are allowed to be sent.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.

ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.

ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.

Usage guidelines

The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices passing authentication, preventing illegal devices from intercepting network traffic.

Examples

# Set the NTK mode of GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward received packets only to devices passing authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

Related commands

display port-security

port-security oui

Use port-security oui to configure an OUI value for user authentication.

Use undo port-security oui to delete the OUI value with the specified OUI index.

Syntax

port-security oui index index-value mac-address oui-value

undo port-security oui index index-value

Default

No OUI values are configured.

Views

System view

Predefined user roles

network-admin

Parameters

index-value: Specifies the OUI index, in the range of 1 to 16.

oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

Usage guidelines

You can configure multiple OUI values.

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from specific wired devices to pass authentication or to allow packets from certain wireless devices to initiate authentication. For example, when a company allows only IP phones of vendor A on the intranet, use this command to specify the OUI of vendor A.

The OUI values configured by this command apply only to the ports operating in userLoginWithOUI mode. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose MAC address matches one of the configured OUI values.
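The H-H-H parsing, the 24-bit OUI extraction and the userLoginWithOUI admission rule described above, as an added Python model (not H3C code; the class and function names, and the handling of a second OUI device, are assumptions made for illustration):

```python
# Model of the OUI table (port-security oui) and of userLoginWithOUI admission.
# Constructed for illustration; not device code.
import re

_HHH = re.compile(r"^([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})-([0-9a-fA-F]{1,4})$")


def mac_to_int(mac):
    """Parse a MAC in Comware H-H-H format (1-1-1 or 000d-2a10-0033) to a 48-bit int."""
    m = _HHH.match(mac.strip())
    if m is None:
        raise ValueError("expected H-H-H format, got %r" % mac)
    return int("".join(g.zfill(4) for g in m.groups()), 16)


def oui_of(mac):
    """The 24 high-order bits: all the device keeps from the configured oui-value."""
    return mac_to_int(mac) >> 24


class OuiTable:
    """port-security oui index index-value mac-address oui-value (index 1 to 16)."""
    def __init__(self):
        self.by_index = {}

    def add(self, index, mac):
        if not 1 <= index <= 16:
            raise ValueError("OUI index must be in the range 1 to 16")
        self.by_index[index] = oui_of(mac)

    def remove(self, index):
        """undo port-security oui index index-value."""
        self.by_index.pop(index, None)

    def matches(self, mac):
        return oui_of(mac) in self.by_index.values()


class UserLoginWithOuiPort:
    """One 802.1X user plus one user whose MAC matches a configured OUI."""
    def __init__(self, oui_table):
        self.ouis = oui_table
        self.oui_user = None
        self.dot1x_user = None

    def admit(self, mac, dot1x_passed=False):
        """OUI check first; if it fails, fall back to the 802.1X result."""
        addr = mac_to_int(mac)
        if addr in (self.oui_user, self.dot1x_user):
            return True                      # already online on this port
        if self.ouis.matches(mac) and self.oui_user is None:
            self.oui_user = addr
            return True
        # Assumption: a second OUI device is treated like a failed OUI check and
        # can still come online only as the port's single 802.1X user.
        if dot1x_passed and self.dot1x_user is None:
            self.dot1x_user = addr
            return True
        return False
```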

Examples

# Configure an OUI value of 000d2a, and set the index to 4.

<Sysname> system-view

[Sysname] port-security oui index 4 mac-address 000d-2a10-0033

Related commands

display port-security

port-security port-mode

Use port-security port-mode to set the port security mode of a port.

Use undo port-security port-mode to restore the default.

Syntax

port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

Default

A port operates in noRestrictions mode, where port security does not take effect.

Views

Interface view

Predefined user roles

network-admin

Parameters

Keyword (security mode): Description

autolearn (autoLearn):

A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, the MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.

A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:

·     Secure MAC addresses.

·     MAC addresses configured by using the mac-address dynamic and mac-address static commands.

When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode.

mac-authentication (macAddressWithRadius):

In this mode, a port performs MAC authentication for users and services multiple users.

mac-else-userlogin-secure (macAddressElseUserLoginSecure):

This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.

·     Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.

·     Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext (macAddressElseUserLoginSecureExt):

Same as the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.

secure (secure):

In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.

The port permits only frames sourced from the following MAC addresses to pass:

·     Secure MAC addresses.

·     MAC addresses configured by using the mac-address static and mac-address dynamic commands.

userlogin (userLogin):

In this mode, a port performs 802.1X authentication and implements port-based access control.

If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userlogin-secure (userLoginSecure):

In this mode, a port performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.

userlogin-secure-ext (userLoginSecureExt):

Same as the userLoginSecure mode, except that this mode supports multiple online 802.1X users.

userlogin-secure-or-mac (macAddressOrUserLoginSecure):

This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.

In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.

userlogin-secure-or-mac-ext (macAddressOrUserLoginSecureExt):

Same as the macAddressOrUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

userlogin-withoui (userLoginWithOUI):

Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI.

In this mode, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass the OUI check or 802.1X authentication.

Usage guidelines

To change the security mode for a port security enabled port, you must set the port in noRestrictions mode first. Do not change port security mode when the port has online users.

IMPORTANT:

If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC addresses by using the port-security max-mac-count command. You cannot change the setting when the port is operating in autoLearn mode.

When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in the different security modes.

As a best practice, do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on the port where MAC authentication delay is enabled. The two modes are mutually exclusive with the MAC authentication delay feature. For more information about MAC authentication delay, see "MAC authentication commands."

Examples

# Enable port security, and set GigabitEthernet 1/0/1 to operate in secure mode.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security port-mode secure

# Change the port security mode of GigabitEthernet 1/0/1 to userLogin.

[Sysname-GigabitEthernet1/0/1] undo port-security port-mode

[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin

Related commands

display port-security

port-security max-mac-count

port-security timer autolearn aging

Use port-security timer autolearn aging to set the secure MAC aging timer.

Use undo port-security timer autolearn aging to restore the default.

Syntax

port-security timer autolearn aging time-value

undo port-security timer autolearn aging

Default

Secure MAC addresses do not age out.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the aging timer in minutes for secure MAC addresses. The value is in the range of 0 to 129600. To disable the aging timer, set the timer to 0.

Usage guidelines

The timer applies to all sticky secure MAC addresses and those automatically learned by a port.

A short aging time improves port access security and port resource utilization but affects online user stability. Set an appropriate secure MAC address aging timer according to your device performance and the network environment.

Examples

# Set the secure MAC aging timer to 30 minutes.

<Sysname> system-view

[Sysname] port-security timer autolearn aging 30

Related commands

display port-security

port-security mac-address security

port-security timer disableport

Use port-security timer disableport to set the silence period during which the port remains disabled.

Use undo port-security timer disableport to restore the default.

Syntax

port-security timer disableport time-value

undo port-security timer disableport

Default

The port silence period is 20 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.

Usage guidelines

If you configure the intrusion protection action as disabling the port temporarily, use this command to set the silence period.

Examples

# Configure the intrusion protection action on GigabitEthernet 1/0/1 as disabling the port temporarily, and set the port silence period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily

Related commands

display port-security

port-security intrusion-mode

snmp-agent trap enable port-security

Use snmp-agent trap enable port-security to enable SNMP notifications for port security.

Use undo snmp-agent trap enable port-security to disable SNMP notifications for port security.

Syntax

snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *

undo snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *

Default

All port security SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

network-operator

Parameters

address-learned: Specifies notifications about MAC address learning.

dot1x-failure: Specifies notifications about 802.1X authentication failures.

dot1x-logoff: Specifies notifications about 802.1X user logoffs.

dot1x-logon: Specifies notifications about 802.1X authentication successes.

intrusion: Specifies notifications about illegal frame detection.

mac-auth-failure: Specifies notifications about MAC authentication failures.

mac-auth-logoff: Specifies notifications about MAC authentication user logoffs.

mac-auth-logon: Specifies notifications about MAC authentication successes.

Usage guidelines

To report critical port security events to an NMS, enable SNMP notifications for port security. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.

If you do not specify a notification, this command enables all SNMP notifications for port security.

Examples

# Enable SNMP notifications about MAC address learning.

<Sysname> system-view

[Sysname] snmp-agent trap enable port-security address-learned

Related commands

display port-security

port-security enable


Portal commands

WLAN is not supported on the following routers:

·     MSR810-LMS/810-LUS.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR5620/5560/5680.

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

The terms "AP" and "AC" in this document refer to MSR routers that support WLAN.

aaa-fail nobinding enable

Use aaa-fail nobinding enable to enable AAA failure unbinding.

Use undo aaa-fail nobinding enable to restore the default.

Syntax

aaa-fail nobinding enable

undo aaa-fail nobinding enable

Default

AAA failure unbinding is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

If a portal user fails AAA in MAC-trigger authentication, the user cannot trigger authentication before the MAC-trigger entry of the user ages out. After the MAC-trigger entry ages out, the user triggers MAC-trigger authentication when it accesses the network.

After this feature is enabled, the device sets the MAC-trigger entry state for a user to unbound immediately after the user fails AAA in MAC-trigger authentication. Before the user's MAC-trigger entry ages out, the user can trigger normal portal authentication.

Examples

# Enable AAA failure unbinding for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aaa-fail nobinding enable

Related commands

display portal mac-trigger-server

aging-time

Use aging-time to set the aging time for MAC-trigger entries.

Use undo aging-time to restore the default.

Syntax

aging-time seconds

undo aging-time

Default

The aging time for MAC-trigger entries is 300 seconds.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

seconds: Specifies the aging time for MAC-trigger entries. The value range is 60 to 7200 seconds.

Usage guidelines

With MAC-based quick portal authentication enabled, the device generates a MAC-trigger entry for a user when the device detects traffic from the user for the first time. The MAC-trigger entry records the following information:

·     MAC address of the user

·     Interface index

·     VLAN ID

·     Traffic statistics

·     Aging timer

When the aging time expires, the device deletes the MAC-trigger entry. The device re-creates a MAC-trigger entry for the user when it detects the user's traffic again.

Examples

# Specify the aging time as 300 seconds for MAC-trigger entries.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] aging-time 300

Related commands

display portal mac-trigger-server

app-id (Facebook authentication server view)

Use app-id to specify the app ID for Facebook authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

An app ID for Facebook authentication exists.

Views

Facebook authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for Facebook authentication.

Usage guidelines

If a portal user uses Facebook authentication, the Facebook server authenticates and authorizes the user and sends an authorization code to the device after the authentication and authorization succeed. Then, the device sends the authorization code, app ID, and app key to the Facebook server to determine whether the user has passed authentication and authorization.

Examples

# Specify 123456789 as the app ID for Facebook authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] app-id 123456789

Related commands

display portal extend-auth-server

app-id (QQ authentication server view)

Use app-id to specify the app ID for QQ authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

An app ID for QQ authentication exists.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for QQ authentication.

Usage guidelines

To use QQ authentication for portal users, you must go to the Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:

1.     Register as a developer by using a valid QQ account.

2.     Apply for platform access for your website. The website is the webpage to which users are redirected after passing QQ authentication.

You will obtain the app ID and app key from the Tencent Open Platform after your application succeeds.

After a portal user passes QQ authentication, the QQ authentication server sends the authorization code of the user to the portal Web server. After the portal Web server receives the authorization code, it sends the authorization code of the user, the app ID, and the app key to the QQ authentication server for verification. If the information is verified as correct, the device determines that the user passes QQ authentication.

Examples

# Specify 101235509 as the app ID for QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] app-id 101235509

Related commands

display portal extend-auth-server

app-id (WeChat authentication server view)

Use app-id to specify the app ID for WeChat authentication.

Use undo app-id to restore the default.

Syntax

app-id app-id

undo app-id

Default

No app ID is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

app-id: Specifies the app ID for WeChat authentication.

Usage guidelines

This configuration is required for the device to provide local WeChat authentication for portal users. The app ID specified in this command must be the same as the app ID obtained from the WeChat Official Account Admin Platform.

To obtain the app ID for WeChat authentication, you must perform the following tasks:

1.     Go to the WeChat Official Account Admin Platform (https://mp.weixin.qq.com) to apply for a WeChat official account.

2.     Use the account to log in to the platform and enable the WeChat WiFi hotspot feature.

3.     Click the device management tab and add the device: select the shop where the device is deployed, select the portal device type, and enter the SSID of your WiFi network.

After the previous configurations, you will obtain the credentials (app ID, app key, and shop ID) for WeChat authentication.

When a WeChat user attempts to connect to the WiFi network provided in the specified shop, the device sends the credentials to the WeChat Official Account Platform for verification. After the credentials are verified, the device continues the portal authentication and allows the user to use the WiFi network after the authentication.

Examples

# Specify wx23fb4aaf04b8491e as the app ID for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-id wx23fb4aaf04b8491e

Related commands

display portal extend-auth-server

app-key (Facebook authentication server view)

Use app-key to specify the app key for Facebook authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

An app key for Facebook authentication exists.

Views

Facebook authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

If a portal user uses Facebook authentication, the Facebook server authenticates and authorizes the user and sends an authorization code to the device after the authentication and authorization succeed. Then, the device sends the authorization code, app ID, and app key to the Facebook server to determine whether the user has passed authentication and authorization.

Examples

# Specify 123 in plaintext form as the app key for Facebook authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] app-key simple 123

Related commands

display portal extend-auth-server

app-key (QQ authentication server view)

Use app-key to specify the app key for QQ authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

An app key for QQ authentication exists.

Views

QQ authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

To use QQ authentication for portal users, you must go to the Tencent Open Platform (http://connect.qq.com/intro/login) to finish the following tasks:

1.     Register as a developer by using a valid QQ account.

2.     Apply for platform access for your website. The website is the webpage to which users are redirected after passing QQ authentication.

You will obtain the app ID and app key from the Tencent Open Platform after your application succeeds.

After a portal user passes QQ authentication, the QQ authentication server sends the authorization code of the user to the portal Web server. After the portal Web server receives the authorization code, it sends the authorization code of the user, the app ID, and the app key to the QQ authentication server for verification. If the information is verified as correct, the device determines that the user passes QQ authentication.

Examples

# Specify 8a5428e6afdc3e2a2843087fe73f1507 in plaintext form as the app key for QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] app-key simple 8a5428e6afdc3e2a2843087fe73f1507

Related commands

display portal extend-auth-server

app-key (WeChat authentication server view)

Use app-key to specify the app key for WeChat authentication.

Use undo app-key to restore the default.

Syntax

app-key { cipher | simple } app-key

undo app-key

Default

No app key is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app key in encrypted form.

simple: Specifies the app key in plaintext form.

app-key: Specifies the app key string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

This configuration is required for the device to provide local WeChat authentication for portal users. The app key specified in this command must be the same as the app key obtained from the WeChat Official Account Admin Platform.

To obtain the app key for WeChat authentication, you must perform the following tasks:

1.     Go to the WeChat Official Account Admin Platform (https://mp.weixin.qq.com) to apply for a WeChat official account.

2.     Use the account to log in to the platform and enable the WeChat WiFi hotspot feature.

3.     Click the device management tab and add the device: select the shop where the device is deployed, select the portal device type, and enter the SSID of your WiFi network.

After you complete these tasks, you will obtain the credentials (app ID, app key, and shop ID) for WeChat authentication.

When a WeChat user attempts to connect to the WiFi network provided in the specified shop, the device sends the credentials to the WeChat Official Account Platform for verification. After the credentials are verified, the device continues the portal authentication and allows the user to use the WiFi network after the authentication.

Examples

# Specify nqduqg4816689geruhq3 in plaintext form as the app key for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-key simple nqduqg4816689geruhq3

Related commands

display portal extend-auth-server

app-secret

Use app-secret to specify the app secret for WeChat authentication.

Use undo app-secret to restore the default.

Syntax

app-secret { cipher | simple } string

undo app-secret

Default

No app secret is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

cipher: Specifies the app secret in encrypted form.

simple: Specifies the app secret in plaintext form.

string: Specifies the app secret string. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

When the subscribe-required feature is enabled, you must specify the app secret for WeChat authentication on the device.

To obtain the app secret for WeChat authentication, perform the following tasks:

1.     Use a WeChat official account to log in to the WeChat Official Account Admin Platform.

For more information about the WeChat official account, see WeChat authentication configuration in Security Configuration Guide.

2.     From the navigation tree, select Developer Centers.

In the Configuration Items area, you can see the app secret for the WeChat Official account.

Examples

# Specify nqduqg4816689geruhq3 in plaintext form as the app secret for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] app-secret simple nqduqg4816689geruhq3
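The app-key and app-secret commands above accept the secret either in encrypted form (cipher) or in plaintext form (simple). As an added example, not part of this reference and not H3C's code, the following Python script audits a saved Comware-style configuration text for app-key and app-secret values entered with the simple keyword, reports them with the value redacted, and checks every value against the length limits stated in the Parameters sections (1 to 64 characters plaintext, 1 to 117 characters encrypted). The configuration text is constructed for the example, and the cipher value in it is a placeholder, not a real encrypted string. The script only inspects the text it is given; it makes no claim about how the device itself stores a key entered with simple.

```python
from dataclasses import dataclass
from typing import List

# Constructed Comware-style configuration text for this example (not taken from a device).
# Unindented commands enter a view, their sub-commands are indented by one space, and
# '#' lines separate blocks. The cipher value is a placeholder, not real ciphertext.
SAMPLE_CONFIG = """\
#
portal extend-auth-server qq
 app-key simple 8a5428e6afdc3e2a2843087fe73f1507
 auth-url https://graph.qq.com
#
portal extend-auth-server wechat
 app-key cipher $c$3$CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CIPHERTEXT
 app-secret simple nqduqg4816689geruhq3
#
portal mac-trigger-server mts
 authentication-timeout 10
#
"""

# Commands whose argument is a shared secret for third-party portal authentication.
SECRET_COMMANDS = ("app-key", "app-secret")

# Length limits stated in the command reference: plaintext 1 to 64, encrypted 1 to 117.
LENGTH_LIMITS = {"simple": (1, 64), "cipher": (1, 117)}


@dataclass
class Finding:
    line_no: int
    view: str
    command: str
    form: str        # 'simple' or 'cipher'
    value: str
    length_ok: bool


def check_value_length(form: str, value: str) -> bool:
    """True if the value length is within the documented limit for its form."""
    lo, hi = LENGTH_LIMITS[form]
    return lo <= len(value) <= hi


def redact(value: str) -> str:
    """Keep only a short prefix so the report can be shared without leaking the secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_secrets(config_text: str) -> List[Finding]:
    """Walk the text, tracking the current view, and collect every app-key/app-secret line."""
    findings: List[Finding] = []
    view = "system"
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if line == "" or line == "#":
            view = "system"            # block separator: back to system view
            continue
        if not line.startswith(" "):
            view = line.strip()        # unindented command enters a view
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] in SECRET_COMMANDS and parts[1] in LENGTH_LIMITS:
            findings.append(Finding(line_no, view, parts[0], parts[1], parts[2],
                                    check_value_length(parts[1], parts[2])))
    return findings


def plaintext_findings(config_text: str) -> List[Finding]:
    """Only the secrets entered with the simple keyword, i.e. readable in this text."""
    return [f for f in scan_secrets(config_text) if f.form == "simple"]


def report(config_text: str) -> List[str]:
    """One human-readable line per plaintext secret, value redacted, length problems flagged."""
    return [f"line {f.line_no}: '{f.command} simple' in view '{f.view}' "
            f"({redact(f.value)}{'' if f.length_ok else ', length out of range'})"
            for f in plaintext_findings(config_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run against the constructed text, the report lists the two simple entries (the QQ app-key and the WeChat app-secret) with their views and line numbers, while the cipher entry passes the length check and is not reported. The same view-tracking loop extends to any other view-scoped command whose argument should not appear in plaintext.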

authentication-timeout

Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the MAC binding query response.

Use undo authentication-timeout to restore the default.

Syntax

authentication-timeout minutes

undo authentication-timeout

Default

The authentication timeout time is 3 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the authentication timeout in the range of 1 to 15 minutes.

Usage guidelines

Upon receiving the MAC binding query response of a user from the MAC binding server, the device starts an authentication timeout timer for the user. When the timer expires, the device deletes the MAC-trigger entry of the user.

Examples

# Specify the authentication timeout as 10 minutes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] authentication-timeout 10

Related commands

display portal mac-trigger-server

auth-url

Use auth-url to specify the URL of the QQ or Facebook authentication server.

Use undo auth-url to delete the URL of the QQ or Facebook authentication server.

Syntax

auth-url url-string

undo auth-url

Default

The URL of QQ authentication server is https://graph.qq.com.

The URL of Facebook authentication server is https://graph.facebook.com.

Views

QQ authentication server view

Facebook authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the QQ or Facebook authentication server, a case-sensitive string of 1 to 256 characters. Make sure that you specify the actual URL of the QQ or Facebook authentication server.

Examples

# Specify http://oauth.qq.com as the URL of the QQ authentication server.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] auth-url http://oauth.qq.com

# Specify http://oauth.facebook.com as the URL of the Facebook authentication server.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb] auth-url http://oauth.facebook.com

Related commands

display portal extend-auth-server

binding-retry

Use binding-retry to specify the maximum number of attempts and the interval for sending MAC binding queries to the MAC binding server.

Use undo binding-retry to restore the default.

Syntax

binding-retry { retries | interval interval } *

undo binding-retry

Default

The maximum number of query attempts is 3 and the query interval is 1 second.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of MAC binding query attempts, in the range of 1 to 10.

interval interval: Specifies the query interval in the range of 1 to 60 seconds.

Usage guidelines

If the device does not receive a response from the MAC binding server after the maximum number of query attempts is reached, it determines that the MAC binding server is unreachable and performs normal portal authentication for the user, who must then enter a username and password.

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Set the maximum number of MAC binding query attempts to 3 and the query interval to 60 seconds.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] binding-retry 3 interval 60

Related commands

display portal mac-trigger-server

captive-bypass enable

Use captive-bypass enable to enable the captive-bypass feature.

Use undo captive-bypass enable to disable the captive-bypass feature.

Syntax

captive-bypass [ android | ios [ optimize ] ] enable

undo captive-bypass [ android | ios [ optimize ] ] enable

Default

The captive-bypass feature is disabled. The device automatically pushes the portal authentication page to the iOS devices and some Android devices when they are connected to the network.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

android: Enables the captive-bypass feature for Android users.

ios: Enables the captive-bypass feature for iOS users.

optimize: Enables the optimized captive-bypass feature.

Usage guidelines

With the captive-bypass feature enabled, the device does not automatically push the portal authentication page to iOS devices and some Android devices when they are connected to the network. The device pushes the portal authentication page only when the user accesses the Internet by using a browser.

The optimized captive-bypass feature applies only to iOS mobile devices. The device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can press the home button to return to the desktop, and the Wi-Fi connection is not disabled.

You can repeat this command to enable the captive-bypass feature for both Android and iOS users.

If you do not specify any parameters, this command enables the captive-bypass feature for both Android and iOS users.

Examples

# Enable the captive-bypass feature.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass enable

# Enable the optimized captive-bypass feature for iOS users.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass ios optimize enable

# Enable the captive-bypass feature for Android users.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] captive-bypass android enable

Related commands

display portal web-server

display portal captive-bypass statistics

cloud-binding enable

Use cloud-binding enable to enable cloud MAC-trigger authentication.

Use undo cloud-binding enable to disable cloud MAC-trigger authentication.

Syntax

cloud-binding enable

undo cloud-binding enable

Default

Cloud MAC-trigger authentication is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS    No
MSR2600-6-X1/2600-10-X1                                                                   Yes
MSR 2630                                                                                  Yes
MSR3600-28/3600-51                                                                        Yes
MSR3600-28-SI/3600-51-SI                                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            Yes
MSR 3610/3620/3620-DP/3640/3660                                                           Yes
MSR5620/5660/5680                                                                         Yes

The cloud MAC-trigger authentication feature lets the cloud server act as a unified portal authentication server, portal Web server, and MAC binding server that provides automated authentication to users. Users must perform manual authentication (enter the username and password) only for their first network access. For subsequent network access attempts, they are connected to the network automatically without manual authentication.

Examples

# Enable cloud MAC-trigger authentication for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] cloud-binding enable

Related commands

display portal mac-trigger-server

cloud-server url

Use cloud-server url to specify the URL of the cloud portal authentication server.

Use undo cloud-server url to restore the default.

Syntax

cloud-server url url-string

undo cloud-server url

Default

The URL of the cloud portal authentication server is not specified. The device uses the URL of the portal Web server as the URL of the cloud portal authentication server.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of a cloud portal authentication server. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS    No
MSR2600-6-X1/2600-10-X1                                                                   Yes
MSR 2630                                                                                  Yes
MSR3600-28/3600-51                                                                        Yes
MSR3600-28-SI/3600-51-SI                                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            Yes
MSR 3610/3620/3620-DP/3640/3660                                                           Yes
MSR5620/5660/5680                                                                         Yes

If you do not configure this command, the cloud portal authentication and Web servers are the same server, which is usually the cloud server.

To separate portal authentication and Web servers, specify the cloud portal authentication server URL by using this command, and specify a different URL for the portal Web server. In this way, you can use a different portal Web server to provide customized authentication pages to users.

Examples

# In the view of MAC binding server mts, specify http://lvzhou.h3c.com as the URL of the cloud portal authentication server.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] cloud-server url http://lvzhou.h3c.com

Related commands

display portal mac-trigger-server

default-logon-page

Use default-logon-page to specify the default authentication page file for the local portal Web server.

Use undo default-logon-page to restore the default.

Syntax

default-logon-page file-name

undo default-logon-page

Default

No default authentication page file is specified for the local portal Web server.

Views

Local portal Web server view

Predefined user roles

network-admin

Parameters

file-name: Specifies the default authentication page file by the file name (without the file storage directory). The file name is a case-sensitive string of 1 to 91 characters. Valid characters are letters, digits, dots (.) and underscores (_).

Usage guidelines

You must edit the default authentication pages, compress them into a .zip file, and then upload the file to the root directory of the storage medium on the device.

After you use the default-logon-page command to specify the file, the device decompresses the file to get the authentication pages. The device then sets them as the default authentication pages for local portal authentication.

For successful local portal authentication, you must specify the default portal authentication page file for the local portal Web server.

Examples

# Specify the file pagefile1.zip as the default authentication page file for local portal authentication.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] default-logon-page pagefile1.zip

Related commands

portal local-web-server

display portal

Use display portal to display portal configuration and portal running state.

Syntax

display portal { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio ID varies by device model. If you do not specify a radio, this command displays portal configuration and portal running state for all radios of the AP.

The following matrix shows the ap ap-name [ radio radio-id ] option and hardware compatibility:

Hardware                                                                                  Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK                    Yes
MSR810-LMS/810-LUS                                                                        No
MSR2600-6-X1/2600-10-X1                                                                   Yes
MSR 2630                                                                                  Yes
MSR3600-28/3600-51                                                                        Yes
MSR3600-28-SI/3600-51-SI                                                                  No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            No
MSR 3610/3620/3620-DP/3640/3660                                                           Yes
MSR5620/5660/5680                                                                         No

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display portal configuration and portal running state on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> display portal interface gigabitethernet 1/0/1

 Portal information of GigabitEthernet1/0/1

     NAS-ID profile: aaa

     Authorization : Strict checking

     ACL           : Enabled

     User profile  : Disabled

     Dual stack    : Disabled

     Dual traffic-separate: Disabled

 IPv4:

     Portal status: Enabled

     Portal authentication method: Layer3

     Portal Web server: wbs(active)

     Secondary portal Web server: wbs sec

     Portal mac-trigger-server: mts

     Authentication domain: my-domain

     Pre-auth domain: abc

     Extend-auth domain: abc

     User-dhcp-only: Enabled

     Pre-auth IP pool: ab

     Max portal users: Not configured

     Bas-ip: Not configured

     User detection: Type: ICMP  Interval: 300s  Attempts: 5  Idle time: 180s

     Portal temp-pass: Enabled       Period: 30s

     Action for server detection:

         Server type    Server name                        Action

         Web server     wbs                                fail-permit

         Portal server  pts                                fail-permit

     Layer3 source network:

         IP address               Mask

         1.1.1.1                  255.255.0.0

 

     Destination authentication subnet:

         IP address               Mask

         2.2.2.2                  255.255.255.0

 

IPv6:

     Portal status: enabled

     Portal authentication method: Layer3

     Portal Web server: wbsv6(active)

     Secondary portal Web server: Not configured

     Authentication domain: my-domain

     Pre-auth domain: abc

     Extend-auth domain: Not configured

     User-dhcp-only: Enabled

     Pre-auth IP pool: ab

     Max portal users: Not configured

     Bas-ipv6:Not configured

     User detection: Type: ICMPv6   Interval: 300s   Attempts: 5   Idle time: 180s

     Portal temp-pass: Disabled

     Action for server detection:

         Server type    Server name                        Action

         Web server     wbsv6                              fail-permit

         Portal server  ptsv6                              fail-permit

     Layer3 source network:

         IP address                                        Prefix length

         11::5                                             64

 

     Destination authentication subnet:

         IP address                                        Prefix length

# Display portal configuration and portal running state on AP ap1. (Wireless application.)

<Sysname> display portal ap ap1

 Portal information of ap1

 Radio ID: 1

 SSID: portal

     Authorization : Strict checking

     ACL           : Disable

     User profile  : Disable

     Dual stack    : Disabled

     Dual traffic-separate: Disabled

 IPv4:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal Web server: wbs(active)

     Secondary portal Web server: wbs sec

     Portal mac-trigger-server: mts

     Authentication domain: my-domain

     Extend-auth domain: def

     User-dhcp-only: Enabled

     Max portal users: 1024

     Bas-ip: 2.2.2.2

     Action for sever detection:

         Server type      Server name           Action

         Web server       wbs                   fail-permit

         Portal server    pts                   fail-permit

     Destination authentication subnet:

         IP address                             Mask

         2.2.2.2                                255.255.0.0

 IPv6:

     Portal status: Enabled

     Portal authentication method: Direct

     Portal Web server: wbsv6(active)

     Secondary portal Web server: Not configured

     Authentication domain: my-domain

     Extend-auth domain: Not configured

     User-dhcp-only: Disabled

     Max portal users: 512

     Bas-ipv6: 2000::1     

     Action for sever detection:

         Server type      Server name           Action

         Web server       wbsv6                 fail-permit

         Portal server    ptsv6                 fail-permit

     Destination authentication subnet:

         IP address                             Prefix length

         3000::1                               64

# Display portal configuration and portal running state on VLAN-interface 30.

<Sysname> display portal Vlan-interface 30

 Portal information of Vlan-interface30

     NAS-ID profile: Not configured

     Authorization : Strict checking

     ACL           : Disable

     User profile  : Disable

     Dual stack    : Disabled

     Dual traffic-separate: Disabled

 IPv4:

     Portal status: Enabled

     Authentication type: Direct

     Portal Web server: pt(active)

     Secondary portal Web server: wbs sec

     Authentication domain: test

     Pre-auth domain: Not configured

     Extend-auth domain: def

     User-dhcp-only: Disabled

     Pre-auth IP pool: Not configured

     Max portal users: Not configured

     Bas-ip: Not configured

     User detection: Not configured

     Portal temp-pass: Enabled,       Period: 30s

     Action for server detection:

         Server type    Server name                        Action

         --             --                                 --

     Layer3 source network:

         IP address               Mask

 

     Destination authentication subnet:

         IP address               Mask

 IPv6:

     Portal status: Disabled

     Authentication type: Disabled

     Portal Web server: Not configured

     Authentication domain: Not configured

     Secondary portal Web server: Not configured

     Pre-auth domain: Not configured

     User-dhcp-only: Disabled

     Pre-auth IP pool: Not configured

     Extend-auth domain: Not configured

     Max portal users: Not configured

     Bas-ipv6: Not configured

     User detection: Not configured

     Portal temp-pass: Disabled

     Action for server detection:

         Server type    Server name                        Action

         --             --                                 --

     Layer3 source network:

         IP address                                        Prefix length

 

     Destination authentication subnet:

         IP address                                        Prefix length

Table 21 Command output

Field

Description

Portal information of interface

Portal configuration on the interface.

Radio ID

ID of the radio.

SSID

Service set identifier.

NAS-ID profile

NAS-ID profile on the interface.

Authorization

Authorization information type:

·     ACL

·     User profile

Strict checking

Whether strict checking is enabled on portal authorization information.

Dual stack

Status of the portal dual-stack feature on the interface:

·     Disabled.

·     Enabled.

Dual traffic-separate

Status of separate IPv4 and IPv6 traffic statistics for dual-stack portal users on the interface:

·     Disabled.

·     Enabled.

IPv4

IPv4 portal configuration.

IPv6

IPv6 portal configuration.

Portal status

Portal authentication status on the interface:

·     Disabled—Portal authentication is disabled.

·     Enabled—Portal authentication is enabled.

·     Authorized—The portal authentication server or portal Web server is unreachable. The interface allows users to have network access without authentication.

Portal authentication method

Type of authentication enabled on the interface:

·     Direct—Direct authentication.

·     Redhcp—Re-DHCP authentication.

·     Layer3—Cross-subnet authentication.

Portal Web server

Name of the primary portal Web server specified on the interface.

This field displays the (active) flag next to the server name if the server is being used.

Secondary portal Web server

Name of the backup portal Web server specified on the interface.

This field displays the (active) flag next to the server name if the server is being used.

Portal mac-trigger-server

Name of the MAC binding server specified on the interface.

Authentication domain

Mandatory authentication domain on the interface.

Extend-auth domain

Authentication domain configured for third-party authentication on an interface or service template.

Pre-auth domain

Preauthentication domain for portal users on the interface.

User-dhcp-only

Status of the user-dhcp-only feature:

·     Enabled: Only users with IP addresses obtained through DHCP can perform portal authentication.

·     Disabled: Both users with IP addresses obtained through DHCP and users with static IP addresses can pass authentication to get online.

Pre-auth IP pool

Name of the IP address pool specified for portal users before authentication.

Max portal users

Maximum number of portal users allowed on an interface.

Bas-ip

BAS-IP attribute of the portal packets sent to the portal authentication server.

Bas-ipv6

BAS-IPv6 attribute of the portal packets sent to the portal authentication server.

User detection

Configuration for online detection of portal users on the interface, including detection method (ARP, ICMP, ND, or ICMPv6), detection interval, maximum number of detection attempts, and user idle time.

Portal temp-pass

Status of the temporary pass feature:

·     Enabled—The temporary pass feature is enabled.

·     Disabled—The temporary pass feature is disabled.

·     Period—Temporary pass period during which a user can access the Internet temporarily. This field is displayed only if the temporary pass feature is enabled.

Action for server detection

Portal server detection configuration on the interface:

·     Server type—Type of the server. Portal server represents the portal authentication server, and Web server represents the portal Web server.

·     Server name—Name of the server.

·     Action—Action triggered by the result of server detection. This field displays fail-permit when the portal fail-permit feature is enabled.

Layer3 source network

Information of the portal authentication source subnet.

Destination authentication subnet

Information of the portal authentication destination subnet.

IP address

IP address of the portal authentication subnet.

Mask

Subnet mask of the portal authentication subnet.

Prefix length

Prefix length of the IPv6 portal authentication subnet address.

 

display portal auth-error-record

Use display portal auth-error-record to display portal authentication error records.

Syntax

display portal auth-error-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal authentication error records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS    No
MSR2600-6-X1/2600-10-X1                                                                   Yes
MSR 2630                                                                                  Yes
MSR3600-28/3600-51                                                                        Yes
MSR3600-28-SI/3600-51-SI                                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            Yes
MSR 3610/3620/3620-DP/3640/3660                                                           Yes
MSR5620/5660/5680                                                                         Yes

Examples

# Display all portal authentication error records.

<Sysname> display portal auth-error-record all

Total authentication error records: 2

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

 

User MAC               : 0016-ecb7-a235

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:51:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records for the portal user whose IPv4 address is 192.168.0.188.

<Sysname> display portal auth-error-record ipv4 192.168.0.188

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records for the portal user whose IPv6 address is 2000::2.

<Sysname> display portal auth-error-record ipv6 2000::2

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 2000::2

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 16:49:07

Auth error reason      : The maximum number of users already reached.

# Display portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal auth-error-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth error time        : 2016-03-04 14:22:25

Auth error reason      : The maximum number of users already reached.

Table 22 Command output

Field

Description

Total authentication error records

Total number of portal authentication error records.

User MAC

MAC address of the portal user.

Interface

Access interface of the portal user.

User IP address

IP address of the portal user.

AP

AP name.

SSID

Service set identifier.

Auth error time

Time when the portal user encountered an authentication error, in the format of YYYY-MM-DD hh:mm:ss.

Auth error reason

Reason for the authentication error:

·     The maximum number of users already reached.

·     Failed to obtain user physical information.

·     Failed to receive the packet because packet length is 0.

·     Packet source unknown. Server IP:X.X.X.X, VRF index:0.

·     Packet validity check failed because packet length and version don't match.

·     Packet type invalid.

·     Packet validity check failed due to invalid authenticator.

·     Memory insufficient.

·     Portal is disabled on the interface.

·     The maximum number of users on the interface already reached.

·     Failed to get the access token of the cloud user.

·     Failed to get the user information of the cloud user.

·     Failed to get the access token of the QQ user.

·     Failed to get the openID of the QQ user.

·     Failed to get the user information of the QQ user.

·     Email authentication failed.

 

Related commands

portal auth-error-record enable

reset auth-error-record
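The records shown above are key-value blocks separated by blank lines, and the command itself only filters by address or time range on the device. As an added example, not from this reference and not H3C's code, the following Python code parses that record format into structured records, applies the same selections offline (by user IP address and by an inclusive time range given as date plus hh:mm, like the start-time and end-time options), and tallies records per reason, which is the figure a monitoring job would watch for a sudden rise. The sample output strings are constructed for the example in the format of display portal auth-error-record and of display portal auth-fail-record (the latter adds a User name field and uses "Auth failure" field names, which the same parser handles). Treating the time range as inclusive at both ends is an assumption; the reference does not say.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample output in the format of display portal auth-error-record all
# (values mirror the records in the reference; not captured from a device).
SAMPLE_ERROR_OUTPUT = """\
Total authentication error records: 2
User MAC               : 0016-ecb7-a879
Interface              : WLAN-BSS1/0/1
User IP address        : 192.168.0.188
AP                     : ap1
SSID                   : byod
Auth error time        : 2016-03-04 16:49:07
Auth error reason      : The maximum number of users already reached.

User MAC               : 0016-ecb7-a235
Interface              : WLAN-BSS1/0/1
User IP address        : 192.168.0.10
AP                     : ap1
SSID                   : byod
Auth error time        : 2016-03-04 16:51:07
Auth error reason      : The maximum number of users already reached.
"""

# Constructed sample in the format of display portal auth-fail-record (adds User name).
SAMPLE_FAIL_OUTPUT = """\
Total authentication fail records: 1
User name              : test@abc
User MAC               : 0016-ecb7-a879
Interface              : WLAN-BSS1/0/1
User IP address        : 2000::2
AP                     : ap1
SSID                   : byod
Auth failure time      : 2016-03-04 16:49:07
Auth failure reason    : Authorization information does not exist.
"""

RECORD_TIME_FMT = "%Y-%m-%d %H:%M:%S"   # format of the Auth error/failure time field
RANGE_TIME_FMT = "%Y-%m-%d %H:%M"       # date plus hh:mm, as the start-time/end-time option uses
Record = Dict[str, str]


def parse_records(text: str) -> List[Record]:
    """Split 'Field : value' lines into one dict per record.
    Records end at a blank line; a repeated field name also starts a new record, so
    output with a missing separator still parses. The 'Total ...' header is skipped.
    Splitting on the first colon keeps IPv6 addresses and hh:mm:ss values intact."""
    records: List[Record] = []
    current: Record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep or key.startswith("Total "):
            continue
        key, value = key.strip(), value.strip()
        if key in current:              # same field again: previous record is complete
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def record_time(record: Record) -> datetime:
    """Timestamp of a record, whichever of the two time field names it carries."""
    for key in ("Auth error time", "Auth failure time"):
        if key in record:
            return datetime.strptime(record[key], RECORD_TIME_FMT)
    raise KeyError("record has no time field")


def filter_records(records: List[Record], ip: Optional[str] = None,
                   start: Optional[str] = None, end: Optional[str] = None) -> List[Record]:
    """Select by user IP address and/or an inclusive 'YYYY-MM-DD hh:mm' time range."""
    start_dt = datetime.strptime(start, RANGE_TIME_FMT) if start else None
    end_dt = datetime.strptime(end, RANGE_TIME_FMT) if end else None
    selected: List[Record] = []
    for rec in records:
        if ip is not None and rec.get("User IP address") != ip:
            continue
        t = record_time(rec)
        if (start_dt is not None and t < start_dt) or (end_dt is not None and t > end_dt):
            continue
        selected.append(rec)
    return selected


def count_by_reason(records: List[Record]) -> Dict[str, int]:
    """Tally records per error/failure reason, the value to alert on when it spikes."""
    counts: Dict[str, int] = {}
    for rec in records:
        reason = rec.get("Auth error reason") or rec.get("Auth failure reason") or "unknown"
        counts[reason] = counts.get(reason, 0) + 1
    return counts
```

Feeding the collected output of either command into parse_records and then count_by_reason gives a per-reason count that can be compared between collection runs; filter_records reproduces the device-side ipv4/ipv6 and start-time/end-time selections on the saved text, so an investigation does not have to re-run the command on the device.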

display portal auth-fail-record

Use display portal auth-fail-record to display portal authentication failure records.

Syntax

display portal auth-fail-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal authentication failure records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS    No
MSR2600-6-X1/2600-10-X1                                                                   Yes
MSR 2630                                                                                  Yes
MSR3600-28/3600-51                                                                        Yes
MSR3600-28-SI/3600-51-SI                                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            Yes
MSR 3610/3620/3620-DP/3640/3660                                                           Yes
MSR5620/5660/5680                                                                         Yes

Examples

# Display all portal authentication failure records.

<Sysname> display portal auth-fail-record all

Total authentication fail records: 2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

 

User name              : coco

User MAC               : 0016-ecb7-a235

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:50:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose IPv4 address is 192.168.0.188.

<Sysname> display portal auth-fail-record ipv4 192.168.0.188

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS0/1

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose IPv6 address is 2000::2.

<Sysname> display portal auth-fail-record ipv6 2000::2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 2000::2

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records for the portal user whose username is chap1.

<Sysname> display portal auth-fail-record username chap1

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 16:49:07

Auth failure reason    : Authorization information does not exist.

# Display portal authentication failure records with the failure time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal auth-fail-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.188

AP                     : ap1

SSID                   : byod

Auth failure time      : 2016-03-04 14:22:25

Auth failure reason    : Authorization information does not exist.

Table 23 Command output

Field

Description

Total authentication fail records

Total number of portal authentication failure records.

User name

Username of the portal user.

User MAC

MAC address of the portal user.

Interface

Access interface of the portal user.

User IP address

IP address of the portal user.

AP

AP name.

SSID

Service set identifier.

Auth failure time

Time when the portal user failed authentication, in the format of YYYY-MM-DD hh:mm:ss.

Auth failure reason

Reason why the user failed portal authentication.

 

Related commands

portal auth-fail-record enable

reset portal auth-fail-record

display portal captive-bypass statistics

Use display portal captive-bypass statistics to display packet statistics for portal captive-bypass.

Syntax

Centralized devices in standalone mode:

display portal captive-bypass statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display portal captive-bypass statistics [ slot slot-number ]

Distributed devices in IRF mode:

display portal captive-bypass statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays portal captive-bypass packet statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal captive-bypass packet statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays portal captive-bypass packet statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display portal captive-bypass packet statistics.

<Sysname> display portal captive-bypass statistics

User type       Packets

iOS:            1

Android:        0

# (Distributed devices in standalone mode/centralized in IRF mode.) Display portal captive-bypass packets on the specified slot.

<Sysname> display portal captive-bypass statistics slot 1

Slot 1:

User type       Packets

iOS             1

Android         0

Table 24 Command output

Field

Description

User type

Type of users:

·     iOS.

·     Android.

Packets

Number of portal captive-bypass packets sent to the users.

 

Related commands

captive-bypass enable

display portal dns free-rule-host

Use display portal dns free-rule-host to display IP addresses corresponding to host names in destination-based portal-free rules.

Syntax

display portal dns free-rule-host [ host-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

host-name: Specifies a host by its name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), dots (.), and wildcards (asterisks *). The host name cannot be ip or ipv6. If you do not specify a host name, this command displays IP addresses corresponding to all host names in destination-based portal-free rules.

Examples

# Display IP addresses corresponding to host name www.baidu.com in a destination-based portal-free rule.

<Sysname> display portal dns free-rule-host www.baidu.com

 Host name                     IP

 www.baidu.com                 10.10.10.10

# Display IP addresses corresponding to host name *abc.com in a destination-based portal-free rule.

<Sysname> display portal dns free-rule-host *abc.com

 Host name                     IP

 *abc.com                      12.12.12.12

                               111.8.33.100

                               3.3.3.3

Table 25 Command output

Field

Description

Host name

Host name specified in a destination-based portal-free rule.

IP

IP address corresponding to the host name.

 

display portal extend-auth-server

Use display portal extend-auth-server to display information about third-party authentication servers.

Syntax

display portal extend-auth-server { all | facebook | mail | qq | wechat }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all third-party authentication servers.

facebook: Specifies the Facebook authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

Examples

# Display information about all third-party authentication servers.

<Sysname> display portal extend-auth-server all

Portal extend-auth-server: qq

   Authentication URL : http://graph.qq.com

   APP ID            : 101235509

   APP key           : ******

   Redirect URL      : http://oauthindev.h3c.com/portal/qqlogin.html

Portal extend-auth-server: mail

   Mail protocol      : POP3

   Mail domain name   : @qq.com

Portal extend-auth-server: wechat

  App ID             : wx23fb4aaf04b8491e

  App key            : ******

  App secret         : ******

  Subscribe-required : Enabled

  Shop ID            : 6747662

Portal extend-auth-server: facebook

   Authentication URL : https://graph.facebook.com

   APP ID             : 123456789

   APP key            : ******

   Redirect URL       : http://oauthindev.h3c.com/portal/fblogin.html

Table 26 Command output

Field

Description

Portal extend-auth-server

Type of the third-party authentication server.

Authentication URL

URL of the third-party authentication server.

APP ID

App ID for third-party authentication.

APP key

App key for third-party authentication.

App secret

App secret for WeChat authentication.

Subscribe-required

Status of the subscribe-required feature:

·     Enabled.

·     Disabled.

Redirect URL

Redirection URL for QQ or Facebook authentication success.

Mail protocol

Protocols supported by the email authentication service.

Mail domain name

Email domain names supported by the email authentication service.

Shop ID

ID of the shop where the device is deployed as a portal device for WeChat authentication.

 

Related commands

portal extend-auth-server

display portal local-binding mac-address

Use display portal local-binding mac-address to display information about local MAC-account binding entries.

Syntax

display portal local-binding mac-address { mac-address | all }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

mac-address: Specifies the MAC address of a portal user, in the format H-H-H.

all: Specifies all local MAC-account binding entries.

Examples

# Display information about all local MAC-account binding entries.

<Sysname> display portal local-binding mac-address all

Total MAC addresses: 5

MAC address                Username            Aging(hh:mm:ss)

0015-e9a6-7cfe             wlan_user1          00:41:38

0000-e27c-6e80             wlan_user2          00:41:38

000f-e212-ff01             wlan_user3          00:41:38

001c-f08f-f804             wlan_user4          00:41:38

000f-e233-9000             wlan_user5          00:41:38

# Display information about the local MAC-account binding entry for the user with MAC address 0015-e9a6-7cfe.

<Sysname> display portal local-binding mac-address 0015-e9a6-7cfe

Total MAC addresses: 1

MAC address                Username            Aging(hh:mm:ss)

0015-e9a6-7cfe             wlan_user1          00:41:38

Table 27 Command output

Field

Description

MAC address

MAC address of a portal user.

Username

Username of a portal user.

Aging

Remaining lifetime of the local MAC-account binding entry.

 

Related commands

local-binding enable

display portal logout-record

Use display portal logout-record to display portal user offline records.

Syntax

display portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all portal user offline records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS   No
MSR2600-6-X1/2600-10-X1                                                                  Yes
MSR 2630                                                                                 Yes
MSR3600-28/3600-51                                                                       Yes
MSR3600-28-SI/3600-51-SI                                                                 Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                           Yes
MSR 3610/3620/3620-DP/3640/3660                                                          Yes
MSR5620/5660/5680                                                                        Yes

 

Examples

# Display all portal user offline records.

<Sysname> display portal logout-record all

Total logout records: 2

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:20:19

User logout time       : 2016-03-04 14:22:05

Logout reason          : Admin Reset

 

User name              : coco

User MAC               : 0016-ecb7-a235

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.10

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:10:15

User logout time       : 2016-03-04 14:22:05

Logout reason          : Admin Reset

# Display offline records for the portal user whose IPv4 address is 192.168.0.8.

<Sysname> display portal logout-record ipv4 192.168.0.8

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:26:12

User logout time       : 2016-03-04 14:27:35

Logout reason          : Admin Reset

# Display offline records for the portal user whose username is chap1.

<Sysname> display portal logout-record username chap1

User name              : chap1

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 17:20:19

User logout time       : 2016-03-04 17:22:05

Logout reason          : Admin Reset

# Display portal user offline records with the logout time in the range of 2016/3/4 14:20 to 2016/3/4 14:23.

<Sysname> display portal logout-record start-time 2016/3/4 14:20 end-time 2016/3/4 14:23

User name              : test@abc

User MAC               : 0016-ecb7-a879

Interface              : WLAN-BSS1/0/1

User IP address        : 192.168.0.8

AP                     : ap1

SSID                   : byod

User login time        : 2016-03-04 14:20:19

User logout time       : 2016-03-04 14:22:05

Logout reason          : Admin Reset

Table 28 Command output

Field

Description

Total logout records

Total number of portal user offline records.

User name

Username of the portal user.

User MAC

MAC address of the portal user.

Interface

Access interface of the portal user.

User IP address

IP address of the portal user.

AP

AP name.

SSID

Service set identifier.

User login time

Time when the portal user came online, in the format of YYYY-MM-DD hh:mm:ss.

User logout time

Time when the portal user went offline, in the format of YYYY-MM-DD hh:mm:ss.

Logout reason

Reason why the portal user went offline:

·     User Request.

·     Carrier Lost.

·     Service Lost.

·     Admin Reset.

·     NAS Request.

·     Idle Timeout.

·     Port Suspended.

·     Port Error.

·     Admin Reboot.

·     Session Timeout.

·     User Error.

·     Service Unavailable.

·     NAS Error.

·     Other Errors.

 

Related commands

portal logout-record enable

reset portal logout-record
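The auth-fail-record and logout-record commands above both emit one "Field : value" block per record and accept the same selectors (ipv4, username without domain, and a start-time/end-time window in MM/DD/YYYY or YYYY/MM/DD plus hh:mm). The following is an added example, not H3C code: it parses captured output of either command, validates the time-range arguments exactly as the reference defines them, applies the same filters offline, and counts records per reason, which is the first thing an operator wants when triaging a burst of portal failures or forced logouts. The sample output is constructed, and the assumption that the username selector matches the part of the recorded username before "@" is the author's, not the reference's.

```python
import re
from datetime import datetime

# Constructed sample output (two logout records in the format the command
# reference shows; a blank line separates records).
SAMPLE_OUTPUT = """\
Total logout records: 2
User name              : test@abc
User MAC               : 0016-ecb7-a879
Interface              : WLAN-BSS1/0/1
User IP address        : 192.168.0.8
AP                     : ap1
SSID                   : byod
User login time        : 2016-03-04 14:20:19
User logout time       : 2016-03-04 14:22:05
Logout reason          : Admin Reset

User name              : coco
User MAC               : 0016-ecb7-a235
Interface              : WLAN-BSS1/0/1
User IP address        : 192.168.0.10
AP                     : ap1
SSID                   : byod
User login time        : 2016-03-04 14:10:15
User logout time       : 2016-03-04 17:22:05
Logout reason          : Idle Timeout
"""

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*)$")
DATE_FORMATS = ("%m/%d/%Y", "%Y/%m/%d")   # the two date layouts the command accepts
RECORD_TS = "%Y-%m-%d %H:%M:%S"            # layout of the time fields in the output


def parse_records(text):
    """Split display output into one dict per record (the 'Total ...' summary
    line is skipped; a blank line ends a record)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("Total "):
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group("key").strip()] = m.group("value").strip()
    if current:
        records.append(current)
    return records


def parse_cli_datetime(date_str, time_str):
    """Validate a start-time/end-time argument pair as the reference defines it:
    date MM/DD/YYYY or YYYY/MM/DD (unpadded month/day allowed, as in the
    examples), YYYY in 1970..2037, time hh:mm."""
    for fmt in DATE_FORMATS:
        try:
            d = datetime.strptime(date_str, fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError("date must be MM/DD/YYYY or YYYY/MM/DD: %r" % date_str)
    if not 1970 <= d.year <= 2037:
        raise ValueError("year out of range 1970..2037: %d" % d.year)
    t = datetime.strptime(time_str, "%H:%M")
    return d.replace(hour=t.hour, minute=t.minute)


def filter_records(records, ipv4=None, username=None, start=None, end=None,
                   time_field="User logout time"):
    """Apply the command's selectors offline. For auth-fail records pass
    time_field="Auth failure time". Window bounds are inclusive."""
    out = []
    for r in records:
        if ipv4 and r.get("User IP address") != ipv4:
            continue
        # Assumption (not stated by the reference): the domain-less username
        # argument is compared with the recorded name minus any "@domain".
        if username and r.get("User name", "").split("@")[0] != username:
            continue
        if start or end:
            ts = datetime.strptime(r[time_field], RECORD_TS)
            if (start and ts < start) or (end and ts > end):
                continue
        out.append(r)
    return out


def count_by(records, field):
    """Histogram of a field, e.g. 'Logout reason' or 'Auth failure reason'."""
    counts = {}
    for r in records:
        key = r.get(field, "?")
        counts[key] = counts.get(key, 0) + 1
    return counts
```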

display portal mac-trigger user

Use display portal mac-trigger user to display information about MAC-trigger authentication users (portal users that perform MAC-trigger authentication).

Syntax

display portal mac-trigger user { all | ip ipv4-address | mac mac-address }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC-trigger authentication users.

ip ipv4-address: Specifies a MAC-trigger authentication user by its IP address.

mac mac-address: Specifies a MAC-trigger authentication user by its MAC address, in the format of H-H-H.

Examples

# Display information about all MAC-trigger authentication users.

<Sysname> display portal mac-trigger user all

Total portal mac-trigger users: 8

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-732a   1.1.1.6        1         Vlan-interface1    0               NOBIND

0050-ba50-7328   1.1.1.4        1         Vlan-interface1    0               NOBIND

0050-ba50-7326   1.1.1.2        1         Vlan-interface1    0               NOBIND

0050-ba50-732c   1.1.1.8        1         Vlan-interface1    0               NOBIND

0050-ba50-7329   1.1.1.5        1         Vlan-interface1    0               NOBIND

# Display information about the MAC-trigger authentication user whose MAC address is 0050-ba50-7777.

<Sysname> display portal mac-trigger user mac 0050-ba50-7777

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-7777   1.1.5.83       1         Vlan-interface1    0               NOBIND

# Display information about the MAC-trigger authentication user whose IP address is 1.1.2.126.

<Sysname> display portal mac-trigger user ip 1.1.2.126

MAC address      IP address     VLAN ID   Interface          Traffic(Bytes)  State

0050-ba50-74a2   1.1.2.126      1         Vlan-interface1    0               NOBIND

Table 29 Command output

Field

Description

MAC address

MAC address of the user.

IP address

IP address of the user.

VLAN ID

ID of the VLAN to which the user belongs.

Interface

Interface through which the user accesses the network.

Traffic(Bytes)

Traffic of the user, in bytes.

State

Status of the user:

·     DEFAULT—The user's traffic is below the free-traffic threshold and the user can access the network without authentication.

·     WAIT—The binding status between the user's MAC address and account is being queried.

·     NOBIND—The user's MAC address is not bound with the user's account.

·     BIND—The user's MAC address is bound with the user's account.

·     DISABLE—The MAC-trigger entry for the user is deleted on the device.

 

Related commands

portal apply mac-trigger-server

portal mac-trigger-server

display portal mac-trigger-server

Use display portal mac-trigger-server to display information about MAC binding servers.

Syntax

display portal mac-trigger-server { all | name server-name }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Specifies all MAC binding servers.

name server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Examples

# Display information about all MAC binding servers.

<Sysname> display portal mac-trigger-server all

Portal mac trigger server name: ms1

  Version                    : 2.0

  Server type                : CMCC

  IP                         : 10.1.1.1

  Port                       : 100

  VPN instance               : vpn1

  Aging time                 : 120 seconds

  Free-traffic threshold     : 1000 bytes

  NAS-Port-Type              : 255

  Binding retry times        : 5

  Binding retry interval     : 2 seconds

  Authentication timeout     : 5 minutes

  Local-binding              : Disabled

  Local-binding aging time   : 12 hours

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

Portal mac trigger server name: mts

  Version                    : 1.0

  Server type                : IMC

  IP                         : 4.4.4.2

  Port                       : 50100

  VPN instance               : Not configured

  Aging time                 : 300 seconds

  Free-traffic threshold     : 0 bytes

  NAS-Port-Type              : Not configured

  Binding retry times        : 3

  Binding retry interval     : 1 seconds

  Authentication timeout     : 3 minutes

  Local-binding              : Disabled

  Local-binding aging time   : 12 hours

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

# Display information about MAC binding server ms1.

<Sysname> display portal mac-trigger-server name ms1

Portal mac trigger server name: ms1

  Version                    : 2.0

  Server type                : CMCC

  IP                         : 10.1.1.1

  Port                       : 100

  VPN instance               : vpn1

  Aging time                 : 120 seconds

  Free-traffic threshold     : 1000 bytes

  NAS-Port-Type              : 255

  Binding retry times        : 5

  Binding retry interval     : 2 seconds

  Authentication timeout     : 5 minutes

  Local-binding              : Disabled

  Local-binding aging time   : 12 hours

  aaa-fail nobinding         : Disabled

  Excluded attribute list    : 1

  Cloud-binding              : Disabled

  Cloud server URL           : Not configured

Table 30 Command output

Field

Description

Portal mac trigger server name

Name of the MAC binding server.

Version

Version of the portal protocol:

·     1.0—Version 1.

·     2.0—Version 2.

·     3.0—Version 3.

Server type

Type of the MAC binding server:

·     CMCC—CMCC server.

·     IMC—H3C IMC server or H3C CAMS server.

IP

IP address of the MAC binding server.

Port

UDP port number on which the MAC binding server listens for MAC binding query packets.

VPN instance

MPLS L3VPN where the MAC binding server resides.

Aging time

Aging time in seconds. A MAC-trigger entry is aged out when the aging time expires.

Free-traffic threshold

Free-traffic threshold in bytes. If a user's traffic is below the threshold, the user can access the network without authentication.

NAS-Port-Type

NAS-Port-Type attribute value in RADIUS request packets sent to the RADIUS server.

Binding retry times

Maximum number of attempts for sending MAC binding queries to the MAC binding server.

Binding retry interval

Interval at which the device sends MAC binding queries to the MAC binding server.

Authentication timeout

Maximum amount of time that the device waits for portal authentication to complete after receiving the MAC binding query response.

aaa-fail nobinding

Status of the AAA failure unbinding feature:

·     Disabled.

·     Enabled.

Excluded attribute list

Numbers of attributes excluded from portal protocol packets.

Local-binding

Status of local MAC-trigger authentication:

·     Disabled.

·     Enabled.

Local-binding aging time

Aging time for local MAC-account binding entries, in hours.

Cloud-binding

Status of cloud MAC-trigger authentication:

·     Disabled.

·     Enabled.

Cloud server URL

URL of the cloud portal authentication server.

 

display portal packet statistics

Use display portal packet statistics to display packet statistics for portal authentication servers and MAC binding servers.

Syntax

display portal packet statistics [ extend-auth-server { cloud | facebook | mail | qq | wechat } | mac-trigger-server server-name | server server-name ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

extend-auth-server: Specifies a third-party authentication server.

cloud: Specifies the Oasis cloud authentication server.

facebook: Specifies the Facebook authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

The following matrix shows the extend-auth-server { cloud | facebook | mail | qq | wechat } option and hardware compatibility:

 

Hardware                                                                                 Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS   No
MSR2600-6-X1/2600-10-X1                                                                  Yes
MSR 2630                                                                                 Yes
MSR3600-28/3600-51                                                                       Yes
MSR3600-28-SI/3600-51-SI                                                                 Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                           Yes
MSR 3610/3620/3620-DP/3640/3660                                                          Yes
MSR5620/5660/5680                                                                        Yes

 

mac-trigger-server server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command displays packet statistics for all third-party authentication servers, portal authentication servers, and MAC binding servers.

Examples

# Display packet statistics for portal authentication server pts.

<Sysname> display portal packet statistics server pts

 Portal server :  pts

 Invalid packets: 0

 Pkt-Type                            Total    Drops    Errors

 REQ_CHALLENGE                       3        0        0

 ACK_CHALLENGE                       3        0        0

 REQ_AUTH                            3        0        0

 ACK_AUTH                            3        0        0

 REQ_LOGOUT                          1        0        0

 ACK_LOGOUT                          1        0        0

 AFF_ACK_AUTH                        3        0        0

 NTF_LOGOUT                          1        0        0

 REQ_INFO                            6        0        0

 ACK_INFO                            6        0        0

 NTF_USERDISCOVER                    0        0        0

 NTF_USERIPCHANGE                    0        0        0

 AFF_NTF_USERIPCHAN                  0        0        0

 ACK_NTF_LOGOUT                      1        0        0

 NTF_HEARTBEAT                       0        0        0

 NTF_USER_HEARTBEAT                  2        0        0

 ACK_NTF_USER_HEARTBEAT              0        0        0

 NTF_CHALLENGE                       0        0        0

 NTF_USER_NOTIFY                     0        0        0

 AFF_NTF_USER_NOTIFY                 0        0        0

# Display packet statistics for MAC binding server newpt.

<Sysname> display portal packet statistics mac-trigger-server newpt

 MAC-trigger server: newpt

 Invalid packets: 0

 Pkt-Type                            Total    Drops    Errors

 REQ_MACBIND                         1        0        0

 ACK_MACBIND                         1        0        0

 NTF_MTUSER_LOGON                    1        0        0

 NTF_MTUSER_LOGOUT                   0        0        0

 REQ_MTUSER_OFFLINE                  0        0        0

# Display packet statistics for the Oasis cloud authentication server.

<Sysname> display portal packet statistics extend-auth-server cloud

Extend-auth server:  cloud

 Update interval:  60s

  Pkt-Type               Success    Error      Timeout    Conn-failure

  REQ_ACCESSTOKEN        1          0          0          0

  REQ_USERINFO           1          0          0          0

  RESP_ACCESSTOKEN       1          0          0          0

  RESP_USERINFO          1          0          0          0

  POST_ONLINEDATA        0          0          0          0

  RESP_ONLINEDATA        0          0          0          0

  POST_OFFLINEUSER       1          0          0          0

  REPORT_ONLINEUSER      1          0          0          0

  REQ_CLOUDBIND          1          0          0          0

  RESP_CLOUDBIND         1          0          0          0

  REQ_BINDUSERINFO       0          0          0          0

  RESP_BINDUSERINFO      0          0          0          0

  AUTHENTICATION         0          1          0          0
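The per-packet-type counters above are the quickest health signal for the portal and MAC-binding exchanges: a non-zero Invalid packets count, drops or errors on a packet type, or more requests than matching acknowledgments each point at something worth checking before users start reporting failures. The following is an added example, not H3C code: it parses the Total/Drops/Errors tables for portal authentication servers and MAC binding servers (the four-column extend-auth-server table is out of scope here) and reports those conditions. The sample output is constructed from the format shown in the reference, with non-zero counters inserted so the checks fire; the request/acknowledgment pairing is a heuristic of this example.

```python
import re

# Constructed sample: a portal server with problems and a healthy MAC binding
# server, in the layout the command reference shows.
SAMPLE_OUTPUT = """\
 Portal server :  pts
 Invalid packets: 4
 Pkt-Type                            Total    Drops    Errors
 REQ_CHALLENGE                       3        0        0
 ACK_CHALLENGE                       3        0        0
 REQ_AUTH                            5        2        0
 ACK_AUTH                            3        0        0
 REQ_LOGOUT                          1        0        0
 ACK_LOGOUT                          1        0        0
 AFF_ACK_AUTH                        3        0        1
 NTF_LOGOUT                          1        0        0
 ACK_NTF_LOGOUT                      1        0        0
 MAC-trigger server: newpt
 Invalid packets: 0
 Pkt-Type                            Total    Drops    Errors
 REQ_MACBIND                         1        0        0
 ACK_MACBIND                         1        0        0
"""

HEADER_RE = re.compile(r"^\s*(Portal server|MAC-trigger server)\s*:\s*(\S+)")
INVALID_RE = re.compile(r"^\s*Invalid packets:\s*(\d+)")
ROW_RE = re.compile(r"^\s*([A-Z_]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")  # Total Drops Errors

# Request/acknowledgment pairs described in the command output table. Heuristic:
# a request the device received (or sent) normally has a matching acknowledgment.
PAIRS = [("REQ_CHALLENGE", "ACK_CHALLENGE"), ("REQ_AUTH", "ACK_AUTH"),
         ("REQ_LOGOUT", "ACK_LOGOUT"), ("NTF_LOGOUT", "ACK_NTF_LOGOUT"),
         ("REQ_MACBIND", "ACK_MACBIND")]


def parse_stats(text):
    """Return {server_name: {"kind": ..., "invalid": int,
    "pkts": {packet_type: (total, drops, errors)}}}."""
    servers, cur = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "invalid": 0, "pkts": {}}
            servers[m.group(2)] = cur
            continue
        if cur is None:
            continue
        m = INVALID_RE.match(line)
        if m:
            cur["invalid"] = int(m.group(1))
            continue
        m = ROW_RE.match(line)       # the "Pkt-Type" header line does not match
        if m:
            cur["pkts"][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
    return servers


def find_anomalies(servers):
    """List (server, condition, count) tuples for counters that merit a look."""
    findings = []
    for name, s in servers.items():
        if s["invalid"]:
            findings.append((name, "invalid-packets", s["invalid"]))
        for ptype, (total, drops, errors) in s["pkts"].items():
            if drops:
                findings.append((name, "drops:" + ptype, drops))
            if errors:
                findings.append((name, "errors:" + ptype, errors))
        for req, ack in PAIRS:
            if req in s["pkts"] and ack in s["pkts"]:
                unanswered = s["pkts"][req][0] - s["pkts"][ack][0]
                if unanswered > 0:
                    findings.append((name, "unanswered:" + req, unanswered))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_stats(SAMPLE_OUTPUT)):
        print("%-8s %-24s %d" % finding)
```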

Table 31 Command output

Field

Description

Portal server

Name of the portal authentication server.

Invalid packets

Number of invalid packets.

Pkt-Type

Packet type.

Total

Total number of packets.

Drops

Number of dropped packets.

Errors

Number of packets that carry error information.

REQ_CHALLENGE

Challenge request packet the portal authentication server sent to the access device.

ACK_CHALLENGE

Challenge acknowledgment packet the access device sent to the portal authentication server.

REQ_AUTH

Authentication request packet the portal authentication server sent to the access device.

ACK_AUTH

Authentication acknowledgment packet the access device sent to the portal authentication server.

REQ_LOGOUT

Logout request packet the portal authentication server sent to the access device.

ACK_LOGOUT

Logout acknowledgment packet the access device sent to the portal authentication server.

AFF_ACK_AUTH

Affirmation packet the portal authentication server sent to the access device after receiving an authentication acknowledgment packet.

NTF_LOGOUT

Forced logout notification packet the access device sent to the portal authentication server.

REQ_INFO

Information request packet.

ACK_INFO

Information acknowledgment packet.

NTF_USERDISCOVER

User discovery notification packet the portal authentication server sent to the access device.

NTF_USERIPCHANGE

User IP change notification packet the access device sent to the portal authentication server.

AFF_NTF_USERIPCHAN

User IP change success notification packet the portal authentication server sent to the access device.

ACK_NTF_LOGOUT

Forced logout acknowledgment packet the portal authentication server sent to the access device.

NTF_HEARTBEAT

Server heartbeat packet the portal authentication server periodically sent to the access device.

NTF_USER_HEARTBEAT

User synchronization packet the portal authentication server sent to the access device.

ACK_NTF_USER_HEARTBEAT

User synchronization acknowledgment packet the access device sent to the portal authentication server.

NTF_CHALLENGE

Challenge request packet the access device sent to the portal authentication server.

NTF_USER_NOTIFY

User information notification packet the access device sent to the portal authentication server.

AFF_NTF_USER_NOTIFY

NTF_USER_NOTIFY acknowledgment packet the portal authentication server sent to the access device.

MAC-trigger server

Name of the MAC binding server.

REQ_MACBIND

MAC binding request packet the access device sent to the MAC binding server.

ACK_MACBIND

MAC binding acknowledgment packet the MAC binding server sent to the access device.

NTF_MTUSER_LOGON

User logon notification packet the access device sent to the MAC binding server.

NTF_MTUSER_LOGOUT

User logout notification packet the access device sent to the MAC binding server.

REQ_MTUSER_OFFLINE

Forced offline request packet the MAC binding server sent to the access device.

Extend-auth server

Type of the third-party authentication server:

·     qq—QQ authentication server.

·     mail—Email authentication server.

·     wechat—WeChat authentication server.

·     cloud—Oasis cloud authentication server.

·     facebook—Facebook authentication server.

Update interval

Interval at which the device sends online user information to the Oasis cloud server, in seconds.

This field is displayed only if the third-party authentication server is the Oasis cloud authentication server.

Success

Number of packets that have been successfully sent or received.

Timeout

Number of packets that timed out while establishing a connection to the third-party authentication server.

Conn-failure

Number of packets that failed to establish a connection to the third-party authentication server.

Deny

Number of packets denied access to the third-party authentication server.

This field is displayed only if the third-party authentication server is the email authentication server.

REQ_ACCESSTOKEN

Access token request packet the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is QQ, Facebook, Oasis cloud, or WeChat authentication server.

REQ_OPENID

Open ID request packet the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the QQ authentication server.

REQ_USERINFO

User information request packet the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the QQ, Facebook, Oasis cloud, or WeChat authentication server.

RESP_ACCESSTOKEN

Access token response packet the access device received from the third-party authentication server.

This field is displayed only if the third-party authentication server is the QQ, Facebook, Oasis cloud, or WeChat authentication server.

RESP_OPNEID

Open ID response packet the access device received from the third-party authentication server.

This field is displayed only if the third-party authentication server is the QQ authentication server.

RESP_USERINFO

User information response packet the access device received from the third-party authentication server.

This field is displayed only if the third-party authentication server is the QQ, Facebook, Oasis cloud, or WeChat authentication server.

REQ_POP3

POP3 authentication request packet the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the email authentication server.

REQ_IMAP

IMAP authentication request packet the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the email authentication server.

POST_ONLINEDATA

Cloud user information request packet the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the Oasis cloud authentication server.

RESP_ONLINEDATA

Cloud user information response packet the access device received from the third-party authentication server.

This field is displayed only if the third-party authentication server is the Oasis cloud authentication server.

POST_OFFLINEUSER

Cloud user offline packet the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the Oasis cloud or WeChat authentication server.

REPORT_ONLINEUSER

Cloud user online packet the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the Oasis cloud or WeChat authentication server.

REQ_CLOUDBIND

Cloud user binding status query request that the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the Oasis cloud authentication server.

RESP_CLOUDBIND

Cloud user binding status query response that the access device received from the third-party authentication server.

This field is displayed only if the third-party authentication server is the Oasis cloud authentication server.

REQ_BINDUSERINFO

Cloud user information request packet that the access device sent to the third-party authentication server.

This field is displayed only if the third-party authentication server is the Oasis cloud authentication server.

RESP_BINDUSERINFO

Cloud user information response packet that the access device received from the third-party authentication server.

This field is displayed only if the third-party authentication server is the Oasis cloud authentication server.

AUTHENTICATION

Result of third-party authentication.

 

Related commands

reset portal packet statistics

display portal permit-rule statistics

Use display portal permit-rule statistics to display statistics for portal permit rules.

Syntax

display portal permit-rule statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

Portal permit rules refer to category 1 and category 2 portal filtering rules, which permit user packets to pass.

Examples

# Display statistics for portal permit rules.

<Sysname> display portal permit-rule statistics

Interface             Free rules           Fuzzy rules            User rules

WLAN-BSS1/0/1         2                      5                    10

WLAN-BSS2/0/1         2                      3                    6

Table 32 Command output

Field

Description

Interface

Interface on which portal permit rules are used.

Free rules

Number of permit rules generated based on configured portal-free rules, excluding permit rules generated based on fuzzy matches of destination-based portal-free rules.

Fuzzy rules

Number of permit rules generated based on fuzzy matches of destination-based portal-free rules.

User rules

Number of permit rules generated after portal users pass authentication.

 

display portal redirect statistics

Use display portal redirect statistics to display portal redirect packet statistics.

Syntax

Centralized devices in standalone mode:

display portal redirect statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display portal redirect statistics [ slot slot-number ]

Distributed devices in IRF mode:

display portal redirect statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays portal redirect packet statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal redirect packet statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays portal redirect packet statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display portal redirect packet statistics.

<Sysname> display portal redirect statistics

HttpReq: 1

HttpResp: 1

HttpsReq: 0

HttpsResp: 0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display portal redirect packet statistics on the specified slot.

<Sysname> display portal redirect statistics slot 1

Slot 1:

HttpReq: 3

HttpResp: 3

HttpsReq: 6

HttpsResp: 6

Table 33 Command output

Field

Description

HttpReq

Total number of HTTP redirect requests.

HttpResp

Total number of HTTP redirect responses.

HttpsReq

Total number of HTTPS redirect requests.

HttpsResp

Total number of HTTPS redirect responses.

 

Related commands

reset portal redirect statistics

display portal rule

Use display portal rule to display portal filtering rules.

Syntax

Centralized devices in standalone mode:

display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

Distributed devices in standalone mode/centralized devices in IRF mode:

display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ slot slot-number ] }

Distributed devices in IRF mode:

display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ chassis chassis-number slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays all portal filtering rules, including dynamic and static portal filtering rules.

dynamic: Displays dynamic portal filtering rules, which are generated after users pass portal authentication. These rules allow packets with specific source IP addresses to pass the interface.

static: Displays static portal filtering rules, which are generated after portal authentication is enabled. The interface filters packets by these rules when portal authentication is enabled.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio ID varies by device model. If you do not specify a radio, this command displays portal filtering rules for all radios of the AP.

The following matrix shows the ap ap-name [ radio radio-id ] option and hardware compatibility:

 

Hardware                                                                Option compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes

MSR810-LMS/810-LUS                                                      No

MSR2600-6-X1/2600-10-X1                                                 Yes

MSR 2630                                                                Yes

MSR3600-28/3600-51                                                      Yes

MSR3600-28-SI/3600-51-SI                                                No

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                          No

MSR 3610/3620/3620-DP/3640/3660                                         Yes

MSR5620/5660/5680                                                       No

 

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays portal filtering rules for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal filtering rules for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays portal filtering rules for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display all portal filtering rules on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> display portal rule all interface gigabitethernet 1/0/1

IPv4 portal rules on GigabitEthernet1/0/1:

Rule 1

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

    MAC            : 0000-0000-0000

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Destination:

    IP             : 192.168.0.111

    Mask           : 255.255.255.255

    Port           : Any

 

Rule 2

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 2.2.2.2

    MAC            : 000d-88f8-0eab

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Author ACL:

    Number         : 3001

 

Rule 3

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

    Protocol       : TCP

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : 80

 

Rule 4:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

 

IPv6 portal rules on GigabitEthernet1/0/1:

Rule 1

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP             : ::

    Prefix length  : 0

    Port           : Any

    MAC            : 0000-0000-0000

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Destination:

    IP             : 3000::1

    Prefix length  : 64

    Port           : Any

 

Rule 2

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP              : 3000::1

    MAC             : 0015-e9a6-7cfe

    Interface       : GigabitEthernet1/0/1

    VLAN            : Any

 Author ACL:

    Number          : 3001

 

Rule 3

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP              : ::

    Prefix length   : 0

    Interface       : GigabitEthernet1/0/1

    VLAN            : Any

    Protocol        : TCP

 Destination:

    IP              : ::

    Prefix length   : 0

    Port            : 80

 

Rule 4:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP             : ::

    Prefix length  : 0

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Destination:

    IP             : ::

    Prefix length  : 0

 

Rule 5:

 Type                : Static

 Action              : Match pre-auth ACL

 Status              : Active

 Source:

    Interface      : GigabitEthernet1/0/1

Pre-auth ACL:

    Number          : 3002

# (Centralized devices in standalone mode.) Display all portal filtering rules on AP ap1. (Wireless application.)

<Sysname> display portal rule all ap ap1

Slot 1:

IPv4 portal rules on ap1:

Radio ID : 1

SSID     : portal

Rule 1

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 23

    MAC       : 0000-0000-0000

    Interface : WLAN-BSS1/0/1

    VLAN      : any

 Destination:

    IP        : 192.168.0.111

    Mask      : 255.255.255.255

    Port      : Any

 

Rule 2

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP        : 2.2.2.2

    MAC       : 000d-88f8-0eab

    Interface : WLAN-BSS1/0/1

    VLAN      : 2

 Author ACL:

    Number    : N/A

 

Rule 3

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : any

    Protocol  : TCP

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 80

 

Rule 4:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : Any

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all portal filtering rules on GigabitEthernet 1/0/1 for the specified slot. (Wired application.)

<Sysname> display portal rule all interface gigabitethernet 1/0/1 slot 1

Slot 1:

IPv4 portal rules on GigabitEthernet1/0/1:

Rule 1

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : Any

    MAC            : 0000-0000-0000

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Destination:

    IP             : 192.168.0.111

    Mask           : 255.255.255.255

    Port           : Any

 

Rule 2

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 2.2.2.2

    MAC            : 000d-88f8-0eab

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Author ACL:

    Number         : 3001

 

Rule 3

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

    Protocol       : TCP

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Port           : 80

 

Rule 4:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Destination:

    IP             : 0.0.0.0

    Mask           : 0.0.0.0

 

IPv6 portal rules on GigabitEthernet1/0/1:

Rule 1

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP             : ::

    Prefix length  : 0

    Port           : Any

    MAC            : 0000-0000-0000

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Destination:

    IP             : 3000::1

    Prefix length  : 64

    Port           : Any

 

Rule 2

 Type                 : Dynamic

 Action               : Permit

 Status               : Active

 Source:

    IP              : 3000::1

    MAC             : 0015-e9a6-7cfe

    Interface       : GigabitEthernet1/0/1

    VLAN            : Any

 Author ACL:

    Number          : 3001

 

Rule 3

 Type                 : Static

 Action               : Redirect

 Status               : Active

 Source:

    IP              : ::

    Prefix length   : 0

    Interface       : GigabitEthernet1/0/1

    VLAN            : Any

    Protocol        : TCP

 Destination:

    IP              : ::

    Prefix length   : 0

    Port            : 80

 

Rule 4:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP             : ::

    Prefix length  : 0

    Interface      : GigabitEthernet1/0/1

    VLAN           : Any

 Destination:

    IP             : ::

    Prefix length  : 0

 

Rule 5:

 Type                : Static

 Action              : Match pre-auth ACL

 Status              : Active

 Source:

    Interface      : GigabitEthernet1/0/1

Pre-auth ACL:

    Number         : 3002

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all portal filtering rules on AP ap1. (Wireless application.)

<Sysname> display portal rule all ap ap1

Slot 1:

IPv4 portal rules on ap1:

Radio ID : 1

SSID     : portal

Rule 1

 Type                : Static

 Action              : Permit

 Protocol            : Any

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 23

    MAC       : 0000-0000-0000

    Interface : WLAN-BSS1/0/1

    VLAN      : any

 Destination:

    IP        : 192.168.0.111

    Mask      : 255.255.255.255

    Port      : Any

Rule 2

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP        : 2.2.2.2

    Mask      : 255.255.255.255

    MAC       : 000d-88f8-0eab

    Interface : WLAN-BSS1/0/1

    VLAN      : 2

 Author ACL:

    Number    : N/A

Rule 3

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : Any

    MAC       : 0000-0000-0000

    Interface : WLAN-BSS1/0/1

    VLAN      : any

    Protocol  : TCP

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Port      : 80

Rule 4:

 Type                : Static

 Action              : Deny

 Status              : Active

 Source:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

    Interface : WLAN-BSS1/0/1

    VLAN      : Any

 Destination:

    IP        : 0.0.0.0

    Mask      : 0.0.0.0

Table 34 Command output

Field

Description

Radio ID

ID of the radio.

SSID

Service set identifier.

Rule

Number of the portal rule. IPv4 portal filtering rules and IPv6 portal filtering rules are numbered separately.

Type

Type of the portal rule:

·     Static—Static portal rule.

·     Dynamic—Dynamic portal rule.

Action

Action triggered by the portal rule:

·     Permit—The interface allows packets to pass.

·     Redirect—The interface redirects packets.

·     Deny—The interface forbids packets to pass.

·     Match pre-auth ACL—The interface matches packets against the authorized ACL rules in the preauthentication domain.

Protocol

Transport layer protocol permitted by the portal-free rule:

·     Any—Permits any transport layer protocol.

·     TCP—Permits TCP.

·     UDP—Permits UDP.

Status

Status of the portal rule:

·     Active—The portal rule is effective.

·     Unactuated—The portal rule is not activated.

Source

Source information of the portal rule.

IP

Source IP address.

Mask

Subnet mask of the source IPv4 address.

Prefix length

Prefix length of the source IPv6 address.

Port

Source transport layer port number.

MAC

Source MAC address.

Interface

Layer 3 interface on which the portal rule is implemented.

VLAN

Source VLAN ID.

Protocol

Transport layer protocol of the portal redirect rule.

Destination

Destination information of the portal rule.

IP

Destination IP address.

Port

Destination transport layer port number.

Mask

Subnet mask of the destination IPv4 address.

Prefix length

Prefix length of the destination IPv6 address.

Author ACL

Authorized ACL assigned to authenticated portal users. This field is displayed only for a dynamic portal rule.

Pre-auth ACL

Authorized ACL assigned to preauthentication portal users. This field is displayed only for the Match pre-auth ACL action.

Number

Number of the authorized ACL. This field displays N/A if the AAA server does not assign an ACL.
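The rule listing above is what an auditor works from: static Permit rules with a wildcard source are what an unauthenticated client can reach (the portal-free destinations), the Redirect rule catches only TCP port 80, and everything else falls to the Deny rule, so a client that cannot resolve DNS or reach the portal server before authentication is a rule problem visible here. The following Python is an added example, not code from this reference or from H3C: it parses the output format shown above (IPv4 and IPv6, wired and AP forms) and evaluates a packet against the rules. It assumes that rules are matched in the order the device lists them with the first active match winning, which the reference does not state, and it ignores MAC, VLAN and source port. The sample text is constructed in the format of the output above.

```python
import ipaddress
import re

SAMPLE = """\
IPv4 portal rules on GigabitEthernet1/0/1:
Rule 1
 Type                : Static
 Action              : Permit
 Status              : Active
 Source:
    IP             : 0.0.0.0
    Mask           : 0.0.0.0
 Destination:
    IP             : 192.168.0.111
    Mask           : 255.255.255.255
Rule 2
 Type                : Dynamic
 Action              : Permit
 Status              : Active
 Source:
    IP             : 2.2.2.2
 Author ACL:
    Number         : 3001
Rule 3
 Type                : Static
 Action              : Redirect
 Status              : Active
 Source:
    IP             : 0.0.0.0
    Mask           : 0.0.0.0
    Protocol       : TCP
 Destination:
    IP             : 0.0.0.0
    Mask           : 0.0.0.0
    Port           : 80
Rule 4:
 Type                : Static
 Action              : Deny
 Status              : Active
 Source:
    IP             : 0.0.0.0
    Mask           : 0.0.0.0
 Destination:
    IP             : 0.0.0.0
    Mask           : 0.0.0.0
"""  # constructed sample in the format of "display portal rule" shown above, not a real capture

RULE = re.compile(r"^Rule (\d+):?\s*$")
FAMILY = re.compile(r"^(IPv4|IPv6) portal rules on \S+:$")
KV = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S.*?)\s*$")
SECTIONS = ("Source", "Destination", "Author ACL", "Pre-auth ACL")

def parse_portal_rules(text):
    """One dict per rule; the Source, Destination and ACL blocks become sub-dicts."""
    rules, family, cur, section = [], None, None, None
    for line in text.splitlines():
        if m := FAMILY.match(line):
            family, cur = m.group(1), None
        elif m := RULE.match(line):
            section, cur = None, {"number": int(m.group(1)), "family": family, **{s: {} for s in SECTIONS}}
            rules.append(cur)
        elif line.strip().rstrip(":") in SECTIONS:
            section = line.strip().rstrip(":")
        elif (m := KV.match(line)) and cur is not None:  # "Radio ID"/"SSID" lines precede Rule 1 and are skipped
            (cur[section] if section else cur)[m.group(1)] = m.group(2)
    return rules

def _net(block, family):  # IPv4: IP + Mask, IPv6: IP + Prefix length; None when the block has no IP
    if "IP" not in block:
        return None
    spec = f'{block["IP"]}/{block.get("Prefix length", 128)}' if family == "IPv6" else (block["IP"], block.get("Mask", "255.255.255.255"))
    return ipaddress.ip_network(spec, strict=False)

def matches(rule, src, dst, proto, dport):
    """Active rule vs. (src, dst, proto, dport). MAC, VLAN and source port are not checked."""
    if rule.get("Status") != "Active" or rule.get("Action") == "Match pre-auth ACL":
        return False  # the pre-auth decision lives in an ACL this output does not show
    for block, addr in (("Source", src), ("Destination", dst)):
        net = _net(rule[block], rule["family"])
        if net is not None and ipaddress.ip_address(addr) not in net:
            return False
    rp = (rule.get("Protocol") or rule["Source"].get("Protocol") or "Any").upper()  # permit rules: top level; redirect rules: under Source
    if rp not in ("ANY", proto.upper()):
        return False
    port = rule["Destination"].get("Port", "Any")
    return port == "Any" or int(port) == dport

def decide(rules, src, dst, proto, dport):
    """First active matching rule wins, in the listed order (an assumption of this example)."""
    for r in rules:
        if matches(r, src, dst, proto, dport):
            return r["number"], r["Action"]
    return None, "No match"

def pre_auth_reachable(rules):
    """Destinations any unauthenticated client can reach: static Permit rules with a wildcard source."""
    return [(str(_net(r["Destination"], r["family"])), r["Destination"].get("Port", "Any")) for r in rules
            if r.get("Type") == "Static" and r.get("Action") == "Permit"
            and (s := _net(r["Source"], r["family"])) is not None and s.prefixlen == 0]
```

With the sample, an unauthenticated client reaches only 192.168.0.111 (rule 1), a TCP/80 request to anything else is redirected (rule 3), and TCP/443 or UDP/53 to the outside is denied (rule 4); the authenticated host 2.2.2.2 passes on rule 2. Running pre_auth_reachable against a real listing shows the pre-authentication attack surface at a glance; every entry beyond the portal server and DNS deserves a justification.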

 

display portal safe-redirect statistics

Use display portal safe-redirect statistics to display portal safe-redirect packet statistics.

Syntax

Centralized devices in standalone mode:

display portal safe-redirect statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

display portal safe-redirect statistics [ slot slot-number ]

Distributed devices in IRF mode:

display portal safe-redirect statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display portal safe-redirect packet statistics.

<Sysname> display portal safe-redirect statistics

Redirect statistics:

  Success: 5

  Failure: 6

  Total: 11

 

Method statistics:

  Get: 6

  Post: 2

  Others: 3

 

User agent statistics:

Safari: 3

Chrome: 2

 

Forbidden URL statistics:

http://www.abc.com: 0

 

Forbidden filename extension statistics:

.jpg: 0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display portal safe-redirect packet statistics on the specified slot.

<Sysname> display portal safe-redirect statistics slot 1

Slot 1:

Redirect statistics:

  Success: 7

  Failure: 8

  Total  : 15

 

Method statistics:

  Get    : 11

  Post   : 1

  Others : 3

 

User agent statistics:

Safari: 3

Chrome: 2

 

Forbidden URL statistics:

www.qq.com: 4

 

Forbidden filename extension statistics:

.jpg: 0

# (Distributed devices in IRF mode.) Display portal safe-redirect packet statistics on chassis 1 slot 0.

<Sysname> display portal safe-redirect statistics chassis 1 slot 0

Slot 0 in chassis 1:

Redirect statistics:

  Success: 3

  Failure: 5

  Total  : 8

 

Method statistics:

  Get    : 11

  Post   : 3

  Others : 7

 

User agent statistics:

Safari: 3

Chrome: 2

 

Forbidden URL statistics:

http://www.abc.com: 0

 

Forbidden filename extension statistics:

.jpg: 1

Table 35 Command output

Field

Description

Success

Number of packets redirected successfully.

Failure

Number of packets that failed redirection.

Total

Total number of packets.

Method statistics

Statistics of HTTP request methods.

Get

Number of packets with the GET request method.

Post

Number of packets with the POST request method.

Others

Number of packets with other request methods.

User agent statistics

Browser types (matched against the HTTP User-Agent header) allowed by portal safe-redirect, and the number of packets from each browser type.

Forbidden URL statistics

URLs forbidden by portal safe-redirect, and statistics for packets dropped by forbidden URL filtering.

Forbidden filename extension statistics

Filename extensions forbidden by portal safe-redirect, and statistics for packets dropped by forbidden filename extension filtering.
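Portal safe-redirect decides which pre-authentication HTTP requests are hijacked to the portal page and which are dropped, and the statistics above are the trace of those decisions: redirecting a background POST, an image fetch or a non-browser client to the portal page breaks applications and teaches users to accept unexpected pages. The Python below is an added example, not code from this reference or from H3C. It models the filter over constructed request heads and produces counters in the same shape as the output above. The checks it applies (method, allowed browser in User-Agent, forbidden URL, forbidden filename extension), their order, the GET-only method policy and the policy values themselves are assumptions of the example; the reference only describes what the counters mean.

```python
from collections import Counter
from urllib.parse import urlsplit

# Policy knobs (assumed values for this example; the reference does not list the configured policy).
ALLOWED_METHODS = {"GET"}                 # only interactive page loads get the portal page
ALLOWED_AGENTS = ("Chrome", "Safari")     # substrings matched against User-Agent; Chrome's UA also contains "Safari", so order matters
FORBIDDEN_URLS = ("http://www.abc.com", "www.qq.com")
FORBIDDEN_EXTENSIONS = (".jpg",)

# Constructed HTTP/1.1 request heads, as the access device sees them before authentication.
REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0 Chrome/120.0\r\n\r\n",
    "POST /api/sync HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0 Chrome/120.0\r\nContent-Length: 0\r\n\r\n",
    "GET /logo.jpg HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0 Safari/605.1\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.qq.com\r\nUser-Agent: Mozilla/5.0 Safari/605.1\r\n\r\n",
    "GET /update.xml HTTP/1.1\r\nHost: updates.example.net\r\nUser-Agent: AppUpdater/2.1\r\n\r\n",
    "HEAD / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/8.0\r\n\r\n",
]

def parse_request(raw):
    """Return (method, host, path, user_agent) from a raw HTTP/1.x request head."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    parts = urlsplit(target)              # handles both origin-form "/x" and absolute-form "http://h/x"
    return method, parts.hostname or headers.get("host", ""), parts.path, headers.get("user-agent", "")

def new_stats():
    """Counters shaped like the display portal safe-redirect statistics output."""
    return {"redirect": Counter(), "method": Counter(), "user_agent": Counter(),
            "forbidden_url": Counter({u: 0 for u in FORBIDDEN_URLS}),
            "forbidden_ext": Counter({e: 0 for e in FORBIDDEN_EXTENSIONS})}

def classify(raw, stats):
    """Run the checks in an assumed order (method, User-Agent, URL, extension) and update stats.
    Returns "redirect" or the name of the check that stopped the redirect."""
    method, host, path, agent = parse_request(raw)
    stats["method"][method.capitalize() if method in ("GET", "POST") else "Others"] += 1
    outcome = "redirect"
    if method not in ALLOWED_METHODS:
        outcome = "method"
    elif not (browser := next((b for b in ALLOWED_AGENTS if b in agent), None)):
        outcome = "user-agent"            # non-browser client: never shown the portal page
    else:
        stats["user_agent"][browser] += 1
        url = host + path
        hit = next((u for u in FORBIDDEN_URLS if url.startswith(u.split("://", 1)[-1])), None)
        if hit:
            stats["forbidden_url"][hit] += 1
            outcome = "forbidden-url"
        elif ext := next((e for e in FORBIDDEN_EXTENSIONS if path.lower().endswith(e)), None):
            stats["forbidden_ext"][ext] += 1
            outcome = "forbidden-extension"
    stats["redirect"]["Success" if outcome == "redirect" else "Failure"] += 1
    stats["redirect"]["Total"] += 1
    return outcome

def run(requests):
    """Classify every request and return (stats, per-request outcomes)."""
    stats = new_stats()
    outcomes = [classify(r, stats) for r in requests]
    return stats, outcomes
```

On the six constructed requests only the first (a GET from an allowed browser to an ordinary page) is redirected; the POST and HEAD fail the method check, the updater fails the User-Agent check, and the image fetch and the www.qq.com request are dropped by the extension and URL filters, so the counters read Success 1, Failure 5, Total 6. When a real device shows a high Failure count with Get dominating Method statistics, compare User agent statistics with the client population first: a browser type missing from the allowed list shows up as failed redirects, not as a forbidden URL or extension hit.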

 

Related commands

reset portal safe-redirect statistics

display portal server

Use display portal server to display information about portal authentication servers.

Syntax

display portal server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal authentication servers.

Examples

# Display information about the portal authentication server pts.

<Sysname> display portal server pts

Portal server: pts

  Type                  : IMC

  IP                    : 192.168.0.111

  VPN instance          : vpn1

  Port                  : 50100

  Server detection      : Timeout 60s  Action: log

  User synchronization  : Timeout 200s

  Status                : Up

  Exclude-attribute     : Not configured

  Logout notification   : Retry 3 interval 5s

Table 36 Command output

Field

Description

Type

Portal authentication server type:

·     CMCC—CMCC server.

·     IMC—IMC server.

Portal server

Name of the portal authentication server.

IP

IP address of the portal authentication server.

VPN instance

MPLS L3VPN where the portal authentication server resides.

Port

Listening port on the portal authentication server.

Server detection

Parameters for portal authentication server detection:

·     Detection timeout in seconds.

·     Action (log) triggered by the reachability status change of the portal authentication server.

User synchronization

User idle timeout in seconds for portal user synchronization.

Status

Reachability status of the portal authentication server:

·     N/A—Portal authentication server detection is disabled. Reachability status of the server is unknown.

·     Up—Portal authentication server detection is enabled. The server is reachable.

·     Down—Portal authentication server detection is enabled. The server is unreachable.

Exclude-attribute

Attributes that are not carried in portal protocol packets sent to the portal authentication server.

Logout notification

Maximum number of times and the interval (in seconds) for retransmitting a logout notification packet.

 

Related commands

portal enable

portal server

server-detect (portal authentication server view)

user-sync

display portal user

Use display portal user to display information about portal users.

Syntax

display portal user { all | ap ap-name [ radio radio-id ] | auth-type { cloud | email | facebook | local | normal | qq | wechat } | interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address | mac mac-address | pre-auth [ interface interface-type interface-number | ip ipv4-address | ipv6 ipv6-address ] | username username } [ brief | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays information about all portal users.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio ID varies by device model. If you do not specify a radio, this command displays information about portal users for all radios of the AP.

The following matrix shows the ap ap-name [ radio radio-id ] option and hardware compatibility:

 

Hardware                                                                Option compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes

MSR810-LMS/810-LUS                                                      No

MSR2600-6-X1/2600-10-X1                                                 Yes

MSR 2630                                                                Yes

MSR3600-28/3600-51                                                      Yes

MSR3600-28-SI/3600-51-SI                                                No

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                          No

MSR 3610/3620/3620-DP/3640/3660                                         Yes

MSR5620/5660/5680                                                       No

 

auth-type: Specifies an authentication type.

cloud: Specifies the cloud authentication (a cloud portal authentication server performs portal authentication on portal users).

email: Specifies the email authentication.

facebook: Specifies the Facebook authentication.

local: Specifies the local authentication (a local portal authentication server performs portal authentication on portal users).

normal: Specifies the normal authentication (a remote portal authentication server performs portal authentication on portal users).

qq: Specifies QQ authentication.

wechat: Specifies WeChat authentication.

The following matrix shows the auth-type { cloud | email | facebook | local | normal | qq | wechat } option and hardware compatibility:

 

Hardware                                                                                  Option compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No

MSR2600-6-X1/2600-10-X1                                                                   Yes

MSR 2630                                                                                  Yes

MSR3600-28/3600-51                                                                        Yes

MSR3600-28-SI/3600-51-SI                                                                  Yes

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            Yes

MSR 3610/3620/3620-DP/3640/3660                                                           Yes

MSR5620/5660/5680                                                                         Yes

 

interface interface-type interface-number: Displays information about portal users on the specified interface.

ip ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

mac mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.

The following matrix shows the mac mac-address option and hardware compatibility:

 

Hardware                                                                                  Option compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No

MSR2600-6-X1/2600-10-X1                                                                   Yes

MSR 2630                                                                                  Yes

MSR3600-28/3600-51                                                                        Yes

MSR3600-28-SI/3600-51-SI                                                                  Yes

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            Yes

MSR 3610/3620/3620-DP/3640/3660                                                           Yes

MSR5620/5660/5680                                                                         Yes

 

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

The following matrix shows the username username option and hardware compatibility:

 

Hardware                                                                                  Option compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No

MSR2600-6-X1/2600-10-X1                                                                   Yes

MSR 2630                                                                                  Yes

MSR3600-28/3600-51                                                                        Yes

MSR3600-28-SI/3600-51-SI                                                                  Yes

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            Yes

MSR 3610/3620/3620-DP/3640/3660                                                           Yes

MSR5620/5660/5680                                                                         Yes

 

pre-auth: Displays information about preauthentication portal users. A preauthentication user is a user who is authorized with the authorization attributes in a preauthentication domain before portal authentication. If you do not specify the pre-auth keyword, this command displays information about authenticated portal users.

brief: Displays brief information about portal users.

verbose: Displays detailed information about portal users.

Usage guidelines

If you specify neither the brief nor the verbose keyword, this command displays portal authentication-related information for portal users.

Examples

# Display information about all portal users. (Wired application.)

<Sysname> display portal user all

Total portal users: 2

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            --     GigabitEthernet1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active)

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Username: def

  Portal server: pts

  State: Online

  VPN instance: vpn1

  MAC                IP                 VLAN   Interface

  000d-88f8-0eac     3.3.3.3            --     GigabitEthernet1/0/2

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    ACL number: 3000

    Inbound CAR: CIR 9000       bps PIR 20500      bps

                 CBS 20500      bit (active)

    Outbound CAR: CIR 9000       bps PIR 20400      bps

                  CBS 20400      bit (active)

# Display information about portal users that perform normal portal authentication. (Wired application.)

<Sysname> display portal user auth-type normal

Total normal users: 1

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            --     GigabitEthernet1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active)

    Session group profile: cd (inactive)

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

# Display information about the portal user whose MAC address is 000d-88f8-0eab. (Wired application.)

<Sysname> display portal user mac 000d-88f8-0eab

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            --     GigabitEthernet1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active)

    Session group profile: cd (inactive)

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

# Display information about the portal user whose username is abc. (Wired application.)

<Sysname> display portal user username abc

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            --     GigabitEthernet1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active)

    Session group profile: cd (inactive)

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Table 37 Command output

Field

Description

Total portal users

Total number of portal users.

Total normal users

Total number of portal users whose authentication type is normal authentication.

Total local users

Total number of portal users whose authentication type is local authentication.

Total email users

Total number of portal users whose authentication type is email authentication.

Total cloud users

Total number of portal users whose authentication type is cloud authentication.

Total QQ users

Total number of portal users whose authentication type is QQ authentication.

Total WeChat users

Total number of portal users whose authentication type is WeChat authentication.

Total Facebook users

Total number of portal users whose authentication type is Facebook authentication.

Username

Name of the user.

Portal server

Name of the portal authentication server.

State

Current state of the portal user:

·     Initialized—The user is initialized and ready for authentication.

·     Authenticating—The user is being authenticated.

·     Waiting SetRule—The user is waiting for authorization information.

·     Authorizing—The user is being authorized.

·     Online—The user is online.

·     Waiting Traffic—The last traffic of the user is to be collected.

·     Stop Accounting—Accounting for the user is stopped.

·     Done—The user goes offline successfully.

VPN instance

MPLS L3VPN the portal user belongs to. If the portal user is on a public network, this field displays N/A.

MAC

MAC address of the portal user.

IP

IP address of the portal user.

VLAN

VLAN where the portal user resides.

Interface

Access interface of the portal user.

Authorization information

Authorization information for the portal user.

DHCP IP pool

Name of the authorized IP address pool. If no IP address pool is authorized for the portal user, this field displays N/A.

User profile

Authorized user profile:

·     N/A—The AAA server authorizes no user profile.

·     active—The AAA server has authorized the user profile successfully.

·     inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device.

ACL number

Authorized ACL:

·     N/A—The AAA server authorizes no ACL.

·     active—The AAA server has authorized the ACL successfully.

·     inactive—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

Inbound CAR

Authorized inbound CAR information:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active—The AAA server has authorized the inbound CAR successfully.

·     inactive—The AAA server failed to authorize the inbound CAR.

If no inbound CAR is authorized, this field displays N/A.

Outbound CAR

Authorized outbound CAR information:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active—The AAA server has authorized the outbound CAR successfully.

·     inactive—The AAA server failed to authorize the outbound CAR.

If no outbound CAR is authorized, this field displays N/A.

 

# Display detailed information about the portal user with IP address 50.50.50.3. (Wired application.)

<Sysname> display portal user ip 50.50.50.3 verbose

Basic:

  Current IP address: 50.50.50.3

  Original IP address: 30.30.30.2

  Username: user1@hrss

  User ID: 0x28000002

  Access interface: eth3/2/2

  Service-VLAN/Customer-VLAN: -/-

  MAC address: 0000-0000-0001

  Authentication type: Normal

  Domain: hrss

  VPN instance: 123

  Status: Online

  Portal server: test

  Vendor: Apple

  Authentication type: Direct

AAA:

  Realtime accounting interval: 60s, retry times: 3

  Idle-cut: 180 sec, 10240 bytes

  Session duration: 500 sec, remaining: 300 sec

  Remaining traffic: 10240000 bytes

  Login time: 2014-01-19  2:42:3 UTC

  DHCP IP pool: abc

ACL&QoS&Multicast:

    Inbound CAR: CIR 9000 bps PIR 20500 bps

                 CBS 20500 bit (active)

    Outbound CAR: CIR 9000 bps PIR 20400 bps

                  CBS 20400 bit (active)

  ACL number: 3000 (inactive)

  User profile: portal (active)

  Max multicast addresses: 4

  Multicast address list: 1.2.3.1, 1.34.33.1, 3.123.123.3, 4.5.6.7
                          2.2.2.2, 3.3.3.3, 4.4.4.4

Traffic statistic:

  Uplink   packets/bytes: 7/546

  Downlink packets/bytes: 0/0

Dual-stack traffic statistics:

  IPv4 address: 50.50.50.3

            Uplink   packets/bytes: 3/200

            Downlink packets/bytes: 0/0

  IPv6 address: 2001::2

            Uplink   packets/bytes: 4/346

            Downlink packets/bytes: 0/0

Table 38 Command output

Field

Description

Current IP address

IP address of the portal user after passing authentication.

Original IP address

IP address of the portal user during authentication.

Username

Name of the portal user.

User ID

Portal user ID.

Access interface

Access interface of the portal user.

Service-VLAN/Customer-VLAN

Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.

MAC address

MAC address of the portal user.

Authentication type

Type of portal authentication:

·     Normal—Normal authentication.

·     Local—Local authentication.

·     Email—Email authentication.

·     Cloud—Cloud authentication.

·     QQ—QQ authentication.

·     WeChat—WeChat authentication.

·     Facebook—Facebook authentication.

Domain

ISP domain name for portal authentication.

VPN instance

MPLS L3VPN to which the portal user belongs. If the portal user is on a public network, this field displays N/A.

Status

Status of the portal user:

·     Authenticating—The user is being authenticated.

·     Authorizing—The user is being authorized.

·     Waiting SetRule—Deploying portal rules to the user.

·     Online—The user is online.

·     Waiting Traffic—Waiting for traffic from the user.

·     Stop Accounting—Stopping accounting for the user.

·     Done—The user is offline.

Portal server

Name of the portal server.

Vendor

Vendor name of the endpoint.

Authentication type

Authentication type on the access interface:

·     Direct—Direct authentication.

·     Re-Dhcp—Re-DHCP authentication.

·     Layer3—Cross-subnet authentication.

AAA

AAA information about the portal user.

Realtime accounting interval

Interval for sending real-time accounting updates, and the maximum number of accounting attempts. If the real-time accounting is not authorized, this field displays N/A.

Idle-cut

Idle timeout period and the minimum traffic threshold. If idle-cut is not authorized, this field displays N/A.

Session duration

Session duration and the remaining session time. If the session duration is not authorized, this field displays N/A.

Remaining traffic

Remaining traffic for the portal user. If the remaining traffic is not authorized, this field displays N/A.

Login time

Time when the user logged in. The field uses the device time format, for example, 2023-1-19  2:42:30 UTC.

DHCP IP pool

Authorized DHCP IP address pool. If no DHCP IP address pool is authorized for the portal user, this field displays N/A.

Inbound CAR

Authorized inbound CAR information:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active—The AAA server has authorized the inbound CAR successfully.

·     inactive—The AAA server failed to authorize the inbound CAR.

If no inbound CAR is authorized, this field displays N/A.

Outbound CAR

Authorized outbound CAR information:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active—The AAA server has authorized the outbound CAR successfully.

·     inactive—The AAA server failed to authorize the outbound CAR.

If no outbound CAR is authorized, this field displays N/A.

ACL number

Authorized ACL:

·     N/A—The AAA server authorizes no ACL.

·     active—The AAA server has authorized the ACL successfully.

·     inactive—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

User profile

Authorized user profile:

·     N/A—The AAA server authorizes no user profile.

·     active—The AAA server has authorized the user profile successfully.

·     inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device.

Max multicast addresses

Maximum number of multicast groups the portal user can join.

Multicast address list

Multicast group list the portal user can join. If no multicast group is authorized, this field displays N/A.

Traffic statistic

Traffic statistics for the portal user.

Uplink packets/bytes

Packet and byte statistics of the upstream traffic.

Downlink packets/bytes

Packet and byte statistics of the downstream traffic.

Dual-stack traffic statistics

IPv4 and IPv6 traffic statistics for the dual-stack user.

IPv4 address

IPv4 address of the portal user.

IPv6 address

IPv6 address of the portal user.

Uplink packets/bytes

Packet and byte statistics of the upstream traffic.

Downlink packets/bytes

Packet and byte statistics of the downstream traffic.
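The status markers in Tables 37 and 38 deserve attention during an audit: an authorization attribute shown as (inactive) means the AAA server authorized it but the device is not enforcing it, so an Online user holds network access without the ACL, user profile or CAR that the server intended. The Python script below is an added example and is not part of this H3C reference: it parses the default (non-brief) display portal user output shown above and lists online users with an unenforced attribute. The sample output is constructed, modelled on the wired example above (user def is copied from it; user ghi with an inactive ACL is added here), and the parser assumes the indentation the examples show.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the 'display portal user all' output above.
# User def is taken from that example; user ghi is added to show an ACL that the
# device reports as authorized but inactive.
SAMPLE_OUTPUT = """\
Total portal users: 2
Username: def
  Portal server: pts
  State: Online
  VPN instance: vpn1
  MAC                IP                 VLAN   Interface
  000d-88f8-0eac     3.3.3.3            --     GigabitEthernet1/0/2
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    ACL number: 3000
    Inbound CAR: CIR 9000       bps PIR 20500      bps
                 CBS 20500      bit (active)
    Outbound CAR: CIR 9000       bps PIR 20400      bps
                  CBS 20400      bit (active)
Username: ghi
  Portal server: pts
  State: Online
  VPN instance: N/A
  MAC                IP                 VLAN   Interface
  000d-88f8-0ead     4.4.4.4            --     GigabitEthernet1/0/3
  Authorization information:
    DHCP IP pool: N/A
    User profile: N/A
    ACL number: 3001 (inactive)
    Inbound CAR: N/A
    Outbound CAR: N/A
"""

# Authorization attributes are indented four spaces; wrapped CAR values
# continue on more deeply indented lines. Per-user fields use two spaces.
ATTR_RE = re.compile(r"^ {4}([A-Za-z][A-Za-z ]*?): ?(.*)$")
KV_RE = re.compile(r"^ {2}([A-Za-z][A-Za-z ]*?): (.*)$")


@dataclass
class PortalUser:
    username: str
    state: str = ""
    vpn_instance: str = ""
    mac: str = ""
    ip: str = ""
    vlan: str = ""
    interface: str = ""
    authorization: Dict[str, str] = field(default_factory=dict)


def parse_portal_users(text: str) -> List[PortalUser]:
    """Split the multi-user output into PortalUser records."""
    users: List[PortalUser] = []
    current: Optional[PortalUser] = None
    current_attr: Optional[str] = None
    expect_row = False
    for line in text.splitlines():
        if line.startswith("Username: "):
            current = PortalUser(username=line[len("Username: "):].strip())
            users.append(current)
            current_attr = None
            continue
        if current is None:
            continue  # 'Total portal users' and similar header lines
        if expect_row:  # data row under the MAC/IP/VLAN/Interface header
            cols = line.split()
            if len(cols) == 4:
                current.mac, current.ip, current.vlan, current.interface = cols
            expect_row = False
            continue
        if line.split() == ["MAC", "IP", "VLAN", "Interface"]:
            expect_row = True
            continue
        m = ATTR_RE.match(line)
        if m:
            current_attr = m.group(1)
            current.authorization[current_attr] = m.group(2).strip()
            continue
        if current_attr and line.startswith("     "):  # wrapped CAR value
            current.authorization[current_attr] += " " + line.strip()
            continue
        current_attr = None
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "State":
                current.state = value
            elif key == "VPN instance":
                current.vpn_instance = value
    return users


def attribute_status(value: str) -> str:
    """Map the device's rendering of an authorization attribute to a status."""
    if value == "N/A":
        return "none"       # the AAA server authorized nothing here
    if "(inactive)" in value:
        return "inactive"   # authorized, but not enforced by the device
    if "(active)" in value:
        return "active"
    return "unknown"        # shown without a status marker


def unenforced_authorization(users: List[PortalUser]) -> List[Tuple[str, str, str, str]]:
    """Online users holding access without an attribute AAA meant to apply."""
    findings = []
    for u in users:
        if u.state != "Online":
            continue
        for name, value in u.authorization.items():
            if attribute_status(value) == "inactive":
                findings.append((u.username, u.ip, name, value))
    return findings
```

Run it against a captured `display portal user all` and review every finding: a user whose ACL or user profile is inactive should be forced offline (portal delete-user) or have the missing ACL or profile created on the device before being allowed to stay.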

 

# Display brief information about all portal users. (Wired application.)

<Sysname> display portal user all brief

IP address       MAC address       Online duration       Username

2.2.2.2          000d-88f8-0eab    1:53:7                abc

3.3.3.3          000d-88f8-0eac    1:53:7                def

Table 39 Command output

Field            Description
IP address       IP address of the portal user.
MAC address      MAC address of the portal user.
Online duration  Online duration of the portal user, in hh:mm:ss.
Username         Username of the portal user.

 

# Display information about all portal users. (Wireless application.)

<Sysname> display portal user all

Total portal users: 1

Username: def

  AP name: ap1

  Radio ID: 1

  SSID: portal

  Portal server: pts

  State: Online

  VPN instance: vpn1

  MAC                IP                 VLAN   Interface

  000d-88f8-0eac     4.4.4.4            2     Bss1/2

  Authorization information:

    DHCP IP pool: N/A

    User profile: N/A

    ACL number: 3000

    Inbound CAR: CIR 9000 bps PIR 20500 bps

                 CBS 20500 bit (active)

    Outbound CAR: CIR 9000 bps PIR 20400 bps

                  CBS 20400 bit (active)

# Display information about portal users that perform normal authentication. (Wireless application.)

<Sysname> display portal user auth-type normal

Total normal users: 1

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active)

    Session group profile: cd (inactive)

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

# Display information about the portal user whose MAC address is 000d-88f8-0eab. (Wireless application.)

<Sysname> display portal user mac 000d-88f8-0eab

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active)

    Session group profile: cd (inactive)

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

# Display information about the portal user whose username is abc. (Wireless application.)

<Sysname> display portal user username abc

Username: abc

  Portal server: pts

  State: Online

  VPN instance: N/A

  MAC                IP                 VLAN   Interface

  000d-88f8-0eab     2.2.2.2            2      WLAN-BSS1/0/1

  Authorization information:

    DHCP IP pool: N/A

    User profile: abc (active)

    Session group profile: cd (inactive)

    ACL number: N/A

    Inbound CAR: N/A

    Outbound CAR: N/A

Table 40 Command output

Field

Description

Total portal users

Total number of portal users.

Total normal users

Total number of portal users whose authentication type is normal authentication.

Total local users

Total number of portal users whose authentication type is local authentication.

Total email users

Total number of portal users whose authentication type is email authentication.

Total cloud users

Total number of portal users whose authentication type is cloud authentication.

Total QQ users

Total number of portal users whose authentication type is QQ authentication.

Total WeChat users

Total number of portal users whose authentication type is WeChat authentication.

Total Facebook users

Total number of portal users whose authentication type is Facebook authentication.

Username

Name of the user.

AP name

Name of the AP.

Radio ID

ID of the radio.

SSID

Service set identifier.

Portal server

Name of the portal authentication server.

State

Current state of the portal user:

·     Initialized—The user is initialized and ready for authentication.

·     Authenticating—The user is being authenticated.

·     Waiting SetRule—The user is waiting for authorization information.

·     Authorizing—The user is being authorized.

·     Online—The user is online.

·     Waiting Traffic—The last traffic of the user is to be collected.

·     Stop Accounting—Accounting for the user is stopped.

·     Done—The user goes offline successfully.

VPN instance

MPLS L3VPN the portal user belongs to. If the portal user is on a public network, this field displays N/A.

MAC

MAC address of the portal user.

IP

IP address of the portal user.

VLAN

VLAN where the portal user resides.

Interface

Access interface of the portal user.

Authorization information

Authorization information for the portal user.

DHCP IP pool

Name of the authorized IP address pool. If no IP address pool is authorized for the portal user, this field displays N/A.

User profile

Authorized user profile:

·     N/A—The AAA server authorizes no user profile.

·     active—The AAA server has authorized the user profile successfully.

·     inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device.

ACL number

Authorized ACL:

·     N/A—The AAA server authorizes no ACL.

·     active—The AAA server has authorized the ACL successfully.

·     inactive—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

Inbound CAR

Authorized inbound CAR information:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active—The AAA server has authorized the inbound CAR successfully.

·     inactive—The AAA server failed to authorize the inbound CAR.

If no inbound CAR is authorized, this field displays N/A.

Outbound CAR

Authorized outbound CAR information:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active—The AAA server has authorized the outbound CAR successfully.

·     inactive—The AAA server failed to authorize the outbound CAR.

If no outbound CAR is authorized, this field displays N/A.

 

# Display detailed information about the portal user whose IP address is 18.18.0.20. (Wireless application.)

<Sysname> display portal user ip 18.18.0.20 verbose

Basic:

  AP name: ap1

  Radio ID: 1

  SSID: portal

  Current IP address: 18.18.0.20

  Original IP address: 18.18.0.20

  Username: chap1

  User ID: 0x10000001

  Access interface: WLAN-BSS1/0/1

  Service-VLAN/Customer-VLAN: 50/-

  MAC address: 7854-2e1c-c59e

  Authentication type: Normal

  Domain: portal

  VPN instance: N/A

  Status: Online

  Portal server: pt

  Vendor: Apple

  Authentication type: Direct

AAA:

  Realtime accounting interval: 720s, retry times: 5

  Idle-cut: N/A

  Session duration: 0 sec, remaining: 0 sec

  Remaining traffic: N/A

  Online duration (hh:mm:ss): 1:53:7

  Login time: 2014-12-25 10:47:53 UTC

  DHCP IP pool: N/A

ACL&QoS&Multicast:

  Inbound CAR: N/A

  Outbound CAR: N/A

  ACL number: N/A

  User profile: N/A

  Max multicast addresses: 4

Traffic statistic:

  Uplink packets/bytes: 6/412

  Downlink packets/bytes: 0/0

Dual-stack traffic statistics:

  IPv4 address: 18.18.0.20

            Uplink   packets/bytes: 3/200

            Downlink packets/bytes: 0/0

  IPv6 address: 2001::2

            Uplink   packets/bytes: 3/212

            Downlink packets/bytes: 0/0

Table 41 Command output

Field

Description

AP name

Name of the AP.

Radio ID

Radio ID.

SSID

Service set identifier.

Current IP address

IP address of the portal user after passing authentication.

Original IP address

IP address of the portal user during authentication.

Username

Name of the portal user.

User ID

Portal user ID.

Access interface

Access interface of the portal user.

Service-VLAN/Customer-VLAN

Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.

MAC address

MAC address of the portal user.

Authentication type

Type of portal authentication:

·     Normal—Normal authentication.

·     Local—Local authentication.

·     Email—Email authentication.

·     Cloud—Cloud authentication.

·     QQ—QQ authentication.

·     WeChat—WeChat authentication.

·     Facebook—Facebook authentication.

Domain

ISP domain name for portal authentication.

VPN instance

MPLS L3VPN to which the portal user belongs. If the portal user is on a public network, this field displays N/A.

Status

Status of the portal user:

·     Authenticating—The user is being authenticated.

·     Authorizing—The user is being authorized.

·     Waiting SetRule—Deploying portal rules to the user.

·     Online—The user is online.

·     Waiting Traffic—Waiting for traffic from the user.

·     Stop Accounting—Stopping accounting for the user.

·     Done—The user is offline.

Portal server

Name of the portal server.

Vendor

Vendor name of the endpoint.

Authentication type

Type of authentication enabled on the access interface:

·     Direct—Direct authentication.

·     Re-Dhcp—Re-DHCP authentication.

·     Layer3—Cross-subnet authentication.

AAA

AAA information about the portal user.

Realtime accounting interval

Interval for sending real-time accounting updates, and the maximum number of accounting attempts. If the real-time accounting is not authorized, this field displays N/A.

Idle-cut

Idle timeout period and the minimum traffic threshold. If idle-cut is not authorized, this field displays N/A.

Session duration

Session duration and the remaining session time. If the session duration is not authorized, this field displays N/A.

Remaining traffic

Remaining traffic for the portal user. If the remaining traffic is not authorized, this field displays N/A.

Login time

Time when the user logged in. The field uses the device time format, for example, 2023-1-19  2:42:30 UTC.

Online duration (hh:mm:ss)

User online duration (hh:mm:ss).

DHCP IP pool

Authorized DHCP IP address pool. If no DHCP IP address pool is authorized for the portal user, this field displays N/A.

Inbound CAR

Authorized inbound CAR information:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active—The AAA server has authorized the inbound CAR successfully.

·     inactive—The AAA server failed to authorize the inbound CAR.

If no inbound CAR is authorized, this field displays N/A.

Outbound CAR

Authorized outbound CAR information:

·     CIR—Committed information rate in bps.

·     PIR—Peak information rate in bps.

·     CBS—Committed burst size in bits.

·     active—The AAA server has authorized the outbound CAR successfully.

·     inactive—The AAA server failed to authorize the outbound CAR.

If no outbound CAR is authorized, this field displays N/A.

ACL number

Authorized ACL:

·     N/A—The AAA server authorizes no ACL.

·     active—The AAA server has authorized the ACL successfully.

·     inactive—The AAA server failed to authorize the ACL or the ACL does not exist on the device.

User profile

Authorized user profile:

·     N/A—The AAA server authorizes no user profile.

·     active—The AAA server has authorized the user profile successfully.

·     inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device.

Max multicast addresses

Maximum number of multicast groups the portal user can join.

Multicast address list

Multicast group list the portal user can join. If no multicast group is authorized, this field displays N/A.

Traffic statistic

Traffic statistics for the portal user.

Uplink packets/bytes

Packet and byte statistics of the upstream traffic.

Downlink packets/bytes

Packet and byte statistics of the downstream traffic.

Dual-stack traffic statistics

IPv4 and IPv6 traffic statistics for the dual-stack portal user.

IPv4 address

IPv4 address of the portal user.

IPv6 address

IPv6 address of the portal user.

Uplink packets/bytes

Packet and byte statistics of the upstream traffic.

Downlink packets/bytes

Packet and byte statistics of the downstream traffic.

 

# Display brief information about all portal users. (Wireless application.)

<Sysname> display portal user all brief

IP address       MAC address       Online duration       Username

4.4.4.4          000d-88f8-0eac    1:53:7                def

Table 42 Command output

Field            Description
IP address       IP address of the portal user.
MAC address      MAC address of the portal user.
Online duration  Online duration of the portal user, in hh:mm:ss.
Username         Username of the portal user.

 

Related commands

portal enable

display portal user count

Use display portal user count to display the number of portal users.

Syntax

display portal user count

Views

Any view

Predefined user roles

network-admin

Examples

# Display the number of portal users.

<Sysname> display portal user count

Total number of users: 1

Related commands

portal enable

portal delete-user

display portal web-server

Use display portal web-server to display information about portal Web servers.

Syntax

display portal web-server [ server-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify the server-name argument, this command displays information about all portal Web servers.

Examples

# Display information about portal Web server wbs.

<Sysname> display portal web-server wbs

Portal Web server: wbs

    Type: IMC

    URL: http://www.test.com/portal

    URL parameters: userurl=http://www.test.com/welcome

                    userip=source-address

    VPN instance: Not configured

    Server detection: Interval: 120s  Attempts: 5  Action: log

    IPv4 status: Up

    IPv6 status: Up

    Captive-bypass Enabled

    If-match original-url: http://2.2.2.2, redirect-url: http://192.168.56.2
             original-url: http://1.1.1.1, temp-pass redirect-url: http://192.168.1.1

Table 43 Command output

Field

Description

Portal Web server

Name of the portal Web server.

Type

Portal Web server type:

·     CMCC—CMCC server.

·     IMC—IMC server.

URL

URL of the portal Web server.

URL parameters

URL parameters for the portal Web server.

VPN instance

Name of the MPLS L3VPN where the portal Web server resides.

Server detection

Parameters for portal Web server detection:

·     Detection interval in seconds.

·     Maximum number of detection attempts.

·     Action (log) triggered by the reachability status change of the portal Web server.

IPv4/IPv6 status

Current state of the portal Web server:

·     Up—This value indicates one of the following conditions:

¡     Portal Web server detection is disabled.

¡     Portal Web server detection is enabled and the server is reachable.

·     Down—Portal Web server detection is enabled and the server is unreachable.

Captive-bypass

Status of the captive-bypass feature:

·     Disabled—Captive-bypass is disabled.

·     Enabled—Captive-bypass is enabled.

·     Optimize Enabled—Optimized captive-bypass is enabled.

If-match

Match rules configured for URL redirection and temporary pass.

 

Related commands

portal enable

portal web-server

server-detect (portal Web server view)

display web-redirect rule

Use display web-redirect rule to display information about Web redirect rules.

Syntax

Centralized devices in standalone mode:

display web-redirect rule { ap ap-name [ radio radio-id ] | interface interface-type interface-number }

Distributed devices in standalone mode/centralized devices in IRF mode:

display web-redirect rule { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ slot slot-number ] }

Distributed devices in IRF mode:

display web-redirect rule { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ chassis chassis-number slot slot-number ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).

radio radio-id: Specifies a radio by its ID. The value range for the radio ID varies by device model. If you do not specify a radio, this command displays Web redirect rules for all radios of the AP.

The following matrix shows the ap ap-name [ radio radio-id ] option and hardware compatibility:

Option compatibility  Hardware
Yes                   MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK
No                    MSR810-LMS/810-LUS
Yes                   MSR2600-6-X1/2600-10-X1
Yes                   MSR 2630
Yes                   MSR3600-28/3600-51
No                    MSR3600-28-SI/3600-51-SI
No                    MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC
Yes                   MSR 3610/3620/3620-DP/3640/3660
No                    MSR5620/5660/5680

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays Web redirect rules for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays Web redirect rules for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays Web redirect rules for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display all Web redirect rules on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> display web-redirect rule interface gigabitethernet 1/0/1

IPv4 web-redirect rules on GigabitEthernet1/0/1:

Rule 1:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 192.168.2.114

    VLAN           : Any

 

Rule 2:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

 

IPv6 web-redirect rules on GigabitEthernet1/0/1:

Rule 1:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

# Display all Web redirect rules on AP ap1. (Wireless application.)

<Sysname> display web-redirect rule ap ap1

IPv4 web-redirect rules on ap1:

Radio ID: 1

SSID     : portal

Rule 1:

 Type                : Dynamic

 Action              : Permit

 Status              : Active

 Source:

    IP             : 192.168.2.114

    VLAN           : Any

 

Rule 2:

 Type                : Static

 Action              : Redirect

 Status              : Active

 Source:

    VLAN           : Any

    Protocol       : TCP

 Destination:

    Port           : 80

Table 44 Command output

Field

Description

Rule

Number of the Web redirect rule.

Type

Type of the Web redirect rule:

·     Static—Static Web redirect rule, generated when the Web redirect feature takes effect.

·     Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.

Action

Action in the Web redirect rule:

·     Permit—Allows packets to pass.

·     Redirect—Redirects the packets.

Status

Status of the Web redirect rule:

·     Active—The Web redirect rule is effective.

·     Inactive—The Web redirect rule is not effective.

Source

Source information in the Web redirect rule.

IP

Source IP address.

Mask

Subnet mask of the source IPv4 address.

Prefix length

Prefix length of the source IPv6 address.

VLAN

Source VLAN. If not specified, this field displays Any.

Protocol

Transport layer protocol in the Web redirect rule:

·     Any—No transport layer protocol is limited.

·     TCP—Transmission Control Protocol.

Destination

Destination information in the Web redirect rule.

Port

Destination transport layer port number. The default port number is 80.

 

exclude-attribute (MAC binding server view)

Use exclude-attribute to exclude an attribute from the portal protocol packets that the device sends to the portal authentication server.

Use undo exclude-attribute to stop excluding an attribute, so that the device sends it again.

Syntax

exclude-attribute attribute-number

undo exclude-attribute attribute-number

Default

No attributes are excluded from portal protocol packets.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

attribute-number: Specifies an attribute by its number in the range of 1 to 255.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. During MAC-trigger authentication, the device and the server cannot communicate if the device sends the portal authentication server a packet that contains an attribute unsupported by the server.

To address this issue, you can configure this command to exclude the unsupported attributes from portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes.

Table 45 describes all attributes of the portal protocol.

Table 45 Portal attributes

Name            Number  Description
UserName        1       Name of the user to be authenticated.
PassWord        2       User password in plaintext form (PAP). Prefer CHAP where the portal authentication server supports it, because this attribute exposes the password to anyone who can read the portal packets.
Challenge       3       Random challenge for CHAP authentication.
ChapPassWord    4       CHAP password, an MD5 digest of the password and the challenge (a hash, not reversible encryption).
TextInfo        5       The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server.
                        The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.
UpLinkFlux      6       Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.
DownLinkFlux    7       Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.
Port            8       Port information, a string excluding the end character '\0'.
IP-Config       9       This attribute has different meanings in different types of packets:
                        ·     The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP.
                        ·     The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.
BAS-IP          10      IP address of the access device. For re-DHCP portal authentication, the value of this attribute is the public IP address of the access device.
Session-ID      11      Identification of a portal user. Generally, the value of this attribute is the MAC address of the portal user.
Delay-Time      12      Delay time for sending a packet. This attribute exists in NTF_LOGOUT (Type=0x08) packets.
User-List       13      List of IP addresses of an IPv4 portal user.
EAP-Message     14      An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet.
User-Notify     15      Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently.
BAS-IPv6        100     IPv6 address of the access device.
UserIPv6-List   101     List of IPv6 addresses of an IPv6 portal user.

 

Examples

# Exclude the BAS-IP attribute (number 10) from portal packets sent to MAC binding server 123.

<Sysname> system-view

[Sysname] portal mac-trigger-server 123

[Sysname-portal-mac-trigger-server-123] exclude-attribute 10

exclude-attribute (portal authentication server view)

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute number { ack-auth | ack-logout | ntf-logout }

undo exclude-attribute number { ack-auth | ack-logout | ntf-logout }

Default

No attributes are excluded from portal protocol packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

number: Specifies an attribute by its number in the range of 1 to 255.

ack-auth: Excludes the attribute from ACK_AUTH packets.

ack-logout: Excludes the attribute from ACK_LOGOUT packets.

ntf-logout: Excludes the attribute from NTF_LOGOUT packets.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.

To address this issue, you can configure this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).

Table 46 describes all attributes of the portal protocol.

Table 46 Portal attributes

Name            Number  Description
UserName        1       Name of the user to be authenticated.
PassWord        2       User password in plaintext form (PAP). Prefer CHAP where the portal authentication server supports it, because this attribute exposes the password to anyone who can read the portal packets.
Challenge       3       Random challenge for CHAP authentication.
ChapPassWord    4       CHAP password, an MD5 digest of the password and the challenge (a hash, not reversible encryption).
TextInfo        5       The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server.
                        The attribute value can be any string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.
UpLinkFlux      6       Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.
DownLinkFlux    7       Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.
Port            8       Port information, a string excluding the end character '\0'.
IP-Config       9       This attribute has different meanings in different types of packets:
                        ·     The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP.
                        ·     The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.
BAS-IP          10      IP address of the access device. For re-DHCP portal authentication, the value of this attribute is the public IP address of the access device.
Session-ID      11      Identification of a portal user. Generally, the value of this attribute is the MAC address of the portal user.
Delay-Time      12      Delay time for sending a packet. This attribute exists in NTF_LOGOUT (Type=0x08) packets.
User-List       13      List of IP addresses of an IPv4 portal user.
EAP-Message     14      An EAP attribute that needs to be transported transparently. This attribute is applicable to EAP TLS authentication. Multiple EAP-Message attributes can exist in a portal authentication packet.
User-Notify     15      Value of the hw_User_Notify attribute in a RADIUS accounting response. This attribute needs to be transported transparently.
BAS-IPv6        100     IPv6 address of the access device.
UserIPv6-List   101     List of IPv6 addresses of an IPv6 portal user.

 

Examples

# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] exclude-attribute 6 ack-auth
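The following added example (editor's illustration, not H3C code) models what both forms of exclude-attribute change on the wire: the MAC binding server form drops an attribute from every packet, the portal authentication server form drops it only from the named packet types, and a server that rejects unknown attributes stops parsing the moment it meets one. The attribute numbers are the ones from the table above; the TLV layout (1-byte number, 1-byte length covering number, length and value) is an assumption made for illustration, because the reference does not specify the encoding. The attribute values are constructed.

```python
"""Added example (not H3C code): what exclude-attribute changes on the wire.

The attribute numbers are the ones from the portal attribute table above.
The TLV layout (1-byte number, 1-byte length covering number, length and
value, then the value) is an assumption made for illustration; the page
does not specify the encoding.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Attribute numbers from the table.
USERNAME, PASSWORD, TEXTINFO, UPLINKFLUX, DOWNLINKFLUX = 1, 2, 5, 6, 7
BAS_IP, SESSION_ID, DELAY_TIME, BAS_IPV6 = 10, 11, 12, 100

# Packet types named by the portal-authentication-server form of the command.
ACK_AUTH, ACK_LOGOUT, NTF_LOGOUT = "ack-auth", "ack-logout", "ntf-logout"

Attr = Tuple[int, bytes]


def encode_attrs(attrs: List[Attr]) -> bytes:
    """Serialise (number, value) pairs as TLVs (assumed layout)."""
    out = bytearray()
    for num, value in attrs:
        if not 1 <= num <= 255 or len(value) > 253:
            raise ValueError(f"bad attribute {num}")
        out += bytes([num, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(blob: bytes, supported: Iterable[int]) -> List[Attr]:
    """Strict decoder standing in for a portal server: an attribute number it
    does not support aborts parsing, which is the failure mode the command
    exists to avoid (the device and server then cannot communicate)."""
    supported = set(supported)
    attrs: List[Attr] = []
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated TLV header")
        num, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {num}")
        if num not in supported:
            raise ValueError(f"unsupported attribute {num}")
        attrs.append((num, blob[i + 2:i + length]))
        i += length
    return attrs


def apply_exclusions(pkt_type: str, attrs: List[Attr],
                     global_excl: Set[int],
                     per_type_excl: Dict[str, Set[int]]) -> List[Attr]:
    """global_excl models the MAC binding server form (every packet);
    per_type_excl models the portal server form ({packet type: numbers})."""
    drop = set(global_excl) | per_type_excl.get(pkt_type, set())
    return [(n, v) for n, v in attrs if n not in drop]


def demo() -> Tuple[str, List[int]]:
    """Constructed ACK_AUTH attribute list sent to a server that only
    understands UserName, PassWord, TextInfo and Session-ID."""
    ack_auth: List[Attr] = [
        (USERNAME, b"alice"),
        (UPLINKFLUX, (4096).to_bytes(8, "big")),
        (BAS_IP, bytes([192, 168, 0, 1])),
        (SESSION_ID, bytes.fromhex("001122334455")),
    ]
    server_supports = {USERNAME, PASSWORD, TEXTINFO, SESSION_ID}
    try:
        decode_attrs(encode_attrs(ack_auth), server_supports)
        before = "accepted"
    except ValueError as err:
        before = f"rejected: {err}"
    # exclude-attribute 10 (MAC binding server view) and
    # exclude-attribute 6 ack-auth (portal authentication server view)
    trimmed = apply_exclusions(ACK_AUTH, ack_auth,
                               global_excl={BAS_IP},
                               per_type_excl={ACK_AUTH: {UPLINKFLUX}})
    after = decode_attrs(encode_attrs(trimmed), server_supports)
    return before, [num for num, _ in after]


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the untrimmed packet being rejected at attribute 6 and the trimmed packet decoding to attributes 1 and 11 only. When a server rejects portal packets, compare its supported attribute list against this table before excluding anything; excluding an attribute the server actually needs (Session-ID, for example) fails just as silently as sending one it does not support.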

Related commands

display portal server

free-traffic threshold

Use free-traffic threshold to set the free-traffic threshold for portal users.

Use undo free-traffic threshold to restore the default.

Syntax

free-traffic threshold value

undo free-traffic threshold

Default

The free-traffic threshold is 0 bytes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers MAC-based quick portal authentication for a user once the user's traffic is detected.

Usage guidelines

After MAC-based quick portal authentication is configured, the device monitors a user's network traffic (sent and received) in real time before the MAC-trigger entry for the user ages out. A user can access the network without authentication if the user's network traffic is below the free-traffic threshold. When the user's network traffic reaches the threshold, the device triggers MAC-based quick portal authentication for the user.

If the user passes portal authentication, the device deletes the MAC-trigger entry and clears the user traffic statistics. If the user fails authentication, the device does not trigger MAC-based quick authentication for the user before the MAC-trigger entry ages out. When the MAC-trigger entry ages out, the device clears the user traffic statistics.

When traffic is detected from the user again, the device re-creates a MAC-trigger entry for the user and repeats the previous procedure.

In wireless networks where APs are configured to forward client data traffic, APs report traffic statistics to the AC at a regular interval. The AC can determine whether a user's traffic exceeds the free-traffic threshold only after receiving the traffic statistics report from the associated AP, so a user can send up to one reporting interval's worth of traffic beyond the threshold before authentication is triggered. To set the interval for APs to report traffic statistics to the AC, use the portal client-traffic-report interval command.

Examples

# Set the free-traffic threshold for portal users to 10240 bytes.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] free-traffic threshold 10240
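The usage guidelines above describe a small state machine: an entry is created on first traffic, traffic accumulates until the threshold, authentication is triggered once, a failure suppresses further triggers until aging, and aging clears the statistics. The following added example (editor's illustration, not H3C code) implements that lifecycle driven by periodic traffic reports, the way an AC learns about client traffic from an AP. MAC addresses, byte counts and timestamps are constructed, and the aging time is shortened to keep the scenario readable.

```python
"""Added example (not H3C code): the MAC-trigger entry lifecycle that the
free-traffic threshold controls, driven by periodic traffic reports such
as an AP sends to the AC. MAC addresses, byte counts and timestamps are
constructed; the aging time is shortened to keep the scenario readable."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class MacTriggerEntry:
    mac: str
    created_at: float
    traffic: int = 0           # sent + received bytes since the entry was created
    auth_failed: bool = False  # set on a failed quick authentication


class MacTriggerServer:
    def __init__(self, threshold: int, aging_time: float,
                 auth_fn: Callable[[str], bool]):
        self.threshold = threshold      # free-traffic threshold, bytes
        self.aging_time = aging_time    # MAC-trigger entry aging time, seconds
        self.auth_fn = auth_fn          # portal authentication outcome for a MAC
        self.entries: Dict[str, MacTriggerEntry] = {}
        self.online: Set[str] = set()   # users who passed authentication
        self.log: List[str] = []

    def _age_out(self, now: float) -> None:
        expired = [m for m, e in self.entries.items()
                   if now - e.created_at >= self.aging_time]
        for mac in expired:
            del self.entries[mac]       # aging clears the entry and its statistics
            self.log.append(f"{mac}: entry aged out")

    def report(self, now: float, mac: str, nbytes: int) -> str:
        """Process one traffic report and return the resulting decision."""
        self._age_out(now)
        if mac in self.online:
            return "online"
        entry = self.entries.get(mac)
        if entry is None:
            entry = self.entries[mac] = MacTriggerEntry(mac, now)
            self.log.append(f"{mac}: entry created")
        entry.traffic += nbytes
        if entry.auth_failed:
            # No new trigger until the entry ages out.
            return "free-pass (auth failed, waiting for aging)"
        if entry.traffic < self.threshold:
            return "free-pass"
        # Threshold reached; with threshold 0 this fires on the first report.
        if self.auth_fn(mac):
            del self.entries[mac]       # pass: delete entry, clear statistics
            self.online.add(mac)
            self.log.append(f"{mac}: authenticated at {entry.traffic} bytes")
            return "authenticated"
        entry.auth_failed = True
        self.log.append(f"{mac}: authentication failed")
        return "auth-failed"


def demo() -> List[str]:
    """Two constructed clients: :01 passes authentication, :02 fails."""
    good = {"00:11:22:33:44:01"}
    srv = MacTriggerServer(threshold=10240, aging_time=60.0,
                           auth_fn=lambda mac: mac in good)
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    reports = [(0, a, 4000), (0, b, 5000), (10, a, 4000), (10, b, 6000),
               (20, a, 3000), (20, b, 5000), (30, a, 500), (70, b, 100)]
    return [srv.report(t, mac, n) for t, mac, n in reports]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The log records the byte count at which authentication fired (11000 for a threshold of 10240): because reports arrive in batches, the threshold is a trigger point, not a hard cap on unauthenticated traffic. Note also that the failed client keeps passing traffic for the rest of the aging period, so a long aging time combined with a large threshold is effectively free access for anyone willing to fail authentication once.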

Related commands

display portal mac-trigger-server

if-match

Use if-match to configure a match rule for URL redirection.

Use undo if-match to delete a URL redirection match rule.

Syntax

if-match { original-url url-string redirect-url url-string [ url-param-encryption { aes | des } key { cipher | simple } string ] | user-agent user-agent redirect-url url-string }

undo if-match { original-url url-string | user-agent user-agent }

Default

No URL redirection match rules exist.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in HTTP or HTTPS requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

redirect-url url-string: Specifies the URL to which the user is redirected. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

url-param-encryption: Specifies an encryption algorithm to encrypt the parameters carried in the redirection URL. If you do not specify an encryption algorithm, the parameters carried in the redirection URL are not encrypted.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm. DES uses a 56-bit key and is no longer considered secure; use aes unless the portal Web server supports only des.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

·     If des cipher is specified, the string length is 41 characters.

·     If des simple is specified, the string length is 8 characters.

·     If aes cipher is specified, the string length is 1 to 73 characters.

·     If aes simple is specified, the string length is 1 to 31 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP/HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

Usage guidelines

A URL redirection match rule matches HTTP or HTTPS requests by user-requested URL or User-Agent information, and redirects the matching HTTP or HTTPS requests to the specified redirection URL.

For a user to successfully access a redirection URL, configure a portal-free rule to allow HTTP or HTTPS requests destined for the redirection URL to pass. For information about configuring portal-free rules, see the portal free-rule command.

For a portal Web server, you can configure the url command and the if-match command for URL redirection. The url command redirects all HTTP or HTTPS requests from unauthenticated users to the portal Web server for authentication. The if-match command allows for flexible URL redirection by redirecting specific HTTP or HTTPS requests to specific redirection URLs. If both commands are executed, the if-match command takes priority to perform URL redirection.

If you configure encryption for parameters in the redirection URL, you must append to the redirection URL the parameter name that tells the portal Web server the parameters are encrypted. For example, to redirect HTTP requests to 10.1.1.1 with encrypted URL parameters, specify the redirection URL as http://10.1.1.1?yyyy=. The parameter name yyyy depends on the portal Web server configuration. For more information, see the portal Web server configuration guide.

Examples

# Configure a match rule to redirect HTTP requests destined for the URL http://www.abc.com.cn to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1

# Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1

Related commands

display portal web-server

portal free-rule

url

url-parameter

if-match temp-pass

Use if-match temp-pass to configure a match rule for temporary pass.

Use undo if-match temp-pass to restore the default.

Syntax

if-match { original-url url-string | user-agent user-agent } * temp-pass [ redirect-url url-string | original ]

undo if-match { original-url url-string | user-agent user-agent } * temp-pass

Default

No match rules for temporary pass are configured.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

original-url url-string: Specifies a URL string to match the URL in HTTP/HTTPS requests of portal users. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

user-agent user-agent: Specifies a user agent string to match the User-Agent string in HTTP/HTTPS requests. The user agent string is a case-sensitive string of 1 to 255 characters. The User-Agent string in HTTP or HTTPS requests includes information about hardware manufacturer, operating system, browser, and search engine.

redirect-url url-string: Redirects the matching Web requests to the specified URL. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters.

original: Redirects the matching Web requests to the originally requested URLs.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS    No
MSR2600-6-X1/2600-10-X1                                                                   Yes
MSR 2630                                                                                  Yes
MSR3600-28/3600-51                                                                        Yes
MSR3600-28-SI/3600-51-SI                                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                            Yes
MSR 3610/3620/3620-DP/3640/3660                                                           Yes
MSR5620/5660/5680                                                                         Yes

 

A match rule for temporary pass matches Web requests by URL or User-Agent information. Only the matching Web requests are temporarily permitted to pass.

A permitted request can be redirected to the specified redirection URL or to the originally requested URL, depending on the redirection action in the match rule. If you do not configure a redirection action (by using the redirect-url url-string option or the original keyword), the device permits the matching requests to pass without redirection.

For the match rules to take effect, make sure the portal temporary pass feature is enabled.

If you configure the same match criteria but different redirection actions in two match rules, the new configuration overwrites the existing one.

Examples

# Configure a temporary pass rule to temporarily allow user packets that access the URL http://www.abc.com.cn to pass.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn temp-pass

# Configure a temporary pass rule to temporarily allow user packets that access the URL http://www.abc.com.cn to pass and then redirect the packets to the originally requested URL.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn temp-pass original

# Configure a temporary pass rule to allow user packets that contain user agent information 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to pass and then redirect the packets to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 temp-pass redirect-url http://192.168.0.1

# Configure a temporary pass rule. This rule allows user packets that access the URL http://www.abc.com.cn and contain user agent information 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to pass and then redirects the packets to the URL http://192.168.0.1.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 temp-pass redirect-url http://192.168.0.1
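The following added example (editor's illustration, not H3C code) models how the rules of the if-match and if-match temp-pass commands combine on a portal Web server. It encodes what the reference states: if-match rules take priority over the url command, a temporary-pass rule with the same match criteria overwrites the earlier one, and a redirect target needs a portal-free rule. It assumes what the reference does not say: original-url and user-agent are compared for exact equality, temporary-pass rules are checked before redirect rules, and the first configured matching rule wins. url-param-encryption is not modelled. Host names, addresses and the probe User-Agent are constructed.

```python
"""Added example (not H3C code): a model of how a portal Web server's
redirection rules combine. Exact-match comparison, temp-pass-before-redirect
ordering and first-match-wins are assumptions; url-param-encryption is
not modelled. Names and addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

Criteria = Tuple[Optional[str], Optional[str]]  # (original-url, user-agent)


@dataclass
class Request:
    url: str
    user_agent: str


class PortalWebServer:
    def __init__(self, portal_url: str):
        self.portal_url = portal_url                        # url command
        self.redirects: Dict[Criteria, str] = {}            # if-match ... redirect-url
        self.temp_pass: Dict[Criteria, Optional[str]] = {}  # if-match ... temp-pass
        self.free_hosts: Set[str] = set()                   # portal free-rule destinations
        self.temp_pass_enabled = False                      # portal temp-pass enable

    def if_match(self, original_url: Optional[str] = None,
                 user_agent: Optional[str] = None,
                 redirect_url: Optional[str] = None,
                 temp_pass: bool = False, original: bool = False) -> None:
        key: Criteria = (original_url, user_agent)
        if temp_pass:
            # Same criteria, different action: the new rule overwrites.
            self.temp_pass[key] = "original" if original else redirect_url
        elif redirect_url is None:
            raise ValueError("redirect-url is required without temp-pass")
        else:
            self.redirects[key] = redirect_url

    @staticmethod
    def _matches(key: Criteria, req: Request) -> bool:
        url, ua = key
        return (url is None or url == req.url) and (ua is None or ua == req.user_agent)

    def decide(self, req: Request) -> str:
        if self.temp_pass_enabled:
            for key, action in self.temp_pass.items():
                if self._matches(key, req):
                    if action is None:
                        return "permit"
                    target = req.url if action == "original" else action
                    return f"permit, redirect {target}"
        for key, target in self.redirects.items():
            if self._matches(key, req):
                return f"redirect {target}"       # if-match beats url
        return f"redirect {self.portal_url}"      # url command, everything else

    def lint(self) -> List[str]:
        """Redirect targets that no portal-free rule permits: the redirected
        request would itself be intercepted, so the user never gets there."""
        targets = list(self.redirects.values())
        targets += [a for a in self.temp_pass.values() if a not in (None, "original")]
        missing = []
        for target in targets:
            host = urlsplit(target).hostname
            if host not in self.free_hosts:
                missing.append(f"no portal-free rule for {host}")
        return missing


def demo() -> Tuple[str, str, str, int, List[str]]:
    ws = PortalWebServer("http://192.168.0.10/portal")
    ws.free_hosts = {"192.168.0.1"}
    ws.if_match(original_url="http://www.abc.com.cn", redirect_url="http://192.168.0.1")
    ws.if_match(original_url="http://www.abc.com.cn", temp_pass=True)
    ws.if_match(original_url="http://www.abc.com.cn", temp_pass=True, original=True)
    ws.if_match(user_agent="Probe/1.0", redirect_url="http://10.1.1.1?yyyy=")
    req = Request("http://www.abc.com.cn", "Mozilla/5.0")
    other = Request("http://www.other.example/", "Mozilla/5.0")
    before = ws.decide(req)          # temp-pass disabled: if-match redirect
    ws.temp_pass_enabled = True
    return before, ws.decide(req), ws.decide(other), len(ws.temp_pass), ws.lint()


if __name__ == "__main__":
    print(demo())
```

lint() is the check worth keeping: a redirect-url whose host has no portal-free rule produces a redirect loop or a blocked request rather than an error on the CLI. Keep in mind that a User-Agent header is attacker-controlled, so a user-agent match rule that grants temporary pass is a bypass for any client that can set the header.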

Related commands

display portal web-server

portal free-rule

portal temp-pass enable

url

url-parameter

ip (MAC binding server view)

Use ip to specify the IPv4 address of a MAC binding server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ip

Default

The IPv4 address of the MAC binding server is not specified.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of a MAC binding server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the MAC binding server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the MAC binding server belongs to the public network, do not specify this option.

key: Specifies a shared key to be used to authenticate packets between the device and the MAC binding server. Portal packets exchanged between the device and MAC binding server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to verify the correctness of the received portal packets. If you do not specify a shared key, the device and MAC binding server do not authenticate the packets between them, and each side accepts a packet on the strength of its source address alone. Always configure a shared key on both sides.

cipher: Specifies a shared key in encrypted form.

simple: Specifies a shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the shared key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 33 to 117 characters.

Usage guidelines

If you execute this command multiple times in the same MAC binding server view, the most recent configuration takes effect.

Examples

# Specify 192.168.0.111 as the IPv4 address of MAC binding server mts and plaintext key portal as the shared key for communication with the MAC binding server.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal

Related commands

display portal mac-trigger-server

ip (portal authentication server view)

Use ip to specify the IPv4 address of a portal authentication server.

Use undo ip to restore the default.

Syntax

ip ipv4-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ip

Default

The IPv4 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the portal authentication server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal authentication server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server belongs to the public network, do not specify this option.

key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 33 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv4 address. Therefore, in portal authentication server view, only one IPv4 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv4 address and MPLS L3VPN for different portal authentication servers.

Examples

# Specify 192.168.0.111 as the IPv4 address of portal authentication server pts and plaintext key portal as the shared key for communication with the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ip 192.168.0.111 key simple portal
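The following added example (editor's illustration, not H3C code) shows what the shared key of the ip commands for the MAC binding server and the portal authentication server buys you. The packet layout used here (a 16-byte fixed header, a 16-byte authenticator, then attributes) and the construction of the authenticator as an MD5 digest over the packet with the authenticator field zeroed and the shared key appended are assumptions for illustration; the reference only states that the packets carry an authenticator derived from the key. The user address, attribute bytes and key are constructed; the key value portal matches the examples above.

```python
"""Added example (not H3C code): why the shared key matters for the ip
commands above. The header layout and the MD5-over-packet-plus-key
authenticator are assumptions for illustration; the reference only
states that packets carry an authenticator derived from the key."""
import hashlib
import hmac
import struct
from typing import Dict, Optional

# ver, type, pap/chap, reserved, serial, req_id, user_ip, user_port, err, attr_num
HEADER = struct.Struct("!BBBBHH4sHBB")
ACK_AUTH = 0x04
AUTH_LEN = 16


def _digest(head: bytes, body: bytes, key: bytes) -> bytes:
    return hashlib.md5(head + bytes(AUTH_LEN) + body + key).digest()


def build_packet(pkt_type: int, serial: int, req_id: int, user_ip: bytes,
                 attr_num: int, body: bytes, key: Optional[bytes]) -> bytes:
    """Build a portal packet; without a configured key the authenticator
    field is left all-zero, i.e. the packet carries no proof of origin."""
    head = HEADER.pack(2, pkt_type, 0, 0, serial, req_id, user_ip, 0, 0, attr_num)
    auth = _digest(head, body, key) if key is not None else bytes(AUTH_LEN)
    return head + auth + body


def verify_packet(pkt: bytes, key: Optional[bytes]) -> bool:
    """Receiver-side check. With no key configured nothing is verified and
    every well-formed packet is accepted, which is the case the reference
    warns about."""
    if len(pkt) < HEADER.size + AUTH_LEN:
        return False
    head = pkt[:HEADER.size]
    auth = pkt[HEADER.size:HEADER.size + AUTH_LEN]
    body = pkt[HEADER.size + AUTH_LEN:]
    if key is None:
        return True
    return hmac.compare_digest(auth, _digest(head, body, key))


def demo() -> Dict[str, bool]:
    """Constructed ACK_AUTH for user 10.0.0.5 with one UserName attribute."""
    body = b"\x01\x07alice"  # UserName TLV (constructed)
    user_ip = bytes([10, 0, 0, 5])
    key = b"portal"          # the shared key from the examples above
    good = build_packet(ACK_AUTH, 1, 1, user_ip, 1, body, key)
    # An attacker rewrites the user IP (header bytes 8..11) to apply the
    # authentication result to a different host.
    forged = good[:8] + bytes([10, 0, 0, 9]) + good[12:]
    unkeyed = build_packet(ACK_AUTH, 1, 1, user_ip, 1, body, None)
    return {
        "genuine": verify_packet(good, key),
        "tampered": verify_packet(forged, key),
        "wrong key": verify_packet(good, b"wrong"),
        "no key configured, tampered": verify_packet(
            unkeyed[:8] + bytes([10, 0, 0, 9]) + unkeyed[12:], None),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The last case is the one to remember: with no key on either side, a forged ACK or logout packet from any host that can spoof the server's address is indistinguishable from a genuine one. The authenticator is a 16-byte MD5 construction rather than an HMAC, so it also does nothing against replay; keep the portal server reachable only from the access devices and use the vpn-instance option where the servers live in a separate VPN.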

Related commands

display portal server

portal server

ipv6 (portal authentication server view)

Use ipv6 to specify the IPv6 address of a portal authentication server.

Use undo ipv6 to restore the default.

Syntax

ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ key { cipher | simple } string ]

undo ipv6

Default

The IPv6 address of the portal authentication server is not specified.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of the portal authentication server.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal authentication server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the portal authentication server belongs to the public network, do not specify this option.

key: Specifies a shared key for communication with the portal authentication server. Portal packets exchanged between the access device and the portal authentication server carry an authenticator that is generated with the shared key. The receiver uses the authenticator to check the correctness of the received portal packets.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 64 characters. Its encrypted form is a case-sensitive string of 33 to 117 characters.

Usage guidelines

A portal authentication server has only one IPv6 address. Therefore, in portal authentication server view, only one IPv6 address exists. If you execute this command multiple times, the most recent configuration takes effect.

Do not configure the same IPv6 address and MPLS L3VPN for different portal authentication servers.

Examples

# Specify 2000::1 as the IPv6 address of portal authentication server pts and plaintext key portal as the shared key for communication with the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] ipv6 2000::1 key simple portal

Related commands

display portal server

portal server

local-binding aging-time

Use local-binding aging-time to set the aging time for local MAC-account binding entries.

Use undo local-binding aging-time to restore the default.

Syntax

local-binding aging-time minutes

undo local-binding aging-time

Default

The aging time for local MAC-account binding entries is 720 minutes.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

minutes: Specifies the aging time for local MAC-account binding entries. The value range for this argument is 1 to 129600 minutes.

Usage guidelines

The local MAC-account binding entry of a portal user is deleted when the entry ages out. If the device detects traffic for the user next time, the device creates a local MAC-trigger entry for the user.

If you disable local MAC-trigger authentication, the device does not delete existing local MAC-account binding entries. These entries are automatically deleted when they age out.

Examples

# Set the aging time of local MAC-account binding entries to 240 minutes for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] local-binding aging-time 240

Related commands

display portal mac-trigger-server

local-binding enable

local-binding enable

Use local-binding enable to enable local MAC-trigger authentication.

Use undo local-binding enable to disable local MAC-trigger authentication.

Syntax

local-binding enable

undo local-binding enable

Default

Local MAC-trigger authentication is disabled.

Views

MAC binding server view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to act as a local MAC binding server to provide local MAC-trigger authentication for local portal users.

After a user passes portal authentication for the first time, the access device (local MAC binding server) generates a local MAC binding entry for the user. The local MAC binding entry records the MAC address and authentication information (username and password) of the user. Then, the user can be automatically connected to the network without manual authentication for subsequent network access attempts. Because the entry is keyed on the MAC address alone, a client that spoofs an authenticated user's MAC address is admitted as that user until the entry ages out; keep the aging time (local-binding aging-time) short where that risk matters.

Examples

# Enable local MAC-trigger authentication for MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] local-binding enable

Related commands

display portal mac-trigger-server

local-binding aging-time

logon-page bind

Use logon-page bind to bind an SSID, endpoint name, or endpoint type to an authentication page file.

Use undo logon-page bind to unbind the SSID, endpoint name, or endpoint type from the authentication page file.

Syntax

logon-page bind { device-type { computer | pad | phone } | device-name device-name | ssid ssid-name } * file file-name

undo logon-page bind { all | device-type { computer | pad | phone } | device-name device-name | ssid ssid-name } *

Default

No SSID, endpoint name, or endpoint type is bound to an authentication page file.

Views

Local portal Web server view

Predefined user roles

network-admin

Parameters

all: Specifies all SSIDs, endpoint names, and endpoint types.

device-type: Specifies an endpoint type.

computer: Specifies the endpoint type as computer.

pad: Specifies the endpoint type as tablet.

phone: Specifies the endpoint type as mobile phone.

device-name device-name: Specifies an endpoint by its name, a case-sensitive string of 1 to 127 characters. The specified endpoint name must have been predefined on the device. Otherwise, the bound authentication page file does not take effect.

ssid ssid-name: Specifies an SSID by its name, a case-insensitive string of 1 to 32 characters. An SSID string can contain letters, digits, and spaces, but the start and end characters cannot be spaces. An SSID string cannot be f, fi, fil, or file.

file file-name: Specifies an authentication page file by the file name (without the file storage directory). A file name is a string of 1 to 91 characters, and can contain letters, digits, and underscores (_). You must edit the authentication pages, compress them to a .zip file, and then upload the file to the root directory of the storage medium of the device.

Usage guidelines

This command implements customized authentication page pushing for portal users. After you configure this command, the device pushes authentication pages to users according to the user SSID, endpoint name, and endpoint type.

When a Web user triggers local portal authentication, the device searches for a binding that matches the user's SSID, endpoint name, and endpoint type.

·     If the binding exists, the device pushes the bound authentication pages to the user.

·     If multiple matching binding entries are found, the device selects an entry in the following order:

a.     The entry that specifies the SSID, endpoint name, and endpoint type.

b.     The entry that specifies the SSID and endpoint name.

c.     The entry that specifies the SSID and endpoint type.

d.     The entry that specifies only the SSID.

e.     The entry that specifies the endpoint name and endpoint type.

f.     The entry that specifies only the endpoint name.

g.     The entry that specifies only the endpoint type.

·     If the binding does not exist, the device pushes the default authentication pages to the user.

When you configure this command, follow these restrictions and guidelines:

·     If the name or content of the file in a binding entry is changed, you must reconfigure the binding.

·     To reconfigure or modify a binding, simply re-execute this command without canceling the existing binding.

·     If you execute this command multiple times to bind an SSID, endpoint name, or endpoint type to different authentication page files, the most recent configuration takes effect.

·     You can configure multiple binding entries on the device.

Examples

# Create a local portal Web server and specify HTTP to exchange information with clients.

<Sysname> system-view

[Sysname] portal local-web-server http

# Bind the SSID SSID1 to the authentication page file file1.zip.

[Sysname-portal-local-websvr-http] logon-page bind ssid SSID1 file file1.zip

# Bind the endpoint type phone to the authentication page file file2.zip.

[Sysname-portal-local-websvr-http] logon-page bind device-type phone file file2.zip
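The following added example (editor's illustration, not H3C code) implements the binding selection order a) to g) from the usage guidelines, including the case-insensitive SSID comparison and the rule that re-executing the command on the same criteria replaces the earlier file. The SSIDs, endpoint names, file names and the default-page placeholder are constructed.

```python
"""Added example (not H3C code): the binding-selection order listed in the
logon-page bind usage guidelines, with a later binding on the same
criteria replacing the earlier one and case-insensitive SSID matching.
SSIDs, endpoint names, file names and the default placeholder are
constructed."""
from typing import Dict, Optional, Tuple

Key = Tuple[Optional[str], Optional[str], Optional[str]]  # (ssid, device-name, device-type)
FIELDS = ("ssid", "device_name", "device_type")

# Selection order a) to g) from the usage guidelines, most specific first.
PRECEDENCE = [
    ("ssid", "device_name", "device_type"),
    ("ssid", "device_name"),
    ("ssid", "device_type"),
    ("ssid",),
    ("device_name", "device_type"),
    ("device_name",),
    ("device_type",),
]


class LocalPortalWebServer:
    def __init__(self, default_file: str = "default-pages"):
        self.default_file = default_file   # placeholder for the default pages
        self.bindings: Dict[Key, str] = {}

    def logon_page_bind(self, file: str, ssid: Optional[str] = None,
                        device_name: Optional[str] = None,
                        device_type: Optional[str] = None) -> None:
        if device_type is not None and device_type not in ("computer", "pad", "phone"):
            raise ValueError("device-type must be computer, pad or phone")
        if ssid is None and device_name is None and device_type is None:
            raise ValueError("at least one of ssid, device-name, device-type is required")
        key: Key = (ssid.lower() if ssid else None, device_name, device_type)
        self.bindings[key] = file      # re-executing overwrites the earlier file

    def select_page(self, ssid: Optional[str], device_name: Optional[str],
                    device_type: Optional[str]) -> str:
        user = {"ssid": ssid.lower() if ssid else None,
                "device_name": device_name, "device_type": device_type}
        matches: Dict[Tuple[str, ...], str] = {}
        for key, file in self.bindings.items():
            bound = dict(zip(FIELDS, key))
            specified = tuple(f for f in FIELDS if bound[f] is not None)
            if all(bound[f] == user[f] for f in specified):
                matches[specified] = file
        for combo in PRECEDENCE:
            if combo in matches:
                return matches[combo]
        return self.default_file


def demo() -> Tuple[str, str, str, str]:
    ws = LocalPortalWebServer()
    ws.logon_page_bind("file1.zip", ssid="SSID1")
    ws.logon_page_bind("file2.zip", device_type="phone")
    ws.logon_page_bind("file3.zip", ssid="SSID1", device_type="phone")
    ws.logon_page_bind("file4.zip", ssid="SSID1")          # replaces file1.zip
    return (
        ws.select_page("ssid1", None, "phone"),            # c) SSID + type wins
        ws.select_page("SSID2", None, "phone"),            # g) only the type binding
        ws.select_page("SSID1", "printer-7", "computer"),  # d) only the SSID binding
        ws.select_page("SSID2", None, "computer"),         # no binding: default pages
    )


if __name__ == "__main__":
    print(demo())
```

Because the bound .zip file is served to unauthenticated clients, treat its contents as public and keep scripts in those pages to the minimum the login form needs.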

Related commands

default-logon-page

portal local-web-server

logout-notify

Use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet.

Use undo logout-notify to restore the default.

Syntax

logout-notify retry retries interval interval

undo logout-notify

Default

The device does not retransmit a logout notification packet.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

retry retries: Specifies the maximum number of retries, in the range of 1 to 5.

interval interval: Specifies the retry interval, in the range of 1 to 10 seconds.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       Yes

A logout notification packet is a UDP packet that the device sends to the portal authentication server for forcibly logging out a portal user. To increase the delivery reliability, you can set the maximum number of times and the interval for retransmitting a logout notification packet.

After the device sends a logout notification packet for logging out a portal user, it waits for a response from the portal authentication server. If the device receives a response within the specified period of time (maximum number of retries × retry interval), it logs out and deletes the user immediately. If the device does not receive a response within the period of time, the device logs out and deletes the user when the period of time elapses.
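The retransmission behavior described above, shown as an added Python example that is not part of this command reference or of Comware. A stand-in portal authentication server on 127.0.0.1 (constructed for the demo; it ignores the first few datagrams it receives) answers a client that models the device side of logout-notify retry/interval: each transmission waits one interval for an acknowledgement, the packet is retransmitted on timeout, and the user is deleted either when the acknowledgement arrives or when retries × interval has elapsed. The datagram contents are placeholders; the real portal protocol packet layout is not on this page.

```python
import socket
import threading

# Constructed placeholder datagrams standing in for a portal logout notification
# and its acknowledgement. The real portal packet layout is not on this page.
LOGOUT_NOTIFY = b"PORTAL-LOGOUT-NOTIFY user=10.0.0.5"
ACK = b"PORTAL-LOGOUT-ACK"


def start_lossy_server(drop_first):
    """Stand-in portal authentication server on 127.0.0.1 (demo only).
    It ignores the first `drop_first` datagrams and acknowledges the rest.
    Returns (udp_port, stop_callable)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.1)
    port = sock.getsockname()[1]
    stop = threading.Event()
    received = [0]

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            received[0] += 1
            if data == LOGOUT_NOTIFY and received[0] > drop_first:
                sock.sendto(ACK, peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def send_logout_notify(server_port, retries, interval):
    """Device side of 'logout-notify retry <retries> interval <interval>'.

    Each transmission waits `interval` seconds for an acknowledgement; on
    timeout the packet is retransmitted, up to `retries` transmissions in
    total, so the user is deleted no later than retries x interval seconds
    after the first send. Returns (acknowledged, transmissions)."""
    if not 1 <= retries <= 5:
        raise ValueError("retries must be 1 to 5 (CLI range)")
    if not 0 < interval <= 10:
        raise ValueError("interval must be 1 to 10 seconds (fractions allowed in this demo)")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(interval)
    sent = 0
    try:
        while sent < retries:
            sock.sendto(LOGOUT_NOTIFY, ("127.0.0.1", server_port))
            sent += 1
            try:
                data, _ = sock.recvfrom(2048)
            except socket.timeout:
                continue  # no answer within the interval: retransmit
            if data == ACK:
                return True, sent  # server answered: delete the user now
        return False, sent  # whole period elapsed: delete the user anyway
    finally:
        sock.close()


def demo(drop_first, retries, interval):
    """Run one exchange against a fresh stand-in server; returns (acked, sent)."""
    port, stop = start_lossy_server(drop_first)
    try:
        return send_logout_notify(port, retries, interval)
    finally:
        stop()
```

With drop_first=2 and retry 3 the third transmission is acknowledged; with a server that never answers, the client gives up after the third interval, which is the point at which the device deletes the user regardless of the server's state.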

Examples

# Set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] portal server pt

[Sysname-portal-server-pt] logout-notify retry 3 interval 5

Related commands

display portal server

mail-domain-name

Use mail-domain-name to specify an email domain name for email authentication.

Use undo mail-domain-name to remove an email domain name for email authentication.

Syntax

mail-domain-name string

undo mail-domain-name [ string ]

Default

No email domain names are specified for email authentication.

Views

Email authentication server view

Predefined user roles

network-admin

Parameters

string: Specifies an email domain name for email authentication, a case-sensitive string of 1 to 255 characters, in the format of @XXX.XXX. If you do not specify an email domain name in the undo form of this command, this command removes all email domain names for email authentication.

Usage guidelines

After you configure this command, the device performs email authentication only on portal users that use the specified email domain names.

You can specify a maximum of 16 email domain names for email authentication.

Examples

# Specify @qq.com and @sina.com email domain names for email authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail] mail-domain-name @qq.com

[Sysname-portal-extend-auth-server-mail] mail-domain-name @sina.com

Related commands

display portal extend-auth-server

mail-protocol

Use mail-protocol to specify protocols for email authentication.

Use undo mail-protocol to restore the default.

Syntax

mail-protocol { imap | pop3 } *

undo mail-protocol

Default

No protocols are specified for email authentication.

Views

Email authentication server view

Predefined user roles

network-admin

Parameters

imap: Specifies the Internet Message Access Protocol (IMAP).

pop3: Specifies the Post Office Protocol 3 (POP3).

Usage guidelines

This command specifies the email protocols that the device uses to interact with the email authentication server to authenticate and authorize portal users who use email authentication.

Examples

# Specify the POP3 protocol for email authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail] mail-protocol pop3

Related commands

display portal extend-auth-server

nas-port-type

Use nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server.

Use undo nas-port-type to restore the default.

Syntax

nas-port-type value

undo nas-port-type

Default

The NAS-Port-Type value carried in RADIUS requests is 15.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

value: Specifies the NAS-Port-Type value in the range of 1 to 255.

Usage guidelines

Some MAC binding servers identify MAC-based quick portal authentication by a specific NAS-Port-Type value in received RADIUS requests. To communicate with such a MAC binding server, you must configure the device to use the NAS-Port-Type value required by the MAC binding server.
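The attribute this command sets, shown as an added Python example that is not part of this command reference or of Comware: a minimal RADIUS Access-Request builder that carries NAS-Port-Type (RFC 2865 attribute 61, a 4-byte integer) and a strict attribute parser of the kind a MAC binding server or a log collector would use to pick the value out of received requests. The username, NAS IP address and identifier values are constructed for the demo; a real request from the device carries additional attributes that are not listed on this page.

```python
import ipaddress
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61          # RFC 2865 attribute carrying this command's value
DEFAULT_NAS_PORT_TYPE = 15       # the page's default


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, header included), Value.
    Integer-typed attributes such as NAS-Port-Type are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, nas_ip, nas_port_type=DEFAULT_NAS_PORT_TYPE, identifier=1):
    """Minimal Access-Request: Code, Identifier, Length, 16-byte Request Authenticator,
    then attributes. Constructed for the demo; a real device adds more attributes."""
    if not 1 <= nas_port_type <= 255:
        raise ValueError("NAS-Port-Type must be 1 to 255 (CLI range)")
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + encode_attr(ATTR_NAS_PORT_TYPE, nas_port_type))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + os.urandom(16) + attrs


def parse_attrs(packet):
    """Walk the attribute list strictly; raise ValueError on any length mismatch
    rather than reading past the buffer. Returns {type: [raw value, ...]}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def nas_port_type(packet):
    """Return the NAS-Port-Type integer, or None when the request carries none."""
    values = parse_attrs(packet).get(ATTR_NAS_PORT_TYPE)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError("NAS-Port-Type must be a 4-byte integer")
    return struct.unpack("!I", values[0])[0]


def is_well_formed(packet):
    """True when the packet parses cleanly; False for truncated or inconsistent input."""
    try:
        parse_attrs(packet)
        return True
    except ValueError:
        return False
```

A server that keys its behavior on NAS-Port-Type should read it through a parser that checks every length field, as above, so a malformed request is rejected rather than misread. The value 30 in the test mirrors the example in this section.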

Examples

# Set the NAS-Port-Type value in RADIUS requests sent to the MAC binding server mts to 30.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] nas-port-type 30

Related commands

display portal mac-trigger-server

port (MAC binding server view)

Use port to set the UDP port number the MAC binding server uses to listen for MAC binding query packets.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The MAC binding server listens for MAC binding query packets on UDP port 50100.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening UDP port number in the range of 1 to 65534.

Usage guidelines

The specified port number must be the same as the query listening port number configured on the MAC binding server.

Examples

# Set the UDP port number to 1000 for MAC binding server mts to listen for MAC binding query packets.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] port 1000

Related commands

display portal mac-trigger-server

port (portal authentication server view)

Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

Use undo port to restore the default.

Syntax

port port-number

undo port

Default

The device uses 50100 as the destination UDP port number for unsolicited portal packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

port-number: Specifies a destination UDP port number the device uses to send unsolicited portal packets to the portal authentication server. The value range for this argument is 1 to 65534.

Usage guidelines

The specified port must be the port that listens to portal packets on the portal authentication server.

Examples

# Set the destination UDP port number to 50000 for the device to send unsolicited portal packets to the portal authentication server pts.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] port 50000

Related commands

portal server

portal { bas-ip | bas-ipv6 }

Use portal { bas-ip | bas-ipv6 } to configure the BAS-IP or BAS-IPv6 attribute carried in the portal packets sent to the portal authentication server.

Use undo portal { bas-ip | bas-ipv6 } to delete the BAS-IP or BAS-IPv6 attribute setting.

Syntax

portal { bas-ip ipv4-address | bas-ipv6 ipv6-address }

undo portal { bas-ip | bas-ipv6 }

Default

The BAS-IP attribute of an IPv4 portal reply packet sent to the portal authentication server is the source IPv4 address of the packet. The BAS-IPv6 attribute of an IPv6 portal reply packet sent to the portal authentication server is the source IPv6 address of the packet.

The BAS-IP attribute of an IPv4 portal notification packet sent to the portal authentication server is the IPv4 address of the packet's output interface. The BAS-IPv6 attribute of an IPv6 portal notification packet sent to the portal authentication server is the IPv6 address of the packet's output interface.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

bas-ip ipv4-address: Specifies BAS-IP for portal packets sent to the portal authentication server. The ipv4-address argument must be the IPv4 address of an interface on the device. It cannot be 0.0.0.0, 1.1.1.1, a class D address, a class E address, or a loopback address.

bas-ipv6 ipv6-address: Specifies BAS-IPv6 for portal packets sent to the portal authentication server. The ipv6-address argument must be the IPv6 address of an interface on the device. It cannot be a multicast address, an all 0 address, or a link-local address.

Usage guidelines

If the device runs Portal 2.0, unsolicited portal packets (such as a logout notification packet) sent to the portal authentication server must carry the BAS-IP attribute. If the device runs Portal 3.0, unsolicited portal packets sent to the portal authentication server must carry the BAS-IP or BAS-IPv6 attribute.

After this command takes effect, the source IP address for unsolicited notification portal packets the device sends to the portal authentication server is the configured BAS-IP or BAS-IPv6. If the attribute is not configured, the source IP address of the packets is the IP address of the packet output interface.

You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface or service template if the following conditions are met:

·     The portal authentication server is an H3C IMC server or the portal authentication mode is re-DHCP.

·     The portal device IP address specified on the portal authentication server is not the IP address of the portal packet output interface.
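The address restrictions listed under Parameters, applied as an added Python check that is not part of this command reference or of Comware. It uses the standard ipaddress module to reject the values the page excludes (0.0.0.0, 1.1.1.1, class D, class E and loopback for BAS-IP; multicast, all-zero and link-local for BAS-IPv6) and confirms the candidate is one of the device's interface addresses, which the caller supplies as a list (an assumption of this example; the interface addresses in the test are constructed).

```python
import ipaddress

CLASS_E = ipaddress.ip_network("240.0.0.0/4")   # reserved block the page calls class E


def check_bas_ip(addr, interface_addrs):
    """Return (ok, reason) for a candidate BAS-IP / BAS-IPv6 value.

    Rules come from the parameter description of portal { bas-ip | bas-ipv6 };
    membership in `interface_addrs` stands in for "address of an interface on
    the device" (the caller provides that list)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False, "not a valid IP address"
    if ip.version == 4:
        if ip == ipaddress.IPv4Address("0.0.0.0"):
            return False, "0.0.0.0 is not allowed"
        if ip == ipaddress.IPv4Address("1.1.1.1"):
            return False, "1.1.1.1 is not allowed"
        if ip.is_multicast:
            return False, "class D (multicast) address"
        if ip in CLASS_E:
            return False, "class E (reserved) address"
        if ip.is_loopback:
            return False, "loopback address"
    else:
        if ip.is_multicast:
            return False, "multicast address"
        if ip == ipaddress.IPv6Address("::"):
            return False, "all-zero address"
        if ip.is_link_local:
            return False, "link-local address"
    configured = {ipaddress.ip_address(a) for a in interface_addrs}
    if ip not in configured:
        return False, "not an address of a device interface"
    return True, "ok"


def bas_ip_command(addr, interface_addrs):
    """Produce the CLI line for an acceptable address, or raise ValueError."""
    ok, reason = check_bas_ip(addr, interface_addrs)
    if not ok:
        raise ValueError("%s rejected: %s" % (addr, reason))
    keyword = "bas-ip" if ipaddress.ip_address(addr).version == 4 else "bas-ipv6"
    return "portal %s %s" % (keyword, addr)
```

A check like this belongs in configuration linting: the device only rejects the address after the command is entered, while the portal server silently fails to match the device if the attribute carries an address it does not know about.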

Examples

# On GigabitEthernet 1/0/1, configure the BAS-IP attribute as 2.2.2.2 for portal packets sent to the portal authentication server. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal bas-ip 2.2.2.2

# On service template service1, configure the BAS-IP attribute as 2.2.2.2 for portal packets sent to the portal authentication server. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal bas-ip 2.2.2.2

Related commands

display portal

portal { ipv4-max-user | ipv6-max-user }

Use portal { ipv4-max-user | ipv6-max-user } to set the maximum number of portal users allowed on an interface or a service template.

Use undo portal { ipv4-max-user | ipv6-max-user } to restore the default.

Syntax

portal { ipv4-max-user | ipv6-max-user } max-number

undo portal { ipv4-max-user | ipv6-max-user }

Default

The maximum number of portal users allowed on an interface or a service template is not limited.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of portal users allowed on an interface or a service template, in the range of 1 to 4294967295.

Usage guidelines

If the specified maximum number is smaller than the number of online portal users on the interface or service template, the limit is still set successfully and does not affect the online portal users. However, the device does not allow new portal users to log in from the interface or service template until the number of online users drops below the limit.

Make sure the maximum combined number of IPv4 and IPv6 portal users specified on all interfaces or service templates does not exceed the system-allowed maximum number. Otherwise, the exceeding portal users will not be able to log in to the device.
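The two guidelines above, modelled as an added Python example that is not part of this command reference or of Comware. The class keeps per-interface (or per-service-template) IPv4 and IPv6 online counts and applies the limit exactly as described: setting a limit below the current count succeeds and leaves existing users online, new logins are refused until the count is below the limit, and a separate check sums the configured limits against a system-wide maximum standing in for portal max-user. Interface names, addresses and the system maximum in the test are constructed.

```python
MAX_NUMBER = 4294967295  # upper bound of the max-number argument


class PortalInterface:
    """Portal user accounting for one interface or service template, following
    the portal { ipv4-max-user | ipv6-max-user } rules. Demo model, not device code."""

    def __init__(self, name):
        self.name = name
        self.online = {4: set(), 6: set()}     # addresses of online portal users
        self.limit = {4: None, 6: None}        # None: not limited (the default)

    def set_max_user(self, version, max_number):
        """Apply the limit. It succeeds even when it is below the current online
        count; existing users are untouched."""
        if version not in (4, 6):
            raise ValueError("version must be 4 or 6")
        if not 1 <= max_number <= MAX_NUMBER:
            raise ValueError("max-number must be 1 to %d" % MAX_NUMBER)
        self.limit[version] = max_number
        return True

    def login(self, version, address):
        """Admit a new user only while the online count is below the limit."""
        if address in self.online[version]:
            return True  # already online; nothing changes
        limit = self.limit[version]
        if limit is not None and len(self.online[version]) >= limit:
            return False  # refused until the count drops below the limit
        self.online[version].add(address)
        return True

    def logout(self, version, address):
        self.online[version].discard(address)

    def online_count(self, version):
        return len(self.online[version])


def combined_limits_ok(interfaces, system_max):
    """Guideline check: the configured IPv4 and IPv6 limits summed over all
    interfaces and service templates must not exceed the system-wide maximum
    (portal max-user); otherwise users beyond it cannot log in."""
    total = sum(limit for itf in interfaces
                for limit in itf.limit.values() if limit is not None)
    return total <= system_max
```

The sequence in the test is the edge case the guideline describes: three users online, the limit set to 2, and logins refused until two of them log out.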

Examples

# Set the maximum number of IPv4 portal users to 100 on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal ipv4-max-user 100

# Set the maximum number of IPv4 portal users to 100 on service template service1. (Wireless application.)

<Sysname> system-view

[Sysname] interface vlan-interface 100

[Sysname-Vlan-interface100] portal ipv4-max-user 100

Related commands

display portal user

portal max-user

portal apply mac-trigger-server

Use portal apply mac-trigger-server to specify a MAC binding server.

Use undo portal apply mac-trigger-server to restore the default.

Syntax

portal apply mac-trigger-server server-name

undo portal apply mac-trigger-server

Default

No MAC binding server is specified.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

Only direct portal authentication supports MAC-based quick portal authentication.

For MAC-based quick portal authentication to take effect, perform the following tasks:

·     Configure normal portal authentication.

·     Configure a MAC binding server.

·     Specify the MAC binding server on a portal enabled interface or service template.

Examples

# Specify the MAC binding server mts on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal apply mac-trigger-server mts

Related commands

portal mac-trigger-server

portal apply web-server

Use portal [ ipv6 ] apply web-server to specify a portal Web server. The device redirects the HTTP or HTTPS requests sent by unauthenticated portal users to the portal Web server.

Use undo portal [ ipv6 ] apply web-server to delete a portal Web server.

Syntax

portal [ ipv6 ] apply web-server server-name [ secondary ]

undo portal [ ipv6 ] apply web-server [ server-name ]

Default

No portal Web servers are specified.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal Web server. If the server is an IPv4 portal Web server, do not specify this keyword.

secondary: Specifies the backup portal Web server. If you do not specify this keyword, the specified server is the primary portal Web server.

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters. The portal Web server must already exist. If you do not specify a server name in the undo form of this command, all portal Web servers on the interface or service template are removed.

Usage guidelines

IPv4 and IPv6 portal authentication can both be enabled on an interface or on a service template. You can specify both a primary portal Web server and a backup portal Web server after enabling each type (IPv4 or IPv6) of portal authentication.

The device first uses the primary portal Web server for portal authentication. When the primary portal Web server is unreachable but the backup portal Web server is reachable, the device uses the backup portal Web server. When the primary portal Web server becomes reachable, the device switches back to the primary portal Web server for portal authentication.

To automatically switch between the primary portal Web server and the backup portal Web server, configure portal Web server detection on both servers.

Examples

# Specify portal Web server wbs as the backup portal Web server on GigabitEthernet 1/0/1 for portal authentication. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal apply web-server wbs secondary

# Specify portal Web server wbs as the backup portal Web server on service template service1 for portal authentication. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal apply web-server wbs secondary

Related commands

display portal

portal fail-permit server

portal web-server

server-detect (portal Web server view)

portal auth-error-record enable

Use portal auth-error-record enable to enable portal authentication error recording.

Use undo portal auth-error-record enable to disable portal authentication error recording.

Syntax

portal auth-error-record enable

undo portal auth-error-record enable

Default

Portal authentication error recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       Yes

This feature enables the device to save all portal authentication error records and to periodically send the records to the Oasis cloud server or other servers.

Examples

# Enable portal authentication error recording.

<Sysname> system-view

[Sysname] portal auth-error-record enable

Related commands

display portal auth-error-record

portal auth-error-record export

Use portal auth-error-record export to export portal authentication error records to a path.

Syntax

portal auth-error-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal authentication error records are exported. The URL is a case-insensitive string of 1 to 255 characters.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       Yes

The device supports FTP, TFTP, and HTTP file transfer methods. Table 47 describes the valid URL format for each method.

Table 47 URL formats

Protocol   URL format                                                          Remarks
FTP        ftp://username[:password]@server-address[:port-number]/file-path    The username and password must be the same as those on the server.
           Example: ftp://a:1@1.1.1.1/authfail/                                If the server authenticates only the username, no password is required.
TFTP       tftp://server-address[:port-number]/file-path                       N/A
           Example: tftp://1.1.1.1/autherror/
HTTP       http://username[:password]@server-address[:port-number]/file-path   The username and password must be the same as those on the server.
           Example: http://1.1.1.1/autherror/                                  If the server authenticates only the username, no password is required.

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]:21/test/.

Examples

# Export all portal authentication error records to path tftp://1.1.1.1/record/autherror/.

<Sysname> system-view

[Sysname] portal auth-error-record export url tftp://1.1.1.1/record/autherror/

# Export portal authentication error records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/autherror/.

<Sysname> system-view

[Sysname] portal auth-error-record export url tftp://1.1.1.1/record/autherror/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal auth-error-record

portal auth-error-record enable

reset portal auth-error-record

portal auth-error-record max

Use portal auth-error-record max to set the maximum number of portal authentication error records.

Use undo portal auth-error-record max to restore the default.

Syntax

portal auth-error-record max number

undo portal auth-error-record max

Default

The maximum number of portal authentication error records is 32000.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal authentication error records, in the range of 1 to 4294967295.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       Yes

When the maximum number of portal authentication error records is reached, the new record overwrites the oldest one.

Examples

# Set the maximum number of portal authentication error records to 50.

<Sysname> system-view

[Sysname] portal auth-error-record max 50

Related commands

display portal auth-error-record

portal auth-fail-record enable

Use portal auth-fail-record enable to enable portal authentication failure recording.

Use undo portal auth-fail-record enable to disable portal authentication failure recording.

Syntax

portal auth-fail-record enable

undo portal auth-fail-record enable

Default

Portal authentication failure recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       Yes

This feature enables the device to save portal authentication failure records and to periodically send the records to the Oasis cloud server or other servers.

Examples

# Enable portal authentication failure recording.

<Sysname> system-view

[Sysname] portal auth-fail-record enable

Related commands

display portal auth-fail-record

portal auth-fail-record export

Use portal auth-fail-record export to export portal authentication failure records to a path.

Syntax

portal auth-fail-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal authentication failure records are exported. The URL is a case-insensitive string of 1 to 255 characters.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       Yes

The device supports FTP, TFTP, and HTTP file transfer methods. Table 48 describes the valid URL format for each method.

Table 48 URL formats

Protocol   URL format                                                          Remarks
FTP        ftp://username[:password]@server-address[:port-number]/file-path    The username and password must be the same as those on the server.
           Example: ftp://a:1@1.1.1.1/authfail/                                If the server authenticates only the username, no password is required.
TFTP       tftp://server-address[:port-number]/file-path                       N/A
           Example: tftp://1.1.1.1/autherror/
HTTP       http://username[:password]@server-address[:port-number]/file-path   The username and password must be the same as those on the server.
           Example: http://1.1.1.1/autherror/                                  If the server authenticates only the username, no password is required.

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]:21/test/.
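The URL formats in Tables 47 and 48, the IPv6 bracketing rule above, and the start-time/end-time parameters of the two export commands, checked by an added Python example that is not part of this command reference or of Comware. It validates an export URL against the listed forms (scheme, bracketed IPv6 literal, no credentials for TFTP), splits it into components, produces a password-redacted copy for logging, and parses the date and time arguments with the page's ranges. The assumption that the device rejects URLs outside the listed forms and a start time later than the end time is this example's, not the page's; the URLs and times in the test are taken from or modelled on the examples in this section.

```python
from datetime import datetime
from urllib.parse import urlsplit

EXPORT_SCHEMES = {"ftp", "tftp", "http"}


def parse_export_url(url):
    """Check an export URL against the formats in Tables 47 and 48 and split it
    into components. Raises ValueError for forms the tables do not list
    (assumption: the device rejects those)."""
    if not 1 <= len(url) <= 255:
        raise ValueError("URL must be 1 to 255 characters")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in EXPORT_SCHEMES:
        raise ValueError("scheme must be ftp, tftp or http, got %r" % parts.scheme)
    hostinfo = parts.netloc.rpartition("@")[2]
    if hostinfo.count(":") > 1 and not hostinfo.startswith("["):
        raise ValueError("IPv6 server addresses must be bracketed, e.g. [2001::1]")
    if not parts.hostname:
        raise ValueError("missing server address")
    if scheme == "tftp" and (parts.username or parts.password):
        raise ValueError("the TFTP URL format carries no username or password")
    if not parts.path:
        raise ValueError("missing file path")
    return {
        "scheme": scheme,
        "username": parts.username,
        "password": parts.password,
        "server": parts.hostname,  # brackets already stripped for IPv6 literals
        "port": parts.port,        # None when the URL omits port-number
        "path": parts.path,
    }


def is_valid_export_url(url):
    try:
        parse_export_url(url)
        return True
    except ValueError:
        return False


def redacted_export_url(url):
    """Same URL with the password replaced, for logging the export target without
    the FTP/HTTP credential (the URL otherwise carries it in clear text)."""
    u = parse_export_url(url)
    if u["password"] is None:
        return url
    return url.replace(":%s@" % u["password"], ":***@", 1)


def _parse_date(date_str):
    # The command accepts MM/DD/YYYY or YYYY/MM/DD; strptime also rejects a day
    # that does not exist in the given month.
    for fmt in ("%m/%d/%Y", "%Y/%m/%d"):
        try:
            return datetime.strptime(date_str, fmt)
        except ValueError:
            continue
    raise ValueError("date must be MM/DD/YYYY or YYYY/MM/DD: %r" % date_str)


def parse_export_time(date_str, time_str):
    """Combine a start-time/end-time date and hh:mm into a datetime, applying the
    page's ranges: YYYY 1970 to 2037, time 00:00 to 23:59."""
    day = _parse_date(date_str)
    if not 1970 <= day.year <= 2037:
        raise ValueError("year must be 1970 to 2037")
    clock = datetime.strptime(time_str, "%H:%M")
    return day.replace(hour=clock.hour, minute=clock.minute)


def is_valid_export_time(date_str, time_str):
    try:
        parse_export_time(date_str, time_str)
        return True
    except ValueError:
        return False


def export_time_range(start_date, start_time, end_date, end_time):
    """Return (start, end); rejects a start later than the end (assumption)."""
    start = parse_export_time(start_date, start_time)
    end = parse_export_time(end_date, end_time)
    if start > end:
        raise ValueError("start-time is later than end-time")
    return start, end
```

Because the FTP and HTTP forms embed the server credential in the URL, the exported command line and any log that records it carry that credential; the redacted form is what should be written to logs or tickets.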

Examples

# Export all portal authentication failure records to path tftp://1.1.1.1/record/authfail/.

<Sysname> system-view

[Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/

# Export portal authentication failure records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/authfail/.

<Sysname> system-view

[Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal auth-fail-record

portal auth-fail-record enable

reset portal auth-fail-record

portal auth-fail-record max

Use portal auth-fail-record max to set the maximum number of portal authentication failure records.

Use undo portal auth-fail-record max to restore the default.

Syntax

portal auth-fail-record max number

undo portal auth-fail-record max

Default

The maximum number of portal authentication failure records is 32000.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal authentication failure records, in the range of 1 to 4294967295.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       Yes

When the maximum number of portal authentication failure records is reached, the new record overwrites the oldest one.

Examples

# Set the maximum number of portal authentication failure records to 50.

<Sysname> system-view

[Sysname] portal auth-fail-record max 50

Related commands

display portal auth-fail-record

portal authorization strict-checking

Use portal authorization strict-checking to enable strict checking on portal authorization information.

Use undo portal authorization strict-checking to disable strict checking on portal authorization information.

Syntax

portal authorization { acl | user-profile } strict-checking

undo portal authorization { acl | user-profile } strict-checking

Default

Strict checking on portal authorization information is disabled. If an authorized ACL or user profile does not exist on the device or fails to be deployed, the user is not logged out.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

acl: Enables strict checking on authorized ACLs.

user-profile: Enables strict checking on authorized user profiles.

Usage guidelines

You can enable strict checking on authorized ACLs, authorized user profiles, or both. If you enable both strict ACL checking and user profile checking, the user will be logged out if either checking fails.

ACL or user profile checking fails when the authorized ACL or user profile does not exist on the device or fails to be deployed.

Examples

# Enable strict checking on authorized ACLs on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal authorization acl strict-checking

# Enable strict checking on authorized ACLs on service template service1. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal authorization acl strict-checking

Related commands

display portal

portal captive-bypass optimize delay

Use portal captive-bypass optimize delay to set the captive-bypass detection timeout time.

Use undo portal captive-bypass optimize delay to restore the default.

Syntax

portal captive-bypass optimize delay seconds

undo portal captive-bypass optimize delay

Default

The captive-bypass detection timeout time is 6 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the captive-bypass detection timeout time, in the range of 6 to 60 seconds.

Usage guidelines

This command applies only to iOS mobile clients.

With optimized captive-bypass enabled, the device automatically pushes the portal authentication page to iOS mobile devices when they are connected to the network. Users can perform authentication on the page or press the home button to return to the desktop without performing authentication, and the Wi-Fi connection is not terminated.

Optimized captive-bypass might fail when the network condition is poor: the device does not receive a server reachability detection packet from the iOS mobile device within the captive-bypass detection timeout time, so the iOS mobile device terminates its Wi-Fi connection. To avoid Wi-Fi disconnections caused by this detection failure, set a longer captive-bypass detection timeout time when the network condition is poor.

Examples

# Set the captive-bypass detection timeout time to 20 seconds.

<Sysname> system-view

[Sysname] portal captive-bypass optimize delay 20

Related commands

captive-bypass enable

portal client-gateway interface

Use portal client-gateway interface to specify the AC's interface for portal clients to access during third-party authentication.

Use undo portal client-gateway interface to restore the default.

Syntax

portal client-gateway interface interface-type interface-number

undo portal client-gateway interface

Default

No AC's interface is specified for portal clients to access during third-party authentication.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

When client traffic is forwarded by APs and third-party portal authentication is used, the client does not know the IP address of the AC. For the client to reach the AC, specify an interface of the AC so that the client can obtain the AC's IP address and access the AC.

Examples

# Specify VLAN-interface 100 on the AC for clients to access during third-party authentication.

<Sysname> system-view

[Sysname] portal client-gateway interface vlan-interface 10

portal client-traffic-report interval

Use portal client-traffic-report interval to set the interval at which an AP reports traffic statistics to the device.

Use undo portal client-traffic-report interval to restore the default.

Syntax

portal client-traffic-report interval interval

undo portal client-traffic-report interval

Default

An AP reports traffic statistics to the device at an interval of 60 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the interval at which an AP reports traffic statistics to the device, in the range of 1 to 3600 seconds.

Usage guidelines

Before you execute this command, make sure the client traffic forwarding location is at APs.

Examples

# Set the interval at which an AP reports traffic statistics to the device to 120 seconds.

<Sysname> system-view

[Sysname] portal client-traffic-report interval 120

Related commands

client forwarding-location (WLAN Command Reference)

portal delete-user

Use portal delete-user to log out online portal users.

Syntax

portal delete-user { ipv4-address | all | auth-type { cloud | email | facebook | local | normal | qq | wechat } | interface interface-type interface-number | ipv6 ipv6-address | mac mac-address | username username }

Views

System view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IP address of an IPv4 online portal user.

all: Specifies IPv4 and IPv6 online portal users on all interfaces.

auth-type: Specifies online portal users by the authentication type.

cloud: Specifies the cloud authentication.

email: Specifies the email authentication.

facebook: Specifies the Facebook authentication.

local: Specifies the local authentication.

normal: Specifies the normal authentication.

qq: Specifies the QQ authentication.

wechat: Specifies the WeChat authentication.

The following matrix shows the auth-type { cloud | email | facebook | local | normal | qq | wechat } option and hardware compatibility:

Hardware | Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface.

ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user.

mac mac-address: Specifies the MAC address of an online portal user, in the format of H-H-H.

The following matrix shows the mac mac-address option and hardware compatibility:

Hardware | Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

username username: Specifies the username of an online portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

The following matrix shows the username username option and hardware compatibility:

Hardware | Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Examples

# Log out the portal user whose IP address is 1.1.1.1.

<Sysname> system-view

[Sysname] portal delete-user 1.1.1.1

# Log out the portal user whose MAC address is 000d-88f8-0eab.

<Sysname> system-view

[Sysname] portal delete-user mac 000d-88f8-0eab

# Log out all portal users that come online through email authentication.

<Sysname> system-view

[Sysname] portal delete-user auth-type email

# Log out the portal user whose username is abc.

<Sysname> system-view

[Sysname] portal delete-user username abc

Related commands

display portal user

portal device-id

Use portal device-id to specify the device ID.

Use undo portal device-id to restore the default.

Syntax

portal device-id device-id

undo portal device-id

Default

A device is not configured with a device ID.

Views

System view

Predefined user roles

network-admin

Parameters

device-id: Specifies a device ID for the device, a case-sensitive string of 1 to 63 characters.

Usage guidelines

The portal authentication server uses device IDs to identify the device that sends protocol packets to the portal server.

Make sure the configured device ID is different from the device ID of any other access device that communicates with the same portal authentication server.

Examples

# Set the device ID of the device to 0002.0010.100.00.

<Sysname> system-view

[Sysname] portal device-id 0002.0010.100.00

portal domain

Use portal [ ipv6 ] domain to configure a portal authentication domain on an interface or a service template. All portal users accessing through the interface or service template must use the authentication domain.

Use undo portal [ ipv6 ] domain to delete the configured portal authentication domain.

Syntax

portal [ ipv6 ] domain domain-name

undo portal [ ipv6 ] domain

Default

No portal authentication domain is configured on an interface or a service template.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users.

domain-name: Specifies an ISP authentication domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

You can specify both an IPv4 portal authentication domain and an IPv6 portal authentication domain on an interface or on a service template.

Do not specify the ipv6 keyword for IPv4 portal users.

Examples

# Configure the authentication domain as my-domain for IPv4 portal users on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal domain my-domain

# Configure the authentication domain as my-domain for IPv4 portal users on service template service1. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal domain my-domain

Related commands

display portal

portal dual-stack enable

Use portal dual-stack enable to enable the portal dual-stack feature.

Use undo portal dual-stack enable to disable the portal dual-stack feature.

Syntax

portal dual-stack enable

undo portal dual-stack enable

Default

The portal dual-stack feature is disabled.

Views

Interface view

Service template view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

The portal dual-stack feature enables portal users to access both IPv4 and IPv6 networks after passing one type (IPv4 or IPv6) of portal authentication.

Only direct portal authentication supports this feature.

Examples

# Enable the portal dual-stack feature on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal dual-stack enable

# Enable the portal dual-stack feature on service template service1. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal dual-stack enable

Related commands

portal dual-stack traffic-separate enable

portal dual-stack traffic-separate enable

Use portal dual-stack traffic-separate enable to enable separate IPv4 and IPv6 traffic statistics for dual-stack portal users.

Use undo portal dual-stack traffic-separate enable to disable separate IPv4 and IPv6 traffic statistics for dual-stack portal users.

Syntax

portal dual-stack traffic-separate enable

undo portal dual-stack traffic-separate enable

Default

Separate IPv4 and IPv6 traffic statistics are disabled for dual-stack portal users. The device collects IPv4 and IPv6 traffic statistics collectively.

Views

Interface view

Service template view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

This feature enables the device to separately collect IPv4 traffic statistics and IPv6 traffic statistics for a dual-stack portal user. Then, the AAA server can separately perform accounting on IPv4 traffic and IPv6 traffic of the user.

For this feature to take effect, you must enable the portal dual-stack feature.

This command takes precedence over the accounting dual-stack command in ISP domain view.

Examples

# Enable separate IPv4 and IPv6 traffic statistics for dual-stack portal users on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal dual-stack traffic-separate enable

# Enable separate IPv4 and IPv6 traffic statistics for dual-stack portal users on service template service1. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal dual-stack traffic-separate enable

Related commands

portal dual-stack enable

portal enable

Use portal [ ipv6 ] enable to enable portal authentication.

Use undo portal [ ipv6 ] enable to disable portal authentication.

Syntax

Interface view:

portal enable method { direct | layer3 | redhcp }

portal ipv6 enable method { direct | layer3 }

undo portal [ ipv6 ] enable

Service template:

portal [ ipv6 ] enable method direct

undo portal [ ipv6 ] enable

Default

Portal authentication is disabled.

Views

Interface view

Service template

Predefined user roles

network-admin

Parameters

ipv6: Enables IPv6 portal authentication. Do not specify this keyword for IPv4 portal authentication.

method: Specifies an authentication mode:

·     direct—Direct authentication.

·     layer3—Cross-subnet authentication.

·     redhcp—Re-DHCP authentication.

Usage guidelines

To modify the portal authentication mode, first execute the undo form of this command to disable portal authentication.

Make sure the device supports IPv6 ACL and IPv6 forwarding before you enable IPv6 portal authentication on the interface.

IPv6 portal authentication does not support the re-DHCP authentication mode.

Do not add a portal authentication-enabled Ethernet interface to an aggregation group. Otherwise, portal authentication cannot take effect on the interface.

You can enable both IPv4 and IPv6 portal authentication on an interface or on a service template.

Only direct portal authentication is supported on a service template.

Do not enable portal authentication on both an interface and a service template.

Examples

# Enable direct IPv4 portal authentication on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal enable method direct

# Enable direct IPv4 portal authentication on service template service1. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal enable method direct

Related commands

display portal

portal extend-auth domain

Use portal extend-auth domain to specify the authentication domain for third-party authentication.

Use undo portal extend-auth domain to remove the authentication domain for third-party authentication.

Syntax

portal extend-auth domain domain-name

undo portal extend-auth domain

Default

No authentication domain is specified for third-party authentication.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters.

Usage guidelines

The specified ISP domain takes effect only on IPv4 portal users that use third-party authentication.

Examples

# Specify authentication domain my-domain for third-party authentication on GigabitEthernet 1/0/1. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal extend-auth domain my-domain

# Specify authentication domain my-domain for third-party authentication on service template service1. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal extend-auth domain my-domain

Related commands

display portal

portal extend-auth-server

Use portal extend-auth-server to create a third-party authentication server and enter its view, or enter the view of an existing third-party authentication server.

Use undo portal extend-auth-server to delete a third-party authentication server.

Syntax

portal extend-auth-server { facebook | mail | qq | wechat }

undo portal extend-auth-server { facebook | mail | qq | wechat }

Default

No third-party authentication servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

facebook: Specifies the Facebook authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

Usage guidelines

The device supports using a third-party portal authentication server for portal authentication. A portal user can use a third-party account instead of a portal account to perform portal authentication. If the user passes third-party authentication, the third-party server notifies the device that the user has passed authentication. Then, the device interacts with the local portal Web server to complete the remaining process of portal authentication.

Only direct portal authentication that uses a local portal Web server supports third-party authentication.

Examples

# Create a QQ authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq]

# Create an email authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server mail

[Sysname-portal-extend-auth-server-mail]

# Create a WeChat authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat]

# Create a Facebook authentication server and enter its view.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-fb]

Related commands

display portal extend-auth-server

portal fail-permit server

Use portal [ ipv6 ] fail-permit server to enable the portal fail-permit feature for a portal authentication server.

Use undo portal [ ipv6 ] fail-permit server to disable the portal fail-permit feature for the portal authentication server.

Syntax

portal [ ipv6 ] fail-permit server server-name

undo portal [ ipv6 ] fail-permit server

Default

Portal fail-permit is disabled for the portal authentication server.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server.

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

When portal fail-permit is enabled for a portal authentication server and portal Web servers on an interface, the interface disables portal authentication in either of the following conditions:

·     All portal Web servers are unreachable.

·     The specified portal authentication server is unreachable.

Portal authentication resumes on the interface when the specified portal authentication server and a minimum of one portal Web server become reachable. After portal authentication resumes, users who failed portal authentication and unauthenticated portal users need to pass authentication to access network resources. Portal users who have passed authentication can continue accessing network resources.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable portal fail-permit for portal authentication server pts1 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal fail-permit server pts1

Related commands

display portal

portal fail-permit web-server

Use portal [ ipv6 ] fail-permit web-server to enable the portal fail-permit feature for portal Web servers.

Use undo portal [ ipv6 ] fail-permit web-server to disable the portal fail-permit feature for portal Web servers.

Syntax

portal [ ipv6 ] fail-permit web-server

undo portal [ ipv6 ] fail-permit web-server

Default

Portal fail-permit is disabled for portal Web servers.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal Web servers. To specify IPv4 portal Web servers, do not specify this keyword.

Usage guidelines

The following matrix shows the support of the MSR routers for this command in different views:

Hardware | Interface view | Service template view
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes | Yes
MSR810-LMS/810-LUS | Yes | No
MSR2600-6-X1/2600-10-X1 | Yes | Yes
MSR 2630 | Yes | Yes
MSR3600-28/3600-51 | Yes | Yes
MSR3600-28-SI/3600-51-SI | Yes | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes | No
MSR 3610/3620/3620-DP/3640/3660 | Yes | Yes
MSR5620/5660/5680 | Yes | No

On an interface or service template enabled with portal fail-permit for a portal authentication server and portal Web servers, portal authentication becomes disabled in either of the following conditions:

·     All portal Web servers are unreachable.

·     The specified portal authentication server is unreachable.

Portal authentication resumes when the specified portal authentication server and a minimum of one portal Web server become reachable. After portal authentication resumes, users who failed portal authentication and unauthenticated portal users need to pass authentication to access network resources. Portal users who have passed authentication can continue accessing network resources.

On the same interface or service template, the portal Web server is unreachable when both the primary and backup portal Web servers are unreachable.

Before you configure this feature for a service template, make sure the service template is disabled.

Examples

# Enable portal fail-permit for the portal Web servers on service template service1.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal fail-permit web-server

Related commands

display portal

portal forbidden-rule

Use portal forbidden-rule to configure a portal-forbidden rule.

Use undo portal forbidden-rule to delete portal-forbidden rules.

Syntax

portal forbidden-rule rule-number [ source { { ip { ipv4-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } | ssid ssid-name } * ] destination { host-name | { ip { ipv4-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } }

undo portal forbidden-rule { rule-number | all }

Default

No portal-forbidden rules are configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies the number of a portal-forbidden rule. The value range for this argument is 0 to 4294967295.

source: Specifies the source information.

ip ipv4-address: Specifies an IPv4 address.

{ mask-length | mask }: Specifies the subnet mask of the IPv4 address. The mask-length argument represents the length of a subnet mask, in the range of 0 to 32. The mask argument represents a subnet mask in dotted decimal notation.

ip any: Specifies any IPv4 address.

tcp tcp-port-number: Specifies a TCP port number in the range of 0 to 65535.

udp udp-port-number: Specifies a UDP port number in the range of 0 to 65535.

ipv6 ipv6-address: Specifies an IPv6 address.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

ipv6 any: Specifies any IPv6 address.

ssid ssid-name: Specifies an SSID by its name, a case-sensitive string of 1 to 32 characters.

host-name: Specifies a destination host by its name, a case-insensitive string of 1 to 253 characters. The host name string can include asterisk wildcard characters (*) to represent one or more characters. The device automatically converts multiple consecutive asterisks to one asterisk.

all: Specifies all portal-forbidden rules.

Usage guidelines

Portal-forbidden rules are used to filter HTTP or HTTPS packets from the specified sources or destined for the specified destinations. The device drops HTTP or HTTPS packets that match the portal-forbidden rules.

Portal-forbidden rules take effect only when portal authentication is enabled.

In a portal-forbidden rule, the source and destination IP addresses must be of the same IP type, and the source and destination ports must be of the same transport protocol type.

You can configure multiple portal-forbidden rules. The source or destination information in a newly configured rule cannot be included in the source or destination information in an existing rule.

If the source or destination information in a portal-free rule and that in a portal-forbidden rule overlap, the portal-forbidden rule takes effect.

Examples

# Configure portal-forbidden rule 10 to prohibit portal users from accessing website www.xyz.com.

<Sysname> system-view

[Sysname] portal forbidden-rule 10 source ip any destination www.xyz.com

# Configure portal-forbidden rule 12 to prohibit the portal user with IP address 1.1.1.1/32 from accessing IP address 2.2.2.2/32.

<Sysname> system-view

[Sysname] portal forbidden-rule 12 source ip 1.1.1.1 32 destination ip 2.2.2.2 32

Related commands

display portal rule

portal free-all except destination

Use portal free-all except destination to configure an IPv4 portal authentication destination subnet on an interface.

Use undo portal free-all except destination to delete the IPv4 portal authentication destination subnets on the interface.

Syntax

portal free-all except destination ipv4-network-address { mask-length | mask }

undo portal free-all except destination [ ipv4-network-address ]

Default

No IPv4 portal authentication destination subnet is configured on the interface. Portal users must pass portal authentication to access any subnet.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-network-address: Specifies an IPv4 portal authentication subnet address.

mask-length: Specifies the subnet mask length for the authentication subnet address, in the range of 0 to 32.

mask: Specifies the subnet mask in dotted decimal format.

Usage guidelines

Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication.

You can configure multiple authentication destination subnets.

If you do not specify the ipv4-network-address argument in the undo portal free-all except destination command, this command deletes all IPv4 portal authentication destination subnets on the interface.

Re-DHCP authentication does not support authentication destination subnets.

If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.

Examples

# Configure an IPv4 portal authentication destination subnet of 11.11.11.0/24 on GigabitEthernet 1/0/1. Portal users need to pass authentication to access this subnet and can access other subnets without authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal free-all except destination 11.11.11.0 24

Related commands

display portal

portal free-rule

Use portal free-rule to configure an IP-based portal-free rule.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number { destination ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]

portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | source ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]

undo portal free-rule { rule-number | all }

Default

No IP-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.

destination: Specifies the destination information.

source: Specifies the source information.

ip ip-address: Specifies an IPv4 address for the portal-free rule.

{ mask-length | mask }: Specifies the subnet mask of the IPv4 address. The value range for the mask-length argument is 0 to 32. The mask argument is in dotted decimal format.

ipv6 ipv6-address: Specifies an IPv6 address for the portal-free rule.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

ip any: Represents any IPv4 address.

ipv6 any: Represents any IPv6 address.

tcp tcp-port-number: Specifies a TCP port number for the portal-free rule, in the range of 0 to 65535.

udp udp-port-number: Specifies a UDP port number for the portal-free rule, in the range of 0 to 65535.

all: Specifies all portal-free rules.

interface interface-type interface-number: Specifies a Layer 3 interface on which the portal-free rule takes effect.

Usage guidelines

You can specify both the source and destination keyword for a portal-free rule. If you specify only one keyword, the other keyword does not act as a filtering criterion.

If you specify both a source port number and a destination port number for a portal-free rule, the two port numbers must belong to the same transport layer protocol.

If you do not specify a Layer 3 interface, the portal-free rule takes effect on all portal-enabled interfaces.

You cannot configure two portal-free rules with the same filtering criteria.

Examples

# Configure an IPv4-based portal-free rule:

·     Set the rule number to 1.

·     Specify the source IP address as 10.10.10.1/24, the destination IP address as 20.20.20.1, and the destination TCP port number as 23.

·     Specify the interface where the rule is applied as GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] portal free-rule 1 destination ip 20.20.20.1 32 tcp 23 source ip 10.10.10.1 24 interface gigabitethernet 1/0/1

With this rule, users in subnet 10.10.10.1/24 do not need to pass portal authentication through GigabitEthernet 1/0/1 when they access services provided on TCP port 23 of host 20.20.20.1.

# Configure an IPv6-based portal-free rule:

·     Set the rule number to 2.

·     Specify the source IP address as 2000::1/64, the destination IP address as 2001::1, and the destination TCP port number as 23.

·     Specify the interface where the rule is applied as GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] portal free-rule 2 destination ipv6 2001::1 128 tcp 23 source ipv6 2000::1 64 interface gigabitethernet 1/0/1

With this rule, users in subnet 2000::1/64 do not need to pass portal authentication through GigabitEthernet 1/0/1 when they access services provided on TCP port 23 of host 2001::1.

Related commands

display portal rule

portal free-rule description

Use portal free-rule description to configure a description for a portal-free rule.

Use undo portal free-rule description to delete the description of a portal-free rule.

Syntax

portal free-rule rule-number description text

undo portal free-rule rule-number description

Default

No description is configured for a portal-free rule.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule by its rule number. The value range for this argument varies by device mode.

text: Specifies the description, a case-sensitive string of 1 to 255 characters.

Examples

# Configure a description of This is IT department for portal-free rule 2.

<Sysname> system-view

[Sysname] portal free-rule 2 description This is IT department

portal free-rule destination

Use portal free-rule destination to configure a destination-based portal-free rule.

Use undo portal free-rule to delete portal-free rules.

Syntax

portal free-rule rule-number destination host-name

undo portal free-rule { rule-number | all }

Default

No destination-based portal-free rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.

destination: Specifies the destination host.

host-name: Specifies the destination host by its name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), dots (.), and asterisks (*). The host name string cannot be ip or ipv6.

all: Specifies all portal-free rules.

Usage guidelines

You can configure a host name in one of the following ways:

·     For exact match—Specify a complete host name. For example, if you configure the host name as abc.com.cn in the portal-free rule, only packets that contain the host name abc.com.cn match the rule. Packets that carry any other host names (such as dfabc.com.cn) do not match the rule.

·     For fuzzy match—Specify a host name by placing the asterisk (*) wildcard character at the beginning or end of the host name string. For example, if you configure the host name as *abc.com.cn, abc*, or *abc*, packets that carry the host name ending with abc.com.cn, starting with abc, or including abc match the rule.

    -     The asterisk (*) wildcard character represents any characters. The device treats multiple consecutive asterisks as one.

    -     The configured host name cannot contain only asterisks (*).

The fuzzy match feature takes effect only on HTTP or HTTPS requests initiated by Web browsers.

You cannot configure two destination-based portal-free rules with the same destination information. Otherwise the system prompts you that the same rule already exists.

Examples

# Configure a destination-based portal-free rule: specify the rule number as 4 and host name as www.h3c.com. This rule allows the portal user who sends the HTTP/HTTPS request that carries the host name www.h3c.com to access network resources without authentication.

<Sysname> system-view

[Sysname] portal free-rule 4 destination www.h3c.com
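The host-name matching rules described above (exact match without an asterisk, fuzzy match with leading or trailing asterisks, consecutive asterisks collapsed, case-insensitive comparison, duplicate rules rejected) and the precedence rule from portal forbidden-rule (a forbidden rule wins where it overlaps a free rule) are modelled in the following added example. It is illustrative code written for this page, not H3C's implementation; rules 10 and 4 are the page's own examples, rules 5 and 11 and the HTTP Host values are constructed.

```python
"""Model of destination-based portal-free rules and portal-forbidden rules
keyed on the HTTP/HTTPS Host name (illustrative, not Comware code)."""
import re
from dataclasses import dataclass
from typing import List

MAX_HOST_NAME_LEN = 253  # page: host-name is 1 to 253 characters


def normalize_host_pattern(pattern: str) -> str:
    """Canonical form of a configured host name.

    Rules from the page: comparison is case-insensitive, multiple consecutive
    asterisks are treated as one, and the string may not be only asterisks.
    """
    p = re.sub(r"\*+", "*", pattern.strip().lower())
    if not p or p.strip("*") == "":
        raise ValueError("host name must contain characters other than '*'")
    if len(p) > MAX_HOST_NAME_LEN:
        raise ValueError("host name longer than %d characters" % MAX_HOST_NAME_LEN)
    return p


def host_matches(pattern: str, host: str, star_needs_char: bool) -> bool:
    """True if the request's Host value matches the configured host name.

    Without an asterisk only an exact match counts (abc.com.cn does not match
    dfabc.com.cn). With asterisks each '*' matches a run of characters: the
    page words the forbidden-rule asterisk as 'one or more characters' and the
    free-rule asterisk as 'any characters', which star_needs_char selects.
    """
    p = normalize_host_pattern(pattern)
    h = host.strip().lower().rstrip(".")  # tolerate a trailing dot in Host
    if "*" not in p:
        return h == p
    star = ".+" if star_needs_char else ".*"
    regex = star.join(re.escape(part) for part in p.split("*"))
    return re.fullmatch(regex, h) is not None


@dataclass(frozen=True)
class HostRule:
    number: int
    pattern: str
    forbidden: bool  # True: portal forbidden-rule; False: portal free-rule destination


class PortalHostRules:
    """Rule table with the page's 'the same rule already exists' check."""

    def __init__(self) -> None:
        self.rules: List[HostRule] = []

    def add(self, rule: HostRule) -> None:
        canon = normalize_host_pattern(rule.pattern)
        for r in self.rules:
            if r.forbidden == rule.forbidden and r.pattern == canon:
                raise ValueError(f"the same rule already exists (rule {r.number})")
        self.rules.append(HostRule(rule.number, canon, rule.forbidden))

    def decide(self, host: str) -> str:
        """'drop' (forbidden rule), 'free' (no authentication) or 'authenticate'."""
        # Overlap between a free rule and a forbidden rule: the forbidden rule takes effect.
        if any(r.forbidden and host_matches(r.pattern, host, True) for r in self.rules):
            return "drop"
        if any(not r.forbidden and host_matches(r.pattern, host, False) for r in self.rules):
            return "free"
        return "authenticate"


def build_sample_rules() -> PortalHostRules:
    """Constructed rule set: rules 10 and 4 are the page's examples, 5 and 11 are made up."""
    table = PortalHostRules()
    table.add(HostRule(10, "www.xyz.com", forbidden=True))         # page example
    table.add(HostRule(4, "www.h3c.com", forbidden=False))         # page example
    table.add(HostRule(5, "*.cdn-example.test", forbidden=False))  # constructed
    table.add(HostRule(11, "**tracker**", forbidden=True))         # constructed; '**' collapses to '*'
    return table


if __name__ == "__main__":
    table = build_sample_rules()
    for name in ("www.h3c.com", "dfwww.h3c.com", "WWW.XYZ.COM",
                 "static.cdn-example.test", "ads-tracker.cdn-example.test"):
        print(f"{name:32} -> {table.decide(name)}")
```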

Related commands

display portal rule

portal free-rule source

Use portal free-rule source to configure a source-based portal-free rule. The filtering criteria include source MAC address, source interface, and source VLAN.

Use undo portal free-rule to delete a specific or all portal-free rules.

Syntax

portal free-rule rule-number source { ap ap-name | { interface interface-type interface-number | mac mac-address | object-group object-group-name | vlan vlan-id } * }

undo portal free-rule { rule-number | all }

Default

No source-based portal-free rules exist.

Views

System view

Predefined user roles

network-admin

Parameters

rule-number: Specifies a portal-free rule number. The value range for this argument is 0 to 4294967295.

ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-). This option is applicable only when portal authentication is enabled on a service template.

The following matrix shows the ap ap-name option and hardware compatibility:

Hardware | Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | No
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | No

interface interface-type interface-number: Specifies a source interface by its type and number for the portal-free rule.

mac mac-address: Specifies a source MAC address for the portal-free rule, in the form of H-H-H.

object-group object-group-name: Specifies a source object group by its name, a case-insensitive string of 1 to 31 characters.

vlan vlan-id: Specifies a source VLAN ID for the portal-free rule. This option takes effect only on portal users that access the network through VLAN interfaces.

all: Specifies all portal-free rules.

Usage guidelines

If you specify both the source VLAN and the source Layer 2 interface, the interface must be in the VLAN.

When you specify an object group in a source-based portal-free rule, make sure the specified object group already exists. You can specify only IPv4 and IPv6 address object groups.

If portal users came online before source-based portal-free rules were configured, the device continues accounting for the traffic of those users.

Examples

# Configure a source-based portal-free rule: specify the rule number as 3, source MAC address as 1-1-1, and source VLAN ID as 10. This rule allows the portal user whose source MAC address is 1-1-1 from VLAN 10 to access network resources without authentication.

<Sysname> system-view

[Sysname] portal free-rule 3 source mac 1-1-1 vlan 10

# Configure a source-based portal-free rule: specify the rule number as 4 and source AP name as ap10. This rule allows portal users on AP ap10 to access network resources without authentication.

<Sysname> system-view

[Sysname] portal free-rule 4 source ap ap10

Related commands

display portal rule

portal host-check enable

Use portal host-check enable to enable validity check on wireless portal clients.

Use undo portal host-check enable to disable validity check on wireless portal clients.

Syntax

portal host-check enable

undo portal host-check enable

Default

Validity check on wireless portal clients is disabled. The device checks wireless portal client validity according to ARP entries only.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility (Yes = supported, No = not supported):

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK: Yes
MSR810-LMS/810-LUS: No
MSR2600-6-X1/2600-10-X1: Yes
MSR 2630: Yes
MSR3600-28/3600-51: Yes
MSR3600-28-SI/3600-51-SI: No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: No
MSR 3610/3620/3620-DP/3640/3660: Yes
MSR5620/5660/5680: No

By default, the device checks wireless portal client validity according to ARP entries only. In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries. To ensure that valid users can perform portal authentication, you must enable wireless client validity check on the AC.

This feature enables the AC to validate a client by looking up the client information in the WLAN snooping table, DHCP snooping table, and ARP table. If the client information exists, the AC determines the client to be valid for portal authentication.

To view information about WLAN or DHCP snooping entries, execute the display ip source binding command.

Examples

# Enable validity check on wireless portal clients.

<Sysname> system-view

[Sysname] portal host-check enable

Related commands

display ip source binding

portal ipv6 free-all except destination

Use portal ipv6 free-all except destination to configure an IPv6 portal authentication destination subnet on an interface.

Use undo portal ipv6 free-all except destination to delete IPv6 portal authentication destination subnets on the interface.

Syntax

portal ipv6 free-all except destination ipv6-network-address prefix-length

undo portal ipv6 free-all except destination [ ipv6-network-address ]

Default

No IPv6 portal authentication destination subnet is configured on the interface. Portal users must pass portal authentication to access any IPv6 subnet.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-network-address: Specifies an IPv6 portal authentication destination subnet.

prefix-length: Specifies the prefix length of the IPv6 subnet, in the range of 0 to 128.

Usage guidelines

Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication.

You can configure multiple authentication destination subnets.

If you do not specify the ipv6-network-address argument in the undo portal ipv6 free-all except destination command, this command deletes all IPv6 portal authentication destination subnets on the interface.

Re-DHCP authentication does not support authentication destination subnets.

If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.

Examples

# Configure an IPv6 portal authentication destination subnet of 1::2/16 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal ipv6 free-all except destination 1::2 16

Related commands

display portal

portal ipv6 layer3 source

Use portal ipv6 layer3 source to configure an IPv6 portal authentication source subnet on an interface.

Use undo portal ipv6 layer3 source to delete IPv6 portal authentication source subnets on an interface.

Syntax

portal ipv6 layer3 source ipv6-network-address prefix-length

undo portal ipv6 layer3 source [ ipv6-network-address ]

Default

No IPv6 portal authentication source subnet is configured on the interface. Portal users from any IPv6 subnet must pass portal authentication.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-network-address: Specifies an IPv6 portal authentication source subnet address.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

Usage guidelines

With IPv6 authentication source subnets configured, only packets from IPv6 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv6 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.

If you do not specify the ipv6-network-address argument in the undo portal ipv6 layer3 source command, this command deletes all IPv6 portal authentication source subnets on the interface.

Only cross-subnet authentication supports authentication source subnets.

If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.

Examples

# Configure an IPv6 portal authentication source subnet of 1::1/16 on GigabitEthernet 1/0/1. Only portal users from subnet 1::1/16 trigger portal authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal ipv6 layer3 source 1::1 16

Related commands

display portal

portal ipv6 free-all except destination

portal ipv6 user-detect

Use portal ipv6 user-detect to enable online detection of IPv6 portal users.

Use undo portal ipv6 user-detect to disable online detection of IPv6 portal users.

Syntax

portal ipv6 user-detect type { icmpv6 | nd } [ retry retries ] [ interval interval ] [ idle time ]

undo portal ipv6 user-detect

Default

Online detection of IPv6 portal users is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

type: Specifies the detection type.

·     icmpv6—ICMPv6 detection.

·     nd—ND detection.

retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.

interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.

idle time: Sets the user idle timeout in the range of 60 to 3600 seconds. The default idle timeout is 180 seconds. When the timeout expires, online detection of portal users is started.

Usage guidelines

If the device receives no packets from a portal user within the idle time, the device detects the user's online status as follows:

·     ICMPv6 detection—Sends ICMPv6 requests to the user at configurable intervals to detect the user status.

¡     If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡     If the device receives no reply after the maximum number of detection attempts, the device logs out the user.

·     ND detection—Sends ND requests to the user and detects the ND entry status of the user at configurable intervals.

¡     If the ND entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ND entry. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡     If the ND entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.

Direct authentication and re-DHCP authentication support both ND detection and ICMPv6 detection. Cross-subnet authentication only supports ICMPv6 detection.

If firewall policies on the access device filter out ICMPv6 packets, ICMPv6 detection might fail and result in the logout of portal users. Make sure the access device does not block ICMPv6 packets before you enable ICMPv6 detection on an interface.
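The following Python is an added example, not code from the H3C manual: it replays the online-detection timeline described above for a given retry, interval and idle setting, so an operator can see when a user is probed and when a user whose ICMPv6 replies are filtered gets logged out. The page does not say exactly when the logout is declared after the last unanswered probe; the example assumes one detection interval after that probe. Function names and the sample timelines are the example's own.

```python
from typing import List, Sequence, Tuple

# Added example, not code from the H3C manual: a model of the online
# detection timeline described above, using the portal ipv6 user-detect
# parameters. Times are seconds since the user's last observed packet.
# Assumption (not stated on the page): the device declares the user offline
# one detection interval after the last unanswered probe.


def probe_times(idle: int, interval: int, retries: int) -> List[int]:
    """Times at which detection packets are sent: the first when the idle
    timer expires, then one per interval, up to `retries` attempts."""
    if not 60 <= idle <= 3600:
        raise ValueError("idle time must be 60 to 3600 seconds")
    if not 1 <= interval <= 1200:
        raise ValueError("interval must be 1 to 1200 seconds")
    if not 1 <= retries <= 10:
        raise ValueError("retry must be 1 to 10")
    return [idle + n * interval for n in range(retries)]


def detection_outcome(idle: int, interval: int, retries: int,
                      reply_times: Sequence[float]) -> Tuple[str, float]:
    """Replay the detection against the times at which replies (ICMPv6 echo
    replies or ND entry refreshes) were seen.

    Returns ("online", t) when a reply arrives before the next probe is due,
    which is when the device resets the idle timer, or ("logout", t) when all
    attempts go unanswered.
    """
    for sent in probe_times(idle, interval, retries):
        if any(sent <= r < sent + interval for r in reply_times):
            return ("online", sent)
    return ("logout", idle + retries * interval)


def worst_case_logout(idle: int, interval: int, retries: int) -> int:
    """Seconds of silence before a user who never answers is logged out."""
    return idle + retries * interval


if __name__ == "__main__":
    # Constructed scenarios for the settings in the example below:
    # idle 300, interval 10, retry 5.
    print(probe_times(300, 10, 5))                 # [300, 310, 320, 330, 340]
    print(detection_outcome(300, 10, 5, []))       # ('logout', 350)
    print(detection_outcome(300, 10, 5, [312.5]))  # ('online', 310)
```

The empty reply list is exactly the case the caution above describes: with ICMPv6 dropped by a policy on the access device, every probe goes unanswered and the user is logged out idle + retry × interval seconds after their last packet, regardless of whether they are still connected.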

Examples

# Enable online detection of IPv6 portal users on GigabitEthernet 1/0/1. Configure the detection type as ICMPv6, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal ipv6 user-detect type icmpv6 retry 5 interval 10 idle 300

Related commands

display portal

portal layer3 source

Use portal layer3 source to configure an IPv4 portal authentication source subnet.

Use undo portal layer3 source to delete IPv4 portal authentication source subnets.

Syntax

portal layer3 source ipv4-network-address { mask-length | mask }

undo portal layer3 source [ ipv4-network-address ]

Default

No IPv4 portal authentication source subnet is configured. Portal users from any IPv4 subnet must pass portal authentication.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4-network-address: Specifies an IPv4 portal authentication source subnet address.

mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.

mask: Specifies the subnet mask in dotted decimal format.

Usage guidelines

With IPv4 authentication source subnets configured, only packets from IPv4 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv4 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.

If you do not specify the ipv4-network-address argument in the undo portal layer3 source command, this command deletes all IPv4 portal authentication source subnets on the interface.

Only cross-subnet authentication supports authentication source subnets.

If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.

Examples

# Configure an IPv4 portal authentication source subnet of 10.10.10.0/24 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal layer3 source 10.10.10.0 24

Related commands

display portal

portal free-all except destination

portal local-web-server

Use portal local-web-server to create a local portal Web server and enter its view, or enter the view of an existing local portal Web server.

Use undo portal local-web-server to delete the local portal Web server.

Syntax

portal local-web-server { http | https [ ssl-server-policy policy-name ] [ tcp-port port-number ] }

undo portal local-web-server { http | https }

Default

No local portal Web servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

http: Configures the local portal Web server to use HTTP to exchange authentication information with clients.

https: Configures the local portal Web server to use HTTPS to exchange authentication information with clients.

ssl-server-policy policy-name: Specifies an existing SSL server policy for HTTPS. The policy name is a case-insensitive string of 1 to 31 characters. If you do not specify this option, HTTPS is associated with the SSL server policy that uses the device's self-signed certificate, and that policy supports all cipher suites. Clients cannot validate a self-signed certificate, so browsers warn users before they reach the logon page; to avoid the warning and to restrict the cipher suites, specify a policy whose certificate the clients trust.

tcp-port port-number: Specifies the listening TCP port number for HTTPS. The value range for the port-number argument is 1 to 65535. The default port number is 443.

Usage guidelines

After a local portal Web server is configured on the access device, the access device also acts as the portal Web server and the portal authentication server. No external portal Web server and portal authentication server are needed.

For an interface to use the local portal Web server, the URL of the portal Web server specified for the interface must meet the following requirements:

·     The IP address in the URL must be a local IP address on the device.

·     The URL must end with /portal/. For example: http://1.1.1.1/portal/.

You cannot delete an SSL server policy by using the undo ssl server-policy command when the policy is associated with HTTPS.

To specify a new SSL server policy for HTTPS, first execute the undo form of this command to delete the existing local portal Web server.

When you specify the listening TCP port number for the HTTPS-based local portal Web server, follow these restrictions and guidelines:

·     For the HTTPS-based local portal Web server and other services that use HTTPS:

¡     If they use the same SSL server policy, they can use the same TCP port number to listen to HTTPS.

¡     If they use different SSL server policies, they cannot use the same TCP port number to listen to HTTPS.

·     Do not configure the HTTPS listening TCP port number as the port number used by a known protocol (except HTTPS) or other service.

·     Do not configure the same TCP port number for HTTP-based and HTTPS-based local portal Web servers.

Examples

# Configure a local portal Web server. Use HTTP to exchange authentication information with clients.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] quit

# Configure a local portal Web server. Use HTTPS to exchange authentication information with clients, and specify the SSL server policy policy1 for HTTPS.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1

[Sysname-portal-local-websvr-https] quit

# Change the SSL server policy to policy2.

[Sysname] undo portal local-web-server https

[Sysname] portal local-web-server https ssl-server-policy policy2

[Sysname-portal-local-websvr-https] quit

# Configure a local portal Web server. Use HTTPS to exchange authentication information with clients, specify the SSL server policy policy1 for HTTPS, and set the TCP listening port number to 442.

<Sysname> system-view

[Sysname] portal local-web-server https ssl-server-policy policy1 tcp-port 442

[Sysname-portal-local-websvr-https] quit

Related commands

default-logon-page

portal local-web-server

ssl server-policy

portal logout-record enable

Use portal logout-record enable to enable portal user offline recording.

Use undo portal logout-record enable to disable portal user offline recording.

Syntax

portal logout-record enable

undo portal logout-record enable

Default

Portal user offline recording is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility (Yes = supported, No = not supported):

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS: No
MSR2600-6-X1/2600-10-X1: Yes
MSR 2630: Yes
MSR3600-28/3600-51: Yes
MSR3600-28-SI/3600-51-SI: Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: Yes
MSR 3610/3620/3620-DP/3640/3660: Yes
MSR5620/5660/5680: Yes

This feature enables the device to save all portal user offline records and to periodically send the records to the Oasis cloud server or other servers.

Examples

# Enable portal user offline recording.

<Sysname> system-view

[Sysname] portal logout-record enable

Related commands

display portal logout-record

portal logout-record export

Use portal logout-record export to export portal user offline records to a path.

Syntax

portal logout-record export url url-string [ start-time start-date start-time end-time end-date end-time ]

Views

System view

Predefined user roles

network-admin

Parameters

url url-string: Specifies the URL to which portal user offline records are exported. The URL is a case-insensitive string of 1 to 255 characters.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The following matrix shows the command and hardware compatibility (Yes = supported, No = not supported):

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS: No
MSR2600-6-X1/2600-10-X1: Yes
MSR 2630: Yes
MSR3600-28/3600-51: Yes
MSR3600-28-SI/3600-51-SI: Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: Yes
MSR 3610/3620/3620-DP/3640/3660: Yes
MSR5620/5660/5680: Yes

The device supports FTP, TFTP, and HTTP file transfer methods. Table 49 describes the valid URL format for each method.

Table 49 URL formats

FTP
    URL format: ftp://username[:password]@server-address[:port-number]/file-path
    Example: ftp://a:1@1.1.1.1/authfail/
    Remarks: The username and password must be the same as those on the server. If the server authenticates only the username, no password is required.

TFTP
    URL format: tftp://server-address[:port-number]/file-path
    Example: tftp://1.1.1.1/autherror/
    Remarks: N/A

HTTP
    URL format: http://username[:password]@server-address[:port-number]/file-path
    Example: http://1.1.1.1/autherror/
    Remarks: The username and password must be the same as those on the server. If the server authenticates only the username, no password is required.

If the server address is an IPv6 address, bracket the IPv6 address to distinguish the IPv6 address from the port number. For example, if the server address is 2001::1 and the port number is 21, the URL is ftp://test:test@[2001::1]:21/test/.
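The following Python is an added example, not code from the H3C manual: it validates the url and time-range arguments of portal logout-record export the way Table 49, the IPv6 bracket rule, and the date ranges under Parameters describe them. The default port per scheme (21, 69, 80) is the IANA assignment and is an assumption, since the page does not state what the device uses when no port is given.

```python
from datetime import datetime
from typing import Tuple
from urllib.parse import unquote, urlsplit

# Added example, not code from the H3C manual: validation of the url and
# time-range arguments of portal logout-record export, following Table 49,
# the IPv6 bracket rule above, and the date/time ranges listed under
# Parameters. Default ports per scheme are the IANA assignments, not values
# stated on the page.

ALLOWED_SCHEMES = {"ftp", "tftp", "http"}
DEFAULT_PORTS = {"ftp": 21, "tftp": 69, "http": 80}
DATE_FORMATS = ("%m/%d/%Y", "%Y/%m/%d")


def parse_export_url(url: str) -> dict:
    """Split an export URL into its parts, rejecting what the command would not accept."""
    if not 1 <= len(url) <= 255:
        raise ValueError("URL must be 1 to 255 characters")
    u = urlsplit(url)
    scheme = u.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported transfer method: {u.scheme!r}")
    if scheme == "tftp" and (u.username or u.password):
        raise ValueError("TFTP URLs carry no username or password")
    if not u.hostname:
        raise ValueError("missing server address")
    return {
        "scheme": scheme,
        "username": unquote(u.username) if u.username else None,
        "password": unquote(u.password) if u.password else None,
        "host": u.hostname,   # urlsplit strips the [] around an IPv6 literal
        "port": u.port if u.port is not None else DEFAULT_PORTS[scheme],
        "path": u.path or "/",
    }


def _parse_stamp(date: str, clock: str) -> datetime:
    for fmt in DATE_FORMATS:            # MM/DD/YYYY first, then YYYY/MM/DD
        try:
            stamp = datetime.strptime(f"{date} {clock}", f"{fmt} %H:%M")
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"{date} {clock} is not MM/DD/YYYY or YYYY/MM/DD plus hh:mm")
    if not 1970 <= stamp.year <= 2037:
        raise ValueError("year must be 1970 to 2037")
    return stamp


def parse_time_range(start_date: str, start_time: str,
                     end_date: str, end_time: str) -> Tuple[datetime, datetime]:
    """Return (start, end) for the start-time/end-time keywords, requiring start <= end."""
    start, end = _parse_stamp(start_date, start_time), _parse_stamp(end_date, end_time)
    if end < start:
        raise ValueError("end time precedes start time")
    return start, end


if __name__ == "__main__":
    # Constructed inputs taken from the URL formats described above.
    print(parse_export_url("ftp://test:test@[2001::1]:21/test/"))
    print(parse_export_url("tftp://1.1.1.1/record/logout/"))
    print(parse_time_range("2016/3/4", "14:20", "2016/3/4", "15:00"))
```

Credentials embedded in an FTP or HTTP URL are typed on the CLI in clear text, so use an account that can only write to the export directory. Note also that a date such as 01/02/2003 satisfies both accepted formats; the example takes MM/DD/YYYY first, which is an assumption, since the page does not say which reading the device applies.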

Examples

# Export all portal user offline records to path tftp://1.1.1.1/record/logout/.

<Sysname> system-view

[Sysname] portal logout-record export url tftp://1.1.1.1/record/logout/

# Export portal user offline records in the time range of 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/logout/.

<Sysname> system-view

[Sysname] portal logout-record export url tftp://1.1.1.1/record/logout/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00

Related commands

display portal logout-record

portal logout-record enable

reset portal logout-record

portal logout-record max

Use portal logout-record max to set the maximum number of portal user offline records.

Use undo portal logout-record max to restore the default.

Syntax

portal logout-record max number

undo portal logout-record max

Default

The maximum number of portal user offline records is 32000.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of portal user offline records, in the range of 1 to 4294967295.

Usage guidelines

The following matrix shows the command and hardware compatibility (Yes = supported, No = not supported):

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS: No
MSR2600-6-X1/2600-10-X1: Yes
MSR 2630: Yes
MSR3600-28/3600-51: Yes
MSR3600-28-SI/3600-51-SI: Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: Yes
MSR 3610/3620/3620-DP/3640/3660: Yes
MSR5620/5660/5680: Yes

When the maximum number of portal user offline records is reached, the new record overwrites the oldest one.

Examples

# Set the maximum number of portal user offline records to 50.

<Sysname> system-view

[Sysname] portal logout-record max 50

Related commands

display portal logout-record

portal mac-trigger-server

Use portal mac-trigger-server to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server.

Use undo portal mac-trigger-server to delete the MAC binding server.

Syntax

portal mac-trigger-server server-name

undo portal mac-trigger-server server-name

Default

No MAC binding servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a MAC binding server name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

After you create a MAC binding server, you can configure MAC binding server parameters, such as the server's IP address and the free-traffic threshold.

Examples

# Create the MAC binding server mts and enter its view.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts]

Related commands

display portal mac-trigger-server

portal apply mac-trigger-server

portal max-user

Use portal max-user to set the maximum number of total portal users allowed in the system.

Use undo portal max-user to restore the default.

Syntax

portal max-user max-number

undo portal max-user

Default

The total number of portal users allowed in the system is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of total portal users in the system. The value range for this argument is 1 to 4294967295.

Usage guidelines

If you configure the maximum total number smaller than the number of current online portal users on the device, this command still takes effect. The online users are not affected by this command, but the system forbids new portal users to log in.

This command sets the maximum number of online IPv4 and IPv6 portal users in all.

Make sure the maximum combined number of IPv4 and IPv6 portal users specified on all interfaces or service templates does not exceed the system-allowed maximum number. Otherwise, portal users beyond the system maximum will not be able to log in to the device.

Examples

# Set the maximum number of online portal users allowed in the system to 100.

<Sysname> system-view

[Sysname] portal max-user 100

Related commands

display portal user

portal { ipv4-max-user | ipv6-max-user }

portal nas-id-profile

Use portal nas-id-profile to specify a NAS-ID profile for an interface.

Use undo portal nas-id-profile to restore the default.

Syntax

portal nas-id-profile profile-name

undo portal nas-id-profile

Default

No NAS-ID profile is specified for an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of a NAS-ID profile, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A NAS-ID profile defines the binding relationship between VLANs and NAS-IDs. To configure a NAS-ID profile, use the aaa nas-id profile command.

Portal access matches only the inner VLAN ID of QinQ packets. For more information about QinQ, see Layer 2—LAN Switching Configuration Guide.

If an interface is specified with a NAS-ID profile, the interface prefers to use the bindings defined in the profile.

If no NAS-ID profile is specified for an interface or no matching binding is found in the specified profile, the device uses the device name as the interface NAS-ID.

Examples

# Specify the NAS-ID profile aaa for GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal nas-id-profile aaa

Related commands

aaa nas-id profile

portal nas-port-id format

Use portal nas-port-id format to specify the NAS-Port-Id attribute format.

Use undo portal nas-port-id format to restore the default.

Syntax

portal nas-port-id format { 1 | 2 | 3 | 4 }

undo portal nas-port-id format

Default

The format for the NAS-Port-Id attribute is format 2.

Views

System view

Predefined user roles

network-admin

Parameters

1: Uses format 1 for the NAS-Port-Id attribute.

2: Uses format 2 for the NAS-Port-Id attribute.

3: Uses format 3 for the NAS-Port-Id attribute.

4: Uses format 4 for the NAS-Port-Id attribute.

Usage guidelines

The NAS-Port-Id format supported by RADIUS servers varies by vendor. Use this command to specify the format of the NAS-Port-Id attribute in the RADIUS packets sent for portal users to the RADIUS server. The device then automatically constructs a value for the NAS-Port-Id attribute in the specified format to meet the RADIUS server requirements.

Format 1 contains three space-separated strings: interface-type port-location access-node-id. Spaces are not allowed within a string.

·     The interface-type string specifies the interface type of the NAS port. Available options include:

¡     atm—ATM interface.

¡     eth—Common Ethernet interface.

¡     trunk—Ethernet trunk interface.

¡     0—The interface type information will be reported by the access node to the BRAS.

·     The port-location string represents the location of the access line on the BRAS. Its format is NAS_slot/NAS_subslot/NAS_port:XPI.XCI.

 

NAS_slot: Slot number of the BRAS, in the range of 0 to 31.

NAS_subslot: Subslot number of the BRAS, in the range of 0 to 31.

NAS_port: Port number of the BRAS, in the range of 0 to 63.

XPI.XCI: For ATM interfaces, XPI is the VPI in the range of 0 to 255 and XCI is the VCI in the range of 0 to 65535. For Ethernet interfaces or Ethernet trunk interfaces, XPI is the PVLAN in the range of 0 to 4095 (set to 4096 if there is no PVLAN) and XCI is the CVLAN in the range of 0 to 4095 (set to 4096 if the user is not assigned to a VLAN, as when the end user device is directly connected to a BRAS port).

 

For the access node to report its access line information to the BRAS, all fields will be set to 0s except for the XPI and XCI fields.

·     The access-node-id string specifies the attributes of the access node. Its format is AccessNodeIdentifier/ANI_rack/ANI_frame/ANI_slot/ANI_subslot/ANI_port:ANI_XPI.ANI_XCI, in which the :ANI_XPI.ANI_XCI portion is optional.

 

AccessNodeIdentifier: Identifier description of the access node, a string not longer than 50 characters without spaces.

ANI_rack: Rack number of the access node, in the range of 0 to 15.

ANI_frame: Frame number of the access node, in the range of 0 to 31.

ANI_slot: Slot number of the access node, in the range of 0 to 127.

ANI_subslot: Subslot number of the access node, in the range of 0 to 31.

ANI_port: Port number of the access node, in the range of 0 to 255.

ANI_XPI.ANI_XCI: Optional. This field is mainly used to carry CPE-side service information, identifying the further service type requirement; for example, use it to identify specific services in a multi-PVC scenario. For ATM interfaces, ANI_XPI is the VPI in the range of 0 to 255 and ANI_XCI is the VCI in the range of 0 to 65535. For Ethernet interfaces or Ethernet trunk interfaces, ANI_XPI is the PVLAN in the range of 0 to 4095 (set to 4096 if there is no PVLAN) and ANI_XCI is the CVLAN in the range of 0 to 4095 (set to 4096 if the user is not assigned to a VLAN, as when the end user device is directly connected to a BRAS port).

 

If the device does not have rack, frame, or subslot information, 0 is padded in the corresponding field.

For ATM interfaces, all fields in the access-node-id string are filled with 0s except for the ANI_XPI and ANI_XCI fields.

·     Examples of format 1:

atm 31/31/7:255.65535 0/0/0/0/0/0
      The subscriber interface type is ATM. The BRAS slot number is 31, the BRAS subslot number is 31, the BRAS port number is 7, the VPI is 255, and the VCI is 65535. The access-node-id string is all zeros.

eth 31/31/7:1234.2345 0/0/0/0/0/0
      The subscriber interface type is Ethernet. The slot number is 31, the subslot number is 31, the port number is 7, the PVLAN is 1234, and the CVLAN is 2345.

eth 31/31/7:4096.2345 0/0/0/0/0/0
      The subscriber interface type is Ethernet. The slot number is 31, the subslot number is 31, and the port number is 7. The XPI field is 4096 (no PVLAN), so the user's VLAN ID is 2345.

eth 31/31/7:4096.2345 guangzhou001/1/31/63/31/127
      The subscriber interface type is Ethernet. The slot number is 31, the subslot number is 31, the port number is 7, and the VLAN ID is 2345. The access node identifier of the DSLAM is guangzhou001, the rack number is 1, the frame number is 31, the slot number is 63, the subslot number is 31, and the port number is 127.

 

Format 2 is SlotID00IfNOVlanID.

·     SlotID—Slot number, a string of 2 characters.

·     IfNO—Interface number, a string of 3 characters.

·     VlanID—VLAN ID, a string of 9 characters.

Format 3 is SlotID00IfNOVlanIDDHCPoption.

·     SlotID—Slot number, a string of 2 characters.

·     IfNO—Interface number, a string of 3 characters.

·     VlanID—VLAN ID, a string of 9 characters.

·     DHCPoption—DHCP option 82 is appended for IPv4 users and DHCP option 1 is appended for IPv6 users.

Format 4 is slot=**;subslot=**;port=**;vlanid=**;vlanid2=**;.

·     For non-VLAN interfaces, the slot=**;subslot=**;port=**;vlanid=0; format is used.

·     For interfaces that terminate only the outermost VLAN tag, the slot=**;subslot=**;port=**;vlanid=**; format is used.
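The following Python is an added example, not code from the H3C manual: it builds and parses NAS-Port-Id strings in format 1 and format 2 from the field definitions above, enforcing the range limits the tables give, so a RADIUS server operator can check what the router will send before wiring a policy to it. For format 2 the page gives only field widths, so zero-padded decimal fields are an assumption; the function and field names are the example's own.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not code from the H3C manual: builds and parses NAS-Port-Id
# strings in format 1 and format 2 from the field definitions above, with the
# range limits from the tables. Assumption for format 2 (the page gives only
# field widths): fields are zero-padded decimal numbers.

NO_VLAN = 4096          # marker for "no PVLAN" / "user not assigned to a VLAN"
INTERFACE_TYPES = ("atm", "eth", "trunk", "0")


def _check(name: str, value: int, lo: int, hi: int) -> int:
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo} to {hi}")
    return value


def format1(interface_type: str, slot: int, subslot: int, port: int,
            xpi: int, xci: int,
            ani: Optional[Tuple[str, int, int, int, int, int]] = None) -> str:
    """Format 1: 'interface-type port-location access-node-id'.

    ani is (AccessNodeIdentifier, rack, frame, slot, subslot, port); when it is
    None the access-node-id string is all zeros, as in the examples above.
    """
    if interface_type not in INTERFACE_TYPES:
        raise ValueError("interface type must be atm, eth, trunk or 0")
    _check("NAS_slot", slot, 0, 31)
    _check("NAS_subslot", subslot, 0, 31)
    _check("NAS_port", port, 0, 63)
    if interface_type == "atm":
        _check("VPI", xpi, 0, 255)
        _check("VCI", xci, 0, 65535)
    else:
        _check("PVLAN", xpi, 0, NO_VLAN)
        _check("CVLAN", xci, 0, NO_VLAN)
    if ani is None:
        ani_str = "0/0/0/0/0/0"
    else:
        ident, rack, frame, a_slot, a_subslot, a_port = ani
        if not 1 <= len(ident) <= 50 or " " in ident:
            raise ValueError("AccessNodeIdentifier must be 1 to 50 characters without spaces")
        _check("ANI_rack", rack, 0, 15)
        _check("ANI_frame", frame, 0, 31)
        _check("ANI_slot", a_slot, 0, 127)
        _check("ANI_subslot", a_subslot, 0, 31)
        _check("ANI_port", a_port, 0, 255)
        ani_str = f"{ident}/{rack}/{frame}/{a_slot}/{a_subslot}/{a_port}"
    return f"{interface_type} {slot}/{subslot}/{port}:{xpi}.{xci} {ani_str}"


FORMAT1_RE = re.compile(
    r"^(?P<type>atm|eth|trunk|0) (?P<slot>\d+)/(?P<subslot>\d+)/(?P<port>\d+):"
    r"(?P<xpi>\d+)\.(?P<xci>\d+) (?P<ani>\S+)$")


def parse_format1(value: str) -> Dict[str, object]:
    """Split a format 1 string into fields; 4096 is reported as no VLAN."""
    m = FORMAT1_RE.match(value)
    if not m:
        raise ValueError(f"not a format 1 NAS-Port-Id: {value!r}")
    fields: Dict[str, object] = {
        k: (v if k in ("type", "ani") else int(v)) for k, v in m.groupdict().items()}
    if fields["type"] != "atm":
        fields["pvlan"] = None if fields["xpi"] == NO_VLAN else fields["xpi"]
        fields["cvlan"] = None if fields["xci"] == NO_VLAN else fields["xci"]
    return fields


def format2(slot: int, ifno: int, vlan: int) -> str:
    """Format 2: SlotID (2 chars) + '00' + IfNO (3 chars) + VlanID (9 chars)."""
    _check("SlotID", slot, 0, 99)
    _check("IfNO", ifno, 0, 999)
    _check("VlanID", vlan, 0, 999_999_999)
    return f"{slot:02d}00{ifno:03d}{vlan:09d}"


if __name__ == "__main__":
    print(format1("eth", 31, 31, 7, 1234, 2345))
    print(format1("eth", 31, 31, 7, NO_VLAN, 2345, ("guangzhou001", 1, 31, 63, 31, 127)))
    print(parse_format1("atm 31/31/7:255.65535 0/0/0/0/0/0"))
    print(format2(1, 3, 10))
```

The two format1 calls reproduce the eth examples in the table above; parse_format1 is the piece a RADIUS-side rule would need, since it is the CVLAN (with 4096 meaning "no VLAN") rather than the raw string that policies usually key on.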

Examples

# Set the format of the NAS-Port-Id attribute to format 1.

<Sysname> system-view

[Sysname] portal nas-port-id format 1

portal nas-port-type

Use portal nas-port-type to specify the NAS-Port-Type value carried in RADIUS requests sent to the RADIUS server.

Use undo portal nas-port-type to restore the default.

Syntax

portal nas-port-type { ethernet | wireless }

undo portal nas-port-type

Default

The NAS-Port-Type value carried in RADIUS requests is the user's access interface type value obtained by the access device.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ethernet: Specifies the NAS-Port-Type attribute value as Ethernet (number 15).

wireless: Specifies the NAS-Port-Type attribute value as WLAN-IEEE 802.11 (number 19).

Usage guidelines

The following matrix shows the support of the MSR routers for this command in interface view and in service template view (Yes = supported, No = not supported):

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK: interface view Yes, service template view Yes
MSR810-LMS/810-LUS: interface view No, service template view No
MSR2600-6-X1/2600-10-X1: interface view Yes, service template view Yes
MSR 2630: interface view No, service template view Yes
MSR3600-28/3600-51: interface view Yes, service template view Yes
MSR3600-28-SI/3600-51-SI: interface view No, service template view No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: interface view No, service template view No
MSR 3610/3620/3620-DP/3640/3660: interface view Yes, service template view Yes
MSR5620/5660/5680: interface view No, service template view No

As the access device, the BAS might not be able to correctly obtain a user's interface type when other network devices sit between the BAS and the portal client. For example, for a wireless portal user, the access interface type obtained by the BAS might be the type of the wired interface on which the user was authenticated. For the BAS to report the correct user interface type to the RADIUS server, use this command to specify the NAS-Port-Type value explicitly.
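The NAS-Port-Id formats listed under portal nas-port-id format above and the NAS-Port-Type values of this command are what the access device encodes into its RADIUS requests. The following Python is an added example, not code from this reference or from Comware: it builds and parses NAS-Port-Id strings in formats 2 and 4 with the field widths given above, then encodes them together with NAS-Port-Type as RADIUS attribute TLVs. The attribute numbers (61 for NAS-Port-Type, 87 for NAS-Port-Id) are the standard RFC 2865/RFC 2869 values; the slot, port and VLAN values are constructed, and treating an omitted vlanid2 as "outer tag only" is an assumption. Format 3 is left out because the page does not say how the DHCP option bytes are rendered in the string.

```python
"""Added example (not from the H3C reference): NAS-Port-Id builders/parsers for
formats 2 and 4, plus RADIUS TLV encoding of NAS-Port-Id and NAS-Port-Type."""
import re
from typing import Dict, List, Optional, Tuple

NAS_PORT_TYPE = 61                 # RFC 2865 attribute number
NAS_PORT_ID = 87                   # RFC 2869 attribute number
ETHERNET, WIRELESS_80211 = 15, 19  # NAS-Port-Type values named by portal nas-port-type


def nas_port_id_format2(slot: int, ifno: int, vlan: int) -> str:
    """Format 2: SlotID (2 chars) + "00" + IfNO (3 chars) + VlanID (9 chars), zero padded."""
    if not (0 <= slot < 10**2 and 0 <= ifno < 10**3 and 0 <= vlan < 10**9):
        raise ValueError("field does not fit its fixed width")
    return f"{slot:02d}00{ifno:03d}{vlan:09d}"


def nas_port_id_format4(slot: int, subslot: int, port: int,
                        vlan: int = 0, vlan2: Optional[int] = None) -> str:
    """Format 4: key=value pairs. vlanid=0 for a non-VLAN interface; vlanid2 is
    emitted only when an inner tag is terminated (assumption: omitted otherwise)."""
    s = f"slot={slot};subslot={subslot};port={port};vlanid={vlan};"
    return s + (f"vlanid2={vlan2};" if vlan2 is not None else "")


_FORMAT2 = re.compile(r"^(\d{2})00(\d{3})(\d{9})$")


def parse_nas_port_id(value: str) -> Dict[str, int]:
    """Recognise format 2 or format 4; refuse to guess on anything else."""
    m = _FORMAT2.match(value)
    if m:
        return {"format": 2, "slot": int(m[1]), "ifno": int(m[2]), "vlan": int(m[3])}
    if value.endswith(";") and "=" in value:
        pairs = [kv.split("=", 1) for kv in value[:-1].split(";")]
        if all(len(kv) == 2 and kv[1].isdigit() for kv in pairs):
            fields = {k: int(v) for k, v in pairs}
            if {"slot", "subslot", "port", "vlanid"} <= fields.keys():
                return {"format": 4, **fields}
    raise ValueError(f"unrecognised NAS-Port-Id: {value!r}")


def radius_avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, counts the 2-byte
    header too), Value (1..253 bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def nas_port_attributes(port_id: str, port_type: int) -> bytes:
    """NAS-Port-Id and NAS-Port-Type as they would sit in an Access-Request body."""
    return (radius_avp(NAS_PORT_ID, port_id.encode("ascii"))
            + radius_avp(NAS_PORT_TYPE, port_type.to_bytes(4, "big")))


def decode_avps(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk a run of attribute TLVs; reject lengths that overrun the buffer."""
    out = []
    while blob:
        if len(blob) < 2 or blob[1] < 3 or blob[1] > len(blob):
            raise ValueError("malformed attribute")
        out.append((blob[0], blob[2:blob[1]]))
        blob = blob[blob[1]:]
    return out


if __name__ == "__main__":
    pid = nas_port_id_format2(1, 3, 100)            # constructed sample values
    print(pid, parse_nas_port_id(pid))
    print(nas_port_id_format4(1, 0, 3, vlan=100, vlan2=0))
    print(decode_avps(nas_port_attributes(pid, WIRELESS_80211)))
```

The decoder's length check matters on the receiving side: a NAS-Port-Id is free-form text supplied by the NAS, so a RADIUS server or log parser should validate the TLV length and the format before trusting the slot/port/VLAN it carries.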

Examples

# On VLAN-interface 2, specify the NAS-Port-Type value in RADIUS requests sent to the RADIUS server as WLAN-IEEE 802.11.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] portal nas-port-type wireless

# On service template service1, specify the NAS-Port-Type value in RADIUS requests sent to the RADIUS server as WLAN-IEEE 802.11.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal nas-port-type wireless

Related commands

display portal interface

portal oauth user-sync interval

Use portal oauth user-sync interval to set the user synchronization interval for portal authentication using OAuth.

Use undo portal oauth user-sync interval to restore the default.

Syntax

portal oauth user-sync interval interval

undo portal oauth user-sync interval

Default

The user synchronization interval is 60 seconds for portal authentication using OAuth.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the user synchronization interval, in seconds. The value for this argument can be 0 or in the range of 60 to 3600.

Usage guidelines

If portal authentication uses OAuth, the device periodically reports user information to the portal authentication server for user synchronization on the server. To disable user synchronization from the device to the portal authentication server, set the user synchronization interval to 0 seconds on the device.

Examples

# Set the user synchronization interval to 120 seconds for portal authentication using OAuth.

<Sysname> system-view

[Sysname] portal oauth user-sync interval 120

portal outbound-filter enable

Use portal [ ipv6 ] outbound-filter enable to enable outgoing packet filtering on a portal-enabled interface.

Use undo portal [ ipv6 ] outbound-filter enable to disable outgoing packet filtering on a portal-enabled interface.

Syntax

portal [ ipv6 ] outbound-filter enable

undo portal [ ipv6 ] outbound-filter enable

Default

Outgoing packet filtering is disabled. A portal-enabled interface or service template can send any packets.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies outgoing IPv6 packets. If you do not specify this keyword, the command is for outgoing IPv4 packets.

Usage guidelines

When you enable this feature on a portal-enabled interface or service template, the device permits the interface or service template to send the following packets:

·     Packets whose destination IP addresses are IP addresses of authenticated portal users.

·     Packets that match portal-free rules.

Other outgoing packets on the interface or service template are dropped.
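The two permit conditions above are simple enough to model. The following Python is an added example, not Comware code: it applies the same decision to a constructed list of outgoing packets, given the addresses of authenticated portal users and a simplified set of portal-free rules (destination network plus optional destination port; real portal-free rules also carry source and protocol fields, which this model omits). All addresses and packets are constructed for the example.

```python
"""Added example (not Comware code): the permit/drop decision that
portal outbound-filter enable applies to packets leaving a portal-enabled interface."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PortalFreeRule:
    """Simplified portal-free rule: destination network and optional port (assumption)."""
    dst: ipaddress.IPv4Network
    port: Optional[int] = None     # None = any port


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    what: str                      # label used only for printing


def outbound_permitted(pkt: Packet, authenticated: Set[str],
                       free_rules: Iterable[PortalFreeRule]) -> Tuple[bool, str]:
    """Permit packets to authenticated portal users or packets matching a
    portal-free rule; drop everything else, as the usage guidelines state."""
    ip = ipaddress.ip_address(pkt.dst_ip)
    if pkt.dst_ip in authenticated:
        return True, "destination is an authenticated portal user"
    for rule in free_rules:
        if ip in rule.dst and (rule.port is None or rule.port == pkt.dst_port):
            return True, f"matches portal-free rule {rule.dst} port {rule.port or 'any'}"
    return False, "no authenticated user and no portal-free rule"


def apply_filter(packets: Iterable[Packet], authenticated: Set[str],
                 free_rules: Iterable[PortalFreeRule]) -> List[Tuple[Packet, bool, str]]:
    rules = list(free_rules)
    return [(p, *outbound_permitted(p, authenticated, rules)) for p in packets]


# Constructed sample state: two online users and portal-free rules covering DNS
# answers to the client subnet and the portal Web server. The HTTP response to
# the unauthenticated client matches neither condition and is dropped, which is
# why the portal Web server and DNS must be covered by portal-free rules before
# the filter is enabled; otherwise unauthenticated clients never see the login page.
AUTHENTICATED = {"192.0.2.10", "192.0.2.11"}
FREE_RULES = [
    PortalFreeRule(ipaddress.ip_network("192.0.2.0/24"), 53),
    PortalFreeRule(ipaddress.ip_network("198.51.100.5/32")),
]
SAMPLE = [
    Packet("192.0.2.10", 443, "HTTPS to online user"),
    Packet("192.0.2.30", 53, "DNS answer to unauthenticated client"),
    Packet("198.51.100.5", 8080, "traffic to portal Web server"),
    Packet("192.0.2.30", 80, "HTTP response to unauthenticated client"),
]

if __name__ == "__main__":
    for pkt, ok, why in apply_filter(SAMPLE, AUTHENTICATED, FREE_RULES):
        print("PERMIT" if ok else "DROP  ", pkt.what, "-", why)
```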

Examples

# Enable outgoing packet filtering on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal outbound-filter enable

portal pre-auth domain

Use portal [ ipv6 ] pre-auth domain to specify a preauthentication domain for portal users.

Use undo portal [ ipv6 ] pre-auth domain to restore the default.

Syntax

portal [ ipv6 ] pre-auth domain domain-name

undo portal [ ipv6 ] pre-auth domain

Default

No preauthentication domain is specified for portal users.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

domain-name: Specifies an existing ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the following characters: slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).

Usage guidelines

After you configure a preauthentication domain on a portal-enabled interface, the device authorizes users on the interface as follows:

1.     After an unauthenticated user obtains an IP address, the user is assigned with authorization attributes configured for the preauthentication domain.

The authorization attributes in a preauthentication domain include ACL, user profile, and CAR.

An unauthenticated user who is authorized with the authorization attributes in a preauthentication domain is called a preauthentication user.

2.     After the user passes portal authentication, the user is assigned with new authorization attributes from the AAA server.

3.     After the user goes offline, the user is reassigned with the authorization attributes in the preauthentication domain.

The preauthentication domain takes effect only on portal users with IP addresses assigned by DHCP or DHCPv6.

Make sure you specify an existing ISP domain as a preauthentication domain. If the specified ISP domain does not exist, the device might operate incorrectly.

You must delete a preauthentication domain (by using the undo portal [ ipv6 ] pre-auth domain command) and reconfigure it in the following situations:

·     You create the ISP domain after specifying it as the preauthentication domain.

·     You delete the specified ISP domain and then re-create it.

If you change the preauthentication domain on an interface, the interface uses the new preauthentication domain for both new and existing preauthentication users.

If authorization attributes in the preauthentication domain are modified, the modified attributes take effect only on new preauthentication users. Existing preauthentication users use the original authorization attributes.

If the ACL in the preauthentication domain does not exist or the ACL has no rules, the device does not control user access. Users can access any network resources without passing portal authentication.

Follow these guidelines when you configure a preauthentication ACL rule:

·     Do not specify a source address. If you specify a source address, users cannot trigger portal authentication.

·     Do not set the destination address to any. If you set the destination address to any, all packets will be permitted to pass and therefore users can access any resources before portal authentication.
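The two rule guidelines and the empty-ACL warning above are worth checking mechanically before a preauthentication domain goes live, because each mistake either locks users out of authentication or opens the network to them without it. The following Python is an added example, not an H3C tool: it lints a list of advanced ACL rules written in Comware-style syntax (assumed forms: rule N permit ip destination A.B.C.D wildcard, destination any, or no destination clause, which is taken to match any destination) and reports the misconfigurations described above. The rule text and addresses are constructed.

```python
"""Added example (not an H3C tool): lint preauthentication ACL rules against
the guidelines for portal pre-auth domain."""
import re
from typing import List

# Comware-style advanced ACL fragments (assumed syntax, see lead-in).
_SOURCE = re.compile(r"\bsource\s+\S+")
_DESTINATION = re.compile(r"\bdestination\s+(any|\d+\.\d+\.\d+\.\d+)")


def lint_preauth_acl(rules: List[str]) -> List[str]:
    """Return one finding per problem; an empty list means the ACL obeys the guidelines."""
    findings = []
    if not rules:
        # A missing or empty ACL means no access control before authentication.
        findings.append("ACL has no rules: preauthentication users can reach any resource")
        return findings
    for rule in rules:
        if "permit" not in rule.split():
            continue                    # deny rules do not open anything
        if _SOURCE.search(rule):
            findings.append(f"{rule}: source address specified; users cannot trigger portal authentication")
        m = _DESTINATION.search(rule)
        if m is None or m.group(1) == "any":
            findings.append(f"{rule}: destination is any (or omitted); all traffic passes before authentication")
    return findings


# Constructed sample: a domain that opens only the portal Web server and DNS,
# beside the mistakes the guidelines warn about.
GOOD_RULES = [
    "rule 0 permit ip destination 198.51.100.5 0",
    "rule 5 permit udp destination 198.51.100.53 0 destination-port eq 53",
]
BAD_RULES = [
    "rule 0 permit ip source 192.0.2.0 0.0.0.255 destination 198.51.100.5 0",
    "rule 5 permit ip destination any",
    "rule 10 permit ip",
]

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES), ("empty", [])):
        print(label, lint_preauth_acl(rules) or "OK")
```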

Examples

# Create the preauthentication domain abc for GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal pre-auth domain abc

Related commands

display portal

portal packet log enable

Use portal packet log enable to enable logging for portal protocol packets.

Use undo portal packet log enable to disable logging for portal protocol packets.

Syntax

portal packet log enable

undo portal packet log enable

Default

Portal protocol packet logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal protocol packets, including the username, IP address, authentication type, packet type, SSID, and AP MAC. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for portal protocol packets.

<Sysname> system-view

[Sysname] portal packet log enable

Related commands

portal redirect log enable

portal user log enable

portal pre-auth ip-pool

Use portal pre-auth ip-pool to specify a preauthentication IP address pool for portal users.

Use undo portal pre-auth ip-pool to restore the default.

Syntax

portal [ ipv6 ] pre-auth ip-pool pool-name

undo portal [ ipv6 ] pre-auth ip-pool

Default

No preauthentication IP address pool is specified for portal users.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

pool-name: Specifies an IP address pool by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You must use this command to specify a preauthentication IP address pool on a portal-enabled interface when all of the following conditions exist:

·     Portal users access the network through a subinterface of the portal-enabled interface.

·     The subinterface does not have an IP address.

·     Portal users need to obtain IP addresses through DHCP.

DHCP assigns an IP address from the specified IP address pool to a user. Then, the user can use this IP address to perform portal authentication.

The specified IP address pool takes effect only when the following requirements are met:

·     The direct portal authentication mode is used on the interface.

·     The specified IP address pool exists and is correctly configured.

Examples

# Specify IPv4 address pool abc as the preauthentication IP address pool on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal pre-auth ip-pool abc

Related commands

dhcp server ip-pool (Layer 3—IP Services Command Reference)

display portal

ipv6 dhcp pool (Layer 3—IP Services Command Reference)

portal redirect log enable

Use portal redirect log enable to enable logging for portal redirect.

Use undo portal redirect log enable to disable logging for portal redirect.

Syntax

portal redirect log enable

undo portal redirect log enable

Default

Portal redirect logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal redirect packets, including the user IP address, MAC address, SSID, BAS IP, and Web server IP address. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for portal redirect.

<Sysname> system-view

[Sysname] portal redirect log enable

Related commands

portal packet log enable

portal user log enable

portal refresh enable

Use portal refresh { arp | nd } enable to enable the Rule ARP or ND entry feature for portal clients.

Use undo portal refresh { arp | nd } enable to disable the Rule ARP or ND entry feature for portal clients.

Syntax

portal refresh { arp | nd } enable

undo portal refresh { arp | nd } enable

Default

The Rule ARP or ND entry feature is enabled for portal clients.

Views

System view

Predefined user roles

network-admin

Parameters

arp: Enables the Rule ARP entry feature.

nd: Enables the Rule ND entry feature.

Usage guidelines

When the Rule ARP or ND entry feature is enabled for portal clients, ARP or ND entries for portal clients are Rule entries after the clients come online. The Rule ARP or ND entries will not age out and will be deleted immediately after the portal clients go offline.

If portal clients go offline and then try to come online before the ARP or ND entries are relearned for them, the clients will fail the authentication. In this case, disable this feature so that ARP or ND entries are dynamic entries after the clients come online. The dynamic ARP or ND entries are deleted only when they age out.

Enabling or disabling of this feature does not affect existing Rule/dynamic ARP or ND entries for portal users.

Examples

# Disable the Rule ARP entry feature for portal clients.

<Sysname> system-view

[Sysname] undo portal refresh arp enable

portal roaming enable

Use portal roaming enable to enable portal roaming.

Use undo portal roaming enable to disable portal roaming.

Syntax

portal roaming enable

undo portal roaming enable

Default

Portal roaming is disabled. An online portal user cannot roam in its VLAN.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Portal roaming applies only to portal users that log in from VLAN interfaces.

This command cannot be executed when online users or preauthentication portal users are present on the device.

For portal roaming to take effect, you must disable the Rule ARP or ND entry feature by using the undo portal refresh { arp | nd } enable command.

If portal roaming is enabled, an online portal user can access network resources from any Layer 2 port in its local VLAN. If portal roaming is disabled, the portal user can access network resources only from the Layer 2 port on which it passes authentication.

Examples

# Enable portal roaming.

<Sysname> system-view

[Sysname] portal roaming enable

portal safe-redirect enable

Use portal safe-redirect enable to enable the portal safe-redirect feature.

Use undo portal safe-redirect enable to restore the default.

Syntax

portal safe-redirect enable

undo portal safe-redirect enable

Default

The portal safe-redirect feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Portal redirects all HTTP requests except HTTP requests that match portal-free rules to the portal Web server, which might overload the server.

Portal safe-redirect filters HTTP requests by HTTP request method, browser type (in HTTP User Agent), and destination URL, and redirects only the permitted HTTP requests.

As a best practice to avoid server overload and improve security, enable portal safe-redirect on the device.

Examples

# Enable the portal safe-redirect feature.

<Sysname> system-view

[Sysname] portal safe-redirect enable

Related commands

portal safe-redirect forbidden-url

portal safe-redirect method

portal safe-redirect user-agent

portal safe-redirect forbidden-file

Use portal safe-redirect forbidden-file to configure a filename extension forbidden by portal safe-redirect. If the URL of an HTTP request includes the specified filename extension, the device does not redirect the HTTP request.

Use undo portal safe-redirect forbidden-file to delete a portal safe-redirect forbidden filename extension.

Syntax

portal safe-redirect forbidden-file filename-extension

undo portal safe-redirect forbidden-file filename-extension

Default

No forbidden filename extensions are configured. The device redirects HTTP requests regardless of the filename extension in the URL.

Views

System view

Predefined user roles

network-admin

Parameters

filename-extension: Specifies a filename extension forbidden by portal safe-redirect, a case-sensitive string of 1 to 16 characters.

Usage guidelines

You can configure multiple portal safe-redirect forbidden filename extensions.

Before you execute this command, make sure the portal safe-redirect feature is enabled.

Examples

# Specify .jpg as a portal safe-redirect forbidden filename extension.

<Sysname> system-view

[Sysname] portal safe-redirect forbidden-file .jpg

Related commands

display portal safe-redirect statistics

portal safe-redirect enable

portal safe-redirect forbidden-url

Use portal safe-redirect forbidden-url to configure a URL forbidden by portal safe-redirect.

Use undo portal safe-redirect forbidden-url to delete a portal safe-redirect forbidden URL.

Syntax

portal safe-redirect forbidden-url user-url-string

undo portal safe-redirect forbidden-url user-url-string

Default

No forbidden URLs are configured. The device can redirect HTTP requests with any URLs.

Views

System view

Predefined user roles

network-admin

Parameters

user-url-string: Specifies a URL forbidden by portal safe-redirect, a case-sensitive string of 1 to 256 characters.

Usage guidelines

You can execute this command multiple times to configure multiple portal safe-redirect forbidden URLs. The device does not redirect HTTP requests destined for the specified URLs to the portal Web server.

Before you execute this command, make sure the portal safe-redirect feature is enabled.

Examples

# Specify http://www.abc.com as a portal safe-redirect forbidden URL.

<Sysname> system-view

[Sysname] portal safe-redirect forbidden-url http://www.abc.com

Related commands

portal safe-redirect enable

portal safe-redirect method

Use portal safe-redirect method to specify HTTP request methods permitted by portal safe-redirect.

Use undo portal safe-redirect method to delete HTTP request methods permitted by portal safe-redirect.

Syntax

portal safe-redirect method { get | post }*

undo portal safe-redirect method { get | post }*

Default

After portal safe-redirect is enabled, the device redirects only HTTP requests with the GET method.

Views

System view

Predefined user roles

network-admin

Parameters

get: Specifies the GET request method.

post: Specifies the POST request method.

Usage guidelines

After you specify HTTP request methods for portal safe-redirect, the device redirects only the HTTP requests with the specified methods to the portal Web server.

Before you execute this command, make sure the portal safe-redirect feature is enabled.

If you configure this command multiple times, the most recent configuration takes effect.

Examples

# Specify the GET request method for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect method get

Related commands

portal safe-redirect enable

portal safe-redirect user-agent

Use portal safe-redirect user-agent to specify a browser type for portal safe-redirect.

Use undo portal safe-redirect user-agent to delete a browser type for portal safe-redirect.

Syntax

portal safe-redirect user-agent user-agent-string

undo portal safe-redirect user-agent user-agent-string

Default

After portal safe-redirect is enabled, the device redirects the HTTP packets matching any browser types in Table 50.

Views

System view

Predefined user roles

network-admin

Parameters

user-agent-string: Specifies a browser type in HTTP User Agent, a case-sensitive string of 1 to 255 characters. You can specify the browser types as shown in Table 50.

Table 50 Browser types supported by portal safe-redirect

Browser type | Description
Safari | Apple browser
Chrome | Google browser
Firefox | Firefox browser
UC | UC browser
QQBrowser | QQ browser
LBBROWSER | Cheetah browser
TaoBrowser | Taobao browser
Maxthon | Maxthon browser
BIDUBrowser | Baidu browser
MSIE 10.0 | Microsoft IE 10.0 browser
MSIE 9.0 | Microsoft IE 9.0 browser
MSIE 8.0 | Microsoft IE 8.0 browser
MSIE 7.0 | Microsoft IE 7.0 browser
MSIE 6.0 | Microsoft IE 6.0 browser
MetaSr | Sogou browser

Usage guidelines

You can execute this command multiple times to specify multiple browser types. The device redirects an HTTP request only when its User-Agent string contains a specified browser type.

Before you execute this command, make sure the portal safe-redirect feature is enabled.
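The portal safe-redirect usage guidelines (filtering by request method, browser type in User-Agent, and destination URL) and the four tuning commands portal safe-redirect method, user-agent, forbidden-url and forbidden-file together define one decision: is this HTTP request redirected to the portal Web server or not. The following Python is an added example, not Comware's implementation, that makes that decision for raw HTTP requests under a given configuration. It assumes substring matching of Table 50 browser types against User-Agent (as the guideline above states), prefix matching for forbidden URLs, and case-sensitive comparison of the last path segment's extension; the configuration and the sample requests are constructed.

```python
"""Added example (not Comware's implementation): the portal safe-redirect
decision for raw HTTP requests from unauthenticated portal users."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple
from urllib.parse import urlsplit

# Table 50 browser types; matched as substrings of the User-Agent header.
DEFAULT_BROWSER_TYPES = (
    "Safari", "Chrome", "Firefox", "UC", "QQBrowser", "LBBROWSER", "TaoBrowser",
    "Maxthon", "BIDUBrowser", "MSIE 10.0", "MSIE 9.0", "MSIE 8.0", "MSIE 7.0",
    "MSIE 6.0", "MetaSr",
)


@dataclass
class SafeRedirectConfig:
    enabled: bool = False                                        # portal safe-redirect enable
    methods: Set[str] = field(default_factory=lambda: {"GET"})   # portal safe-redirect method
    browser_types: Tuple[str, ...] = DEFAULT_BROWSER_TYPES       # portal safe-redirect user-agent
    forbidden_urls: Set[str] = field(default_factory=set)        # portal safe-redirect forbidden-url
    forbidden_files: Set[str] = field(default_factory=set)       # portal safe-redirect forbidden-file


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into method, target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def should_redirect(raw: str, cfg: SafeRedirectConfig) -> Tuple[bool, str]:
    """Decide whether a request that matches no portal-free rule is redirected
    to the portal Web server. Returns (redirect?, reason)."""
    method, target, headers = parse_request(raw)
    if not cfg.enabled:
        return True, "safe-redirect disabled: every such request is redirected"
    if method.upper() not in cfg.methods:
        return False, f"method {method} not permitted"
    user_agent = headers.get("user-agent", "")
    if not any(b in user_agent for b in cfg.browser_types):
        return False, "User-Agent carries no permitted browser type"
    url = target if target.startswith("http") else "http://" + headers.get("host", "") + target
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    extension = last_segment[last_segment.rfind("."):] if "." in last_segment else ""
    if extension in cfg.forbidden_files:                          # case-sensitive, as on the device
        return False, f"filename extension {extension} forbidden"
    if any(url.startswith(f) for f in cfg.forbidden_urls):        # assumption: prefix match
        return False, "destination URL forbidden"
    return True, "redirect to portal Web server"


# Constructed configuration and sample requests.
CFG = SafeRedirectConfig(enabled=True, forbidden_files={".jpg"},
                         forbidden_urls={"http://www.abc.com"})
SAMPLE_REQUESTS = {
    "browser page": "GET /index.html HTTP/1.1\r\nHost: example.net\r\nUser-Agent: Mozilla/5.0 (X11; Linux) Chrome/120.0\r\n\r\n",
    "form post": "POST /login HTTP/1.1\r\nHost: example.net\r\nUser-Agent: Chrome/120.0\r\n\r\n",
    "image": "GET /logo.jpg HTTP/1.1\r\nHost: example.net\r\nUser-Agent: Safari/605.1\r\n\r\n",
    "forbidden site": "GET / HTTP/1.1\r\nHost: www.abc.com\r\nUser-Agent: Firefox/121.0\r\n\r\n",
    "background check": "GET /connecttest.txt HTTP/1.1\r\nHost: example.net\r\nUser-Agent: curl/8.4\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(f"{label:17s}", *should_redirect(raw, CFG))
```

Note what the filter is and is not: User-Agent and the URL are chosen by the client, so safe-redirect is load shedding for the portal Web server, not an access control. A request it declines to redirect is simply not answered with the login page; the client still cannot pass portal authentication until it sends a request the filter does redirect.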

Examples

# Specify browser types Chrome and Safari for portal safe-redirect.

<Sysname> system-view

[Sysname] portal safe-redirect user-agent Chrome

[Sysname] portal safe-redirect user-agent Safari

Related commands

portal safe-redirect enable

portal server

Use portal server to create a portal authentication server and enter its view, or enter the view of an existing portal authentication server.

Use undo portal server to delete the specified portal authentication server.

Syntax

portal server server-name

undo portal server server-name

Default

No portal authentication servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

In portal authentication server view, you can configure the following parameters and features for the portal authentication server:

·     IP address of the server.

·     Destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server.

·     MPLS L3VPN where the portal authentication server resides.

·     Pre-shared key for communication between the access device and the server.

·     Server detection feature.

You can configure multiple portal authentication servers for an access device.

Examples

# Create portal authentication server pts and enter its view.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts]

Related commands

display portal server

portal temp-pass enable

Use portal temp-pass enable to enable portal temporary pass and set the temporary pass period.

Use undo portal temp-pass enable to disable portal temporary pass.

Syntax

portal temp-pass [ period period-value ] enable

undo portal temp-pass enable

Default

Portal temporary pass is disabled.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

period period-value: Specifies the temporary pass period. The value range for the period-value argument is 10 to 3600 seconds, and the default is 30 seconds.

Usage guidelines

Typically, a portal user cannot access the network before passing portal authentication. This feature allows a user to access the Internet temporarily if the user uses a WeChat account to perform portal authentication. During the temporary pass period, the user provides WeChat authentication information to the WeChat server for the server to interact with the access device to finish portal authentication.

Examples

# On GigabitEthernet 1/0/1, enable portal temporary pass and set the temporary pass period to 25 seconds. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal temp-pass period 25 enable

# On service template service1, enable portal temporary pass and set the temporary pass period to 25 seconds. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal temp-pass period 25 enable

Related commands

display portal

portal traffic-accounting disable

Use portal traffic-accounting disable to disable traffic accounting for portal users.

Use undo portal traffic-accounting disable to restore the default.

Syntax

portal traffic-accounting disable

undo portal traffic-accounting disable

Default

Traffic accounting for portal users is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The accounting server might perform time-based or traffic-based accounting, or it might not perform accounting. If the accounting server does not perform traffic-based accounting, disable traffic accounting for portal users on the device. The device will provide quick accounting for portal users, and the traffic statistics will be imprecise. If the accounting server performs traffic-based accounting, enable traffic accounting for portal users. The device will provide precise traffic statistics for portal users.

Examples

# Disable traffic accounting for portal users.

<Sysname> system-view

[Sysname] portal traffic-accounting disable

portal traffic-backup threshold

Use portal traffic-backup threshold to set the user traffic backup threshold.

Use undo portal traffic-backup threshold to restore the default.

Syntax

portal traffic-backup threshold value

undo portal traffic-backup threshold

Default

The user traffic backup threshold is 10 MB.

Views

System view

Predefined user roles

network-admin

Parameters

value: Specifies the user traffic backup threshold, in MB. The value range for this argument is 0 to 100000. If you set the threshold to 0 MB, the device backs up user traffic in real time.

Usage guidelines

The device backs up traffic for a user when the user's traffic reaches the user traffic backup threshold. A smaller threshold provides more accurate backup for user traffic. However, when a large number of users exist, a small threshold results in frequent user traffic backups, affecting the user online, offline, and accounting processes. Set a proper threshold to balance between service performance and traffic backup accuracy.

Examples

# Set the user traffic backup threshold to 10240 MB.

<Sysname> system-view

[Sysname] portal traffic-backup threshold 10240

portal user-detect

Use portal user-detect to enable online detection of IPv4 portal users.

Use undo portal user-detect to disable online detection of IPv4 portal users.

Syntax

portal user-detect type { arp | icmp } [ retry retries ] [ interval interval ] [ idle time ]

undo portal user-detect

Default

Online detection of IPv4 portal users is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

type: Specifies the detection type.

·     arp—ARP detection.

·     icmp—ICMP detection.

retry retries: Sets the maximum number of detection attempts, in the range of 1 to 10. The default value is 3.

interval interval: Sets a detection interval in the range of 1 to 1200 seconds. The default interval is 3 seconds.

idle time: Sets a user idle timeout in the range of 60 to 3600 seconds. The default idle timeout is 180 seconds. When the timeout expires, online detection of IPv4 portal users is started.

Usage guidelines

If the device receives no packets from a portal user within the configured idle time, the device detects the user's online status as follows:

·     ICMP detection—Sends ICMP requests to the user at configurable intervals to detect the user status.

¡     If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡     If the device receives no reply after the maximum number of detection attempts, the device logs out the user.

·     ARP detection—Sends ARP requests to the user and detects the ARP entry status of the user at configurable intervals.

¡     If the ARP entry of the user is refreshed within the maximum number of detection attempts, the device considers that the user is online and stops detecting the user's ARP entry. Then the device resets the idle timer and repeats the detection process when the timer expires.

¡     If the ARP entry of the user is not refreshed after the maximum number of detection attempts, the device logs out the user.

Direct authentication and re-DHCP authentication support both ARP detection and ICMP detection. Cross-subnet authentication only supports ICMP detection.

If firewall policies on the access device filter out ICMP packets, ICMP detection might fail and result in the logout of portal users. Make sure the access device does not block ICMP packets before you enable ICMP detection on an interface.
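The detection loop above (idle timer, then up to retry probes one interval apart, then logout) is easiest to reason about with a small model. The following Python is an added example, not Comware's implementation: it validates a configuration against the documented ranges and the cross-subnet restriction, then simulates the loop for one user second by second. It assumes the probes are spaced exactly one interval apart and that logout follows the last unanswered probe immediately; the traffic and reply patterns are constructed, and the parameter values are the ones used in the command example that follows (retry 5, interval 10, idle 300).

```python
"""Added example (not Comware's implementation): a model of portal user-detect."""
from dataclasses import dataclass
from typing import Callable, Optional, Set


@dataclass(frozen=True)
class DetectConfig:
    dtype: str = "icmp"   # type { arp | icmp }
    retries: int = 3      # retry retries, 1..10
    interval: int = 3     # interval interval, 1..1200 seconds
    idle: int = 180       # idle time, 60..3600 seconds


def validate(cfg: DetectConfig, auth_mode: str) -> None:
    """Reject values outside the documented ranges and the unsupported
    cross-subnet + ARP combination."""
    if cfg.dtype not in ("arp", "icmp"):
        raise ValueError("type must be arp or icmp")
    if not 1 <= cfg.retries <= 10:
        raise ValueError("retry must be 1..10")
    if not 1 <= cfg.interval <= 1200:
        raise ValueError("interval must be 1..1200 seconds")
    if not 60 <= cfg.idle <= 3600:
        raise ValueError("idle must be 60..3600 seconds")
    if auth_mode == "cross-subnet" and cfg.dtype == "arp":
        raise ValueError("cross-subnet authentication supports ICMP detection only")


def is_valid(cfg: DetectConfig, auth_mode: str) -> bool:
    try:
        validate(cfg, auth_mode)
        return True
    except ValueError:
        return False


def simulate(cfg: DetectConfig, traffic: Set[int], answers: Callable[[int], bool],
             horizon: int) -> Optional[int]:
    """One-second-step model of the detection loop for a single user.

    traffic: seconds at which the device sees a packet from the user.
    answers(t): whether a probe sent at second t gets an ICMP reply (icmp) or
    refreshes the user's ARP entry (arp).
    Returns the second at which the user is logged out, or None if the user is
    still online at the horizon."""
    last_seen, t = 0, 0
    while t <= horizon:
        if t in traffic:
            last_seen = t
        elif t - last_seen >= cfg.idle:              # idle timer expired: start probing
            for attempt in range(cfg.retries):
                probe_at = t + attempt * cfg.interval
                if answers(probe_at) or any(s in traffic for s in range(t, probe_at + 1)):
                    last_seen = probe_at              # reply or traffic: online, reset idle timer
                    t = probe_at
                    break
            else:
                return t + (cfg.retries - 1) * cfg.interval   # every attempt failed: logout
        t += 1
    return None


if __name__ == "__main__":
    cfg = DetectConfig("icmp", retries=5, interval=10, idle=300)
    validate(cfg, "direct")
    silent = simulate(cfg, traffic={0, 100}, answers=lambda t: False, horizon=1000)
    wakes_up = simulate(cfg, traffic={0, 100}, answers=lambda t: t == 410, horizon=1000)
    print("silent host logged out at second", silent)
    print("host answering the second probe logged out at second", wakes_up)
```

With ICMP probes blocked by a firewall policy, answers() is always false, so every user that goes quiet is logged out idle + (retry - 1) x interval seconds after its last packet; that is the mass-logout failure mode the guideline above warns about, and the reason to check the policy before enabling ICMP detection.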

Examples

# Enable online detection of IPv4 portal users on GigabitEthernet 1/0/1. Configure the detection type as ICMP, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal user-detect type icmp retry 5 interval 10 idle 300

Related commands

display portal

portal user-dhcp-only

Use portal user-dhcp-only to allow only users with DHCP-assigned IP addresses to pass portal authentication.

Use undo portal user-dhcp-only to restore the default.

Syntax

portal [ ipv6 ] user-dhcp-only

undo portal [ ipv6 ] user-dhcp-only

Default

Both users with DHCP-assigned IP addresses and users with static IP addresses can pass portal authentication to come online.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users.

Usage guidelines

With this feature enabled, users with static IP addresses cannot pass portal authentication to get online.

To ensure that IPv6 users can pass portal authentication when this feature is enabled, disable the temporary IPv6 address feature on terminal devices. Otherwise, IPv6 users will use temporary IPv6 addresses to access the IPv6 network and will fail portal authentication.

Examples

# Allow only users with DHCP-assigned IP addresses on GigabitEthernet 1/0/1 to pass portal authentication. (Wired application).

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] portal user-dhcp-only

# Allow only users with DHCP-assigned IP addresses on service template service1 to pass portal authentication. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] portal user-dhcp-only

Related commands

display portal

portal user-logoff after-client-offline enable

Use portal user-logoff after-client-offline enable to enable automatic logout for wireless portal users.

Use undo portal user-logoff after-client-offline enable to disable automatic logout for wireless portal users.

Syntax

portal user-logoff after-client-offline enable

undo portal user-logoff after-client-offline enable

Default

Automatic logout is disabled for wireless portal users. Portal users will not be automatically logged out after the wireless clients are disconnected from the wireless network.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | No
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | No

Hardware | Command compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

After automatic logout is enabled for wireless portal users, the device will automatically log out a portal user after the user is disconnected from the wireless network.

Examples

# Enable automatic logout for wireless portal users.

<Sysname> system-view

[Sysname] portal user-logoff after-client-offline enable

portal user log enable

Use portal user log enable to enable logging for portal user logins and logouts.

Use undo portal user log enable to disable logging for portal user logins and logouts.

Syntax

portal user log enable

undo portal user log enable

Default

Portal user login and logout logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs information about portal user login and logout events, including the username, IP address, user's MAC address, interface name, VLAN, SSID, AP's MAC address, and reason for login failure. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for portal user logins and logouts.

<Sysname> system-view

[Sysname] portal user log enable

Related commands

portal packet log enable

portal redirect log enable

portal web-server

Use portal web-server to create a portal Web server and enter its view, or enter the view of an existing portal Web server.

Use undo portal web-server to delete a portal Web server.

Syntax

portal web-server server-name

undo portal web-server server-name

Default

No portal Web servers exist.

Views

System view

Predefined user roles

network-admin

Parameters

server-name: Specifies a portal Web server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

The portal Web server pushes portal authentication pages to portal users during authentication. The access device redirects HTTP requests of unauthenticated portal users to the portal Web server. In portal Web server view, you can configure the URL and URL parameters for the portal Web server and the portal Web server detection feature.

Examples

# Create portal Web server wbs and enter its view.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs]

Related commands

display portal web-server

portal apply web-server

redirect-url

Use redirect-url to specify the URL to which portal users are redirected after they pass QQ or Facebook authentication.

Use undo redirect-url to restore the default.

Syntax

redirect-url url-string

undo redirect-url

Default

Portal users are redirected to URLs http://lvzhou.h3c.com/portal/qqlogin.html and http://oauthindev.h3c.com/portal/fblogin.html after they pass QQ authentication and Facebook authentication, respectively.

Views

QQ authentication server view

Facebook authentication server view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL to which portal users are redirected after they pass QQ or Facebook authentication. The URL is a case-sensitive string of 1 to 256 characters.

Usage guidelines

After a portal user passes QQ or Facebook authentication, the user is redirected to the specified webpage to complete portal authentication.

You must enable DNS proxy and specify the IP address of an interface on the device as the DNS server.

Examples

# Configure the device to redirect portal users to URL http://www.abc.com/portal/qqlogin.html after they pass QQ authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server qq

[Sysname-portal-extend-auth-server-qq] redirect-url http://www.abc.com/portal/qqlogin.html

# Configure the device to redirect portal users to URL http://www.abc.com/portal/qqlogin.html after they pass Facebook authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server facebook

[Sysname-portal-extend-auth-server-facebook] redirect-url http://www.abc.com/portal/qqlogin.html

Related commands

display portal extend-auth-server

reset portal auth-error-record

Use reset portal auth-error-record to clear portal authentication error records.

Syntax

reset portal auth-error-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal authentication error records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No

MSR2600-6-X1/2600-10-X1 | Yes

MSR 2630 | Yes

MSR3600-28/3600-51 | Yes

MSR3600-28-SI/3600-51-SI | Yes

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes

MSR 3610/3620/3620-DP/3640/3660 | Yes

MSR5620/5660/5680 | Yes

Examples

# Clear all portal authentication error records.

<Sysname> reset portal auth-error-record all

# Clear portal authentication error records for the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal auth-error-record ipv4 11.1.0.1

# Clear portal authentication error records for the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal auth-error-record ipv6 2000::2

# Clear portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal auth-error-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal auth-error-record

reset portal auth-fail-record

Use reset portal auth-fail-record to clear portal authentication failure records.

Syntax

reset portal auth-fail-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal authentication failure records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No

MSR2600-6-X1/2600-10-X1 | Yes

MSR 2630 | Yes

MSR3600-28/3600-51 | Yes

MSR3600-28-SI/3600-51-SI | Yes

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes

MSR 3610/3620/3620-DP/3640/3660 | Yes

MSR5620/5660/5680 | Yes

Examples

# Clear all portal authentication failure records.

<Sysname> reset portal auth-fail-record all

# Clear portal authentication failure records for the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal auth-fail-record ipv4 11.1.0.1

# Clear portal authentication failure records for the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal auth-fail-record ipv6 2000::2

# Clear portal authentication failure records for the portal user whose username is abc.

<Sysname> reset portal auth-fail-record username abc

# Clear portal authentication failure records with the failure time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal auth-fail-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal auth-fail-record

reset portal captive-bypass statistics

Use reset portal captive-bypass statistics to clear portal captive-bypass packet statistics.

Syntax

Centralized devices in standalone mode:

reset portal captive-bypass statistics

Distributed devices in standalone mode/Centralized devices in IRF mode:

reset portal captive-bypass statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset portal captive-bypass statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears portal captive-bypass packet statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears portal captive-bypass packet statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears portal captive-bypass packet statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Clear portal captive-bypass packet statistics.

<Sysname> reset portal captive-bypass statistics

# (Distributed devices in standalone mode/Centralized devices in IRF mode.) Clear portal captive-bypass packet statistics on the specified slot.

<Sysname> reset portal captive-bypass statistics slot 0

Related commands

display portal captive-bypass statistics

reset portal local-binding mac-address

Use reset portal local-binding mac-address to clear local MAC-account binding entries.

Syntax

reset portal local-binding mac-address { mac-address | all }

Views

User view

Predefined user roles

network-admin

Parameters

mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.

all: Specifies all local MAC-account binding entries.

Examples

# Clear all local MAC-account binding entries.

<Sysname> reset portal local-binding mac-address all

Related commands

display portal local-binding mac-address

local-binding aging-time

reset portal logout-record

Use reset portal logout-record to clear portal user offline records.

Syntax

reset portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }

Views

User view

Predefined user roles

network-admin

Parameters

all: Specifies all portal user offline records.

ipv4 ipv4-address: Specifies the IPv4 address of a portal user.

ipv6 ipv6-address: Specifies the IPv6 address of a portal user.

start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD. The value range for MM is 1 to 12. The value range for DD varies with the specified month. The value range for YYYY is 1970 to 2037. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59.

username username: Specifies the username of a portal user, a case-sensitive string of 1 to 253 characters. The username cannot contain the domain name.
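The start-time/end-time arguments of reset portal auth-error-record, reset portal auth-fail-record and reset portal logout-record share the time-range grammar described above. The following Python is an added example (not H3C code) that validates such a range exactly as the parameter description states it: both date layouts, years 1970 to 2037, a day range that depends on month and leap year, and hh:mm between 00:00 and 23:59. The (timestamp, username) record layout it filters is an assumption of the example, not a device format.

```python
import calendar
import re
from datetime import datetime
from typing import List, Optional, Tuple

YEAR_MIN, YEAR_MAX = 1970, 2037          # year range given in the parameter description

_DATE_RE = re.compile(r"^(\d{1,4})/(\d{1,2})/(\d{1,4})$")
_TIME_RE = re.compile(r"^(\d{1,2}):(\d{1,2})$")


def parse_date(text: str) -> Tuple[int, int, int]:
    """Parse MM/DD/YYYY or YYYY/MM/DD into (year, month, day), checking every range."""
    m = _DATE_RE.match(text)
    if not m:
        raise ValueError(f"date {text!r} is not MM/DD/YYYY or YYYY/MM/DD")
    a, b, c = (int(g) for g in m.groups())
    # A year in the allowed range always has four digits, so a four-digit
    # leading field means YYYY/MM/DD; otherwise the layout is MM/DD/YYYY.
    year, month, day = (a, b, c) if len(m.group(1)) == 4 else (c, a, b)
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"year {year} outside {YEAR_MIN}..{YEAR_MAX}")
    if not 1 <= month <= 12:
        raise ValueError(f"month {month} outside 1..12")
    last_day = calendar.monthrange(year, month)[1]   # varies with month and leap year
    if not 1 <= day <= last_day:
        raise ValueError(f"day {day} outside 1..{last_day} for {year}/{month}")
    return year, month, day


def parse_hhmm(text: str) -> Tuple[int, int]:
    """Parse hh:mm; the allowed range is 00:00 to 23:59."""
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError(f"time {text!r} is not hh:mm")
    hour, minute = int(m.group(1)), int(m.group(2))
    if not (0 <= hour <= 23 and 0 <= minute <= 59):
        raise ValueError(f"time {text!r} outside 00:00..23:59")
    return hour, minute


def parse_time_range(start_date: str, start_time: str,
                     end_date: str, end_time: str) -> Tuple[datetime, datetime]:
    """Turn the four tokens of 'start-time ... end-time ...' into an ordered datetime pair."""
    start = datetime(*parse_date(start_date), *parse_hhmm(start_time))
    end = datetime(*parse_date(end_date), *parse_hhmm(end_time))
    if end < start:
        raise ValueError("end time precedes start time")
    return start, end


def check_time_range(start_date: str, start_time: str,
                     end_date: str, end_time: str) -> Optional[str]:
    """Return None for a valid range, otherwise the reason it would be rejected."""
    try:
        parse_time_range(start_date, start_time, end_date, end_time)
    except ValueError as exc:
        return str(exc)
    return None


def select_records(records: List[Tuple[datetime, str]], start_date: str, start_time: str,
                   end_date: str, end_time: str) -> List[Tuple[datetime, str]]:
    """Pick the (timestamp, username) records whose timestamp lies inside the range."""
    start, end = parse_time_range(start_date, start_time, end_date, end_time)
    return [r for r in records if start <= r[0] <= end]


# Constructed sample records: (time, username). Not a device record format.
SAMPLE_RECORDS = [
    (datetime(2016, 3, 4, 14, 19), "abc"),
    (datetime(2016, 3, 4, 15, 0), "def"),
    (datetime(2016, 3, 4, 16, 23), "ghi"),
    (datetime(2016, 3, 4, 16, 24), "jkl"),
]
```

With the example range from the commands below, 2016/3/4 14:20 to 2016/3/4 16:23, only the records for def and ghi are selected; both ends of the range are inclusive in this example, which the page does not state for the device and is an assumption.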

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No

MSR2600-6-X1/2600-10-X1 | Yes

MSR 2630 | Yes

MSR3600-28/3600-51 | Yes

MSR3600-28-SI/3600-51-SI | Yes

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes

MSR 3610/3620/3620-DP/3640/3660 | Yes

MSR5620/5660/5680 | Yes

Examples

# Clear all portal user offline records.

<Sysname> reset portal logout-record all

# Clear offline records for the portal user whose IPv4 address is 11.1.0.1.

<Sysname> reset portal logout-record ipv4 11.1.0.1

# Clear offline records for the portal user whose IPv6 address is 2000::2.

<Sysname> reset portal logout-record ipv6 2000::2

# Clear offline records for the portal user whose username is abc.

<Sysname> reset portal logout-record username abc

# Clear portal user offline records with the logout time in the range of 2016/3/4 14:20 to 2016/3/4 16:23.

<Sysname> reset portal logout-record start-time 2016/3/4 14:20 end-time 2016/3/4 16:23

Related commands

display portal logout-record

reset portal packet statistics

Use reset portal packet statistics to clear packet statistics for portal authentication servers.

Syntax

reset portal packet statistics [ extend-auth-server { cloud | facebook | mail | qq | wechat } | mac-trigger-server server-name | server server-name ]

Views

User view

Predefined user roles

network-admin

Parameters

extend-auth-server: Specifies a third-party authentication server by its type.

facebook: Specifies the Facebook authentication server.

cloud: Specifies the Oasis cloud authentication server.

mail: Specifies the email authentication server.

qq: Specifies the QQ authentication server.

wechat: Specifies the WeChat authentication server.

mac-trigger-server server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters.

server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command clears packet statistics for all third-party authentication servers, portal authentication servers, and MAC binding servers.

Examples

# Clear packet statistics for portal authentication server pts.

<Sysname> reset portal packet statistics server pts

# Clear packet statistics for MAC binding server newpt.

<Sysname> reset portal packet statistics mac-trigger-server newpt

# Clear packet statistics for the Oasis cloud authentication server.

<Sysname> reset portal packet statistics extend-auth-server cloud

Related commands

display portal packet statistics

reset portal redirect statistics

Use reset portal redirect statistics to reset portal redirect packet statistics.

Syntax

Centralized devices in standalone mode:

reset portal redirect statistics

Distributed devices in standalone mode/centralized in IRF mode:

reset portal redirect statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset portal redirect statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears portal redirect packet statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears portal redirect packet statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears portal redirect packet statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Clear portal redirect packet statistics.

<Sysname> reset portal redirect statistics

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Clear redirect packet statistics on the specified slot.

<Sysname> reset portal redirect statistics slot 0

Related commands

display portal redirect statistics

reset portal safe-redirect statistics

Use reset portal safe-redirect statistics to clear portal safe-redirect packet statistics.

Syntax

Centralized devices in standalone mode:

reset portal safe-redirect statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

reset portal safe-redirect statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset portal safe-redirect statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Clear portal safe-redirect packet statistics.

<Sysname> reset portal safe-redirect statistics

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Clear portal safe-redirect packet statistics on the specified slot.

<Sysname> reset portal safe-redirect statistics slot 0

Related commands

display portal safe-redirect statistics

server-detect (portal authentication server view)

Use server-detect to enable portal authentication server detection. After server detection is enabled for a portal authentication server, the device periodically detects portal packets from the server to identify its reachability status.

Use undo server-detect to disable portal authentication server detection.

Syntax

server-detect [ timeout timeout ] log

undo server-detect

Default

Portal authentication server detection is disabled.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Specifies the detection timeout in the range of 10 to 3600 seconds. The default is 60 seconds.

log: Enables the device to send a log message when it detects a reachability status change of the portal authentication server. The log message contains the name, the original state, and the current state of the portal authentication server.

Usage guidelines

The portal authentication server detection feature takes effect only when the device has a portal-enabled interface.

The portal authentication server detection feature takes effect only when the portal authentication server supports server heartbeat. Currently, only the IMC portal authentication server supports server heartbeat.

The detection timeout configured on the device must be greater than the server heartbeat interval configured on the portal authentication server.

If the device receives portal packets from the portal authentication server before the detection timeout expires and verifies that the packets are correct, the device considers the portal authentication server reachable. Otherwise, the device considers the portal authentication server unreachable.

Examples

# Enable server detection for the portal authentication server pts:

·     Set the detection timeout to 600 seconds.

·     Configure the device to send a log message when it detects a reachability status change of the portal authentication server.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-detect timeout 600 log

Related commands

portal server

server-detect (portal Web server view)

Use server-detect to enable portal Web server detection.

Use undo server-detect to disable portal Web server detection.

Syntax

server-detect [ interval interval ] [ retry retries ] log

undo server-detect

Default

Portal Web server detection is disabled.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a detection interval in the range of 1 to 1200 seconds. The default is 5 seconds.

retry retries: Specifies the maximum number of consecutive detection failures, in the range of 1 to 10. The default is 3. If the number of consecutive failed detections reaches this threshold, the device considers the server as unreachable.

log: Enables the device to send a log message when it detects a reachability status change of the portal Web server. The log message contains the name, the original state, and the current state of the portal Web server.

Usage guidelines

The access device performs server detection independently. No configuration on the portal Web server is required for the detection.

The portal Web server detection feature takes effect only when the URL of the portal Web server is specified and the device has a portal-enabled interface.

Examples

# Enable server detection for portal Web server wbs:

·     Set the detection interval to 600 seconds.

·     Set the maximum number of consecutive detection failures to 2.

·     Configure the device to send a log message when it detects a reachability status change of the portal Web server.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] server-detect interval 600 retry 2 log

Related commands

portal web-server
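The two server-detect commands above implement two different reachability models: the portal authentication server is judged passively from verified heartbeat packets against a timeout, while the portal Web server is probed actively and declared unreachable after a run of consecutive failures. The following Python is an added example (not H3C code) that models both state machines and the log entry (name, original state, current state) produced on a status change. Assumptions of the example: both servers start out reachable, time is a plain number of seconds, and the worst-case detection latency of the probe model is simply interval times retries.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

LogEntry = Tuple[str, str, str]   # (server name, original state, current state)


def _label(state: bool) -> str:
    return "reachable" if state else "unreachable"


def _transition(det, new_state: bool) -> bool:
    """Apply a state change and, as the log keyword does, record it on a change only."""
    if new_state != det.reachable:
        det.log.append((det.name, _label(det.reachable), _label(new_state)))
        det.reachable = new_state
    return det.reachable


@dataclass
class AuthServerDetector:
    """Portal authentication server detection (server-detect [timeout timeout] log):
    passive, driven by heartbeat packets that the server sends to the device."""
    name: str
    timeout: int = 60                 # default from the parameter description
    reachable: bool = True            # assumption: initial state
    last_valid: float = 0.0           # time of the last packet that verified correctly
    log: List[LogEntry] = field(default_factory=list)

    def on_packet(self, now: float, verified: bool) -> bool:
        """Only a packet the device could verify counts; a bad packet is ignored."""
        if verified:
            self.last_valid = now
        return self.tick(now)

    def tick(self, now: float) -> bool:
        """Re-evaluate at time now: reachable iff a valid packet arrived within the timeout."""
        return _transition(self, now - self.last_valid < self.timeout)


@dataclass
class WebServerDetector:
    """Portal Web server detection (server-detect [interval interval] [retry retries] log):
    active probes by the access device; `retries` consecutive failures mark the
    server unreachable, a single success marks it reachable again."""
    name: str
    interval: int = 5                 # defaults from the parameter description
    retries: int = 3
    reachable: bool = True            # assumption: initial state
    failures: int = 0
    log: List[LogEntry] = field(default_factory=list)

    def on_probe(self, ok: bool) -> bool:
        if ok:
            self.failures = 0
            return _transition(self, True)
        self.failures += 1
        if self.failures >= self.retries:
            return _transition(self, False)
        return self.reachable

    def worst_case_detect_seconds(self) -> int:
        """How long a dead Web server can still be considered reachable."""
        return self.interval * self.retries


def heartbeat_timeout_ok(timeout: int, server_heartbeat_interval: int) -> bool:
    """The guideline for the authentication server: the detection timeout on the
    device must be greater than the heartbeat interval configured on the server."""
    return timeout > server_heartbeat_interval
```

The worst-case figure is the reason the Web server example in the text (interval 600, retry 2) tolerates a 20-minute blind spot; tune interval and retry with that product in mind rather than either value alone.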

server-register

Use server-register to configure the device to periodically send register packets to the portal authentication server.

Use undo server-register to restore the default.

Syntax

server-register [ interval interval ]

undo server-register

Default

The device does not send register packets to a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

interval interval: Specifies the interval at which the device sends register packets to the portal authentication server, in seconds. The value range for the interval argument is 1 to 3600, and the default value is 600.

Usage guidelines

This feature is typically used in scenarios where a NAT device exists between a portal authentication server and a large number of access devices.

Before this feature is used, you must configure a static NAT mapping for each access device on the NAT device, which is a heavy administrative workload. After this feature is enabled on an access device, the access device automatically sends a register packet to the portal authentication server. When the server receives the register packet, it records register information for the access device, including the device name and the IP address and port number after NAT. The register information is used for subsequent authentication information exchanges between the server and the access device. The access device updates its register information on the server by sending register packets at regular intervals.

Only CMCC portal authentication servers support this feature.

Examples

# Configure the device to send register packets to portal authentication server pts at the interval of 120 seconds.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-register interval 120

Related commands

server-type (portal authentication server view/portal Web server view)

server-type (MAC binding server view)

Use server-type to specify the type of a MAC binding server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc }

undo server-type

Default

The type of the MAC binding server is IMC.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the MAC binding server type as CMCC.

imc: Specifies the MAC binding server type as IMC.

Examples

# Specify the type of the MAC binding server as cmcc.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] server-type cmcc

server-type (portal authentication server view/portal Web server view)

Use server-type to specify the type of a portal authentication server or portal Web server.

Use undo server-type to restore the default.

Syntax

server-type { cmcc | imc | oauth }

undo server-type

Default

The type of the portal authentication server and portal Web server is IMC.

Views

Portal authentication server view

Portal Web server view

Predefined user roles

network-admin

Parameters

cmcc: Specifies the portal server type as CMCC.

imc: Specifies the portal server type as IMC.

oauth: Specifies the portal server type as Oasis. This keyword is supported only in portal Web server view.

Usage guidelines

The server type specified on the device must match the type of the portal server actually deployed.

Examples

# Specify the type of the portal authentication server as cmcc.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] server-type cmcc

# Specify the type of the portal Web server as cmcc.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] server-type cmcc

Related commands

display portal server

shop-id

Use shop-id to specify the shop ID for WeChat authentication.

Use undo shop-id to restore the default.

Syntax

shop-id shop-id

undo shop-id

Default

No shop ID is specified for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Parameters

shop-id: Specifies the ID of the shop where the device is deployed as a portal device for WeChat authentication.

Usage guidelines

This configuration is required for the device to provide local WeChat authentication for portal users. The shop ID specified in this command must be the same as the shop ID obtained from the WeChat Official Account Admin Platform.

To obtain the shop ID for WeChat authentication, you must perform the following tasks:

1.     Go to the WeChat Official Account Admin Platform (https://mp.weixin.qq.com) to apply for a WeChat official account.

2.     Use the account to log in to the platform and enable the WeChat WiFi hotspot feature.

3.     On the device management tab, add the device: select the shop where the device is deployed, select the portal device type, and enter the SSID of your WiFi network.

After you complete these tasks, you obtain the credentials (app ID, app key, and shop ID) for WeChat authentication.

When a WeChat user attempts to connect to the WiFi network provided in the specified shop, the device sends the credentials to the WeChat Official Account Platform for verification. After the credentials are verified, the device continues the portal authentication and allows the user to use the WiFi network after the authentication.

Examples

# Specify 6747662 as the shop ID for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] shop-id 6747662

Related commands

display portal extend-auth-server

subscribe-required enable

Use subscribe-required enable to enable the subscribe-required feature for WeChat authentication.

Use undo subscribe-required enable to disable the subscribe-required feature for WeChat authentication.

Syntax

subscribe-required enable

undo subscribe-required enable

Default

The subscribe-required feature is disabled for WeChat authentication.

Views

WeChat authentication server view

Predefined user roles

network-admin

Usage guidelines

When the subscribe-required feature is enabled, portal users must follow WeChat official accounts to pass WeChat authentication.

This feature must be used with the portal temporary pass feature. As a best practice, set the temporary pass period to 600 seconds.

Examples

# Enable the subscribe-required feature for WeChat authentication.

<Sysname> system-view

[Sysname] portal extend-auth-server wechat

[Sysname-portal-extend-auth-server-wechat] subscribe-required enable

tcp-port

Use tcp-port to configure a listening TCP port for the local portal Web server.

Use undo tcp-port to restore the default.

Syntax

tcp-port port-number

undo tcp-port

Default

The listening TCP port number for HTTP is 80 and that for HTTPS is 443.

Views

Local portal Web server view

Predefined user roles

network-admin

Parameters

port-number: Specifies the listening TCP port number in the range of 1 to 65535.

Usage guidelines

To use the local portal Web server, make sure the port number in the portal Web server URL and the port number configured in this command are the same.

For successful local portal authentication, follow these guidelines:

·     Do not configure the listening TCP port number for a local portal Web server as the port number used by a known protocol. For example, do not specify port numbers 21 and 23, which are used by FTP and Telnet, respectively.

·     Do not configure the HTTP listening port number as the default HTTPS listening port number 443.

·     Do not configure the HTTPS listening port number as the default HTTP listening port number 80.

·     Do not configure the same listening port number for HTTP and HTTPS.

Examples

# Set the HTTP service listening port number to 2331 for the local portal Web server.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] tcp-port 2331

Related commands

portal local-web-server

url

Use url to specify a URL for a portal Web server.

Use undo url to restore the default.

Syntax

url url-string

undo url

Default

No URL is specified for a portal Web server.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

url-string: Specifies a URL for the portal Web server, a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command specifies a URL that can be accessed through standard HTTP or HTTPS. The URL should start with http:// or https://. If the URL you specify does not start with http:// or https://, the system assumes that the URL begins with http://.

Examples

# Configure the URL for the portal Web server wbs as http://www.test.com/portal.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url http://www.test.com/portal

Related commands

display portal web-server

url-parameter

Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user.

Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.

Syntax

url-parameter param-name { nas-id | nas-port-id | original-url | source-address | ssid | { ap-mac | source-mac } [ format section { 1 | 3 | 6 } { lowercase | uppercase } ] [ encryption { aes | des } key { cipher | simple } string ] | value expression | vlan }

undo url-parameter param-name

Default

No URL parameters are configured for a portal Web server.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

param-name: Specifies a URL parameter name, a case-sensitive string of 1 to 32 characters. The content of the parameter is determined by the keyword that follows it.

nas-id: Specifies the NAS-ID.

nas-port-id: Specifies the NAS-Port-Id.

original-url: Specifies the URL of the original webpage that a portal user visits.

source-address: Specifies the user IP address.

ssid: Specifies the SSID of the AP.

ap-mac: Specifies the MAC address of the AP.

source-mac: Specifies the user MAC address.

format: Specifies the format of the MAC address.

section: Specifies the number of sections that a MAC address contains.

1: Specifies the one-section format XXXXXXXXXXXX.

3: Specifies the three-section format XXXX-XXXX-XXXX.

6: Specifies the six-section format XX-XX-XX-XX-XX-XX.

lowercase: Specifies the letters in a MAC address to be in lower case.

uppercase: Specifies the letters in a MAC address to be in upper case.

The following matrix shows the format section { 1 | 3 | 6 } { lowercase | uppercase } option and hardware compatibility:

Hardware | Option compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | No

MSR2600-6-X1/2600-10-X1 | Yes

MSR 2630 | Yes

MSR3600-28/3600-51 | Yes

MSR3600-28-SI/3600-51-SI | Yes

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes

MSR 3610/3620/3620-DP/3640/3660 | Yes

MSR5620/5660/5680 | Yes

encryption: Specifies the encryption algorithm to encrypt the MAC address of the AP or user.

aes: Specifies the AES algorithm.

des: Specifies the DES algorithm.

key: Specifies a key for encryption.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the case-sensitive key string. The string length varies by the selected encryption method:

·     If des cipher is specified, the string length is 41 characters.

·     If des simple is specified, the string length is 8 characters.

·     If aes cipher is specified, the string length is 1 to 73 characters.

·     If aes simple is specified, the string length is 1 to 31 characters.

value expression: Specifies a custom case-sensitive string of 1 to 256 characters.

vlan: Specifies the user VLAN ID.

Usage guidelines

You can configure multiple URL parameters.

If you execute this command multiple times to configure the same URL parameter, the most recent configuration takes effect.

After you configure the URL parameters, the access device sends the portal Web server URL with these parameters to portal users. For example, assume that the URL of a portal Web server is http://www.test.com/portal, and you execute the url-parameter userip source-address and url-parameter userurl value http://www.abc.com/welcome commands. Then, the access device sends to the user whose IP address is 1.1.1.1 the URL http://www.test.com/portal?userip=1.1.1.1&userurl=http://www.abc.com/welcome.

When you configure the param-name argument in this command, you must use the URL parameter name supported by the actual portal server. Different portal server types support different URL parameter names.

For example, the IMC server supports parameter names userurl, userip, and usermac for the keywords original-url, source-address, and source-mac, respectively. To carry the user IP information in the portal Web server URL, you must configure the parameter name as userip and specify the source-address keyword.

If you specify an encryption algorithm for a parameter, the redirection URL carries the encrypted value of that parameter. For example, execute the url-parameter usermac source-mac encryption des key simple 12345678 command. Then the access device sends to the user with MAC address 1111-1111-1111 the URL http://www.test.com/portal?usermac=xxxxxxxxx&userip=1.1.1.1&userurl=http://www.test.com/welcome, where xxxxxxxxx represents the encrypted user MAC address.
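The following Python script is an added illustration, not H3C code, of how the access device assembles the portal Web server URL from the configured url-parameter entries and how the format section { 1 | 3 | 6 } { lowercase | uppercase } option changes the MAC representation. The parameter names userip, usermac and userurl are the IMC names quoted above; the function names, the sample user and the omission of the encryption step (an encrypted value would simply replace the MAC string in the same position) are assumptions made for this example.

```python
"""Added example (not H3C code): assembly of the portal Web server redirect
URL from url-parameter entries, plus the source-mac format options.

The encryption step is deliberately left out; with `encryption` configured
the encrypted value would take the place of the MAC string below."""

import re


def format_mac(mac: str, section: int = 3, case: str = "uppercase") -> str:
    """Render a MAC address in the 1-, 3- or 6-section format of the
    `format section { 1 | 3 | 6 } { lowercase | uppercase }` option."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if section == 1:
        groups = [hexdigits]
    elif section == 3:
        groups = [hexdigits[i:i + 4] for i in range(0, 12, 4)]
    elif section == 6:
        groups = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    else:
        raise ValueError("section must be 1, 3 or 6")
    rendered = "-".join(groups)
    return rendered.lower() if case == "lowercase" else rendered.upper()


def build_portal_url(server_url: str, url_parameters: list, user: dict) -> str:
    """Append the configured URL parameters to the portal Web server URL.

    url_parameters is an ordered list of (param-name, kind, extra) tuples,
    where kind mirrors the command keywords: "source-address", "source-mac",
    "original-url", "vlan" or "value". As the guideline shows, the device
    appends values verbatim (no percent-encoding), so the portal server must
    tolerate a bare URL such as userurl=http://... inside the query string.
    """
    pairs = []
    for name, kind, extra in url_parameters:
        if kind == "source-address":
            val = user["ip"]
        elif kind == "source-mac":
            val = format_mac(user["mac"], **extra)
        elif kind == "original-url":
            val = user["original_url"]
        elif kind == "vlan":
            val = str(user["vlan"])
        elif kind == "value":
            val = extra["expression"]
        else:
            raise ValueError(f"unknown url-parameter kind {kind!r}")
        pairs.append(f"{name}={val}")
    sep = "&" if "?" in server_url else "?"
    return server_url + sep + "&".join(pairs)


# Constructed sample: portal Web server wbs with three url-parameter lines
URL_PARAMETERS = [
    ("userip", "source-address", {}),
    ("usermac", "source-mac", {"section": 6, "case": "lowercase"}),
    ("userurl", "value", {"expression": "http://www.abc.com/welcome"}),
]
SAMPLE_USER = {  # constructed user record
    "ip": "1.1.1.1",
    "mac": "1111-1111-1111",
    "vlan": 100,
    "original_url": "http://www.example.com/",
}

if __name__ == "__main__":
    print(build_portal_url("http://www.test.com/portal", URL_PARAMETERS, SAMPLE_USER))
```

With only the userip and userurl entries configured, the function reproduces the URL quoted in the guideline above exactly.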

Examples

# Configure the URL parameters userip and userurl for the portal Web server wbs. Configure the value of the userip parameter as source-address (the IP addresses of users) and that of the userurl parameter as http://www.abc.com/welcome.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter userip source-address

[Sysname-portal-websvr-wbs] url-parameter userurl value http://www.abc.com/welcome

# Configure the URL parameter usermac for the portal Web server wbs. Configure the value of the usermac parameter as source-mac (the MAC addresses of users) and specify DES to encrypt the MAC addresses.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter usermac source-mac encryption des key simple 12345678

# Configure URL parameter uservlan for portal Web server wbs. Configure the value of the uservlan parameter as vlan (the VLAN IDs of users.)

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] url-parameter uservlan vlan

Related commands

display portal web-server

url

user-agent

Use user-agent to configure the User-Agent match string.

Use undo user-agent to restore the default.

Syntax

user-agent user-agent-string

undo user-agent

Default

The User-Agent match string is MicroMessenger.

Views

Local portal Web server view

Predefined user roles

network-admin

Parameters

user-agent-string: Specifies the User-Agent match string, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the User-Agent match string as text.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] user-agent text

user-password modify enable

Use user-password modify enable to enable local portal user password modification.

Use undo user-password modify enable to disable local portal user password modification.

Syntax

user-password modify enable

undo user-password modify enable

Default

Local portal user password modification is disabled.

Views

Local portal Web server view

Predefined user roles

network-admin

Usage guidelines

This feature enables the local portal Web server to display the password modification button on the portal authentication page. Local portal users can change their passwords through this button.

Examples

# In local portal Web server view, enable local portal user password modification.

<Sysname> system-view

[Sysname] portal local-web-server http

[Sysname-portal-local-websvr-http] user-password modify enable

Related commands

portal local-web-server

user-sync

Use user-sync to enable portal user synchronization for a portal authentication server. After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server. In this way, information about online portal users on the device and on the portal authentication server remains consistent.

Use undo user-sync to disable portal user synchronization for a portal authentication server.

Syntax

user-sync timeout timeout

undo user-sync

Default

Portal user synchronization is disabled for a portal authentication server.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

timeout timeout: Sets a detection timeout for synchronization packets, in the range of 60 to 18000 seconds. The default is 1200 seconds.

Usage guidelines

Portal user synchronization requires that the portal authentication server support the portal user heartbeat feature. Currently, only the IMC portal authentication server supports portal user heartbeat. To implement portal user synchronization, you must configure the user heartbeat feature on the portal authentication server. Make sure the user heartbeat interval configured on the portal authentication server is not greater than the synchronization detection timeout configured on the access device.

Deleting a portal authentication server on the device also deletes the user synchronization configuration for the server.

If you execute this command multiple times, the most recent configuration takes effect.

If the portal authentication server considers a user nonexistent, the device deletes the information about that user after the configured detection timeout expires.

If the user information from the portal authentication server does not exist on the device, the device encapsulates IP addresses of the users in user heartbeat reply packets to the server. The portal authentication server then deletes the users.

Examples

# Enable portal user synchronization for the portal authentication server pts and set the detection timeout to 600 seconds. If a user has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] user-sync timeout 600

Related commands

portal server

version

Use version to specify the version of the portal protocol.

Use undo version to restore the default.

Syntax

version version-number

undo version

Default

The version of the portal protocol is 1.

Views

MAC binding server view

Predefined user roles

network-admin

Parameters

version-number: Specifies the portal protocol version in the range of 1 to 3.

Usage guidelines

The specified portal protocol version must be the version required by the MAC binding server.

Examples

# Configure the device to use portal protocol version 2 to communicate with MAC binding server mts.

<Sysname> system-view

[Sysname] portal mac-trigger-server mts

[Sysname-portal-mac-trigger-server-mts] version 2

Related commands

display portal mac-trigger-server

portal mac-trigger-server

vpn-instance

Use vpn-instance to specify an MPLS L3VPN instance for a portal Web server.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

A portal Web server belongs to the public network.

Views

Portal Web server view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal Web server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

A portal Web server belongs to only one MPLS L3VPN.

Examples

# Specify MPLS L3VPN instance abc for portal Web server wbs.

<Sysname> system-view

[Sysname] portal web-server wbs

[Sysname-portal-websvr-wbs] vpn-instance abc

web-redirect track

Use web-redirect track to enable Web redirect track to monitor the interface status or signal information.

Use undo web-redirect track to disable Web redirect track.

Syntax

web-redirect track interface interface-type interface-number

undo web-redirect track

Default

Web redirect track is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

This feature pushes a destination-unreachable notification webpage to users who attempt to access the Internet when it detects the following situations:

·     The tracked interface is down.

·     The tracked interface receives 2G signal or no signal.

In the current software version, this feature can track signal information only for Etherchannel interfaces.

This feature applies only to IPv4 users.

This feature requires that the webpage to which the redirect URL points must be configured on the device. The redirect URL is specified by the web-redirect url command.

Examples

# Enable Web redirect track on GigabitEthernet 1/0/1 to track network signal information on Etherchannel 2/0:0.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] web-redirect track interface eth-channel 2/0:0

Related commands

display web-redirect rule

web-redirect url

web-redirect url

Use web-redirect url to enable the Web redirect feature.

Use undo web-redirect url to disable the Web redirect feature.

Syntax

web-redirect [ ipv6 ] url url-string [ interval interval ]

undo web-redirect [ ipv6 ]

Default

The Web redirect feature is disabled.

Views

Interface view

Service template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the IPv6 Web redirect feature. Do not specify this keyword for the IPv4 Web redirect feature.

url url-string: Specifies the URL to which the user is redirected, a string of 1 to 256 characters. The URL must exist and must be a complete URL beginning with http:// or https://.

interval interval: Specifies the time interval at which the user is redirected to the specified URL. It is in the range of 60 to 86400 seconds. The default interval is 86400 seconds.

Usage guidelines

This feature redirects a user on an interface or a service template to the specified URL before the user can access an external network through a Web browser. After the specified interval, the user is redirected to the specified URL again.

To push different advertisement pages to different users, you can carry parameters in the redirect URL (by using the url url-string option) as needed. The following parameters are available:

·     userip=%c—IP address of the user.

·     usermac=%m—MAC address of the user.

·     nasid=%n—NAS identifier of the device.

·     ssid=%E—SSID with which the user associates.

·     originalurl=%o—Original URL that the user enters in the browser.

Make sure the arrangement of the parameters conforms to the format of http://XXXX/index.html?userip=%c&usermac=%m&nasid=%n&ssid=%E&originalurl=%o.

On Etherchannel interfaces, both Web redirect and portal authentication can be enabled at the same time. On non-Etherchannel interfaces, Web redirect does not work when both Web redirect and portal authentication are enabled.

On a service template, both Web redirect and portal authentication can be enabled and will take effect at the same time.

The Web redirect feature takes effect only on HTTP packets that use the default port number 80.

To use the device URL as the Web redirect URL or allow users to successfully access the device URL, you must enable the HTTP service. To enable the HTTP service, use the ip http enable command.
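The following Python script is an added illustration, not H3C code, for checking a candidate url-string against the rules in this section (1 to 256 characters, http:// or https:// scheme, only the documented placeholders, parameters in the documented order) before it is configured, and for previewing the URL a given user would receive once the device substitutes %c, %m, %n, %E and %o. The validation logic, function names and the sample user are assumptions made for this example.

```python
"""Added example (not H3C code): validate a web-redirect url-string and
preview its expansion for one user."""

import re

# Placeholder -> key in the user record, per the parameter list above
PLACEHOLDERS = {
    "%c": "ip",            # userip
    "%m": "mac",           # usermac
    "%n": "nasid",         # nasid
    "%E": "ssid",          # ssid
    "%o": "original_url",  # originalurl
}
# Documented arrangement of the parameters in the query string
EXPECTED_ORDER = ["userip=%c", "usermac=%m", "nasid=%n", "ssid=%E", "originalurl=%o"]


def validate_redirect_url(url: str) -> list:
    """Return a list of problems; an empty list means the url-string is acceptable."""
    problems = []
    if not 1 <= len(url) <= 256:
        problems.append("url-string must be 1 to 256 characters")
    if not (url.startswith("http://") or url.startswith("https://")):
        problems.append("URL must begin with http:// or https://")
    for token in re.findall(r"%[A-Za-z]", url):
        if token not in PLACEHOLDERS:
            problems.append(f"unknown placeholder {token}")
    query = url.split("?", 1)[1] if "?" in url else ""
    used = [p for p in query.split("&") if p in EXPECTED_ORDER]
    expected = [p for p in EXPECTED_ORDER if p in used]
    if used != expected:
        problems.append("parameters are not in the documented order")
    return problems


def expand_redirect_url(url: str, user: dict) -> str:
    """Substitute the placeholders with one user's values, as the device does."""
    out = url
    for token, key in PLACEHOLDERS.items():
        out = out.replace(token, str(user.get(key, "")))
    return out


SAMPLE_USER = {  # constructed user record
    "ip": "192.168.10.20",
    "mac": "0000-1111-2222",
    "nasid": "nas-1",
    "ssid": "guest",
    "original_url": "http://www.example.com/",
}
GOOD = "http://192.0.0.1/index.html?userip=%c&usermac=%m&nasid=%n&ssid=%E&originalurl=%o"
BAD = "ftp://192.0.0.1/index.html?usermac=%m&userip=%c&x=%z"   # constructed bad input

if __name__ == "__main__":
    for candidate in (GOOD, BAD):
        print(candidate, "->", validate_redirect_url(candidate) or "ok")
    print(expand_redirect_url(GOOD, SAMPLE_USER))
```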

Examples

# Configure IPv4 Web redirect on GigabitEthernet 1/0/1. Set the redirect URL to http://192.0.0.1 and the interval to 3600 seconds. (Wired application.)

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] web-redirect url http://192.0.0.1/index.html?userip=%c&usermac=%m&nasid=%n&ssid=%E&originalurl=%o interval 3600

# Configure IPv4 Web redirect on service template service1. Set the redirect URL to http://192.0.0.1 and the interval to 3600 seconds. (Wireless application.)

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] web-redirect url http://192.0.0.1/index.html?userip=%c&usermac=%m&nasid=%n&ssid=%E&originalurl=%o interval 3600

Related commands

display web-redirect rule


User profile commands

The following matrix shows the feature and hardware compatibility:

 

Hardware                                                                  User profile compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

 

Hardware                  User profile compatibility
MSR810-LM-GL              Yes
MSR810-W-LM-GL            Yes
MSR830-6EI-GL             Yes
MSR830-10EI-GL            Yes
MSR830-6HI-GL             Yes
MSR830-10HI-GL            Yes
MSR2600-6-X1-GL           Yes
MSR3600-28-SI-GL          Yes

 

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display user-profile

Use display user-profile to display configuration and online user information for user profiles.

Syntax

Centralized devices in standalone mode:

display user-profile [ name profile-name ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display user-profile [ name profile-name ] [ slot slot-number ]

Distributed devices in IRF mode:

display user-profile [ name profile-name ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. Valid characters include English letters, digits, and underscores (_). The name must start with an English letter and must be unique. If you do not specify this option, the command displays configuration and online user information for all user profiles.

slot slot-number: Specifies a card by its slot number. If you do not specify this option, the command displays user profile configuration and online user information on all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays user profile configuration and online user information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify this option, the command displays user profile configuration and online user information for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display configuration and online user information for user profile aaa.

<Sysname> display user-profile name aaa

  User-Profile: aaa

    Inbound:

      CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p1

    Outbound:

      CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p2

 

    User user_1:

      Authentication type: 802.1X

      Network attributes:

        Interface    : GigabitEthernet1/0/1

        MAC address  : 0000-1111-2222

      Failed action list:

        Inbound: Policy p1

        Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

    User user_2:

      Authentication type: Portal

      Network attributes:

        Interface    : GigabitEthernet1/0/3

        IP address   : 172.16.187.16

        VPN          : N/A

        Service VLAN : 100

# (Distributed device in standalone mode.) Display configuration and online user information for all user profiles in slot 2.

<Sysname> display user-profile slot 2

  User-Profile: aaa

    Inbound:

      CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p1

    Outbound:

      CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p2

 

    User user_1:

      Authentication type: 802.1X

      Network attributes:

        Interface    : GigabitEthernet1/0/1

        MAC address  : 0000-1111-2222

      Failed action list:

        Inbound: Policy p1

        Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

    User user_2:

      Authentication type: Portal

      Network attributes:

        Interface    : GigabitEthernet1/0/3

        IP address   : 172.16.187.16

        VPN          : N/A

        Service VLAN : 100

 

  User-Profile: bbb

    Inbound:

      CIR 512 (kbps), CBS 1024 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p3

 

    User user_4:

    Authentication type: Portal

    Network attributes:

      Interface    : GigabitEthernet1/0/2

      IP address   : 172.16.187.166

      VPN          : N/A

      Service VLAN : 100

# (Distributed devices in IRF mode.) Display configuration and online user information for user profile aaa in slot 2 of IRF member device 1.

<Sysname> display user-profile name aaa chassis 1 slot 2

  User-Profile: aaa

    Inbound:

      CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p1

    Outbound:

      CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p2

 

    User user_1:

      Authentication type: 802.1X

      Network attributes:

        Interface    : GigabitEthernet1/2/0/1

        MAC address  : 0000-1111-2222

      Failed action list:

        Inbound: Policy p1

        Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

    User user_2:

      Authentication type: Portal

      Network attributes:

        Interface    : GigabitEthernet1/2/0/3

        IP address   : 172.16.187.16

        VPN          : N/A

        Service VLAN : 100

# (Distributed devices in IRF mode.) Display configuration and online user information for user profile bbb.

<Sysname> display user-profile name bbb

  User-Profile: bbb

    Inbound:

      CIR 512 (kbps), CBS 1024 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p3

 

    Chassis 1 Slot 2:

      User user_3:

        Authentication type: 802.1X

        Network attributes:

          Interface    : GigabitEthernet1/2/0/1

          MAC address  : 1111-2222-3333

        Failed action list:

      User user_4:

        Authentication type: PPP

        Network attributes:

          Interface    : GigabitEthernet1/2/0/2

 

    Chassis 1 Slot 5:

      User user_5:

        Authentication type: PPP

        Network attributes:

          MAC address  : 2222-3333-4444

# (Distributed devices in IRF mode.) Display configuration and online user information for all user profiles.

<Sysname> display user-profile

  User-Profile: aaa

    Inbound:

      CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p1

 

    Chassis 1 Slot 2:

      User user_1:

        Authentication type: 802.1X

        Network attributes:

          Interface    : GigabitEthernet1/2/0/1

          MAC address  : 0000-1111-2222

        Failed action list:

          Inbound: Policy p1

 

    Chassis 1 Slot 5:

      User user_6:

        Authentication type: PPP

        Network attributes:

          Interface    : GigabitEthernet1/2/0/3

 

  User-Profile: bbb

    Inbound:

      CIR 512 (kbps), CBS 1024 (Bytes), EBS 0 (Bytes), PIR 888 (kbps)

      Policy: p3

 

    Chassis 1 Slot 5:

      User user_7:

        Authentication type: PPP

        Network attributes:

          Interface    : GigabitEthernet1/2/0/2

          MAC address  : 0000-1111-2222

          IP address   : 172.16.187.166

          VPN          : N/A

          Service VLAN : 100

Table 51 Command output

Field                  Description
User-Profile           User profile name.
Inbound                Policy applied to incoming traffic.
Outbound               Policy applied to outgoing traffic.
CIR                    Committed information rate, in kbps.
CBS                    Committed burst size, in bytes.
EBS                    Excess burst size, in bytes.
PIR                    Peak information rate, in kbps.
Policy                 Policy name.
User user_1            Username of a user account with which a user profile is associated. If no user is online, User - is displayed.
Authentication type    Authentication type:
                       ·     802.1X—802.1X authentication.
                       ·     Portal—Portal authentication.
                       ·     PPP—PPP authentication.
                       ·     MACA—MAC authentication.
Network attributes     Online user information.
Failed action list     Actions that failed to be applied to the user.

 

user-profile

Use user-profile to create a user profile and enter its view, or enter the view of an existing user profile.

Use undo user-profile to delete a user profile.

Syntax

user-profile profile-name

undo user-profile profile-name

Default

No user profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. A user profile name can only contain English letters, digits, underscores (_), and periods (.), and it must start with an English letter or digit. The name cannot contain only digits and must be unique.

Examples

# Create user profile a123 and enter the view of a123.

<Sysname> system-view

[Sysname] user-profile a123

[Sysname-user-profile-a123]


Password control commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

display password-control

Use display password-control to display password control configuration.

Syntax

display password-control [ super ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

super: Displays the password control information for the super passwords. If you do not specify this keyword, the command displays the global password control configuration.

Examples

# Display the global password control configuration.

<Sysname> display password-control

 Global password control configurations:

 Password control:                     Disabled

 Password aging:                       Enabled (90 days)

 Password length:                      Enabled (10 characters)

 Password composition:                 Enabled (1 types, 1 characters per type)

 Password history:                     Enabled (max history records:4)

 Early notice on password expiration:  7 days

 Maximum login attempts:               3

 Action for exceeding login attempts:  Lock user for 1 minutes

 Minimum interval between two updates: 24 hours

 User account idle time:               90 days

 Logins with aged password:            3 times in 30 days

 Password complexity:                  Disabled (username checking)

                                       Disabled (repeated characters checking)

# Display the password control configuration for super passwords.

<Sysname> display password-control super

 Super password control configurations:

 Password aging:                       Enabled (90 days)

 Password length:                      Enabled (10 characters)

 Password composition:                 Enabled (1 types, 1 characters per type)

Table 52 Command output

Field                                 Description
Password control                      Whether the password control feature is enabled.
Password aging                        Whether password expiration is enabled and, if enabled, the expiration time.
Password length                       Whether the minimum password length restriction feature is enabled and, if enabled, the setting.
Password composition                  Whether the password composition restriction feature is enabled and, if enabled, the settings.
Password history                      Whether the password history feature is enabled and, if enabled, the setting.
Early notice on password expiration   Number of days during which the user is notified of the pending password expiration.
Maximum login attempts                Allowed maximum number of consecutive failed login attempts for FTP and VTY users.
Action for exceeding login attempts   Action to be taken after a user fails to log in after the specified number of attempts.
Minimum interval between two updates  Minimum password update interval.
Logins with aged password             Number of times and maximum number of days a user can log in using an expired password.
Password complexity                   Whether the following password complexity checking is enabled:
                                      ·     username checking—Checks whether a password contains the username or the reverse of the username.
                                      ·     repeated characters checking—Checks whether a password contains any character that appears consecutively three or more times.

 

display password-control blacklist

Use display password-control blacklist to display password control blacklist information.

Syntax

display password-control blacklist [ user-name user-name | ip ipv4-address | ipv6 ipv6-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

user-name user-name: Specifies a user by its username, a case-sensitive string of 1 to 55 characters.

ip ipv4-address: Specifies the IPv4 address of a user.

ipv6 ipv6-address: Specifies the IPv6 address of a user.

Usage guidelines

If you do not specify any parameters, this command displays information about all users in the password control blacklist.

The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication. You can use this command to view information about blacklisted FTP, Web, and virtual terminal line (VTY) users.

Users accessing the system through the console or AUX interface are not blacklisted for the following reasons:

·     The system is unable to obtain the IP addresses of these users.

·     These users are privileged and, therefore, relatively secure to the system.

Examples

# Display password control blacklist information.

<Sysname> display password-control blacklist

 Blacklist items matched: 2.

 Username                     IP address           Login failures   Lock flag

 abcd                         111.8.18.60          4                lock

 admin                        192.168.34.1         1                unlock

Table 53 Command output

Field                     Description
Blacklist items matched   Number of blacklisted users.
IP address                IP address of the user.
Login failures            Number of login failures.
Lock flag                 Whether the user account is locked for the user:
                          ·     unlock—Not limited.
                          ·     lock—Disabled temporarily or permanently, depending on the password-control login-attempt command.
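The following Python script is an added illustration, not H3C code, of how an operator's health check or log collector can parse the text printed by display password-control blacklist and pick out the accounts that are currently locked. The sample output is constructed from the lines shown in the example above; the function names and the consistency check between the item count and the parsed rows are assumptions made for this example.

```python
"""Added example (not H3C code): parse `display password-control blacklist`
output and list locked accounts."""

import re

# Constructed from the example output in this section
SAMPLE_OUTPUT = """\
 Blacklist items matched: 2.
 Username                     IP address           Login failures   Lock flag
 abcd                         111.8.18.60          4                lock
 admin                        192.168.34.1         1                unlock
"""

# One blacklist row: username, IP address, failure count, lock flag.
# The column header does not match because "address" is not a number.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(lock|unlock)\s*$")
COUNT = re.compile(r"^\s*Blacklist items matched:\s*(\d+)")


def parse_blacklist(text: str) -> list:
    """Return one dict per blacklist entry.

    Raises ValueError if the item count on the first line does not match
    the number of rows parsed, so truncated output is not silently trusted."""
    entries = []
    declared = None
    for line in text.splitlines():
        m = COUNT.match(line)
        if m:
            declared = int(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            entries.append({
                "username": m.group(1),
                "ip": m.group(2),
                "failures": int(m.group(3)),
                "locked": m.group(4) == "lock",
            })
    if declared is not None and declared != len(entries):
        raise ValueError(f"header says {declared} items, parsed {len(entries)}")
    return entries


def locked_accounts(entries: list) -> list:
    """Usernames whose lock flag is set; candidates for an alert or review."""
    return [e["username"] for e in entries if e["locked"]]


if __name__ == "__main__":
    rows = parse_blacklist(SAMPLE_OUTPUT)
    print(rows)
    print("locked:", locked_accounts(rows))
```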

 

password-control { aging | composition | history | length } enable

Use password-control { aging | composition | history | length } enable to enable the password expiration, composition restriction, history, or minimum length restriction feature.

Use undo password-control { aging | composition | history | length } enable to disable a password control feature.

Syntax

password-control { aging | composition | history | length } enable

undo password-control { aging | composition | history | length } enable

Default

The password control features (aging, composition, history, and length) are all enabled.

Views

System view

Predefined user roles

network-admin

Parameters

aging: Enables the password expiration feature.

composition: Enables the password composition restriction feature.

history: Enables the password history feature.

length: Enables the minimum password length restriction feature.

Usage guidelines

For a specific password control feature to take effect, make sure the global password control and the specific password control feature are both enabled. For example, if the global password control and the minimum length restriction feature are not enabled, the password-control length command does not take effect.

The system stops recording history passwords after you execute the undo password-control history enable command, but it does not delete the prior records.

If the global password control feature is enabled but the minimum password length restriction feature is disabled, the following rules apply:

·     In non-FIPS mode, a password must contain a minimum of 4 characters, and at least 4 of those characters must be different.

·     In FIPS mode, a password must contain a minimum of 15 characters, and at least 4 of those characters must be different.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Enable the password composition restriction feature.

[Sysname] password-control composition enable

# Enable the password expiration feature.

[Sysname] password-control aging enable

# Enable the minimum password length restriction feature.

[Sysname] password-control length enable

# Enable the password history feature.

[Sysname] password-control history enable

Related commands

display password-control

password-control enable

password-control aging

Use password-control aging to set the password expiration time.

Use undo password-control aging to restore the default.

Syntax

password-control aging aging-time

undo password-control aging

Default

A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

aging-time: Specifies the password expiration time in days, in the range of 1 to 365.

Usage guidelines

The expiration time depends on the view:

·     The time in system view has global significance and applies to all user groups.

·     The time in user group view applies to all local users in the user group.

·     The time in local user view applies only to the local user.

A password expiration time with a smaller application scope has higher priority. The system prefers to use the password expiration time in local user view for a local user.

·     If no password expiration time is configured for the local user, the system uses the password expiration time for the user group to which the local user belongs.

·     If no password expiration time is configured for the user group, the system uses the global password expiration time.

Examples

# Globally set the passwords to expire after 80 days.

<Sysname> system-view

[Sysname] password-control aging 80

# Set the passwords for user group test to expire after 90 days.

[Sysname] user-group test

[Sysname-ugroup-test] password-control aging 90

[Sysname-ugroup-test] quit

# Set the password for device management user abc to expire after 100 days.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control aging 100

Related commands

display local-user

display password-control

display user-group

password-control aging enable

password-control alert-before-expire

Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration.

Use undo password-control alert-before-expire to restore the default.

Syntax

password-control alert-before-expire alert-time

undo password-control alert-before-expire

Default

The default is 7 days.

Views

System view

Predefined user roles

network-admin

Parameters

alert-time: Specifies the number of days before a user password expires during which the user is notified of the pending password expiration. The value range is 1 to 30.

Usage guidelines

This command is effective only for non-FTP users. FTP users can only have their passwords changed by the administrator.

Examples

# Configure the device to notify a user about pending password expiration 10 days before the user's password expires.

<Sysname> system-view

[Sysname] password-control alert-before-expire 10

Related commands

display password-control

password-control complexity

Use password-control complexity to configure the password complexity checking policy.

Use undo password-control complexity to remove a password complexity checking item.

Syntax

password-control complexity { same-character | user-name } check

undo password-control complexity { same-character | user-name } check

Default

The global password complexity checking policy is that both username checking and repeated character checking are disabled. The password complexity checking policy for a user group equals the global setting. The password complexity checking policy for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough.

user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.

Usage guidelines

The password complexity checking policy depends on the view:

·     The policy in system view has global significance and applies to all user groups.

·     The policy in user group view applies to all local users in the user group.

·     The policy in local user view applies only to the local user.

A password complexity checking policy with a smaller application scope has higher priority. The system prefers to use the password complexity checking policy in local user view for a local user.

·     If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

·     If no policy is configured for the user group, the system uses the global policy.

You can enable both username checking and repeated character checking.

After the password complexity checking is enabled, complexity-incompliant passwords will be refused.

Examples

# Configure the password complexity checking policy, refusing any password that contains the username or the reverse of the username.

<Sysname> system-view

[Sysname] password-control complexity user-name check

Related commands

display local-user

display password-control

display user-group

password-control composition

Use password-control composition to configure the password composition policy.

Use undo password-control composition to restore the default.

Syntax

password-control composition type-number type-number [ type-length type-length ]

undo password-control composition

Default

In non-FIPS mode:

The password using the global composition policy must contain a minimum of one character type and a minimum of one character for each type.

In FIPS mode:

The password using the global composition policy must contain a minimum of four character types and a minimum of one character for each type.

In both non-FIPS and FIPS modes:

The password composition policy for a user group is the same as the global policy. The password composition policy for a local user is the same as that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

type-number type-number: Specifies the minimum number of character types that a password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode. The following character types are available:

·     Uppercase letters A to Z.

·     Lowercase letters a to z.

·     Digits 0 to 9.

·     Special characters in Table 54.

Table 54 Special characters

Character name

Symbol

Character name

Symbol

Ampersand sign

&

Apostrophe

'

Asterisk

*

At sign

@

Back quote

`

Back slash

\

Blank space

N/A

Caret

^

Colon

:

Comma

,

Dollar sign

$

Dot

.

Equal sign

=

Exclamation point

!

Left angle bracket

Left brace

{

Left bracket

[

Left parenthesis

(

Minus sign

-

Percent sign

%

Plus sign

+

Pound sign

#

Quotation marks

"

Right angle bracket

Right brace

}

Right bracket

]

Right parenthesis

)

Semi-colon

;

Slash

/

Tilde

~

Underscore

_

Vertical bar

|

 

type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.

Usage guidelines

The password composition policy depends on the view:

·     The policy in system view has global significance and applies to all user groups.

·     The policy in user group view applies to all local users in the user group.

·     The policy in local user view applies only to the local user.

A password composition policy with a smaller application scope has higher priority. The system prefers to use the password composition policy in local user view for a local user.

·     If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

·     If no policy is configured for the user group, the system uses the global policy.

The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of passwords.

Examples

# Specify that all passwords must each contain a minimum of four character types and a minimum of five characters for each type.

<Sysname> system-view

[Sysname] password-control composition type-number 4 type-length 5

# Specify that passwords in user group test must contain a minimum of four character types and a minimum of five characters for each type.

[Sysname] user-group test

[Sysname-ugroup-test] password-control composition type-number 4 type-length 5

[Sysname-ugroup-test] quit

# Specify that the password of device management user abc must contain a minimum of four character types and a minimum of five characters for each type.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control composition type-number 4 type-length 5

Related commands

display local-user

display password-control

display user-group

password-control composition enable

password-control enable

Use password-control enable to enable the password control feature globally.

Use undo password-control enable to disable the password control feature globally.

Syntax

password-control enable

undo password-control enable

Default

In non-FIPS mode:

The password control feature is disabled globally.

In FIPS mode:

The password control feature is enabled globally and cannot be disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

A specific password control feature takes effect only after the global password control feature is enabled.

After the global password control feature is enabled, you cannot display the password and super password configurations for device management users by using the corresponding display commands. The configuration for network access user passwords can be displayed. The first password configured for device management users must contain a minimum of four different characters.

Examples

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

Related commands

display password-control

password-control { aging | composition | history | length } enable

password-control expired-user-login

Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires.

Use undo password-control expired-user-login to restore the defaults.

Syntax

password-control expired-user-login delay delay times times

undo password-control expired-user-login

Default

A user can use an expired password to log in three times within 30 days after the password expires. If all the three attempts fail or the user makes a login attempt after 30 days, the system prompts the user to set a new password.

Views

System view

Predefined user roles

network-admin

Parameters

delay delay: Specifies the maximum number of days during which a user can log in using an expired password. The value range for the delay argument is 1 to 90.

times times: Specifies the maximum number of times a user can log in after the password expires. The value range is 0 to 10. For a user to set a new password at the system prompt immediately after the password expires, set the value to 0.

Usage guidelines

This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires.

Examples

# Allow a user to log in five times within 60 days after the password expires.

<Sysname> system-view

[Sysname] password-control expired-user-login delay 60 times 5

Related commands

display password-control

password-control history

Use password-control history to set the maximum number of history password records for each user.

Use undo password-control history to restore the default.

Syntax

password-control history max-record-number

undo password-control history

Default

The maximum number of history password records for each user is 4.

Views

System view

Predefined user roles

network-admin

Parameters

max-record-number: Specifies the maximum number of history password records for each user. The value range is 2 to 15.

Usage guidelines

When the number of history password records reaches the maximum number, the subsequent history record overwrites the earliest one.

The system stops recording passwords after you execute the undo password-control history enable command, but it does not delete the prior records.

To delete the existing records, use one of the following methods:

·     Use the undo password-control enable command to disable the password control feature globally.

·     Use the reset password-control history-record command to clear the passwords manually.

Examples

# Set the maximum number of history password records for each user to 10.

<Sysname> system-view

[Sysname] password-control history 10

Related commands

display password-control

password-control history enable

reset password-control blacklist

password-control length

Use password-control length to set the minimum password length.

Use undo password-control length to restore the default.

Syntax

password-control length length

undo password-control length

Default

In non-FIPS mode:

The global minimum password length is 10 characters.

In FIPS mode:

The global minimum password length is 15 characters.

In both non-FIPS and FIPS modes:

The minimum password length for a user group equals the global setting. The minimum password length for a local user equals that of the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

length: Specifies the minimum password length in characters. The value range for this argument is 4 to 32 in non-FIPS mode, and 15 to 32 in FIPS mode.

Usage guidelines

The minimum length setting depends on the view:

·     The setting in system view has global significance and applies to all user groups.

·     The setting in user group view applies to all local users in the user group.

·     The setting in local user view applies only to the local user.

A minimum password length with a smaller application scope has higher priority. The system prefers to use the minimum password length in local user view for a local user.

·     If no minimum password length is configured for the local user, the system uses the minimum password length for the user group to which the local user belongs.

·     If no minimum password length is configured for the user group, the system uses the global minimum password length.

Examples

# Set the global minimum password length to 16 characters.

<Sysname> system-view

[Sysname] password-control length 16

# Set the minimum password length to 16 characters for the user group test.

[Sysname] user-group test

[Sysname-ugroup-test] password-control length 16

[Sysname-ugroup-test] quit

# Set the minimum password length to 16 characters for the device management user abc.

[Sysname] local-user abc class manage

[Sysname-luser-manage-abc] password-control length 16

Related commands

display local-user

display password-control

display user-group

password-control length enable

password-control login idle-time

Use password-control login idle-time to set the maximum account idle time.

Use undo password-control login idle-time to restore the default.

Syntax

password-control login idle-time idle-time

undo password-control login idle-time

Default

The maximum account idle time is 90 days.

Views

System view

Predefined user roles

network-admin

Parameters

idle-time: Specifies the maximum account idle time in days. The value range is 0 to 365. 0 means no restriction for account idle time.

Usage guidelines

If a user account is idle for this period of time, the account becomes invalid and can no longer be used to log in to the device.

Examples

# Set the maximum account idle time to 30 days.

<Sysname> system-view

[Sysname] password-control login idle-time 30

Related commands

display password-control

password-control login-attempt

Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached.

Use undo password-control login-attempt to restore the default.

Syntax

password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]

undo password-control login-attempt

Default

The global login-attempt settings:

·     The maximum number of consecutive login failures is 3.

·     The locking period is 1 minute.

The login-attempt settings for a user group equal the global settings.

The login-attempt settings for a local user equal those for the user group to which the local user belongs.

Views

System view

User group view

Local user view

Predefined user roles

network-admin

Parameters

login-times: Specifies the maximum number of consecutive login failures. The value range is 2 to 10.

exceed: Specifies an action to be taken for the user who fails to log in after making the maximum number of attempts.

·     lock: Disables the user account permanently.

·     lock-time time: Disables the user account for a period of time. The user can uses this user account when the timer expires. The value range for the time argument is 1 to 360 minutes.

·     unlock: Allows the user account to continue using this account to perform login attempts.

Usage guidelines

The login-attempt policy depends on the view:

·     The policy in system view has global significance and applies to all user groups.

·     The policy in user group view applies to all local users in the user group.

·     The policy in local user view applies only to the local user.

A login-attempt policy with a smaller application scope has higher priority. The system prefers to use the login-attempt policy in local user view for a local user.

·     If no policy is configured for the local user, the system uses the policy for the user group to which the local user belongs.

·     If no policy is configured for the user group, the system uses the global policy.

If an FTP or VTY user fails to log in, the system adds the user account and the user's IP address to the password control blacklist. When the maximum number of consecutive login failures is reached, the login attempt limit feature is triggered.

Whether a blacklisted user and user account are locked depends on the locking setting:

·     If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.

·     To use a temporarily locked user account, the user can perform either of the following tasks:

¡     Wait until the locking timer expires.

¡     Remove the user account from the password control blacklist.

·     If the user account and the user are blacklisted but not locked, the user can continue using this account to log in. The account and the user's IP address are removed from the password control blacklist when the user uses the account to successfully log in to the device.

 

 

NOTE:

This account is locked only for this user. Other users can still use this account, and the blacklisted user can use other user accounts.

 

The password-control login-attempt command takes effect immediately after being executed, and can affect the users already in the password control blacklist.

Examples

# Allow a maximum of four consecutive login failures on a user account, and disable the user account if the limit is reached.

<Sysname> system-view

[Sysname] password-control login-attempt 4 exceed lock

# Use the user account test to log in to the device, and enter incorrect password for four times.

# Display the password control blacklist. The output shows that the user account is on the blacklist, and its status is lock.

[Sysname] display password-control blacklist

 

 Username: test

    IP: 192.168.44.1        Login failures: 4      Lock flag: lock

 

 Blacklist items matched: 1.

# Verify that the user at 192.168.44.1 cannot use this user account to log in.

# Allow a maximum of two consecutive login failures on a user account, and disable the account for 3 minutes if the limit is reached.

<Sysname> system-view

[Sysname] password-control login-attempt 2 exceed lock-time 3

# Use the user account test to log in to the device, and enter incorrect password for two attempts.

# Display the password control blacklist. The output shows that the user account is on the blacklist and its status is lock.

[Sysname] display password-control blacklist

 

 Username: test

    IP: 192.168.44.1        Login failures: 2      Lock flag: lock

 

 Blacklist items matched: 1.

# Verify that after 3 minutes, the user account is removed from the password control blacklist and the user at 192.168.44.1 can use this account.

Related commands

display local-user

display password-control

display password-control blacklist

display user-group

reset password-control blacklist

password-control super aging

Use password-control super aging to set the expiration time for super passwords.

Use undo password-control super aging to restore the default.

Syntax

password-control super aging aging-time

undo password-control super aging

Default

A super password expires after 90 days.

Views

System view

Predefined user roles

network-admin

Parameters

aging-time: Specifies the super password expiration time in days, in the range of 1 to 365.

Examples

# Set the super passwords to expire after 10 days.

<Sysname> system-view

[Sysname] password-control super aging 10

Related commands

display password-control

password-control aging

password-control super composition

Use password-control super composition to configure the composition policy for super passwords.

Use undo password-control super composition to restore the default.

Syntax

password-control super composition type-number type-number [ type-length type-length ]

undo password-control super composition

Default

In non-FIPS mode:

A super password must contain a minimum of one character type and a minimum of one character for each type.

In FIPS mode:

A super password must contain a minimum of four character types and a minimum of one character for each type.

Views

System view

Predefined user roles

network-admin

Parameters

type-number type-number: Specifies the minimum number of character types that a super password must contain. The value range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.

type-length type-length: Specifies the minimum number of characters that are from each character type. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.

Usage guidelines

The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of the super password.

Examples

# Specify that a super password must contain a minimum of four character types and a minimum of five characters for each type.

<Sysname> system-view

[Sysname] password-control super composition type-number 4 type-length 5

Related commands

display password-control

password-control composition

password-control super length

Use password-control super length to set the minimum length for super passwords.

Use undo password-control super length to restore the default.

Syntax

password-control super length length

undo password-control super length

Default

In non-FIPS mode:

The minimum super password length is 10 characters.

In FIPS mode:

The minimum super password length is 15 characters.

Views

System view

Predefined user roles

network-admin

Parameters

length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode.

Examples

# Set the minimum length of super passwords to 16 characters.

<Sysname> system-view

[Sysname] password-control super length 16

Related commands

display password-control

password-control length

password-control update-interval

Use password-control update-interval to set the minimum password update interval, which is the minimum interval at which users can change their passwords.

Use undo password-control update-interval to restore the default.

Syntax

password-control update-interval interval

undo password-control update-interval

Default

The minimum password update interval is 24 hours.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no requirements for password update interval.

Usage guidelines

The set minimum interval is not effective on a user who is prompted to change the password at the first login or after the password expires.

Examples

# Set the minimum password update interval to 36 hours.

<Sysname> system-view

[Sysname] password-control update-interval 36

Related commands

display password-control

reset password-control blacklist

Use reset password-control blacklist to remove blacklisted users.

Syntax

reset password-control blacklist [ user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

user-name user-name: Specifies the username of a user account to be removed from the password control blacklist. The username is a case-sensitive string of 1 to 55 characters.

Usage guidelines

You can use this command to remove a user account that is blacklisted due to excessive login failures. Then the blacklisted user can use this user account to log in.

Examples

# Remove the user account named test from the password control blacklist.

<Sysname> reset password-control blacklist user-name test

Are you sure to delete the specified user in blacklist? [Y/N]:

Related commands

display password-control blacklist

reset password-control history-record

Use reset password-control history-record to delete history password records.

Syntax

reset password-control history-record [ super [ role role name ] | user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

super: Deletes the history records of the specified super password or all super passwords.

role role name: Specifies a user role name, a case-sensitive string of 1 to 63 characters. If you do not specify this option, the command deletes the history records of all super passwords.

user-name user-name: Specifies the username of the user whose password records are to be deleted. The user-name argument is a case-sensitive string of 1 to 55 characters.

Usage guidelines

If you do not specify any parameters, this command deletes the history password records of all local users.

Examples

# Clear the history password records of all local users.

<Sysname> reset password-control history-record

Are you sure to delete all local user's history records? [Y/N]:y

Related commands

password-control history


Keychain commands

accept-lifetime utc

Use accept-lifetime utc to set the receiving lifetime for a key of a keychain in absolute time mode.

Use undo accept-lifetime to restore the default.

Syntax

accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }

undo accept-lifetime

Default

The receiving lifetime is not configured for a key of a keychain.

Views

Key view

Predefined user roles

network-admin

Parameters

start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.

start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.

duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646 seconds.

duration infinite: Specifies that the key never expires after it becomes valid.

to: Specifies the end time and date.

end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.

end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.

Usage guidelines

A key becomes a valid accept key when the following requirements are met:

·     A key string has been configured.

·     An authentication algorithm has been specified.

·     The system time is within the specified receiving lifetime.

If an application receives a packet that carries a key ID, and the key is valid, the application uses the key to authenticate the packet. If the key is not valid, packet authentication fails.

If the received packet does not carry a key ID, the application uses all valid keys in the keychain to authenticate the packet. If the packet does not pass any authentication, packet authentication fails.

An application can use multiple valid keys to authenticate packets received from a peer.

Examples

# Set the receiving lifetime for key 1 of the keychain abc in absolute time mode.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21

authentication-algorithm

Use authentication-algorithm to specify an authentication algorithm for a key.

Use undo authentication-algorithm to restore the default.

Syntax

authentication-algorithm { hmac-md5 | md5 }

undo authentication-algorithm

Default

No authentication algorithm is specified for a key.

Views

Key view

Predefined user roles

network-admin

Parameters

hmac-md5: Specifies the HMAC-MD5 authentication algorithm.

md5: Specifies the MD5 authentication algorithm.

Usage guidelines

If an application does not support the authentication algorithm specified for a key, the application cannot use the key for packet authentication.

Examples

# Specify the MD5 authentication algorithm for key 1 of the keychain abc in absolute time mode.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] authentication-algorithm md5

display keychain

Use display keychain to display keychain information.

Syntax

display keychain [ name keychain-name [ key key-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters. If you do not specify a keychain, this command displays information about all keychains.

key key-id: Specifies a key by its ID in the range of 0 to 281474976710655. If you do not specify a key, this command displays information about all keys in a keychain.

Examples

# Display information about all keychains.

<Sysname> display keychain

 

 Keychain name          : abc

   Mode                 : absolute

   Accept tolerance     : 0

   TCP kind value       : 254

   TCP algorithm value

     HMAC-MD5           : 5

     MD5                : 3

   Default send key ID  : None

   Active send key ID   : 1

   Active accept key IDs: 1 2

 

   Key ID               : 1

     Key string         : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==

     Algorithm          : md5

     Send lifetime      : 01:00:00 2015/01/22 to 01:00:00 2015/01/25

     Send status        : Active

     Accept lifetime    : 01:00:00 2015/01/22 to 01:00:00 2015/01/27

     Accept status      : Active

 

   Key ID               : 2

     Key string         : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==

     Algorithm          : md5

     Send lifetime      : 01:00:01 2015/01/25 to 01:00:00 2015/01/27

     Send status        : Inactive

     Accept lifetime    : 01:00:00 2015/01/22 to 01:00:00 2015/01/27

     Accept status      : Active

Table 55 Command output

Field

Description

Mode

Time mode for the keychain.

Accept tolerance

Tolerance time (in minutes) for accept keys of the keychain.

TCP kind value

Value for the TCP kind field. The default value is 254.

TCP algorithm value

ID of the TCP authentication algorithm. The default algorithm ID for HMAC-MD5 is 5 and for MD5 is 3.

Default send key ID

ID of the default send key. The status for the key is displayed in parentheses.

This field is not supported in the current software version.

Key string

Key string in cipher text.

Algorithm

Authentication algorithm for the key: hmac-md5 or md5.

Send lifetime

Sending lifetime for the key.

Send status

Status of the send key: Active or Inactive.

Accept lifetime

Receiving lifetime for the key.

Accept status

Status of the accept key: Active or Inactive.

 

key

Use key to create a key for a keychain and enter its view, or enter the view of an existing key.

Use undo key to delete a key and all its configurations for a keychain.

Syntax

key key-id

undo key key-id

Default

No keys exist.

Views

Keychain view

Predefined user roles

network-admin

Parameters

key-id: Specifies a key ID in the range of 0 to 281474976710655.

Usage guidelines

The keys in a keychain must have different key IDs.

Examples

# Create key 1 and enter its view.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1]

keychain

Use keychain to create a keychain and enter its view, or enter the view of an existing keychain.

Use undo keychain to delete a keychain and all its configurations.

Syntax

keychain keychain-name [ mode absolute ]

undo keychain keychain-name

Default

No keychains exist.

Views

System view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies a keychain name, a case-sensitive string of 1 to 63 characters.

mode: Specifies a time mode.

absolute: Specifies the absolute time mode. In this mode, each time point during a key's lifetime is the UTC time and is not affected by the system's time zone or daylight saving time.

Usage guidelines

You must specify the time mode when you create a keychain. You cannot change the time mode for an existing keychain.

The time mode is not required when you enter the view of an existing keychain.

Examples

# Create the keychain abc, specify the absolute time mode for it, and enter keychain view.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc]

key-string

Use key-string to configure a key string for a key.

Use undo key-string to restore the default.

Syntax

key-string { cipher | plain } string

undo key-string

Default

No key string is configured for a key.

Views

Key view

Predefined user roles

network-admin

Parameters

cipher: Specifies a key in encrypted form.

plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its encrypted form is a case-sensitive string of 33 to 373 characters.

Usage guidelines

If the length of a plaintext key exceeds the length limit supported by an application, the application uses the supported length of the key to authenticate packets.

Examples

# Set the key to 123456 in plaintext form for key 1.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] key-string plain 123456

send-lifetime utc

Use send-lifetime utc to set the sending lifetime for a key of a keychain in absolute time mode.

Use undo send-lifetime to restore the default.

Syntax

send-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }

undo send-lifetime

Default

The sending lifetime is not configured for a key of a keychain.

Views

Key view

Predefined user roles

network-admin

Parameters

start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.

start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.

duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646 seconds.

duration infinite: Specifies that the key never expires after it becomes valid.

to: Specifies the end time and date.

end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is 0:0:0 to 23:59:59.

end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range for YYYY is 2000 to 2035.

Usage guidelines

A key becomes a valid send key when the following requirements are met:

·     A key string has been configured.

·     An authentication algorithm has been specified.

·     The system time is within the specified sending lifetime.

To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set non-overlapping sending lifetimes for the keys in the keychain.
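The send-key rules above, worked through in code. This is an added example and not H3C's code: it parses the send-lifetime utc argument forms (duration seconds, duration infinite, to end-time end-date), applies the three validity requirements, reports which key IDs would be used at a given UTC time, and flags overlapping sending lifetimes. The keychain, key strings and times are constructed, the command name used for the algorithm (authentication-algorithm) is an assumption because this section does not show it, and the end of a lifetime is treated as exclusive.

```python
"""Added example (not H3C code): send-key selection for a keychain in absolute
time mode, following the usage guidelines for send-lifetime utc."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NEVER = datetime.max.replace(tzinfo=UTC)   # stands in for "duration infinite"


def parse_utc(time_str, date_str):
    """HH:MM:SS (or HH:MM, as in the example) with MM/DD/YYYY or YYYY/MM/DD."""
    hh, mm, ss = ([int(p) for p in time_str.split(":")] + [0])[:3]
    a, b, c = (int(p) for p in date_str.split("/"))
    year, month, day = (a, b, c) if a >= 2000 else (c, a, b)
    if not 2000 <= year <= 2035:
        raise ValueError("YYYY must be 2000 to 2035")
    return datetime(year, month, day, hh, mm, ss, tzinfo=UTC)


def parse_send_lifetime(words):
    """Parse the words after 'send-lifetime utc'. Returns (start, end)."""
    start = parse_utc(words[0], words[1])
    if words[2] == "duration" and words[3] == "infinite":
        return start, NEVER
    if words[2] == "duration":
        secs = int(words[3])
        if not 1 <= secs <= 2147483646:
            raise ValueError("duration-value out of range")
        return start, start + timedelta(seconds=secs)
    if words[2] == "to":
        end = parse_utc(words[3], words[4])
        if end <= start:
            raise ValueError("end must be later than start")
        return start, end
    raise ValueError("expected 'duration' or 'to'")


class Key:
    def __init__(self, key_id):
        self.key_id = key_id
        self.key_string = None     # set by key-string { cipher | plain } string
        self.algorithm = None      # hmac-md5 or md5
        self.send_lifetime = None  # (start, end) from send-lifetime utc

    def is_valid_send_key(self, now):
        """All three requirements from the usage guidelines must hold."""
        if not self.key_string or self.algorithm not in ("hmac-md5", "md5"):
            return False
        if self.send_lifetime is None:
            return False
        start, end = self.send_lifetime
        return start <= now < end  # end treated as exclusive (assumption)


def build_keychain(config_lines):
    """Replay key-view commands. 'authentication-algorithm' is an assumed
    command name; this section of the reference does not show it."""
    keys, cur = {}, None
    for line in config_lines:
        words = line.split()
        if words[0] == "key":
            key_id = int(words[1])
            if not 0 <= key_id <= 281474976710655:
                raise ValueError("key-id out of range")
            cur = keys.setdefault(key_id, Key(key_id))  # same ID re-enters the view
        elif words[0] == "key-string":
            cur.key_string = words[2]
        elif words[0] == "authentication-algorithm":
            cur.algorithm = words[1]
        elif words[:2] == ["send-lifetime", "utc"]:
            cur.send_lifetime = parse_send_lifetime(words[2:])
    return list(keys.values())


def active_send_keys(keys, now):
    """Key IDs usable to authenticate packets at `now`; should have length 1."""
    return sorted(k.key_id for k in keys if k.is_valid_send_key(now))


def overlapping_send_lifetimes(keys):
    """Pairs of key IDs whose sending lifetimes overlap (ideally none)."""
    timed = [(k.key_id, k.send_lifetime) for k in keys if k.send_lifetime]
    pairs = []
    for i, (id1, (s1, e1)) in enumerate(timed):
        for id2, (s2, e2) in timed[i + 1:]:
            if s1 < e2 and s2 < e1:
                pairs.append((id1, id2))
    return pairs


# Constructed keychain: keys 1 and 2 hand over at 18:30; key 3 has no key string
# and an infinite lifetime, so it is never a valid send key but still overlaps.
SAMPLE_KEYCHAIN = [
    "key 1", "key-string plain 123456", "authentication-algorithm hmac-md5",
    "send-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21",
    "key 2", "key-string plain abcdef", "authentication-algorithm hmac-md5",
    "send-lifetime utc 18:30:00 01/21/2015 duration 3600",
    "key 3", "authentication-algorithm md5",
    "send-lifetime utc 0:0:0 2015/1/21 duration infinite",
]

if __name__ == "__main__":
    keys = build_keychain(SAMPLE_KEYCHAIN)
    print(active_send_keys(keys, parse_utc("13:00", "2015/1/21")))   # [1]
    print(active_send_keys(keys, parse_utc("18:30", "2015/1/21")))   # [2]
    print(overlapping_send_lifetimes(keys))                          # [(1, 3), (2, 3)]
```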

Examples

# Set the sending lifetime for key 1 of the keychain abc in absolute time mode.

<Sysname> system-view

[Sysname] keychain abc mode absolute

[Sysname-keychain-abc] key 1

[Sysname-keychain-abc-key-1] send-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21


Public key management commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

display public-key local public

Use display public-key local public to display local public keys.

Syntax

display public-key local { dsa | ecdsa | rsa | sm2 } public [ name key-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dsa: Specifies the DSA key pair type.

ecdsa: Specifies the ECDSA key pair type.

rsa: Specifies the RSA key pair type.

sm2: Specifies the SM2 key pair type.

The following matrix shows the sm2 keyword and hardware compatibility:

Hardware                                                                   Keyword compatibility
-------------------------------------------------------------------------  ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM /810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                         No
MSR2600-6-X1                                                               Yes
MSR2600-10-X1                                                              No
MSR 2630                                                                   No
MSR3600-28/3600-51                                                         No
MSR3600-28-SI/3600-51-SI                                                   Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                             Yes
MSR 3610 /3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                          Yes

Hardware                                                                   Keyword compatibility
-------------------------------------------------------------------------  ---------------------
MSR810-LM-GL                                                               Yes
MSR810-W-LM-GL                                                             Yes
MSR830-6EI-GL                                                              Yes
MSR830-10EI-GL                                                             Yes
MSR830-6HI-GL                                                              Yes
MSR830-10HI-GL                                                             Yes
MSR2600-6-X1-GL                                                            Yes
MSR3600-28-SI-GL                                                           Yes


name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command displays the public keys of all local key pairs of the specified type.

Usage guidelines

You can copy and distribute the public key of a local key pair to peer devices.

You cannot display a host public key that has the default key pair name by specifying the name key-name option. To view a host public key that has the default key pair name, display all local public keys by using this command without specifying a key pair name.

Examples

# Display all local RSA public keys.

<Sysname> display public-key local rsa public

 

=============================================

Key name: hostkey (default)

Key type: RSA

Time when key pair created: 15:40:48 2011/05/12

Key code:

   30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9

   667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE

   C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB

   FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1

   2DA4C04EF5AE0835090203010001

=============================================

Key name: serverkey (default)

Key type: RSA

Time when key pair created: 15:40:48 2011/05/12

Key code:

   307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442

   762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64

   DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E

   9D85C13413996ECD093B0203010001

=============================================

Key name: rsa1

Key type: RSA

Time when key pair created: 15:42:26 2011/05/12

Key code:

   30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D

   426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA

   1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7

   9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03

   92D8C6D940890BF4290203010001

# Display all local DSA public keys.

<Sysname> display public-key local dsa public

 

=============================================

Key name: dsakey (default)

Key type: DSA

Time when key pair created: 15:41:37 2011/05/12

Key code:

   308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD

   96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

   DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

   DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

   7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

   4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

   35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

   91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

   585DA7F42519718CC9B09EEF0381840002818041912CE34D12BCD2157E7AB1C2F03B3EF395

   100F3DB4A9E2FDFE860C1BD663D676438F7DA40A9406D61CA9079AF13E330489F1C76785DE

   52DA649AC8BC04B6D39CD7C52CD0A14F75F7491A91D31D6AC22340B5981B27A915CDEC4F09

   887E541EC1E5302D500F68E7AC29A084463C60F9EE266985A502FC92193E1CF4D265C4BA

=============================================

Key name: dsa1

Key type: DSA

Time when key pair created: 15:35:42 2011/05/12

Key code:

   308201B83082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD

   96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

   DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

   DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

   7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

   4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

   35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

   91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

   585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8

   3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74

   0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7

   15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A

# Display all local ECDSA public keys.

<Sysname> display public-key local ecdsa public

 

=============================================

Key name: ecdsakey (default)

Key type: ECDSA

Time when key pair created: 15:42:04 2011/05/12

Key code:

   3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF

   68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B

   1D

=============================================

Key name: ecdsa1

Key type: ECDSA

Time when key pair created: 15:43:33 2011/05/12

Key code:

   3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1

   AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58

   4D

# Display the public keys of all local SM2 key pairs.

<Sysname> display public-key local sm2 public

 

=============================================

Key name: sm2key (default)

Key type: SM2

Time when key pair created: 15:42:04 2016/08/15

Key code:

   3059301306072A8648CE3D020106082A811CCF5501822D03420004DC5D3CCDD4F5E7AC9803

   D7F55ADC0668C067859482999C390B1648BE91FB567150A6C909706BB04AFE8709D5EC884C

   BD4EE36F38E8AD7DBCFB52286BF22CB146

=============================================

Key name: sm21

Key type: SM2

Time when key pair created: 15:43:33 2016/08/15

Key code:

   3059301306072A8648CE3D020106082A811CCF5501822D034200047A8EF255A75A90FA9239

   1B2BDD58B6F19E7D0158200E80297E434109A68A66160A20B5267ECB1706CA50A7ED04A89A

   007AFEFF8335441347EB2EB69CFB4CD459

# Display the public key of local RSA key pair rsa1.

<Sysname> display public-key local rsa public name rsa1

 

=============================================

Key name: rsa1

Key type: RSA

Time when key pair created: 15:42:26 2011/05/12

Key code:

   30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D

   426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA

   1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7

   9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03

   92D8C6D940890BF4290203010001

# Display the public key of local DSA key pair dsa1.

<Sysname> display public-key local dsa public name dsa1

 

=============================================

Key name: dsa1

Key type: DSA

Time when key pair created: 15:35:42 2011/05/12

Key code:

   308201B83082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD

   96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

   DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

   DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

   7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

   4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

   35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

   91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

   585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8

   3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74

   0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7

   15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A

# Display the public key of local ECDSA key pair ecdsa1.

<Sysname> display public-key local ecdsa public name ecdsa1

 

=============================================

Key name: ecdsa1

Key type: ECDSA

Time when key pair created: 15:43:33 2011/05/12

Key code:

   3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1

   AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58

   4D

# Display the public key of local SM2 key pair sm21.

<Sysname> display public-key local sm2 public name sm21

=============================================

Key name: sm21

Key type: SM2

Time when key pair created: 15:43:33 2016/08/15

Key code:

   3059301306072A8648CE3D020106082A811CCF5501822D034200047A8EF255A75A90FA9239

   1B2BDD58B6F19E7D0158200E80297E434109A68A66160A20B5267ECB1706CA50A7ED04A89A

   007AFEFF8335441347EB2EB69CFB4CD459

Table 56 Command output

Field

Description

Key name

Name of the local key pair.

If you did not specify a name when creating the key pair, the default name is used, followed by the word default in parentheses.

The following is the default key pair name for each key algorithm:

·     hostkey—Default RSA host key pair name.

·     serverkey—Default RSA server key pair name.

·     dsakey—Default DSA host key pair name.

·     ecdsakey—Default ECDSA host key pair name.

·     sm2key—Default SM2 host key pair name.

Key type

Options include:

·     RSA.

·     DSA.

·     ECDSA.

·     SM2.

Time when key pair created

Date and time when the local key pair was created.

Key code

Public key string.

 

Related commands

public-key local create

display public-key peer

Use display public-key peer to display information about peer host public keys.

Syntax

display public-key peer [ brief | name publickey-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about all peer host public keys. The brief information includes only the key type, key modulus, and key name.

name publickey-name: Displays detailed information about a peer host public key, including its key code. The publickey-name argument specifies a peer host public key by its name, a case-sensitive string of 1 to 64 characters.

Usage guidelines

If you do not specify any keywords, this command displays detailed information about all peer host public keys configured on the local device.

You can use the public-key peer command or the public-key peer import sshkey command to configure a peer host public key on the local device.

Examples

# Display detailed information about peer host public key idrsa.

<Sysname> display public-key peer name idrsa

 

=============================================

Key name: idrsa

Key type: RSA

Key modulus: 1024

Key code:

   30819F300D06092A864886F70D010101050003818D0030818902818100C5971581A78B5388

   B3C9063EC6B53D395A6704D9752B6F9B7B1F734EEB5DD509F0B050662C46FFB8D27F797E37

   918F6270C5793F1FC63638970A0E4D51A3CEF7CFF6E92BFAFD73F530E0BDE27056E81F2525

   6D0883836FD8E68031B2C272FE2EA75C87734A7B8F85B8EBEB3BD51CC26916AF3B3FDC32C3

   42C142D41BB4884FEB0203010001

Table 57 Command output

Field

Description

Key name

Name of the peer host public key.

Key type

Key type: RSA, DSA or ECDSA.

Key modulus

Key modulus length in bits.

Key code

Public key string.

 

# Display brief information about all peer host public keys.

<Sysname> display public-key peer brief

Type  Modulus  Name

---------------------------

RSA   1024    idrsa

DSA   1024    10.1.1.1

Table 58 Command output

Field

Description

Type

Key type: RSA, DSA or ECDSA.

Modulus

Key modulus length in bits.

Name

Name of the peer host public key.

 

Related commands

public-key peer

public-key peer import sshkey

peer-public-key end

Use peer-public-key end to exit public key view to system view and save the configured peer host public key.

Syntax

peer-public-key end

Views

Public key view

Predefined user roles

network-admin

Usage guidelines

After you type the peer host public key on the local device, use this command to exit public key view and to save the peer host public key.

The system verifies the public key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid (for example, a key that was displayed by the display public-key local public command), the system saves it.
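The format check described above, as an added example that is not H3C's code: a minimal DER parser that validates a hex "Key code" string (the form printed by display public-key local public and typed into public key view) as a SubjectPublicKeyInfo structure and reports the key type and the modulus or key length, which is what the Key modulus field of display public-key peer shows. The two key codes are copied from this page's example output; a key code with its last bytes missing is rejected, as the device would reject a bad paste.

```python
"""Added example (not H3C code): validate a hex key code as DER
SubjectPublicKeyInfo and report (key type, modulus/key length in bits)."""
import binascii

# SubjectPublicKeyInfo algorithm OIDs for the key types this command family handles.
ALGORITHMS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10040.4.1": "DSA",
              "1.2.840.10045.2.1": "EC"}      # EC: the named curve decides ECDSA vs SM2
CURVES = {"1.2.840.10045.3.1.1": ("ECDSA", 192), "1.2.840.10045.3.1.7": ("ECDSA", 256),
          "1.3.132.0.34": ("ECDSA", 384), "1.3.132.0.35": ("ECDSA", 521),
          "1.2.156.10197.1.301": ("SM2", 256)}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x81 nn, 0x82 nn nn, ...
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def expect(buf, pos, tag):
    """read_tlv, but insist on a particular tag."""
    got, value, nxt = read_tlv(buf, pos)
    if got != tag:
        raise ValueError("expected tag 0x%02X, got 0x%02X" % (tag, got))
    return value, nxt


def decode_oid(raw):
    """OID contents bytes to dotted form (first byte packs the first two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def inspect_key_code(hex_code):
    """Validate a hex key code as SubjectPublicKeyInfo; return (key type, bits)."""
    try:
        buf = binascii.unhexlify("".join(hex_code.split()))
    except (binascii.Error, ValueError):
        raise ValueError("key code is not valid hex")
    spki, end = expect(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after key")
    alg_id, pos = expect(spki, 0, 0x30)          # AlgorithmIdentifier
    bitstr, pos = expect(spki, pos, 0x03)        # subjectPublicKey BIT STRING
    if pos != len(spki) or not bitstr or bitstr[0] != 0:
        raise ValueError("malformed SubjectPublicKeyInfo")
    oid_raw, ppos = expect(alg_id, 0, 0x06)
    alg, pubkey = ALGORITHMS.get(decode_oid(oid_raw)), bitstr[1:]
    if alg == "RSA":                              # RSAPublicKey ::= SEQUENCE { n, e }
        n_raw, _ = expect(expect(pubkey, 0, 0x30)[0], 0, 0x02)
        return "RSA", int.from_bytes(n_raw, "big").bit_length()
    if alg == "DSA":                              # parameters ::= SEQUENCE { p, q, g }
        p_raw, _ = expect(expect(alg_id, ppos, 0x30)[0], 0, 0x02)
        return "DSA", int.from_bytes(p_raw, "big").bit_length()
    if alg == "EC":                               # parameters ::= namedCurve OID
        curve = CURVES.get(decode_oid(expect(alg_id, ppos, 0x06)[0]))
        if curve is None or pubkey[:1] != b"\x04":
            raise ValueError("unsupported curve or point encoding")
        return curve
    raise ValueError("unsupported public key algorithm")


# Key codes copied from the example output on this page (key1 as typed into
# public key view above, and the default ecdsakey).
KEY1_CODE = ("30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A"
             "EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4"
             "FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6"
             "1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301"
             "0001")
ECDSAKEY_CODE = ("3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF"
                 "68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B"
                 "1D")

if __name__ == "__main__":
    print(inspect_key_code(KEY1_CODE))        # ('RSA', 1024)
    print(inspect_key_code(ECDSAKEY_CODE))    # ('ECDSA', 192)
    try:                                      # a paste missing its last bytes is rejected
        inspect_key_code(KEY1_CODE[:-8])
    except ValueError as err:
        print("rejected:", err)
```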

Examples

# Exit public key view and save the configured peer host public key.

<Sysname> system-view

[Sysname] public-key peer key1

Enter public key view. Return to system view with "peer-public-key end" command.

[Sysname-pkey-public-key-key1]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A

[Sysname-pkey-public-key-key1]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4

[Sysname-pkey-public-key-key1]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6

[Sysname-pkey-public-key-key1]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301

[Sysname-pkey-public-key-key1]0001

[Sysname-pkey-public-key-key1] peer-public-key end

[Sysname]

Related commands

display public-key local public

display public-key peer

public-key peer

public-key local create

Use public-key local create to create local key pairs.

Syntax

In non-FIPS mode:

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ] | rsa | sm2 } [ name key-name ]

In FIPS mode:

public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 | secp521r1 ] | rsa } [ name key-name ]

Default

No local key pairs exist.

Views

System view

Predefined user roles

network-admin

Parameters

dsa: Specifies the DSA key pair type.

ecdsa: Specifies the ECDSA key pair type.

·     secp192r1: Uses the secp192r1 curve to create a 192-bit ECDSA key pair. The secp192r1 curve is used by default in non-FIPS mode.

·     secp256r1: Uses the secp256r1 curve to create a 256-bit ECDSA key pair. The secp256r1 curve is used by default in FIPS mode.

·     secp384r1: Uses the secp384r1 curve to create a 384-bit ECDSA key pair.

·     secp521r1: Uses the secp521r1 curve to create a 521-bit ECDSA key pair.

rsa: Specifies the RSA key pair type.

sm2: Specifies the SM2 key pair type.

The following matrix shows the sm2 keyword and hardware compatibility:

Hardware                                                                   Keyword compatibility
-------------------------------------------------------------------------  ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM /810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                         No
MSR2600-6-X1                                                               Yes
MSR2600-10-X1                                                              No
MSR 2630                                                                   No
MSR3600-28/3600-51                                                         No
MSR3600-28-SI/3600-51-SI                                                   Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                             Yes
MSR 3610 /3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                          Yes

Hardware                                                                   Keyword compatibility
-------------------------------------------------------------------------  ---------------------
MSR810-LM-GL                                                               Yes
MSR810-W-LM-GL                                                             Yes
MSR830-6EI-GL                                                              Yes
MSR830-10EI-GL                                                             Yes
MSR830-6HI-GL                                                              Yes
MSR830-10HI-GL                                                             Yes
MSR2600-6-X1-GL                                                            Yes
MSR3600-28-SI-GL                                                           Yes


name key-name: Assigns a name to the key pair. The key-name argument is a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not assign a name to the key pair, the key pair takes the default name.

Table 59 Default local key pair names

Type   Default name
-----  ---------------------------------------------------
RSA    Host key pair: hostkey; server key pair: serverkey
DSA    dsakey
ECDSA  ecdsakey
SM2    sm2key


Usage guidelines

The key algorithm must be the same as required by the security application.

When you create an RSA or DSA key pair, enter an appropriate key modulus length at the prompt. A longer key modulus length provides higher security but takes longer to generate.

When you create an ECDSA key pair, choose the appropriate elliptic curve. The elliptic curve determines the ECDSA key length. A longer key length provides higher security but takes longer to generate.

When you create an SM2 key pair, you do not need to specify the key length. Only a 256-bit SM2 key pair can be created.

See Table 60 for more information about key modulus lengths and key lengths.

If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default. The name of a key pair must be unique among all manually named key pairs that use the same key algorithm. If a name conflict occurs, the system asks whether you want to overwrite the existing key pair.

The key pairs are automatically saved and can survive system reboots.

Table 60 A comparison of different types of asymmetric key algorithms

Type

Generated key pairs

Modulus/key length

RSA

·     In non-FIPS mode:

¡     One host key pair, if you specify a key pair name.

¡     One server key pair and one host key pair, if you do not specify a key pair name.
Both key pairs use their default names.

·     In FIPS mode: One host key pair.

NOTE:

Only SSH 1.5 uses the RSA server key pair.

Key modulus length:

·     In non-FIPS mode: 512 to 2048 bits, 1024 bits by default.
To ensure security, use a minimum of 768 bits.

·     In FIPS mode: 2048 bits.

DSA

One host key pair.

Key modulus length:

·     In non-FIPS mode: 512 to 2048 bits, 1024 bits by default.
To ensure security, use a minimum of 768 bits.

·     In FIPS mode: 2048 bits.

ECDSA

One host key pair.

Key length:

·     In non-FIPS mode: 192, 256, 384, or 521 bits.

·     In FIPS mode: 256, 384, or 521 bits.

SM2

One host key pair.

Key length: 256 bits.

 

Examples

# Create local RSA key pairs with default names.

<Sysname> system-view

[Sysname] public-key local create rsa

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

...++++++

.++++++

..++++++++

....++++++++

Create the key pair successfully.

# Create a local DSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create dsa

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+..+................

.......+..........+..............+.............+...+.....+...............+..+...

...+.................+..........+...+....+.......+.....+............+.........+.

........................+........+..........+..............+.....+...+..........

..............+.........+..........+...........+........+....+..................

.....+++++++++++++++++++++++++++++++++++++++++++++++++++*

Create the key pair successfully.

# Create a local ECDSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create ecdsa

Generating Keys...

Create the key pair successfully.

# Create a local SM2 key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create sm2

Generating Keys...

Create the key pair successfully.

# Create a local RSA key pair named rsa1.

<Sysname> system-view

[Sysname] public-key local create rsa name rsa1

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

...++++++

...............................++++++

Create the key pair successfully.

# Create a local DSA key pair named dsa1.

<Sysname> system-view

[Sysname] public-key local create dsa name dsa1

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+..+................

.......+..........+..............+.............+...+.....+...............+..+...

...+.................+..........+...+....+.......+.....+............+.........+.

........................+........+..........+..............+.....+...+..........

..............+.........+..........+...........+........+....+..................

.....+++++++++++++++++++++++++++++++++++++++++++++++++++*

Create the key pair successfully.

# Create a local ECDSA key pair named ecdsa1.

<Sysname> system-view

[Sysname] public-key local create ecdsa name ecdsa1

Generating Keys...

Create the key pair successfully.

# Create a local SM2 key pair named sm2.

<Sysname> system-view

[Sysname] public-key local create sm2 name sm2

Generating Keys... 

Create the key pair successfully.

# In FIPS mode, create a local RSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create rsa

The range of public key modulus is (2048 ~ 2048).

It will take a few minutes.Press CTRL+C to abort.

Input the modulus length [default = 2048]:

Generating Keys...

...++++++

.++++++

..++++++++

....++++++++

Create the key pair successfully.

# In FIPS mode, create a local DSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local create dsa

The range of public key modulus is (2048 ~ 2048).

It will take a few minutes.Press CTRL+C to abort.

Input the modulus length [default = 2048]:

Generating Keys...

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+..+................

.......+..........+..............+.............+...+.....+...............+..+...

...+.................+..........+...+....+.......+.....+............+.........+.

........................+........+..........+..............+.....+...+..........

..............+.........+..........+...........+........+....+..................

.....+++++++++++++++++++++++++++++++++++++++++++++++++++*

Create the key pair successfully.

Related commands

display public-key local public

public-key local destroy

public-key local destroy

Use public-key local destroy to destroy local key pairs.

Syntax

public-key local destroy { dsa | ecdsa | rsa | sm2 } [ name key-name ]

Views

System view

Predefined user roles

network-admin

Parameters

dsa: Specifies the DSA key pair type.

ecdsa: Specifies the ECDSA key pair type.

rsa: Specifies the RSA key pair type.

sm2: Specifies the SM2 key pair type.

The following matrix shows the sm2 keyword and hardware compatibility:

Hardware                                                                   Keyword compatibility
-------------------------------------------------------------------------  ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM /810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                         No
MSR2600-6-X1                                                               Yes
MSR2600-10-X1                                                              No
MSR 2630                                                                   No
MSR3600-28/3600-51                                                         No
MSR3600-28-SI/3600-51-SI                                                   Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                             Yes
MSR 3610 /3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                          Yes

Hardware                                                                   Keyword compatibility
-------------------------------------------------------------------------  ---------------------
MSR810-LM-GL                                                               Yes
MSR810-W-LM-GL                                                             Yes
MSR830-6EI-GL                                                              Yes
MSR830-10EI-GL                                                             Yes
MSR830-6HI-GL                                                              Yes
MSR830-10HI-GL                                                             Yes
MSR2600-6-X1-GL                                                            Yes
MSR3600-28-SI-GL                                                           Yes


name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command destroys all key pairs of the specified type.

Usage guidelines

To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:

·     An intrusion event has occurred.

·     The storage media of the device is replaced.

·     The local certificate has expired. For more information about local certificates, see Security Configuration Guide.

Examples

# Destroy the local RSA key pairs with the default names.

<Sysname> system-view

[Sysname] public-key local destroy rsa

Confirm to destroy the key pair? [Y/N]:y

# Destroy the local DSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local destroy dsa

Confirm to destroy the key pair? [Y/N] :y

# Destroy the local ECDSA key pair with the default name.

<Sysname> system-view

[Sysname] public-key local destroy ecdsa

Confirm to destroy the key pair? [Y/N]:y

# Destroy the local SM2 key pair with the default name.

<Sysname> system-view

[Sysname] public-key local destroy sm2

Confirm to destroy the key pair? [Y/N]:y

# Destroy local RSA key pair rsa1.

<Sysname> system-view

[Sysname] public-key local destroy rsa name rsa1

Confirm to destroy the key pair? [Y/N]:y

# Destroy local DSA key pair dsa1.

<Sysname> system-view

[Sysname] public-key local destroy dsa name dsa1

Confirm to destroy the key pair? [Y/N] :y

# Destroy local ECDSA key pair ecdsa1.

<Sysname> system-view

[Sysname] public-key local destroy ecdsa name ecdsa1

Confirm to destroy the key pair? [Y/N]:y

# Destroy local SM2 key pair sm2.

<Sysname> system-view

[Sysname] public-key local destroy sm2 name sm2

Confirm to destroy the key pair? [Y/N]:y

Related commands

public-key local create

public-key local export dsa

Use public-key local export dsa to export a local DSA host public key.

Syntax

public-key local export dsa [ name key-name ] { openssh | ssh2 } [ filename ]

Views

System view

Predefined user roles

network-admin

Parameters

name key-name: Specifies a local DSA key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command exports the host public key of the local DSA key pair with the default name.

openssh: Exports the host public key in OpenSSH format.

ssh2: Exports the host public key in SSH2.0 format.

filename: Specifies the name of the file for saving the DSA host public key. The file name is a case-insensitive string of 1 to 128 characters. The name cannot be all dots (.), hostkey, serverkey, dsakey, ecdsakey, or sm2key, and cannot start with a slash (/) or contain ./ and ../. For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command does not export the key to a file but displays the key on the monitor screen.

Usage guidelines

You can use this command to export a local DSA host public key before distributing it to a peer device.

To distribute a local DSA host public key to a peer device:

1.     Save the exported local host public key to a file by using one of the following methods:

¡     Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } command to export the local host public key, and then copy and paste the key to a file.

¡     Use the public-key local export dsa [ name key-name ] { openssh | ssh2 } filename command to export the key to a file. You cannot export the key to the folder pkey or its subfolders.

2.     Transfer a copy of the file to the peer device, for example, by using FTP in binary mode or TFTP. For more information about FTP and TFTP, see Fundamentals Configuration Guide.

3.     On the peer device, use the public-key peer import sshkey command to import the host public key from the file.

SSH2.0 and OpenSSH are different public key formats. Choose the correct format that is supported on the device where you import the host public key.

Examples

# Export the host public key of the local DSA key pair with the default name in OpenSSH format to a file named key.pub.

<Sysname> system-view

[Sysname] public-key local export dsa openssh key.pub

# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export dsa ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "dsa-key-2011/05/12"

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

---- END SSH2 PUBLIC KEY ----

# Display the host public key of the local DSA key pair with the default name in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export dsa openssh

ssh-dss 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 dsa-key

# Export the host public key of local DSA key pair dsa1 in OpenSSH format to a file named dsa1.pub.

<Sysname> system-view

[Sysname] public-key local export dsa name dsa1 openssh dsa1.pub

# Display the host public key of local DSA key pair dsa1 in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export dsa name dsa1 ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "dsa-key-2011/05/12"

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

---- END SSH2 PUBLIC KEY ----

# Display the host public key of local DSA key pair dsa1 in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export dsa name dsa1 openssh

ssh-dss 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 dsa-key

Related commands

public-key local create

public-key peer import sshkey

public-key local export ecdsa

Use public-key local export ecdsa to export a local ECDSA host public key.

Syntax

public-key local export ecdsa [ name key-name ] { openssh | ssh2 } [ filename ]

Views

System view

Predefined user roles

network-admin

Parameters

name key-name: Specifies a local ECDSA key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command exports the host public key of the local ECDSA key pair with the default name.

openssh: Exports the host public key in OpenSSH format.

ssh2: Exports the host public key in SSH2.0 format.

filename: Specifies the name of the file for saving the ECDSA host public key. The file name is a case-insensitive string of 1 to 128 characters. The name cannot be all dots (.), hostkey, serverkey, dsakey, ecdsakey, or sm2key, and cannot start with a slash (/) or contain ./ and ../. For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command does not export the key to a file but displays the key on the monitor screen.

Usage guidelines

You can use this command to export a local ECDSA host public key before distributing it to a peer device.

To distribute a local ECDSA host public key to a peer device:

1.     Save the exported ECDSA host public key to a file by using one of the following methods:

¡     Use the public-key local export ecdsa [ name key-name ] { openssh | ssh2 } command to export the local host public key, and then copy and paste it to a file.

¡     Use the public-key local export ecdsa [ name key-name ] { openssh | ssh2 } filename command to export the host public key to a file. You cannot export the key to the folder pkey or its subfolders.

2.     Transfer a copy of the file to the peer device, for example, by using FTP in binary mode or TFTP. For more information about FTP and TFTP, see Fundamentals Configuration Guide.

3.     On the peer device, use the public-key peer import sshkey command to import the host public key from the file.

SSH2.0 and OpenSSH are different public key formats. Choose the correct format that is supported by the device where you import the host public key.

Only the ECDSA host public key generated by using the secp256r1 curve can be exported.

Examples

# In FIPS mode, export the host public key of the local ECDSA key pair with the default name in OpenSSH format to a file named key.pub.

<Sysname> system-view

[Sysname] public-key local export ecdsa openssh key.pub

# In FIPS mode, display the host public key of the local ECDSA key pair with the default name in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export ecdsa ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "ecdsa-sha2-nistp256-2014/07/06"

AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBREw5tkARpbV+sYArt/xcW+UJEAevx7OckTtTLPBiLP5bWkSdKbvo+3oHRuIyZqmNTIcxuBjuBap+pHc919C58=

---- END SSH2 PUBLIC KEY ----

# In FIPS mode, display the host public key of the local ECDSA key pair with the default name in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export ecdsa openssh

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBREw5tkARpbV+sYArt/xcW+UJEAevx7OckTtTLPBiLP5bWkSdKbvo+3oHRuIyZqmNTIcxuBjuBap+pHc919C58= ecdsa-key

Related commands

public-key local create

public-key peer import sshkey

public-key local export rsa

Use public-key local export rsa to export a local RSA host public key.

Syntax

In non-FIPS mode:

public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ]

In FIPS mode:

public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ]

Views

System view

Predefined user roles

network-admin

Parameters

name key-name: Specifies a local RSA key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command exports the host public key of the local RSA key pair with the default name.

openssh: Exports the host public key in OpenSSH format.

ssh1: Exports the host public key in SSH1.5 format.

ssh2: Exports the host public key in SSH2.0 format.

filename: Specifies the name of the file for saving the RSA host public key. The file name is a case-insensitive string of 1 to 128 characters. The name cannot be all dots (.), hostkey, serverkey, dsakey, ecdsakey, or sm2key, and cannot start with a slash (/) or contain ./ and ../. For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command does not export the key to a file but displays the key on the monitor screen.

Usage guidelines

You can use this command to export a local RSA host public key before distributing it to a peer device.

To distribute a local RSA host public key to a peer device:

1.     Save the exported local host public key to a file by using one of the following methods:

¡     Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } command to export the key, and then copy and paste it to a file.

¡     Use the public-key local export rsa [ name key-name ] { openssh | ssh2 } filename command to export the key to a file. You cannot export the key to the folder pkey or its subfolders.

2.     Transfer a copy of the file to the peer device, for example, by using FTP in binary mode or TFTP. For more information about FTP and TFTP, see Fundamentals Configuration Guide.

3.     On the peer device, use the public-key peer import sshkey command to import the host public key from the file.

SSH1.5, SSH2.0, and OpenSSH are different public key formats. Choose the correct public key format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.

Examples

# Export the host public key of the local RSA key pair with the default name in OpenSSH format to a file named key.pub.

<Sysname> system-view

[Sysname] public-key local export rsa openssh key.pub

# Display the host public key of the local RSA key pair with the default name in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export rsa ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "rsa-key-2011/05/12"

AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ==

---- END SSH2 PUBLIC KEY ----

# Display the host public key of the local RSA key pair with the default name in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export rsa openssh

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ== rsa-key

# Export the host public key of local RSA key pair rsa1 in OpenSSH format to a file named rsa1.pub.

<Sysname> system-view

[Sysname] public-key local export rsa name rsa1 openssh rsa1.pub

# Display the host public key of local RSA key pair rsa1 in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export rsa name rsa1 ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "rsa-key-2011/05/12"

AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8ba8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ==

---- END SSH2 PUBLIC KEY ----

# Display the host public key of local RSA key pair rsa1 in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export rsa name rsa1 openssh

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDevEbyF93xHUJucJWqRc1r8fhzQ9lSVprCI6ATZeDYyR1J00fBQ8XY+q2olqoagn5YDyUC8ZJvUhlyMOHeORpkAVxD3XncTp4XG66h3rTHHa7Xmm7f1GDYlF0n05t8mCLVaupbfCzP8ba8UkrUmMO4fUvW6zavA5LYxtlAiQv0KQ== rsa-key

Related commands

public-key local create

public-key peer import sshkey

public-key local export sm2

Use public-key local export sm2 to export a local SM2 host public key.

Syntax

public-key local export sm2 [ name key-name ] { openssh | ssh2 } [ filename ]

Views

System view

Predefined user roles

network-admin

Parameters

name key-name: Specifies a local SM2 key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command exports the host public key of the local SM2 key pair with the default name.

openssh: Exports the host public key in OpenSSH format.

ssh2: Exports the host public key in SSH2.0 format.

filename: Specifies the name of the file for saving the SM2 host public key. The file name is a case-insensitive string of 1 to 128 characters. The name cannot be all dots (.), hostkey, serverkey, dsakey, ecdsakey, or sm2key, and cannot start with a slash (/) or contain ./ and ../. For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command does not export the key to a file but displays the key on the monitor screen.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1                                                              Yes
MSR2600-10-X1                                                             No
MSR 2630                                                                  No
MSR3600-28/3600-51                                                        No
MSR3600-28-SI/3600-51-SI                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

Hardware                                                                  Command compatibility
MSR810-LM-GL                                                              Yes
MSR810-W-LM-GL                                                            Yes
MSR830-6EI-GL                                                             Yes
MSR830-10EI-GL                                                            Yes
MSR830-6HI-GL                                                             Yes
MSR830-10HI-GL                                                            Yes
MSR2600-6-X1-GL                                                           Yes
MSR3600-28-SI-GL                                                          Yes

You can use this command to export a local SM2 host public key before distributing it to a peer device.

To distribute a local SM2 host public key to a peer device:

1.     Save the exported local host public key to a file by using one of the following methods:

¡     Use the public-key local export sm2 [ name key-name ] { openssh | ssh2 } command to export the key, and then copy and paste it to a file.

¡     Use the public-key local export sm2 [ name key-name ] { openssh | ssh2 } filename command to export the key to a file. You cannot export the key to the pkey folder or its subfolders.

2.     Transfer a copy of the file to the peer device, for example, by using FTP in binary mode or TFTP. For more information about FTP and TFTP, see Fundamentals Configuration Guide.

3.     On the peer device, use the public-key peer import sshkey command to import the host public key from the file.

SSH2.0 and OpenSSH are different public key formats. Choose the correct public key format that is supported on the device where you import the host public key.
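The SSH2.0 (RFC 4716) block and the one-line OpenSSH form shown in the DSA, ECDSA, RSA, and SM2 export sections wrap the same wire-format key blob in different containers. The following Python script is an added example for this reference, not Comware code: it parses both containers, decodes the blob to show the key type and parameters, computes the SHA256 fingerprint that OpenSSH prints, converts between the two forms, and checks that a block and a line carry the same key, which is the check to make after a key file has been copied to the peer device and before it is imported. The inputs are the ECDSA and RSA host public keys printed in this reference; the SM2 blob is not covered because its field layout is not described here. The function names are this example's own.

```python
"""Parse RFC 4716 ("SSH2") and OpenSSH public key containers, decode the
SSH wire-format blob, and fingerprint it. Added example, not device code."""
import base64
import hashlib
import struct

# Sample input: the ECDSA and RSA host public keys printed in this reference.
RFC4716_ECDSA = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "ecdsa-sha2-nistp256-2014/07/06"
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBREw5tkARpbV+sYArt/xcW+UJEAevx7OckTtTLPBiLP5bWkSdKbvo+3oHRuIyZqmNTIcxuBjuBap+pHc919C58=
---- END SSH2 PUBLIC KEY ----"""

OPENSSH_ECDSA = ("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBREw5tkARpbV+sYArt/xcW+UJEAevx7OckTtTLPBiLP5bWkSdKbvo+3oHRuIyZqmNTIcxuBjuBap+pHc919C58= ecdsa-key")

OPENSSH_RSA = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDapKr+/gTCyWZyabuCJuJjMeMPQaj/kixzOCCAl+hDMmEGMrSfddq/bYcbgM7Buit1AgB3x0dFyTPi85DcCznTW4goPXAKFjuzCbGfj4chakSr+/aj1k3rM+XOvyvPJilneKJqhPT0xdv4tlas+mLNloY0dImbwS2kwE71rgg1CQ== rsa-key")

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"


def parse_rfc4716(text):
    """Return (comment, blob): strip the armor, read the Comment header,
    join the (possibly folded) body lines and base64-decode them."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 armor lines")
    comment, body = None, []
    for line in lines[1:-1]:
        if ":" in line and not body:  # header lines precede the body; base64 has no ':'
            name, _, value = line.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line)
    return comment, base64.b64decode("".join(body), validate=True)


def parse_openssh(line):
    """Return (key_type, blob, comment) from a one-line OpenSSH public key."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], base64.b64decode(parts[1], validate=True), comment


def read_ssh_strings(blob):
    """Split a blob into its length-prefixed fields (RFC 4251 'string' encoding)."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def describe(blob):
    """Decode the fields that matter for a sanity check before import."""
    fields = read_ssh_strings(blob)
    key_type = fields[0].decode("ascii")
    info = {"type": key_type}
    if key_type == "ssh-rsa":  # fields: type, e, n (mpint, big-endian)
        info["e"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-"):  # fields: type, curve, point
        info["curve"] = fields[1].decode("ascii")
        info["point_len"] = len(fields[2])
        info["uncompressed"] = fields[2][:1] == b"\x04"
    return info


def fingerprint(blob):
    """OpenSSH-style fingerprint: base64(SHA-256(blob)) with padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def to_openssh(blob, comment):
    """Emit the blob as an OpenSSH line; the type string comes from the blob itself."""
    key_type = read_ssh_strings(blob)[0].decode("ascii")
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def to_rfc4716(blob, comment):
    """Emit the blob as an RFC 4716 block, body folded at 72 columns as the RFC requires."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 72] for i in range(0, len(b64), 72)]
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END])


def same_key(rfc4716_text, openssh_line):
    """True if a block and a line carry byte-identical key blobs."""
    _, blob_a = parse_rfc4716(rfc4716_text)
    _, blob_b, _ = parse_openssh(openssh_line)
    return blob_a == blob_b


if __name__ == "__main__":
    comment, blob = parse_rfc4716(RFC4716_ECDSA)
    print(comment, describe(blob), fingerprint(blob))
    print("same key in both forms:", same_key(RFC4716_ECDSA, OPENSSH_ECDSA))
    _, rsa_blob, _ = parse_openssh(OPENSSH_RSA)
    print(describe(rsa_blob), fingerprint(rsa_blob))
    print(to_rfc4716(rsa_blob, "rsa-key"))
```

Compare the fingerprint printed here with the one shown on the exporting device (or with the fingerprint of the original file) before running public-key peer import sshkey; a mismatch means the file was altered in transit, for instance by a text-mode FTP transfer.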

Examples

# Export the host public key of the local SM2 key pair with the default name in OpenSSH format to file key.pub.

<Sysname> system-view

[Sysname] public-key local export sm2 openssh key.pub

# Display the host public key of the local SM2 key pair with the default name in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export sm2 ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "sm2-key-2016/09/12"

AAAAB3NtMi1rZXkAAABBBJo0XIySNcZiJq/N81QQozLcdBneur2w/E1gIRAfHM5SwDspD22aMdg5dRQrIFrN6XMXdftV5vwI9qWX/tGMH0g=

---- END SSH2 PUBLIC KEY ----

# Display the host public key of the local SM2 key pair with the default name in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export sm2 openssh

ssh-sm2 AAAAB3NtMi1rZXkAAABBBJo0XIySNcZiJq/N81QQozLcdBneur2w/E1gIRAfHM5SwDspD22aMdg5dRQrIFrN6XMXdftV5vwI9qWX/tGMH0g= sm2-key

Related commands

public-key local create

public-key peer import sshkey

public-key peer

Use public-key peer to assign a name to a peer host public key and enter public key view, or enter the view of an existing peer host public key.

Use undo public-key peer to delete a peer host public key.

Syntax

public-key peer keyname

undo public-key peer keyname

Default

No peer host public keys exist.

Views

System view

Predefined user roles

network-admin

Parameters

keyname: Specifies a key name, a case-sensitive string of 1 to 64 characters.

Usage guidelines

After you execute this command to enter the public key view, type the public key. Spaces and carriage returns are allowed, but are not saved.

To configure a peer host public key on the local device, first obtain the peer public key in hexadecimal notation, and then perform the following tasks on the local device:

1.     Execute the public-key peer command to enter public key view.

2.     Type the public key.

3.     Execute the peer-public-key end command to save the public key and return to system view.

The public key you type in the public key view must be in a correct format. If the peer device is an H3C device, use the display public-key local public command to display and record its public key.

Examples

# Assign name key1 to the peer host public key and enter public key view.

<Sysname> system-view

[Sysname] public-key peer key1

Enter public key view. Return to system view with "peer-public-key end" command.

[Sysname-pkey-public-key-key1]

Related commands

display public-key local public

display public-key peer

peer-public-key end

public-key peer import sshkey

Use public-key peer import sshkey to import a peer host public key from a public key file.

Use undo public-key peer to remove a peer host public key.

Syntax

public-key peer keyname import sshkey filename

undo public-key peer keyname

Default

No peer host public keys exist.

Views

System view

Predefined user roles

network-admin

Parameters

keyname: Specifies a name for a peer host public key, a case-sensitive string of 1 to 64 characters.

filename: Specifies a public key file by its name, a case-insensitive string of 1 to 128 characters. The name cannot be all dots (.), hostkey, serverkey, dsakey, ecdsakey, or sm2key, and cannot start with a slash (/) or contain ./ and ../. For more information about file names, see Fundamentals Configuration Guide.

Usage guidelines

Before you use this command, get a copy of the public key file from the peer device through FTP or TFTP in binary mode.

After you configure this command, the system automatically transforms the host public key to the PKCS format, and saves the key.

In non-FIPS mode, the device supports importing public keys in the format of SSH1.5, SSH2.0, and OpenSSH.

In FIPS mode, the device supports importing public keys in the format of SSH2.0 and OpenSSH.

Examples

# Import peer host public key key2 from public key file key.pub.

<Sysname> system-view

[Sysname] public-key peer key2 import sshkey key.pub

Related commands

display public-key peer

public-key local export dsa

public-key local export ecdsa

public-key local export rsa


PKI commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

attribute

Use attribute to configure a rule to filter certificates based on an attribute in the certificate issuer name, subject name, or alternative subject name field.

Use undo attribute to remove an attribute rule.

Syntax

attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value

undo attribute id

Default

No attribute rules exist.

Views

Certificate attribute group view

Predefined user roles

network-admin

Parameters

id: Specifies a rule ID in the range of 1 to 16.

alt-subject-name: Specifies the alternative subject name field.

fqdn: Specifies the FQDN attribute.

ip: Specifies the IP address attribute.

dn: Specifies the DN attribute.

issuer-name: Specifies the issuer name field.

subject-name: Specifies the subject name field.

ctn: Specifies the contain operation.

equ: Specifies the equal operation.

nctn: Specifies the not-contain operation.

nequ: Specifies the not-equal operation.

attribute-value: Sets an attribute value, a case-insensitive string of 1 to 128 characters.

Usage guidelines

Different certificate fields support different attributes.

·     The subject name field and the issuer name field can contain a single DN, multiple FQDNs, and multiple IP addresses.

·     The alternative subject name field can contain multiple FQDNs and IP addresses but zero DNs.

An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 61.

Table 61 Combinations of attribute-value pairs and operation keywords

ctn
    DN:       The DN contains the specified attribute value.
    FQDN/IP:  Any FQDN or IP address contains the specified attribute value.

nctn
    DN:       The DN does not contain the specified attribute value.
    FQDN/IP:  None of the FQDNs or IP addresses contain the specified attribute value.

equ
    DN:       The DN is the same as the specified attribute value.
    FQDN/IP:  Any FQDN or IP address is the same as the specified attribute value.

nequ
    DN:       The DN is not the same as the specified attribute value.
    FQDN/IP:  None of the FQDNs or IP addresses are the same as the specified attribute value.

A certificate matches an attribute rule if it contains an attribute that matches the criterion defined in the rule. For example, a certificate matches the attribute 1 subject-name dn ctn abc rule if it meets the following conditions:

·     The subject name field of the certificate contains the DN attribute.

·     The DN attribute value contains the abc string.

A certificate matches an attribute group if it matches all attribute rules in the group.
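As an added illustration that is not part of this reference, the following Python script implements the rule semantics of Table 61 and the all-rules-must-match group rule over a certificate record. The certificate fields, hostnames and addresses are constructed for the example; the three rules are the ones configured for attribute group mygroup in the Examples section of this command. Where the text leaves a case open (a negative operation applied to a field that carries no attribute of that kind), the script treats the rule as satisfied, and that choice is marked in the code as an assumption.

```python
"""Evaluate PKI certificate attribute rules: each rule names a field,
an attribute, an operation (ctn, equ, nctn, nequ) and a value; a certificate
matches a group only if it matches every rule. Added example, not device code."""

FIELDS = ("subject-name", "issuer-name", "alt-subject-name")
ATTRS = ("dn", "fqdn", "ip")
OPS = ("ctn", "equ", "nctn", "nequ")

# Constructed certificate records (not from the page). Each field carries at most
# one DN plus any number of FQDNs and IP addresses; alt-subject-name has no DN.
SAMPLE_CERT = {
    "subject-name": {"dn": "CN=router1,OU=abc,O=Example", "fqdn": ["router1.example.test"], "ip": ["10.0.0.5"]},
    "issuer-name": {"dn": "CN=Example CA,O=Example", "fqdn": ["ca.example.test"], "ip": []},
    "alt-subject-name": {"dn": None, "fqdn": ["router1.example.test", "r1.example.test"], "ip": ["10.0.0.5", "192.0.2.7"]},
}
OTHER_CERT = {
    "subject-name": {"dn": "CN=router2,O=Example", "fqdn": [], "ip": []},
    "issuer-name": {"dn": "CN=Example CA,O=Example", "fqdn": ["ca.example.test"], "ip": []},
    "alt-subject-name": {"dn": None, "fqdn": ["router2.example.test"], "ip": ["10.0.0.1"]},
}


def parse_rule(text):
    """Parse the CLI form 'attribute <id> <field> <attr> <op> <value>'."""
    parts = text.split()
    if len(parts) != 6 or parts[0] != "attribute":
        raise ValueError(f"unrecognized rule: {text!r}")
    _, rule_id, field, attr, op, value = parts
    if field not in FIELDS or attr not in ATTRS or op not in OPS:
        raise ValueError(f"bad field, attribute or operation in {text!r}")
    if field == "alt-subject-name" and attr == "dn":
        raise ValueError("alt-subject-name carries no DN attribute")
    if not 1 <= int(rule_id) <= 16 or not 1 <= len(value) <= 128:
        raise ValueError("rule ID must be 1-16 and value 1-128 characters")
    return {"id": int(rule_id), "field": field, "attr": attr, "op": op, "value": value}


def rule_matches(rule, cert):
    """Apply Table 61. Attribute values compare case-insensitively. For fqdn/ip,
    ctn/equ succeed if ANY entry matches and nctn/nequ only if NONE matches."""
    value = rule["value"].lower()
    field = cert[rule["field"]]
    if rule["attr"] == "dn":
        candidates = [] if field["dn"] is None else [field["dn"].lower()]
    else:
        candidates = [v.lower() for v in field[rule["attr"]]]
    op = rule["op"]
    if not candidates:
        # Assumption: with no attribute of that kind present, a positive
        # operation cannot match and a negative one is vacuously satisfied.
        return op in ("nctn", "nequ")
    if op == "ctn":
        return any(value in c for c in candidates)
    if op == "equ":
        return any(value == c for c in candidates)
    if op == "nctn":
        return not any(value in c for c in candidates)
    return not any(value == c for c in candidates)  # nequ


def group_matches(rules, cert):
    """A certificate matches an attribute group only if every rule matches."""
    return all(rule_matches(r, cert) for r in rules)


# The three rules configured for attribute group mygroup in this command's examples.
MYGROUP = [parse_rule(r) for r in (
    "attribute 1 subject-name dn ctn abc",
    "attribute 2 issuer-name fqdn nequ abc",
    "attribute 3 alt-subject-name ip nequ 10.0.0.1",
)]


def evaluate(cert=SAMPLE_CERT, rules=MYGROUP):
    """Return (per-rule results keyed by rule ID, group verdict) for a certificate."""
    per_rule = {r["id"]: rule_matches(r, cert) for r in rules}
    return per_rule, group_matches(rules, cert)


if __name__ == "__main__":
    print("SAMPLE_CERT:", evaluate(SAMPLE_CERT))
    print("OTHER_CERT: ", evaluate(OTHER_CERT))
```

Running the script shows SAMPLE_CERT matching all three rules and OTHER_CERT failing rule 1 (no "abc" in its subject DN) and rule 3 (its alternative subject name carries 10.0.0.1), so only the first certificate matches the group.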

Examples

# Create a certificate attribute group and enter its view.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

# Specify an attribute rule to match certificates that contain the abc string in the subject DN.

[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc

# Specify an attribute rule to match certificates that do not contain FQDN abc in the issuer name field.

[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc

# Specify an attribute rule to match certificates that do not contain IP address 10.0.0.1 in the alternative subject name field.

[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1

Related commands

display pki certificate attribute-group

rule

ca identifier

Use ca identifier to specify the trusted CA.

Use undo ca identifier to restore the default.

Syntax

ca identifier name

undo ca identifier

Default

No trusted CA is specified.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

name: Specifies the trusted CA by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

To obtain a CA certificate in a PKI domain, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the CA server specified for the PKI domain.

Make sure the specified CA name is consistent with the name of the CA that owns the CA certificate to be obtained.

Examples

# Set the name of the trusted CA to new-ca.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] ca identifier new-ca

certificate request entity

Use certificate request entity to specify the PKI entity for certificate request.

Use undo certificate request entity to restore the default.

Syntax

certificate request entity entity-name

undo certificate request entity

Default

No PKI entity is specified for certificate request.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

entity-name: Specifies a PKI entity by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A PKI entity describes the identity attributes of an entity for certificate request, including the following information:

·     Common name.

·     Organization.

·     Unit in the organization.

·     Locality.

·     State and country where the entity resides.

·     FQDN.

·     IP address.

You can specify only one PKI entity for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify PKI entity en1 for certificate request in PKI domain aaa.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request entity en1

Related commands

pki entity

certificate request from

Use certificate request from to specify the type of certificate request reception authority.

Use undo certificate request from to restore the default.

Syntax

certificate request from { ca | ra }

undo certificate request from

Default

The type of certificate request reception authority is not specified.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

ca: Sends certificate requests to the CA.

ra: Sends certificate requests to the RA.

Usage guidelines

The CA server determines whether the CA or RA accepts certificate requests. This authority setting must be consistent with the setting on the CA server.

Examples

# Send certificate requests to the RA.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request from ra

certificate request mode

Use certificate request mode to set the certificate request mode.

Use undo certificate request mode to restore the default.

Syntax

certificate request mode { auto [ password { cipher | simple } string | renew-before-expire days [ reuse-public-key ] [ automatic-append common-name ] ] * | manual }

undo certificate request mode

Default

The certificate request mode is manual.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

auto: Specifies the auto certificate request mode.

password: Specifies a password for certificate revocation as required by the CA policy.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 31 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

renew-before-expire days: Configures the system to automatically request a new certificate the specified number of days before the current certificate expires. The value range for the days argument is 0 to 365. If the value is set to 0, the request for a new certificate is made when the old certificate expires, which might cause service interruptions.

reuse-public-key: Reuses the key pair in the old certificate for the new certificate. If you do not specify this keyword, the system generates a new key pair for the new certificate. The old key pair is replaced with the new one when the new certificate is received from the CA.

automatic-append common-name: Automatically appends random data to the common name of the PKI entity for the new certificate. If you do not specify this keyword, the common name of the PKI entity will be unchanged in the new certificate.

manual: Specifies the manual certificate request mode.

Usage guidelines

A certificate request can be submitted to a CA in offline or online mode. In online mode, a certificate request can be automatically or manually submitted:

·     Auto request mode—A PKI entity automatically obtains the CA certificate and submits a certificate request to the CA when both of the following conditions exist:

¡     An associated application (IKE, for example) performs identity authentication.

¡     No certificate is available for the application on the device.

·     Manual request mode—You must manually obtain the CA certificate and submit certificate requests.

To avoid service interruptions caused by certificate expiration, specify the renew-before-expire days option to enable certificate auto-renewal in auto certificate request mode. Certificate auto-renewal allows the system to automatically request a new certificate the specified number of days before the old certificate expires. The old certificate is replaced immediately when the new certificate is received.

Some CAs require a new PKI entity common name for certificate auto-renewal to work. Specify the automatic-append common-name keyword to ensure successful certificate auto-renewal.

Examples

# Set the certificate request mode to auto.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request mode auto

# Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request mode auto password simple 123456

# Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456. Configure the system to automatically request a new certificate by using a new key pair 60 days before the old certificate expires.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request mode auto password simple 123456 renew-before-expire 60

Related commands

pki request-certificate

certificate request polling

Use certificate request polling to set the polling interval and the maximum number of attempts to query certificate request status.

Use undo certificate request polling to restore the defaults.

Syntax

certificate request polling { count count | interval interval }

undo certificate request polling { count | interval }

Default

The polling interval is 20 minutes, and the maximum number of attempts is 50.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

count count: Specifies the maximum number of query attempts. The value range is 1 to 100.

interval interval: Specifies a polling interval in minutes. The value range is 5 to 168.

Usage guidelines

After a PKI entity submits a certificate request, it might take the CA server a while to issue the certificate if the CA administrator must manually approve the certificate request. During this period, the PKI entity periodically queries the CA server for the certificate request status. The periodic query operation stops when the PKI entity obtains the certificate or the maximum number of query attempts is reached. If the maximum number of query attempts is reached, the certificate request fails.

If the CA server automatically approves certificate requests, the PKI entity can obtain the certificate immediately after it submits a certificate request. In this case, the PKI entity does not send queries to the CA server.

Examples

# Set the polling interval to 15 minutes, and the maximum number of query attempts to 40.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] certificate request polling interval 15

[Sysname-pki-domain-aaa] certificate request polling count 40

Related commands

display pki certificate request-status

certificate request url

Use certificate request url to specify the URL of the certificate request reception authority (CA or RA) to which the device should send SCEP certificate requests.

Use undo certificate request url to restore the default.

Syntax

certificate request url url-string

undo certificate request url

Default

The URL of the certificate request reception authority is not specified.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the certificate request reception authority, a case-sensitive string of 1 to 511 characters. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.

Usage guidelines

The URL is in the format http://server_location/cgi_script_location, where:

·     The server_location argument is the IPv4 address, IPv6 address, or domain name of the certificate request reception authority (CA or RA) server.

·     The cgi_script_location argument is the path of the application script on the server.

Examples

# Set the certificate request URL to http://169.254.0.1/certsrv/mscep/mscep.dll.

<Sysname> system-view

[Sysname] pki domain a

[Sysname-pki-domain-a] certificate request url http://169.254.0.1/certsrv/mscep/mscep.dll

common-name

Use common-name to set the common name for a PKI entity.

Use undo common-name to restore the default.

Syntax

common-name common-name-string

undo common-name

Default

No common name is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set the username of the PKI entity as the common name.

Examples

# Set the common name to test for PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] common-name test

country

Use country to set the country code of a PKI entity.

Use undo country to restore the default.

Syntax

country country-code-string

undo country

Default

No country code is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

country-code-string: Specifies a country code, a case-sensitive string of two characters. For example, CN is the country code for China.

Examples

# Set the country code to CN for PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] country CN

crl check

Use crl check enable to enable CRL checking.

Use undo crl check enable to disable CRL checking.

Syntax

crl check enable

undo crl check enable

Default

CRL checking is enabled.

Views

PKI domain view

Predefined user roles

network-admin

Usage guidelines

A CRL is a list of revoked certificates signed and published by a CA. Revoked certificates should no longer be trusted.

CRL checking is designed to check whether a certificate has been revoked.

Examples

# Disable CRL checking.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] undo crl check enable

Related commands

pki import

pki retrieve-certificate

pki validate-certificate

crl url

Use crl url to specify the URL of the CRL repository.

Use undo crl url to restore the default.

Syntax

crl url url-string

undo crl url

Default

The URL of the CRL repository is not specified.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller.

Usage guidelines

To use CRL checking, a CRL must be obtained from a CRL repository.

The device selects a CRL repository in the following order:

1.     CRL repository specified in the PKI domain by using this command.

2.     CRL repository in the certificate that is being verified.

3.     CRL repository in the CA certificate or CRL repository in the upper-level CA certificate if the CA certificate is the certificate being verified.

If no CRL repository is found through this selection process, the device obtains the CRL through SCEP. In this scenario, the CA certificate and the local certificates must already have been obtained.

If an LDAP URL is specified, the device must connect to the LDAP server to obtain the CRL. If the LDAP URL does not contain the address of the LDAP server, use the ldap-server command to configure the server address in the PKI domain.
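The repository selection order and the LDAP caveat above, modelled as an added example (not H3C code): the PKI domain and certificates are plain dicts, and the key names (crl_url, crl_dp, ldap_server, has_ca_cert, has_local_cert) are assumptions of this example.

```python
# Added example (not H3C code): models the CRL repository selection order
# documented for the crl url command, including the SCEP fallback and the
# ldap-server requirement for a host-less LDAP URL. Dict keys are assumed.
from typing import Optional
from urllib.parse import urlparse


def select_crl_source(domain: dict, cert: dict, ca_cert: dict,
                      upper_ca_cert: Optional[dict] = None) -> dict:
    """Return where the device would fetch the CRL from, in the documented
    order: 1) crl url in the PKI domain, 2) CRL distribution point (CDP) in
    the certificate being verified, 3) CDP in the CA certificate, or in the
    upper-level CA certificate when the CA certificate itself is verified,
    4) SCEP as the last resort."""
    candidates = [
        ("pki-domain crl url", domain.get("crl_url")),
        ("certificate CDP", cert.get("crl_dp")),
    ]
    # Step 3 looks one level up when the CA certificate itself is verified.
    if cert is ca_cert:
        candidates.append(("upper-level CA certificate CDP",
                           (upper_ca_cert or {}).get("crl_dp")))
    else:
        candidates.append(("CA certificate CDP", ca_cert.get("crl_dp")))

    for source, url in candidates:
        if not url:
            continue
        parsed = urlparse(url)
        scheme = parsed.scheme.lower()
        if scheme not in ("http", "ldap"):
            # Only http:// and ldap:// are documented for crl url.
            return {"source": source, "url": url, "ok": False,
                    "reason": "unsupported URL scheme"}
        if scheme == "ldap" and not parsed.hostname \
                and not domain.get("ldap_server"):
            # An ldap:// URL without a host needs ldap-server in the domain.
            return {"source": source, "url": url, "ok": False,
                    "reason": "ldap-server not configured for host-less LDAP URL"}
        return {"source": source, "url": url, "ok": True, "reason": ""}

    # Nothing found: fall back to SCEP, which requires the CA certificate
    # and the local certificates to be present already.
    if domain.get("has_ca_cert") and domain.get("has_local_cert"):
        return {"source": "SCEP", "url": None, "ok": True, "reason": ""}
    return {"source": "SCEP", "url": None, "ok": False,
            "reason": "CA or local certificate missing"}
```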

Examples

# Set the URL of the CRL repository to http://169.254.0.30.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] crl url http://169.254.0.30

Related commands

ldap-server

pki retrieve-crl

display pki certificate access-control-policy

Use display pki certificate access-control-policy to display information about certificate-based access control policies.

Syntax

display pki certificate access-control-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you do not specify a policy name, this command displays information about all certificate-based access control policies.

Examples

# Display information about certificate-based access control policy mypolicy.

<Sysname> display pki certificate access-control-policy mypolicy

 Access control policy name: mypolicy

     Rule 1  deny    mygroup1

     Rule 2  permit  mygroup2

# Display information about all certificate-based access control policies.

<Sysname> display pki certificate access-control-policy

 Total PKI certificate access control policies: 2

 Access control policy name: mypolicy1

     Rule 1  deny    mygroup1

     Rule 2  permit  mygroup2

 Access control policy name: mypolicy2

     Rule 1  deny    mygroup3

     Rule 2  permit  mygroup4

Table 62 Command output

Field                                          Description
---------------------------------------------  --------------------------------------------------------------------------
Total PKI certificate access control policies  Total number of certificate-based access control policies.
permit                                         Permit certificates that match the attribute group in the access control rule.
deny                                           Deny certificates that match the attribute group in the access control rule.

Related commands

pki certificate access-control-policy

rule

display pki certificate attribute-group

Use display pki certificate attribute-group to display information about certificate attribute groups.

Syntax

display pki certificate attribute-group [ group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups.

Examples

# Display information about certificate attribute group mygroup.

<Sysname> display pki certificate attribute-group mygroup

 Attribute group name: mygroup

      Attribute  1 subject-name     dn    ctn   abc

      Attribute  2 issuer-name      fqdn  nctn  app

# Display information about all certificate attribute groups.

<Sysname> display pki certificate attribute-group

 Total PKI certificate attribute groups: 2.

 Attribute group name: mygroup1

      Attribute  1 subject-name     dn    ctn   abc

      Attribute  2 issuer-name      fqdn  nctn  app

Attribute group name: mygroup2

      Attribute  1 subject-name     dn    ctn   def

      Attribute  2 issuer-name      fqdn  nctn  fqd

Table 63 Command output

Field                                   Description
--------------------------------------  ----------------------------------------------
Total PKI certificate attribute groups  Total number of certificate attribute groups.
ctn                                     Contain operation.
nctn                                    Not-contain operation.
equ                                     Equal operation.
nequ                                    Not-equal operation.
Attribute 1 subject-name dn ctn abc     Attribute rule contents:
                                        · alt-subject-name—Alternative subject name.
                                        · issuer-name—Certificate issuer name.
                                        · subject-name—Certificate subject name.
                                        · fqdn—FQDN of the PKI entity.
                                        · ip—IP address of the PKI entity.
                                        · dn—DN of the PKI entity.
                                        · ctn—Indicates the contain operation.
                                        · equ—Indicates the equal operation.
                                        · nctn—Indicates the not-contain operation.
                                        · nequ—Indicates the not-equal operation.

Related commands

attribute

pki certificate attribute-group

display pki certificate domain

Use display pki certificate domain to display information about certificates.

Syntax

display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 64.

Table 64 Special characters

Character name      Symbol   Character name       Symbol
------------------  -------  -------------------  ------
Tilde               ~        Dot                  .
Asterisk            *        Left angle bracket   <
Backslash           \        Right angle bracket  >
Vertical bar        |        Quotation marks      "
Colon               :        Apostrophe           '

ca: Specifies the CA certificate.

local: Specifies the local certificates.

peer: Specifies the peer certificates.

serial serial-num: Specifies the serial number of a peer certificate.

Usage guidelines

If you specify the ca keyword, this command displays information about all CA certificates in the domain. If the domain has RA certificates, the RA certificates are also displayed.

If you specify the local keyword, this command displays information about all local certificates in the domain.

If you specify the peer keyword without a serial number, this command displays brief information about all peer certificates. If you specify a serial number, this command displays detailed information about the specified peer certificate.

Examples

# Display information about the CA certificate in PKI domain aaa.

<Sysname> display pki certificate domain aaa ca

Certificate:

    Data:

        Version: 1 (0x0)

        Serial Number:

            5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=cn, O=docm, OU=rnd, CN=rootca

        Validity

            Not Before: Jan  6 02:51:41 2011 GMT

            Not After : Dec  7 03:12:05 2013 GMT

        Subject: C=cn, O=ccc, OU=ppp, CN=rootca

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0:

                    28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40:

                    4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6:

                    57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6:

                    7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6:

                    6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd:

                    c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d:

                    84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f:

                    52:db:7b:cd:5d:2b:66:5a:fb

                Exponent: 65537 (0x10001)

    Signature Algorithm: sha1WithRSAEncryption

        6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98:

        3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:54:7c:34:d5:ee:

        09:5a:11:e3:c8:7a:ab:3b:27:d7:62:a7:bb:bc:7e:12:5e:9e:

        4c:1c:4a:9f:d7:89:ca:20:46:de:c5:b3:ce:36:ca:5e:6e:dc:

        e7:c6:fe:3f:c5:38:dd:d5:a3:36:ad:f4:3d:e6:32:7f:48:df:

        07:f0:a2:32:89:86:72:22:cd:ed:e5:0f:95:df:9c:75:71:e7:

        fe:34:c5:a0:64:1c:f0:5c:e4:8f:d3:00:bd:fa:90:b6:64:d8:

        88:a6

# Display information about local certificates in PKI domain aaa.

<Sysname> display pki certificate domain aaa local

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            bc:05:70:1f:0e:da:0d:10:16:1e

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C=CN, O=sec, OU=software, CN=ipsec

        Validity

            Not Before: Jan  7 20:05:44 2011 GMT

            Not After : Jan  7 20:05:44 2012 GMT

        Subject: O=OpenCA Labs, OU=Users, CN=fips fips-sec

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:b2:38:ad:8c:7d:78:38:37:88:ce:cc:97:17:39:

                    52:e1:99:b3:de:73:8b:ad:a8:04:f9:a1:f9:0d:67:

                    d8:95:e2:26:a4:0b:c2:8c:63:32:5d:38:3e:fd:b7:

                    4a:83:69:0e:3e:24:e4:ab:91:6c:56:51:88:93:9e:

                    12:a4:30:ad:ae:72:57:a7:ba:fb:bc:ac:20:8a:21:

                    46:ea:e8:93:55:f3:41:49:e9:9d:cc:ec:76:13:fd:

                    a5:8d:cb:5b:45:08:b7:d1:c5:b5:58:89:47:ce:12:

                    bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b:

                    8a:f0:ea:02:fd:2d:44:7a:67

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Cert Type:

                SSL Client, S/MIME

            X509v3 Key Usage:

                Digital Signature, Non Repudiation, Key Encipherment

            X509v3 Extended Key Usage:

                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin

            Netscape Comment:

                User Certificate of OpenCA Labs

            X509v3 Subject Key Identifier:

                91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30

            X509v3 Authority Key Identifier:

                keyid:DF:D2:C9:1A:06:1F:BC:61:54:39:FE:12:C4:22:64:EB:57:3B:11:9F

 

            X509v3 Subject Alternative Name:

                email:fips@ccc.com

            X509v3 Issuer Alternative Name:

                email:pki@openca.org

            Authority Information Access:

                CA Issuers - URI:http://titan/pki/pub/cacert/cacert.crt

                OCSP - URI:http://titan:2560/

                1.3.6.1.5.5.7.48.12 - URI:http://titan:830/

 

            X509v3 CRL Distribution Points:

 

                Full Name:

                  URI:http://titan/pki/pub/crl/cacrl.crl

 

    Signature Algorithm: sha256WithRSAEncryption

        94:ef:56:70:48:66:be:8f:9d:bb:77:0f:c9:f4:65:77:e3:bd:

        ea:9a:b8:24:ae:a1:38:2d:f4:ab:e8:0e:93:c2:30:33:c8:ef:

        f5:e9:eb:9d:37:04:6f:99:bd:b2:c0:e9:eb:b1:19:7e:e3:cb:

        95:cd:6c:b8:47:e2:cf:18:8d:99:f4:11:74:b1:1b:86:92:98:

        af:a2:34:f7:1b:15:ee:ea:91:ed:51:17:d0:76:ec:22:4c:56:

        da:d6:d1:3c:f2:43:31:4f:1d:20:c8:c2:c3:4d:e5:92:29:ee:

        43:c6:d7:72:92:e8:13:87:38:9a:9c:cd:54:38:b2:ad:ba:aa:

        f9:a4:68:b5:2a:df:9a:31:2f:42:80:0c:0c:d9:6d:b3:ab:0f:

        dd:a0:2c:c0:aa:16:81:aa:d9:33:ca:01:75:94:92:44:05:1a:

        65:41:fa:1e:41:b5:8a:cc:2b:09:6e:67:70:c4:ed:b4:bc:28:

        04:50:a6:33:65:6d:49:3c:fc:a8:93:88:53:94:4c:af:23:64:

        cb:af:e3:02:d1:b6:59:5f:95:52:6d:00:00:a0:cb:75:cf:b4:

        50:c5:50:00:65:f4:7d:69:cc:2d:68:a4:13:5c:ef:75:aa:8f:

        3f:ca:fa:eb:4d:d5:5d:27:db:46:c7:f4:7d:3a:b2:fb:a7:c9:

        de:18:9d:c1

# Display brief information about all peer certificates in PKI domain aaa.

<Sysname> display pki certificate domain aaa peer

Total peer certificates: 1

 

Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7

Subject  Name: CN=sldsslserver

# Display detailed information about a peer certificate in PKI domain aaa.

<Sysname> display pki certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7

 

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            9a:03:37:eb:21:56:ba:1f:54:76:e4:d7:54:a5:a9:f7

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=cn, O=ccc, OU=sec, CN=ssl

        Validity

            Not Before: Oct 15 01:23:06 2010 GMT

            Not After : Jul 26 06:30:54 2012 GMT

        Subject: CN=sldsslserver

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (1024 bit)

                Modulus:

                    00:c2:cf:37:76:93:29:5e:cd:0e:77:48:3a:4d:0f:

                    a6:28:a4:60:f8:31:56:28:7f:81:e3:17:47:78:98:

                    68:03:5b:72:f4:57:d3:bf:c5:30:32:0d:58:72:67:

                    04:06:61:08:3b:e9:ac:53:b9:e7:69:68:1a:23:f2:

                    97:4c:26:14:c2:b5:d9:34:8b:ee:c1:ef:af:1a:f4:

                    39:da:c5:ae:ab:56:95:b5:be:0e:c3:46:35:c1:52:

                    29:9c:b7:46:f2:27:80:2d:a4:65:9a:81:78:53:d4:

                    ca:d3:f5:f3:92:54:85:b3:ab:55:a5:03:96:2b:19:

                    8b:a3:4d:b2:17:08:8d:dd:81

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Authority Key Identifier:

                keyid:9A:83:29:13:29:D9:62:83:CB:41:D4:75:2E:52:A1:66:38:3C:90:11

 

            X509v3 Key Usage: critical

                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement

            Netscape Cert Type:

                SSL Server

            X509v3 Subject Alternative Name:

                DNS:docm.com

            X509v3 Subject Key Identifier:

                3C:76:95:9B:DD:C2:7F:5F:98:83:B7:C7:A0:F8:99:1E:4B:D7:2F:26

            X509v3 CRL Distribution Points:

 

                Full Name:

                  URI:http://s03130.ccc.sec.com:447/ssl.crl

 

    Signature Algorithm: sha1WithRSAEncryption

        61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3:

        31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59:

        36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c:

        85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5:

        17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72:

        ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2:

        ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8:

        f0:a5

Related commands

pki domain

pki retrieve-certificate

display pki certificate renew-status

Use display pki certificate renew-status to display the certificate renewal status for a PKI domain.

Syntax

display pki certificate renew-status [ domain domain-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 65. If you do not specify a domain name, this command displays the certificate renewal status for all PKI domains.

Table 65 Special characters

Character name      Symbol   Character name       Symbol
------------------  -------  -------------------  ------
Tilde               ~        Dot                  .
Asterisk            *        Left angle bracket   <
Backslash           \        Right angle bracket  >
Vertical bar        |        Quotation marks      "
Colon               :        Apostrophe           '

Examples

# Display the certificate renewal status for all PKI domains.

<Sysname> display pki certificate renew-status

Domain Name: domain1

Renew Time : 03:12:05 2016-06-13

Renew public key:

  Key type: RSA

  Time when key pair created: 15:40:48 2016/06/13

  Key code:

    30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9

    667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE

    C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB

    FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1

    2DA4C04EF5AE0835090203010001

The command output indicates that the reuse-public-key keyword was not configured for PKI domain domain1 and a new key pair was created for the new certificate.

# Display the certificate renewal status for PKI domain domain1.

<Sysname> display pki certificate renew-status domain domain1

Domain Name: domain1

Renew Time : 03:12:05 2016-06-13

Renew public key:

  Key type: RSA

  Time when  key pair created: 15:40:48 2016/06/13

  Key code:

    30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9

    667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE

    C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB

    FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1

    2DA4C04EF5AE0835090203010001

Table 66 Command output

Field                       Description
--------------------------  ------------------------------------------------------------------
Domain Name                 PKI domain name.
Renew Time                  Time when a new certificate will be requested.
Renew public key            Information about the new key pair created for the certificate.
                            The renew public key information is displayed only if the
                            certificate renewal process is slow or has failed.
Key type                    Key pair type, which can be RSA, DSA, ECDSA, or SM2.
Time when key pair created  Time when the key pair was created.
Key code                    Public key data.

display pki certificate request-status

Use display pki certificate request-status to display certificate request status.

Syntax

display pki certificate request-status [ domain domain-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 67.

Table 67 Special characters

Character name      Symbol   Character name       Symbol
------------------  -------  -------------------  ------
Tilde               ~        Dot                  .
Asterisk            *        Left angle bracket   <
Backslash           \        Right angle bracket  >
Vertical bar        |        Quotation marks      "
Colon               :        Apostrophe           '

Usage guidelines

If you do not specify a PKI domain, this command displays the certificate request status for all PKI domains.

Examples

# Display certificate request status for PKI domain aaa.

<Sysname> display pki certificate request-status domain aaa

Certificate Request Transaction 1

    Domain name: aaa

    Status: Pending

    Key usage: General

    Remain polling attempts: 10

    Next polling attempt after : 1191 seconds

# Display certificate request statuses for all PKI domains.

<Sysname> display pki certificate request-status

Certificate Request Transaction 1

    Domain name: domain1

    Status: Pending

    Key usage: General

    Remain polling attempts: 10

    Next polling attempt after : 1191 seconds

Certificate Request Transaction 2

    Domain name: domain2

    Status: Pending

    Key usage: Signature

    Remain polling attempts: 10

    Next polling attempt after : 188 seconds

Table 68 Command output

Field                                   Description
--------------------------------------  -----------------------------------------------------------------
Certificate Request Transaction number  Certificate request transaction number, starting from 1.
Status                                  Certificate request status. Only the pending status is displayed.
Key usage                               Certificate purposes:
                                        · General—Signature and encryption.
                                        · Signature—Signature only.
                                        · Encryption—Encryption only.
Remain polling attempts                 Remaining number of attempts to query certificate request status.
Next polling attempt after              Remaining seconds before the next request status polling.

Related commands

certificate request polling

pki domain

pki retrieve-certificate

display pki crl domain

Use display pki crl domain to display information about the locally saved CRL of a PKI domain.

Syntax

display pki crl domain domain-name

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 69.

Table 69 Special characters

Character name      Symbol   Character name       Symbol
------------------  -------  -------------------  ------
Tilde               ~        Dot                  .
Asterisk            *        Left angle bracket   <
Backslash           \        Right angle bracket  >
Vertical bar        |        Quotation marks      "
Colon               :        Apostrophe           '

Usage guidelines

Use this command to identify whether a certificate has been revoked.

Examples

# Display information about the locally saved CRL of PKI domain aaa.

<Sysname> display pki crl domain aaa

Certificate Revocation List (CRL):

        Version 2 (0x1)

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: /C=cn/O=docm/OU=sec/CN=therootca

        Last Update: Apr 28 01:42:13 2011 GMT

        Next Update: NONE

        CRL extensions:

            X509v3 CRL Number:

                6

            X509v3 Authority Key Identifier:

                keyid:49:25:DB:07:3A:C4:8A:C2:B5:A0:64:A5:F1:54:93:69:14:51:11:EF

 

Revoked Certificates:

    Serial Number: CDE626BF7A44A727B25F9CD81475C004

        Revocation Date: Apr 28 01:37:52 2011 GMT

        CRL entry extensions:

            Invalidity Date:

                Apr 28 01:37:49 2011 GMT

    Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5

        Revocation Date: Apr 28 01:33:28 2011 GMT

        CRL entry extensions:

            Invalidity Date:

                Apr 28 01:33:09 2011 GMT

    Signature Algorithm: sha1WithRSAEncryption

        57:ac:00:3e:1e:e2:5f:59:62:04:05:9b:c7:61:58:2a:df:a4:

        5c:e5:c0:14:af:c8:e7:de:cf:2a:0a:31:7d:32:da:be:cd:6a:

        36:b5:83:e8:95:06:bd:b4:c0:36:fe:91:7c:77:d9:00:0f:9e:

        99:03:65:9e:0c:9c:16:22:ef:4a:40:ec:59:40:60:53:4a:fc:

        8e:47:57:23:e0:75:0a:a4:1c:0e:2f:3d:e0:b2:87:4d:61:8a:

        4a:cb:cb:37:af:51:bd:53:78:76:a1:16:3d:0b:89:01:91:61:

        52:d0:6f:5c:09:59:15:be:b8:68:65:0c:5d:1b:a1:f8:42:04:

        ba:aa

Table 70 Command output

Field                            Description
-------------------------------  ------------------------------------------------------------------
Version                          CRL version number.
Signature Algorithm              Signature algorithm used by the CA to sign the CRL.
Issuer                           Name of the CA that issued the CRL.
Last Update                      Most recent CRL update time.
Next Update                      Next CRL update time.
X509v3 Authority Key Identifier  X509v3 ID of the CA that issued the CRL.
keyid                            Key ID. This field identifies the key pair used to sign the CRL.
Signature Algorithm:             Signature algorithm and signature data.

Related commands

pki retrieve-crl
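As an added example (not part of the H3C reference), a Python parser for the display pki crl domain output above that answers the question the usage guidelines pose, whether a given certificate serial number is on the locally saved CRL, and flags a CRL whose Next Update has passed. The sample output is constructed to mirror the page's example, and treating Next Update NONE as "freshness unknown" is this example's own conservative assumption.

```python
# Added example (not H3C code): parses display pki crl domain text and checks
# a certificate serial against it. Serial numbers appear as 'CDE626BF...'
# in the CRL and as '9a:03:37:eb:...' in certificate output, so both forms
# are normalized before comparison.
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample with the same layout as the page's example output.
SAMPLE_CRL_OUTPUT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=cn/O=docm/OU=sec/CN=therootca
        Last Update: Apr 28 01:42:13 2011 GMT
        Next Update: NONE
        CRL extensions:
            X509v3 CRL Number:
                6
Revoked Certificates:
    Serial Number: CDE626BF7A44A727B25F9CD81475C004
        Revocation Date: Apr 28 01:37:52 2011 GMT
    Serial Number: FCADFA81E1F56F43D3F2D3EF7EB56DE5
        Revocation Date: Apr 28 01:33:28 2011 GMT
    Signature Algorithm: sha1WithRSAEncryption
"""

_TIME_FMT = "%b %d %H:%M:%S %Y"


def normalize_serial(serial: str) -> str:
    """Strip colons/whitespace, upper-case, drop leading zeros."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", serial).upper()
    return digits.lstrip("0") or "0"


def _parse_time(text: str) -> Optional[datetime]:
    text = text.strip()
    if text.upper() == "NONE":
        return None
    naive = datetime.strptime(text.replace(" GMT", ""), _TIME_FMT)
    return naive.replace(tzinfo=timezone.utc)


def parse_crl_output(output: str) -> Dict:
    """Extract issuer, update times and revoked serials (with their
    revocation dates) from the display text."""
    crl: Dict = {"issuer": None, "last_update": None, "next_update": None,
                 "revoked": {}}
    current_serial = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Issuer:"):
            crl["issuer"] = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("Last Update:"):
            crl["last_update"] = _parse_time(stripped.split(":", 1)[1])
        elif stripped.startswith("Next Update:"):
            crl["next_update"] = _parse_time(stripped.split(":", 1)[1])
        elif stripped.startswith("Serial Number:"):
            current_serial = normalize_serial(stripped.split(":", 1)[1])
            crl["revoked"][current_serial] = None
        elif stripped.startswith("Revocation Date:") and current_serial:
            crl["revoked"][current_serial] = _parse_time(stripped.split(":", 1)[1])
    return crl


def check_revocation(crl: Dict, cert_serial: str,
                     now: Optional[datetime] = None) -> Dict:
    """Report whether cert_serial is revoked and whether the CRL is stale.
    Assumption: a CRL past its Next Update, or with Next Update NONE, is
    reported stale so the caller refreshes it (pki retrieve-crl) first."""
    now = now or datetime.now(timezone.utc)
    serial = normalize_serial(cert_serial)
    stale = crl["next_update"] is None or crl["next_update"] < now
    return {"serial": serial, "revoked": serial in crl["revoked"],
            "revocation_date": crl["revoked"].get(serial), "stale": stale}
```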

fqdn

Use fqdn to set the FQDN of an entity.

Use undo fqdn to restore the default.

Syntax

fqdn fqdn-name-string

undo fqdn

Default

No FQDN is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

fqdn-name-string: Specifies an FQDN, a case-sensitive string of 1 to 255 characters in the format hostname@domainname.

Usage guidelines

An FQDN uniquely identifies a PKI entity on a network.

Examples

# Set the FQDN to abc@pki.domain.com for PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] fqdn abc@pki.domain.com

ip

Use ip to assign an IP address to a PKI entity.

Use undo ip to restore the default.

Syntax

ip { ip-address | interface interface-type interface-number }

undo ip

Default

No IP address is assigned to the PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IPv4 address.

interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address of the interface will be used as the IP address of the PKI entity.

Usage guidelines

Use this command to assign an IP address to a PKI entity or specify an interface for the entity. The interface's primary IPv4 address will be used as the IP address of the PKI entity. If you specify an interface, make sure the interface is assigned an IP address before the PKI entity requests a certificate.

Examples

# Assign IP address 192.168.0.2 to PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] ip 192.168.0.2

ldap-server

Use ldap-server to specify an LDAP server for a PKI domain.

Use undo ldap-server to restore the default.

Syntax

ldap-server host hostname [ port port-number ] [ vpn-instance vpn-instance-name ]

undo ldap-server

Default

No LDAP server is specified for a PKI domain.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

host hostname: Specifies an LDAP server by its IPv4 address, IPv6 address, or domain name. The domain name is a case-sensitive string of 1 to 255 characters.

port port-number: Specifies the port number of the LDAP server. The value range is 1 to 65535, and the default is 389.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the LDAP server is on the public network, do not specify this option.

Usage guidelines

You must specify an LDAP server for a PKI domain in the following situations:

·     The certificate repository uses LDAP for certificate distribution.

·     The CRL repository uses LDAP for CRL distribution. However, the CRL repository URL configured for the PKI domain does not contain the IP address or host name of the LDAP server.

You can specify only one LDAP server for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify LDAP server 10.0.0.1 for PKI domain aaa.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] ldap-server host 10.0.0.1

# Specify LDAP server 10.0.0.11 in VPN instance vpn1 for PKI domain aaa. Set the port number to 333.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] ldap-server host 10.0.0.11 port 333 vpn-instance vpn1

Related commands

pki retrieve-certificate

pki retrieve-crl

locality

Use locality to set the locality of a PKI entity.

Use undo locality to restore the default.

Syntax

locality locality-name

undo locality

Default

No locality is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

locality-name: Specifies a locality, a case-sensitive string of 1 to 63 characters. No comma can be included. You can set a city name as the locality.

Examples

# Set the locality to pukras for PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] locality pukras

organization

Use organization to set an organization name for a PKI entity.

Use undo organization to restore the default.

Syntax

organization org-name

undo organization

Default

No organization name is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included.

Examples

# Set the organization name to abc for PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] organization abc

organization-unit

Use organization-unit to set an organization unit name for a PKI entity.

Use undo organization-unit to restore the default.

Syntax

organization-unit org-unit-name

undo organization-unit

Default

No organization unit name is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

org-unit-name: Specifies an organization unit name, a case-sensitive string of 1 to 63 characters. No commas can be included.

Examples

# Set the organization unit name to rdtest for PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] organization-unit rdtest

pkcs7-encryption-algorithm

Use pkcs7-encryption-algorithm to specify the encryption algorithm for certificate files in PKCS#7 format.

Use undo pkcs7-encryption-algorithm to restore the default.

Syntax

In non-FIPS mode:

pkcs7-encryption-algorithm { 3des-cbc | aes-cbc-128 | des-cbc | sm4-cbc }

undo pkcs7-encryption-algorithm

In FIPS mode:

pkcs7-encryption-algorithm aes-cbc-128

undo pkcs7-encryption-algorithm

Default

In non-FIPS mode:

The DES-CBC encryption algorithm is used.

In FIPS mode:

The 128-bit AES-CBC encryption algorithm is used.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 56-bit key.

sm4-cbc: Specifies the SM4 algorithm in CBC mode, which uses a 128-bit key.

The following matrix shows the sm4-cbc keyword and hardware compatibility:

Hardware                                                                Keyword compatibility
----------------------------------------------------------------------  ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes
MSR810-LMS/810-LUS                                                      No
MSR2600-6-X1                                                            Yes
MSR2600-10-X1                                                           No
MSR 2630                                                                No
MSR3600-28/3600-51                                                      No
MSR3600-28-SI/3600-51-SI                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                          Yes
MSR 3610/3620/3620-DP/3640/3660                                         Yes
MSR5620/5660/5680                                                       Yes

Hardware          Keyword compatibility
----------------  ---------------------
MSR810-LM-GL      Yes
MSR810-W-LM-GL    Yes
MSR830-6EI-GL     Yes
MSR830-10EI-GL    Yes
MSR830-6HI-GL     Yes
MSR830-10HI-GL    Yes
MSR2600-6-X1-GL   Yes
MSR3600-28-SI-GL  Yes

aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.

Usage guidelines

During an online certificate request, the device uses the specified encryption algorithm to encrypt the certificate signing request in PKCS#7 format before sending the request to the CA. After obtaining the certificate issued by the CA, the device uses the same encryption algorithm to decrypt the certificate file in PKCS#7 format. Make sure the specified encryption algorithm is supported on the CA server.

Examples

# Specify the 128-bit SM4 algorithm in CBC mode as the encryption algorithm for certificate files in PKCS#7 format.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] pkcs7-encryption-algorithm sm4-cbc

pki abort-certificate-request

Use pki abort-certificate-request to abort the certificate request for a PKI domain.

Syntax

pki abort-certificate-request domain domain-name

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 71.

Table 71 Special characters

Character name      Symbol   Character name       Symbol
------------------  -------  -------------------  ------
Tilde               ~        Dot                  .
Asterisk            *        Left angle bracket   <
Backslash           \        Right angle bracket  >
Vertical bar        |        Quotation marks      "
Colon               :        Apostrophe           '

Usage guidelines

You can abort a certificate request and change some parameters, such as common name, country code, or FQDN, in the certificate request before the CA issues the certificate. Use the display pki certificate request-status command to display the certificate request status.

Examples

# Abort the certificate request for PKI domain 1.

<Sysname> system-view

[Sysname] pki abort-certificate-request domain 1

The certificate request is in process.

Confirm to abort it? [Y/N]:y

Related commands

display pki certificate request-status

pki request-certificate domain

pki certificate access-control-policy

Use pki certificate access-control-policy to create a certificate-based access control policy and enter its view, or enter the view of an existing certificate-based access control policy.

Use undo pki certificate access-control-policy to remove a certificate-based access control policy.

Syntax

pki certificate access-control-policy policy-name

undo pki certificate access-control-policy policy-name

Default

No certificate-based access control policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A certificate-based access control policy contains a set of access control rules that permit or deny access to the device based on the attributes in the requesting client's certificate.

Examples

# Create a certificate-based access control policy named mypolicy and enter its view.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy]

Related commands

display pki certificate access-control-policy

rule

pki certificate attribute-group

Use pki certificate attribute-group to create a certificate attribute group and enter its view, or enter the view of an existing certificate attribute group.

Use undo pki certificate attribute-group to remove a certificate attribute group.

Syntax

pki certificate attribute-group group-name

undo pki certificate attribute-group group-name

Default

No certificate attribute groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a group name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A certificate attribute group is a set of attribute rules configured by using the attribute command. Each attribute rule defines a matching criterion for an attribute in the issuer name, subject name, or alternative subject name field of certificates.

A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command). If a certificate attribute group does not have any attribute rules, all certificates match the associated access control rule. Keep this in mind before you bind an empty group to a permit rule: it admits every certificate presented to the device.

Examples

# Create a certificate attribute group named mygroup and enter its view.

<Sysname> system-view

[Sysname] pki certificate attribute-group mygroup

[Sysname-pki-cert-attribute-group-mygroup]

Related commands

attribute

display pki certificate attribute-group

rule

pki delete-certificate

Use pki delete-certificate to remove certificates from a PKI domain.

Syntax

pki delete-certificate domain domain-name { ca | local | peer [ serial serial-num ] }

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 72.

Table 72 Special characters

Character name       Symbol   Character name        Symbol
Tilde                ~        Dot                   .
Asterisk             *        Left angle bracket    <
Backslash            \        Right angle bracket   >
Vertical bar         |        Quotation marks       "
Colon                :        Apostrophe            '

ca: Specifies the CA certificate.

local: Specifies the local certificates.

peer: Specifies the peer certificates.

serial serial-num: Specifies a peer certificate by its serial number, a case-insensitive string of 1 to 127 characters. If you do not specify a serial number, this command removes all peer certificates in the PKI domain.

Usage guidelines

When you remove the CA certificate in a PKI domain, the system also removes the local certificates, peer certificates, and the CRL in the PKI domain.

To delete a specific peer certificate in a PKI domain, perform the following steps:

1.     Execute the display pki certificate command to determine the serial number of the peer certificate.

2.     Execute the pki delete-certificate domain domain-name peer serial serial-num command.

Examples

# Remove the CA certificate in PKI domain aaa.

<Sysname> system-view

[Sysname] pki delete-certificate domain aaa ca

Local certificates, peer certificates and CRL will also be deleted while deleting the CA certificate.

Confirm to delete the CA certificates? [Y/N]:y

[Sysname]

# Remove the local certificates in PKI domain aaa.

<Sysname> system-view

[Sysname] pki delete-certificate domain aaa local

[Sysname]

# Remove all peer certificates in PKI domain aaa.

<Sysname> system-view

[Sysname] pki delete-certificate domain aaa peer

[Sysname]

# Display information about all peer certificates in PKI domain aaa, and remove a peer certificate with the specified serial number.

<Sysname> system-view

[Sysname] display pki certificate domain aaa peer

Total peer certificates: 1

 

Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7

Subject  Name: CN=abc

[Sysname] pki delete-certificate domain aaa peer serial 9a0337eb2156ba1f5476e4d754a5a9f7
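As an added example that is not part of the command reference, the following Python script automates the two-step procedure above for several peer certificates at once. It parses the Serial Number and Subject Name lines of display pki certificate domain ... peer output, checks the number of entries against the Total line so that a listing cut off by screen paging is not acted on, and builds one pki delete-certificate ... peer serial command per certificate whose subject matches a regular expression. The listing is constructed (the serial numbers and subjects are made up, following the layout the command reference shows); the script only returns the commands, it does not run anything on the device.

```python
import re

# Constructed sample of "display pki certificate domain aaa peer" output, in the
# layout the command reference shows: a "Total peer certificates:" line, then a
# "Serial Number:" and "Subject  Name:" line per certificate. Serial numbers
# and subjects are made up.
SAMPLE_PEER_LISTING = """\
Total peer certificates: 3

Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7
Subject  Name: CN=abc

Serial Number: 1f2e3d4c5b6a79880123456789abcdef
Subject  Name: CN=branch-rtr-01,O=Example,C=CN

Serial Number: 00c0ffee0badf00d
Subject  Name: CN=branch-rtr-02,O=Example,C=CN
"""

_TOTAL = re.compile(r"^Total peer certificates:\s*(\d+)\s*$", re.M)
_SERIAL = re.compile(r"^Serial Number:\s*(\S+)\s*$")
_SUBJECT = re.compile(r"^Subject\s+Name:\s*(.*\S)\s*$")


def parse_peer_listing(text):
    """Return [{"serial": ..., "subject": ...}, ...], one entry per certificate."""
    certs, current = [], None
    for line in text.splitlines():
        m = _SERIAL.match(line)
        if m:
            current = {"serial": m.group(1), "subject": ""}
            certs.append(current)
            continue
        m = _SUBJECT.match(line)
        if m and current is not None:
            current["subject"] = m.group(1)
    return certs


def listing_is_complete(text):
    """True when the number of parsed entries equals the device's own total.
    A mismatch usually means the capture was cut off by screen paging;
    acting on it would silently leave certificates behind."""
    m = _TOTAL.search(text)
    return m is not None and int(m.group(1)) == len(parse_peer_listing(text))


def delete_commands(domain, listing, subject_pattern):
    """Build one "pki delete-certificate domain <domain> peer serial <serial>"
    command per peer certificate whose subject matches subject_pattern (a
    regular expression). Returns the commands as strings; nothing is executed."""
    if not listing_is_complete(listing):
        raise ValueError("peer certificate listing is incomplete or unrecognized")
    commands = []
    for cert in parse_peer_listing(listing):
        if re.search(subject_pattern, cert["subject"]):
            serial = cert["serial"]
            if not 1 <= len(serial) <= 127:  # range documented for serial-num
                raise ValueError(f"serial number out of range: {serial!r}")
            commands.append(
                f"pki delete-certificate domain {domain} peer serial {serial}")
    return commands


if __name__ == "__main__":
    for cmd in delete_commands("aaa", SAMPLE_PEER_LISTING, r"^CN=branch-rtr-"):
        print(cmd)
```

Paste the commands into system view after reviewing them; the check against the Total line is the part worth keeping even if you adapt the rest, because a paged or truncated capture is the usual reason a cleanup misses certificates.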

Related commands

display pki certificate

pki domain

Use pki domain to create a PKI domain and enter its view, or enter the view of an existing PKI domain.

Use undo pki domain to remove a PKI domain.

Syntax

pki domain domain-name

undo pki domain domain-name

Default

No PKI domains exist.

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 73.

Table 73 Special characters

Character name       Symbol   Character name        Symbol
Tilde                ~        Dot                   .
Asterisk             *        Left angle bracket    <
Backslash            \        Right angle bracket   >
Vertical bar         |        Quotation marks       "
Colon                :        Apostrophe            '

Usage guidelines

When you remove a PKI domain, the certificates and the CRL in the domain are also removed.

Examples

# Create a PKI domain named aaa and enter its view.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa]

pki entity

Use pki entity to create a PKI entity and enter its view, or enter the view of an existing PKI entity.

Use undo pki entity to remove a PKI entity.

Syntax

pki entity entity-name

undo pki entity entity-name

Default

No PKI entities exist.

Views

System view

Predefined user roles

network-admin

Parameters

entity-name: Specifies a name for a PKI entity, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A PKI entity includes the identity information that can be used by a CA to identify a certificate applicant. You can configure multiple attributes for a PKI entity, such as common name, organization, organization unit, locality, state, country, FQDN, and IP address. The information will be included as subject contents in the certificate issued by the CA.

Examples

# Create a PKI entity named en and enter its view.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en]

Related commands

pki domain

pki export

Use pki export to export the CA certificate and the local certificates in a PKI domain.

Syntax

pki export domain domain-name der { all | ca | local } filename filename

pki export domain domain-name p12 { all | local } passphrase p12-key filename filename

pki export domain domain-name pem { { all | local } [ { 3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc } pem-key ] | ca } [ filename filename ]

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 74.

Table 74 Special characters

Character name       Symbol   Character name        Symbol
Tilde                ~        Dot                   .
Asterisk             *        Left angle bracket    <
Backslash            \        Right angle bracket   >
Vertical bar         |        Quotation marks       "
Colon                :        Apostrophe            '

der: Specifies the DER certificate file format, including PKCS#7.

p12: Specifies the PKCS#12 certificate file format.

pem: Specifies the PEM certificate file format.

all: Specifies both CA and local certificates. The RA certificate is excluded.

ca: Specifies the CA certificate.

local: Specifies the local certificates or the local certificates and their private keys.

passphrase p12-key: Specifies a password for encrypting the private key of a local PKCS12 certificate.

3des-cbc: Specifies 3DES_CBC for encrypting the private key of a local certificate.

aes-128-cbc: Specifies 128-bit AES_CBC for encrypting the private key of a local certificate.

aes-192-cbc: Specifies 192-bit AES_CBC for encrypting the private key of a local certificate.

aes-256-cbc: Specifies 256-bit AES_CBC for encrypting the private key of a local certificate.

des-cbc: Specifies DES_CBC for encrypting the private key of a local certificate.

pem-key: Specifies a password for encrypting the private key of a local certificate in PEM format.

filename filename: Specifies the name of the file for storing the certificate. The file name is a case-insensitive string. If you do not specify a file name when you export certificates in PEM format, this command displays the certificates on the monitor screen.

Usage guidelines

When you export the CA certificate, the following conditions might exist:

·     If the PKI domain has only one CA certificate, this command exports the CA certificate to a file or displays it on the monitor screen.

·     If the PKI domain has a CA certificate chain, this command exports the certificate chain to a file or displays it on the monitor screen.

When you export a local certificate to a local file, the local file name might be different from the file name specified in the command. The file name depends on the usage of the key pair contained in the certificate.

The following example uses certificate as the file name for saving an exported local certificate.

·     If the local certificate contains an RSA signing key pair, the local file name is certificate-signature.

·     If the local certificate contains an RSA encryption key pair, the local file name is certificate-encryption.

·     If the local certificate contains a general purpose RSA, ECDSA, or DSA key pair, the local file name is certificate.

If the PKI domain has two local certificates, the local certificates are exported as follows:

·     If you specify a file name, the two local certificates are exported to two different files.

·     If you do not specify a file name, the local certificates are displayed on the monitor screen, separated by system prompts.

When you export all certificates, the following conditions might exist:

·     If the PKI domain has only the CA certificate or local certificates, the result is the same as when you export the CA certificate or local certificates separately.

·     If the PKI domain has both the CA certificate and local certificates, you get the following results:

¡     If you specify a file name, each local certificate is exported to a separate file together with its associated CA certificate chain.

¡     If you do not specify a file name, the local certificates and CA certificate or CA certificate chain are displayed on the monitor screen, separated by system prompts.

When you export all certificates in PKCS12 format, the PKI domain must have a local certificate. Otherwise, the export operation fails.

When you export the local certificates or all certificates in PEM format, you must specify the cryptographic algorithm and the password for the private key. Otherwise, this command does not export the private keys of the local certificates. If you specify the cryptographic algorithm and the password, and the local certificates have their private keys, this command exports the local certificates together with their private keys. If the local certificates do not have their private keys, the export operation fails. DES-CBC and 3DES-CBC are legacy algorithms kept for interoperability. When a private key must leave the device, prefer aes-256-cbc with a strong password, move the file over a protected channel, and delete the copy when it is no longer needed, because anyone holding the file and the password holds the device's identity.

When you export the local certificates, if the key pair in the PKI domain is changed and no longer matches the key in the local certificates, the export operation fails.

When you export the local certificates or all certificates, if the PKI domain has two local certificates, failure of exporting one local certificate does not affect export of the other.

The specified file name can contain an absolute path. If the specified path does not exist, the export operation fails.

Examples

# Export the CA certificate in the PKI domain to a file named cert-ca.der in DER format.

<Sysname> system-view

[Sysname] pki export domain domain1 der ca filename cert-ca.der

# Export the local certificates in the PKI domain to a file named cert-lo.der in DER format.

<Sysname> system-view

[Sysname] pki export domain domain1 der local filename cert-lo.der

# Export all certificates in the PKI domain to a file named cert-all.p7b in DER format.

<Sysname> system-view

[Sysname] pki export domain domain1 der all filename cert-all.p7b

# Export the CA certificate in the PKI domain to a file named cacert in PEM format.

<Sysname> system-view

[Sysname] pki export domain domain1 pem ca filename cacert

# Export the local certificates and their private keys in the PKI domain to a file named local.pem in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.

<Sysname> system-view

[Sysname] pki export domain domain1 pem local des-cbc 111 filename local.pem

# Export all certificates in the PKI domain to a file named all.pem in PEM format. No cryptographic algorithm or password is specified, so the private keys are not exported.

<Sysname> system-view

[Sysname] pki export domain domain1 pem all filename all.pem

# Display the local certificates and their private keys in the PKI domain on the monitor screen in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.

<Sysname> system-view

[Sysname] pki export domain domain1 pem local des-cbc 111

 

*** The general usage local certificate: ***

Bag Attributes

    friendlyName:

    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D

subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest

issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd

-----BEGIN CERTIFICATE-----

MIIEqjCCA5KgAwIBAgILAOhID4rI04kBfYgwDQYJKoZIhvcNAQELBQAwRTELMAkG

A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy

ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0MjYxMzMxMjlaFw0xMjA0MjUxMzMxMjla

ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF

VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF

AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhMoTHhE

jE2KfBQIzOZSgo2mdgpkccjr9Ek6IUC03ed1lPn0IG/YaAl4Tjgkiv+w1NrlSvAy

cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA

AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw

NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz

L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw

IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh

Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY

ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0

CDAaBgNVHREEEzARgQ9jaGt0ZXN0QGgzYy5jb20wGQYDVR0SBBIwEIEOcGtpQG9w

ZW5jYS5vcmcwgYEGCCsGAQUFBwEBBHUwczAyBggrBgEFBQcwAoYmaHR0cDovL3Rp

dGFuL3BraS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwHgYIKwYBBQUHMAGGEmh0dHA6

Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD

VR0fBDUwMzAxoC+gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js

L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB

tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12

X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv

UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd

no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK

7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw==

-----END CERTIFICATE-----

Bag Attributes

    friendlyName:

    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D

Key Attributes: <No Attributes>

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIAbfcE+KoYYoCAggA

MBEGBSsOAwIHBAjB+UsJM07JRQSCAoABqtASbjGTQbdxL3n4wNHmyWLxbvL9v27C

Uu6MjYJDCipVzxHU0rExgn+6cQsK5uK99FPBmy4q9/nnyrooTX8BVlXAjenvgyii

WQLwnIg1IuM8j2aPkQ3wbae1+0RACjSLy1u/PCl5sp6CDxI0b9xz6cxIGxKvUOCc

/gxdgk97XZSW/0qnOSZkhgeqBZuxq6Va8iRyho7RCStVxQaeiAZpq/WoZbcS5CKI

/WXEBQd4AX2UxN0Ld/On7Wc6KFToixROTxWTtf8SEsKGPDfrEKq3fSTW1xokB8nM

bkRtU+fUiY27V/mr1RHO6+yEr+/wGGClBy5YDoD4I9xPkGUkmqx+kfYbMo4yxkSi

JdL+X3uEjHnQ/rvnPSKBEU/URwXHxMX9CdCTSqh/SajnrGuB/E4JhOEnS/H9dIM+

DN6iz1IwPFklbcK9KMGwV1bosymXmuEbYCYmSmhZb5FnR/RIyE804Jz9ifin3g0Q

ZrykfG7LHL7Ga4nh0hpEeEDiHGEMcQU+g0EtfpOLTI8cMJf7kdNWDnI0AYCvBAAM

3CY3BElDVjJq3ioyHSJca8C+3lzcueuAF+lO7Y4Zluq3dqWeuJjE+/1BZJbMmaQA

X6NmXKNzmtTPcMtojf+n3+uju0le0d0QYXQz/wPsV+9IYRYasjzoXE5dhZ5sIPOd

u9x9hhp5Ns23bwyNP135qTNjx9i/CZMKvLKywm3Yg+Bgg8Df4bBrFrsH1U0ifmmp

ir2+OuhlC+GbHOxWNeBCa8iAq91k6FGFJ0OLA2oIvhCnh45tM7BjjKTHk+RZdMiA

0TKSWuOyihrwxdUEWh999GKUpkwDHLZJFd21z/kWspqThodEx8ea

-----END ENCRYPTED PRIVATE KEY-----

# Display all certificates in the PKI domain in PEM format. For the private keys, the cryptographic algorithm is DES_CBC and the password is 111.

<Sysname> system-view

[Sysname] pki export domain domain1 pem all des-cbc 111

 

*** The general usage local certificate: ***

Bag Attributes

    friendlyName:

    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D

subject=/C=CN/O=OpenCA Labs/OU=Users/CN=chktest chktest

issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd

-----BEGIN CERTIFICATE-----

MIIEqjCCA5KgAwIBAgILAOhID4rI04kBfYgwDQYJKoZIhvcNAQELBQAwRTELMAkG

A1UEBhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2Fy

ZTENMAsGA1UEAwwEYWJjZDAeFw0xMTA0MjYxMzMxMjlaFw0xMjA0MjUxMzMxMjla

ME0xCzAJBgNVBAYTAkNOMRQwEgYDVQQKDAtPcGVuQ0EgTGFiczEOMAwGA1UECwwF

VXNlcnMxGDAWBgNVBAMMD2Noa3Rlc3QgY2hrdGVzdDCBnzANBgkqhkiG9w0BAQEF

AAOBjQAwgYkCgYEA54rUZ0Ux2kApceE4ATpQ437CU6ovuHS5eJKZyky8fhMoTHhE

jE2KfBQIzOZSgo2mdgpkccjr9Ek6IUC03ed1lPn0IG/YaAl4Tjgkiv+w1NrlSvAy

cnPaSUko2QbO9sg3ycye1zqpbbqj775ulGpcXyXYD9OY63/Cp5+DRQ92zGsCAwEA

AaOCAhUwggIRMAkGA1UdEwQCMAAwUAYDVR0gBEkwRzAGBgQqAwMEMAYGBCoDAwUw

NQYEKgMDBjAtMCsGCCsGAQUFBwIBFh9odHRwczovL3RpdGFuL3BraS9wdWIvY3Bz

L2Jhc2ljMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBsAwKQYDVR0lBCIw

IAYIKwYBBQUHAwIGCCsGAQUFBwMEBgorBgEEAYI3FAICMC4GCWCGSAGG+EIBDQQh

Fh9Vc2VyIENlcnRpZmljYXRlIG9mIE9wZW5DQSBMYWJzMB0GA1UdDgQWBBTPw8FY

ut7Xr2Ct/23zU/ybgU9dQjAfBgNVHSMEGDAWgBQzEQ58yIC54wxodp6JzZvn/gx0

CDAaBgNVHREEEzARgQ9jaGt0ZXN0QGgzYy5jb20wGQYDVR0SBBIwEIEOcGtpQG9w

ZW5jYS5vcmcwgYEGCCsGAQUFBwEBBHUwczAyBggrBgEFBQcwAoYmaHR0cDovL3Rp

dGFuL3BraS9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwHgYIKwYBBQUHMAGGEmh0dHA6

Ly90aXRhbjoyNTYwLzAdBggrBgEFBQcwDIYRaHR0cDovL3RpdGFuOjgzMC8wPAYD

VR0fBDUwMzAxoC+gLYYraHR0cDovLzE5Mi4xNjguNDAuMTI4L3BraS9wdWIvY3Js

L2NhY3JsLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAGcMeSpBJiuRmsJW0iZK5nygB

tgD8c0b+n4v/F36sJjY1fRFSr4gPLIxZhPWhTrqsCd+QMELRCDNHDxvt3/1NEG12

X6BVjLcKXKH/EQe0fnwK+7PegAJ15P56xDeACHz2oysvNQ0Ot6hGylMqaZ8pKUKv

UDS8c+HgIBrhmxvXztI08N1imYHq27Wy9j6NpSS60mMFmI5whzCWfTSHzqlT2DNd

no0id18SZidApfCZL8zoMWEFI163JZSarv+H5Kbb063dxXfbsqX9Noxggh0gD8dK

7X7/rTJuuhTWVof5gxSUJp+aCCdvSKg0lvJY+tJeXoaznrINVw3SuXJ+Ax8GEw==

-----END CERTIFICATE-----

Bag Attributes: <No Attributes>

subject=/C=CN/O=OpenCA Labs/OU=software/CN=abcd

issuer=/C=CN/O=OpenCA Labs/OU=software/CN=abcd

-----BEGIN CERTIFICATE-----

MIIEYTCCA0mgAwIBAgIBFzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDTjEU

MBIGA1UECgwLT3BlbkNBIExhYnMxETAPBgNVBAsMCHNvZnR3YXJlMQ0wCwYDVQQD

DARhYmNkMB4XDTExMDQxODExNDQ0N1oXDTEzMDQxNzExNDQ0N1owRTELMAkGA1UE

BhMCQ04xFDASBgNVBAoMC09wZW5DQSBMYWJzMREwDwYDVQQLDAhzb2Z0d2FyZTEN

MAsGA1UEAwwEYWJjZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM1g

vomMF8S4u6q51bOwjKFUBwxyvOy4D897LmOSedaCyDt6Lvp+PBEHfwWBYBpsHhk7

kmnSNhX5dZ6NxunHaARZ2VlcctsYKyvAQapuaThy1tuOcphAB+jQQL9dPoqdk0xp

jvmPDlW+k832Konn9U4dIivS0n+/KMGh0g5UyzHGqUUOo7s9qFuQf5EjQon40TZg

BwUnFYRlvGe7bSQpXjwi8LTyxHPy+dDVjO5CP+rXx5IiToFy1YGWewkyn/WeswDf

Yx7ZludNus5vKWTihgx2Qalgb+sqUMwI/WUET7ghO2dRxPUdUbgIYF0saTndKPYd

4oBgl6M0SMsHhe9nF5UCAwEAAaOCAVowggFWMA8GA1UdEwEB/wQFMAMBAf8wCwYD

VR0PBAQDAgEGMB0GA1UdDgQWBBQzEQ58yIC54wxodp6JzZvn/gx0CDAfBgNVHSME

GDAWgBQzEQ58yIC54wxodp6JzZvn/gx0CDAZBgNVHREEEjAQgQ5wa2lAb3BlbmNh

Lm9yZzAZBgNVHRIEEjAQgQ5wa2lAb3BlbmNhLm9yZzCBgQYIKwYBBQUHAQEEdTBz

MDIGCCsGAQUFBzAChiZodHRwOi8mdcGl0YW4vcGtpL3B1Yi9jYWNlcnQvY2FjZXJ0

LmNydDAeBggrBgEFBQcwAYYSaHR0cDovL3RpdGFuOjI1NjAvMB0GCCsGAQUFBzAM

hhFodHRwOi8mdcGl0YW46ODMwLzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vMTky

LjE2OC40MC4xMjgvcGtpL3B1Yi9jcmwvY2FjcmwuY3JsMA0GCSqGSIb3DQEBCwUA

A4IBAQC0q0SSmvQNfa5ELtRKYF62C/Y8QTLbk6lZDTZuIzN15SGKQcbNM970ffCD

Lk1zosyEVE7PLnii3bZ5khcGO3byyXfluAqRyOGVJcudaw7uIQqgv0AJQ+zaQSHi

d4kQf5QWgYkQ55/C5puOmcMRgCbMpR2lYkqXLDjTIAZIHRZ/sTp6c+ie2bFxi/YT

3xYbO0wDMuGOKJJpsyKTKcbG9NdfbDyFgzEYAobyYqAUB3C0/bMfBduwhQWKSoYE

6vZsPGAEisCmAl3dIp49jPgVkixoShraYF1jLsWzJGlzem8QvWYzOqKEDwq3SV0Z

cXK8gzDBcsobcUMkwIYPAmd1kAPX

-----END CERTIFICATE-----

Bag Attributes

    friendlyName:

    localKeyID: 99 0B C2 3B 8B D1 E4 33 42 2B 31 C3 37 C0 1D DF 0D 79 09 1D

Key Attributes: <No Attributes>

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIICwzA9BgkqhkiG9w0BBQ0wMDAbBgkqhkiG9w0BBQwwDgQIcUSKSW9GVmICAggA

MBEGBSsOAwIHBAi5QZM+lSYWPASCAoBKDYulE5f2BXL9ZhI9zWAJpx2cShz/9PsW

5Qm106D+xSj1eAzkx/m4Xb4xRU8oOAuzu1DlWfSHKXoaa0OoRSiOEX1eg0eo/2vv

CHCvKHfTJr4gVSSa7i4I+aQ6AItrI6q99WlkN/e/IE5U1UE4ZhcsIiFJG+IvG7S8

f9liWQ2CImy/hjgFCD9nqSLN8wUzP7O2SdLVlUb5z4FR6VISZdgTFE8j7ko2HtUs

HVSg0nm114EwPtPMMbHefcuQ6b82y1M+dWfVxBN9K03lN4tZNfPWwLSRrPvjUzBG

dKtjf3/IFdV7/tUMy9JJSpt4iFt1h7SZPcOoGp1ZW+YUR30I7YnFE+9Yp/46KWT8

bk7j0STRnZX/xMy/9E52uHkLdW1ET3TXralLMYt/4jg4M0jUvoi3GS2Kbo+czsUn

gKgqwYnxVfRSvt8d6GBYrpF2tMFS9LEyngPKXExd+m4mAryuT5PhdFTkb1B190Lp

UIBjk3IXnr7AdrhvyLkH0UuQE95emXBD/K0HlD73cMrtmogL8F4yS5B2hpIr/v5/

eW35+1QMnJ9FtHFnVsLx9wl9lX8iNfsoBhg6FQ/hNSioN7rNBe7wwIRzxPVfEhO8

5ajQxWlidRn5RkzfUo6HuAcq02QTpSXI6wf2bzsVmr5sk+fRaELD/cwL6VjtXO6x

ZBLJcUyAwvScrOtTEK7Q5n0I34gQd4qcF0D1x9yQ4sqvTeU/7Jkm6XCPV05/5uiF

RLCfFAwaJMBdIQ6jDQHnpWT67uNDwdEzaPmuTVMme5Woc5zsqE5DY3hWu4oqFdDz

kPLnbX74IZ0gOLki9eIJkVswnF5HkBCKS50ejlW6TgbMNZ+JPk2w

-----END ENCRYPTED PRIVATE KEY-----

# Display the CA certificate in the PKI domain in PEM format.

<Sysname> system-view

[Sysname] pki export domain domain1 pem ca

-----BEGIN CERTIFICATE-----

MIIB+TCCAWICEQDMbgjRKygg3vpGFVY6pa3ZMA0GCSqGSIb3DQEBBQUAMD0xCzAJ

BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxETAPBgNVBAsTCGgzYy10ZXN0MQ0wCwYD

VQQDEwQ4MDQzMB4XDTExMDMyMjA0NDQyNFoXDTE0MDMyMzA0MzUyNFowPTELMAkG

A1UEBhMCY24xDDAKBgNVBAoTA2gzYzERMA8GA1UECxMIaDNjLXRlc3QxDTALBgNV

BAMTBDgwNDMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOvDAYQhyc++G7h5

eNDzJs22OQjCn/4JqnNKIdKz1BbaJT8/+IueSn9JIsg64Ex2WBeCd/tcmnSW57ag

dCvNIUYXXVOGca2iaSOElqCF4CQfV9zLrBtA7giHD49T+JbxLrrJLmdIQMJ+vYdC

sCxIp3YMAiuCahVLZeXklooqwqIXAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAElm7

W2Lp9Xk4nZVIpVV76CkNe8/C+Id00GCRUUVQFSMvo7Pded76bmYX2KzJSz+DlMqy

TdVrgG9Fp6XTFO80aKJGe6NapsfhJHKS+Q7mL0XpXeMONgK+e3dX7rsDxsY7hF+j

0gwsHrjV7kWvwJvDlhzGW6xbpr4DRmdcao19Cr6o=

-----END CERTIFICATE-----

# Display the CA certificate chain in the PKI domain on the monitor screen. In this example, the domain holds a chain of three CA certificates, which are displayed one after another.

<Sysname> system-view

[Sysname] pki export domain domain1 pem ca

-----BEGIN CERTIFICATE-----

MIIB7jCCAVcCEQCdSVShJFEMifVG8zRRoSsWMA0GCSqGSIb3DQEBBQUAMDcxCzAJ

BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEMMAoGA1UEAxMD

YWNhMB4XDTExMDEwNjAyNTc0NFoXDTEzMTIwMTAzMTMyMFowODELMAkGA1UEBhMC

Y24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQ0wCwYDVQQDEwRhYWNhMIGf

MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcuJsWhAJXEDmowGb5z7VDVms54TKi

xnaNJCWvBOrU64ftvpVB7xQekbkjgAS9FjDyXlLQ8IyIsYIp5ebJr8P+n9i9Pl7j

lBx5mi4XeIldyv2OjfNx5oSQ+gWY9/m1R8uv13RS05r3rxPg+7EvKBjmiy0Giddw

vu3Y3WrjBPp6GQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAJrQddzVQEiy4AcgtzUL

ltkmlmWoz87+jUsgFB+H+xeyiZE4sancf2UwH8kXWqZ5AuReFCCBC2fkvvQvUGnV

cso7JXAhfw8sUFok9eHz2R+GSoEk5BZFzZ8eCmNyGq9ln6mJsO1hAqMpsCW6G2zh

5mus7FTHhywXpJ22/fnHg61m

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

MIIB8DCCAVkCEQD2PBUx/rvslNw9uTrZB3DlMA0GCSqGSIb3DQEBBQUAMDoxCzAJ

BgNVBAYTAmNuMQwwCgYDVQQKEwNoM2MxDDAKBgNVBAsTA2gzYzEPMA0GA1UEAxMG

cm9mdcGNhMB4XDTExMDEwNjAyNTY1OFoXDTEzMTIwNDAzMTMxMFowNzELMAkGA1UE

BhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQwwCgYDVQQDEwNhY2Ew

gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOeklR7DpeEV72N1OLz+dydIDTx0

zVZDdPxF1gQYWSfIBwwFKJEyQ/4y8VIfDIm0EGTM4dsOX/QFwudhl/Czkio3dWLh

Q1y5XCJy68vQKrB82WZ2mah5Nuekus3LSZZBoZKTAOY5MCCMFcULM858dtSq15Sh

xF7tKSeAT7ARlJxTAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEADJQCo6m0RNup0ewa

ItX4XK/tYcJXAQWMA0IuwaWpr+ofqVVgYBPwVpYglhJDOuIZxKdR2pfQOA4f35wM

Vz6kAujLATsEA1GW9ACUWa5PHwVgJk9BDEXhKSJ2e7odmrg/iROhJjc1NMV3pvIs

CuFiCLxRQcMGhCNHlOn4wuydssc=

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

MIIB8jCCAVsCEFxy3MSlQ835MrnBkI/dUPYwDQYJKoZIhvcNAQEFBQAwOjELMAkG

A1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDaDNjMQ8wDQYDVQQDEwZy

b290Y2EwHhcNMTEwMTA2MDI1MTQxWhcNMTMxMjA3MDMxMjA1WjA6MQswCQYDVQQG

EwJjbjEMMAoGA1UEChMDaDNjMQwwCgYDVQQLEwNoM2MxDzANBgNVBAMTBnJvb3Rj

YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxP2XLFE230zq6MhwZvAomOxa

7tc1r4bESXZu3UBKno3Ay9kQm2HrDOAizvZXfLu7Gx22ga2Qdz0lIeZ+EQrYHTyO

pBcejDjal/ZtvgnjXyHFoG8nS+P7n83BkRj/Fu7Yz4zjTKMbCF2EfhEyXxr4NSXA

fhC9qg9S23vNXStmWvsCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBtsU7X77sdZ1Nn

0I98lh0qA5g7SEEIpI+pwZjjrH0FVHw01e4JWhHjyHqrOyfXYqe7vH4SXp5MHEqf

14nKIEbexbPONspebtznxv4/xTjd1aM2rfQ95jJ/SN8H8KIyiYZyIs3t5Q+V35x1

cef+NMWgZBzwXOSP0wC9+pC2ZNiIpg==

-----END CERTIFICATE-----

# Export the local certificates and their private keys in the PKI domain to a file named cert-lo.p12 in PKCS12 format. The password for the private keys is 123.

<Sysname> system-view

[Sysname] pki export domain domain1 p12 local passphrase 123 filename cert-lo.p12

# Export all certificates in the PKI domain to a file named cert-all.p12 in PKCS12 format. The password for the private keys is 123.

<Sysname> system-view

[Sysname] pki export domain domain1 p12 all passphrase 123 filename cert-all.p12

Related commands

pki domain

pki import

Use pki import to import the CA certificate, local certificates, or peer certificates for a PKI domain.

Syntax

pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] }

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 75.

Table 75 Special characters

Character name       Symbol   Character name        Symbol
Tilde                ~        Dot                   .
Asterisk             *        Left angle bracket    <
Backslash            \        Right angle bracket   >
Vertical bar         |        Quotation marks       "
Colon                :        Apostrophe            '

der: Specifies the DER certificate file format, including PKCS#7.

p12: Specifies the PKCS#12 certificate file format.

pem: Specifies the PEM certificate file format.

ca: Specifies the CA certificate.

local: Specifies the local certificates.

peer: Specifies the peer certificates.

filename filename: Specifies a certificate file name, a case-insensitive string. For a certificate in PEM format, you can also choose to copy and paste the certificate contents on the terminal instead of importing from a file.

Usage guidelines

Use this command to import a certificate in the following situations:

·     The CRL repository is not specified or the CA server does not support SCEP.

·     The certificate is packed with the server generated key pair in a single file. Only certificate files in PKCS12 or PEM format can contain key pairs.

Before you import certificates, complete the following tasks:

·     Use FTP or TFTP to upload the certificate files to the storage media of the device. If FTP or TFTP is not available, display and copy the contents of a certificate to a file on the device. Make sure the certificate is in PEM format because only certificates in PEM format can be imported by this means.

·     For the local certificates or peer certificates to be imported, the correct CA certificate chain must exist. The chain can already be stored in the PKI domain, or it can be carried in the local or peer certificate file itself. If neither the PKI domain nor the certificate file contains the CA certificate chain, obtain the CA certificate and import it first.

When you import the local or peer certificates:

·     If the local or peer certificates contain the CA certificate chain, you can import the CA certificate and the local or peer certificates at the same time. If the CA certificate already exists in a PKI domain, the system prompts you whether to overwrite the existing CA certificate.

·     If the local or peer certificates do not contain the CA certificate chain, but the CA certificate already exists in a PKI domain, you can directly import the certificates.

You can import the CA certificate to a PKI domain when either of the following conditions is met:

·     The CA certificate to be imported is the CA root certificate or contains the certificate chain with the root certificate.

·     The CA certificate contains a certificate chain without the root certificate, but can form a complete certificate chain with an existing CA certificate on the device.

Contact the CA administrator to get information as prompted in the following scenarios:

·     The system prompts you to confirm the root certificate's fingerprint when both of the following conditions exist:

¡     The certificate file to be imported contains the root certificate, but that root certificate does not exist in any PKI domain on the device.

¡     The root-certificate fingerprint command is not configured in the PKI domain to which the certificate file is to be imported.

Compare the displayed fingerprint with a value obtained from the CA administrator through a separate, trusted channel before you enter Y. A root certificate accepted at this prompt becomes a trust anchor for every certificate chained to it, so an unverified Y here undermines all later certificate checks in the domain.

·     The system prompts you to enter the challenge password used for encrypting the private key if the local certificate to be imported contains a key pair.

When you import a local certificate file that contains a key pair, you can choose to update the domain with the key pair. Depending on the purpose of the key pair, the following conditions might apply:

·     If the purpose of the key pair is general, the device uses the key pair to replace the local key pair that is found in this order:

a.     General-purpose key pair.

b.     Signature key pair.

c.     Encryption key pair.

·     If the purpose of the key pair is signature, the device uses the key pair to replace the local key pair that is found in this order:

a.     General-purpose key pair.

b.     Signature key pair.

·     If the purpose of the key pair is encryption, the device searches the domain for an encryption key pair.

If a matching key pair is found, the device asks whether you want to overwrite the existing key pair on the device. If no match is found, the device asks you to enter a key pair name (defaulting to the PKI domain name). Then, it generates the key pair according to the key algorithm and the purpose defined in the certificate file.

The import operation automatically updates or generates the correct key pair. When you perform the import operation, be sure to save the configuration file to avoid data loss.
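The fingerprint confirmation and the challenge-password prompt described above, as an added example that is not part of the command reference: a Python script (standard library only) that inspects a PEM bundle the way the device will see it when you paste it into pki import domain ... pem local. It splits the bundle into PEM blocks, reports how many certificates it carries (the extra ones are the CA chain the device offers to import together with the local certificate), detects an encrypted private key (which is what makes the device ask for the challenge password), and computes the MD5 and SHA1 fingerprint of each certificate in the same grouped, upper-case form the device prints, so you can check them against the values the CA administrator gives you before answering Y. The bundle is constructed: its layout follows the device's own PEM output, but the base64 payloads are placeholder bytes (b"placeholder", b"abc" and a well-known test sentence) rather than real PKCS#8 or X.509 DER, and the DEK-Info value is made up. The hashing and parsing are identical for a real file.

```python
import base64
import hashlib
import re

# One PEM block: "-----BEGIN <label>-----" ... "-----END <label>-----".
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed sample in the layout the device prints for "pki export ... pem local"
# and accepts when pasted into "pki import ... pem local": OpenSSL-style
# "Bag Attributes" lines, an encrypted key, the local certificate, then the CA
# certificate. The base64 payloads are placeholders, NOT real PKCS#8/X.509 DER.
SAMPLE_BUNDLE = """\
Bag Attributes
    localKeyID: 01 00 00 00
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
Bag Attributes
    localKeyID: 01 00 00 00
subject=/C=CN/O=Example/CN=sample-local
issuer=/C=CN/O=Example/CN=sample-ca
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=CN/O=Example/CN=sample-ca
issuer=/C=CN/O=Example/CN=sample-ca
-----BEGIN CERTIFICATE-----
VGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IGRvZw==
-----END CERTIFICATE-----
"""


def parse_pem_bundle(text):
    """Return one dict per PEM block: label, decoded DER bytes, and whether the
    block is an encrypted private key. Header lines inside a block (the
    "Proc-Type:" / "DEK-Info:" lines of legacy RSA PRIVATE KEY blocks) contain a
    colon, which base64 never does, so they are skipped. The Bag Attributes,
    subject= and issuer= lines sit outside the blocks and are ignored."""
    blocks = []
    for label, body in _PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines()]
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        encrypted = label == "ENCRYPTED PRIVATE KEY" or (
            label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body)
        blocks.append({"label": label,
                       "der": base64.b64decode(b64, validate=True),
                       "encrypted_key": encrypted})
    return blocks


def fingerprint(der, algo):
    """Hash the DER encoding and format it the way the device prints it at the
    import prompt: upper-case hex in groups of four, separated by spaces.
    algo is "md5" or "sha1" (the two digests the prompt shows)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


def _normalize(fp):
    return re.sub(r"[\s:]", "", fp).upper()


def fingerprint_matches(expected, printed):
    """Compare a fingerprint obtained out of band from the CA administrator with
    the one the device prints, ignoring spacing, colons and letter case."""
    return _normalize(expected) == _normalize(printed)


def inspect_bundle(text):
    """Summarize what "pki import domain ... pem local" will see in a bundle."""
    blocks = parse_pem_bundle(text)
    certs = [b["der"] for b in blocks if b["label"] == "CERTIFICATE"]
    return {
        "certificates": len(certs),
        "private_keys": sum(1 for b in blocks if b["label"].endswith("PRIVATE KEY")),
        # An encrypted key means the device will ask for the challenge password.
        "challenge_password_prompt": any(b["encrypted_key"] for b in blocks),
        "md5": [fingerprint(d, "md5") for d in certs],
        "sha1": [fingerprint(d, "sha1") for d in certs],
    }


if __name__ == "__main__":
    summary = inspect_bundle(SAMPLE_BUNDLE)
    for algo in ("md5", "sha1"):
        for fp in summary[algo]:
            print(f"{algo.upper():4} fingerprint:{fp}")
    print("challenge password prompt expected:", summary["challenge_password_prompt"])
```

Replace SAMPLE_BUNDLE with the contents of the file you are about to import. The last certificate in a bundle exported with a chain is normally the root, and that is the one whose fingerprint the device asks you to confirm; fingerprint_matches() accepts the colon-separated lower-case form that OpenSSL prints, so the administrator's value can be pasted as received.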

Examples

# Import CA certificate file rootca_pem.cer in PEM format to PKI domain aaa. The certificate file contains the root certificate.

<Sysname> system-view

[Sysname] pki import domain aaa pem ca filename rootca_pem.cer

The trusted CA's finger print is:

    MD5  fingerprint:FFFF 3EFF FFFF 37FF FFFF 137B FFFF 7535

    SHA1 fingerprint:FFFF FF7F FF2B FFFF 7618 FF4C FFFF 0A7D FFFF FF69

Is the finger print correct?(Y/N):y

[Sysname]

# Import CA certificate file aca_pem.cer in PEM format to PKI domain bbb. The certificate file does not contain the root certificate.

<Sysname> system-view

[Sysname] pki import domain bbb pem ca filename aca_pem.cer

[Sysname]

# Import local certificate file local-ca.p12 in PKCS12 format to PKI domain bbb. The certificate file contains a key pair.

<Sysname> system-view

[Sysname] pki import domain bbb p12 local filename local-ca.p12

Please input challenge password:

******

[Sysname]

# Import local certificate in PEM format to PKI domain bbb by copying and pasting the contents of the certificate. The certificate contains the key pair and the CA certificate chain.

<Sysname> system-view

[Sysname] pki import domain bbb pem local

Enter PEM-formatted certificates.

End with a Ctrl+C on a line by itself.

Bag Attributes

localKeyID: 01 00 00 00

friendlyName: {F7619D96-3AC2-40D4-B6F3-4EAB73DEED73}

Microsoft CSP Name: Microsoft Enhanced Cryptographic Provider v1.0

Key Attributes

X509v3 Key Usage: 10

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

DEK-Info: DES-EDE3-CBC,8DCE37F0A61A4B8C

 

k9C3KHY5S3EtnF5iQymvHYYrVFy5ZdjSasU5y4XFubjdcvmpFHQteMjD0GKX6+xO

kuKbvpyCnWsPVg56sL/PDRyrRmqLmtUV3bpyQsFXgnc7p+Snj3CG2Ciow9XApybW

Ec1TDCD75yuQckpVQdhguTvoPQXf9zHmiGu5jLkySp2k7ec/Mc97Ef+qqpfnHpQp

GDmMqnFpp59ZzB21OGlbGzlPcsjoT+EGpZg6B1KrPiCyFim95L9dWVwX9sk+U1s2

+8wqac8jETwwM0UZ1NGJ50JJz1QYIzMbcrw+S5WlPxACTIz1cldlBlb1kpc+7mcX

4W+MxFzsL88IJ99T72eu4iUNsy26g0BZMAcc1sJA3A4w9RNhfs9hSG43S3hAh5li

JPp720LfYBlkQHn/MgMCZASWDJ5G0eSXQt9QymHAth4BiT9v7zetnQqf4q8plfd/

Xqd9zEFlBPpoJFtJqXwxHUCKgw6kJeC4CxHvi9ZCJU/upg9IpiguFPoaDOPia+Pm

GbRqSyy55clVde5GOccGN1DZ94DW7AypazgLpBbrkIYAdjFPRmq+zMOdyqsGMTNj

jnheI5l784pNOAKuGi0i/uXmRRcfoMh6qAnK6YZGS7rOLC9CfPmy8fgY+/Sl9d9x

Q00ruO1psxzh9c2YfuaiXFIx0auKl6o5+ZZYn7Rg/xy2Y0awVP+dO925GoAcHO40

cCl6jA/HsGAU9HkpwKHL35lmBDRLEzQeBFcaGwSm1JvRfE4tkJM7+Uz2QHJOfP10

0VLqMgxMlpk3TvBWgzHGJDe7TdzFCDPMPhod8pi4P8gGXmQd01PbyQ==

-----END RSA PRIVATE KEY-----

Bag Attributes

localKeyID: 01 00 00 00

subject=/CN=sldsslserver

issuer=/C=cn/O=ccc/OU=sec/CN=ssl

-----BEGIN CERTIFICATE-----

MIICjzCCAfigAwIBAgIRAJoDN+shVrofVHbk11SlqfcwDQYJKoZIhvcNAQEFBQAw

NzELMAkGA1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDc2VjMQwwCgYD

VQQDEwNzc2wwHhcNMTAxMDE1MDEyMzA2WhcNMTIwNzI2MDYzMDU0WjAXMRUwEwYD

VQQDEwxzbGRzc2xzZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMLP

N3aTKV7NDndIOk0PpiikYPgxVih/geMXR3iYaANbcvRX07/FMDINWHJnBAZhCDvp

rFO552loGiPyl0wmFMK12TSL7sHvrxr0OdrFrqtWlbW+DsNGNcFSKZy3RvIngC2k

ZZqBeFPUytP185JUhbOrVaUDlisZi6NNshcIjd2BAgMBAAGjgbowgbcwHwYDVR0j

BBgwFoAUmoMpEynZYoPLQdR1LlKhZjg8kBEwDgYDVR0PAQH/BAQDAgP4MBEGCWCG

SAGG+EIBAQQEAwIGQDASBgNVHREECzAJggdoM2MuY29tMB0GA1UdDgQWBBQ8dpWb

3cJ/X5iDt8eg+JkeS9cvJjA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vczAzMTMw

LmgzYy5odWF3ZWktM2NvbS5jb206NDQ3L3NzbC5jcmwwDQYJKoZIhvcNAQEFBQAD

gYEAYS15x0kW474lu4twNzEy5dPjMSwtwfm/UK01S8GQjGV5tl9ZNiTHFGNEFx7k

zxBp/JPpcFM8hapAfrVHdQ/wstq0pVDdBkrVF6XKIBks6XgCvRl32gcaQt9yrQd9

5RbWdetuBljudjFj25airYO2u7pLeVmdWWx3WVvZBzOo8KU=

-----END CERTIFICATE-----

Bag Attributes: <Empty Attributes>

subject=/C=cn/O=ccc/OU=sec/CN=ssl

issuer=/C=cn/O=ccc/OU=sec/CN=ssl

-----BEGIN CERTIFICATE-----

MIIB7DCCAVUCEG+jJTPxxiE67pl2ff0SnOMwDQYJKoZIhvcNAQEFBQAwNzELMAkG

A1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDc2VjMQwwCgYDVQQDEwNz

c2wwHhcNMDkwNzMxMDY0ODQ2WhcNMTIwNzI5MDYyODU4WjA3MQswCQYDVQQGEwJj

bjEMMAoGA1UEChMDaDNjMQwwCgYDVQQLEwNzZWMxDDAKBgNVBAMTA3NzbDCBnzAN

BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt8QSMetQ70GONiFh7iJkvGQ8nC15zCF1

cqC/RcJhE/88LkKyQcu9j+Tz8Bk9Qj2UPaZdrk8fOrgtBsa7lZ+UO3j3l30q84l+

HjWq8yxVLRQahU3gqJze6pGR2l0s76u6GRyCX/zizGrHKqYlNnxK44NyRZx2klQ2

tKQAfpXCPIkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBWsaMgRbBMtYNrrYCMjY6g

c7PBjvajVOKNUMxaDalePmXfKCxl91+PKM7+i8I/zLcoQO+sHbva26a2/C4sNvoJ

2QZs6GtAOahP6CDqXC5VuNBU6eTKNKjL+mf6uuDeMxrlDNha0iymdrXXVIp5cuIu

fl7xgArs8Ks6aXDXM1o4DQ==

-----END CERTIFICATE-----

 

 

Please input the password:********

Local certificate already exist, confirm to overwrite it? [Y/N]:y

The PKI domain already has a CA certificate. If it is overwritten, local certificates, peer certificates and CRL of this domain will also be deleted.

Overwrite it? [Y/N]:y

The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).

Please enter the key pair name [default name: bbb]:

 

The key pair already exists.

Please enter the key pair name:

import-key

Related commands

display pki certificate

public-key dsa

public-key ecdsa

public-key rsa

pki request-certificate

Use pki request-certificate to submit a local certificate request or generate a certificate request in PKCS#10 format.

Syntax

pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ]

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 76.

Table 76 Special characters

Character name        Symbol     Character name          Symbol
Tilde                 ~          Dot                     .
Asterisk              *          Left angle bracket      <
Backslash             \          Right angle bracket     >
Vertical bar          |          Quotation marks         "
Colon                 :          Apostrophe              '

password password: Sets the password for certificate revocation, a case-sensitive string of 1 to 31 characters. The password is contained in the certificate request and must be provided if the certificate is revoked.

pkcs10: Displays BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, like phone, disk, or email.

filename filename: Specifies a local file for saving the certificate request in PKCS#10 format. The filename argument is case-insensitive.

Usage guidelines

If SCEP fails, you can perform one of the following tasks:

·     Use the pkcs10 keyword to print the BASE64-encoded request information.

·     Use the pkcs10 filename filename option to save the request information to a local file and transfer the file to the CA by using an out-of-band means. The file name can contain an absolute path. If the specified path does not exist, the request information cannot be saved.

This command is not saved in the configuration file.

Examples

# Display information about the certificate request in PKCS#10 format.

<Sysname> system-view

[Sysname] pki request-certificate domain aaa pkcs10

*** Request for certificate ***

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw

gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5

ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nmdcu5TED6iN8

4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G

CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw

R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ

JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c

-----END NEW CERTIFICATE REQUEST-----

# Request the local certificates.

[Sysname] pki request-certificate domain openca

Start to request general certificate ...

……

Certificate requested successfully.

Related commands

display pki certificate

pki retrieve-certificate

Use pki retrieve-certificate to obtain a certificate from the certificate distribution server.

Syntax

pki retrieve-certificate domain domain-name { ca | local | peer entity-name }

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 77.

Table 77 Special characters

Character name        Symbol     Character name          Symbol
Tilde                 ~          Dot                     .
Asterisk              *          Left angle bracket      <
Backslash             \          Right angle bracket     >
Vertical bar          |          Quotation marks         "
Colon                 :          Apostrophe              '

ca: Specifies the CA certificate.

local: Specifies the local certificates.

peer entity-name: Specifies a peer entity by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

In online mode:

·     You can obtain the CA certificate through the SCEP protocol. If a CA certificate already exists locally, do not obtain the CA certificate again. To obtain a new CA certificate, use the pki delete-certificate command to remove the CA certificate and local certificates, and then obtain the CA certificate again.

·     You can obtain local certificates or peer certificates through the LDAP protocol. If a PKI domain already has local certificates or peer certificates, you can still perform the obtain operation; the newly obtained local certificates or peer certificates overwrite the existing ones. If RSA or SM2 is used, a PKI domain can have two local certificates, one for signing and the other for encryption. Certificates for different purposes do not overwrite each other.

The obtained CA certificate, local certificates, and peer certificates are automatically verified before they are saved locally. If the verification fails, they are not saved.

This command is not saved in the configuration file.

Examples

# Obtain the CA certificate from the certificate distribution server. (This operation requires the user to confirm the fingerprint of the CA root certificate.)

<Sysname> system-view

[Sysname] pki retrieve-certificate domain aaa ca

The trusted CA's finger print is:

    MD5  fingerprint:5C41 E657 A0D6 ECB4 6BD6 1823 7473 AABC

    SHA1 fingerprint:1616 E7A5 D89A 2A99 9419 1C12 D696 8228 87BC C266

Is the finger print correct?(Y/N):y

# Obtain the local certificates from the certificate distribution server.

<Sysname> system-view

[Sysname] pki retrieve-certificate domain aaa local

# Obtain the certificate of peer entity en1 from the certificate distribution server.

<Sysname> system-view

[Sysname] pki retrieve-certificate domain aaa peer en1

Related commands

display pki certificate

pki delete-certificate

pki retrieve-crl

Use pki retrieve-crl to obtain CRLs and save them locally.

Syntax

pki retrieve-crl domain domain-name

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 78.

Table 78 Special characters

Character name        Symbol     Character name          Symbol
Tilde                 ~          Dot                     .
Asterisk              *          Left angle bracket      <
Backslash             \          Right angle bracket     >
Vertical bar          |          Quotation marks         "
Colon                 :          Apostrophe              '

Usage guidelines

CRLs are used to verify the validity of the local certificates and the peer certificates in a PKI domain. To obtain CRLs, a PKI domain must have the correct CA certificate.

The URL of the CRL repository is specified by using the crl url command.

The device can obtain CRLs from the CRL repository through the HTTP, LDAP, or SCEP protocol. Which protocol is used depends on the configuration of the CRL repository in the PKI domain:

·     If the specified URL of the CRL repository is in HTTP format, the device obtains CRLs through the HTTP protocol.

·     If the specified URL of the CRL repository is in LDAP format, the device obtains CRLs through the LDAP protocol. If the specified URL does not have a host name, for example, ldap:///CN=8088,OU=test,U=rd,C=cn, you must specify the LDAP server's URL for the PKI domain by using the ldap server command. The device can obtain the complete URL of the LDAP repository by combining the URLs of the LDAP server and of the CRL repository.

·     If the PKI domain is not configured with the CRL repository, the device looks up the local certificates and then the CA certificate for the CRL repository. If a CRL repository is found, the device obtains CRLs from the CRL repository. If no CRL repository is found, the device obtains CRLs through the SCEP protocol.

Examples

# Obtain CRLs from the CRL repository.

<Sysname> system-view

[Sysname] pki retrieve-crl domain aaa

Related commands

crl url

ldap server

pki storage

Use pki storage to specify the storage path for the certificates or CRLs.

Use undo pki storage to restore the default.

Syntax

pki storage { certificates | crls } dir-path

undo pki storage { certificates | crls }

Default

Certificates and CRLs are stored in the PKI directory on the storage media of the device. The PKI directory is automatically created when a certificate is successfully requested, obtained, or imported for the first time.

Views

System view

Predefined user roles

network-admin

Parameters

certificates: Specifies a storage path for certificates.

crls: Specifies a storage path for CRLs.

dir-path: Specifies a storage path, a case-sensitive string, which cannot start with a slash (/) or contain two dots plus a slash (../). The dir-path argument specifies an absolute path or a relative path, and the path must exist.

Usage guidelines

On centralized devices in IRF mode, the specified storage path must be on the master device.

On distributed devices in standalone mode, the specified storage path must be on the active MPU.

On distributed devices in IRF mode, the specified storage path must be on the global active MPU.

If the path to be specified does not exist, use the mkdir command to create the path first.

Certificate files use the .cer or .p12 file extension. CRL files use the .crl file extension. After you change the storage path for certificates or CRLs, the certificate files and CRL files in the original path are moved to the new path.

Examples

# Specify flash:/pki-new as the storage path for certificates.

<Sysname> system-view

[Sysname] pki storage certificates flash:/pki-new

# Specify pki-new as the storage path for CRLs.

<Sysname> system-view

[Sysname] pki storage crls pki-new

pki validate-certificate

Use pki validate-certificate to verify the validity of certificates.

Syntax

pki validate-certificate domain domain-name { ca | local }

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 79.

Table 79 Special characters

Character name        Symbol     Character name          Symbol
Tilde                 ~          Dot                     .
Asterisk              *          Left angle bracket      <
Backslash             \          Right angle bracket     >
Vertical bar          |          Quotation marks         "
Colon                 :          Apostrophe              '

ca: Specifies the CA certificate.

local: Specifies the local certificates.

Usage guidelines

Generally, certificates are automatically verified when you request, obtain, or import them, or when an application uses PKI.

You can also use this command to manually verify a certificate in the following aspects:

·     Whether the certificate is issued by a trusted CA.

·     Whether the certificate has expired.

·     Whether the certificate is revoked. This check is performed only if CRL checking is enabled.

When CRL checking is enabled:

·     To verify the local certificates, if the PKI domain has no CRLs, the device looks up the locally saved CRLs. If a correct CRL is found, the device loads the CRL to the PKI domain. If no correct CRL is found locally, the device obtains a correct CRL from the CA server and saves it locally.

·     To verify the CA certificate, CRL checking is performed for the CA certificate chain from the current CA to the root CA.

Examples

# Verify the validity of the CA certificate in PKI domain aaa.

<Sysname> system-view

[Sysname] pki validate-certificate domain aaa ca

Verifying certificates......

        Serial Number:

            f6:3c:15:31:fe:bb:ec:94:dc:3d:b9:3a:d9:07:70:e5

        Issuer:

            C=cn

            O=ccc

            OU=ppp

            CN=rootca

        Subject:

            C=cn

            O=abc

            OU=test

            CN=aca

 

Verify result: OK

Verifying certificates......

        Serial Number:

            5c:72:dc:c4:a5:43:cd:f9:32:b9:c1:90:8f:dd:50:f6

        Issuer:

            C=cn

            O=ccc

            OU=ppp

            CN=rootca

        Subject:

            C=cn

            O=ccc

            OU=ppp

            CN=rootca

 

Verify result: OK

# Verify the local certificates in PKI domain aaa.

<Sysname> system-view

[Sysname] pki validate-certificate domain aaa local

Verifying certificates......

        Serial Number:

            bc:05:70:1f:0e:da:0d:10:16:1e

        Issuer:

            C=CN

            O=sec

            OU=software

            CN=bca

        Subject:

            O=OpenCA Labs

            OU=Users

            CN=fips fips-sec

 

Verify result: OK

Related commands

crl check

pki domain

public-key dsa

Use public-key dsa to specify a DSA key pair for certificate request.

Use undo public-key to restore the default.

Syntax

public-key dsa name key-name [ length key-length ]

undo public-key

Default

No key pair is specified for certificate request.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.

Usage guidelines

You can specify a nonexistent key pair in this command. A key pair can be obtained in any of the following ways:

·     Use the public-key local create command to generate a key pair.

·     An application, like IKE using digital signature authentication, triggers the device to generate a key pair.

·     Use the pki import command to import a certificate containing a key pair.

A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, RSA, or SM2).

·     If DSA or ECDSA is used, a PKI domain can have only one key pair. If you configure a DSA or ECDSA key pair multiple times, the most recent configuration takes effect.

·     If RSA or SM2 is used, a PKI domain can have two key pairs of different purposes: one is the signing key pair, and the other is the encryption key pair.

If you configure an RSA signing key pair or RSA encryption key pair multiple times, the most recent configuration takes effect. The RSA signing key pair and encryption key pair do not overwrite each other. The same is true for SM2 key pairs.

The length key-length option takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and length before submitting a certificate request. The length key-length option is ignored if the specified key pair already exists or is already contained in an imported certificate.

Examples

# Specify 2048-bit DSA key pair abc for certificate request.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] public-key dsa name abc length 2048

Related commands

pki import

public-key local create (see Security Command Reference)

public-key ecdsa

Use public-key ecdsa to specify an ECDSA key pair for certificate request.

Use undo public-key to restore the default.

Syntax

In non-FIPS mode:

public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 | secp521r1 ]

undo public-key

In FIPS mode:

public-key ecdsa name key-name [ secp256r1 | secp384r1 | secp521r1 ]

undo public-key

Default

No key pair is specified for certificate request.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

secp192r1: Uses the secp192r1 curve to generate the key pair. The secp192r1 curve is used by default in non-FIPS mode.

secp256r1: Uses the secp256r1 curve to generate the key pair. The secp256r1 curve is used by default in FIPS mode.

secp384r1: Uses the secp384r1 curve to generate the key pair.

secp521r1: Uses the secp521r1 curve to generate the key pair.

Usage guidelines

You can specify a nonexistent key pair for a PKI domain.

A key pair can be obtained in any of the following ways:

·     Use the public-key local create command to generate a key pair.

·     An application, like IKE using digital signature authentication, triggers the device to generate a key pair.

·     Use the pki import command to import a certificate containing a key pair.

A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, RSA, or SM2).

·     If DSA or ECDSA is used, a PKI domain can have only one key pair. If you configure a DSA or ECDSA key pair multiple times, the most recent configuration takes effect.

·     If RSA or SM2 is used, a PKI domain can have two key pairs of different purposes: one is the signing key pair, and the other is the encryption key pair.

If you configure an RSA signing key pair or RSA encryption key pair multiple times, the most recent configuration takes effect. The RSA signing key pair and encryption key pair do not overwrite each other. The same is true for SM2 key pairs.

The specified elliptic curve takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and curve before submitting a certificate request. The curve parameter is ignored if the specified key pair already exists or is already contained in an imported certificate.

Examples

# Specify 384-bit ECDSA key pair abc for certificate request in PKI domain aaa.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] public-key ecdsa name abc secp384r1

Related commands

pki import

public-key local create (see Security Command Reference)

public-key rsa

Use public-key rsa to specify an RSA key pair for certificate request.

Use undo public-key to restore the default.

Syntax

public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] }

undo public-key

Default

No key pair is specified for certificate request.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

encryption name encryption-key-name: Specifies an encryption key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

signature name signature-key-name: Specifies a signing key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

general name key-name: Specifies a general-purpose key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024. In FIPS mode, the value must be 2048. A longer key means higher security but more public key calculation time.

Usage guidelines

You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways:

·     Use the public-key local create command to generate a key pair.

·     An application, like IKE using digital signature authentication, triggers the device to generate a key pair.

·     Use the pki import command to import a certificate containing a key pair.

A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, RSA, or SM2).

·     If DSA or ECDSA is used, a PKI domain can have only one key pair. If you configure a DSA or ECDSA key pair multiple times, the most recent configuration takes effect.

·     If RSA or SM2 is used, a PKI domain can have two key pairs of different purposes: one is the signing key pair, and the other is the encryption key pair.

If you configure an RSA signing key pair or RSA encryption key pair multiple times, the most recent configuration takes effect. The RSA signing key pair and encryption key pair do not overwrite each other. The same is true for SM2 key pairs.

If you specify a signing key pair and an encryption key pair separately, their key lengths can be different.

The length key-length option takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and length before submitting a certificate request. The length key-length option is ignored if the specified key pair already exists or is already contained in an imported certificate.

Examples

# Specify 2048-bit general purpose RSA key pair abc for certificate request.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] public-key rsa general name abc length 2048

# Specify the following 2048-bit RSA key pairs for certificate request:

·     RSA encryption key pair rsa1.

·     RSA signing key pair sig1.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] public-key rsa encryption name rsa1 length 2048

[Sysname-pki-domain-aaa] public-key rsa signature name sig1 length 2048

Related commands

pki import

public-key local create

public-key sm2

Use public-key sm2 to specify an SM2 key pair for certificate request.

Use undo public-key to restore the default.

Syntax

public-key sm2 { { encryption name encryption-key-name | signature name signature-key-name } * | general name key-name }

undo public-key

Default

No key pair is specified for certificate request.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

encryption name encryption-key-name: Specifies an encryption key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

signature name signature-key-name: Specifies a signing key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

general name key-name: Specifies a general-purpose key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM /810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1                                                              Yes
MSR2600-10-X1                                                             No
MSR 2630                                                                  No
MSR3600-28/3600-51                                                        No
MSR3600-28-SI/3600-51-SI                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610 /3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                         Yes

Hardware                  Command compatibility
MSR810-LM-GL              Yes
MSR810-W-LM-GL            Yes
MSR830-6EI-GL             Yes
MSR830-10EI-GL            Yes
MSR830-6HI-GL             Yes
MSR830-10HI-GL            Yes
MSR2600-6-X1-GL           Yes
MSR3600-28-SI-GL          Yes

You can specify a nonexistent key pair in this command. You can get a key pair in any of the following ways:

·     Use the public-key local create command to generate a key pair.

·     An application, like IKE using digital signature authentication, triggers the device to generate a key pair.

A PKI domain can have key pairs using only one type of cryptographic algorithm (DSA, ECDSA, RSA, or SM2).

If you configure an SM2 key pair for a PKI domain multiple times, the most recent configuration takes effect.

A CA server that uses double certificate templates always issues both a signing certificate and an encryption certificate to a requesting applicant. When such a CA server is used, follow these guidelines when you specify SM2 key pairs for certificate request:

·     Specify different names for the encryption key pair and the signing key pair. If you specify the same name for the two key pairs, request of the signing certificate will fail.

·     If you do not specify an encryption key pair, the device will save the key pair in the issued encryption certificate with the PKI domain name. Do not use the PKI domain name as the name of the SM2 signing key pair.

If you configure this command for a PKI domain multiple times, the most recent configuration takes effect.

Examples

# Specify SM2 signing key pair sm21 and SM2 encryption key pair sm22 for certificate request.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] public-key sm2 signature name sm21 encryption name sm22

Related commands

pki import

public-key local create

root-certificate fingerprint

Use root-certificate fingerprint to set the fingerprint for verifying the root CA certificate.

Use undo root-certificate fingerprint to restore the default.

Syntax

In non-FIPS mode:

root-certificate fingerprint { md5 | sha1 } string

undo root-certificate fingerprint

In FIPS mode:

root-certificate fingerprint sha1 string

undo root-certificate fingerprint

Default

No fingerprint is set for verifying the root CA certificate.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

md5: Sets an MD5 fingerprint.

sha1: Sets an SHA1 fingerprint.

string: Sets the fingerprint in hexadecimal notation. If you specify the MD5 keyword, the fingerprint is a string of 32 characters. If you specify the SHA1 keyword, the fingerprint is a string of 40 characters.

Usage guidelines

If you set the certificate request mode to auto for a PKI domain that does not have a CA certificate, you must configure the fingerprint for CA certificate verification. When an application, like IKE, triggers the device to request local certificates, the device automatically performs the following operations:

1.     Obtains the CA certificate from the CA server.

2.     Verifies the fingerprint contained in the CA certificate with the one configured in the PKI domain.

If the two fingerprints do not match, or no fingerprint is configured in the PKI domain, the device rejects the CA certificate and the local certificate request fails.

The fingerprint configured by this command is also used for CA certificate verification when the device performs the following operations:

·     Imports the CA certificate as requested by the pki import command.

·     Obtains the CA certificate as requested by the pki retrieve-certificate command.

The device automatically verifies the fingerprint of the CA certificate to be imported or obtained against that configured in the PKI domain. If the two fingerprints do not match, the device rejects the CA certificate. If no fingerprint is configured in the PKI domain, the device prompts you to manually verify the fingerprint of the CA certificate to be imported or obtained.
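Before answering the "Is the finger print correct?" prompt shown in the pki import and pki retrieve-certificate examples, an operator should compare the displayed value with a fingerprint obtained out of band. The following Python, added here and not part of the H3C documentation, computes the MD5 and SHA1 fingerprints of a CA certificate as the device prints them (hash over the DER encoding, grouped in four hex digits), checks that the pasted PEM is complete, and normalizes both the prompt form and the 32- or 40-character root-certificate fingerprint form before comparing; the self-signed CN=ssl certificate from the pki import example above is reused as the input.

```python
import base64
import hashlib
import re

# Self-signed CA certificate (subject CN=ssl) quoted in the pki import example.
SAMPLE_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIB7DCCAVUCEG+jJTPxxiE67pl2ff0SnOMwDQYJKoZIhvcNAQEFBQAwNzELMAkG
A1UEBhMCY24xDDAKBgNVBAoTA2gzYzEMMAoGA1UECxMDc2VjMQwwCgYDVQQDEwNz
c2wwHhcNMDkwNzMxMDY0ODQ2WhcNMTIwNzI5MDYyODU4WjA3MQswCQYDVQQGEwJj
bjEMMAoGA1UEChMDaDNjMQwwCgYDVQQLEwNzZWMxDDAKBgNVBAMTA3NzbDCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAt8QSMetQ70GONiFh7iJkvGQ8nC15zCF1
cqC/RcJhE/88LkKyQcu9j+Tz8Bk9Qj2UPaZdrk8fOrgtBsa7lZ+UO3j3l30q84l+
HjWq8yxVLRQahU3gqJze6pGR2l0s76u6GRyCX/zizGrHKqYlNnxK44NyRZx2klQ2
tKQAfpXCPIkCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBWsaMgRbBMtYNrrYCMjY6g
c7PBjvajVOKNUMxaDalePmXfKCxl91+PKM7+i8I/zLcoQO+sHbva26a2/C4sNvoJ
2QZs6GtAOahP6CDqXC5VuNBU6eTKNKjL+mf6uuDeMxrlDNha0iymdrXXVIp5cuIu
fl7xgArs8Ks6aXDXM1o4DQ==
-----END CERTIFICATE-----
"""

# Hex-digit count that root-certificate fingerprint accepts for each algorithm.
HEX_LEN = {"md5": 32, "sha1": 40}


def der_total_length(der: bytes) -> int:
    """Length the outer SEQUENCE header claims, header included. Comparing it
    with the actual length catches a paste that lost lines before hashing."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short form
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return der


def fingerprint(der: bytes, algo: str) -> str:
    """Upper-case hex digest over the DER bytes: the 32- or 40-character form
    that root-certificate fingerprint takes."""
    if algo not in HEX_LEN:
        raise ValueError(f"unsupported algorithm: {algo}")
    return hashlib.new(algo, der).hexdigest().upper()


def device_format(hex_fp: str) -> str:
    """Render a fingerprint the way the device prompt prints it: groups of four."""
    return " ".join(hex_fp[i:i + 4] for i in range(0, len(hex_fp), 4))


def normalize(fp: str, algo: str) -> str:
    """Strip spaces and colons, upper-case, and reject a value of the wrong
    length or with non-hex characters, so a truncated value can never match."""
    clean = re.sub(r"[\s:]", "", fp).upper()
    if len(clean) != HEX_LEN[algo] or not re.fullmatch(r"[0-9A-F]+", clean):
        raise ValueError(f"{algo} fingerprint must be {HEX_LEN[algo]} hex digits")
    return clean


def fingerprint_matches(shown: str, trusted: str, algo: str) -> bool:
    """Compare the value the device shows with one obtained out of band."""
    return normalize(shown, algo) == normalize(trusted, algo)


def check_certificate(pem: str, trusted_sha1: str) -> dict:
    """Compute both fingerprints of a CA certificate in prompt format and report
    whether its SHA1 fingerprint equals the trusted value."""
    der = pem_to_der(pem)
    sha1_fp = fingerprint(der, "sha1")
    return {
        "md5": device_format(fingerprint(der, "md5")),
        "sha1": device_format(sha1_fp),
        "sha1_ok": fingerprint_matches(sha1_fp, trusted_sha1, "sha1"),
    }


if __name__ == "__main__":
    # Trusted value copied from the root-certificate fingerprint example; it
    # belongs to a different CA, so sha1_ok is expected to be False here.
    for key, value in check_certificate(
            SAMPLE_CA_PEM, "D1526110AAD7527FB093ED7FC037B0B3CDDDAD93").items():
        print(f"{key}: {value}")
```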

Examples

# Specify an MD5 fingerprint for verifying the root CA certificate. (This feature is supported only in non-FIPS mode.)

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Specify an SHA1 fingerprint for verifying the root CA certificate.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93

Related commands

certificate request mode

pki import

pki retrieve-certificate

rule

Use rule to create an access control rule.

Use undo rule to remove an access control rule.

Syntax

rule [ id ] { deny | permit } group-name

undo rule id

Default

No access control rules exist.

Views

Certificate-based access control policy view

Predefined user roles

network-admin

Parameters

id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest unused ID in this range.

deny: Denies the certificates that match the associated attribute group.

permit: Permits the certificates that match the associated attribute group.

group-name: Specifies a certificate attribute group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

When you create an access control rule, you can associate it with a nonexistent certificate attribute group.

The system determines that a certificate matches an access control rule when any of the following conditions exists:

·     The associated certificate attribute group does not exist.

·     The associated certificate attribute group does not contain any attribute rules.

·     The certificate matches all attribute rules in the associated certificate attribute group.

You can configure multiple access control rules for an access control policy. A certificate matches the rules one by one, starting with the rule with the smallest ID. When a match is found, the match process stops, and the system performs the access control action defined in the access control rule.
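The match conditions and first-match order above have a practical consequence worth checking in a policy: a rule whose attribute group was never created, or whose group has no attribute rules yet, matches every certificate, so its action applies to everything that earlier rules did not decide. The following Python model, added here and not H3C code, evaluates a policy under exactly those rules; the attribute-rule fields and operators (subject-name, ctn, and so on) are an assumed simplification of the attribute command, which is documented elsewhere, and the sample groups are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RULE_ID = 16  # rule IDs range from 1 to 16


@dataclass(frozen=True)
class AttributeRule:
    """One attribute rule inside a certificate attribute group. Field and
    operator names are an assumed simplification of the attribute command."""
    field_name: str   # e.g. "subject-name" or "issuer-name" (assumed)
    operator: str     # "ctn" (contains), "nctn", "equ" or "nequ" (assumed)
    value: str

    def matches(self, cert: Dict[str, str]) -> bool:
        actual = cert.get(self.field_name, "")
        if self.operator == "ctn":
            return self.value in actual
        if self.operator == "nctn":
            return self.value not in actual
        if self.operator == "equ":
            return self.value == actual
        if self.operator == "nequ":
            return self.value != actual
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class AccessRule:
    rule_id: int
    action: str       # "permit" or "deny"
    group_name: str


@dataclass
class AccessControlPolicy:
    name: str
    rules: Dict[int, AccessRule] = field(default_factory=dict)

    def add_rule(self, action: str, group_name: str, rule_id: Optional[int] = None) -> AccessRule:
        """rule [ id ] { deny | permit } group-name. Without an ID the smallest
        unused ID in 1..16 is assigned; the group may not exist yet."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            rule_id = next((i for i in range(1, MAX_RULE_ID + 1) if i not in self.rules), None)
            if rule_id is None:
                raise ValueError("all 16 rule IDs are in use")
        elif not 1 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule ID must be in the range 1 to 16")
        rule = AccessRule(rule_id, action, group_name)
        self.rules[rule_id] = rule
        return rule


def rule_matches(rule: AccessRule, groups: Dict[str, List[AttributeRule]],
                 cert: Dict[str, str]) -> bool:
    """A rule matches when its group does not exist, has no attribute rules,
    or when the certificate satisfies every attribute rule in the group."""
    group = groups.get(rule.group_name)
    if group is None or len(group) == 0:
        return True
    return all(attr.matches(cert) for attr in group)


def evaluate(policy: AccessControlPolicy, groups: Dict[str, List[AttributeRule]],
             cert: Dict[str, str]) -> Optional[str]:
    """Try rules from the smallest ID upward; the first match decides.
    Returns None when no rule matches (this page states no default for that case)."""
    for rule_id in sorted(policy.rules):
        rule = policy.rules[rule_id]
        if rule_matches(rule, groups, cert):
            return rule.action
    return None


def build_demo():
    """Policy mypolicy from the example plus a deny rule that points at a group
    that was never created. Because a missing group matches every certificate,
    that rule denies whatever rule 1 did not permit."""
    groups = {
        "mygroup": [AttributeRule("subject-name", "ctn", "OU=sec")],  # constructed
        "emptygroup": [],   # exists but has no attribute rules: matches everything
    }
    policy = AccessControlPolicy("mypolicy")
    policy.add_rule("permit", "mygroup", rule_id=1)
    policy.add_rule("deny", "nogroup")   # receives ID 2; group does not exist
    return policy, groups


if __name__ == "__main__":
    demo_policy, demo_groups = build_demo()
    for subject in ("/C=cn/O=ccc/OU=sec/CN=ssl", "/CN=sldsslserver"):
        print(subject, "->", evaluate(demo_policy, demo_groups, {"subject-name": subject}))
```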

Examples

# Create rule 1 to permit all certificates that match certificate attribute group mygroup.

<Sysname> system-view

[Sysname] pki certificate access-control-policy mypolicy

[Sysname-pki-cert-acp-mypolicy] rule 1 permit mygroup

Related commands

attribute

display pki certificate access-control-policy

pki certificate attribute-group

source

Use source to specify the source IP address for PKI protocol packets.

Use undo source to restore the default.

Syntax

source { ip | ipv6 } { ip-address | interface interface-type interface-number }

undo source

Default

The source IP address of PKI protocol packets is the IP address of their outgoing interface.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

ip: Specifies a source IPv4 address.

ipv6: Specifies a source IPv6 address.

ip-address: Specifies the IPv4 or IPv6 address.

interface interface-type interface-number: Specifies an interface by its type and number. The interface's primary IP address will be used as the source IP address for PKI protocol packets.

Usage guidelines

Use this command to specify the source IP address for PKI protocol packets. You can also specify a source interface if the IP address is dynamically obtained.

Make sure there is a route between the source IP address and the CA server.

You can specify only one source IP address in a PKI domain. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the source IP address to 111.1.1.8 for PKI protocol packets.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] source ip 111.1.1.8

# Set the source IPv6 address to 1::8 for PKI protocol packets.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] source ipv6 1::8

# Set the source interface to GigabitEthernet 1/0/1 for PKI protocol packets.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] source ip interface gigabitethernet 1/0/1

# Set the source IP address to the IPv6 address of GigabitEthernet 1/0/1 for PKI protocol packets.

<Sysname> system-view

[Sysname] pki domain 1

[Sysname-pki-domain-1] source ipv6 interface gigabitethernet 1/0/1

state

Use state to set the state or province name for a PKI entity.

Use undo state to restore the default.

Syntax

state state-name

undo state

Default

No state name or province name is set for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

state-name: Specifies a state or province by its name, a case-sensitive string of 1 to 63 characters. No comma can be included.

Examples

# Set the state name to countryA for PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] state countryA

subject-dn

Use subject-dn to configure the DN for a PKI entity.

Use undo subject-dn to restore the default.

Syntax

subject-dn dn-string

undo subject-dn

Default

No DN is configured for a PKI entity.

Views

PKI entity view

Predefined user roles

network-admin

Parameters

dn-string: Specifies the DN for the PKI entity, a case-insensitive string of 1 to 511 characters.

Usage guidelines

The subject DN string is a sequence of attribute=value pairs separated by commas. Each attribute can be specified multiple times with different values. Supported DN attributes are:

·     CN—Common-name.

·     C—Country code.

·     L—Locality.

·     O—Organization.

·     OU—Organization unit.

·     ST—State or province.

After this command is configured, the following commands do not take effect:

·     common-name

·     country

·     locality

·     organization

·     organization-unit

·     state

If you configure this command multiple times, the most recent configuration takes effect.
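The following Python model, added here and not part of the H3C reference, implements the matching logic described for the rule command (rule order, permit/deny, the three group-match conditions) and the subject-dn string format described above; the shape of an attribute rule as a required (attribute, value) pair is an assumption, since the attribute command is not covered on this page.

```python
"""Rule-matching logic described for the rule command (rule order, permit/deny,
attribute group matching) plus a parser for the subject-dn string. Added example,
not H3C code; an attribute rule as a required (attribute, value) pair is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SUPPORTED_DN_ATTRIBUTES = {"CN", "C", "L", "O", "OU", "ST"}
MAX_DN_LENGTH = 511   # dn-string: 1 to 511 characters
MAX_RULE_ID = 16      # rule id: 1 to 16


def parse_subject_dn(dn_string: str) -> List[Tuple[str, str]]:
    """Parse 'attr=value,attr=value' into an ordered (ATTR, value) list. Attributes
    may repeat (two OU values); names are upper-cased (case-insensitive string)."""
    if not 1 <= len(dn_string) <= MAX_DN_LENGTH:
        raise ValueError("dn-string must be 1 to 511 characters")
    pairs = []
    for component in dn_string.split(","):
        if "=" not in component:
            raise ValueError(f"malformed DN component: {component!r}")
        attribute, value = component.split("=", 1)
        attribute = attribute.strip().upper()
        if attribute not in SUPPORTED_DN_ATTRIBUTES:
            raise ValueError(f"unsupported DN attribute: {attribute}")
        pairs.append((attribute, value.strip()))
    return pairs


@dataclass
class AttributeRule:
    attribute: str   # assumed shape of one attribute rule in a group
    value: str

    def matches(self, subject: List[Tuple[str, str]]) -> bool:
        return (self.attribute.upper(), self.value) in subject


@dataclass
class AccessControlRule:
    rule_id: int
    action: str       # "permit" or "deny"
    group_name: str   # stored lower-case: group names are case-insensitive


@dataclass
class AccessControlPolicy:
    name: str
    rules: Dict[int, AccessControlRule] = field(default_factory=dict)
    groups: Dict[str, List[AttributeRule]] = field(default_factory=dict)

    def add_rule(self, action: str, group_name: str, rule_id: Optional[int] = None) -> int:
        """rule [ id ] { deny | permit } group-name: without an id the smallest
        unused id in 1..16 is taken, and the group need not exist yet."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule_id is None:
            rule_id = next(i for i in range(1, MAX_RULE_ID + 1) if i not in self.rules)
        if not 1 <= rule_id <= MAX_RULE_ID:
            raise ValueError("rule id must be 1 to 16")
        self.rules[rule_id] = AccessControlRule(rule_id, action, group_name.lower())
        return rule_id

    def rule_matches(self, rule: AccessControlRule, subject: List[Tuple[str, str]]) -> bool:
        """Group missing, group empty, or every attribute rule satisfied -> match."""
        group = self.groups.get(rule.group_name)
        if not group:          # None (nonexistent) and [] (empty) both match
            return True
        return all(attr_rule.matches(subject) for attr_rule in group)

    def evaluate(self, subject_dn: str) -> Optional[str]:
        """Smallest id first; first match decides. None: no rule matched (undefined on the page)."""
        subject = parse_subject_dn(subject_dn)
        for rule_id in sorted(self.rules):
            if self.rule_matches(self.rules[rule_id], subject):
                return self.rules[rule_id].action
        return None

    def audit(self) -> List[str]:
        """Defender's check: a permit rule whose group is missing or empty
        permits every certificate that reaches it."""
        findings = []
        for rule in sorted(self.rules.values(), key=lambda r: r.rule_id):
            if rule.action == "permit" and not self.groups.get(rule.group_name):
                findings.append(f"rule {rule.rule_id} permits all certificates: "
                                f"group '{rule.group_name}' is missing or empty")
        return findings


def build_example_policy() -> AccessControlPolicy:
    """Constructed sample: block one OU, permit the rest of organisation abc in
    country CN, then deny everything else via a rule whose group was never created."""
    policy = AccessControlPolicy("mypolicy")
    policy.groups["blocked"] = [AttributeRule("OU", "contractors")]
    policy.groups["mygroup"] = [AttributeRule("O", "abc"), AttributeRule("C", "CN")]
    policy.add_rule("deny", "blocked", 1)
    policy.add_rule("permit", "mygroup", 2)
    policy.add_rule("deny", "catchall")   # gets id 3; the group does not exist
    return policy
```

Note that the catch-all deny works only because a rule bound to a nonexistent group matches everything; the same behaviour on a permit rule is what audit() reports.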

Examples

# Configure the DN for PKI entity en.

<Sysname> system-view

[Sysname] pki entity en

[Sysname-pki-entity-en] subject-dn CN=test,C=CN,O=abc,OU=rdtest,OU=rstest,ST=countryA,L=pukras

Related commands

common-name

country

locality

organization

organization-unit

state

usage

Use usage to specify the extensions for certificates.

Use undo usage to remove certificate extensions.

Syntax

usage { ike | ssl-client | ssl-server } *

undo usage [ ike | ssl-client | ssl-server ] *

Default

No certificate extensions are specified. A certificate can be used for IKE, SSL clients, and SSL servers.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

ike: Specifies the IKE certificate extension so IKE peers can use the certificates.

ssl-client: Specifies the SSL client certificate extension so the SSL client can use the certificates.

ssl-server: Specifies the SSL server certificate extension so the SSL server can use the certificates.

Usage guidelines

If you do not specify any keywords for the undo usage command, this command removes all certificate extensions.

The extension options contained in a certificate depend on the CA policy, and might be different from those specified in the PKI domain.

Examples

# Specify the SSL client extension.

<Sysname> system-view

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] usage ssl-client

vpn-instance

Use vpn-instance to specify the VPN instance where the certificate request reception authority and the CRL repository belong.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

The certificate request reception authority and the CRL repository belong to the public network.

Views

PKI domain view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Examples

# Specify vpn1 as the VPN instance where the certificate request reception authority and the CRL repository belong.

<Sysname> system-view  

[Sysname] pki domain aaa

[Sysname-pki-domain-aaa] vpn-instance vpn1

 


IPsec commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

ah authentication-algorithm

Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.

Use undo ah authentication-algorithm to restore the default.

Syntax

In non-FIPS mode:

ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo ah authentication-algorithm

In FIPS mode:

ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *

undo ah authentication-algorithm

Default

AH does not use any authentication algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Uses the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Uses the HMAC-MD5-96 algorithm, which uses a 128-bit key.

sha1: Uses the HMAC-SHA1-96 algorithm, which uses a 160-bit key.

sha256: Uses the HMAC-SHA256 algorithm, which uses a 256-bit key.

sha384: Uses the HMAC-SHA384 algorithm, which uses a 384-bit key.

sha512: Uses the HMAC-SHA512 algorithm, which uses a 512-bit key.

sm3: Uses the HMAC-SM3-96 algorithm, which uses a 256-bit key.

The following matrix shows the sm3 keyword and hardware compatibility:

Hardware | Keyword compatibility
-------- | ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-6-X1 | Yes
MSR2600-10-X1 | No
MSR 2630 | No
MSR3600-28/3600-51 | No
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Keyword compatibility
-------- | ---------------------
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

Usage guidelines

In non-FIPS mode, you can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

For a manual or IKEv1-based IPsec policy, the first specified AH authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first AH authentication algorithm.
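The following Python checker, added here and not H3C code, applies the constraints stated for this command to a transform set's algorithm list: the keyword sets for FIPS and non-FIPS mode, the IKEv2-only aes-xcbc-mac keyword, first-listed priority, and the requirement that both ends of a manual or IKEv1 tunnel share the same first algorithm; the IKEv2 compatibility rule it uses is an assumption, as the page does not state one.

```python
"""Validation of 'ah authentication-algorithm' keyword lists against the rules
stated in this reference: per-mode keyword sets, IKEv2-only aes-xcbc-mac,
first-listed priority and first-algorithm agreement at both tunnel ends.
Added example, not H3C code; the IKEv2 branch of ends_compatible is an assumption."""
from typing import List

NON_FIPS_AH = ["aes-xcbc-mac", "md5", "sha1", "sha256", "sha384", "sha512", "sm3"]
FIPS_AH = ["sha1", "sha256", "sha384", "sha512"]

# MAC and key length (bits) for each keyword, as listed under Parameters.
AH_ALGORITHM_INFO = {
    "aes-xcbc-mac": ("HMAC-AES-XCBC-96", 128),
    "md5": ("HMAC-MD5-96", 128),
    "sha1": ("HMAC-SHA1-96", 160),
    "sha256": ("HMAC-SHA256", 256),
    "sha384": ("HMAC-SHA384", 384),
    "sha512": ("HMAC-SHA512", 512),
    "sm3": ("HMAC-SM3-96", 256),
}


def parse_ah_command(line: str) -> List[str]:
    """Parse 'ah authentication-algorithm <kw> [<kw> ...]' into its ordered
    keyword list. Order matters: the earlier keyword has the higher priority."""
    tokens = line.split()
    if tokens[:2] != ["ah", "authentication-algorithm"] or len(tokens) < 3:
        raise ValueError(f"not an ah authentication-algorithm command: {line!r}")
    keywords = tokens[2:]
    if len(set(keywords)) != len(keywords):
        raise ValueError("duplicate algorithm keyword")
    return keywords


def validate_ah_algorithms(keywords: List[str], fips_mode: bool,
                           negotiation: str) -> List[str]:
    """Return the problems that make the list invalid in the given mode; an
    empty list means it is accepted. negotiation: 'manual', 'ikev1' or 'ikev2'."""
    allowed = FIPS_AH if fips_mode else NON_FIPS_AH
    mode = "FIPS" if fips_mode else "non-FIPS"
    problems = []
    for kw in keywords:
        if kw not in AH_ALGORITHM_INFO:
            problems.append(f"{kw}: unknown keyword")
        elif kw not in allowed:
            problems.append(f"{kw}: not available in {mode} mode")
    if "aes-xcbc-mac" in keywords and negotiation != "ikev2":
        problems.append("aes-xcbc-mac: available only for IKEv2")
    return problems


def effective_algorithms(keywords: List[str], negotiation: str) -> List[str]:
    """For a manual or IKEv1-based policy only the first keyword takes effect;
    for IKEv2 the whole list is kept in priority order."""
    if negotiation in ("manual", "ikev1"):
        return keywords[:1]
    return list(keywords)


def ends_compatible(local: List[str], remote: List[str], negotiation: str) -> bool:
    """Manual/IKEv1: the first AH algorithm must be identical at both ends.
    IKEv2 (assumption, not stated on the page): any common algorithm suffices."""
    if negotiation in ("manual", "ikev1"):
        return local[0] == remote[0]
    return bool(set(local) & set(remote))


def non_fips_only_algorithms(keywords: List[str]) -> List[str]:
    """Keywords the device accepts in non-FIPS mode only; worth reporting
    during a configuration review even on a device not running FIPS mode."""
    return [kw for kw in keywords if kw in AH_ALGORITHM_INFO and kw not in FIPS_AH]
```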

Examples

# Specify the AH authentication algorithm HMAC-SHA1 for the IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1

description

Use description to configure a description for an IPsec policy, IPsec policy template, or IPsec profile.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 80 characters.

Usage guidelines

You can configure different descriptions for IPsec policies, IPsec policy templates, or IPsec profiles to distinguish them.

Examples

# Configure the description for IPsec policy 1 as CenterToA.

<Sysname> system-view

[Sysname] ipsec policy policy1 1 isakmp

[Sysname-ipsec-policy-isakmp-policy1-1] description CenterToA

display ipsec { ipv6-policy | policy }

Use display ipsec { ipv6-policy | policy } to display information about IPsec policies.

Syntax

display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-policy: Displays information about IPv6 IPsec policies.

policy: Displays information about IPv4 IPsec policies.

policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPsec policies.

If you specify an IPsec policy name and a sequence number, this command displays information about the specified IPsec policy entry. If you specify an IPsec policy name without any sequence number, this command displays information about all IPsec policy entries with the specified name.

Examples

# Display information about all IPv4 IPsec policies.

<Sysname> display ipsec policy

-------------------------------------------

IPsec Policy: mypolicy

-------------------------------------------

  -----------------------------

  Sequence number: 1

  Mode: Manual

  -----------------------------

  The policy configuration is incomplete:

           ACL not specified

           Incomplete transform-set configuration

  Description: This is my first IPv4 manual policy

  Security data flow:

  Remote address: 2.5.2.1

  Transform set: transform

  Inbound AH setting:

    AH SPI: 1200 (0x000004b0)

    AH string-key: ******

    AH authentication hex key:

  Inbound ESP setting:

    ESP SPI: 1400 (0x00000578)

    ESP string-key:

    ESP encryption hex key:

    ESP authentication hex key:

  Outbound AH setting:

    AH SPI: 1300 (0x00000514)

    AH string-key: ******

    AH authentication hex key:

  Outbound ESP setting:

    ESP SPI: 1500 (0x000005dc)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

  -----------------------------

  Sequence number: 2

  Mode: ISAKMP

  -----------------------------

  The policy configuration is incomplete:

           Remote-address not set

           ACL not specified

           Transform-set not set

  Description: This is my first IPv4 Isakmp policy

  Traffic Flow Confidentiality: Enabled

  Security data flow:

  Selector mode: standard

  Local address:

  Remote address:

  Transform set:

  IKE profile:

  IKEv2 profile:

  smart-link policy:

  SA trigger mode: Auto

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): 1000 seconds

  SA soft-duration buffer(traffic based): 43200 kilobytes

  SA idle time: 100 seconds

-------------------------------------------

IPsec Policy: mycompletepolicy

Interface: LoopBack2

-------------------------------------------

  -----------------------------

  Sequence number: 1

  Mode: Manual

  -----------------------------

  Description: This is my complete policy

  Security data flow: 3100

  Remote address: 2.2.2.2

  Transform set: completetransform

  Inbound AH setting:

    AH SPI: 5000 (0x00001388)

    AH string-key: ******

    AH authentication hex key:

  Inbound ESP setting:

    ESP SPI: 7000 (0x00001b58)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

  Outbound AH setting:

    AH SPI: 6000 (0x00001770)

    AH string-key: ******

    AH authentication hex key:

  Outbound ESP setting:

    ESP SPI: 8000 (0x00001f40)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

  -----------------------------

  Sequence number: 2

  Mode: ISAKMP

  -----------------------------

  Description: This is my complete policy

  Traffic Flow Confidentiality: Enabled

  Security data flow: 3200

  Selector mode: standard

  Local address:

  Remote address: 5.3.6.9

  Transform set:  completetransform

  IKE profile:

  IKEv2 profile:

  smart-link policy:

  SA trigger mode: Auto

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): 1000 seconds

  SA soft-duration buffer(traffic based): 43200 kilobytes

  SA idle time: 100 seconds

# Display information about all IPv6 IPsec policies.

<Sysname> display ipsec ipv6-policy

-------------------------------------------

IPsec Policy: mypolicy

-------------------------------------------

  -----------------------------

  Sequence number: 1

  Mode: Manual

  -----------------------------

  Description: This is my first IPv6 policy

  Security data flow: 3600

  Remote address: 1000::2

  Transform set: mytransform

  Inbound AH setting:

    AH SPI: 1235 (0x000004d3)

    AH string-key: ******

    AH authentication hex key:

  Inbound ESP setting:

    ESP SPI: 1236 (0x000004d4)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

  Outbound AH setting:

    AH SPI: 1237 (0x000004d5)

    AH string-key: ******

    AH authentication hex key:

  Outbound ESP setting:

    ESP SPI: 1238 (0x000004d6)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

  -----------------------------

  Sequence number: 2

  Mode: ISAKMP

  -----------------------------

  Description: This is my complete policy

  Traffic Flow Confidentiality: Enabled

  Security data flow: 3200

  Selector mode: standard

  Local address:

  Remote address: 1000::2

  Transform set:  completetransform

  IKE profile:

  IKEv2 profile:

  smart-link policy:

  SA trigger mode: Auto

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): 1000 seconds

  SA soft-duration buffer(traffic based): 43200 kilobytes

  SA idle time: 100 seconds

Table 80 Command output

Field

Description

IPsec Policy

IPsec policy name.

Interface

Interface applied with the IPsec policy.

Sequence number

Sequence number of the IPsec policy entry.

Mode

Negotiation mode of the IPsec policy:

·     Manual—Manual mode.

·     ISAKMP—IKE negotiation mode.

·     Template—IPsec policy template mode.

·     GDOI—GDOI mode.

The policy configuration is incomplete

IPsec policy configuration incomplete. Possible causes include:

·     The ACL is not configured.

·     The IPsec transform set is not configured.

·     The ACL does not have any permit statements.

·     The IPsec transform set configuration is not complete.

·     The peer IP address of the IPsec tunnel is not specified.

·     The SPI and key of the IPsec SA do not match those in the IPsec policy.

Description

Description of the IPsec policy.

Traffic Flow Confidentiality

Whether Traffic Flow Confidentiality (TFC) padding is enabled.

Security data flow

ACL used by the IPsec policy.

Selector mode

Data flow protection mode of the IPsec policy:

·     standard

·     aggregation

·     per-host

Local address

Local end IP address of the IPsec tunnel (available only for the IKE-based IPsec policy).

Remote address

Remote end IP address or host name of the IPsec tunnel.

Transform set

Transform set used by the IPsec policy.

IKE profile

IKE profile used by the IPsec policy.

IKEv2 profile

IKEv2 profile used by the IPsec policy.

smart-link policy

Smart link policy used by the IPsec policy.

This field is not supported in the current software version.

SA trigger mode

IPsec SA negotiation triggering mode:

·     Auto—Triggers SA negotiation when required IPsec configuration is complete.

·     Traffic-based—Triggers SA negotiation when traffic requires IPsec protection.

SA duration(time based)

Time-based IPsec SA lifetime, in seconds.

SA duration(traffic based)

Traffic-based IPsec SA lifetime, in kilobytes.

SA soft-duration buffer(time based)

Time-based IPsec SA soft lifetime buffer, in seconds.

If the time-based IPsec SA soft lifetime buffer is not configured, this field displays two consecutive hyphens (--).

SA soft-duration buffer(traffic based)

Traffic-based IPsec SA soft lifetime buffer, in kilobytes.

If the traffic-based IPsec SA soft lifetime buffer is not configured, this field displays two consecutive hyphens (--).

SA idle time

Idle timeout of the IPsec SA, in seconds.

If the IPsec SA idle timeout is not configured, this field displays two consecutive hyphens (--).

AH string-key

AH string key. This field displays ****** if the key is configured and it is empty if the key is not configured.

AH authentication hex key

AH authentication hexadecimal key. This field displays ****** if the key is configured and it is empty if the key is not configured.

ESP string-key

ESP string key. This field displays ****** if the key is configured and it is empty if the key is not configured.

ESP encryption hex key

ESP encryption hexadecimal key. This field displays ****** if the key is configured and it is empty if the key is not configured.

ESP authentication hex key

ESP authentication hexadecimal key. This field displays ****** if the key is configured and it is empty if the key is not configured.

Group name

GDOI GM group used by the IPsec policy.

This field is displayed when the negotiation mode is GDOI.

 

Related commands

ipsec { ipv6-policy | policy }

display ipsec { ipv6-policy-template | policy-template }

Use display ipsec { ipv6-policy-template | policy-template } to display information about IPsec policy templates.

Syntax

display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-policy-template: Displays information about IPv6 IPsec policy templates.

policy-template: Displays information about IPv4 IPsec policy templates.

template-name: Specifies an IPsec policy template by its name, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies an IPsec policy template entry by its sequence number in the range of 1 to 65535.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPsec policy templates.

If you specify an IPsec policy template name and a sequence number, this command displays information about the specified IPsec policy template entry. If you specify an IPsec policy template name without any sequence number, this command displays information about all IPsec policy template entries with the specified name.

Examples

# Display information about all IPv4 IPsec policy templates.

<Sysname> display ipsec policy-template

-----------------------------------------------

IPsec Policy Template: template

-----------------------------------------------

 

  ---------------------------------

  Sequence number: 1

  ---------------------------------

Description: This is policy template

Traffic Flow Confidentiality: Disabled

Security data flow :

Selector mode: standard

Local address:

IKE profile:

IKEv2 profile:

Remote address: 162.105.10.2

Transform set:  testprop

IPsec SA local duration(time based): 3600 seconds

IPsec SA local duration(traffic based): 1843200 kilobytes

SA idle time: 100 seconds

# Display information about all IPv6 IPsec policy templates.

<Sysname> display ipsec ipv6-policy-template

-----------------------------------------------

IPsec Policy Template: template6

-----------------------------------------------

 

  ---------------------------------

  Sequence number: 1

  ---------------------------------

Description: This is policy template

Traffic Flow Confidentiality: Disabled

Security data flow :

Selector mode: standard

Local address:

IKE profile:

IKEv2 profile:

Remote address: 200::1

Transform set: testprop

IPsec SA local duration(time based): 3600 seconds

IPsec SA local duration(traffic based): 1843200 kilobytes

SA idle time: 100 seconds

Table 81 Command output

Field

Description

IPsec Policy Template

IPsec policy template name.

Sequence number

Sequence number of the IPsec policy template entry.

Description

Description of the IPsec policy template.

Traffic Flow Confidentiality

Whether Traffic Flow Confidentiality (TFC) padding is enabled.

Security data flow

ACL used by the IPsec policy template.

Selector mode

Data flow protection mode of the IPsec policy template:

·     standard

·     aggregation

·     per-host

Local address

Local end IP address of the IPsec tunnel.

IKE profile

IKE profile used by the IPsec policy template.

IKEv2 profile

IKEv2 profile used by the IPsec policy template.

Remote address

Remote end IP address of the IPsec tunnel.

Transform set

Transform set used by the IPsec policy template.

IPsec SA local duration(time based)

Time-based IPsec SA lifetime, in seconds.

IPsec SA local duration(traffic based)

Traffic-based IPsec SA lifetime, in kilobytes.

SA idle time

Idle timeout of the IPsec SA, in seconds.

If the IPsec SA idle timeout is not configured, this field displays two consecutive hyphens (--).

 

Related commands

ipsec { ipv6-policy | policy } isakmp template

display ipsec profile

Use display ipsec profile to display information about IPsec profiles.

Syntax

display ipsec profile [ profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPsec profiles.

Examples

# Display information about all IPsec profiles.

<Sysname> display ipsec profile

-------------------------------------------

IPsec profile: myprofile

Mode: isakmp

-------------------------------------------

  Transform set:  tran1

  IKE profile: profile

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): 1000 seconds

  SA soft-duration buffer(traffic based): 43200 kilobytes

  SA idle time: 100 seconds

-----------------------------------------------

IPsec profile: profile

Mode: manual

-----------------------------------------------

  Transform set: prop1

  Inbound AH setting:

    AH SPI: 12345 (0x00003039)

    AH string-key:

    AH authentication hex key: ******

  Inbound ESP setting:

    ESP SPI: 23456 (0x00005ba0)

    ESP string-key:

    ESP encryption hex-key: ******

    ESP authentication hex-key: ******

  Outbound AH setting:

    AH SPI: 12345 (0x00003039)

    AH string-key:

    AH authentication hex key: ******

  Outbound ESP setting:

    ESP SPI: 23456 (0x00005ba0)

    ESP string-key:

    ESP encryption hex key: ******

    ESP authentication hex key: ******

Table 82 Command output

Field

Description

IPsec profile

IPsec profile name.

Mode

Negotiation mode used by the IPsec profile, manual or IKE.

Description

Description of the IPsec profile.

Transform set

IPsec transform set used by the IPsec profile.

IKE profile

IKE profile used by the IPsec profile.

SA duration(time based)

Time-based IPsec SA lifetime, in seconds.

SA duration(traffic based)

Traffic-based IPsec SA lifetime, in kilobytes.

SA soft-duration buffer(time based)

Time-based IPsec SA soft lifetime buffer, in seconds.

If the time-based IPsec SA soft lifetime buffer is not configured, this field displays two consecutive hyphens (--).

SA soft-duration buffer(traffic based)

Traffic-based IPsec SA soft lifetime buffer, in kilobytes.

If the traffic-based IPsec SA soft lifetime buffer is not configured, this field displays two consecutive hyphens (--).

SA idle time

IPsec SA idle timeout, in seconds.

If the IPsec SA idle timeout is not configured, this field displays two consecutive hyphens (--).

 

Related commands

ipsec profile

display ipsec sa

Use display ipsec sa to display information about IPsec SAs.

Syntax

display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about all IPsec SAs.

count: Displays the number of IPsec SAs.

interface interface-type interface-number: Specifies an interface by its type and number.

ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy.

policy: Displays detailed information about IPsec SAs created by using a specified IPv4 IPsec policy.

policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies an IPsec policy entry by its sequence number. The value range is 1 to 65535.

profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.

profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.

remote ip-address: Specifies an IPsec SA by its remote end IP address.

ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the specified remote end IP address is an IPv4 address.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all IPsec SAs.

Examples

# Display brief information about IPsec SAs.

<Sysname> display ipsec sa brief

-----------------------------------------------------------------------

Interface/Global   Dst Address      SPI         Protocol  Status

-----------------------------------------------------------------------

GE1/0/1            10.1.1.1         400         ESP       Active

GE1/0/1            255.255.255.255  4294967295  ESP       Active

GE1/0/1            100::1/64        500         AH        Active

Global             --               600         ESP       Active

Table 83 Command output

Field

Description

Interface/Global

Interface to which the IPsec SA belongs, or Global for a global IPsec SA (created by using an IPsec profile).

Dst Address

Remote end IP address of the IPsec tunnel.

For the IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).

SPI

IPsec SA SPI.

Protocol

Security protocol used by IPsec.

Status

Status of the IPsec SA: Active or Standby.

In a VSRP scenario, this field displays either Active or Standby.

In standalone mode, this field always displays Active.

 

# Display the number of IPsec SAs.

<Sysname> display ipsec sa count

Total IPsec SAs count: 4

# Display detailed information about all IPsec SAs.

<Sysname> display ipsec sa

-------------------------------

Interface: GigabitEthernet1/0/1

-------------------------------

  -----------------------------

  IPsec policy: r2

  Sequence number: 1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 3

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN:

    Extended Sequence Numbers enable: Y

    Traffic Flow Confidentiality enable: N

    Path MTU: 1443

    Tunnel:

        local  address: 2.2.2.2

        remote address: 1.1.1.2

    Flow:

        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]

      SPI: 3564837569 (0xd47b1ac1)

      Connection ID 90194313219

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 4294967295/604800

      SA remaining duration (kilobytes/sec): 1843200/2686

      Max received sequence-number: 5

      Anti-replay check enable: Y

      Anti-replay window size: 32

      UDP encapsulation used for NAT traversal: N

      Status: Active

    [Outbound ESP SAs]

      SPI: 801701189 (0x2fc8fd45)

      Connection ID 64424509441

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 4294967295/604800

      SA remaining duration (kilobytes/sec): 1843200/2686

      Max sent sequence-number: 6

      UDP encapsulation used for NAT traversal: N

      Status: Active

-------------------------------

Global IPsec SA

-------------------------------

  -----------------------------

  IPsec profile: profile

  Mode: Manual

  -----------------------------

    Encapsulation mode: transport

    [Inbound AH SA]

      SPI: 1234563 (0x0012d683)

      Connection ID 64426789452

      Transform set: AH-SHA1

      No duration limit for this SA

    [Outbound AH SA]

      SPI: 1234563 (0x002d683)

      Connection ID 64428999468

      Transform set: AH-SHA1

      No duration limit for this SA

Table 84 Command output

Field

Description

Interface

Interface to which the IPsec SA belongs.

IPsec policy

Name of the IPsec policy.

IPsec profile

Name of the IPsec profile.

Sequence number

Sequence number of the IPsec policy entry.

Mode

Negotiation mode used by the IPsec policy:

·     Manual

·     ISAKMP

·     Template

·     GDOI

Tunnel id

IPsec tunnel ID.

Encapsulation mode

Encapsulation mode, transport or tunnel.

Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation:

·     768-bit Diffie-Hellman group (dh-group1)

·     1024-bit Diffie-Hellman group (dh-group2)

·     1536-bit Diffie-Hellman group (dh-group5)

·     2048-bit Diffie-Hellman group (dh-group14)

·     2048-bit Diffie-Hellman group with 256-bit subgroup (dh-group24)

·     256-bit ECP Diffie-Hellman group (dh-group19)

·     384-bit ECP Diffie-Hellman group (dh-group20)

Extended Sequence Numbers enable

Whether Extended Sequence Number (ESN) is enabled.

Traffic Flow Confidentiality enable

Whether Traffic Flow Confidentiality (TFC) padding is enabled.

Inside VPN

VPN instance to which the protected data flow belongs.

Path MTU

Path MTU of the IPsec SA.

Tunnel

Local and remote addresses of the IPsec tunnel.

This field is not displayed if the negotiation mode is GDOI.

local address

Local end IP address of the IPsec tunnel.

remote address

Remote end IP address of the IPsec tunnel.

Flow

Information about the data flow protected by the IPsec tunnel.

sour addr

Source IP address of the data flow.

dest addr

Destination IP address of the data flow.

port

Port number.

protocol

Protocol type:

·     ip—IPv4.

·     ipv6—IPv6.

Current outbound SPI

SPI that the outbound IPsec SA currently uses.

This field is displayed when the negotiation mode is GDOI.

SPI

SPI of the IPsec SA.

Connection ID

Identifier of the IPsec SA.

Transform set

Security protocol and algorithms used by the IPsec transform set.

SA duration (kilobytes/sec)

IPsec SA lifetime, in kilobytes and in seconds.

SA remaining duration (kilobytes/sec)

Remaining IPsec SA lifetime, in kilobytes and in seconds.

Max received sequence-number

Max sequence number in the received packets.

Max sent sequence-number

Max sequence number in the sent packets.

Anti-replay check enable

Whether anti-replay checking is enabled.

UDP encapsulation used for NAT traversal

Whether NAT traversal is used by the IPsec SA.

Status

Status of the IPsec SA: Active or Standby.

In a VSRP scenario, this field displays either Active or Standby.

In standalone mode, this field always displays Active.

No duration limit for this SA

Manual IPsec SAs do not have a lifetime.

 

Related commands

ipsec sa global-duration

reset ipsec sa

display ipsec statistics

Use display ipsec statistics to display IPsec packet statistics.

Syntax

display ipsec statistics [ tunnel-id tunnel-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.

Usage guidelines

If you do not specify any parameters, this command displays statistics for all IPsec packets.

Examples

# Display statistics for all IPsec packets.

<Sysname> display ipsec statistics

  IPsec packet statistics:

    Received/sent packets: 47/64

    Received/sent bytes: 3948/5208

    Dropped packets (received/sent): 0/45

 

    Dropped packets statistics

      No available SA: 0

      Wrong SA: 0

      Invalid length: 0

      Authentication failure: 0

      Encapsulation failure: 0

      Decapsulation failure: 0

      Replayed packets: 0

      ACL check failure: 45

      MTU check failure: 0

      Loopback limit exceeded: 0

      Crypto speed limit exceeded: 0

# Display statistics for the packets of IPsec tunnel 1.

<Sysname> display ipsec statistics tunnel-id 1

  IPsec packet statistics:

    Received/sent packets: 5124/8231

    Received/sent bytes: 52348/64356

    Dropped packets (received/sent): 0/0

 

    Dropped packets statistics

      No available SA: 0

      Wrong SA: 0

      Invalid length: 0

      Authentication failure: 0

      Encapsulation failure: 0

      Decapsulation failure: 0

      Replayed packets: 0

      ACL check failure: 0

      MTU check failure: 0

      Loopback limit exceeded: 0

      Crypto speed limit exceeded: 0

Table 85 Command output

Field

Description

Received/sent packets

Number of received/sent IPsec-protected packets.

Received/sent bytes

Number of bytes of received/sent IPsec-protected packets.

Dropped packets (received/sent)

Number of dropped IPsec-protected packets (received/sent).

No available SA

Number of packets dropped due to lack of available IPsec SA.

Wrong SA

Number of packets dropped due to wrong IPsec SA.

Invalid length

Number of packets dropped due to invalid packet length.

Authentication failure

Number of packets dropped due to authentication failure.

Encapsulation failure

Number of packets dropped due to encapsulation failure.

Decapsulation failure

Number of packets dropped due to decapsulation failure.

Replayed packets

Number of dropped replayed packets.

ACL check failure

Number of packets dropped due to ACL check failure.

MTU check failure

Number of packets dropped due to MTU check failure.

Loopback limit exceeded

Number of packets dropped due to loopback limit exceeded.

Crypto speed limit exceeded

Number of packets dropped due to crypto speed limit exceeded.
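As an added example (not part of the H3C reference), the following Python parses the output format shown above and compares two polls, so that a monitoring job can alert on integrity or replay drops while keeping policy drops such as ACL check failures in a separate bucket. The sample text and the severity grouping of the Table 85 reasons are this example's own.

```python
"""Parse `display ipsec statistics` output and triage its drop counters.

Added example, not part of the H3C reference; the sample output below is
constructed to match the format shown above. The counters are cumulative
until `reset ipsec statistics` runs, so a baseline snapshot is used to
report only the counters that grew between two polls.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
  IPsec packet statistics:
    Received/sent packets: 47/64
    Received/sent bytes: 3948/5208
    Dropped packets (received/sent): 0/45

    Dropped packets statistics
      No available SA: 0
      Wrong SA: 0
      Invalid length: 0
      Authentication failure: 0
      Encapsulation failure: 0
      Decapsulation failure: 0
      Replayed packets: 0
      ACL check failure: 45
      MTU check failure: 0
      Loopback limit exceeded: 0
      Crypto speed limit exceeded: 0
"""

# A later poll (constructed): integrity and replay drops have appeared.
SAMPLE_OUTPUT_LATER = SAMPLE_OUTPUT.replace(
    "Authentication failure: 0", "Authentication failure: 12"
).replace("Replayed packets: 0", "Replayed packets: 3")

_PAIR_KEYS = {
    "Received/sent packets": ("rx_packets", "tx_packets"),
    "Received/sent bytes": ("rx_bytes", "tx_bytes"),
    "Dropped packets (received/sent)": ("rx_dropped", "tx_dropped"),
}
_PAIR_RE = re.compile(r"^\s*(.+?):\s*(\d+)/(\d+)\s*$")
_REASON_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(\d+)\s*$")

# How this example reads each drop reason of Table 85: integrity and replay
# drops need a look from security, the rest point at policy or capacity.
SEVERITY = {
    "Authentication failure": "security",
    "Replayed packets": "security",
    "Wrong SA": "security",
    "Invalid length": "security",
    "Decapsulation failure": "security",
    "No available SA": "config",
    "ACL check failure": "config",
    "MTU check failure": "config",
    "Encapsulation failure": "config",
    "Loopback limit exceeded": "capacity",
    "Crypto speed limit exceeded": "capacity",
}
_ORDER = ("security", "config", "capacity", "unknown")


def parse_ipsec_statistics(text: str) -> Dict:
    """Return the totals plus a 'drops' dict keyed by drop reason."""
    stats: Dict = {"drops": {}}
    for line in text.splitlines():
        pair = _PAIR_RE.match(line)
        if pair and pair.group(1) in _PAIR_KEYS:
            rx_key, tx_key = _PAIR_KEYS[pair.group(1)]
            stats[rx_key] = int(pair.group(2))
            stats[tx_key] = int(pair.group(3))
            continue
        reason = _REASON_RE.match(line)
        if reason:  # one "<reason>: <count>" line of the drop breakdown
            stats["drops"][reason.group(1).strip()] = int(reason.group(2))
    return stats


def triage_drops(current: Dict, baseline: Optional[Dict] = None) -> List[Tuple[str, str, int]]:
    """List (severity, reason, delta) for each counter that grew since baseline."""
    base = baseline["drops"] if baseline else {}
    findings = []
    for reason, count in current["drops"].items():
        delta = count - base.get(reason, 0)
        if delta > 0:
            findings.append((SEVERITY.get(reason, "unknown"), reason, delta))
    findings.sort(key=lambda f: _ORDER.index(f[0]))  # security findings first
    return findings


if __name__ == "__main__":
    first = parse_ipsec_statistics(SAMPLE_OUTPUT)
    later = parse_ipsec_statistics(SAMPLE_OUTPUT_LATER)
    for severity, reason, delta in triage_drops(later, first):
        print(f"[{severity}] {reason}: +{delta} since last poll")
```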

 

Related commands

reset ipsec statistics

display ipsec transform-set

Use display ipsec transform-set to display information about IPsec transform sets.

Syntax

display ipsec transform-set [ transform-set-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.

Examples

# Display information about all IPsec transform sets.

<Sysname> display ipsec transform-set

IPsec transform set: mytransform

  State: incomplete

  Encapsulation mode: tunnel

  ESN: Enabled

  PFS:

  Transform: ESP

 

IPsec transform set: completeTransform

  State: complete

  Encapsulation mode: transport

  ESN: Enabled

  PFS:

  Transform: AH-ESP

  AH protocol:

    Integrity: SHA1

  ESP protocol:

    Integrity: SHA1

    Encryption: AES-CBC-128

Table 86 Command output

Field

Description

IPsec transform set

Name of the IPsec transform set.

State

Whether the IPsec transform set is complete.

Encapsulation mode

Encapsulation mode used by the IPsec transform set: transport or tunnel.

ESN

Whether Extended Sequence Number (ESN) is enabled.

PFS

Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation:

·     768-bit Diffie-Hellman group (dh-group1)

·     1024-bit Diffie-Hellman group (dh-group2)

·     1536-bit Diffie-Hellman group (dh-group5)

·     2048-bit Diffie-Hellman group (dh-group14)

·     2048-bit Diffie-Hellman group with a 256-bit subgroup (dh-group24)

·     256-bit ECP Diffie-Hellman group (dh-group19)

·     384-bit ECP Diffie-Hellman group (dh-group20)

Transform

Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH.

AH protocol

AH settings.

ESP protocol

ESP settings.

Integrity

Authentication algorithm used by the security protocol.

Encryption

Encryption algorithm used by the security protocol.

 

Related commands

ipsec transform-set

display ipsec tunnel

Use display ipsec tunnel to display information about IPsec tunnels.

Syntax

display ipsec tunnel { brief | count | tunnel-id tunnel-id }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about IPsec tunnels.

count: Displays the number of IPsec tunnels.

tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295.

Usage guidelines

IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.

Examples

# Display brief information about all IPsec tunnels.

<Sysname> display ipsec tunnel brief

----------------------------------------------------------------------------

Tunn-id   Src Address     Dst Address     Inbound SPI   Outbound SPI  Status

----------------------------------------------------------------------------

0         --              --              1000          2000          Active

                                          3000          4000

1         1.2.3.1         2.2.2.2         5000          6000          Active

                                          7000          8000

Table 87 Command output

Field

Description

Src Address

Source IP address of the IPsec tunnel.

For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).

Dst Address

Destination IP address of the IPsec tunnel.

For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).

Inbound SPI

Valid SPI in the inbound direction of the IPsec tunnel.

If the tunnel uses two security protocols, two SPIs in the inbound direction are displayed in two lines.

Outbound SPI

Valid SPI in the outbound direction of the IPsec tunnel.

If the tunnel uses two security protocols, two SPIs in the outbound direction are displayed in two lines.

Status

Status of the IPsec SA: Active or Standby.

In a VSRP scenario, this field displays either Active or Standby.

In standalone mode, this field always displays Active.

 

# Display the number of IPsec tunnels.

<Sysname> display ipsec tunnel count

Total IPsec Tunnel Count: 2

# Display detailed information about all IPsec tunnels.

<Sysname> display ipsec tunnel

Tunnel ID: 0

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  2000        (0x000007d0)   [AH]

    inbound:   1000        (0x000003e8)   [AH]

    outbound:  4000        (0x00000fa0)   [ESP]

    inbound:   3000        (0x00000bb8)   [ESP]

Tunnel:

    local  address:

    remote address:

Flow:

Tunnel ID: 1

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  6000        (0x00001770)   [AH]

    inbound:   5000        (0x00001388)   [AH]

    outbound:  8000        (0x00001f40)   [ESP]

    inbound:   7000        (0x00001b58)   [ESP]

Tunnel:

    local  address: 1.2.3.1

    remote address: 2.2.2.2

Flow:

    as defined in ACL 3100

# Display detailed information about IPsec tunnel 1.

<Sysname> display ipsec tunnel tunnel-id 1

Tunnel ID: 1

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  6000        (0x00001770)   [AH]

    inbound:   5000        (0x00001388)   [AH]

    outbound:  8000        (0x00001f40)   [ESP]

    inbound:   7000        (0x00001b58)   [ESP]

Tunnel:

    local  address: 1.2.3.1

    remote address: 2.2.2.2

Flow:

    as defined in ACL 3100

Table 88 Command output

Field

Description

Tunnel ID

IPsec tunnel ID, which uniquely identifies an IPsec tunnel.

Status

IPsec tunnel status: Active or Standby.

In a VSRP scenario, this field displays either Active or Standby.

In standalone mode, this field always displays Active.

Perfect forward secrecy

Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation:

·     768-bit Diffie-Hellman group (dh-group1)

·     1024-bit Diffie-Hellman group (dh-group2)

·     1536-bit Diffie-Hellman group (dh-group5)

·     2048-bit Diffie-Hellman group (dh-group14)

·     2048-bit Diffie-Hellman group with a 256-bit subgroup (dh-group24)

·     256-bit ECP Diffie-Hellman group (dh-group19)

·     384-bit ECP Diffie-Hellman group (dh-group20)

SA's SPI

SPIs of the inbound and outbound SAs.

Tunnel

Local and remote addresses of the IPsec tunnel.

local  address

Local end IP address of the IPsec tunnel.

remote address

Remote end IP address of the IPsec tunnel.

Flow

Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol.

as defined in ACL 3001

Range of data flow protected by the IPsec tunnel that is established manually. This information shows that the IPsec tunnel protects all data flows defined by ACL 3001.

 

encapsulation-mode

Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.

Use undo encapsulation-mode to restore the default.

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Default

IP packets are encapsulated in tunnel mode.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

transport: Uses the transport mode for IP packet encapsulation.

tunnel: Uses the tunnel mode for IP packet encapsulation.

Usage guidelines

IPsec supports the following encapsulation modes:

·     Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications.

·     Tunnel mode—The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service. You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications.

The IPsec transform sets at both ends of the IPsec tunnel must have the same encapsulation mode.

Examples

# Configure the IPsec transform set tran1 to use the transport mode for IP packet encapsulation.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport

Related commands

ipsec transform-set

esn enable

Use esn enable to enable the Extended Sequence Number (ESN) feature.

Use undo esn enable to disable the ESN feature.

Syntax

esn enable [ both ]

undo esn enable

Default

ESN is disabled.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

both: Enables IPsec to support both extended and traditional sequence numbers. If you do not specify this keyword, IPsec supports only extended sequence numbers.

Usage guidelines

The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does not need to be renegotiated.

This feature must be enabled at both the initiator and the responder.

Examples

# Enable the ESN feature in the IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esn enable

Related commands

display ipsec transform-set

esp authentication-algorithm

Use esp authentication-algorithm to specify authentication algorithms for ESP.

Use undo esp authentication-algorithm to restore the default.

Syntax

In non-FIPS mode:

esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo esp authentication-algorithm

In FIPS mode:

esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *

undo esp authentication-algorithm

Default

ESP does not use any authentication algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Uses the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Uses the HMAC-MD5-96 algorithm, which uses a 128-bit key.

sha1: Uses the HMAC-SHA1-96 algorithm, which uses a 160-bit key.

sha256: Uses the HMAC-SHA256 algorithm, which uses a 256-bit key.

sha384: Uses the HMAC-SHA384 algorithm, which uses a 384-bit key.

sha512: Uses the HMAC-SHA512 algorithm, which uses a 512-bit key.

sm3: Uses the HMAC-SM3-96 algorithm, which uses a 256-bit key.

The following matrix shows the sm3 keyword and hardware compatibility:

Hardware                                          Keyword compatibility
------------------------------------------------  ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  Yes
MSR2600-6-X1                                      Yes
MSR2600-10-X1                                     No
MSR 2630                                          No
MSR3600-28/3600-51                                No
MSR3600-28-SI/3600-51-SI                          Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC    Yes
MSR 3610/3620/3620-DP/3640/3660                   Yes
MSR5620/5660/5680                                 Yes

Hardware                                          Keyword compatibility
------------------------------------------------  ---------------------
MSR810-LM-GL                                      Yes
MSR810-W-LM-GL                                    Yes
MSR830-6EI-GL                                     Yes
MSR830-10EI-GL                                    Yes
MSR830-6HI-GL                                     Yes
MSR830-10HI-GL                                    Yes
MSR2600-6-X1-GL                                   Yes
MSR3600-28-SI-GL                                  Yes


Usage guidelines

In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

For a manual or IKEv1-based IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP authentication algorithm.

Examples

# Configure the IPsec transform set tran1 to use the HMAC-SHA1 algorithm as the ESP authentication algorithm.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1

Related commands

ipsec transform-set

esp encryption-algorithm

Use esp encryption-algorithm to specify encryption algorithms for ESP.

Use undo esp encryption-algorithm to restore the default.

Syntax

In non-FIPS mode:

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm1-cbc-128 | sm4-cbc } *

undo esp encryption-algorithm

In FIPS mode:

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *

undo esp encryption-algorithm

Default

ESP does not use any encryption algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key.

aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key.

aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.

aes-ctr-128: Uses the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2.

aes-ctr-192: Uses the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.

aes-ctr-256: Uses the AES algorithm in CTR mode, which uses a 256-bit key. This keyword is available only for IKEv2.

camellia-cbc-128: Uses the Camellia algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv2.

camellia-cbc-192: Uses the Camellia algorithm in CBC mode, which uses a 192-bit key. This keyword is available only for IKEv2.

camellia-cbc-256: Uses the Camellia algorithm in CBC mode, which uses a 256-bit key. This keyword is available only for IKEv2.

des-cbc: Uses the DES algorithm in CBC mode, which uses a 56-bit key.

gmac-128: Uses the GMAC algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

gmac-192: Uses the GMAC algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.

gmac-256: Uses the GMAC algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

gcm-128: Uses the GCM algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

gcm-192: Uses the GCM algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.

gcm-256: Uses the GCM algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

null: Uses the NULL algorithm, which means encryption is not performed.

sm1-cbc-128: Uses the SM1 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1.

The following matrix shows the sm1-cbc-128 keyword and hardware compatibility:

Hardware                                          Keyword compatibility
------------------------------------------------  ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes
MSR810-LMS/810-LUS                                No
MSR2600-6-X1                                      Yes
MSR2600-10-X1                                     No
MSR 2630                                          No
MSR3600-28/3600-51                                No
MSR3600-28-SI/3600-51-SI                          Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC    Yes
MSR 3610/3620/3620-DP/3640/3660                   Yes
MSR5620/5660/5680                                 Yes

Hardware                                          Keyword compatibility
------------------------------------------------  ---------------------
MSR810-LM-GL                                      Yes
MSR810-W-LM-GL                                    Yes
MSR830-6EI-GL                                     Yes
MSR830-10EI-GL                                    Yes
MSR830-6HI-GL                                     Yes
MSR830-10HI-GL                                    Yes
MSR2600-6-X1-GL                                   Yes
MSR3600-28-SI-GL                                  Yes


sm4-cbc: Uses the SM4 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1.

The following matrix shows the sm4-cbc keyword and hardware compatibility:

Hardware                                          Keyword compatibility
------------------------------------------------  ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  Yes
MSR2600-6-X1                                      Yes
MSR2600-10-X1                                     No
MSR 2630                                          No
MSR3600-28/3600-51                                No
MSR3600-28-SI/3600-51-SI                          Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC    Yes
MSR 3610/3620/3620-DP/3640/3660                   Yes
MSR5620/5660/5680                                 Yes


Usage guidelines

You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

For a manual or IKEv1-based IPsec policy, the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.

GCM and GMAC algorithms are combined mode algorithms. GCM algorithms provide encryption and authentication services. GMAC algorithms only provide authentication service. Combined mode algorithms can be used only when ESP is used alone without AH. Combined mode algorithms cannot be used together with ordinary ESP authentication algorithms.
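An added example, not H3C code, that checks constructed transform-set descriptions against the rules stated in the esp authentication-algorithm and esp encryption-algorithm usage guidelines: IKEv1-only and IKEv2-only keywords, the FIPS-mode algorithm lists, the combined-mode restrictions, and the first-algorithm match that manual and IKEv1 policies need at both ends. The dictionary keys, the finding codes and the IKEv2 common-algorithm check are assumptions of the example.

```python
"""Check IPsec transform sets against the algorithm rules stated above.

Added example, not H3C code. A transform set is described by a constructed
dictionary with the keys protocol ("esp", "ah" or "ah-esp"), encapsulation,
esp_encryption and esp_authentication (lists in command-line order);
sa_mode is "manual", "ikev1" or "ikev2". Findings are short code strings.
"""
from typing import Dict, List

IKEV2_ONLY = {
    "aes-xcbc-mac", "aes-ctr-128", "aes-ctr-192", "aes-ctr-256",
    "camellia-cbc-128", "camellia-cbc-192", "camellia-cbc-256",
    "gmac-128", "gmac-192", "gmac-256", "gcm-128", "gcm-192", "gcm-256",
}
IKEV1_ONLY = {"sm1-cbc-128", "sm4-cbc"}
COMBINED_MODE = {"gmac-128", "gmac-192", "gmac-256", "gcm-128", "gcm-192", "gcm-256"}
FIPS_ENCRYPTION = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                   "aes-ctr-128", "aes-ctr-192", "aes-ctr-256"} | COMBINED_MODE
FIPS_AUTHENTICATION = {"sha1", "sha256", "sha384", "sha512"}


def lint_transform_set(ts: Dict, sa_mode: str, fips: bool = False) -> List[str]:
    """Findings for a single transform set, in the order the checks run."""
    protocol = ts.get("protocol", "esp")
    enc = list(ts.get("esp_encryption", []))
    auth = list(ts.get("esp_authentication", []))
    findings: List[str] = []
    for alg in enc + auth:
        if alg in IKEV2_ONLY and sa_mode != "ikev2":
            findings.append(f"ikev2-only:{alg}")
        if alg in IKEV1_ONLY and sa_mode != "ikev1":
            findings.append(f"ikev1-only:{alg}")
    if fips:
        findings += [f"not-fips:{a}" for a in enc if a not in FIPS_ENCRYPTION]
        findings += [f"not-fips:{a}" for a in auth if a not in FIPS_AUTHENTICATION]
    if any(a in COMBINED_MODE for a in enc):
        # GCM/GMAC only with ESP alone: never beside AH or an ordinary ESP auth algorithm
        if "ah" in protocol:
            findings.append("combined-mode-with-ah")
        if auth:
            findings.append("combined-mode-with-esp-auth")
    # ESP alone with no ESP authentication algorithm and no GCM/GMAC carries no
    # integrity protection; the reference's mytransform example, which has no
    # algorithm at all, is shown in the "incomplete" state.
    if protocol == "esp" and not auth and not any(a in COMBINED_MODE for a in enc):
        findings.append("esp-without-integrity")
    return findings


def check_peers(local: Dict, remote: Dict, sa_mode: str) -> List[str]:
    """Compare the transform sets at the two ends of one tunnel."""
    findings: List[str] = []
    if local.get("encapsulation") != remote.get("encapsulation"):
        findings.append("encapsulation-mode-mismatch")
    if local.get("protocol", "esp") != remote.get("protocol", "esp"):
        findings.append("protocol-mismatch")
    for key in ("esp_encryption", "esp_authentication"):
        l, r = list(local.get(key, [])), list(remote.get(key, []))
        if sa_mode in ("manual", "ikev1"):
            # only the first algorithm takes effect, so the first entries must agree
            if l[:1] != r[:1]:
                findings.append(f"first-{key}-mismatch")
        elif (l or r) and not set(l) & set(r):
            # assumption: IKEv2 negotiates any algorithm both proposal lists share
            findings.append(f"no-common-{key}")
    return findings
```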

Examples

# Configure the IPsec transform set tran1 to use aes-cbc-128 as the ESP encryption algorithm.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

Related commands

ipsec transform-set

ike-profile

Use ike-profile to specify an IKE profile for an IPsec policy, IPsec policy template, or IPsec profile.

Use undo ike-profile to restore the default.

Syntax

ike-profile profile-name

undo ike-profile

Default

No IKE profile is specified. The IPsec policy, IPsec policy template, or IPsec profile uses the global IKE settings for negotiation.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IKE profile specified for an IPsec policy, IPsec policy template, or IPsec profile defines the parameters used for IKE negotiation.

You can specify only one IKE profile for an IPsec policy, IPsec policy template, or IPsec profile.

Examples

# Specify the IKE profile profile1 for the IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1

Related commands

ike profile

ikev2-profile

Use ikev2-profile to specify an IKEv2 profile for an IPsec policy, IPsec policy template, or IPsec profile.

Use undo ikev2-profile to restore the default.

Syntax

ikev2-profile profile-name

undo ikev2-profile

Default

No IKEv2 profile is specified.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IKEv2 profile specified for an IPsec policy, IPsec policy template, or IPsec profile defines the parameters used for IKEv2 negotiation.

You can specify only one IKEv2 profile for an IPsec policy, IPsec policy template, or IPsec profile. On the initiator, an IKEv2 profile is required. On the responder, an IKEv2 profile is optional. If you do not specify an IKEv2 profile, the responder can use any IKEv2 profile for negotiation.

Examples

# Specify the IKEv2 profile profile1 for the IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ikev2-profile profile1

Related commands

display ipsec ipv6-policy

display ipsec policy

ikev2 profile

ipsec { ipv6-policy | policy }

Use ipsec { ipv6-policy | policy } to create an IPsec policy entry and enter its view, or enter the view of an existing IPsec policy entry.

Use undo ipsec { ipv6-policy | policy } to delete the specified IPsec policy.

Syntax

ipsec { ipv6-policy | policy } policy-name seq-number [ gdoi | isakmp | manual ]

undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]

Default

No IPsec policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 IPsec policy.

policy: Specifies an IPv4 IPsec policy.

policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies a sequence number for the IPsec policy entry, in the range of 1 to 65535.

gdoi: Establishes IPsec SAs through GDOI.

The following matrix shows the gdoi keyword and hardware compatibility:

Hardware                                          Keyword compatibility
------------------------------------------------  ---------------------
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes
MSR810-LMS/810-LUS                                No
MSR2600-6-X1                                      Yes
MSR2600-10-X1                                     Yes
MSR 2630                                          Yes
MSR3600-28/3600-51                                Yes
MSR3600-28-SI/3600-51-SI                          No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC    Yes
MSR 3610/3620/3620-DP/3640/3660                   Yes
MSR5620/5660/5680                                 Yes

Hardware                                          Keyword compatibility
------------------------------------------------  ---------------------
MSR810-LM-GL                                      Yes
MSR810-W-LM-GL                                    Yes
MSR830-6EI-GL                                     Yes
MSR830-10EI-GL                                    Yes
MSR830-6HI-GL                                     Yes
MSR830-10HI-GL                                    Yes
MSR2600-6-X1-GL                                   Yes
MSR3600-28-SI-GL                                  No


isakmp: Establishes IPsec SAs through IKE negotiation.

manual: Establishes IPsec SAs manually.

Usage guidelines

When you create an IPsec policy, you must specify the SA setup mode (gdoi, isakmp, or manual). When you enter the view of an existing IPsec policy, you do not need to specify the SA setup mode.

You cannot change the SA setup mode of an existing IPsec policy.

An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.

If you specify the seq-number argument, the undo command deletes the specified IPsec policy entry. If you do not specify this argument, the undo command deletes all entries of the specified IPsec policy.

An IPv4 IPsec policy and IPv6 IPsec policy can have the same name.

Examples

# Create an IKE-based IPsec policy entry and enter the IPsec policy view. The policy name is policy1 and the sequence number is 100.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100]

# Create a manual IPsec policy entry and enter the IPsec policy view. The policy name is policy1 and the sequence number is 101.

<Sysname> system-view

[Sysname] ipsec policy policy1 101 manual

[Sysname-ipsec-policy-manual-policy1-101]

# Create a GDOI-based IPsec policy entry and enter the IPsec policy view. The policy name is policygdoi and the sequence number is 100.

<Sysname> system-view

[Sysname] ipsec policy policygdoi 100 gdoi

[Sysname-ipsec-policy-gdoi-policygdoi-100]

Related commands

display ipsec { ipv6-policy | policy }

ipsec apply

ipsec { ipv6-policy | policy } isakmp template

Use ipsec { ipv6-policy | policy } isakmp template to create an IKE-based IPsec policy entry by using an IPsec policy template.

Use undo ipsec { ipv6-policy | policy } to delete the specified IPsec policy.

Syntax

ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name

undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]

Default

No IPsec policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 IPsec policy.

policy: Specifies an IPv4 IPsec policy.

policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. A smaller number indicates a higher priority.

isakmp template template-name: Specifies an IPsec policy template by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify the seq-number argument, the undo command deletes the specified IPsec policy.

An interface applied with an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.

Examples

# Create an IPsec policy entry by using the IPsec policy template temp1, and specify the IPsec policy name as policy2 and the sequence number as 200.

<Sysname> system-view

[Sysname] ipsec policy policy2 200 isakmp template temp1

Related commands

display ipsec { ipv6-policy | policy }

ipsec { ipv6-policy-template | policy-template }

ipsec { ipv6-policy | policy } local-address

Use ipsec { ipv6-policy | policy } local-address to bind an IPsec policy to a source interface.

Use undo ipsec { ipv6-policy | policy } local-address to remove the binding between an IPsec policy and a source interface.

Syntax

ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number

undo ipsec { ipv6-policy | policy } policy-name local-address

Default

No IPsec policy is bound to a source interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 IPsec policy.

policy: Specifies an IPv4 IPsec policy.

policy-name: Specifies an IPsec policy name, a case-insensitive string of 1 to 63 characters.

local-address interface-type interface-number: Specifies the shared source interface by its type and number.

Usage guidelines

For high availability, two interfaces can operate in backup or load sharing mode. After an IPsec policy is applied to the two interfaces, they negotiate with their peers to establish IPsec SAs separately. When one interface fails and a link failover occurs, the other interface needs to take some time to renegotiate SAs, resulting in service interruption.

To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.

After an IPsec policy is applied to a service interface and IPsec SAs have been established, if you bind the IPsec policy to a source interface, the existing IPsec SAs are deleted.

Only an IKE-based IPsec policy can be bound to a source interface.

An IPsec policy can be bound to only one source interface. If you execute this command multiple times, the most recent configuration takes effect.

A source interface can be bound to multiple IPsec policies.

As a best practice, use a stable interface, such as a Loopback interface, as a source interface.

Examples

# Bind the IPsec policy map to source interface Loopback 11.

<Sysname> system-view

[Sysname] ipsec policy map local-address loopback 11

Related commands

ipsec { ipv6-policy | policy }

ipsec { ipv6-policy-template | policy-template }

Use ipsec { ipv6-policy-template | policy-template } to create an IPsec policy template entry and enter its view, or enter the view of an existing IPsec policy template entry.

Use undo ipsec { ipv6-policy-template | policy-template } to delete the specified IPsec policy template.

Syntax

ipsec { ipv6-policy-template | policy-template } template-name seq-number

undo ipsec { ipv6-policy-template | policy-template } template-name [ seq-number ]

Default

No IPsec policy templates exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy-template: Specifies an IPv6 IPsec policy template.

policy-template: Specifies an IPv4 IPsec policy template.

template-name: Specifies a name for the IPsec policy template, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies a sequence number for the IPsec policy template entry, in the range of 1 to 65535. A smaller number indicates a higher priority.

Usage guidelines

The configurable parameters for an IPsec policy template are similar to the parameters that you use when you configure an IKE-based IPsec policy. However, all parameters except for the IPsec transform sets and the IKE peer are optional for an IPsec policy template.

An IPsec policy template is a set of IPsec policy template entries that have the same name but different sequence numbers.

With the seq-number argument specified, the undo command deletes an IPsec policy template entry.

An IPv4 IPsec policy template and an IPv6 IPsec policy template can have the same name.

Examples

# Create an IPsec policy template entry and enter the IPsec policy template view. The template name is template1 and the sequence number is 100.

<Sysname> system-view

[Sysname] ipsec policy-template template1 100

[Sysname-ipsec-policy-template-template1-100]

Related commands

display ipsec { ipv6-policy-template | policy-template }

ipsec { ipv6-policy | policy }

ipsec { ipv6-policy | policy } isakmp template

ipsec anti-replay check

Use ipsec anti-replay check to enable IPsec anti-replay checking.

Use undo ipsec anti-replay check to disable IPsec anti-replay checking.

Syntax

ipsec anti-replay check

undo ipsec anti-replay check

Default

IPsec anti-replay checking is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

De-encapsulating an IPsec packet is computationally expensive. De-encapsulating replayed packets is unnecessary, wastes resources, and degrades performance, which an attacker can exploit as a DoS. When IPsec anti-replay checking is enabled, the check is performed before de-encapsulation, so replayed packets are discarded before any costly processing.

In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay feature drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.

Only IPsec SAs negotiated by IKE support anti-replay checking. Manually created IPsec SAs do not support anti-replay checking. Enabling or disabling IPsec anti-replay checking does not affect manually created IPsec SAs.

Examples

# Enable IPsec anti-replay checking.

<Sysname> system-view

[Sysname] ipsec anti-replay check

Related commands

ipsec anti-replay window

ipsec anti-replay window

Use ipsec anti-replay window to set the anti-replay window size.

Use undo ipsec anti-replay window to restore the default.

Syntax

ipsec anti-replay window width

undo ipsec anti-replay window

Default

The anti-replay window size is 64.

Views

System view

Predefined user roles

network-admin

Parameters

width: Specifies the size for the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets.

Usage guidelines

Changing the anti-replay window size affects only the IPsec SAs negotiated later.

Service data packets might be received in a very different order than their original order, and the IPsec anti-replay feature might drop them as replayed packets, affecting normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
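The following is an added illustration, not H3C code: a receiver-side sliding window of the kind that ipsec anti-replay check enables and ipsec anti-replay window sizes, modeled after RFC 4303 section 3.4.3. It shows the two drop reasons a practitioner sees, a true replay (duplicate sequence number) and a packet that arrived so late that it fell below the window, and why widening the window from 64 to 128 rescues the second case. The sequence-number trace is constructed for the example.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window over ESP/AH sequence numbers (RFC 4303, 3.4.3).

    `top` is the highest sequence number accepted so far. Bit i of `bitmap` is set
    when sequence number (top - i) has already been accepted, for 0 <= i < width.
    """

    VALID_WIDTHS = (64, 128, 256, 512, 1024)   # the sizes ipsec anti-replay window accepts

    def __init__(self, width=64):
        if width not in self.VALID_WIDTHS:
            raise ValueError("window width must be one of %s" % (self.VALID_WIDTHS,))
        self.width = width
        self.top = 0
        self.bitmap = 0
        self.dropped = {"replay": 0, "too_old": 0}

    def check(self, seq):
        """Accept (True) or drop (False) an inbound sequence number and update the window.

        This runs before the costly ICV/decryption work, which is the point of the
        feature. Sequence number 0 is never valid on an SA with anti-replay enabled.
        """
        if seq == 0:
            self.dropped["replay"] += 1
            return False
        if seq > self.top:
            # New high-water mark: slide the window up and mark seq as seen.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.width:
            # Older than the window can remember: indistinguishable from a replay.
            self.dropped["too_old"] += 1
            return False
        if self.bitmap & (1 << offset):
            self.dropped["replay"] += 1
            return False
        self.bitmap |= 1 << offset   # late but not yet seen: accept it
        return True


def replay_trace(seqs, width=64):
    """Run a constructed trace of sequence numbers through a window of the given width.

    Returns (accepted, dropped): the sequence numbers that passed and the
    per-reason drop counts.
    """
    win = AntiReplayWindow(width)
    accepted = [s for s in seqs if win.check(s)]
    return accepted, win.dropped


if __name__ == "__main__":
    # Constructed trace: a burst, a duplicate (replay), and a packet delayed by
    # 70 positions; only a window of 128 or more still accepts the late packet.
    trace = [1, 2, 3, 3, 4, 100, 30]
    for width in (64, 128):
        print(width, replay_trace(trace, width))
```

The "too_old" counter is the one that grows when reordering on the path exceeds the window; raising the width with ipsec anti-replay window is the fix for that case, whereas a growing "replay" counter on a stable path is worth investigating rather than suppressing by disabling the check.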

Examples

# Set the size of the anti-replay window to 128.

<Sysname> system-view

[Sysname] ipsec anti-replay window 128

Related commands

ipsec anti-replay check

ipsec apply

Use ipsec apply to apply an IPsec policy to an interface.

Use undo ipsec apply to remove an IPsec policy application from an interface.

Syntax

ipsec apply { ipv6-policy | policy } policy-name

undo ipsec apply { ipv6-policy | policy }

Default

No IPsec policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 IPsec policy.

policy: Specifies an IPv4 IPsec policy.

policy-name: Specifies an IPsec policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

On an interface, you can apply a maximum of two IPsec policies: one IPv4 IPsec policy and one IPv6 IPsec policy.

An IKE-based IPsec policy can be applied to multiple interfaces. A manual IPsec policy can be applied to only one interface.

Examples

# Apply the IPsec policy policy1 to interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipsec apply policy policy1

Related commands

display ipsec { ipv6-policy | policy }

ipsec { ipv6-policy | policy }

ipsec decrypt-check enable

Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets.

Use undo ipsec decrypt-check enable to disable ACL checking for de-encapsulated IPsec packets.

Syntax

ipsec decrypt-check enable

undo ipsec decrypt-check enable

Default

ACL checking for de-encapsulated IPsec packets is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In tunnel mode, the inner IP packet carried by an inbound IPsec packet might fall outside the traffic range defined by the ACL in the IPsec policy, for example, when the peer sends traffic that the negotiated selectors do not cover. Once de-encapsulated, such packets are a threat to network security. To address this, enable ACL checking for de-encapsulated IPsec packets: every de-encapsulated packet is matched against the ACL, and packets that fail the check are discarded.
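The following is an added example, not H3C code, that models the check ipsec decrypt-check enable performs: the inner packet recovered after de-encapsulation is matched against the same ACL that selects traffic for the policy, and anything that does not hit a permit rule is dropped. The ACL rules and the two de-encapsulated packets (one legitimate, one that a peer injected through an otherwise valid SA) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclRule:
    """One rule of the ACL referenced by the IPsec policy (constructed for the example)."""
    action: str          # "permit" or "deny"
    src: str             # source prefix, e.g. "10.1.1.0/24"
    dst: str             # destination prefix
    proto: str = "ip"    # "ip" matches any protocol


@dataclass
class InnerPacket:
    """The IP packet recovered after IPsec de-encapsulation."""
    src: str
    dst: str
    proto: str = "tcp"


def acl_lookup(rules, pkt):
    """First matching rule wins; a packet that matches no rule is denied.

    The ACL is the one that selects traffic for protection, so a de-encapsulated
    packet must hit a permit rule to count as legitimate tunnel traffic.
    """
    s = ipaddress.ip_address(pkt.src)
    d = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst)
                and rule.proto in ("ip", pkt.proto)):
            return rule.action
    return "deny"


def decrypt_check(rules, pkt, enabled=True):
    """Decide the fate of a de-encapsulated packet: 'forward' or 'drop'.

    With the check disabled, anything the peer wraps in a valid SA is forwarded,
    including traffic outside the policy's ACL.
    """
    if not enabled:
        return "forward"
    return "forward" if acl_lookup(rules, pkt) == "permit" else "drop"


# Constructed policy ACL: only 10.1.1.0/24 -> 10.2.2.0/24 is protected by the tunnel.
POLICY_ACL = [AclRule("permit", "10.1.1.0/24", "10.2.2.0/24")]

# Constructed de-encapsulated packets: one legitimate, one injected through the tunnel.
LEGIT = InnerPacket("10.1.1.5", "10.2.2.7")
INJECTED = InnerPacket("192.168.50.1", "10.2.2.7")

if __name__ == "__main__":
    for pkt in (LEGIT, INJECTED):
        print(pkt.src, "->", pkt.dst, decrypt_check(POLICY_ACL, pkt),
              "| check disabled:", decrypt_check(POLICY_ACL, pkt, enabled=False))
```

The injected packet is the case the command exists for: the SA authenticates the peer, not the inner addresses, so without the check a compromised or misconfigured peer can source traffic into the protected network from any address.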

Examples

# Enable ACL checking for de-encapsulated IPsec packets.

<Sysname> system-view

[Sysname] ipsec decrypt-check enable

ipsec df-bit

Use ipsec df-bit to configure the DF bit for the outer IP header of IPsec packets on an interface.

Use undo ipsec df-bit to restore the default.

Syntax

ipsec df-bit { clear | copy | set }

undo ipsec df-bit

Default

The DF bit is not configured for the outer IP header of IPsec packets on an interface. The global DF bit setting is used.

Views

Interface view

Predefined user roles

network-admin

Parameters

clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.

copy: Copies the DF bit setting of the original IP header to the outer IP header.

set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.

Usage guidelines

This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.

This command does not change the DF bit for the original IP header of IPsec packets.

If multiple interfaces use an IPsec policy that is bound to a source interface, you must use the same DF bit setting on these interfaces.

Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. However, to prevent the IPsec packets from being discarded, you must make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.

Examples

# Set the DF bit in the outer IP header of IPsec packets on GigabitEthernet1/0/2.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/2

[Sysname-GigabitEthernet1/0/2] ipsec df-bit set

Related commands

ipsec global-df-bit

ipsec fragmentation

Use ipsec fragmentation to configure the IPsec fragmentation feature.

Use undo ipsec fragmentation to restore the default.

Syntax

ipsec fragmentation { after-encryption | before-encryption }

undo ipsec fragmentation

Default

The device fragments packets before IPsec encapsulation.

Views

System view

Predefined user roles

network-admin

Parameters

after-encryption: Fragments packets after IPsec encapsulation.

before-encryption: Fragments packets before IPsec encapsulation.

Usage guidelines

If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface, the device fragments the packets before encapsulation. If a packet's DF bit is set, the device drops the packet and sends an ICMP error message.

If you configure the device to fragment packets after IPsec encapsulation, the device directly encapsulates the packets and fragments the encapsulated packets in subsequent service modules.
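The following is an added worked example, not H3C code, that models the decisions described for ipsec fragmentation and ipsec df-bit / ipsec global-df-bit: the encapsulated size is predetermined, the clear-text packet is fragmented before encapsulation (or the encapsulated packet after it), a DF-marked inner packet that would not fit is dropped in before-encryption mode, and the outer DF bit follows the set / clear / copy setting. The ESP overhead figures (tunnel-mode ESP with a 16-byte IV, 16-byte cipher block and 16-byte ICV, 20-byte IPv4 headers) are assumptions made for the example, not values stated on this page.

```python
from dataclasses import dataclass

IPV4_HDR = 20      # outer/inner IPv4 header without options (assumed)
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


@dataclass
class Packet:
    length: int   # total length of the original (inner) IPv4 packet, in bytes
    df: bool      # DF bit of the original IP header


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=16):
    """Length of the tunnel-mode ESP packet carrying an inner packet of inner_len bytes.

    Assumed transform for the example: 16-byte IV, 16-byte block cipher, 16-byte ICV.
    This is the size the device predetermines in before-encryption mode.
    """
    payload = inner_len + ESP_TRAILER
    pad = (-payload) % block
    return IPV4_HDR + ESP_HDR + iv_len + payload + pad + icv_len


def max_inner_len(mtu, **transform):
    """Largest inner packet whose encapsulated size still fits the output MTU."""
    n = mtu
    while n > IPV4_HDR and esp_tunnel_size(n, **transform) > mtu:
        n -= 1
    return n


def outer_df(df_mode, inner_df):
    """DF bit of the outer header under ipsec df-bit / ipsec global-df-bit."""
    return {"set": True, "clear": False, "copy": inner_df}[df_mode]


def _fragments(total_len, max_len):
    """Split an IPv4 packet into fragment lengths <= max_len (fragment data in 8-byte units)."""
    per_frag = ((max_len - IPV4_HDR) // 8) * 8
    remaining, out = total_len - IPV4_HDR, []
    while remaining > 0:
        chunk = min(per_frag, remaining)
        out.append(IPV4_HDR + chunk)
        remaining -= chunk
    return out


def encapsulate(pkt, mtu, fragmentation="before-encryption", df_mode="copy"):
    """Return (outer_packets, note): (length, df) of each packet sent, or why it was dropped."""
    df = outer_df(df_mode, pkt.df)
    if esp_tunnel_size(pkt.length) <= mtu:
        return [(esp_tunnel_size(pkt.length), df)], ""
    if fragmentation == "before-encryption":
        if pkt.df:
            return [], "dropped: inner DF set, ICMP fragmentation-needed sent to source"
        # Fragment the clear-text packet so that each encapsulated fragment fits the MTU.
        frags = _fragments(pkt.length, max_inner_len(mtu))
        return [(esp_tunnel_size(f), df) for f in frags], ""
    # after-encryption: encapsulate whole, then the outer packet is fragmented downstream.
    outer = esp_tunnel_size(pkt.length)
    if df:
        return [], "dropped: outer DF set and encapsulated packet exceeds MTU"
    return [(f, False) for f in _fragments(outer, mtu)], ""


if __name__ == "__main__":
    # Constructed input: a full-size 1500-byte inner packet on a 1500-byte MTU.
    for mode in ("before-encryption", "after-encryption"):
        print(mode, encapsulate(Packet(1500, False), 1500, mode))
    print("set + after-encryption", encapsulate(Packet(1500, False), 1500, "after-encryption", "set"))
```

Note what each mode costs the receiver: before-encryption fragmentation yields two complete ESP packets that the peer can verify independently, whereas after-encryption fragmentation yields IP fragments that the peer must reassemble before it can even run the anti-replay and integrity checks. The max_inner_len value is also the MTU to advertise or set on the inner path if you want to avoid fragmentation altogether.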

Examples

# Configure the device to fragment packets after IPsec encapsulation.

<Sysname> system-view

[Sysname] ipsec fragmentation after-encryption

ipsec global-df-bit

Use ipsec global-df-bit to configure the DF bit for the outer IP header of IPsec packets on all interfaces.

Use undo ipsec global-df-bit to restore the default.

Syntax

ipsec global-df-bit { clear | copy | set }

undo ipsec global-df-bit

Default

The DF bit setting of the original IP header is copied to the outer IP header for IPsec packets.

Views

System view

Predefined user roles

network-admin

Parameters

clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.

copy: Copies the DF bit setting of the original IP header to the outer IP header.

set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.

Usage guidelines

This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.

This command does not change the DF bit for the original IP header of IPsec packets.

Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. However, to prevent IPsec packets from being discarded, you must make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.

Examples

# Set the DF bit in the outer IP header of IPsec packets on all interfaces.

<Sysname> system-view

[Sysname] ipsec global-df-bit set

Related commands

ipsec df-bit

ipsec limit max-tunnel

Use ipsec limit max-tunnel to set the maximum number of IPsec tunnels.

Use undo ipsec limit max-tunnel to restore the default.

Syntax

ipsec limit max-tunnel tunnel-limit

undo ipsec limit max-tunnel

Default

The number of IPsec tunnels is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

tunnel-limit: Specifies the maximum number of IPsec tunnels, in the range of 1 to 4294967295.

Usage guidelines

A greater number of IPsec tunnels brings higher IPsec concurrency but uses more memory. Adjust the maximum number of IPsec tunnels according to the amount of free memory.

Examples

# Set the maximum number of IPsec tunnels to 5000.

<Sysname> system-view

[Sysname] ipsec limit max-tunnel 5000

Related commands

ike limit

ipsec logging negotiation enable

Use ipsec logging negotiation enable to enable logging for IPsec negotiation.

Use undo ipsec logging negotiation enable to disable logging for IPsec negotiation.

Syntax

ipsec logging negotiation enable

undo ipsec logging negotiation enable

Default

Logging for IPsec negotiation is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to output logs for the IPsec negotiation process.

This command is available only in non-FIPS mode.

Examples

# Enable logging for IPsec negotiation.

<Sysname> system-view

[Sysname] ipsec logging negotiation enable

ipsec logging packet enable

Use ipsec logging packet enable to enable logging for IPsec packets.

Use undo ipsec logging packet enable to disable logging for IPsec packets.

Syntax

ipsec logging packet enable

undo ipsec logging packet enable

Default

Logging for IPsec packets is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded. IPsec packets might be discarded due to lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.

Examples

# Enable logging for IPsec packets.

<Sysname> system-view

[Sysname] ipsec logging packet enable

ipsec profile

Use ipsec profile to create an IPsec profile and enter its view, or enter the view of an existing IPsec profile.

Use undo ipsec profile to delete the specified IPsec profile.

Syntax

ipsec profile profile-name [ manual | isakmp ]

undo ipsec profile profile-name

Default

No IPsec profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters.

manual: Specifies the IPsec SA setup mode as manual.

isakmp: Specifies the IPsec SA setup mode as IKE.

Usage guidelines

When you create an IPsec profile, you must specify the IPsec SA setup mode (isakmp or manual). When you enter the view of an existing IPsec profile, you do not need to specify the IPsec SA setup mode.

A manual IPsec profile is similar to a manual IPsec policy. It is used exclusively for IPsec protection for application protocols, including OSPFv3, IPv6 BGP, and RIPng.

An IKE-based IPsec profile is similar to an IKE-based IPsec policy. It uses IKE negotiation to establish IPsec SAs to protect both IPv4 and IPv6 application protocols, such as ADVPN. An IKE-based IPsec profile does not require you to specify the remote end address or an ACL.

Examples

# Create a manual IPsec profile named profile1.

<Sysname> system-view

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1]

# Create an IKE-based IPsec profile named profile1.

<Sysname> system-view

[Sysname] ipsec profile profile1 isakmp

[Sysname-ipsec-profile-isakmp-profile1]

Related commands

display ipsec profile

ipsec redundancy enable

Use ipsec redundancy enable to enable IPsec redundancy.

Use undo ipsec redundancy enable to disable IPsec redundancy.

Syntax

ipsec redundancy enable

undo ipsec redundancy enable

Default

IPsec redundancy is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With IPsec redundancy enabled, the system synchronizes the following information from the active device to the standby device at configurable intervals:

·     Lower bound values of the IPsec anti-replay window for inbound packets.

·     IPsec anti-replay sequence numbers for outbound packets.

The synchronization ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the active device fails.

To configure synchronization intervals, use the redundancy replay-interval command.

Examples

# Enable IPsec redundancy.

<Sysname> system-view

[Sysname] ipsec redundancy enable

Related commands

redundancy replay-interval

ipsec sa global-duration

Use ipsec sa global-duration to configure the global IPsec SA lifetime.

Use undo ipsec sa global-duration to restore the default.

Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

Default

The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes.

Views

System view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.

traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.

Usage guidelines

You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view. The device prefers the IPsec SA lifetimes configured in IPsec policy view or IPsec policy template view over the global IPsec SA lifetimes.

When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.

An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which takes over immediately after its creation.

Examples

# Configure the global IPsec SA lifetime as 7200 seconds.

<Sysname> system-view

[Sysname] ipsec sa global-duration time-based 7200

# Configure the global IPsec SA lifetime as 10240 kilobytes.

[Sysname] ipsec sa global-duration traffic-based 10240

Related commands

display ipsec sa

sa duration

ipsec sa global-soft-duration buffer

Use ipsec sa global-soft-duration buffer to set the global time-based or traffic-based IPsec SA soft lifetime buffer.

Use undo ipsec sa global-soft-duration buffer to restore the default.

Syntax

ipsec sa global-soft-duration buffer { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-soft-duration buffer { time-based | traffic-based }

Default

The global time-based and traffic-based IPsec SA soft lifetime buffers are not configured.

Views

System view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based IPsec SA soft lifetime buffer, in seconds. The value range is 20 to 201600.

traffic-based kilobytes: Specifies the traffic-based IPsec SA soft lifetime buffer, in kilobytes. The value range is 1000 to 4294901760.

Usage guidelines

This command takes effect only when IKEv1 is used.

The IPsec SA soft lifetime buffers are used to determine the IPsec SA soft lifetimes.

If no IPsec SA soft lifetime buffers are configured, the system calculates a default time-based and a default traffic-based IPsec SA soft lifetime.

If IPsec SA soft lifetime buffers are configured, the system calculates IPsec SA soft lifetimes as follows:

·     Time-based IPsec SA soft lifetime = time-based IPsec SA lifetime – time-based IPsec SA soft lifetime buffer.

If the calculated time-based IPsec SA soft lifetime is shorter than or equal to 20 seconds, the system uses the default time-based IPsec SA soft lifetime.

·     Traffic-based IPsec SA soft lifetime = traffic-based IPsec SA lifetime – traffic-based IPsec SA soft lifetime buffer.

If the calculated traffic-based IPsec SA soft lifetime is smaller than or equal to 1000 kilobytes, the system uses the default traffic-based IPsec SA soft lifetime.

You can also configure IPsec SA soft lifetime buffers in IPsec policy view or IPsec profile view. The device prefers the IPsec SA lifetime buffers configured in IPsec policy view or IPsec profile view over the global lifetime buffers configured in system view.
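The following is an added example, not H3C code, that resolves the lifetimes an IKE-negotiated IPsec SA ends up with from the rules stated for ipsec sa global-duration and ipsec sa global-soft-duration buffer: the policy-level value beats the global one, IKE takes the smaller of the local value and the peer's proposal, and the soft lifetime is the hard lifetime minus the buffer unless that result is at or below the 20-second / 1000-kilobyte floor. The value of the "default soft lifetime" the device falls back to is not given on this page, so the example represents it as None rather than guessing a number; the configured values it is run with are constructed.

```python
from dataclasses import dataclass, field

# Defaults, floors and ranges stated on this page (seconds / kilobytes).
GLOBAL_DEFAULT = {"time": 3600, "traffic": 1843200}
SOFT_FLOOR = {"time": 20, "traffic": 1000}
HARD_RANGE = {"time": (180, 604800), "traffic": (2560, 4294967295)}
BUFFER_RANGE = {"time": (20, 201600), "traffic": (1000, 4294901760)}


@dataclass
class LifetimeConfig:
    """Configured lifetimes; a missing key means the command was not issued at that level."""
    global_hard: dict = field(default_factory=dict)         # ipsec sa global-duration
    policy_hard: dict = field(default_factory=dict)         # sa duration (policy/template view)
    global_soft_buffer: dict = field(default_factory=dict)  # ipsec sa global-soft-duration buffer
    policy_soft_buffer: dict = field(default_factory=dict)  # sa soft-duration buffer


def _first_set(*values):
    for v in values:
        if v is not None:
            return v
    return None


def _check_range(value, lo_hi, what):
    lo, hi = lo_hi
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} outside {lo}..{hi}")


def effective_hard(cfg, kind, peer_proposal=None):
    """Policy-level lifetime beats the global one; IKE then uses the smaller of local and peer."""
    local = _first_set(cfg.policy_hard.get(kind), cfg.global_hard.get(kind), GLOBAL_DEFAULT[kind])
    _check_range(local, HARD_RANGE[kind], f"{kind}-based lifetime")
    return local if peer_proposal is None else min(local, peer_proposal)


def effective_soft(cfg, kind, hard):
    """Soft lifetime = hard lifetime - buffer; at or below the floor the device default applies.

    Returns None to mean "device default soft lifetime" (its value is not stated on the page).
    """
    buf = _first_set(cfg.policy_soft_buffer.get(kind), cfg.global_soft_buffer.get(kind))
    if buf is None:
        return None
    _check_range(buf, BUFFER_RANGE[kind], f"{kind}-based soft lifetime buffer")
    soft = hard - buf
    return None if soft <= SOFT_FLOOR[kind] else soft


def resolve(cfg, peer=None):
    """Hard and soft lifetimes per kind; the SA expires at whichever kind runs out first."""
    peer = peer or {}
    out = {}
    for kind in ("time", "traffic"):
        hard = effective_hard(cfg, kind, peer.get(kind))
        out[kind] = {"hard": hard, "soft": effective_soft(cfg, kind, hard)}
    return out


if __name__ == "__main__":
    # Constructed configuration: global 7200 s, buffers of 600 s / 10000 KB, peer proposes 1800 s.
    cfg = LifetimeConfig(global_hard={"time": 7200},
                         global_soft_buffer={"time": 600, "traffic": 10000})
    print(resolve(cfg))
    print(resolve(cfg, peer={"time": 1800}))
```

The peer case is the one that surprises people: a buffer sized for the local 7200-second lifetime still applies after IKE settles on the peer's 1800 seconds, so rekeying starts much earlier in the SA's life than the local configuration suggests. A buffer larger than the lifetime itself silently hands control back to the device default.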

Examples

# Set the global time-based IPsec SA soft lifetime buffer to 600 seconds.

<Sysname> system-view

[Sysname] ipsec sa global-soft-duration buffer time-based 600

# Set the global traffic-based IPsec SA soft lifetime buffer to 10000 kilobytes.

<Sysname> system-view

[Sysname] ipsec sa global-soft-duration buffer traffic-based 10000

Related commands

sa soft-duration buffer

ipsec sa idle-time

Use ipsec sa idle-time to enable the global IPsec SA idle timeout feature and set the idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.

Use undo ipsec sa idle-time to disable the global IPsec SA idle timeout feature.

Syntax

ipsec sa idle-time seconds

undo ipsec sa idle-time

Default

The global IPsec SA idle timeout feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.

Usage guidelines

This feature applies only to IPsec SAs negotiated by IKE.

The IPsec SA idle timeout can also be configured in IPsec policy view, IPsec policy template view, or IPsec profile view, which takes precedence over the global IPsec SA timeout.

Examples

# Enable the global IPsec SA idle timeout feature and set the IPsec SA idle timeout to 600 seconds.

<Sysname> system-view

[Sysname] ipsec sa idle-time 600

Related commands

display ipsec sa

sa idle-time

ipsec transform-set

Use ipsec transform-set to create an IPsec transform set and enter its view, or enter the view of an existing IPsec transform set.

Use undo ipsec transform-set to delete an IPsec transform set.

Syntax

ipsec transform-set transform-set-name

undo ipsec transform-set transform-set-name

Default

No IPsec transform sets exist.

Views

System view

Predefined user roles

network-admin

Parameters

transform-set-name: Specifies a name for the IPsec transform set, a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, authentication algorithms, and encapsulation mode.

Examples

# Create an IPsec transform set named tran1 and enter its view.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-transform-set-tran1]

Related commands

display ipsec transform-set

local-address

Use local-address to configure the local IP address for the IPsec tunnel.

Use undo local-address to restore the default.

Syntax

local-address { ipv4-address | ipv6 ipv6-address }

undo local-address

Default

The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address. The first IPv6 address of the interface to which the IPsec policy is applied is used as the local IPv6 address.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the local IPv4 address for the IPsec tunnel.

ipv6 ipv6-address: Specifies the local IPv6 address for the IPsec tunnel.

Usage guidelines

The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.

In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to which the IPsec-applied interface belongs.

Examples

# Configure the local address 1.1.1.1 for the IPsec tunnel.

<Sysname> system-view

[Sysname] ipsec policy map 1 isakmp

[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.1

Related commands

remote-address

pfs

Use pfs to enable the Perfect Forward Secrecy (PFS) feature for an IPsec transform set.

Use undo pfs to restore the default.

Syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group24 }

undo pfs

In FIPS mode:

pfs { dh-group14 | dh-group19 | dh-group20 }

undo pfs

Default

The PFS feature is disabled for the IPsec transform set.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

dh-group1: Uses 768-bit Diffie-Hellman group.

dh-group2: Uses 1024-bit Diffie-Hellman group.

dh-group5: Uses 1536-bit Diffie-Hellman group.

dh-group14: Uses 2048-bit Diffie-Hellman group.

dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

dh-group20: Uses 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group.

Usage guidelines

In terms of security and necessary calculation time, the following groups are in descending order: 384-bit ECP Diffie-Hellman group (dh-group20), 256-bit ECP Diffie-Hellman group (dh-group19), 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1).

In IKEv1, the security level of the Diffie-Hellman group of the initiator must be higher than or equal to that of the responder. This restriction does not apply to IKEv2.

The end without the PFS feature performs IKE negotiation according to the PFS requirements of the peer end.

Examples

# Enable PFS using 2048-bit Diffie-Hellman group for IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] pfs dh-group14

protocol

Use protocol to specify a security protocol for an IPsec transform set.

Use undo protocol to restore the default.

Syntax

protocol { ah | ah-esp | esp }

undo protocol

Default

The IPsec transform set uses the ESP protocol.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

ah: Specifies the AH protocol.

ah-esp: Specifies using the ESP protocol first and then using the AH protocol.

esp: Specifies the ESP protocol.

Usage guidelines

The two tunnel ends must use the same security protocol in the IPsec transform set.

Examples

# Specify the AH protocol for the IPsec transform set.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] protocol ah

qos pre-classify

Use qos pre-classify to enable the QoS pre-classify feature.

Use undo qos pre-classify to disable the QoS pre-classify feature.

Syntax

qos pre-classify

undo qos pre-classify

Default

The QoS pre-classify feature is disabled. QoS uses the new IP header of IPsec packets to perform traffic classification.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Usage guidelines

The QoS pre-classify feature enables QoS to classify packets by using the IP header of the original IP packets.

Examples

# Enable the QoS pre-classify feature.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] qos pre-classify

redundancy replay-interval

Use redundancy replay-interval to set the anti-replay window lower bound value synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.

Use undo redundancy replay-interval to restore the default.

Syntax

redundancy replay-interval inbound inbound-interval outbound outbound-interval

undo redundancy replay-interval

Default

The active device synchronizes the anti-replay window lower bound value every time it receives 1000 packets and synchronizes the sequence number every time it sends 100000 packets.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

inbound inbound-interval: Specifies the interval at which the active device synchronizes the lower bound value of the IPsec anti-replay window to the standby device. This interval is expressed in the number of received packets, in the range of 0 to 1000. If you set the value to 0, the lower bound value of the anti-replay window will not be synchronized.

outbound outbound-interval: Specifies the interval at which the active device synchronizes the IPsec anti-replay sequence number to the standby device. This interval is expressed in the number of sent packets, in the range of 1000 to 100000.

Usage guidelines

The intervals take effect only after you enable IPsec redundancy by using the ipsec redundancy enable command.

A short interval improves the anti-replay information consistency between the active device and the standby device, but it sacrifices the forwarding performance of the devices.

Examples

# Set the anti-replay window lower bound value synchronization interval for inbound packets to 800. Set the sequence number synchronization interval for outbound packets to 50000.

<Sysname> system-view

[Sysname] ipsec policy test 1 manual

[Sysname-ipsec-policy-manual-test-1] redundancy replay-interval inbound 800 outbound 50000

Related commands

ipsec anti-replay check

ipsec anti-replay window

ipsec redundancy enable

remote-address

Use remote-address to configure the remote IP address for the IPsec tunnel.

Use undo remote-address to restore the default.

Syntax

remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }

undo remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }

Default

No remote IP address is configured for the IPsec tunnel.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the remote address or host name of an IPv6 IPsec tunnel. To specify the remote address or host name of an IPv4 IPsec tunnel, do not specify this keyword.

host-name: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host name can be resolved to an IP address by the DNS server.

ipv4-address: Specifies a remote IPv4 address.

ipv6-address: Specifies a remote IPv6 address.

Usage guidelines

This remote IP address configuration is required on the IKE negotiation initiator and optional on the responder if the responder uses an IPsec policy template.

A manual IPsec policy does not support DNS. Therefore, you must specify a remote IP address rather than a remote host name for the manual IPsec policy.

If you configure a remote host name, make sure the local end can always resolve the host name into the latest IP address of the remote end.

·     If a DNS server is used for resolution, the local end queries the remote IP address again from the DNS server after the previously cached remote IP address expires. This mechanism ensures that the local end can always obtain the latest remote IP address.

·     If a static DNS entry is used for resolution, you must reconfigure the remote-address command whenever the remote IP address changes. Without the reconfiguration, the local end cannot obtain the latest remote IP address.

For example, the local end has a static DNS entry which maps the host name test to the IP address 1.1.1.1. Configure the following commands:

# Configure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.

[Sysname] ipsec policy policy1 1 isakmp

[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test

# Change the IP address for the host test to 2.2.2.2.

[Sysname] ip host test 2.2.2.2

In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host.

# Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.

[Sysname] ipsec policy policy1 1 isakmp

[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test

Examples

# Specify the remote IP address 10.1.1.2 for the IPsec tunnel.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 manual

[Sysname-ipsec-policy-manual-policy1-10] remote-address 10.1.1.2

Related commands

ip host (see Layer 3—IP Services Commands Reference)

local-address

reset ipsec sa

Use reset ipsec sa to clear IPsec SAs.

Syntax

reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]

Views

User view

Predefined user roles

network-admin

Parameters

{ ipv6-policy | policy } policy-name [ seq-number ]: Clears IPsec SAs for the specified IPsec policy.

·     ipv6-policy: Specifies an IPv6 IPsec policy.

·     policy: Specifies an IPv4 IPsec policy.

·     policy-name: Specifies the name of the IPsec policy, a case-insensitive string of 1 to 63 characters.

·     seq-number: Specifies the sequence number of an IPsec policy entry, in the range of 1 to 65535. If you do not specify this argument, all the entries in the IPsec policy are specified.

profile profile-name: Clears IPsec SAs for the IPsec profile specified by its name, a case-insensitive string of 1 to 63 characters.

remote: Clears IPsec SAs for the specified remote address.

·     ipv4-address: Specifies a remote IPv4 address.

·     ipv6 ipv6-address: Specifies a remote IPv6 address.

spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num: Clears IPsec SAs matching the specified SA triplet: the remote address, the security protocol, and the SPI.

·     ipv4-address: Specifies a remote IPv4 address.

·     ipv6 ipv6-address: Specifies a remote IPv6 address.

·     ah: Specifies the AH protocol.

·     esp: Specifies the ESP protocol.

·     spi-num: Specifies the security parameter index in the range of 256 to 4294967295.

Usage guidelines

If you do not specify any parameters, this command clears all IPsec SAs.

If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or ESP).

An outbound SA is uniquely identified by an SA triplet and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you should provide the remote IP address, the security protocol, and the SPI, where the remote IP address can be any valid address if the SAs are established by IPsec profiles. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters.

After a manual IPsec SA is cleared, the system automatically creates a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system creates new SAs only when IKE negotiation is triggered by packets.

Examples

# Clear all IPsec SAs.

<Sysname> reset ipsec sa

# Clear the inbound and outbound IPsec SAs for the triplet of SPI 256, remote IP address 10.1.1.2, and security protocol AH.

<Sysname> reset ipsec sa spi 10.1.1.2 ah 256

# Clear all IPsec SAs for the remote IP address 10.1.1.2.

<Sysname> reset ipsec sa remote 10.1.1.2

# Clear all IPsec SAs for the entry 10 of the IPsec policy policy1.

<Sysname> reset ipsec sa policy policy1 10

# Clear all IPsec SAs for the IPsec policy policy1.

<Sysname> reset ipsec sa policy policy1

Related commands

display ipsec sa

reset ipsec statistics

Use reset ipsec statistics to clear IPsec packet statistics.

Syntax

reset ipsec statistics [ tunnel-id tunnel-id ]

Views

User view

Predefined user roles

network-admin

Parameters

tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id argument is 0 to 4294967295. If you do not specify this option, the command clears all IPsec packet statistics.

Examples

# Clear IPsec packet statistics.

<Sysname> reset ipsec statistics

Related commands

display ipsec statistics

reverse-route dynamic

Use reverse-route dynamic to enable IPsec reverse route inject (RRI).

Use undo reverse-route dynamic to disable IPsec RRI.

Syntax

reverse-route [ next-hop [ ipv6 ] ip-address ] dynamic

undo reverse-route dynamic

Default

IPsec RRI is disabled.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

next-hop: Specifies a next hop IP address for the IPsec RRI-created static route. If you do not specify a next hop IP address, the static route uses the remote IP address of the IPsec tunnel as the next hop IP address.

ipv6: Specifies an IPv6 address.

ip-address: Specifies the next hop IPv4 or IPv6 address.

Usage guidelines

IPsec RRI is usually used on a gateway device at the headquarters side in an IPsec VPN. After IPsec RRI is enabled for an IPsec policy or an IPsec policy template on a gateway device, the gateway device automatically creates a static route upon IPsec SA creation according to this IPsec policy or IPsec policy template. By default, the static route uses the protected peer private network as the destination IP address and the remote IP address of the IPsec tunnel as the next hop address. If there are multiple paths to the remote tunnel end, you can use the next-hop keyword to specify a next hop IP address for the static route.

When you enable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs that are created according to this IPsec policy. When the IPsec SAs are renegotiated, the static routes are created.

When you disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs that are created according to this IPsec policy, and the associated static routes.

To display the static routes created by RRI, use the display ip routing-table command.

Examples

# Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified IPsec policy. The destination IP address is the protected peer private network 3.0.0.0/24, and the next hop is the IP address (1.1.1.2) of the remote tunnel interface.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route dynamic

[Sysname-ipsec-policy-isakmp-1-1] quit

# Display the routing table. You can see a created static route. (Other information is not shown.)

[Sysname] display ip routing-table

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

3.0.0.0/24          Static 60   0            1.1.1.2         GE1/0/1

# Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified IPsec policy. Set the next hop IP address of the static route to 2.2.2.3.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route next-hop 2.2.2.3 dynamic

[Sysname-ipsec-policy-isakmp-1-1] quit

# Display the routing table. You can see a created static route. (Other information is not shown.)

[Sysname] display ip routing-table

...

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

4.0.0.0/24          Static 60   0            2.2.2.3         GE1/0/1

Related commands

display ip routing-table (Layer 3—IP Routing Command Reference)

ipsec policy

ipsec policy-template

reverse-route preference

Use reverse-route preference to set the preference of the static routes created by IPsec RRI.

Use undo reverse-route preference to restore the default.

Syntax

reverse-route preference number

undo reverse-route preference

Default

The preference for the static routes created by IPsec RRI is 60.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

number: Specifies a preference value. The value range is 1 to 255. A smaller value represents a higher preference.

Usage guidelines

When you change this preference in an IPsec policy, the device deletes all IPsec SAs created according to this IPsec policy, and the associated static routes.

Examples

# Change the preference to 100 for static routes created by IPsec RRI.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route preference 100

Related commands

ipsec policy

ipsec policy-template

reverse-route tag

Use reverse-route tag to set a route tag for the static routes created by IPsec RRI.

Use undo reverse-route tag to restore the default.

Syntax

reverse-route tag tag-value

undo reverse-route tag

Default

The route tag value is 0 for the static routes created by IPsec RRI.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

tag-value: Specifies a tag value. The value range is 1 to 4294967295.

Usage guidelines

The tag value set by this command helps in implementing flexible route control through routing policies.

When you change this tag value in an IPsec policy, the device deletes all IPsec SAs created by this IPsec policy, and all associated static routes.

Examples

# Set the tag value to 50 for the static routes created by IPsec RRI.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route tag 50

Related commands

ipsec policy

ipsec policy-template

sa duration

Use sa duration to set an SA lifetime.

Use undo sa duration to remove the SA lifetime.

Syntax

sa duration { time-based seconds | traffic-based kilobytes }

undo sa duration { time-based | traffic-based }

Default

The SA lifetime of an IPsec policy, IPsec policy template, or IPsec profile is the current global SA lifetime.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.

traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.

Usage guidelines

IKE prefers the SA lifetime of the IPsec policy, IPsec policy template, or IPsec profile over the global SA lifetime configured by the ipsec sa global-duration command. If the IPsec policy, IPsec policy template, or IPsec profile is not configured with the SA lifetime, IKE uses the global SA lifetime for SA negotiation.

During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and the remote SA lifetime.

Examples

# Set the SA lifetime for the IPsec policy policy1 to 7200 seconds.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200

# Set the SA lifetime for the IPsec policy policy1 to 20 MB. The IPsec SA expires after transmitting 20480 kilobytes.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480

Related commands

display ipsec sa

ipsec sa global-duration

sa hex-key authentication

Use sa hex-key authentication to configure a hexadecimal authentication key for manual IPsec SAs.

Use undo sa hex-key authentication to remove the hexadecimal authentication key.

Syntax

sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } string

undo sa hex-key authentication { inbound | outbound } { ah | esp }

Default

No hexadecimal authentication key is configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies a hexadecimal authentication key for inbound SAs.

outbound: Specifies a hexadecimal authentication key for outbound SAs.

ah: Uses AH.

esp: Uses ESP.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is case insensitive and must be a 16-byte hexadecimal string for HMAC-MD5, a 20-byte hexadecimal string for HMAC-SHA1, and a 32-byte hexadecimal string for HMAC-SM3. Its encrypted form is a case-sensitive string of 1 to 85 characters.

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set an authentication key for both the inbound and outbound SAs.

The local inbound SA must use the same authentication key as the remote outbound SA, and the local outbound SA must use the same authentication key as the remote inbound SA.

In an IPsec profile to be applied to an IPv6 routing protocol, the local authentication keys of the inbound and outbound SAs must be identical.

If you execute this command multiple times, the most recent configuration takes effect.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

Examples

# Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00

[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00

Related commands

display ipsec sa

sa string-key

sa hex-key encryption

Use sa hex-key encryption to configure a hexadecimal encryption key for manual IPsec SAs.

Use undo sa hex-key encryption to remove the hexadecimal encryption key.

Syntax

sa hex-key encryption { inbound | outbound } esp { cipher | simple } string

undo sa hex-key encryption { inbound | outbound } esp

Default

No hexadecimal encryption key is configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies a hexadecimal encryption key for inbound SAs.

outbound: Specifies a hexadecimal encryption key for outbound SAs.

esp: Uses ESP.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-insensitive hexadecimal string and the key length varies by algorithm.

The following matrix shows the key length for the algorithms:

Algorithm       Key length (bytes)
DES-CBC         8
3DES-CBC        24
AES128-CBC      16
AES192-CBC      24
AES256-CBC      32
SM1128-CBC      16
SM4128-CBC      16

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set an encryption key for both the inbound and outbound SAs.

The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.

In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.

If you execute this command multiple times, the most recent configuration takes effect.

The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

Examples

# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound and outbound IPsec SAs that use ESP.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234

Related commands

display ipsec sa

sa string-key

sa idle-time

Use sa idle-time to set the IPsec SA idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.

Use undo sa idle-time to restore the default.

Syntax

sa idle-time seconds

undo sa idle-time

Default

An IPsec policy, IPsec policy template, or IPsec profile uses the global IPsec SA idle timeout.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.

Usage guidelines

This feature applies only to IPsec SAs negotiated by IKE and takes effect after the ipsec sa idle-time command is configured.

The IPsec SA idle timeout configured by this command takes precedence over the global IPsec SA timeout configured by the ipsec sa idle-time command. If the IPsec policy, IPsec policy template, or IPsec profile is not configured with the SA idle timeout, IKE uses the global SA idle timeout.

Examples

# Set the IPsec SA idle timeout to 600 seconds for the IPsec policy map.

<Sysname> system-view

[Sysname] ipsec policy map 100 isakmp

[Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600

Related commands

display ipsec sa

ipsec sa idle-time

sa soft-duration buffer

Use sa soft-duration buffer to set the time-based or traffic-based IPsec SA soft lifetime buffer.

Use undo sa soft-duration buffer to restore the default.

Syntax

sa soft-duration buffer { time-based seconds | traffic-based kilobytes }

undo sa soft-duration buffer { time-based | traffic-based }

Default

The time-based and traffic-based IPsec SA soft lifetime buffers are not configured.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based IPsec SA soft lifetime buffer in seconds. The value range is 20 to 201600.

traffic-based kilobytes: Specifies the traffic-based IPsec SA soft lifetime buffer in kilobytes. The value range is 1000 to 4294901760.

Usage guidelines

This command takes effect only when IKEv1 is used.

The IPsec SA soft lifetime buffers are used to determine the IPsec SA soft lifetimes.

If no IPsec SA soft lifetime buffers are configured, the system calculates a default time-based and a default traffic-based IPsec SA soft lifetime.

If IPsec SA soft lifetime buffers are configured, the system calculates IPsec SA soft lifetimes as follows:

·     Time-based IPsec SA soft lifetime = time-based IPsec SA lifetime – time-based IPsec SA soft lifetime buffer.

If the calculated time-based IPsec SA soft lifetime is shorter than or equal to 20 seconds, the system uses the default time-based IPsec SA soft lifetime.

·     Traffic-based IPsec SA soft lifetime = traffic-based IPsec SA lifetime – traffic-based IPsec SA soft lifetime buffer.

If the calculated traffic-based IPsec SA soft lifetime is smaller than or equal to 1000 kilobytes, the system uses the default traffic-based IPsec SA soft lifetime.

Examples

# Set the time-based IPsec SA soft lifetime buffer to 600 seconds in IPsec policy example 1.

<Sysname> system-view

[Sysname] ipsec policy example 1 isakmp

[Sysname-ipsec-policy-isakmp-example-1] sa soft-duration buffer time-based 600

# Set the traffic-based IPsec SA soft lifetime buffer to 10000 kilobytes in IPsec policy example 1.

<Sysname> system-view

[Sysname] ipsec policy example 1 isakmp

[Sysname-ipsec-policy-isakmp-example-1] sa soft-duration buffer traffic-based 10000

Related commands

ipsec sa global-soft-duration buffer

sa spi

Use sa spi to configure an SPI for IPsec SAs.

Use undo sa spi to remove the SPI.

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Default

No SPI is configured for IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies an SPI for inbound SAs.

outbound: Specifies an SPI for outbound SAs.

ah: Uses AH.

esp: Uses ESP.

spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295.

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must configure an SPI for both inbound and outbound SAs, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.

The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must use the same SPI as the remote inbound SA.

When you configure an IPsec policy or IPsec profile for an IPv6 routing protocol, follow these guidelines:

·     The local inbound and outbound SAs must use the same SPI.

·     The IPsec SAs on the devices in the same scope must have the same SPI. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.

Examples

# Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec policy.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000

[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
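The sa hex-key authentication, sa hex-key encryption and sa spi descriptions above state several rules that a manual IPsec policy must satisfy (keys and SPIs set in both directions, plaintext hex key length matching the algorithm, SPI range, unique inbound SPIs and unique outbound triplets). The following Python lint, written here as an added example and not H3C code, checks those rules offline against a constructed configuration text; the transform-set algorithms are passed in by the caller, which is assumed to know them, and the configuration, policy names and addresses are constructed.

```python
import re
from collections import defaultdict

# Plaintext hex key lengths in bytes, as listed for sa hex-key authentication/encryption.
AUTH_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sm3": 32}
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "aes128-cbc": 16, "aes192-cbc": 24,
                 "aes256-cbc": 32, "sm1128-cbc": 16, "sm4128-cbc": 16}
SPI_MIN, SPI_MAX = 256, 4294967295  # sa spi value range

POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) manual$")
SPI_RE = re.compile(r"^sa spi (inbound|outbound) (ah|esp) (\d+)$")
KEY_RE = re.compile(r"^sa hex-key (authentication|encryption) (inbound|outbound) (ah|esp) (cipher|simple) (\S+)$")
REMOTE_RE = re.compile(r"^remote-address (\S+)$")

# Constructed sample (not from a real device): "good 10" follows the rules; "bad 20" reuses an
# inbound SPI, has an out-of-range outbound SPI, a too-short HMAC-MD5 key and no outbound key.
GOOD_CONFIG = """\
ipsec policy good 10 manual
 remote-address 10.1.1.2
 sa spi inbound esp 10000
 sa spi outbound esp 20000
 sa hex-key authentication inbound esp simple 112233445566778899aabbccddeeff00
 sa hex-key authentication outbound esp simple aabbccddeeff001100aabbccddeeff00
 sa hex-key encryption inbound esp simple 1234567890abcdef
 sa hex-key encryption outbound esp simple abcdefabcdef1234
 quit
"""
BAD_CONFIG = """\
ipsec policy bad 20 manual
 remote-address 10.1.1.3
 sa spi inbound ah 10000
 sa spi outbound ah 100
 sa hex-key authentication inbound ah simple 0123456789abcdef
 quit
"""
SAMPLE_CONFIG = GOOD_CONFIG + BAD_CONFIG


def parse_manual_policies(config_text):
    """Group sa spi, sa hex-key and remote-address lines under their manual policy entry."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            current = policies.setdefault(f"{m.group(1)} {m.group(2)}", {"spi": {}, "keys": {}, "remote": None})
        elif line == "quit":
            current = None
        elif current is None:
            continue
        elif m := SPI_RE.match(line):  # repeating a command overwrites: the most recent config wins
            current["spi"][(m.group(1), m.group(2))] = int(m.group(3))
        elif m := KEY_RE.match(line):
            current["keys"][(m.group(1), m.group(2), m.group(3))] = (m.group(4), m.group(5))
        elif m := REMOTE_RE.match(line):
            current["remote"] = m.group(1)
    return policies


def _check_key(findings, name, pol, kind, direction, proto, expected_bytes):
    entry = pol["keys"].get((kind, direction, proto))
    if entry is None:
        findings.append(f"{name}: missing {direction} {proto} {kind} key")
        return
    form, value = entry
    if form == "cipher":
        return  # encrypted form: its length says nothing about the key length
    # Plaintext form must be hexadecimal (case-insensitive) and exactly the algorithm's length.
    if expected_bytes is not None and not re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * expected_bytes), value):
        findings.append(f"{name}: {direction} {proto} {kind} key must be {2 * expected_bytes} hex digits")


def lint_manual_policies(config_text, auth_alg, enc_alg=None):
    """Return findings for every manual policy; auth_alg/enc_alg are the (assumed known) transform-set algorithms."""
    findings = []
    inbound_spis = defaultdict(list)       # an inbound SA is identified by its SPI alone
    outbound_triplets = defaultdict(list)  # an outbound SA by (remote address, protocol, SPI)
    for name, pol in parse_manual_policies(config_text).items():
        protocols = {p for (_, p) in pol["spi"]} | {p for (_, _, p) in pol["keys"]}
        for proto in sorted(protocols):
            for direction in ("inbound", "outbound"):  # an SPI is required in both directions
                spi = pol["spi"].get((direction, proto))
                if spi is None:
                    findings.append(f"{name}: missing {direction} {proto} SPI")
                elif not SPI_MIN <= spi <= SPI_MAX:
                    findings.append(f"{name}: {direction} {proto} SPI {spi} out of range {SPI_MIN}-{SPI_MAX}")
                elif direction == "inbound":
                    inbound_spis[spi].append(name)
                else:
                    outbound_triplets[(pol["remote"], proto, spi)].append(name)
            for kind, table, alg in (("authentication", AUTH_KEY_BYTES, auth_alg),
                                     ("encryption", ENC_KEY_BYTES, enc_alg)):
                # A key kind configured in one direction must be configured in both.
                if any((kind, d, proto) in pol["keys"] for d in ("inbound", "outbound")):
                    for direction in ("inbound", "outbound"):
                        _check_key(findings, name, pol, kind, direction, proto, table.get(alg))
    for spi, names in inbound_spis.items():
        if len(names) > 1:
            findings.append(f"inbound SPI {spi} reused by {', '.join(names)}")
    for (remote, proto, spi), names in outbound_triplets.items():
        if len(names) > 1:
            findings.append(f"outbound triplet ({remote}, {proto}, {spi}) reused by {', '.join(names)}")
    return findings
```

Running lint_manual_policies(SAMPLE_CONFIG, "hmac-md5", "des-cbc") reports four findings, all against "bad 20"; the same good policy checked against "hmac-sha1" fails on key length in both directions, which is the mismatch that would keep the two tunnel ends from interoperating.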

Related commands

display ipsec sa

sa string-key

Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.

Use undo sa string-key to remove the key string.

Syntax

sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string

undo sa string-key { inbound | outbound } { ah | esp }

Default

No key string is configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Sets a key string for inbound IPsec SAs.

outbound: Sets a key string for outbound IPsec SAs.

ah: Uses AH.

esp: Uses ESP.

cipher: Specifies a key string in encrypted form.

simple: Specifies a key string in plaintext form. For security purposes, the key string specified in plaintext form will be stored in encrypted form.

string: Specifies the key string. Its encrypted form is a case-sensitive string of 1 to 373 characters. Its plaintext form is a case-sensitive string of 1 to 255 characters. Using the key string, the system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the system automatically generates keys for the authentication algorithm and encryption algorithm.

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set a key for both inbound and outbound SAs.

The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.

If you execute this command multiple times, the most recent configuration takes effect.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

When you configure an IPsec policy or IPsec profile for an IPv6 protocol, follow these guidelines:

·     The local inbound and outbound SAs must use the same key.

·     The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.

Examples

# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab

# In an IPv6 IPsec policy, configure the inbound and outbound SAs that use AH to use the plaintext key abcdef.

<Sysname> system-view

[Sysname] ipsec ipv6-policy policy1 100 manual

[Sysname-ipsec-ipv6-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-ipv6-policy-manual-policy1-100] sa string-key outbound ah simple abcdef

Related commands

display ipsec sa

sa hex-key

sa trigger-mode

Use sa trigger-mode to set the IPsec SA negotiation triggering mode.

Use undo sa trigger-mode to restore the default.

Syntax

sa trigger-mode { auto | traffic-based }

undo sa trigger-mode

Default

IPsec SA negotiation is triggered when traffic requires IPsec protection.

Views

IPsec policy view

Predefined user roles

network-admin

Parameters

auto: Triggers IPsec SA negotiation when required IPsec configuration is complete.

traffic-based: Triggers IPsec SA negotiation when traffic requires IPsec protection.

Usage guidelines

You can specify the IPsec SA negotiation triggering mode only for IKE-based IPsec policies.

Compared to the auto mode, the traffic-based mode is more economical in terms of resource usage because it triggers IPsec SA negotiation only when traffic requires IPsec protection. However, the traffic-based mode leaves traffic unprotected before IPsec SAs are successfully established.

The IPsec SA negotiation triggering modes on the local and remote ends of an IPsec tunnel can be different.

Modifying the IPsec SA negotiation triggering mode does not affect existing IPsec SAs.

If the IPsec SA negotiation triggering mode is set to auto, change the mode to traffic-based as a best practice after IPsec SA establishment is completed.

Examples

# Set the IPsec SA negotiation triggering mode to auto for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] sa trigger-mode auto

security acl

Use security acl to specify an ACL for an IPsec policy or IPsec policy template.

Use undo security acl to restore the default.

Syntax

security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]

undo security acl

Default

An IPsec policy or IPsec policy template does not use any ACL.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL.

acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

aggregation: Specifies the data protection mode as aggregation. The device does not support protecting IPv6 data flows in aggregation mode.

per-host: Specifies the data protection mode as per-host.

Usage guidelines

An IKE-based IPsec policy supports the following data flow protection modes:

·     Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it. The standard mode is used if you do not specify the aggregation or the per-host mode.

·     Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.

·     Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.

A manual IPsec policy supports only the aggregation mode.

A GDOI-based IPsec policy supports only the standard mode. On a GM, do not configure permit rules in the local ACL used by a GDOI-based IPsec policy. Otherwise, packets matching the permit rules are dropped.

Examples

# Specify IPv4 advanced ACL 3001 for the IPsec policy policy1.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] security acl 3001

# Specify IPv4 advanced ACL 3002 for the IPsec policy policy2 and specify the data protection mode as aggregation.

<Sysname> system-view

[Sysname] acl advanced 3002

[Sysname-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255

[Sysname-acl-ipv4-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255

[Sysname-acl-ipv4-adv-3002] quit

[Sysname] ipsec policy policy2 1 isakmp

[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation

Related commands

display ipsec sa

display ipsec tunnel

snmp-agent trap enable ipsec

Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec.

Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec.

Syntax

snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *

undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *

Default

All SNMP notifications for IPsec are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

auth-failure: Specifies notifications about authentication failures.

decrypt-failure: Specifies notifications about decryption failures.

encrypt-failure: Specifies notifications about encryption failures.

global: Specifies notifications globally.

invalid-sa-failure: Specifies notifications about invalid-SA failures.

no-sa-failure: Specifies notifications about SA-not-found failures.

policy-add: Specifies notifications about events of adding IPsec policies.

policy-attach: Specifies notifications about events of applying IPsec policies to interfaces.

policy-delete: Specifies notifications about events of deleting IPsec policies.

policy-detach: Specifies notifications about events of removing IPsec policies from interfaces.

tunnel-start: Specifies notifications about events of creating IPsec tunnels.

tunnel-stop: Specifies notifications about events of deleting IPsec tunnels.

Usage guidelines

If you do not specify any keywords, this command enables or disables all SNMP notifications for IPsec.

To generate and output SNMP notifications for a specific IPsec failure type or event type, perform the following tasks:

1.     Enable SNMP notifications for IPsec globally.

2.     Enable SNMP notifications for the failure type or event type.

Examples

# Enable SNMP notifications for IPsec globally.

<Sysname> system-view

[Sysname] snmp-agent trap enable ipsec global

# Enable SNMP notifications for events of creating IPsec tunnels.

[Sysname] snmp-agent trap enable ipsec tunnel-start

tfc enable

Use tfc enable to enable Traffic Flow Confidentiality (TFC) padding.

Use undo tfc enable to disable the TFC padding feature.

Syntax

tfc enable

undo tfc enable

Default

TFC padding is disabled.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Usage guidelines

The TFC padding feature can hide the length of the original packet, and might affect the packet encapsulation and de-encapsulation performance. This feature takes effect on UDP packets encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode.

Examples

# Enable TFC padding for the IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable

Related commands

display ipsec ipv6-policy

display ipsec policy

transform-set

Use transform-set to specify an IPsec transform set for an IPsec policy, IPsec policy template, or IPsec profile.

Use undo transform-set to remove the IPsec transform set specified for an IPsec policy, IPsec policy template, or IPsec profile.

Syntax

transform-set transform-set-name&<1-6>

undo transform-set [ transform-set-name ]

Default

No IPsec transform set is specified for an IPsec policy, IPsec policy template, or IPsec profile.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets. The specified transform set names must be different. A transform set name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one IPsec transform set for a manual IPsec policy. If you execute this command multiple times, the most recent configuration takes effect.

You can specify a maximum of six IPsec transform sets for an IKE-based IPsec policy. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.

If you do not specify the transform-set-name argument, the undo transform-set command removes all IPsec transform sets specified for the IPsec policy, IPsec policy template, or IPsec profile.

Examples

# Specify the IPsec transform set prop1 for the IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] transform-set prop1

Related commands

ipsec { ipv6-policy | policy }

ipsec profile

ipsec transform-set

tunnel protection ipsec

Use tunnel protection ipsec to apply an IPsec profile to a tunnel interface.

Use undo tunnel protection ipsec to restore the default.

Syntax

tunnel protection ipsec profile profile-name

undo tunnel protection ipsec profile

Default

No IPsec profile is applied to a tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

profile profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters. The specified IPsec profile must be an IKE-based IPsec profile.

Usage guidelines

After an IPsec profile is applied to a tunnel interface, the peers negotiate an IPsec tunnel through IKE to protect data transmitted through the tunnel interface.

Examples

# Apply IPsec profile prf1 to tunnel interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn gre

[Sysname-Tunnel1] tunnel protection ipsec profile prf1

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

display interface tunnel (Layer 3—IP Services Command Reference)

ipsec profile

IKE commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

aaa authorization

Use aaa authorization to enable IKE AAA authorization.

Use undo aaa authorization to disable IKE AAA authorization.

Syntax

aaa authorization domain domain-name username user-name

undo aaa authorization

Default

IKE AAA authorization is disabled.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

username user-name: Specifies the username used for requesting authorization attributes. The username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:

·     The username cannot contain the domain name.

·     The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The username cannot be a, al, or all.

Usage guidelines

The AAA authorization feature enables IKE to request authorization attributes, such as the IKE IPv4 address pool, from AAA.

IKE uses the ISP domain and username to request authorization attributes. AAA uses the authorization settings in the ISP domain to request the user's authorization attributes from the remote AAA server or the local user database. After IKE passes the username authentication, it obtains the authorization attributes.

This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.

Examples

# Create the IKE profile profile1.

<Sysname> system-view

[Sysname] ike profile profile1

# Enable AAA authorization. Specify the ISP domain abc and the username test.

[Sysname-ike-profile-profile1] aaa authorization domain abc username test

authentication-algorithm

Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.

Use undo authentication-algorithm to restore the default.

Syntax

In non-FIPS mode:

authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 | sm3 }

undo authentication-algorithm

In FIPS mode:

authentication-algorithm { sha | sha256 | sha384 | sha512 }

undo authentication-algorithm

Default

In non-FIPS mode, the IKE proposal uses the HMAC-SHA1 authentication algorithm.

In FIPS mode, the IKE proposal uses the HMAC-SHA256 authentication algorithm.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

md5: Specifies HMAC-MD5 as the authentication algorithm.

sha: Specifies HMAC-SHA1 as the authentication algorithm.

sha256: Specifies HMAC-SHA256 as the authentication algorithm.

sha384: Specifies HMAC-SHA384 as the authentication algorithm.

sha512: Specifies HMAC-SHA512 as the authentication algorithm.

sm3: Specifies HMAC-SM3 as the authentication algorithm.

The following matrix shows the sm3 keyword and hardware compatibility:

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-6-X1 | Yes
MSR2600-10-X1 | No
MSR 2630 | No
MSR3600-28/3600-51 | No
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Keyword compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

Examples

# Specify HMAC-SHA1 as the authentication algorithm for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] authentication-algorithm sha

Related commands

display ike proposal

authentication-method

Use authentication-method to specify an authentication method to be used in an IKE proposal.

Use undo authentication-method to restore the default.

Syntax

authentication-method { dsa-signature | pre-share | rsa-de | rsa-signature | sm2-de }

undo authentication-method

Default

The preshared key authentication method is used.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

dsa-signature: Specifies the DSA signature authentication method.

pre-share: Specifies the preshared key authentication method.

rsa-de: Specifies the RSA digital envelope authentication method.

rsa-signature: Specifies the RSA signature authentication method.

sm2-de: Specifies the SM2 digital envelope authentication method.

The following matrix shows the support of the MSR routers for the rsa-de and sm2-de keywords:

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-6-X1 | Yes
MSR2600-10-X1 | No
MSR 2630 | No
MSR3600-28/3600-51 | No
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Keyword compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

Usage guidelines

Preshared key authentication does not require certificates as signature authentication does, and it is usually used in a simple network.

Signature authentication provides higher security, and it is usually deployed in a large-scale network, such as a network with many branches.

In a network with many branches, using preshared key authentication requires the headquarters to configure a preshared key for each branch. Using signature authentication only requires the headquarters to configure one PKI domain.

The digital envelope authentication method is supported only in IKEv1 and must be used if the device is subject to China OSCCA regulations.

Authentication methods configured on both IKE ends must match.

If you specify the RSA or DSA signature authentication method, you must configure the IKE peer to obtain certificates from a CA.

If you specify the preshared key authentication method, you must configure the same preshared key on both IKE ends.

Examples

# Specify the preshared key authentication method for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] authentication-method pre-share

Related commands

display ike proposal

ike keychain

pre-shared-key

certificate domain

Use certificate domain to specify a PKI domain for signature authentication.

Use undo certificate domain to remove a PKI domain for signature authentication.

Syntax

certificate domain domain-name

undo certificate domain domain-name

Default

No PKI domains are specified for signature authentication.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can specify a maximum of six PKI domains for an IKE profile by executing this command multiple times.

IKE uses the specified PKI domains for enrollment, authentication, certificate issuing, validation, and signature. If you do not specify any PKI domains, IKE uses all PKI domains configured on the device.

Follow these restrictions and guidelines for the device to obtain the CA certificate during IKE negotiation:

·     On the initiator:

¡     If the IKE profile has a PKI domain and the automatic certificate request mode is configured for the PKI domain, the initiator automatically obtains the CA certificate.

¡     If the IKE profile has no PKI domain, you must manually obtain the CA certificate.

·     On the responder:

¡     If main mode is used in IKE phase 1, the responder does not automatically obtain the CA certificate. You must manually obtain the CA certificate.

¡     If aggressive mode is used in IKE phase 1, the responder automatically obtains the CA certificate if the following conditions are met:

-     A matching IKE profile is found.

-     A PKI domain is specified in the IKE profile.

-     The automatic certificate request mode is configured for the PKI domain.

If the conditions are not met, you must manually obtain the CA certificate.

IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA certificate already exists locally, IKE automatically requests a local certificate.

Examples

# Specify the PKI domain abc for IKE profile 1.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] certificate domain abc

Related commands

authentication-method

pki domain

client-authentication

Use client-authentication to enable client authentication.

Use undo client-authentication to disable client authentication.

Syntax

client-authentication xauth

undo client-authentication

Default

Client authentication is disabled.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

xauth: Uses Extended Authentication within ISAKMP/Oakley (XAUTH) for authentication.

Usage guidelines

The client authentication feature provides additional authentication in IKE negotiation for secure remote access to an IPsec VPN.

When networking an IPsec VPN for remote access, enable client authentication on the IPsec gateway. During the IKE negotiation, the IPsec gateway uses a RADIUS server to authenticate the remote users. Remote users who provide the correct username and password pass the authentication and continue with the negotiation. This feature simplifies the configuration on the IPsec gateway and ensures the validity of the remote users. If you do not use this feature, you must configure an IPsec policy and an authentication password for each remote user, which is time-consuming and difficult to maintain.

Examples

# Enable XAUTH client authentication.

<Sysname> system-view

[Sysname] ike profile test

[Sysname-ike-profile-test] client-authentication xauth

Related commands

local-user

description

Use description to configure a description for an IKE proposal.

Use undo description to restore the default.

Syntax

description text

undo description

Default

An IKE proposal does not have a description.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

text: Specifies the description, a case-sensitive string of 1 to 80 characters.

Usage guidelines

You can configure different descriptions for IKE proposals to distinguish them.

Examples

# Configure a description of test for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] description test

dh

Use dh to specify the DH group to be used for key negotiation in IKE phase 1.

Use undo dh to restore the default.

Syntax

In non-FIPS mode:

dh { group1 | group14 | group2 | group24 | group5 }

undo dh

In FIPS mode:

dh group14

undo dh

Default

In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used.

In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

group1: Uses the 768-bit Diffie-Hellman group.

group14: Uses the 2048-bit Diffie-Hellman group.

group2: Uses the 1024-bit Diffie-Hellman group.

group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.

group5: Uses the 1536-bit Diffie-Hellman group.

Usage guidelines

A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network.

Examples

# Specify the 2048-bit Diffie-Hellman group group14 to be used for key negotiation in IKE phase 1 in IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] dh group14

Related commands

display ike proposal

display ike proposal

Use display ike proposal to display configuration information about all IKE proposals.

Syntax

display ike proposal

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, this command displays the default IKE proposal.

Examples

# Display the configuration information about all IKE proposals.

<Sysname> display ike proposal

 Priority Authentication Authentication Encryption  Diffie-Hellman Duration

              method       algorithm    algorithm       group      (seconds)

----------------------------------------------------------------------------

 1        RSA-SIG            SHA1        DES-CBC     Group 1        5000

 11       PRE-SHARED-KEY     SHA1        DES-CBC     Group 1        50000

 default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400

Table 89 Command output

Field | Description
Priority | Priority of the IKE proposal.
Authentication method | Authentication method used by the IKE proposal.
Authentication algorithm | Authentication algorithm used in the IKE proposal:
·     MD5—HMAC-MD5 algorithm.
·     SHA1—HMAC-SHA1 algorithm.
·     SHA256—HMAC-SHA256 algorithm.
·     SHA384—HMAC-SHA384 algorithm.
·     SHA512—HMAC-SHA512 algorithm.
·     SM3—HMAC-SM3 algorithm.
Encryption algorithm | Encryption algorithm used by the IKE proposal:
·     3DES-CBC—168-bit 3DES algorithm in CBC mode.
·     AES-CBC-128—128-bit AES algorithm in CBC mode.
·     AES-CBC-192—192-bit AES algorithm in CBC mode.
·     AES-CBC-256—256-bit AES algorithm in CBC mode.
·     DES-CBC—56-bit DES algorithm in CBC mode.
·     SM1-CBC-128—128-bit SM1 algorithm in CBC mode.
·     SM4-CBC-128—128-bit SM4 algorithm in CBC mode.
Diffie-Hellman group | DH group used in IKE negotiation phase 1.
Duration (seconds) | IKE SA lifetime (in seconds) of the IKE proposal.

Related commands

ike proposal
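A small audit of display ike proposal output, as an added example (illustrative code for this page, not Comware code). It parses the table shown above and flags every proposal whose authentication algorithm, encryption algorithm or DH group falls outside what the authentication-algorithm, encryption-algorithm and dh commands accept in FIPS mode; that allow-list comes from the syntax blocks in this chapter, and using it as the bar for non-FIPS devices is the example's own choice. The sample output is the page's, plus a constructed row with priority 5 that passes, so that the audit shows both outcomes. Note that the non-FIPS defaults (DES-CBC, HMAC-SHA1, group1) leave only one of those three settings inside the allow-list, which is why the default proposal is reported.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# What the IKE proposal commands accept in FIPS mode (syntax blocks in this chapter).
# Anything outside these sets is reported.
FIPS_AUTH_ALGORITHMS = {"SHA1", "SHA256", "SHA384", "SHA512"}
FIPS_ENCRYPTION_ALGORITHMS = {"AES-CBC-128", "AES-CBC-192", "AES-CBC-256"}
FIPS_DH_GROUPS = {14}


@dataclass
class IkeProposal:
    priority: str          # a number, or "default" for the built-in proposal
    auth_method: str
    auth_algorithm: str
    encryption: str
    dh_group: int
    lifetime_seconds: int


# One data row: four single-word columns, then "Group N", then the lifetime.
# Header lines and the dashed ruler do not fit this shape and are skipped.
_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+Group\s+(\d+)\s+(\d+)\s*$")


def parse_display_ike_proposal(output: str) -> List[IkeProposal]:
    """Parse the table printed by display ike proposal into IkeProposal records."""
    proposals = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            proposals.append(IkeProposal(m[1], m[2], m[3], m[4], int(m[5]), int(m[6])))
    return proposals


def audit_proposal(p: IkeProposal) -> List[str]:
    """Return the settings of one proposal that fall outside the FIPS-mode sets."""
    findings = []
    if p.auth_algorithm not in FIPS_AUTH_ALGORITHMS:
        findings.append(f"authentication algorithm {p.auth_algorithm} is outside the FIPS-mode set")
    if p.encryption not in FIPS_ENCRYPTION_ALGORITHMS:
        findings.append(f"encryption algorithm {p.encryption} is outside the FIPS-mode set")
    if p.dh_group not in FIPS_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} is outside the FIPS-mode set (only group14)")
    return findings


def audit_display_ike_proposal(output: str) -> Dict[str, List[str]]:
    """Map each proposal priority to its findings; an empty list means it passed."""
    return {p.priority: audit_proposal(p) for p in parse_display_ike_proposal(output)}


# Constructed sample: the output shown above plus one extra row (priority 5).
SAMPLE_OUTPUT = """\
 Priority Authentication Authentication Encryption  Diffie-Hellman Duration
              method       algorithm    algorithm       group      (seconds)
----------------------------------------------------------------------------
 1        RSA-SIG            SHA1        DES-CBC     Group 1        5000
 5        PRE-SHARED-KEY     SHA256      AES-CBC-256 Group 14       86400
 11       PRE-SHARED-KEY     SHA1        DES-CBC     Group 1        50000
 default  PRE-SHARED-KEY     SHA1       DES-CBC     Group 1        86400
"""

if __name__ == "__main__":
    for priority, findings in audit_display_ike_proposal(SAMPLE_OUTPUT).items():
        print(priority, "OK" if not findings else "; ".join(findings))
```

Because display ike proposal lists proposals in descending priority order, a clean high-priority proposal does not protect you on its own: a peer that only offers the weaker set will still negotiate against proposal 11 or the default, so every row that is reachable should pass.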

display ike sa

Use display ike sa to display information about IKE SAs.

Syntax

display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-instance-name ] ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed information.

connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.

remote-address: Displays detailed information about IKE SAs with the specified remote address.

ipv6: Specifies an IPv6 address.

remote-address: Remote IP address.

vpn-instance vpn-instance-name: Displays detailed information about IKE SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To display information about IKE SAs on the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKE SAs.

Examples

# Display summary information about all IKE SAs.

<Sysname> display ike sa

    Connection-ID  Remote          Flag        DOI

  ----------------------------------------------------------

      1            202.38.0.2      RD          IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

Table 90 Command output

Field | Description
Connection-ID | Identifier of the IKE SA.
Remote | Remote IP address of the SA.
Flags | Status of the SA:
·     RD--READY—The SA has been established.
·     RL--REPLACED—The SA has been replaced by a new one and will be deleted later.
·     FD-FADING—The SA is in use, but it is about to expire and will be deleted soon.
·     RK-REKEY—The SA is a Rekey SA.
·     Unknown—The SA status is unknown.
DOI | Interpretation domain to which the SA belongs:
·     IPsec—The SA belongs to an IPsec DOI.
·     Group—The SA belongs to a GDOI.

# Display detailed information about all IKE SAs.

<Sysname> display ike sa verbose

    ---------------------------------------------

    Connection ID: 2

    Outside VPN: 1

    Inside VPN: 1

    Profile: prof1

    Transmitting entity: Initiator

    Initiator cookie: 1bcf453f0a217259

    Responder cookie: 5e32a74dfa66a0a4

    ---------------------------------------------

    Local IP: 4.4.4.4

    Local ID type: IPV4_ADDR

    Local ID: 4.4.4.4

    Remote IP: 4.4.4.5

    Remote ID type: IPV4_ADDR

    Remote ID: 4.4.4.5

    Authentication-method: PRE-SHARED-KEY

    Authentication-algorithm: SHA1

    Encryption-algorithm: AES-CBC-128

    Life duration(sec): 86400

    Remaining key duration(sec): 86379

    Exchange-mode: Main

    Diffie-Hellman group: Group 1

    NAT traversal: Not detected

    Extend authentication: Enabled

    Assigned IP address: 192.168.2.1

    Vendor ID index: 0xa1d

    Vendor ID sequence number: 0x0

# Display detailed information about the IKE SA with the remote address of 4.4.4.5.

<Sysname> display ike sa verbose remote-address 4.4.4.5

    ---------------------------------------------

    Connection ID: 2

    Outside VPN: 1

    Inside VPN: 1

    Profile: prof1

    Transmitting entity: Initiator

    Initiator cookie: 1bcf453f0a217259

    Responder cookie: 5e32a74dfa66a0a4

    ---------------------------------------------

    Local IP: 4.4.4.4

    Local ID type: IPV4_ADDR

    Local ID: 4.4.4.4

    Remote IP: 4.4.4.5

    Remote ID type: IPV4_ADDR

    Remote ID: 4.4.4.5

    Authentication-method: PRE-SHARED-KEY

    Authentication-algorithm: SHA1

    Encryption-algorithm: AES-CBC-128

    Life duration(sec): 86400

    Remaining key duration(sec): 86379

    Exchange-mode: Main

    Diffie-Hellman group: Group 1

    NAT traversal: Not detected

    Extend authentication: Enabled

    Assigned IP address: 192.168.2.1

    Vendor ID index: 0xa1d

    Vendor ID sequence number: 0x0

Table 91 Command output

Field | Description
Connection ID | Identifier of the IKE SA.
Outside VPN | VPN instance name of the MPLS L3VPN to which the receiving interface belongs.
Inside VPN | VPN instance name of the MPLS L3VPN to which the protected data belongs.
Profile | Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing.
Transmitting entity | Role of the IKE negotiation entity: Initiator or Responder.
Initiator cookie | IKE SA initiator cookie.
Responder cookie | IKE SA responder cookie.
Local IP | IP address of the local gateway.
Local ID type | Identifier type of the local gateway.
Local ID | Identifier of the local gateway.
Remote IP | IP address of the remote gateway.
Remote ID type | Identifier type of the remote gateway.
Remote ID | Identifier of the remote security gateway.
Authentication-method | Authentication method used by the IKE proposal.
Authentication-algorithm | Authentication algorithm used by the IKE proposal:
·     MD5—HMAC-MD5 algorithm.
·     SHA1—HMAC-SHA1 algorithm.
·     SHA256—HMAC-SHA256 algorithm.
·     SHA384—HMAC-SHA384 algorithm.
·     SHA512—HMAC-SHA512 algorithm.
·     SM3—HMAC-SM3 algorithm.
Encryption-algorithm | Encryption algorithm used by the IKE proposal:
·     3DES-CBC—168-bit 3DES algorithm in CBC mode.
·     AES-CBC-128—128-bit AES algorithm in CBC mode.
·     AES-CBC-192—192-bit AES algorithm in CBC mode.
·     AES-CBC-256—256-bit AES algorithm in CBC mode.
·     DES-CBC—56-bit DES algorithm in CBC mode.
·     SM1-CBC-128—128-bit SM1 algorithm in CBC mode.
·     SM4-CBC-128—128-bit SM4 algorithm in CBC mode.
Life duration(sec) | Lifetime of the IKE SA in seconds.
Remaining key duration(sec) | Remaining lifetime of the IKE SA in seconds.
Exchange-mode | IKE negotiation mode in phase 1: main mode, GM main mode, or aggressive mode.
Diffie-Hellman group | DH group used for key negotiation in IKE phase 1.
NAT traversal | Whether a NAT gateway is detected.
Extend authentication | Whether extended authentication for clients is enabled.
Assigned IP address | IP address assigned to the remote peer. This field is not displayed if no IP address is assigned.
Vendor ID index | Vendor ID index used when the IKE negotiation was triggered.
Vendor ID sequence number | Vendor ID sequence number used when the IKE negotiation was triggered.

display ike statistics

Use display ike statistics to display IKE statistics.

Syntax

display ike statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IKE statistics.

<Sysname> display ike statistics

IKE statistics:

  No matching proposal: 0

  Invalid ID information: 0

  Unavailable certificate: 0

  Unsupported DOI: 0

  Unsupported situation: 0

  Invalid proposal syntax: 0

  Invalid SPI: 0

  Invalid protocol ID: 0

  Invalid certificate: 0

  Authentication failure: 0

  Invalid flags: 0

  Invalid message id: 0

  Invalid cookie: 0

  Invalid transform ID: 0

  Malformed payload: 0

  Invalid key information: 0

  Invalid hash information: 0

  Unsupported attribute: 0

  Unsupported certificate type: 0

  Invalid certificate authority: 0

  Invalid signature: 0

  Unsupported exchage type: 0

  No available SA: 1

  Retransmit timeout: 0

  Not enough memory: 0

  Enqueue fails: 0

  Failures to send R_U_THERE DPD packets: 0

  Failures to receive R_U_THERE DPD packets: 0

  Failures to send ACK DPD packets: 0

  Failures to receive ACK DPD packets: 0

  Sent P1 SA lifetime change packets: 0

  Received P1 SA lifetime change packets: total=0, process failures=0 (no SA=0, failures to reset SA soft lifetime=0, failures to reset SA hard lifetime=0)

  Sent P2 SA lifetime change packets: 0

  Received P2 SA lifetime change packets: total=0, process failures=0

Related commands

reset ike statistics

dpd

Use dpd to configure IKE DPD.

Use undo dpd to disable IKE DPD.

Syntax

dpd interval interval [ retry seconds ] { on-demand | periodic }

undo dpd interval

Default

IKE DPD is disabled.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds.

retry seconds: Specifies the DPD retry interval in the range of 1 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.

It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.

Examples

# Configure on-demand DPD with a triggering interval of 10 seconds and a retry interval of 5 seconds for when the peer does not respond.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] dpd interval 10 retry 5 on-demand

Related commands

ike dpd

encryption-algorithm

Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.

Use undo encryption-algorithm to restore the default.

Syntax

In non-FIPS mode:

encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | sm1-cbc-128 | sm4-cbc }

undo encryption-algorithm

In FIPS mode:

encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }

undo encryption-algorithm

Default

In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.

In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.

aes-cbc-128: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit key for encryption.

aes-cbc-192: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 192-bit key for encryption.

aes-cbc-256: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 256-bit key for encryption.

des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption.

sm1-cbc-128: Uses the SM1 algorithm in CBC mode as the encryption algorithm. The SM1 algorithm uses a 128-bit key for encryption.

The following matrix shows the sm1-cbc-128 keyword and hardware compatibility:

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1 | Yes
MSR2600-10-X1 | No
MSR 2630 | No
MSR3600-28/3600-51 | No
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Keyword compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

sm4-cbc: Uses the SM4 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1.

The following matrix shows the sm4-cbc keyword and hardware compatibility:

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-6-X1 | Yes
MSR2600-10-X1 | No
MSR 2630 | No
MSR3600-28/3600-51 | No
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Keyword compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

Examples

# Use the 128-bit AES in CBC mode as the encryption algorithm for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] encryption-algorithm aes-cbc-128

Related commands

display ike proposal

exchange-mode

Use exchange-mode to select an IKE negotiation mode for phase 1.

Use undo exchange-mode to restore the default.

Syntax

In non-FIPS mode:

exchange-mode { aggressive | gm-main | main }

undo exchange-mode

In FIPS mode:

exchange-mode main

undo exchange-mode

Default

Main mode is used for phase 1.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

aggressive: Specifies the aggressive mode.

gm-main: Specifies the GM main mode.

The following matrix shows the gm-main keyword and hardware compatibility:

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-6-X1 | Yes
MSR2600-10-X1 | No
MSR 2630 | No
MSR3600-28/3600-51 | No
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Keyword compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

main: Specifies the main mode.

Usage guidelines

As a best practice, specify the aggressive mode at the local end if the following conditions are met:

·     The local end, for example, a dialup user, obtains an IP address automatically.

·     Preshared key authentication is used.

Examples

# Specify that IKE negotiation operates in main mode.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] exchange-mode main

Related commands

display ike proposal

ike address-group

Use ike address-group to configure an IKE IPv4 address pool for assigning IPv4 addresses to remote peers.

Use undo ike address-group to delete an IKE IPv4 address pool.

Syntax

ike address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]

undo ike address-group group-name

Default

No IKE IPv4 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKE IPv4 address pool, a case-insensitive string of 1 to 63 characters.

start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.

mask: Specifies the IPv4 address mask.

mask-length: Specifies the length of the IPv4 address mask.

Usage guidelines

An IKE IPv4 address pool can contain a maximum of 8192 IPv4 addresses.

To modify or delete an address pool, you must delete all IKE SAs and IPsec SAs. Otherwise, the assigned IPv4 addresses might not be reclaimed.
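The pool limits and the reclaim guideline above, modeled as an added example (illustrative code for this page, not Comware code). It accepts the same arguments as ike address-group, normalizes a dotted mask or a mask length, rejects a range of more than 8192 addresses, and tracks assignments per peer so that "delete all SAs first" becomes a checkable condition: a pool is only safe to modify when every assigned address has been released. The peer identities and the assignment order (lowest free address first) are assumptions of the example.

```python
import ipaddress
from typing import Dict, Optional, Union

MAX_POOL_ADDRESSES = 8192          # limit stated in the usage guidelines


class IkeAddressPool:
    """Model of one 'ike address-group' pool with assignment and reclaim tracking."""

    def __init__(self, name: str, start: str, end: str,
                 mask: Optional[Union[str, int]] = None) -> None:
        if not 1 <= len(name) <= 63:
            raise ValueError("pool name must be 1 to 63 characters")
        self.name = name
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        if self.end < self.start:
            raise ValueError("end address precedes start address")
        self.size = int(self.end) - int(self.start) + 1
        if self.size > MAX_POOL_ADDRESSES:
            raise ValueError(f"pool holds {self.size} addresses, limit is {MAX_POOL_ADDRESSES}")
        self.prefix_len = self._normalize_mask(mask)
        self._assigned: Dict[str, ipaddress.IPv4Address] = {}   # peer identity -> address

    @staticmethod
    def _normalize_mask(mask: Optional[Union[str, int]]) -> Optional[int]:
        """Accept a dotted mask ('255.255.255.0') or a length (32); return the length."""
        if mask is None:
            return None
        if isinstance(mask, int):
            if not 0 <= mask <= 32:
                raise ValueError("mask length must be 0 to 32")
            return mask
        # IPv4Network rejects non-contiguous masks such as 255.0.255.0.
        return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

    def assign(self, peer: str) -> ipaddress.IPv4Address:
        """Give the peer the lowest free address; a known peer keeps its address."""
        if peer in self._assigned:
            return self._assigned[peer]
        in_use = set(self._assigned.values())
        for offset in range(self.size):
            candidate = self.start + offset
            if candidate not in in_use:
                self._assigned[peer] = candidate
                return candidate
        raise RuntimeError(f"pool {self.name} is exhausted")

    def release(self, peer: str) -> None:
        """Deleting the peer's IKE and IPsec SAs is what reclaims its address."""
        self._assigned.pop(peer, None)

    def assigned_count(self) -> int:
        return len(self._assigned)

    def safe_to_modify(self) -> bool:
        """True only when nothing is assigned, mirroring the delete-all-SAs-first guideline."""
        return not self._assigned


def demo() -> Dict[str, object]:
    """Walk through assign/release on the pool from the examples below (constructed peers)."""
    pool = IkeAddressPool("ipv4group", "1.1.1.1", "1.1.1.2", "255.255.255.0")
    first = str(pool.assign("spoke-a"))
    second = str(pool.assign("spoke-b"))
    try:
        pool.assign("spoke-c")
        exhausted = False
    except RuntimeError:
        exhausted = True
    blocked = not pool.safe_to_modify()
    pool.release("spoke-a")
    pool.release("spoke-b")
    return {"first": first, "second": second, "exhausted": exhausted,
            "modify_blocked_while_assigned": blocked,
            "safe_after_release": pool.safe_to_modify()}


if __name__ == "__main__":
    print(demo())
```

Sizing the pool on paper before configuring it avoids the silent failure mode of a two-address pool serving a third spoke, and the safe_to_modify check is the condition to verify (via display ike sa) before editing or deleting a pool in production.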

Examples

# Configure an IKE IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask 255.255.255.0.

<Sysname> system-view

[Sysname] ike address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0

# Configure an IKE IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask length 32.

<Sysname> system-view

[Sysname] ike address-group ipv4group 1.1.1.1 1.1.1.2 32

Related commands

aaa authorization

ike compatible-sm4 enable

Use ike compatible-sm4 enable to enable SM4-CBC key length compatibility.

Use undo ike compatible-sm4 enable to restore the default.

Syntax

ike compatible-sm4 enable

undo ike compatible-sm4 enable

Default

SM4-CBC key length compatibility is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-6-X1 | Yes
MSR2600-10-X1 | No
MSR 2630 | No
MSR3600-28/3600-51 | No
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

Hardware | Command compatibility
MSR810-LM-GL | Yes
MSR810-W-LM-GL | Yes
MSR830-6EI-GL | Yes
MSR830-10EI-GL | Yes
MSR830-6HI-GL | Yes
MSR830-10HI-GL | Yes
MSR2600-6-X1-GL | Yes
MSR3600-28-SI-GL | Yes

This command is not supported in FIPS mode.

By default, IKE negotiation between two peers using the SM4-CBC encryption algorithm will fail if the peers use different SM4-CBC key lengths. You can enable SM4-CBC key length compatibility so the local IKE peer can successfully negotiate with a remote peer that uses a different SM4-CBC key length.

Examples

# Enable SM4-CBC key length compatibility.

<Sysname> system-view

[Sysname] ike compatible-sm4 enable

ike dpd

Use ike dpd to configure global IKE DPD.

Use undo ike dpd to disable global IKE DPD.

Syntax

ike dpd interval interval [ retry seconds ] { on-demand | periodic }

undo ike dpd interval

Default

Global IKE DPD is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds.

retry seconds: Specifies the DPD retry interval in the range of 1 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKE peers. For earlier detection of dead peers, use the periodic mode, which consumes more bandwidth and CPU.

When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.

It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.

Examples

# Configure on-demand DPD with a triggering interval of 10 seconds and a retry interval of 5 seconds.

<Sysname> system-view

[Sysname] ike dpd interval 10 retry 5 on-demand

Related commands

dpd

ike identity

Use ike identity to specify the global identity used by the local end during IKE negotiations.

Use undo ike identity to restore the default.

Syntax

ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }

undo ike identity

Default

The IP address of the interface where the IPsec policy applies is used as the IKE identity.

Views

System view

Predefined user roles

network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the identity.

dn: Uses the DN in the digital signature as the identity.

fqdn fqdn-name: Uses an FQDN as the identity. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.

user-fqdn user-fqdn-name: Uses a user FQDN as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, abc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.

Usage guidelines

The global local identity can be used for all IKE SA negotiations. The local identity (set by the local-identity command for an IKE profile) can be used only for IKE SA negotiations that use the IKE profile.

If the local authentication method is signature authentication, you can set an identity of any type. If the local authentication method is preshared key authentication, you cannot set the DN as the identity.

The ike signature-identity from-certificate command sets the local device to always use the identity information obtained from the local certificate for signature authentication. If the ike signature-identity from-certificate command is not set, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.

Examples

# Set the IP address 2.2.2.2 as the identity.

<Sysname> system-view

[Sysname] ike identity address 2.2.2.2

Related commands

local-identity

ike signature-identity from-certificate

ike invalid-spi-recovery enable

Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.

Use undo ike invalid-spi-recovery enable to disable invalid SPI recovery.

Syntax

ike invalid-spi-recovery enable

undo ike invalid-spi-recovery enable

Default

Invalid SPI recovery is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses the SAs it had with the other peer. When the recovered peer receives a data packet for which it cannot find an SA, it encounters an invalid SPI: it drops the packet and tries to send an invalid SPI notification to the originator. The notification can only be sent over an IKE SA, so if no IKE SA exists, the notification is never sent. The originator keeps sending data on the IPsec SA with the now-invalid SPI, and the receiving peer keeps dropping the traffic.

The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that the invalid SPI notification can be sent. Upon receiving the notification, the originator deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs are set up.

Use caution when you enable invalid SPI recovery, because the feature can be turned into a DoS vector: an attacker who sends the device a large number of packets with invalid SPIs can make it start an IKE negotiation and send an invalid SPI notification for each of them.

Examples

# Enable invalid SPI recovery.

<Sysname> system-view

[Sysname] ike invalid-spi-recovery enable

ike keepalive interval

Use ike keepalive interval to set the IKE keepalive interval.

Use undo ike keepalive interval to restore the default.

Syntax

ike keepalive interval interval

undo ike keepalive interval

Default

No IKE keepalives are sent.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800.

Usage guidelines

To detect the status of the peer, configure IKE DPD instead of the IKE keepalive feature, unless IKE DPD is not supported on the peer.

The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times the keepalive interval.

Examples

# Set the keepalive interval to 200 seconds.

<Sysname> system-view

[Sysname] ike keepalive interval 200

Related commands

ike keepalive timeout

ike keepalive timeout

Use ike keepalive timeout to set the IKE keepalive timeout time.

Use undo ike keepalive timeout to restore the default.

Syntax

ike keepalive timeout seconds

undo ike keepalive timeout

Default

The IKE keepalive timeout time is not set.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the keepalive timeout time in seconds. The value range for this argument is 20 to 28800.

Usage guidelines

If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.

The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times as long as the keepalive interval.

Examples

# Set the keepalive timeout time to 20 seconds.

<Sysname> system-view

[Sysname] ike keepalive timeout 20

Related commands

ike keepalive interval

ike keychain

Use ike keychain to create an IKE keychain and enter its view, or enter the view of an existing IKE keychain.

Use undo ike keychain to delete an IKE keychain.

Syntax

ike keychain keychain-name [ vpn-instance vpn-instance-name ]

undo ike keychain keychain-name [ vpn-instance vpn-instance-name ]

Default

No IKE keychains exist.

Views

System view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IKE keychain belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.

Usage guidelines

To use preshared key authentication, you must create and specify an IKE keychain for the IKE profile.

Examples

# Create the IKE keychain key1 and enter its view.

<Sysname> system-view

[Sysname] ike keychain key1

[Sysname-ike-keychain-key1]

Related commands

authentication-method

pre-shared-key

ike limit

Use ike limit to set the maximum number of half-open or established IKE SAs.

Use undo ike limit to restore the default.

Syntax

ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }

undo ike limit { max-negotiating-sa | max-sa }

Default

There is no limit to the maximum number of half-open or established IKE SAs.

Views

System view

Predefined user roles

network-admin

Parameters

max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs and IPsec SAs. The value range for the negotiation-limit argument is 1 to 99999.

max-sa sa-limit: Specifies the maximum number of established IKE SAs. The value range for the sa-limit argument is 1 to 99999.

Usage guidelines

The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.

The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.

Examples

# Set the maximum number of half-open IKE SAs and IPsec SAs to 200.

<Sysname> system-view

[Sysname] ike limit max-negotiating-sa 200

# Set the maximum number of established IKE SAs to 5000.

<Sysname> system-view

[Sysname] ike limit max-sa 5000

ike logging negotiation enable

Use ike logging negotiation enable to enable logging for IKE negotiation.

Use undo ike logging negotiation enable to disable logging for IKE negotiation.

Syntax

ike logging negotiation enable

undo ike logging negotiation enable

Default

Logging for IKE negotiation is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to output logs for the IKE negotiation process.

This command is available only in non-FIPS mode.

Examples

# Enable logging for IKE negotiation.

<Sysname> system-view

[Sysname] ike logging negotiation enable

ike nat-keepalive

Use ike nat-keepalive to set the NAT keepalive interval.

Use undo ike nat-keepalive to restore the default.

Syntax

ike nat-keepalive seconds

undo ike nat-keepalive

Default

The NAT keepalive interval is 20 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.

Usage guidelines

This command takes effect only for a device that resides in the private network behind a NAT gateway. The device behind the NAT gateway needs to send NAT keepalives to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime. For information about how to display the lifetime of NAT sessions, see Layer 3–IP Services Command Reference.
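The guidelines in this section and in the preceding ike address-group, ike dpd and ike keepalive sections are easy to violate when the two peers are configured separately, because the keepalive rule relates the local timeout to the peer's interval. The following Python linter is an added example, not H3C code: it parses those system-view commands out of a saved configuration for each peer and reports the violations. The two sample configurations and the NAT session lifetime value are constructed for illustration; on a real device, read the lifetime from the NAT display commands as the reference says.

```python
"""Lint the IKE timer and address-pool rules from this reference (added example, not H3C code).

Parses the system-view commands documented here out of saved configurations:
  ike address-group, ike dpd, ike keepalive interval/timeout, ike nat-keepalive
and checks the usage guidelines that go with them.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IkeTimers:
    pools: Dict[str, int] = field(default_factory=dict)  # pool name -> number of addresses
    dpd_interval: Optional[int] = None
    dpd_retry: int = 5              # documented default for "retry"
    dpd_mode: Optional[str] = None
    keepalive_interval: Optional[int] = None
    keepalive_timeout: Optional[int] = None
    nat_keepalive: int = 20         # documented default


def parse_ike_timers(config: str) -> IkeTimers:
    """Extract the relevant commands; unrelated lines are ignored."""
    t = IkeTimers()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ike address-group (\S+) (\S+) (\S+) \S+", line)
        if m:
            name, start, end = m.group(1), m.group(2), m.group(3)
            t.pools[name] = int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1
            continue
        m = re.fullmatch(r"ike dpd interval (\d+)(?: retry (\d+))? (on-demand|periodic)", line)
        if m:
            t.dpd_interval = int(m.group(1))
            if m.group(2):
                t.dpd_retry = int(m.group(2))
            t.dpd_mode = m.group(3)
            continue
        m = re.fullmatch(r"ike keepalive interval (\d+)", line)
        if m:
            t.keepalive_interval = int(m.group(1))
            continue
        m = re.fullmatch(r"ike keepalive timeout (\d+)", line)
        if m:
            t.keepalive_timeout = int(m.group(1))
            continue
        m = re.fullmatch(r"ike nat-keepalive (\d+)", line)
        if m:
            t.nat_keepalive = int(m.group(1))
    return t


def lint_ike_timers(local: IkeTimers, peer: Optional[IkeTimers] = None,
                    nat_session_lifetime: Optional[int] = None) -> List[str]:
    """Return one finding per violated guideline; an empty list means clean."""
    findings: List[str] = []
    for name, size in local.pools.items():
        if size > 8192:
            findings.append(f"pool {name}: {size} addresses exceeds the 8192 maximum")
    if local.dpd_interval is not None and local.dpd_interval <= local.dpd_retry:
        findings.append(f"dpd: triggering interval {local.dpd_interval}s should be longer "
                        f"than retry interval {local.dpd_retry}s")
    if local.dpd_interval is not None and local.keepalive_interval is not None:
        findings.append("keepalive: IKE keepalive and DPD are both enabled; prefer DPD alone")
    # The keepalive timeout rule relates the LOCAL timeout to the PEER's interval,
    # so it can only be checked with both configurations in hand.
    if peer is not None and local.keepalive_timeout is not None and peer.keepalive_interval is not None:
        if local.keepalive_timeout <= peer.keepalive_interval:
            findings.append(f"keepalive: local timeout {local.keepalive_timeout}s must exceed "
                            f"peer interval {peer.keepalive_interval}s")
        elif local.keepalive_timeout < 3 * peer.keepalive_interval:
            findings.append(f"keepalive: local timeout {local.keepalive_timeout}s is below 3x "
                            f"peer interval {peer.keepalive_interval}s")
    if nat_session_lifetime is not None and local.nat_keepalive >= nat_session_lifetime:
        findings.append(f"nat-keepalive: {local.nat_keepalive}s is not shorter than the NAT "
                        f"session lifetime {nat_session_lifetime}s")
    return findings


# Constructed sample configurations for two peers (not taken from a real device).
HUB_CONFIG = """\
 ike address-group pool1 10.0.0.1 10.0.63.254 255.255.192.0
 ike dpd interval 5 retry 5 on-demand
 ike keepalive interval 200
 ike keepalive timeout 300
 ike nat-keepalive 60
"""
SPOKE_CONFIG = """\
 ike keepalive interval 200
 ike keepalive timeout 600
"""


def demo(nat_session_lifetime: int = 30):
    """Lint each peer against the other; the NAT session lifetime is an assumed value."""
    hub, spoke = parse_ike_timers(HUB_CONFIG), parse_ike_timers(SPOKE_CONFIG)
    return lint_ike_timers(hub, spoke, nat_session_lifetime), lint_ike_timers(spoke, hub)


if __name__ == "__main__":
    for side, findings in zip(("hub", "spoke"), demo()):
        print(side, findings or "clean")
```

Run it against both saved configurations before a change window; the hub side above trips every rule (an oversized pool, a DPD interval no longer than its retry, keepalive and DPD both enabled, a keepalive timeout under three times the spoke's interval, and a NAT keepalive no shorter than the assumed session lifetime), while the spoke side is clean.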

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ike nat-keepalive 5

ike profile

Use ike profile to create an IKE profile and enter its view, or enter the view of an existing IKE profile.

Use undo ike profile to delete an IKE profile.

Syntax

ike profile profile-name

undo ike profile profile-name

Default

No IKE profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters.

Examples

# Create IKE profile 1 and enter its view.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1]

ike proposal

Use ike proposal to create an IKE proposal and enter its view, or enter the view of an existing IKE proposal.

Use undo ike proposal to delete an IKE proposal.

Syntax

ike proposal proposal-number

undo ike proposal proposal-number

Default

An IKE proposal exists, which has the lowest priority and uses the following settings:

·     Encryption algorithm—DES-CBC in non-FIPS mode and AES-CBC-128 in FIPS mode.

·     Authentication algorithm—HMAC-SHA1 in non-FIPS mode and SHA256 in FIPS mode.

·     Authentication method—Preshared key authentication.

·     DH group—Group 1 in non-FIPS mode and group 14 in FIPS mode.

·     IKE SA lifetime—86400 seconds.

You cannot change the settings of the default IKE proposal.

Views

System view

Predefined user roles

network-admin

Parameters

proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.

Usage guidelines

During IKE negotiation:

·     The initiator sends its IKE proposals to the peer.

¡     If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified for the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.

¡     If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.

·     The responder searches its own IKE proposals for a match, starting from the IKE proposal with the highest priority and proceeding in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If no user-defined IKE proposals match, the two peers use their default IKE proposals to establish the IKE SA.
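The selection procedure above, modelled in Python as an added example (not H3C code). Proposals are compared on the four negotiated attributes this reference lists (encryption algorithm, authentication algorithm, authentication method, DH group); the IKE SA lifetime is deliberately left out of the comparison, which is an assumption of the model. The proposal sets are constructed for the run.

```python
"""Model of IKE proposal selection as described in this reference (added example, not H3C code).

Proposals are compared on encryption, authentication algorithm, authentication
method and DH group. The IKE SA lifetime is not compared (an assumption here).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    number: int            # lower number = higher priority; 0 marks the built-in default
    encryption: str
    auth_algorithm: str
    auth_method: str
    dh_group: str
    lifetime: int = 86400

    def matches(self, other: "IkeProposal") -> bool:
        return (self.encryption, self.auth_algorithm, self.auth_method, self.dh_group) == \
               (other.encryption, other.auth_algorithm, other.auth_method, other.dh_group)


# The default proposals listed in this reference; they always have the lowest priority.
DEFAULT_NON_FIPS = IkeProposal(0, "des-cbc", "sha1", "pre-share", "group1")
DEFAULT_FIPS = IkeProposal(0, "aes-cbc-128", "sha256", "pre-share", "group14")


def initiator_offer(all_proposals: List[IkeProposal],
                    profile_proposals: Optional[List[IkeProposal]] = None,
                    default: IkeProposal = DEFAULT_NON_FIPS) -> List[IkeProposal]:
    """The list the initiator sends, in priority order, default last.

    With an IKE profile the profile's own order applies; without one, every
    proposal is sent, lower numbers first.
    """
    ordered = list(profile_proposals) if profile_proposals else sorted(all_proposals, key=lambda p: p.number)
    return ordered + [default]


def responder_select(offered: List[IkeProposal], local_proposals: List[IkeProposal],
                     default: IkeProposal = DEFAULT_NON_FIPS) -> Optional[Tuple[IkeProposal, IkeProposal]]:
    """Search the responder's proposals from highest priority downward, default last.

    Returns (responder proposal, matching offered proposal), or None when even the
    defaults differ (for example one side in FIPS mode and the other not).
    """
    for local in sorted(local_proposals, key=lambda p: p.number) + [default]:
        for offer in offered:
            if local.matches(offer):
                return local, offer
    return None


def negotiate(initiator: List[IkeProposal], responder: List[IkeProposal],
              initiator_profile_order: Optional[List[IkeProposal]] = None,
              default: IkeProposal = DEFAULT_NON_FIPS) -> Optional[Tuple[int, int]]:
    """Return (responder proposal number, initiator proposal number) that were agreed."""
    chosen = responder_select(initiator_offer(initiator, initiator_profile_order, default), responder, default)
    return None if chosen is None else (chosen[0].number, chosen[1].number)


# Constructed proposal sets for a worked run.
STRONG = IkeProposal(10, "aes-cbc-256", "sha256", "pre-share", "group14")
LEGACY = IkeProposal(20, "aes-cbc-128", "sha1", "pre-share", "group2")
RESP_LEGACY_FIRST = IkeProposal(5, "aes-cbc-128", "sha1", "pre-share", "group2")
RESP_STRONG = IkeProposal(30, "aes-cbc-256", "sha256", "pre-share", "group14")
RESP_3DES = IkeProposal(5, "3des-cbc", "sha1", "pre-share", "group2")


def demo():
    return {
        # Responder priority decides: its number-5 proposal matches the initiator's number 20.
        "responder_priority_wins": negotiate([STRONG, LEGACY], [RESP_LEGACY_FIRST, RESP_STRONG]),
        # Same proposals, but the initiator's IKE profile lists STRONG only: STRONG is agreed.
        "profile_order": negotiate([STRONG, LEGACY], [RESP_LEGACY_FIRST, RESP_STRONG], [STRONG]),
        # No user-defined match: both sides silently fall back to DES-CBC / group 1.
        "default_fallback": negotiate([STRONG], [RESP_3DES]),
        # FIPS responder vs non-FIPS initiator: even the defaults differ, negotiation fails.
        "fips_mismatch": responder_select(initiator_offer([STRONG]), [RESP_3DES], DEFAULT_FIPS),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two things the model makes visible. The responder's own ordering decides which offered proposal is taken, so an initiator cannot force its strongest proposal by listing it first; restricting the proposals through the IKE profile is what removes the weaker option from the offer. And when the user-defined sets do not overlap at all, two non-FIPS peers silently agree on the unchangeable default, DES-CBC with DH group 1. Keep the sets overlapping on purpose and confirm the negotiated algorithms on the device after the tunnel comes up.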

Examples

# Create IKE proposal 1 and enter its view.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1]

Related commands

display ike proposal

ike signature-identity from-certificate

Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication.

Use undo ike signature-identity from-certificate to restore the default.

Syntax

ike signature-identity from-certificate

undo ike signature-identity from-certificate

Default

The local end uses the identity information specified by local-identity or ike identity for signature authentication.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command requires the local device to always use the identity information in the local certificate for signature authentication, regardless of the local-identity or ike identity configuration.

Configure this command when the aggressive mode and signature authentication are used and the device interconnects with a Comware 5-based peer device. Comware 5 supports only DN for signature authentication.

If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.

Examples

# Configure the local device to always obtain the identity information from the local certificate for signature authentication.

<Sysname> system-view

[Sysname] ike signature-identity from-certificate

Related commands

local-identity

ike identity

inside-vpn

Use inside-vpn to specify an inside VPN instance.

Use undo inside-vpn to restore the default.

Syntax

inside-vpn vpn-instance vpn-instance-name

undo inside-vpn

Default

No inside VPN instance is specified for an IKE profile. The device forwards protected data to the VPN instance where the interface that receives the data resides.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the device forwards protected data. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

This command determines where the device should forward received IPsec protected data. If you configure this command, the device looks for a route in the specified VPN to forward the data. If you do not configure this command, the device looks for a route in the VPN instance where the receiving interface resides to forward the data.

Examples

# Specify the inside VPN instance vpn1 for IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] inside-vpn vpn-instance vpn1

keychain

Use keychain to specify an IKE keychain for preshared key authentication.

Use undo keychain to remove an IKE keychain.

Syntax

keychain keychain-name

undo keychain keychain-name

Default

No IKE keychain is specified for preshared key authentication.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority.

Examples

# Specify the IKE keychain abc for IKE profile 1.

<Sysname> system-view

[Sysname] ike profile 1

[Sysname-ike-profile-1] keychain abc

Related commands

ike keychain

local-identity

Use local-identity to configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.

Use undo local-identity to restore the default.

Syntax

local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }

undo local-identity

Default

No local ID is configured for an IKE profile. An IKE profile uses the local ID configured in system view by using the ike identity command. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy is applied as the local ID.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.

dn: Uses the DN in the local certificate as the local ID.

fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.

user-fqdn user-fqdn-name: Uses a user FQDN as the local ID. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as abc@test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.

Usage guidelines

For digital signature authentication, the device can use any type of ID. For preshared key authentication, the device can use any type of ID other than the DN.

In digital signature authentication, if the local ID is an IP address that is different from the IP address in the local certificate, the device uses its FQDN instead. The FQDN is the device name configured by using the sysname command.

An IKE profile can have only one local ID.

An IKE profile with no local ID specified uses the local ID configured by using the ike identity command in system view.

Examples

# Set the local ID to IP address 2.2.2.2.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] local-identity address 2.2.2.2

Related commands

match remote

ike identity

match local address (IKE keychain view)

Use match local address to specify a local interface or IP address to which an IKE keychain can be applied.

Use undo match local address to restore the default.

Syntax

match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

undo match local address

Default

An IKE keychain can be applied to any local interface or IP address.

Views

IKE keychain view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option.

Usage guidelines

Use this command to specify which address or interface can use the IKE keychain for IKE negotiation. Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. To give an IKE keychain a higher priority, you can configure this command for the keychain. For example, suppose you specified IKE keychain A before specifying IKE keychain B, and you configured the peer address 2.2.0.0/16 for IKE keychain A and the peer address 2.2.2.0/24 for IKE keychain B (by using the pre-shared-key command). For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKE keychain A is preferred because IKE keychain A was specified earlier. To use IKE keychain B, you can use this command to restrict the application scope of IKE keychain B to address 3.3.3.3.

Examples

# Create the IKE keychain key1.

<Sysname> system-view

[Sysname] ike keychain key1

# Apply the IKE keychain key1 to the interface with the IP address 2.2.2.2 in the VPN instance vpn1.

[Sysname-ike-keychain-key1] match local address 2.2.2.2 vpn-instance vpn1

match local address (IKE profile view)

Use match local address to specify a local interface or IP address to which an IKE profile can be applied.

Use undo match local address to restore the default.

Syntax

match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }

undo match local address

Default

An IKE profile can be applied to any local interface or IP address.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option.

Usage guidelines

Use this command to specify which address or interface can use the IKE profile for IKE negotiation. Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.

An IKE profile configured earlier has a higher priority. To give an IKE profile that is configured later a higher priority, you can configure this command for the profile. For example, suppose you configured IKE profile A before configuring IKE profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKE profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKE profile B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B, you can use this command to restrict the application scope of IKE profile B to address 3.3.3.3.

Examples

# Create the IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

# Apply the IKE profile prof1 to the interface with the IP address 2.2.2.2 in the VPN instance vpn1.

[Sysname-ike-profile-prof1] match local address 2.2.2.2 vpn-instance vpn1

match remote

Use match remote to configure a peer ID for IKE profile matching.

Use undo match remote to delete a peer ID for IKE profile matching.

Syntax

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }

undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }

Default

No peer ID is configured for IKE profile matching.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching. The policy-name argument is a string of 1 to 31 characters.

identity: Uses the specified information as the peer ID for IKE profile matching. The specified information is configured on the peer by using the local-identity command.

·     address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKE profile matching. The mask-length argument is in the range of 0 to 32.

·     address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.

·     address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKE profile matching. The prefix-length argument is in the range of 0 to 128.

·     address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.

·     fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

·     user-fqdn user-fqdn-name: Uses the peer's user FQDN as the peer ID for IKE profile matching. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as abc@test.com.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified address or addresses belong. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the address or addresses belong to the public network, do not specify this option.

Usage guidelines

When an end needs to select an IKE profile, it compares the peer's ID received with the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation.

Each IKE profile must have at least one peer ID configured. To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.

For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.

Examples

# Create the IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

# Configure a peer ID with the identity type of FQDN and the value of www.test.com.

[Sysname-ike-profile-prof1] match remote identity fqdn www.test.com

# Configure a peer ID with the identity type of IP address and the value of 10.1.1.1.

[Sysname-ike-profile-prof1] match remote identity address 10.1.1.1

Related commands

local-identity

pre-shared-key

Use pre-shared-key to configure a preshared key.

Use undo pre-shared-key to delete a preshared key.

Syntax

In non-FIPS mode:

pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher | simple } string

undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }

In FIPS mode:

pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher string ]

undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }

Default

No preshared key is configured.

Views

IKE keychain view

Predefined user roles

network-admin

Parameters

address: Specifies a peer by its address.

ipv4-address: Specifies the IPv4 address of the peer.

mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255.

mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32.

ipv6: Specifies an IPv6 peer.

ipv6-address: Specifies the IPv6 address of the peer.

prefix-length: Specifies the prefix length in the range of 0 to 128. The default prefix length is 128.

hostname host-name: Specifies a peer by its hostname, a case-sensitive string of 1 to 255 characters.

key: Specifies a preshared key.

cipher: Specifies a preshared key in encrypted form.

simple: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the preshared key. The key is case sensitive. In non-FIPS mode, its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters. In FIPS mode, its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 15 to 201 characters.

Usage guidelines

The address option or the hostname option specifies the peer with which the device can use the preshared key to perform IKE negotiation.

Two peers must be configured with the same preshared key to pass preshared key authentication.

In FIPS mode, if you do not specify the cipher string option, you specify a plaintext preshared key in interactive mode. The key is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters other than the question mark (?). In non-FIPS mode, this command does not support configuring a preshared key in interactive mode.
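A small checker for the key rules stated above, added here as an example (not H3C code), so that a key can be validated before it is typed into the interactive prompt or pushed by automation. The non-FIPS rule is the plaintext length limit; the FIPS interactive rule adds the 15-character minimum, the four character classes, and the ban on the question mark. The sample keys in the test are constructed, except for the key taken from the example below.

```python
"""Validate a preshared key against this section's rules (added example, not H3C code).

Non-FIPS mode: plaintext key of 1 to 128 characters.
FIPS interactive mode: 15 to 128 characters, containing uppercase and lowercase
letters, digits and special characters, and not containing '?'.
"""
from typing import List


def check_preshared_key(key: str, fips: bool = False) -> List[str]:
    """Return the rules the key breaks; an empty list means the key is acceptable."""
    problems: List[str] = []
    low, high = (15, 128) if fips else (1, 128)
    if not low <= len(key) <= high:
        problems.append(f"length {len(key)} is outside {low}-{high}")
    if fips:
        if not any(c.isupper() for c in key):
            problems.append("no uppercase letter")
        if not any(c.islower() for c in key):
            problems.append("no lowercase letter")
        if not any(c.isdigit() for c in key):
            problems.append("no digit")
        if "?" in key:
            problems.append("contains '?'")
        # '?' is excluded on purpose: it is rejected, so it cannot satisfy this class.
        if not any(not c.isalnum() and c != "?" for c in key):
            problems.append("no special character")
    return problems


if __name__ == "__main__":
    for candidate in ("123456TESTplat&!", "abcdefghijklmnopq", "Abcdefghijklmn0?"):
        print(repr(candidate), check_preshared_key(candidate, fips=True) or "ok")
```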

Examples

# Create the IKE keychain key1 and enter IKE keychain view.

<Sysname> system-view

[Sysname] ike keychain key1

# Set the preshared key to be used for IKE negotiation with peer 1.1.1.2 to 123456TESTplat&!.

[Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456TESTplat&!

Related commands

authentication-method

keychain

priority (IKE keychain view)

Use priority to specify a priority for an IKE keychain.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKE keychain is 100.

Views

IKE keychain view

Predefined user roles

network-admin

Parameters

priority priority: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority.

Usage guidelines

To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address command configured.

Examples

# Set the priority to 10 for the IKE keychain key1.

<Sysname> system-view

[Sysname] ike keychain key1

[Sysname-ike-keychain-key1] priority 10

priority (IKE profile view)

Use priority to specify a priority for an IKE profile.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKE profile is 100.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

priority priority: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority.

Usage guidelines

To determine the priority of an IKE profile, the device examines the existence of the match local address command before examining the priority number. An IKE profile with the match local address command configured has a higher priority than an IKE profile that does not have the match local address command configured.

Examples

# Set the priority to 10 for the IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] priority 10

proposal

Use proposal to specify IKE proposals for an IKE profile.

Use undo proposal to restore the default.

Syntax

proposal proposal-number&<1-6>

undo proposal

Default

No IKE proposals are specified for an IKE profile and the IKE proposals configured in system view are used for IKE negotiation.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

proposal-number&<1-6>: Specifies a space-separated list of up to six IKE proposals by their numbers in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority.

Usage guidelines

When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation. When acting as the responder, the device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator.

Examples

# Specify IKE proposal 10 for the IKE profile prof1.

<Sysname> system-view

[Sysname] ike profile prof1

[Sysname-ike-profile-prof1] proposal 10

Related commands

ike proposal

reset ike sa

Use reset ike sa to delete IKE SAs.

Syntax

reset ike sa [ connection-id connection-id ]

Views

User view

Predefined user roles

network-admin

Parameters

connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.

Usage guidelines

When you delete an IKE SA, the device automatically sends a notification to the peer.

Examples

# Display the current IKE SAs.

<Sysname> display ike sa

    Connection-ID  Remote            Flag        DOI

  ----------------------------------------------------------

      1            202.38.0.2        RD          IPsec

      2            202.38.0.3        RD          IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

# Delete the IKE SA with the connection ID 2.

<Sysname> reset ike sa connection-id 2

# Display the current IKE SAs.

<Sysname> display ike sa

    Connection-ID  Remote            Flag        DOI

  ----------------------------------------------------------

      1            202.38.0.2        RD          IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

reset ike statistics

Use reset ike statistics to clear IKE MIB statistics.

Syntax

reset ike statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear IKE MIB statistics.

<Sysname> reset ike statistics

Related commands

snmp-agent trap enable ike

sa duration

Use sa duration to set the IKE SA lifetime for an IKE proposal.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The IKE SA lifetime is 86400 seconds for an IKE proposal.

Views

IKE proposal view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800.

Usage guidelines

Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated. The old IKE SA will be cleared when it expires.

If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.

If the IPsec SA lifetime is also configured, set the IKE SA lifetime longer than the IPsec SA lifetime as a best practice.

Examples

# Set the IKE SA lifetime to 600 seconds for IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] sa duration 600

Related commands

display ike proposal

sa soft-duration buffer

Use sa soft-duration buffer to set the IKE SA soft lifetime buffer time.

Use undo sa soft-duration buffer to restore the default.

Syntax

sa soft-duration buffer seconds

undo sa soft-duration buffer

Default

The IKE SA soft lifetime buffer time is not configured.

Views

IKE profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKE SA soft lifetime buffer time, in seconds. The value range is 10 to 36000.

Usage guidelines

This command takes effect only when IKEv1 is used.

The IKE SA soft lifetime buffer time is used to determine the IKE SA soft lifetime. A new IKE SA is negotiated when the IKE SA soft lifetime expires.

The IKE SA soft lifetime is calculated as follows: IKE SA soft lifetime = IKE SA lifetime – IKE SA soft lifetime buffer time.

If the IKE SA soft lifetime buffer time is not configured, the system calculates a default IKE SA soft lifetime based on the IKE SA lifetime.

The default IKE SA soft lifetime is also used if the soft lifetime calculated from the buffer time is 10 seconds or less.
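The lifetime rules in the sa duration and sa soft-duration buffer sections interact, and a misconfigured buffer silently falls back to the system default rather than failing. The Python below is an added example, not device code: effective_ike_sa_lifetime applies the smaller-value rule between two peers, ike_sa_soft_lifetime applies lifetime minus buffer with the 10-second fallback (IKEv1 only, as the guidelines state), and check_lifetime_ordering encodes the best practice of keeping the IKE SA lifetime longer than the IPsec SA lifetime. The reference does not give the formula for the system-calculated default soft lifetime, so default_soft_lifetime is a hypothetical placeholder (80% of the lifetime) to be replaced with what your device actually uses.

```python
from typing import Optional

IKE_SA_LIFETIME_RANGE = (60, 604800)   # sa duration, seconds
SOFT_BUFFER_RANGE = (10, 36000)        # sa soft-duration buffer, seconds
DEFAULT_IKE_SA_LIFETIME = 86400        # default of sa duration


def _check_range(name: str, value: int, bounds: tuple) -> None:
    lo, hi = bounds
    if not lo <= value <= hi:
        raise ValueError(f"{name} {value} is outside {lo}..{hi}")


def effective_ike_sa_lifetime(local_lifetime: int, peer_lifetime: int) -> int:
    """When the peers are configured differently, the smaller lifetime takes effect."""
    _check_range("local IKE SA lifetime", local_lifetime, IKE_SA_LIFETIME_RANGE)
    _check_range("peer IKE SA lifetime", peer_lifetime, IKE_SA_LIFETIME_RANGE)
    return min(local_lifetime, peer_lifetime)


def default_soft_lifetime(lifetime: int) -> int:
    """HYPOTHETICAL stand-in for the system-calculated default soft lifetime.

    The reference only says the default is derived from the IKE SA lifetime;
    the 80% rule here is an assumption for illustration, not the device's formula.
    """
    return lifetime * 8 // 10


def ike_sa_soft_lifetime(lifetime: int, buffer: Optional[int] = None) -> int:
    """Point at which IKEv1 starts negotiating the replacement IKE SA.

    soft = lifetime - buffer when a buffer is configured. The system default is
    used when no buffer is configured, or when lifetime - buffer is 10 seconds
    or less.
    """
    _check_range("IKE SA lifetime", lifetime, IKE_SA_LIFETIME_RANGE)
    if buffer is None:
        return default_soft_lifetime(lifetime)
    _check_range("soft lifetime buffer", buffer, SOFT_BUFFER_RANGE)
    soft = lifetime - buffer
    return soft if soft > 10 else default_soft_lifetime(lifetime)


def check_lifetime_ordering(ike_sa_lifetime: int, ipsec_sa_lifetime: int) -> bool:
    """Best practice from the sa duration guidelines: IKE SA lifetime longer than IPsec SA lifetime."""
    return ike_sa_lifetime > ipsec_sa_lifetime
```

The useful case to notice is a buffer that equals or nearly equals the lifetime: the device does not reject it, it just ignores it and uses the default soft lifetime, so the rekey point is not where the configuration suggests.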

Examples

# Set the IKE SA soft lifetime buffer time to 600 seconds.

<Sysname> system-view

[Sysname] ike profile abc

[Sysname-ike-profile-abc] sa soft-duration buffer 600

Related commands

display ike sa

snmp-agent trap enable ike

Use snmp-agent trap enable ike to enable SNMP notifications for IKE.

Use undo snmp-agent trap enable ike to disable SNMP notifications for IKE.

Syntax

snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *

undo snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *

Default

All SNMP notifications for IKE are enabled.

Views

System view

Predefined user roles

network-admin

Parameters

attr-not-support: Specifies notifications about attribute-unsupported failures.

auth-failure: Specifies notifications about authentication failures.

cert-type-unsupport: Specifies notifications about certificate-type-unsupported failures.

cert-unavailable: Specifies notifications about certificate-unavailable failures.

decrypt-failure: Specifies notifications about decryption failures.

encrypt-failure: Specifies notifications about encryption failures.

global: Specifies notifications globally.

invalid-cert-auth: Specifies notifications about invalid-certificate-authentication failures.

invalid-cookie: Specifies notifications about invalid-cookie failures.

invalid-id: Specifies notifications about invalid-ID failures.

invalid-proposal: Specifies notifications about invalid-IKE-proposal failures.

invalid-protocol: Specifies notifications about invalid-protocol failures.

invalid-sign: Specifies notifications about invalid-signature failures.

no-sa-failure: Specifies notifications about SA-not-found failures.

proposal-add: Specifies notifications about events of adding IKE proposals.

proposal-delete: Specifies notifications about events of deleting IKE proposals.

tunnel-start: Specifies notifications about events of creating IKE tunnels.

tunnel-stop: Specifies notifications about events of deleting IKE tunnels.

unsupport-exch-type: Specifies notifications about negotiation-type-unsupported failures.

Usage guidelines

If you do not specify any keywords, this command enables or disables all SNMP notifications for IKE.

To generate and output SNMP notifications for a specific IKE failure type or event type, perform the following tasks:

1.     Enable SNMP notifications for IKE globally.

2.     Enable SNMP notifications for the failure type or event type.

Examples

# Enable SNMP notifications for IKE globally.

<Sysname> system-view

[Sysname] snmp-agent trap enable ike global

# Enable SNMP notifications for events of creating IKE tunnels.

[Sysname] snmp-agent trap enable ike tunnel-start


IKEv2 commands

aaa authorization

Use aaa authorization to enable IKEv2 AAA authorization.

Use undo aaa authorization to disable IKEv2 AAA authorization.

Syntax

aaa authorization domain domain-name username user-name

undo aaa authorization

Default

IKEv2 AAA authorization is disabled.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

username user-name: Specifies the username used for requesting authorization attributes. The username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:

·     The username cannot contain the domain name.

·     The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

·     The username cannot be a, al, or all.

Usage guidelines

The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 IPv4 address pool, from AAA.

IKEv2 uses the ISP domain and username to request authorization attributes. AAA uses the authorization settings in the ISP domain to request the user's authorization attributes from the remote AAA server or the local user database. After IKEv2 passes the username authentication, it obtains the authorization attributes.

This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Enable AAA authorization. Specify the ISP domain name abc and the username test.

[Sysname-ikev2-profile-profile1] aaa authorization domain abc username test

Related commands

display ikev2 profile

address

Use address to specify the IP address or IP address range of an IKEv2 peer.

Use undo address to restore the default.

Syntax

address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }

undo address

Default

The IKEv2 peer's IP address or IP address range is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the IKEv2 peer.

mask: Specifies the subnet mask of the IPv4 address.

mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.

ipv6 ipv6-address: Specifies the IPv6 address of the IKEv2 peer.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

Usage guidelines

Both the initiator and the responder can look up an IKEv2 peer by IP address in IKEv2 negotiation.

The IP addresses of different IKEv2 peers in the same IKEv2 keychain cannot be the same.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the IKEv2 peer's IP address 3.3.3.3 with the subnet mask 255.255.255.0.

[Sysname-ikev2-keychain-key1-peer-peer1] address 3.3.3.3 255.255.255.0

Related commands

ikev2 keychain

peer

authentication-method

Use authentication-method to specify the local or remote identity authentication method.

Use undo authentication-method to remove the local or remote identity authentication method.

Syntax

authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

undo authentication-method local

undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

Default

No local or remote identity authentication method is specified.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

local: Specifies the local identity authentication method.

remote: Specifies the remote identity authentication method.

dsa-signature: Specifies the DSA signatures as the identity authentication method.

ecdsa-signature: Specifies the ECDSA signatures as the identity authentication method.

pre-share: Specifies the preshared key as the identity authentication method.

rsa-signature: Specifies the RSA signatures as the identity authentication method.

Usage guidelines

The local and remote identity authentication methods must both be specified and they can be different.

You can specify only one local identity authentication method. You can specify multiple remote identity authentication methods by executing this command multiple times when there are multiple remote ends whose authentication methods are unknown.

If you use RSA, DSA, or ECDSA signature authentication, you must specify PKI domains for obtaining certificates. You can specify PKI domains by using the certificate domain command in IKEv2 profile view or by using the pki domain command in system view. PKI domains specified in IKEv2 profile view take precedence over those specified in system view.

If you specify the preshared key method, you must specify a preshared key for the IKEv2 peer in the keychain used by the IKEv2 profile.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the preshared key and RSA signatures as the local and remote authentication methods, respectively.

[Sysname-ikev2-profile-profile1] authentication-method local pre-share

[Sysname-ikev2-profile-profile1] authentication-method remote rsa-signature

# Specify the PKI domain genl as the PKI domain for obtaining certificates.

[Sysname-ikev2-profile-profile1] certificate domain genl

# Specify the keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands

display ikev2 profile

certificate domain (ikev2 profile view)

keychain (ikev2 profile view)

certificate domain

Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.

Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.

Syntax

certificate domain domain-name [ sign | verify ]

undo certificate domain domain-name

Default

PKI domains configured in system view are used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

sign: Uses the local certificate in the PKI domain to generate a signature.

verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.

Usage guidelines

If you do not specify the sign or verify keyword, the PKI domain is used for both purposes. You can specify a PKI domain for each purpose by executing this command multiple times. If you specify the same PKI domain for both purposes, the later configuration takes effect. For example, if you execute certificate domain abc sign and certificate domain abc verify successively, the PKI domain abc will be used only for verification.

If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI domains, the PKI domains configured in system view will be used.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the PKI domain abc for signature. Specify the PKI domain def for verification.

[Sysname-ikev2-profile-profile1] certificate domain abc sign

[Sysname-ikev2-profile-profile1] certificate domain def verify

Related commands

authentication-method

pki domain

config-exchange

Use config-exchange to enable configuration exchange.

Use undo config-exchange to disable configuration exchange.

Syntax

config-exchange { request | set { accept | send } }

undo config-exchange { request | set { accept | send } }

Default

Configuration exchange is disabled.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

request: Enables the device to send request messages carrying the configuration request payload during the IKE_AUTH exchange.

set: Specifies the configuration set payload exchange.

accept: Enables the device to accept the configuration set payload carried in Info messages.

send: Enables the device to send Info messages carrying the configuration set payload.

Usage guidelines

The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response. The enterprise center can push IP addresses to branches. The branches can request IP addresses, but the requested IP addresses cannot be used.

You can specify both request and set for the device.

If you specify request for the local end, the remote end will respond if it can obtain the requested data through AAA authorization.

If you specify set send for the local end, you must specify set accept for the remote end.

The device with set send specified pushes an IP address after the IKEv2 SA is set up if it does not receive any configuration request from the peer.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Enable the local end to add the configuration request payload to the request message of IKE_AUTH exchange.

[Sysname-ikev2-profile-profile1] config-exchange request

Related commands

aaa authorization

configuration policy

display ikev2 profile

dh

Use dh to specify DH groups to be used in IKEv2 key negotiation.

Use undo dh to restore the default.

Syntax

In non-FIPS mode:

dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *

undo dh

In FIPS mode:

dh { group14 | group19 | group20 } *

undo dh

Default

No DH group is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

group1: Uses the 768-bit Diffie-Hellman group.

group2: Uses the 1024-bit Diffie-Hellman group.

group5: Uses the 1536-bit Diffie-Hellman group.

group14: Uses the 2048-bit Diffie-Hellman group.

group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.

group19: Uses the 256-bit ECP Diffie-Hellman group.

group20: Uses the 384-bit ECP Diffie-Hellman group.

Usage guidelines

In general, a DH group with a larger modulus or curve provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose proper DH groups for your network. In FIPS mode, only group14, group19, and group20 are available.

You must specify a minimum of one DH group for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.

You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher priority.

Examples

# Specify DH group 1 for IKEv2 proposal 1.

<Sysname> system-view

[Sysname] ikev2 proposal 1

[Sysname-ikev2-proposal-1] dh group1

Related commands

ikev2 proposal

display ikev2 policy

Use display ikev2 policy to display the IKEv2 policy configuration.

Syntax

display ikev2 policy [ policy-name | default ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 policy.

Usage guidelines

If you do not specify any parameters, this command displays the configuration of all IKEv2 policies.

Examples

# Display the configuration of all IKEv2 policies.

<Sysname> display ikev2 policy

IKEv2 policy: 1

  Priority: 100

  Match local address: 1.1.1.1

  Match local address ipv6: 1:1::1:1

  Match VRF: vpn1

  Proposal: 1

  Proposal: 2

IKEv2 policy: default

  Match VRF: any

  Proposal: default

Table 92 Command output

Field                       Description
IKEv2 policy                Name of the IKEv2 policy.
Priority                    Priority of the IKEv2 policy.
Match local address         IPv4 address to which the IKEv2 policy can be applied.
Match local address ipv6    IPv6 address to which the IKEv2 policy can be applied.
Match VRF                   VPN instance name to which the IKEv2 policy can be applied.
Proposal                    IKEv2 proposal that the IKEv2 policy uses.

Related commands

ikev2 policy

display ikev2 profile

Use display ikev2 profile to display the IKEv2 profile configuration.

Syntax

display ikev2 profile [ profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.

Examples

# Display the configuration of all IKEv2 profiles.

<Sysname> display ikev2 profile

IKEv2 profile: 1

  Priority: 100

  Match criteria:

    Local address 1.1.1.1

    Local address GigabitEthernet1/0/1

    Local address 1:1::1:1

    Remote identity ipv4 address 3.3.3.3/32

    VRF vrf1

  Inside-vrf:

  Local identity: address 1.1.1.1

  Local authentication method: pre-share

  Remote authentication methods: pre-share

  Keychain: Keychain1

  Sign certificate domain:

     Domain1

     abc

  Verify certificate domain:

     Domain2

     yy

  SA duration: 500

  DPD: Interval 32, retry 23, periodic

  Config-exchange: Request, Set send, Set accept

  NAT keepalive: 10

  AAA authorization: Domain domain1, username ikev2

Table 93 Command output

Field                          Description
IKEv2 profile                  Name of the IKEv2 profile.
Priority                       Priority of the IKEv2 profile.
Match criteria                 Criteria for looking up the IKEv2 profile.
Local identity                 ID of the local end.
Local authentication method    Method that the local end uses for authentication.
Remote authentication methods  Methods that the remote end uses for authentication.
Keychain                       IKEv2 keychain that the IKEv2 profile uses.
Sign certificate domain        PKI domain used for signature generation.
Verify certificate domain      PKI domain used for verifying the remote end's certificate.
SA duration                    Lifetime of the IKEv2 SA.
DPD                            DPD settings:
                               ·     Detection interval in seconds.
                               ·     Retry interval in seconds.
                               ·     Detection mode, on demand or periodically.
                               If DPD is disabled, this field displays Disabled.
Config-exchange                Configuration exchange settings:
                               ·     Request—The local end sends request messages carrying the configuration request payload during the IKE_AUTH exchange.
                               ·     Set accept—The local end accepts the configuration set payload carried in Info messages.
                               ·     Set send—The local end sends Info messages carrying the configuration set payload.
NAT keepalive                  NAT keepalive interval in seconds.
AAA authorization              AAA authorization settings:
                               ·     ISP domain name.
                               ·     Username.

Related commands

ikev2 profile

display ikev2 proposal

Use display ikev2 proposal to display the IKEv2 proposal configuration.

Syntax

display ikev2 proposal [ name | default ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 proposal.

Usage guidelines

This command displays IKEv2 proposals in descending order of priorities. If you do not specify any parameters, this command displays the configuration of all IKEv2 proposals.

Examples

# Display the configuration of all IKEv2 proposals.

<Sysname> display ikev2 proposal

IKEv2 proposal : 1

  Encryption: 3DES-CBC AES-CBC-128 AES-CTR-192 CAMELLIA-CBC-128

  Integrity: MD5 SHA256 AES-XCBC-MAC

  PRF: MD5 SHA256 AES-XCBC-MAC

  DH Group: MODP1024/Group2 MODP1536/Group5

IKEv2 proposal : default

  Encryption: AES-CBC-128 3DES-CBC

  Integrity: SHA1 MD5

  PRF: SHA1 MD5

  DH Group: MODP1536/Group5 MODP1024/Group2

Table 94 Command output

Field            Description
IKEv2 proposal   Name of the IKEv2 proposal.
Encryption       Encryption algorithms that the IKEv2 proposal uses.
Integrity        Integrity protection algorithms that the IKEv2 proposal uses.
PRF              PRF algorithms that the IKEv2 proposal uses.
DH Group         DH groups that the IKEv2 proposal uses.

Related commands

ikev2 proposal

display ikev2 sa

Use display ikev2 sa to display the IKEv2 SA information.

Syntax

display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

count: Displays the number of IKEv2 SAs.

local: Displays IKEv2 SA information for a local IP address.

remote: Displays IKEv2 SA information for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in a VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To display information about IKEv2 SAs on the public network, do not specify this option.

verbose: Displays detailed information. If you do not specify this keyword, the command displays the summary information.

tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKEv2 SAs.

Examples

# Display summary information about all IKEv2 SAs.

<Sysname> display ikev2 sa

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     1                  1.1.1.1/500       1.1.1.2/500        EST

     2                  2.2.2.1/500       2.2.2.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     1                  1.1.1.1/500       1.1.1.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

Table 95 Command output

Field       Description
Tunnel ID   ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local       Local IP address of the IKEv2 SA.
Remote      Remote IP address of the IKEv2 SA.
Status      Status of the IKEv2 SA:
            ·     IN-NEGO (Negotiating)—The IKEv2 SA is under negotiation.
            ·     EST (Established)—The IKEv2 SA has been set up.
            ·     DEL (Deleting)—The IKEv2 SA is about to be deleted.

# Display detailed information about all IKEv2 SAs.

<Sysname> display ikev2 sa verbose

  Tunnel ID: 1

  Local IP/Port: 1.1.1.1/500

  Remote IP/Port: 1.1.1.2/500

  Outside VRF: -

  Inside VRF: -

  Local SPI: 8f8af3dbf5023a00

  Remote SPI: 0131565b9b3155fa

 

  Local ID type: FQDN

  Local ID: device_a

  Remote ID type: FQDN

  Remote ID: device_b

 

  Auth sign method: Pre-shared key

  Auth verify method: Pre-shared key

  Integrity algorithm: HMAC_MD5

  PRF algorithm: HMAC_MD5

  Encryption algorithm: AES-CBC-192

 

  Life duration: 86400 secs

  Remaining key duration: 85604 secs

  Diffie-Hellman group: MODP1024/Group2

  NAT traversal: Not detected

  DPD: Interval 20 secs, retry interval 2 secs

  Transmitting entity: Initiator

 

  Local window: 1

  Remote window: 1

  Local request message ID: 2

  Remote request message ID: 2

  Local next message ID: 0

  Remote next message ID: 0

 

  Pushed IP address: 192.168.1.5

  Assigned IP address: 192.168.2.24

 

# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2 verbose

  Tunnel ID: 1

  Local IP/Port: 1.1.1.1/500

  Remote IP/Port: 1.1.1.2/500

  Outside VRF: -

  Inside VRF: -

  Local SPI: 8f8af3dbf5023a00

  Remote SPI: 0131565b9b3155fa

 

  Local ID type: FQDN

  Local ID: device_a

  Remote ID type: FQDN

  Remote ID: device_b

 

  Auth sign method: Pre-shared key

  Auth verify method: Pre-shared key

  Integrity algorithm: HMAC_MD5

  PRF algorithm: HMAC_MD5

  Encryption algorithm: AES-CBC-192

 

  Life duration: 86400 secs

  Remaining key duration: 85604 secs

  Diffie-Hellman group: MODP1024/Group2

  NAT traversal: Not detected

  DPD: Interval 30 secs, retry interval 10 secs

  Transmitting entity: Initiator

 

  Local window: 1

  Remote window: 1

  Local request message ID: 2

  Remote request message ID: 2

  Local next message ID: 0

  Remote next message ID: 0

 

  Pushed IP address: 192.168.1.5

  Assigned IP address: 192.168.2.24
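Operators rarely read verbose SA output by hand on a gateway with many tunnels; they script it. The following Python is an added example, not part of this reference and not a Comware tool: it parses display ikev2 sa verbose output into one record per tunnel and flags SAs that were negotiated with MD5-based integrity or PRF, MODP groups below 2048 bits, or 3DES/DES encryption. The sample output is constructed from the example above (one line deliberately lacks the space after the colon, so the parser's tolerance for that is exercised), and the set of algorithms treated as weak is this example's own policy, not a device setting; on the device itself, FIPS mode already removes group1, group2 and group5 from the dh command.

```python
# Constructed sample modelled on the display ikev2 sa verbose output in this
# section. The 'Remote request message ID:2' line intentionally has no space
# after the colon.
SAMPLE_VERBOSE = """\
  Tunnel ID: 1
  Local IP/Port: 1.1.1.1/500
  Remote IP/Port: 1.1.1.2/500
  Outside VRF: -
  Inside VRF: -
  Local SPI: 8f8af3dbf5023a00
  Remote SPI: 0131565b9b3155fa

  Local ID type: FQDN
  Local ID: device_a
  Remote ID type: FQDN
  Remote ID: device_b

  Auth sign method: Pre-shared key
  Auth verify method: Pre-shared key
  Integrity algorithm: HMAC_MD5
  PRF algorithm: HMAC_MD5
  Encryption algorithm: AES-CBC-192

  Life duration: 86400 secs
  Remaining key duration: 85604 secs
  Diffie-Hellman group: MODP1024/Group2
  NAT traversal: Not detected
  DPD: Interval 20 secs, retry interval 2 secs
  Transmitting entity: Initiator

  Local request message ID: 2
  Remote request message ID:2

  Pushed IP address: 192.168.1.5
  Assigned IP address: 192.168.2.24
"""

# This example's own policy for what to flag (not a device setting). Names are
# spelled as display ikev2 sa verbose prints them.
WEAK_INTEGRITY_PRF = {"HMAC_MD5"}
WEAK_DH = {"MODP768/Group1", "MODP1024/Group2", "MODP1536/Group5"}
WEAK_ENCRYPTION_PREFIXES = ("3DES", "DES-")


def parse_ikev2_sa_verbose(text: str) -> list:
    """Return one dict per tunnel, keyed by the field names as printed.

    A record starts at each 'Tunnel ID' line. Lines are split on the first
    colon only, so IPv6 values keep their colons and a missing space after
    the colon does not matter; blank lines are skipped.
    """
    tunnels, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Tunnel ID":
            current = {}
            tunnels.append(current)
        if current is not None:
            current[key] = value
    return tunnels


def audit_ikev2_sa(sa: dict) -> list:
    """Findings for one tunnel record; an empty list means nothing was flagged."""
    findings = []
    tid = sa.get("Tunnel ID", "?")
    for field in ("Integrity algorithm", "PRF algorithm"):
        if sa.get(field) in WEAK_INTEGRITY_PRF:
            findings.append(f"tunnel {tid}: {field} {sa[field]} is MD5-based")
    dh = sa.get("Diffie-Hellman group", "")
    if dh in WEAK_DH:
        findings.append(f"tunnel {tid}: DH group {dh} is below 2048-bit MODP")
    enc = sa.get("Encryption algorithm", "")
    if enc.startswith(WEAK_ENCRYPTION_PREFIXES):
        findings.append(f"tunnel {tid}: encryption {enc} uses a 64-bit block cipher")
    return findings


def audit_verbose_output(text: str) -> list:
    """Parse the whole output and collect findings across all tunnels."""
    return [f for sa in parse_ikev2_sa_verbose(text) for f in audit_ikev2_sa(sa)]
```

Feed it the text captured from the device (for example over SSH) and act on the findings per tunnel; because the findings name the Tunnel ID, they map directly onto display ikev2 sa verbose tunnel and onto the peer whose IKEv2 proposal needs to change.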

Table 96 Command output

Field                        Description
Tunnel ID                    ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local IP/Port                IP address and port number of the local security gateway.
Remote IP/Port               IP address and port number of the remote security gateway.
Outside VRF                  Name of the VPN instance to which the protected outbound data flow belongs.
                             If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).
Inside VRF                   Name of the VPN instance to which the protected inbound data flow belongs.
                             If the protected inbound data flow belongs to the public network, this field displays a hyphen (-).
Local SPI                    SPI that the local end uses.
Remote SPI                   SPI that the remote end uses.
Local ID type                ID type of the local security gateway.
Local ID                     ID of the local security gateway.
Remote ID type               ID type of the remote security gateway.
Remote ID                    ID of the remote security gateway.
Auth sign method             Method that the local end uses to authenticate itself to the remote end (the local method set with authentication-method).
Auth verify method           Method used to verify the remote end's identity (the remote method set with authentication-method).
Integrity algorithm          Integrity protection algorithm negotiated for the IKEv2 SA.
PRF algorithm                PRF algorithm negotiated for the IKEv2 SA.
Encryption algorithm         Encryption algorithm negotiated for the IKEv2 SA.
Life duration                Lifetime of the IKEv2 SA, in seconds.
Remaining key duration       Remaining lifetime of the IKEv2 SA, in seconds.
Diffie-Hellman group         DH group used in IKEv2 key negotiation.
NAT traversal                Whether a NAT gateway is detected between the local and remote ends.
DPD                          DPD settings:
                             ·     Detection interval in seconds.
                             ·     Retry interval in seconds.
                             If DPD is disabled, this field displays Disabled.
Transmitting entity          Role of the local end in IKEv2 negotiation, initiator or responder.
Local window                 Window size that the local end uses.
Remote window                Window size that the remote end uses.
Local request message ID     ID of the request message that the local end is about to send.
Remote request message ID    ID of the request message that the remote end is about to send.
Local next message ID        ID of the message that the local end expects to receive.
Remote next message ID       ID of the message that the remote end expects to receive.
Pushed IP address            IP address pushed to the local end by the remote end.

Assigned IP address

IP address assigned to the remote end by the local end.

 

# Display the number of IKEv2 SAs.

[Sysname] display ikev2 sa count

IKEv2 SAs count: 0
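The verbose output above is the place to check what a tunnel actually negotiated rather than what was configured. The following script is an added example (it is not part of the H3C reference and not device code): it parses the field/value lines of display ikev2 sa verbose into one record per tunnel and flags settings a defender would want to review. The sample output is constructed from the fields shown above, and the set of algorithms treated as weak or legacy is this example's own policy.

```python
"""Audit of 'display ikev2 sa verbose' output for weak settings.

Added example, not part of the H3C reference: the sample output is
constructed from the fields the command prints, and the list of
algorithms treated as weak or legacy is this example's own policy.
"""
import re

# Constructed sample: one tunnel, as the verbose output prints it.
SAMPLE_OUTPUT = """\
  Tunnel ID: 1
  Local IP/Port: 1.1.1.1/500
  Remote IP/Port: 1.1.1.2/500
  Outside VRF: -
  Inside VRF: -
  Local SPI: 8f8af3dbf5023a00
  Remote SPI: 0131565b9b3155fa

  Local ID type: FQDN
  Local ID: device_a
  Remote ID type: FQDN
  Remote ID: device_b

  Auth sign method: Pre-shared key
  Auth verify method: Pre-shared key
  Integrity algorithm: HMAC_MD5
  PRF algorithm: HMAC_MD5
  Encryption algorithm: AES-CBC-192

  Life duration: 86400 secs
  Remaining key duration: 85604 secs
  Diffie-Hellman group: MODP1024/Group2
  NAT traversal: Not detected
  DPD: Interval 30 secs, retry interval 10 secs
  Transmitting entity: Initiator
"""

# Assumed audit policy (not from the reference).
WEAK_HMACS = {"HMAC_MD5", "HMAC_SHA1"}
WEAK_ENCRYPTION_PREFIXES = ("DES-", "3DES-")
WEAK_DH_GROUPS = {"MODP768/Group1", "MODP1024/Group2", "MODP1536/Group5"}

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_sa_blocks(text):
    """Split verbose output into one {field: value} dict per 'Tunnel ID' block."""
    blocks, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue            # blank separator lines carry no field
        key, value = m.groups()
        if key == "Tunnel ID":  # every SA block starts with its tunnel ID
            current = {}
            blocks.append(current)
        if current is not None:
            current[key] = value
    return blocks

def check_sa(sa):
    """Return the findings for one parsed SA (empty list when nothing is flagged)."""
    findings = []
    for field in ("Integrity algorithm", "PRF algorithm"):
        if sa.get(field) in WEAK_HMACS:
            findings.append(f"weak or legacy {field.lower()}: {sa[field]}")
    enc = sa.get("Encryption algorithm", "")
    if enc.upper().startswith(WEAK_ENCRYPTION_PREFIXES):
        findings.append(f"weak encryption algorithm: {enc}")
    if sa.get("Diffie-Hellman group") in WEAK_DH_GROUPS:
        findings.append(f"small DH group: {sa['Diffie-Hellman group']}")
    if sa.get("DPD", "Disabled").startswith("Disabled"):
        findings.append("DPD disabled: dead peers are not detected")
    if "Pre-shared key" in (sa.get("Auth sign method"), sa.get("Auth verify method")):
        findings.append("info: pre-shared key authentication (check keychain key strength)")
    return findings

def audit(text):
    """Map each tunnel ID in the output to its findings."""
    return {sa["Tunnel ID"]: check_sa(sa) for sa in parse_sa_blocks(text)}

if __name__ == "__main__":
    for tunnel, findings in audit(SAMPLE_OUTPUT).items():
        print(f"Tunnel {tunnel}:")
        for item in findings or ["no findings"]:
            print("  -", item)
```

Feed it the captured output of display ikev2 sa verbose (for all tunnels, or one remote address) and the same parser handles any number of Tunnel ID blocks; the sample above is reported for HMAC_MD5 integrity and PRF and for the 1024-bit DH group, while AES-CBC-192 passes.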

display ikev2 statistics

Use display ikev2 statistics to display IKEv2 statistics.

Syntax

display ikev2 statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IKEv2 statistics.

<Sysname> display ikev2 statistics

IKEv2 statistics:

  Unsupported critical payload: 0

  Invalid IKE SPI: 0

  Invalid major version: 0

  Invalid syntax: 0

  Invalid message ID: 0

  Invalid SPI: 0

  No proposal chosen: 0

  Invalid KE payload: 0

  Authentication failed: 0

  Single pair required: 0

  TS unacceptable: 0

  Invalid selectors: 0

  Temporary failure: 0

  No child SA: 0

  Unknown other notify: 0

  No enough resource: 0

  Enqueue error: 0

  No IKEv2 SA: 0

  Packet error: 0

  Other error: 0

  Retransmit timeout: 0

  DPD detect error: 0

  Del child for IPsec message: 1

  Del child for deleting IKEv2 SA: 1

  Del child for receiving delete message: 0
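The counters above are cumulative, so they are most useful compared between two collections. The script below is an added example, not part of the H3C reference: it parses two snapshots of display ikev2 statistics, computes the growth of each counter, and reports the ones whose increase crosses an assumed threshold (repeated authentication failures, packets for unknown IKE SPIs, malformed messages, proposal mismatches). Both snapshots are constructed from the counter names the command prints.

```python
"""Growth of 'display ikev2 statistics' counters between two snapshots.

Added example, not part of the H3C reference. The snapshots are constructed
from the counter names the command prints; the watched counters and their
thresholds are this example's assumptions.
"""
import re

BEFORE = """\
IKEv2 statistics:
  Unsupported critical payload: 0
  Invalid IKE SPI: 0
  Invalid major version: 0
  Invalid syntax: 0
  No proposal chosen: 0
  Authentication failed: 0
  Retransmit timeout: 0
  DPD detect error: 0
  Del child for IPsec message: 1
"""

AFTER = """\
IKEv2 statistics:
  Unsupported critical payload: 0
  Invalid IKE SPI: 3
  Invalid major version: 0
  Invalid syntax: 0
  No proposal chosen: 2
  Authentication failed: 57
  Retransmit timeout: 1
  DPD detect error: 0
  Del child for IPsec message: 1
"""

# Assumed: counters whose growth per collection interval deserves a look.
WATCH = {
    "Authentication failed": 10,   # repeated PSK/certificate failures: misconfiguration or guessing
    "Invalid IKE SPI": 1,          # packets for SAs the device does not know
    "Invalid syntax": 1,           # malformed IKEv2 messages
    "Invalid major version": 1,
    "No proposal chosen": 1,       # algorithm mismatch: compare the proposals on both ends
    "DPD detect error": 1,         # peers going silent
}

COUNTER_RE = re.compile(r"^\s+([A-Za-z][^:]*?):\s*(\d+)\s*$")

def parse_statistics(text):
    """Counter name -> integer value for every indented 'name: N' line."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def counter_deltas(before, after):
    """Increase per counter; a counter that went down (reset ikev2 statistics
    was run) is counted from zero."""
    deltas = {}
    for name, new in after.items():
        old = before.get(name, 0)
        deltas[name] = new if new < old else new - old
    return deltas

def alerts(before_text, after_text):
    """Watched counters whose growth reached the threshold, with the growth."""
    deltas = counter_deltas(parse_statistics(before_text), parse_statistics(after_text))
    return {name: deltas[name] for name, threshold in WATCH.items()
            if deltas.get(name, 0) >= threshold}

if __name__ == "__main__":
    for name, growth in alerts(BEFORE, AFTER).items():
        print(f"{name}: +{growth}")
```

Run it against snapshots taken at a fixed interval; for the constructed pair above it reports Authentication failed (+57), Invalid IKE SPI (+3) and No proposal chosen (+2), and leaves the Del child counters alone since they only record normal SA teardown.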

Related commands

reset ikev2 statistics

dpd

Use dpd to configure IKEv2 DPD.

Use undo dpd to disable IKEv2 DPD.

Syntax

dpd interval interval [ retry seconds ] { on-demand | periodic }

undo dpd interval

Default

IKEv2 DPD is disabled. The global IKEv2 DPD settings are used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.

Examples

# Configure on-demand IKEv2 DPD. Set the DPD triggering interval to 10 seconds and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1] dpd interval 10 retry 5 on-demand

Related commands

ikev2 dpd

encryption

Use encryption to specify encryption algorithms for an IKEv2 proposal.

Use undo encryption to restore the default.

Syntax

In non-FIPS mode:

encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *

undo encryption

In FIPS mode:

encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *

undo encryption

Default

No encryption algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128-bit key.

aes-cbc-192: Uses the AES algorithm in CBC mode, which uses a 192-bit key.

aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key.

aes-ctr-128: Uses the AES algorithm in CTR mode, which uses a 128-bit key.

aes-ctr-192: Uses the AES algorithm in CTR mode, which uses a 192-bit key.

aes-ctr-256: Uses the AES algorithm in CTR mode, which uses a 256-bit key.

camellia-cbc-128: Uses the Camellia algorithm in CBC mode, which uses a 128-bit key.

camellia-cbc-192: Uses the Camellia algorithm in CBC mode, which uses a 192-bit key.

camellia-cbc-256: Uses the Camellia algorithm in CBC mode, which uses a 256-bit key.

des-cbc: Uses the DES algorithm in CBC mode, which uses a 56-bit key.

Usage guidelines

You must specify a minimum of one encryption algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple encryption algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Specify the 168-bit 3DES algorithm in CBC mode as the encryption algorithm for the IKEv2 proposal prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption 3des-cbc

Related commands

ikev2 proposal

hostname

Use hostname to specify the host name of an IKEv2 peer.

Use undo hostname to restore the default.

Syntax

hostname name

undo hostname

Default

The IKEv2 peer's host name is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 253 characters.

Usage guidelines

Only the initiator can look up an IKEv2 peer by host name in IKEv2 negotiation, and the initiator must use an IPsec policy rather than an IPsec profile.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the host name test of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] hostname test

Related commands

ikev2 keychain

peer

identity

Use identity to specify the ID of an IKEv2 peer.

Use undo identity to restore the default.

Syntax

identity { address { ipv4-address | ipv6 ipv6-address } | fqdn fqdn-name | email email-string | key-id key-id-string }

undo identity

Default

The IKEv2 peer's ID is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the peer.

ipv6 ipv6-address: Specifies the IPv6 address of the peer.

fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

email email-string: Specifies the email address of the peer. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as esec@test.com.

key-id key-id: Specifies the remote gateway's key ID. The key-id argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

Only the responder can look up an IKEv2 peer by ID in IKEv2 negotiation. The initiator does not know the peer ID when initiating the IKEv2 negotiation, so it cannot use an ID for IKEv2 peer lookup.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the peer IPv4 address 1.1.1.2 as the ID of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2

Related commands

ikev2 keychain

peer

identity local

Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation.

Use undo identity local to restore the default.

Syntax

identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }

undo identity local

Default

No local ID is configured. The IP address of the interface to which the IPsec policy is applied is used as the local ID.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.

dn: Uses the DN in the local certificate as the local ID.

email email-string: Uses an email address as the local ID. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as sec@abc.com.

fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

key-id key-id: Uses the device's key ID as the local ID. The key-id argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

Peers exchange local IDs for identifying each other in negotiation.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Use the IP address 2.2.2.2 as the local ID.

[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2

Related commands

peer

ikev2 address-group

Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to remote peers.

Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool.

Syntax

ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]

undo ikev2 address-group group-name

Default

No IKEv2 IPv4 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKEv2 IPv4 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.

start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.

mask: Specifies the IPv4 address mask.

mask-length: Specifies the length of the IPv4 address mask.

Usage guidelines

An IKEv2 IPv4 address pool can contain a maximum of 8192 IPv4 addresses.

Examples

# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask 255.255.255.0.

<Sysname> system-view

[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0

# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask length 32.

<Sysname> system-view

[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 32

Related commands

address-group

ikev2 cookie-challenge

Use ikev2 cookie-challenge to enable the cookie challenging feature.

Use undo ikev2 cookie-challenge to disable the cookie challenging feature.

Syntax

ikev2 cookie-challenge number

undo ikev2 cookie-challenge

Default

The cookie challenging feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 1 to 1000 half-open IKE SAs.

Usage guidelines

When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.

This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.
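The following class is an added example of the mechanism just described; it is not H3C code. It plays the responder: while fewer than the threshold number of IKE SAs are half-open, an IKE_SA_INIT request gets state immediately; once the threshold is reached the responder answers with a stateless cookie computed from the request and its own secret (the shape RFC 7296 suggests, VersionID | Hash(Ni | IPi | SPIi | secret)), creates state only for a retried request that carries the correct cookie, and terminates a negotiation that presents a wrong one. The half-open bookkeeping, the truncated hash length and the return values are this example's assumptions.

```python
"""IKEv2 cookie challenge on the responder.

Added example, not H3C code: it shows the mechanism the ikev2
cookie-challenge guidelines describe, using the stateless cookie shape
from RFC 7296 (Cookie = VersionID | Hash(Ni | IPi | SPIi | secret)).
The half-open bookkeeping, the 16-byte hash truncation and the return
values are this example's assumptions.
"""
import hashlib
import hmac
import os

class CookieChallengeResponder:
    def __init__(self, threshold: int):
        if not 1 <= threshold <= 1000:
            raise ValueError("threshold must be 1 to 1000 half-open IKE SAs")
        self.threshold = threshold
        self.secret = os.urandom(32)   # a real responder rotates this and keeps the last one
        self.version = 1               # tells the responder which secret made a cookie
        self.half_open = {}            # initiator SPI -> initiator IP, until IKE_AUTH completes

    def _cookie(self, src_ip: str, spi_i: bytes, nonce_i: bytes) -> bytes:
        # Derived from the request alone: nothing is stored per request, so
        # IKE_SA_INIT floods from forged addresses cost the responder no state.
        mac = hmac.new(self.secret, nonce_i + src_ip.encode() + spi_i, hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def handle_ike_sa_init(self, src_ip, spi_i, nonce_i, cookie=None):
        """Returns ("COOKIE", cookie) to challenge the initiator, ("SA_INIT_OK", None)
        when negotiation proceeds, or ("REJECT", None) for a wrong cookie."""
        if len(self.half_open) >= self.threshold:
            expected = self._cookie(src_ip, spi_i, nonce_i)
            if cookie is None:
                return ("COOKIE", expected)          # retry the same request with this cookie
            if not hmac.compare_digest(cookie, expected):
                return ("REJECT", None)              # wrong cookie: negotiation terminated
        self.half_open[spi_i] = src_ip               # state is created only here
        return ("SA_INIT_OK", None)

    def complete(self, spi_i: bytes):
        """IKE_AUTH finished, or the half-open SA timed out."""
        self.half_open.pop(spi_i, None)

if __name__ == "__main__":
    responder = CookieChallengeResponder(threshold=3)
    # Constructed: three negotiations stuck at IKE_SA_INIT reach the threshold.
    for i in range(3):
        responder.handle_ike_sa_init(f"203.0.113.{i + 1}", bytes([i]) * 8, os.urandom(16))
    spi, nonce = os.urandom(8), os.urandom(16)
    kind, cookie = responder.handle_ike_sa_init("198.51.100.7", spi, nonce)
    print(kind)                                                                  # COOKIE
    print(responder.handle_ike_sa_init("198.51.100.7", spi, nonce, cookie)[0])   # SA_INIT_OK
```

The point to take from the code is where state is allocated: below the threshold on the first message, above it only after the initiator has proven it can receive at the source address it claims. Completed or timed-out SAs must be removed with complete(), otherwise the responder stays in challenge mode.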

Examples

# Enable the cookie challenging feature and set the threshold to 450.

<Sysname> system-view

[Sysname] ikev2 cookie-challenge 450

ikev2 dpd

Use ikev2 dpd to configure global IKEv2 DPD.

Use undo ikev2 dpd to disable global IKEv2 DPD.

Syntax

ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }

undo ikev2 dpd interval

Default

Global IKEv2 DPD is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.

You can configure IKEv2 DPD in both IKEv2 profile view and system view. The IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.
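The rules in the dpd and ikev2 dpd guidelines (value ranges, triggering interval longer than the retry interval, profile-view settings taking precedence over system-view settings, and the difference between on-demand and periodic triggering) are small enough to write down as code. The block below is an added example and not H3C code; its second-granularity timing model is an assumption.

```python
"""IKEv2 DPD setting resolution and trigger decisions.

Added example, not H3C code. It encodes the rules from the dpd and ikev2
dpd guidelines: values must stay within the documented ranges, the
triggering interval must be longer than the retry interval, settings in
IKEv2 profile view override the global ones, on-demand DPD fires only when
there is IPsec traffic to send and nothing has been received from the
peer for the interval, and periodic DPD fires every interval. The simple
second-granularity timing model is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DpdConfig:
    interval: int            # dpd interval: 10 to 3600 seconds
    retry: int = 5           # dpd retry: 2 to 60 seconds, default 5
    mode: str = "on-demand"  # "on-demand" or "periodic"

    def validate(self):
        if not 10 <= self.interval <= 3600:
            raise ValueError("interval must be 10 to 3600 seconds")
        if not 2 <= self.retry <= 60:
            raise ValueError("retry must be 2 to 60 seconds")
        if self.mode not in ("on-demand", "periodic"):
            raise ValueError("mode must be on-demand or periodic")
        if self.interval <= self.retry:
            raise ValueError("the triggering interval must be longer than the retry interval, "
                             "or a new DPD round could start during a retry")
        return self

def effective_dpd(profile_dpd: Optional[DpdConfig], global_dpd: Optional[DpdConfig]):
    """Profile-view DPD wins; the global setting applies only when the profile has none.
    None for both means DPD is disabled."""
    return profile_dpd if profile_dpd is not None else global_dpd

def dpd_due(cfg: Optional[DpdConfig], now: int, last_rx: int, last_round: int, has_tx: bool):
    """Whether a DPD round should start at time `now` (all times in seconds).

    last_rx:    when the last IPsec packet from the peer arrived
    last_round: when the previous DPD round started
    has_tx:     whether there is IPsec traffic waiting to be sent to the peer
    """
    if cfg is None:
        return False                         # DPD disabled
    if now - last_round < cfg.interval:
        return False                         # previous round (and its retries) still fresh
    if cfg.mode == "periodic":
        return True                          # fires regardless of traffic
    return has_tx and (now - last_rx) >= cfg.interval

if __name__ == "__main__":
    profile_cfg = DpdConfig(interval=10, retry=5, mode="on-demand").validate()
    global_cfg = DpdConfig(interval=15, mode="periodic").validate()
    cfg = effective_dpd(profile_cfg, global_cfg)
    print(cfg, dpd_due(cfg, now=100, last_rx=80, last_round=0, has_tx=True))
```

dpd_due() makes the trade-off in the guidelines visible: the periodic branch returns True every interval for every peer, which is the bandwidth and CPU cost mentioned above, while the on-demand branch stays quiet for peers that are either silent with nothing to send or still sending traffic.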

Examples

# Configure the device to trigger IKEv2 DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for 15 seconds.

<Sysname> system-view

[Sysname] ikev2 dpd interval 15 on-demand

# Configure the device to trigger IKEv2 DPD every 15 seconds.

<Sysname> system-view

[Sysname] ikev2 dpd interval 15 periodic

Related commands

dpd (IKEv2 profile view)

ikev2 ipv6-address-group

Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6 addresses to remote peers.

Use undo ikev2 ipv6-address-group to delete an IKEv2 IPv6 address pool.

Syntax

ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len

undo ikev2 ipv6-address-group group-name

Default

No IKEv2 IPv6 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKEv2 IPv6 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.

prefix prefix/prefix-len: Specifies an IPv6 prefix in the format of prefix/prefix length. The value range for the prefix-len argument is 1 to 128.

assign-len assign-len: Specifies the assigned prefix length. The value range for the assign-len argument is 0 to 128, and the value must be greater than or equal to prefix-len. The difference between assign-len and prefix-len must be no more than 16.

Usage guidelines

Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the IKEv2 IPv6 address pool. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to other devices.

IKEv2 IPv6 address pools cannot overlap with each other.
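The limits stated for ikev2 address-group (at most 8192 addresses, a mask given either dotted or as a length) and for ikev2 ipv6-address-group (assign-len at least prefix-len and at most 16 bits longer, no overlap between pools) can be checked before the configuration is pushed. The block below is an added example covering both commands; it is not H3C code. The end-below-start check and the in-order subnet assignment it shows are assumptions.

```python
"""Validation of IKEv2 address pools.

Added example, not H3C code. It encodes the limits the ikev2 address-group
and ikev2 ipv6-address-group guidelines state: an IPv4 pool holds at most
8192 addresses and carries an optional mask or mask length; an IPv6 pool
hands out subnets of assign-len, which must be at least the pool prefix
length and at most 16 bits longer, and IPv6 pools must not overlap. The
end-below-start check and the in-order assignment shown by
first_ipv6_assignments() are assumptions of this example.
"""
import ipaddress
from itertools import islice

MAX_IPV4_POOL = 8192

def ipv4_pool(name, start, end, mask=None):
    """Describe an IKEv2 IPv4 pool after checking its range and size."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if hi < lo:
        raise ValueError(f"{name}: end address {hi} is lower than start address {lo}")
    size = int(hi) - int(lo) + 1
    if size > MAX_IPV4_POOL:
        raise ValueError(f"{name}: {size} addresses exceeds the limit of {MAX_IPV4_POOL}")
    prefixlen = None
    if mask is not None:
        # Either form the command accepts: dotted mask (255.255.255.0) or length (32).
        prefixlen = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return {"name": name, "start": str(lo), "end": str(hi), "size": size, "prefixlen": prefixlen}

def ipv6_pool(name, prefix, assign_len):
    """Describe an IKEv2 IPv6 pool: peers receive /assign_len subnets, not single addresses."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if not 1 <= net.prefixlen <= 128:
        raise ValueError(f"{name}: prefix length must be 1 to 128")
    if not 0 <= assign_len <= 128:
        raise ValueError(f"{name}: assign-len must be 0 to 128")
    if assign_len < net.prefixlen:
        raise ValueError(f"{name}: assign-len must be >= prefix length {net.prefixlen}")
    if assign_len - net.prefixlen > 16:
        raise ValueError(f"{name}: assign-len may exceed the prefix length by at most 16")
    return {"name": name, "prefix": str(net), "assign_len": assign_len,
            "subnets": 2 ** (assign_len - net.prefixlen)}

def check_ipv6_pools_disjoint(pools):
    """Raise if two IKEv2 IPv6 pools overlap; return True otherwise."""
    nets = [(p["name"], ipaddress.IPv6Network(p["prefix"])) for p in pools]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"IPv6 pools {name_a} and {name_b} overlap")
    return True

def first_ipv6_assignments(pool, count):
    """The first `count` subnets the pool would hand to peers (assumed in address order)."""
    net = ipaddress.IPv6Network(pool["prefix"])
    return [str(s) for s in islice(net.subnets(new_prefix=pool["assign_len"]), count)]

if __name__ == "__main__":
    print(ipv4_pool("ipv4group", "1.1.1.1", "1.1.1.2", "255.255.255.0"))
    v6 = ipv6_pool("ipv6group", "1:1::/64", 80)
    print(v6, first_ipv6_assignments(v6, 3))
```

With the values from the examples above, the IPv4 pool ipv4group has two addresses with a /24 mask, and the IPv6 pool ipv6group (1:1::/64, assign-len 80) can hand out 65536 distinct /80 subnets, starting with 1:1::/80.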

Examples

# Configure an IKEv2 IPv6 address pool with the name ipv6group, prefix 1:1::/64, and the assigned prefix length 80.

<Sysname> system-view

[Sysname] ikev2 ipv6-address-group ipv6group prefix 1:1::/64 assign-len 80

Related commands

ipv6-address-group

ikev2 keychain

Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing IKEv2 keychain.

Use undo ikev2 keychain to delete an IKEv2 keychain.

Syntax

ikev2 keychain keychain-name

undo ikev2 keychain keychain-name

Default

No IKEv2 keychains exist.

Views

System view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies a name for the IKEv2 keychain. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses preshared key authentication. The preshared key configured on both ends must be the same.

You can configure multiple IKEv2 peers in an IKEv2 keychain.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.

<Sysname> system-view

[Sysname] ikev2 keychain key1

[Sysname-ikev2-keychain-key1]

ikev2 nat-keepalive

Use ikev2 nat-keepalive to set the NAT keepalive interval.

Use undo ikev2 nat-keepalive to restore the default.

Syntax

ikev2 nat-keepalive seconds

undo ikev2 nat-keepalive

Default

The NAT keepalive interval is 10 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ikev2 nat-keepalive 5

ikev2 policy

Use ikev2 policy to create an IKEv2 policy and enter its view, or enter the view of an existing IKEv2 policy.

Use undo ikev2 policy to delete an IKEv2 policy.

Syntax

ikev2 policy policy-name

undo ikev2 policy policy-name

Default

An IKEv2 policy named default exists, which uses the default IKEv2 proposal and matches any local addresses.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a name for the IKEv2 policy. The policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs. An IKEv2 policy uses IKEv2 proposals to define the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups to be used for negotiation.

You can configure multiple IKEv2 policies. An IKEv2 policy must have a minimum of one IKEv2 proposal. Otherwise, the policy is incomplete.

If the initiator uses an IPsec policy that is bound to a source interface, the initiator looks up an IKEv2 policy by the IP address of the source interface.

You can set priorities to adjust the match order of IKEv2 policies that have the same match criteria.

If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the default IKEv2 policy, nor modify it.

Examples

# Create an IKEv2 policy named policy1 and enter IKEv2 policy view.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1]

Related commands

display ikev2 policy

ikev2 profile

Use ikev2 profile to create an IKEv2 profile and enter its view, or enter the view of an existing IKEv2 profile.

Use undo ikev2 profile to delete an IKEv2 profile.

Syntax

ikev2 profile profile-name

undo ikev2 profile profile-name

Default

No IKEv2 profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a name for the IKEv2 profile. The profile name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity information and authentication methods of the peers, and the matching criteria for profile lookup.

Examples

# Create an IKEv2 profile named profile1 and enter IKEv2 profile view.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1]

Related commands

display ikev2 profile

ikev2 proposal

Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing IKEv2 proposal.

Use undo ikev2 proposal to delete an IKEv2 proposal.

Syntax

ikev2 proposal proposal-name

undo ikev2 proposal proposal-name

Default

An IKEv2 proposal named default exists, which has the lowest priority and uses the following settings:

·     In non-FIPS mode:

¡     Encryption algorithm—AES-CBC-128 and 3DES.

¡     Integrity protection algorithm—HMAC-SHA1 and HMAC-MD5.

¡     PRF algorithm—HMAC-SHA1 and HMAC-MD5.

¡     DH group—Group 5 and group 2.

·     In FIPS mode:

¡     Encryption algorithm—AES-CBC-128 and AES-CTR-128.

¡     Integrity protection algorithm—HMAC-SHA1 and HMAC-SHA256.

¡     PRF algorithm—HMAC-SHA1 and HMAC-SHA256.

¡     DH group—Group 14 and group 19.

Views

System view

Predefined user roles

network-admin

Parameters

proposal-name: Specifies a name for the IKEv2 proposal. The proposal name is a case-insensitive string of 1 to 63 characters and cannot be default.

Usage guidelines

An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups.

An IKEv2 proposal must have a minimum of one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.

In an IKEv2 proposal, you can specify multiple parameters of the same type. The parameters of different types combine and form multiple sets of security parameters. If you want to use only one set of security parameters, configure only one set of security parameters for the IKEv2 proposal.

Examples

# Create an IKEv2 proposal named prop1. Specify the encryption algorithm AES-CBC-128, integrity protection algorithm SHA1, PRF algorithm SHA1, and DH group 2.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption aes-cbc-128

[Sysname-ikev2-proposal-prop1] integrity sha1

[Sysname-ikev2-proposal-prop1] prf sha1

[Sysname-ikev2-proposal-prop1] dh group2

Related commands

encryption

integrity

prf

dh

inside-vrf

Use inside-vrf to specify an inside VPN instance.

Use undo inside-vrf to restore the default.

Syntax

inside-vrf vrf-name

undo inside-vrf

Default

No inside VPN instance is specified. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

vrf-name: Specifies the VPN instance to which the protected data belongs. The vrf-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

This command determines where the device should forward received IPsec packets after it de-encapsulates them. If you configure this command, the device looks for a route in the specified VPN to forward the packets. If you do not configure this command, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the inside VPN instance vpn1.

[Sysname-ikev2-profile-profile1] inside-vrf vpn1

integrity

Use integrity to specify integrity protection algorithms for an IKEv2 proposal.

Use undo integrity to restore the default.

Syntax

In non-FIPS mode:

integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo integrity

In FIPS mode:

integrity { sha1 | sha256 | sha384 | sha512 } *

undo integrity

Default

No integrity protection algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Uses the HMAC-AES-XCBC-96 algorithm.

md5: Uses the HMAC-MD5 algorithm.

sha1: Uses the HMAC-SHA1 algorithm.

sha256: Uses the HMAC-SHA256 algorithm.

sha384: Uses the HMAC-SHA384 algorithm.

sha512: Uses the HMAC-SHA512 algorithm.

Usage guidelines

You must specify a minimum of one integrity protection algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple integrity protection algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Create an IKEv2 proposal named prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

# Specify HMAC-SHA1 and HMAC-MD5 as the integrity protection algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] integrity sha1 md5

Related commands

ikev2 proposal
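The encryption, integrity and ikev2 proposal guidelines above share two rules: an algorithm listed earlier has higher priority, and the algorithms of the four types combine into every possible set of security parameters. The block below is an added example, not H3C code, that builds a proposal the way those commands do (including the FIPS-mode restriction of the encryption and integrity lists), expands it into its ordered sets, and reproduces the default proposal described under ikev2 proposal. The selection rule in negotiate() and the ordering of the expanded sets are this example's assumptions; prf and dh values are not validated because their full value lists are not part of the passages above.

```python
"""IKEv2 proposal expansion and selection.

Added example, not H3C code. It encodes what the encryption, integrity and
ikev2 proposal guidelines state: a proposal needs at least one algorithm of
each type, an algorithm listed earlier has higher priority, FIPS mode
restricts the algorithm lists, and the lists of the four types combine into
every possible set of security parameters. The selection rule in
negotiate() (walk the initiator's sets in priority order and take the first
one the responder also offers) and the ordering of the combined sets are
this example's assumptions; prf and dh values are not validated here
because their full value lists are outside the passages above.
"""
from itertools import product

NON_FIPS_ENCRYPTION = {"3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                       "aes-ctr-128", "aes-ctr-192", "aes-ctr-256", "camellia-cbc-128",
                       "camellia-cbc-192", "camellia-cbc-256", "des-cbc"}
FIPS_ENCRYPTION = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                   "aes-ctr-128", "aes-ctr-192", "aes-ctr-256"}
NON_FIPS_INTEGRITY = {"aes-xcbc-mac", "md5", "sha1", "sha256", "sha384", "sha512"}
FIPS_INTEGRITY = {"sha1", "sha256", "sha384", "sha512"}

class Ikev2Proposal:
    def __init__(self, name, fips=False):
        self.name, self.fips = name, fips
        self.encryption, self.integrity, self.prf, self.dh = [], [], [], []

    def _assign(self, target, values, allowed, what):
        """Store values in the order given (first = highest priority), rejecting
        anything the current mode does not offer."""
        if allowed is not None:
            bad = [v for v in values if v not in allowed]
            if bad:
                raise ValueError(f"{self.name}: {what} not available in this mode: {bad}")
        ordered = []
        for v in values:
            if v not in ordered:
                ordered.append(v)
        target[:] = ordered
        return self

    def set_encryption(self, *algs):
        return self._assign(self.encryption, algs,
                            FIPS_ENCRYPTION if self.fips else NON_FIPS_ENCRYPTION,
                            "encryption algorithm")

    def set_integrity(self, *algs):
        return self._assign(self.integrity, algs,
                            FIPS_INTEGRITY if self.fips else NON_FIPS_INTEGRITY,
                            "integrity algorithm")

    def set_prf(self, *algs):
        return self._assign(self.prf, algs, None, "PRF algorithm")

    def set_dh(self, *groups):
        return self._assign(self.dh, groups, None, "DH group")

    def is_complete(self):
        """Without one algorithm of every type the proposal is incomplete and useless."""
        return all([self.encryption, self.integrity, self.prf, self.dh])

    def security_parameter_sets(self):
        """All (encryption, integrity, prf, dh) combinations, earlier-listed first."""
        if not self.is_complete():
            raise ValueError(f"{self.name}: incomplete proposal")
        return list(product(self.encryption, self.integrity, self.prf, self.dh))

def default_proposal(fips=False):
    """The 'default' proposal the reference describes (it has the lowest priority)."""
    p = Ikev2Proposal("default", fips)
    if fips:
        return (p.set_encryption("aes-cbc-128", "aes-ctr-128").set_integrity("sha1", "sha256")
                 .set_prf("sha1", "sha256").set_dh("group14", "group19"))
    return (p.set_encryption("aes-cbc-128", "3des-cbc").set_integrity("sha1", "md5")
             .set_prf("sha1", "md5").set_dh("group5", "group2"))

def negotiate(initiator, responder):
    """First initiator set, in the initiator's priority order, that the responder
    also offers; None corresponds to a 'No proposal chosen' outcome."""
    offered = set(responder.security_parameter_sets())
    for candidate in initiator.security_parameter_sets():
        if candidate in offered:
            return candidate
    return None

if __name__ == "__main__":
    prop1 = (Ikev2Proposal("prop1").set_encryption("aes-cbc-128")
             .set_integrity("sha1").set_prf("sha1").set_dh("group2"))
    print(len(default_proposal().security_parameter_sets()), "sets in the default proposal")
    print(negotiate(default_proposal(), prop1))
```

Two things the expansion makes concrete: the default non-FIPS proposal offers 16 sets, several of which still contain 3DES and MD5, and a single-set proposal like prop1 only ever negotiates that one set, which is the behaviour the guidelines recommend when exactly one combination is wanted.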

keychain

Use keychain to specify an IKEv2 keychain for preshared key authentication.

Use undo keychain to restore the default.

Syntax

keychain keychain-name

undo keychain

Default

No IKEv2 keychain is specified for an IKEv2 profile.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses preshared key authentication. You can specify only one IKEv2 keychain for an IKEv2 profile.

You can specify the same IKEv2 keychain for different IKEv2 profiles.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the IKEv2 keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands

display ikev2 profile

ikev2 keychain

match local (IKEv2 profile view)

Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be applied.

Use undo match local to remove a local interface or a local IP address to which an IKEv2 profile can be applied.

Syntax

match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

undo match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

Default

An IKEv2 profile can be applied to any local interface or local IP address.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

address: Specifies a local interface or IP address to which an IKEv2 profile can be applied.

interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

Use this command to specify which address or interface can use the IKEv2 profile for IKEv2 negotiation. The interface is the interface that receives IKEv2 packets. The IP address is the IP address of the interface that receives IKEv2 packets.

An IKEv2 profile configured earlier has a higher priority. To give an IKEv2 profile that is configured later a higher priority, you can configure the priority command or this command for the profile. For example, suppose you configured IKEv2 profile A before configuring IKEv2 profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKEv2 profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKEv2 profile B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKEv2 profile A is preferred because IKEv2 profile A was configured earlier. To use IKEv2 profile B, you can use this command to restrict the application scope of IKEv2 profile B to IPv4 address 3.3.3.3.

You can specify multiple applicable local interfaces or IP addresses for an IKEv2 profile.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Apply the IKEv2 profile profile1 to the interface whose IP address is 2.2.2.2.

[Sysname-ikev2-profile-profile1] match local address 2.2.2.2

Related commands

match remote

match local address (IKEv2 policy view)

Use match local address to specify a local interface or a local address that an IKEv2 policy matches.

Use undo match local address to remove a local interface or a local address that an IKEv2 policy matches.

Syntax

match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

undo match local address { interface-type interface-number | ipv4-address | ipv6 ipv6-address }

Default

No local interface or address is specified, and the IKEv2 policy matches any local interface or local address.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

IKEv2 policies with this command configured are looked up before those that do not have this command configured.

Examples

# Configure the IKEv2 policy policy1 to match the local address 3.3.3.3.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] match local address 3.3.3.3

Related commands

display ikev2 policy

match vrf

match remote

Use match remote to configure a peer ID that an IKEv2 profile matches.

Use undo match remote to delete a peer ID that an IKEv2 profile matches.

Syntax

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

Default

No matching peer ID is configured for the IKEv2 profile.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2 profile matching. The policy-name argument specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.

identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified information is configured on the peer by using the identity local command.

·     address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32.

·     address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

·     address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKEv2 profile matching. The value range for the prefix-length argument is 0 to 128.

·     address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

·     fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

·     email email-string: Uses the peer's email address as the peer ID for IKEv2 profile matching. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as sec@abc.com.

·     key-id key-id-string: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string used for proprietary types of identification.

Usage guidelines

The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. If you have configured the match local address and match vrf commands, the IKEv2 profile must also match the specified local interface or address and the specified VPN instance.

To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, which IKEv2 profile is selected for IKEv2 negotiation is unpredictable.

You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a higher priority.
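The responder-side profile selection described in these guidelines (peer ID match, optional match local address and match vrf, profile priority, peer IDs in configuration order) modelled in Python as an added example; it is not Comware code, the profiles, addresses and VRF names are constructed, and the duplicate-peer-ID lint is added to flag the "unpredictable" case the guidelines warn about.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PeerId:
    """One 'match remote identity' entry, stored as written on the CLI."""
    kind: str    # "address" (host or subnet), "range", "fqdn", "email" or "key-id"
    value: str   # e.g. "10.1.1.1", "10.1.1.0/24", "10.1.1.1-10.1.1.9", "www.test.com"

    def matches(self, kind: str, value: str) -> bool:
        """True if the received peer ID (kind, value) is covered by this entry."""
        if self.kind in ("address", "range"):
            if kind != "address":
                return False
            addr = ipaddress.ip_address(value)
            if self.kind == "address":
                net = ipaddress.ip_network(self.value, strict=False)
                return addr.version == net.version and addr in net
            low, high = (ipaddress.ip_address(x) for x in self.value.split("-"))
            return addr.version == low.version and low <= addr <= high
        # FQDN, email and key ID are case-sensitive strings per the parameter text.
        return kind == self.kind and value == self.value


@dataclass
class Ikev2Profile:
    name: str
    peer_ids: list                        # configuration order; an earlier entry wins
    priority: int = 100                   # 'priority' command; smaller = higher priority
    local_address: Optional[str] = None   # 'match local address'; None = not configured
    vrf: Optional[str] = None             # 'match vrf': None = public network, "any", or a name


def select_profile(profiles, peer_kind, peer_value, local_address, vrf):
    """Responder-side lookup: return (profile, matched PeerId) or None.

    A profile is a candidate only if the received peer ID matches one of its
    peer IDs and, where configured, its local address and VPN instance also
    match. Candidates are ordered by priority (smaller first); equal priorities
    keep configuration order here, which on the device is unpredictable.
    """
    candidates = []
    for prof in profiles:
        if prof.local_address is not None and prof.local_address != local_address:
            continue
        if prof.vrf != "any" and prof.vrf != vrf:
            continue
        for pid in prof.peer_ids:          # earlier entry has higher priority
            if pid.matches(peer_kind, peer_value):
                candidates.append((prof.priority, prof, pid))
                break
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0])    # stable sort
    return candidates[0][1], candidates[0][2]


def duplicate_peer_ids(profiles):
    """Config lint: a peer ID present in two or more profiles makes selection unpredictable."""
    owners = {}
    for prof in profiles:
        for pid in prof.peer_ids:
            owners.setdefault(pid, []).append(prof.name)
    return {pid: names for pid, names in owners.items() if len(names) > 1}


# Constructed sample configuration; only profile1's two peer IDs come from the page.
PROFILES = [
    Ikev2Profile("profile1", [PeerId("fqdn", "www.test.com"), PeerId("address", "10.1.1.1")],
                 priority=10, local_address="3.3.3.3"),
    Ikev2Profile("profile2", [PeerId("address", "10.1.1.0/24")], vrf="any"),
    Ikev2Profile("profile3", [PeerId("range", "10.1.1.1-10.1.1.9")], priority=50, vrf="vpn1"),
    Ikev2Profile("profile4", [PeerId("fqdn", "www.test.com"), PeerId("email", "sec@abc.com")]),
]

if __name__ == "__main__":
    for args in [("fqdn", "www.test.com", "3.3.3.3", None),
                 ("address", "10.1.1.5", "3.3.3.3", None),
                 ("address", "10.1.1.5", "3.3.3.3", "vpn1"),
                 ("key-id", "vendor-x", "3.3.3.3", None)]:
        hit = select_profile(PROFILES, *args)
        print(args, "->", hit[0].name if hit else None)
    for pid, names in duplicate_peer_ids(PROFILES).items():
        print("ambiguous peer ID", pid, "configured in", names)
```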

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Configure the IKEv2 profile to match the peer ID that is the FQDN name www.test.com.

[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com

# Configure the IKEv2 profile to match the peer ID that is the IP address 10.1.1.1.

[Sysname-ikev2-profile-profile1] match remote identity address 10.1.1.1

Related commands

identity local

match local address

match vrf

match vrf (IKEv2 policy view)

Use match vrf to specify a VPN instance that an IKEv2 policy matches.

Use undo match vrf to restore the default.

Syntax

match vrf { name vrf-name | any }

undo match vrf

Default

No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs.

IKEv2 policies with this command configured are looked up before those that do not have this command configured.

Examples

# Create an IKEv2 policy named policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

# Configure the IKEv2 policy to match the VPN instance vpn1.

[Sysname-ikev2-policy-policy1] match vrf name vpn1

Related commands

display ikev2 policy

match local address

match vrf (IKEv2 profile view)

Use match vrf to specify a VPN instance for an IKEv2 profile.

Use undo match vrf to restore the default.

Syntax

match vrf { name vrf-name | any }

undo match vrf

Default

The IKEv2 profile belongs to the public network.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation. The VPN instance is the VPN instance to which the interface that receives IKEv2 packets belongs. If you specify the any keyword, interfaces in any VPN instance can use the IKEv2 profile for IKEv2 negotiation.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify vrf1 as the VPN instance that the IKEv2 profile belongs to.

[Sysname-ikev2-profile-profile1] match vrf name vrf1

Related commands

match remote

nat-keepalive

Use nat-keepalive to set the NAT keepalive interval.

Use undo nat-keepalive to restore the default.

Syntax

nat-keepalive seconds

undo nat-keepalive

Default

The NAT keepalive interval set in system view is used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Set the NAT keepalive interval to 1200 seconds.

[Sysname-ikev2-profile-profile1] nat-keepalive 1200

Related commands

display ikev2 profile

ikev2 nat-keepalive

peer

Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer.

Use undo peer to delete an IKEv2 peer.

Syntax

peer name

undo peer name

Default

No IKEv2 peers exist.

Views

IKEv2 keychain view

Predefined user roles

network-admin

Parameters

name: Specifies a name for the IKEv2 peer. The peer name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IKEv2 peer contains a preshared key and the criteria for looking up the peer. The criteria for peer lookup include the peer's host name, IP address, IP address range, and ID. The IKEv2 negotiation initiator uses the peer's host name, IP address, or IP address range to look up its peer. The responder uses the peer's IP address, IP address range, or ID to look up its peer.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

Related commands

address

hostname

identity

ikev2 keychain

pre-shared-key

Use pre-shared-key to configure a preshared key.

Use undo pre-shared-key to delete a preshared key.

Syntax

pre-shared-key [ local | remote ] { ciphertext | plaintext } string

undo pre-shared-key [ local | remote ]

Default

No preshared key exists.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

local: Specifies a preshared key for certificate signing.

remote: Specifies a preshared key for certificate authentication.

ciphertext: Specifies a preshared key in encrypted form.

plaintext: Specifies a preshared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the preshared key. The key is case sensitive. In non-FIPS mode, its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters. In FIPS mode, its plaintext form is a string of 15 to 128 characters and its encrypted form is a string of 15 to 201 characters.

Usage guidelines

If you specify the local or remote keyword, you configure an asymmetric key. If you specify neither the local nor the remote keyword, you configure a symmetric key.

To delete a key by using the undo command, you must specify the correct key type. For example, if you configure a key by using the pre-shared-key local command, you cannot delete the key by using the undo pre-shared-key or undo pre-shared-key remote command.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

·     On the initiator:

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Configure the symmetric plaintext preshared key 111-key.

[Sysname-ikev2-keychain-key1-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-key1-peer-peer1] quit

# Create an IKEv2 peer named peer2.

[Sysname-ikev2-keychain-key1] peer peer2

# Configure asymmetric plaintext preshared keys. The key for certificate signing is 111-key-a and the key for certificate authentication is 111-key-b.

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b

·     On the responder:

# Create an IKEv2 keychain named telecom.

<Sysname> system-view

[Sysname] ikev2 keychain telecom

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-telecom] peer peer1

# Configure the symmetric plaintext preshared key 111-key.

[Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-telecom-peer-peer1] quit

# Create an IKEv2 peer named peer2.

[Sysname-ikev2-keychain-telecom] peer peer2

# Configure asymmetric plaintext preshared keys. The key for certificate signing is 111-key-b and the key for certificate authentication is 111-key-a.

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key local plaintext 111-key-b

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key remote plaintext 111-key-a
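A consistency check for the initiator and responder keychains above, written in Python as an added illustration (not Comware code): each side's local (signing) key must equal the other side's remote (authentication) key, and plaintext lengths must stay within the limits the string parameter gives. A symmetric key is modelled here as the same key in both roles; that modelling is an assumption of the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PeerPsk:
    """Preshared keys configured under one 'peer' of an IKEv2 keychain."""
    name: str
    symmetric: Optional[str] = None  # pre-shared-key { ciphertext | plaintext } string
    local: Optional[str] = None      # pre-shared-key local ...  : key this side signs with
    remote: Optional[str] = None     # pre-shared-key remote ... : key used to authenticate the peer

    def effective(self):
        """(signing key, authentication key); a symmetric key fills both roles (assumption)."""
        if self.symmetric is not None:
            return self.symmetric, self.symmetric
        return self.local, self.remote


def length_problems(peer: PeerPsk, fips: bool = False) -> List[str]:
    """Plaintext length limits from the string parameter: 1 to 128, or 15 to 128 in FIPS mode."""
    low = 15 if fips else 1
    out = []
    for role, key in (("symmetric", peer.symmetric), ("local", peer.local), ("remote", peer.remote)):
        if key is not None and not low <= len(key) <= 128:
            out.append(f"{peer.name}: {role} key length {len(key)} is outside {low}..128")
    return out


def pairing_problems(a: PeerPsk, b: PeerPsk) -> List[str]:
    """Each side's signing key must equal the key the other side authenticates it with."""
    a_sign, a_auth = a.effective()
    b_sign, b_auth = b.effective()
    out = []
    for signer, s_key, verifier, v_key in ((a, a_sign, b, b_auth), (b, b_sign, a, a_auth)):
        if s_key is None or v_key is None:
            out.append(f"{signer.name}/{verifier.name}: a key is missing on one side")
        elif s_key != v_key:   # keys are case sensitive, so compare exactly
            out.append(f"{signer.name} signs with a key that {verifier.name} does not authenticate")
    return out


# Peer definitions taken from the initiator and responder examples above.
INITIATOR_PEER2 = PeerPsk("initiator/peer2", local="111-key-a", remote="111-key-b")
RESPONDER_PEER2 = PeerPsk("responder/peer2", local="111-key-b", remote="111-key-a")

if __name__ == "__main__":
    print("pairing problems:", pairing_problems(INITIATOR_PEER2, RESPONDER_PEER2))
    print("FIPS length problems:", length_problems(INITIATOR_PEER2, fips=True))
```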

Related commands

ikev2 keychain

peer

prf

Use prf to specify pseudo-random function (PRF) algorithms for an IKEv2 proposal.

Use undo prf to restore the default.

Syntax

In non-FIPS mode:

prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo prf

In FIPS mode:

prf { sha1 | sha256 | sha384 | sha512 } *

undo prf

Default

An IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.

md5: Uses the HMAC-MD5 algorithm.

sha1: Uses the HMAC-SHA1 algorithm.

sha256: Uses the HMAC-SHA256 algorithm.

sha384: Uses the HMAC-SHA384 algorithm.

sha512: Uses the HMAC-SHA512 algorithm.

Usage guidelines

You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Create an IKEv2 proposal named prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

# Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] prf sha1 md5

Related commands

ikev2 proposal

integrity

priority (IKEv2 policy view)

Use priority to set a priority for an IKEv2 policy.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 policy is 100.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

priority: Specifies the priority of the IKEv2 policy, in the range of 1 to 65535. A smaller number represents a higher priority.

Usage guidelines

The priority set by this command can only be used to adjust the match order of IKEv2 policies.

Examples

# Set the priority to 10 for the IKEv2 policy policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] priority 10

Related commands

display ikev2 policy

priority (IKEv2 profile view)

Use priority to set a priority for an IKEv2 profile.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 profile is 100.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535. A smaller number represents a higher priority.

Usage guidelines

The priority set by this command can only be used to adjust the match order of IKEv2 profiles.

Examples

# Set the priority to 10 for the IKEv2 profile profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1] priority 10

proposal

Use proposal to specify an IKEv2 proposal for an IKEv2 policy.

Use undo proposal to remove an IKEv2 proposal from an IKEv2 policy.

Syntax

proposal proposal-name

undo proposal proposal-name

Default

No IKEv2 proposal is specified for an IKEv2 policy.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.

Examples

# Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] proposal proposal1

Related commands

display ikev2 policy

ikev2 proposal

reset ikev2 sa

Use reset ikev2 sa to delete IKEv2 SAs.

Syntax

reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]

Views

User view

Predefined user roles

network-admin

Parameters

local: Deletes IKEv2 SAs for a local IP address.

remote: Deletes IKEv2 SAs for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Deletes IKEv2 SAs in a VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To delete IKEv2 SAs on the public network, do not specify this option.

tunnel tunnel-id: Deletes IKEv2 SAs for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

fast: Notifies the peers of the deletion and deletes IKEv2 SAs directly before receiving the peers' responses. If you do not specify this keyword, the device notifies the peers of the deletion and deletes IKEv2 SAs after it receives the peers' responses.

Usage guidelines

Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.

If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.

Examples

# Display information about IKEv2 SAs.

<Sysname> display ikev2 sa

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     1                  1.1.1.1/500       1.1.1.2/500        EST

     2                  2.2.2.1/500       2.2.2.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting   

# Delete the IKEv2 SA whose remote IP address is 1.1.1.2.

<Sysname> reset ikev2 sa remote 1.1.1.2

<Sysname> display ikev2 sa

     Tunnel ID          Local             Remote             Status

  --------------------------------------------------------------------

     2                  2.2.2.1/500       2.2.2.2/500        EST

  Status:

  IN-NEGO: Negotiating, EST: Established, DEL: Deleting   

Related commands

display ikev2 sa

reset ikev2 statistics

Use reset ikev2 statistics to clear IKEv2 statistics.

Syntax

reset ikev2 statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear IKEv2 statistics.

<Sysname> reset ikev2 statistics

Related commands

display ikev2 statistics

sa duration

Use sa duration to set the IKEv2 SA lifetime.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The IKEv2 SA lifetime is 86400 seconds.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.

Usage guidelines

An IKEv2 SA can be reused for subsequent IKEv2 negotiations before its lifetime expires, which saves negotiation time. However, the longer the lifetime, the higher the chance that an attacker collects enough information to mount an attack.

Two peers can have different IKEv2 SA lifetime settings, and they do not perform lifetime negotiation. The peer with a shorter lifetime always initiates the rekeying.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Set the IKEv2 SA lifetime to 1200 seconds.

[Sysname-ikev2-profile-profile1] sa duration 1200

Related commands

display ikev2 profile

 


Group domain VPN commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

The following matrix shows the feature and hardware compatibility:

Hardware                                                                                Group domain VPN compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       Yes

Hardware            Group domain VPN compatibility
MSR810-LM-GL        No
MSR810-W-LM-GL      No
MSR830-6EI-GL       Yes
MSR830-10EI-GL      Yes
MSR830-6HI-GL       Yes
MSR830-10HI-GL      Yes
MSR2600-6-X1-GL     Yes
MSR3600-28-SI-GL    No

client anti-replay window

Use client anti-replay window to set the anti-replay window size for a GDOI GM group.

Use undo client anti-replay window to restore the default.

Syntax

client anti-replay window { sec seconds | msec milliseconds }

undo client anti-replay window

Default

The anti-replay window size is not set for a GDOI GM group.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

sec seconds: Specifies the anti-replay window size in seconds, in the range of 1 to 100.

msec milliseconds: Specifies the anti-replay window size in milliseconds, in the range of 100 to 10000.

Usage guidelines

The anti-replay window size set in this command takes precedence over the anti-replay window size obtained from the KS.

This command must be used together with the Cisco IP-D3P feature.

Examples

# Set the anti-replay window size to 50 seconds for GDOI GM group group1.

<Sysname> system-view

[Sysname] gdoi gm group group1

[Sysname-gdoi-gm-group-group1] client anti-replay window sec 50

Related commands

display gdoi gm anti-replay

client registration

Use client registration to specify a registration interface for a GM in a GDOI GM group. The GM uses the registration interface to send packets to the KS.

Use undo client registration to restore the default.

Syntax

client registration interface interface-type interface-number

undo client registration interface

Default

A GM uses the output interface of the route to the KS as the registration interface.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a registration interface by its type and number.

Usage guidelines

The default registration interface of a GM is the output interface of the route from the GM to the KS. The interface might also be used for traffic forwarding. When a lot of traffic travels through the interface, packet exchange between the GM and the KS is affected. To resolve the problem, specify an interface that is not used for traffic forwarding as the registration interface.

A GM uses the primary IPv4 address of the registration interface as the source address to register with the KS.

For a successful GM registration, make sure the registration interface and a KS in the GDOI GM group belong to the same VRF.

Examples

# In GDOI GM group abc, specify interface GigabitEthernet 1/0/1 as the registration interface for the GM.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] client registration interface gigabitethernet 1/0/1

Related commands

gdoi gm group

client rekey encryption

Use client rekey encryption to specify KEK encryption algorithms supported by a GM.

Use undo client rekey encryption to restore the default.

Syntax

In non-FIPS mode:

client rekey encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } *

undo client rekey encryption

In FIPS mode:

client rekey encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *

undo client rekey encryption

Default

In non-FIPS mode, a GM supports DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-192, and AES-CBC-256.

In FIPS mode, a GM supports AES-CBC-128, AES-CBC-192, and AES-CBC-256.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode that uses a 128-bit key.

aes-cbc-192: Specifies the AES algorithm in CBC mode that uses a 192-bit key.

aes-cbc-256: Specifies the AES algorithm in CBC mode that uses a 256-bit key.

Usage guidelines

This command specifies the KEK encryption algorithms supported in registration and rekey processes.

·     During GM registration, a GM terminates the negotiation with the KS if the KEK encryption algorithm sent by the KS is not supported, and the registration fails.

·     During rekey, the GM discards rekey messages received from the KS if the KEK encryption algorithm sent by the KS is not supported.

Examples

# Specify the supported KEK encryption algorithm as AES-CBC-128 for the GDOI GM group abc.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] client rekey encryption aes-cbc-128

Related commands

gdoi gm group

client transform-sets

Use client transform-sets to specify IPsec transform sets supported by a GM.

Use undo client transform-sets to restore the default.

Syntax

client transform-sets transform-set-name&<1-6>

undo client transform-sets

Default

A GM supports the IPsec transform set configured with the following security parameters:

·     The ESP security protocol.

·     The tunnel or transport encapsulation mode.

·     The DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-192, or AES-CBC-256 encryption algorithm.

·     The MD5 or SHA1 authentication algorithm.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names. An IPsec transform set name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command specifies the IPsec transform sets supported in registration and rekey processes.

·     During GM registration, a GM terminates the negotiation with the KS if the IPsec transform set sent by the KS is not supported, and the registration fails.

·     During rekey, the GM discards rekey messages received from the KS if the IPsec transform set sent by the KS is not supported.

GMs support only the ESP security protocol. For a successful registration, do not specify an IPsec transform set that uses the AH security protocol for GMs.

Examples

# Specify the supported IPsec transform set as gdoi-esp-aes for the GDOI GM group abc.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] client transform-sets gdoi-esp-aes

Related commands

gdoi gm group

display gdoi gm

Use display gdoi gm to display GDOI GM group information, including GDOI configuration parameters, negotiation parameters, and the IPsec information obtained after successful registrations.

Syntax

display gdoi gm [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays information about all GDOI GM groups.

Examples

# Display information about all GDOI GM groups.

<Sysname> display gdoi gm

Group name: GDOI-GROUP1

 

  Group identity             : 12345

  Address family             : IPv4

  Rekeys received            : 1

 

  Group server               : 90.1.1.1

    VRF name                 : vrf1

  Group server               : 90.1.1.2

 

  Group member               : 80.1.1.1

    VRF name                 : vrf1

    Registration status      : Registered

    Registered with          : 90.1.1.1

    Re-register in           : 346 sec

    Succeeded registrations  : 1125

    Attempted registrations  : 1133

    Last rekey from          : 90.1.1.1

    Last rekey seq num       : 3

    Multicast rekeys received: 1

 

  Allowable rekey cipher     : Any

  Allowable rekey hash       : Any

  Allowable transform        : Any

 

  Rekeys cumulative:

    Total received                  : 5

    Rekeys after latest registration: 3

    Last rekey received for         : 00hr 02min 11sec

 

  ACL downloaded from KS 90.1.1.1:

    rule 0 deny udp source-port eq 848 destination-port eq 848

    rule 1 deny ospf

    rule 2 permit icmp

 

  KEK:

    Rekey transport type       : Multicast

    Remaining key lifetime     : 159 sec

    Encryption algorithm       : AES-CBC

    Key size                   : 128

    Signature algorithm        : RSA

    Signature hash algorithm   : SHA1

    Signature key length       : 1024 bits

 

  TEK:

    SPI                        : 0x9AE5951E(2598737182)

    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

    Remaining key lifetime     : 190 sec

 

    SPI                        : 0x12C55CFF(314924287)

    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

    Remaining key lifetime     : 402 sec

# Display information about the GDOI GM group GDOI-GROUP2.

<Sysname> display gdoi gm group GDOI-GROUP2

Group name: GDOI-GROUP2

 

  Group identity             : 12345

  Address family             : IPv4

  Rekeys received            : 52

 

  Group server               : 90.1.1.1

    VRF name                 : vrf1

  Group server               : keyserver

 

  Group member               : 80.1.1.1

    VRF name                 : vrf1

    Registration status      : Registered

    Registered with          : keyserver(90.1.1.2)

    Re-register in           : 143 sec

    Succeeded registrations  : 10

    Attempted registrations  : 15

    Last rekey from          : 90.1.1.2

    Last rekey seq num       : 13

    Unicast rekeys received  : 10

    Rekey ACKs sent          : 10

 

  Allowable rekey cipher     : Any

  Allowable rekey hash       : Any

  Allowable transform        : Any

 

  Rekeys cumulative:

    Total received                  : 52

    Rekeys after latest registration: 3

    Total rekey ACKs sent           : 23

 

  ACL downloaded from KS 90.1.1.2:

    rule 0 deny udp source-port eq 848 destination-port eq 848

    rule 1 deny ospf

    rule 2 permit icmp

 

  KEK:

    Rekey transport type       : Unicast

    Remaining key lifetime     : 159 sec

    Encryption algorithm       : AES-CBC

    Key size                   : 128

    Signature algorithm        : RSA

    Signature hash algorithm   : SHA1

    Signature key length       : 1024 bits

 

  TEK:

    SPI                        : 0x9AE5951E(2598737182)

    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

    Remaining key lifetime     : 190 sec

 

    SPI                        : 0x12C55CFF(314924287)

    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

    Remaining key lifetime     : 402 sec

Table 97 Command output

Field
    Description
Group name
    GDOI GM group name.
Group identity
    GDOI GM group ID (a number or an IPv4 address). N/A indicates that the group is not configured with an ID.
Address family
    Address family of data flows protected by the GDOI GM group, IPv4 or IPv6.
Rekeys received
    Number of rekey messages received.
Group server
    IP addresses or host names of KSs in the GDOI GM group. A group supports a maximum of 16 KS IP addresses or host names.
VRF name
    Name of the VRF to which the KS belongs. If the KS belongs to the public network, this field is not displayed.
Group member
    IP address of the GM.
VRF name
    Name of the VRF to which the GM belongs. If the GM belongs to the public network, this field is not displayed.
Registration status
    Registration status: Registered, Registering, or Not registered.
Registered with
    IP address or host name of the KS with which the GM registers. If a host name is displayed, this field also displays the IP address of the host in brackets.
Re-register in
    Period of time after which the GM re-registers with a KS. N/A indicates that the GM does not re-register with a KS.
Succeeded registrations
    Number of successful registrations.
Attempted registrations
    Number of registration attempts.
Last rekey from
    KS from which the GM received the last rekey message. N/A indicates that the GM has not received any rekey messages.
Last rekey seq num
    Sequence number of the last received rekey message. N/A indicates that the GM has not received any rekey messages.
Multicast rekeys received
    Number of multicast rekeys received. This field is displayed only when the GDOI GM group is a multicast group.
Unicast rekeys received
    Number of unicast rekeys received. This field is displayed only when the GDOI GM group is a unicast group.
Rekey ACKs sent
    Number of rekey ACK messages sent. This field is displayed only when the GDOI GM group is a unicast group.
Allowable rekey cipher
    Rekey encryption algorithms that the GM allows. Any indicates that the GM allows all encryption algorithms.
Allowable rekey hash
    Rekey hash algorithms that the GM allows. Any indicates that the GM allows all hash algorithms.
Allowable transform
    Rekey transform modes that the GM allows. Any indicates that the GM allows all transform modes.
Rekeys cumulative
    Rekey statistics.
Total received
    Total number of rekeys that the GM has received.
Rekeys after latest registration
    Number of rekeys that the GM has received after the last successful registration.
Last rekey received for
    Period of time for which the key has existed since the last rekey operation. N/A indicates that no rekey message has been received. This field is displayed only in multicast mode.
Total rekey ACKs sent
    Number of rekey ACK messages sent. This field is displayed only in unicast mode.
ACL downloaded from KS 90.1.1.1
    ACL information downloaded from the KS at 90.1.1.1.
rule 0 deny udp source-port eq 848 destination-port eq 848
    UDP packets whose source and destination port numbers are both 848 do not need to be protected by IPsec.
rule 1 deny ospf
    OSPF protocol packets do not need to be protected by IPsec.
rule 2 permit icmp
    All ICMP packets need to be protected by IPsec.
KEK
    KEK information.
Rekey transport type
    Transport type of rekey messages: Multicast or Unicast.
Remaining key lifetime
    Remaining KEK lifetime in seconds.
Encryption algorithm
    KEK encryption algorithm.
Key size
    KEK key length.
Signature algorithm
    KEK signature algorithm.
Signature hash algorithm
    KEK signature hash algorithm.
Signature key length
    KEK signature key length in bits.
TEK
    TEK information.
SPI
    SPI of the IPsec SA.
Transform
    Transform set list.
Remaining key lifetime
    IPsec SA remaining lifetime in seconds.

 

display gdoi gm acl

Use display gdoi gm acl to display ACL information for the GM.

Syntax

display gdoi gm acl [ download | local ] [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

download: Displays the ACL information that the GM downloaded from the KS.

local: Displays the ACL information locally configured on the GM.

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays ACL information for all GM groups.

Usage guidelines

If you do not specify any parameters, this command displays information about all ACLs for all GM groups, including the downloaded ACLs and the locally configured ACLs. A locally configured ACL refers to the ACL used by the GDOI IPsec policy.

Examples

# Display information about all ACLs for all GM groups.

<Sysname> display gdoi gm acl

Group name: abc

  ACL downloaded from KS 12.1.1.100:

    rule 0 permit ip

    rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255

 

  ACL configured locally:

    IPsec policy name: gdoi-group1

      ACL identifier: 3001

        rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

 

Group Name: 123

  ACL downloaded from KS 12.1.1.100:

    rule 1 permit ip source 13.1.1.0 0.0.0.255 destination 13.1.2.0 0.0.0.255

 

Group name: ipv6

  ACL configured locally:

    IPsec policy name: gdoi-group1

      IPv6 ACL identifier: 3001

        rule 0 permit ipv6 source 1::/64 destination 2::/64

# Display information about ACLs that the GM downloaded from the KS.

<Sysname> display gdoi gm acl download

Group name: abc

  ACL downloaded from KS 12.1.1.100:

    rule 0 permit ip

    rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255

# Display information about ACLs that are locally configured on the GM.

<Sysname> display gdoi gm acl local

Group name: abc

  ACL configured locally:

    IPsec policy name: gdoi-group1

      ACL identifier: 3001

        rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

Table 98 Command output

Field

Description

Group name

GDOI GM group name.

rule 0 permit ip

IPsec protects any IP packets.

rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255

IPsec protects IP packets whose source and destination addresses are within subnet 12.1.1.0/24.

rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

IPsec does not protect IP packets whose source and destination addresses are within subnet 10.1.1.0/24.
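The permit/deny semantics in Table 98 (permit = IPsec protects the flow, deny = the flow travels in the clear) are easy to misread when a KS pushes several rules. The following added example, which is not H3C code, parses display gdoi gm acl output into per-group downloaded and local rule lists and evaluates a flow against them. It assumes first-match evaluation in rule-number order and that a flow matching no rule is reported as unmatched (None); the sample output is constructed from the examples in this reference.

```python
"""Parse 'display gdoi gm acl' output and decide whether a flow is IPsec-protected."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, assembled from the output examples in the reference.
SAMPLE_OUTPUT = """\
Group name: abc
  ACL downloaded from KS 90.1.1.1:
    rule 0 deny udp source-port eq 848 destination-port eq 848
    rule 1 deny ospf
    rule 2 permit icmp
  ACL configured locally:
    IPsec policy name: gdoi-group1
      ACL identifier: 3001
        rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
Group Name: 123
  ACL downloaded from KS 12.1.1.100:
    rule 1 permit ip source 13.1.1.0 0.0.0.255 destination 13.1.2.0 0.0.0.255
"""


@dataclass
class Rule:
    number: int
    action: str                          # "permit" = IPsec protects, "deny" = sent in clear
    proto: str                           # ip, udp, tcp, icmp, ospf, ...
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    sport: Optional[int]
    dport: Optional[int]


def _net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Comware wildcard mask (1 bits = don't care) -> network object."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


_RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(\S+)\s*(.*)$")


def parse_rule(line: str) -> Rule:
    """Parse one rule line; covers the keywords that appear in the reference output."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"not an ACL rule: {line!r}")
    number, action, proto, rest = m.groups()
    tok = rest.split()
    src = dst = sport = dport = None
    i = 0
    while i < len(tok):
        if tok[i] == "source":
            src = _net(tok[i + 1], tok[i + 2])
        elif tok[i] == "destination":
            dst = _net(tok[i + 1], tok[i + 2])
        elif tok[i] == "source-port" and tok[i + 1] == "eq":
            sport = int(tok[i + 2])
        elif tok[i] == "destination-port" and tok[i + 1] == "eq":
            dport = int(tok[i + 2])
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
        i += 3                           # every supported keyword takes two operands
    return Rule(int(number), action, proto, src, dst, sport, dport)


def parse_gm_acl(text: str) -> Dict[str, Dict[str, List[Rule]]]:
    """Return {group: {"downloaded": [rules from KS], "local": [rules of the IPsec policy]}}."""
    groups: Dict[str, Dict[str, List[Rule]]] = {}
    group = section = None
    for raw in text.splitlines():
        s = raw.strip()
        if s.lower().startswith("group name:"):   # output uses both "name" and "Name"
            group = s.split(":", 1)[1].strip()
            groups[group] = {"downloaded": [], "local": []}
        elif s.startswith("ACL downloaded from KS"):
            section = "downloaded"
        elif s.startswith("ACL configured locally"):
            section = "local"
        elif s.startswith("rule ") and group and section:
            groups[group][section].append(parse_rule(s))
    return groups


def rule_matches(r: Rule, proto: str, src: str, dst: str,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    return ((r.proto == "ip" or r.proto == proto)
            and (r.src is None or ipaddress.IPv4Address(src) in r.src)
            and (r.dst is None or ipaddress.IPv4Address(dst) in r.dst)
            and (r.sport is None or r.sport == sport)
            and (r.dport is None or r.dport == dport))


def is_protected(rules: List[Rule], proto: str, src: str, dst: str,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> Optional[bool]:
    """True: IPsec protects the flow; False: a deny rule sends it in the clear;
    None: no rule matched. First match in rule-number order is an assumption."""
    for r in sorted(rules, key=lambda x: x.number):
        if rule_matches(r, proto, src, dst, sport, dport):
            return r.action == "permit"
    return None
```

Run is_protected over the "downloaded" list to see what the KS policy actually covers, and over the "local" list to see what the GM's own policy excludes before the KS rules are consulted.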

 

display gdoi gm anti-replay

Use display gdoi gm anti-replay to display anti-replay information, including the timestamp type and window size, for a GDOI GM group.

Syntax

display gdoi gm anti-replay [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays anti-replay information for all GDOI GM groups.

Examples

# Display anti-replay information for all GDOI GM groups.

<Sysname> display gdoi gm anti-replay

Group name: abc

  Anti-replay timestamp type         : POSIX-TIME

  Anti-replay window                 : 200.16 ms

Related commands

client anti-replay window

display gdoi gm ipsec sa

Use display gdoi gm ipsec sa to display IPsec SA information obtained by the GM.

Syntax

display gdoi gm ipsec sa [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays IPsec SA information obtained by all GM groups.

Examples

# Display IPsec SA information obtained by all GM groups.

<Sysname> display gdoi gm ipsec sa

SA created for group abc:

  SPI                    : 0x9AE5951E(2598737182)

  Transform              : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

  Remaining key lifetime : 190 sec

 

  SPI                    : 0x9AE5951F(2598737183)

  Transform              : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

  Remaining key lifetime : 3600 sec

 

SA created for group hh:

  SPI                    : 0xDCC66F7B(3703992187)

  Transform              : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

  Remaining key lifetime : 280 sec

Table 99 Command output

Field

Description

SA created for group abc

IPsec SAs created for the GDOI GM group abc.

SPI

SPI of the IPsec SA.

Transform

Transform set.

Remaining key lifetime

Remaining lifetime of the IPsec SA, in seconds.

 

display gdoi gm members

Use display gdoi gm members to display brief information about the GM.

Syntax

display gdoi gm members [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays brief information about all GM groups.

Examples

# Display brief information about all GM groups.

<Sysname> display gdoi gm members

Group member information for group GDOI-GROUP1:

 

  Group member               : 80.1.1.1

    VRF name                 : vrf1

    Registration status      : Registered

    Registered with          : 90.1.1.1

    Re-register in           : 308 sec

    Succeeded registrations  : 1131

    Attempted registrations  : 1139

    Last rekey from          : 90.1.1.1

    Last rekey seq num       : 3

    Multicast rekeys received: 1

Table 100 Command output

Field

Description

Group member information for group GDOI-GROUP1

Brief information about GMs of the GDOI GM group GDOI-GROUP1.

Group member

IP address of the GM.

VRF name

Name of the VRF to which the GM belongs. If the GM belongs to the public network, this field is not displayed.

Registration status

Registration status: Registered, Registering, or Not registered.

Registered with

IP address or host name of the KS with which the GM registers.

If the host name is displayed, this field also displays the IP address of the host in brackets.

Re-register in

Period of time after which the GM re-registers with a KS.

Succeeded registrations

Number of successful registrations.

Attempted registrations

Number of registration attempts.

Last rekey from

KS from which the GM received the last rekey message.

N/A indicates that the GM has not received any rekey messages.

Last rekey seq num

Sequence number of the last received rekey message.

N/A indicates that the GM has not received any rekey messages.

Multicast rekeys received

Number of multicast rekeys received. This field is displayed only when the GDOI GM group is a multicast group.

Unicast rekeys received

Number of unicast rekeys received. This field is displayed only when the GDOI GM group is a unicast group.

Rekey ACKs sent

Number of rekey ACK messages sent. This field is displayed only when the GDOI GM group is a unicast group.

 

display gdoi gm pubkey

Use display gdoi gm pubkey to display public key information received by the GM.

Syntax

display gdoi gm pubkey [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays the public key information received by all GM groups.

Examples

# Display public key information received by all GM groups.

<Sysname> display gdoi gm pubkey

Group name: GDOI-GROUP1

  KS address: 90.1.1.1

  Conn-ID: 2044    My cookie: 7C9CB398    His cookie: 4E54C7EA

  Key data:

    30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00BB0F5B

    6B5788E7 6220C0C1 C4BCAAD7 D81322FF 7DB9436E 46E308DA D589243B 64946D2D

    FC502F64 7F38DDF5 E999F8F7 4A247508 9AF7765B F0B080AC 11CC08E4 B48A976F

    D3721818 B66201F0 BD1987BE DD28D533 C38E7D42 939D2B71 3FAAA17A 128DF862

    E45C531D A0C8593E D7D602E9 7A7E675A 94AF6B25 2972CF85 94E601BD 19020301

    0001

Table 101 Command output

Field

Description

Group name

GDOI GM group name.

KS address

IPv4 or IPv6 address of the KS.

Conn-ID

ID of the rekey SA.

My cookie

Local cookie of the rekey SA.

His cookie

Peer cookie of the rekey SA.

Key data

Public key data.

 

display gdoi gm rekey

Use display gdoi gm rekey to display rekey information for the GM.

Syntax

display gdoi gm rekey [ verbose ] [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed rekey information for the GM. If you do not specify this keyword, the command displays brief rekey information for the GM.

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays rekey information for all GM groups.

Examples

# Display brief rekey information for all GM groups.

<Sysname> display gdoi gm rekey

Group name: abc (Unicast)

  Number of rekeys received (cumulative)       : 9

  Number of rekeys received after registration : 9

  Number of rekey ACKs sent                    : 105

 

Group name: 123 (Multicast)

  Number of rekeys received (cumulative)       : 9

  Number of rekeys received after registration : 9

  Multicast destination address                : 239.192.1.190

# Display detailed rekey information for all GM groups.

<Sysname> display gdoi gm rekey verbose

Group name: GDOI-GROUP1 (Multicast)

  Number of rekeys received (cumulative)       : 1904

  Number of rekeys received after registration : 889

  Multicast destination address                : 239.192.1.190

 

Rekey (KEK) SA information:

            Destination     Source            Conn-ID  My cookie  His cookie

New       : 239.192.1.190   90.1.1.1          9646     14406D26   8C58E504

Current   : 239.192.1.190   90.1.1.1          9646     14406D26   8C58E504

Previous  : ---             ---               ---      ---        ---

Table 102 Command output

Field

Description

Group name

GDOI GM group name.

Unicast

Unicast rekey transport type.

Multicast

Multicast rekey transport type.

Multicast destination address

Multicast destination address of the rekey messages.

Rekey (KEK) SA information

SA that protects the rekey messages.

Destination

Destination IP address of the rekey SA.

Source

Source IP address of the rekey SA.

Conn-ID

ID of the rekey SA.

My cookie

Local cookie of the rekey SA.

His cookie

Peer cookie of the rekey SA.

New

Information about the new rekey SA.

Current

Information about the currently used rekey SA.

Previous

Information about the most recently used rekey SA.

 

gdoi gm group

Use gdoi gm group to create a GDOI GM group and enter its view, or enter the view of an existing GDOI GM group.

Use undo gdoi gm group to delete a GDOI GM group.

Syntax

gdoi gm group [ ipv6 ] group-name

undo gdoi gm group [ ipv6 ] group-name

Default

No GDOI GM groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 GDOI GM group. If you do not specify this keyword, the command creates an IPv4 GDOI GM group.

group-name: Specifies a name for the GDOI GM group, a case-insensitive string of 1 to 63 characters.

Usage guidelines

IPv4 GDOI GM groups and IPv6 GDOI GM groups share the same namespace. You cannot specify the same name for an IPv4 GDOI GM group and an IPv6 GDOI GM group.

Examples

# Create a GDOI GM group named abc, and enter its view.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc]

group

Use group to specify a GDOI GM group for a GDOI IPsec policy.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

No GDOI GM group is specified for a GDOI IPsec policy.

Views

GDOI IPsec policy view

Predefined user roles

network-admin

Parameters

group-name: Specifies the name of a GDOI GM group, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one GDOI GM group for a GDOI IPsec policy. If you execute this command multiple times, the most recent configuration takes effect.

A GDOI GM group can be specified for entries of different GDOI IPsec policies, but it cannot be specified for more than one entry of the same GDOI IPsec policy.

An IPv6 GDOI GM group can be specified only for an IPv6 GDOI IPsec policy. An IPv4 GDOI GM group can be specified only for an IPv4 GDOI IPsec policy.

Examples

# Create a GDOI IPsec policy entry, and specify the IPsec policy name as map and the sequence number as 1.

<Sysname> system-view

[Sysname] ipsec policy map 1 gdoi

# Specify the GDOI GM group abc for the GDOI IPsec policy.

[Sysname-ipsec-policy-gdoi-map-1] group abc

Related commands

gdoi gm group

ipsec { ipv6-policy | policy }

identity

Use identity to configure an ID for a GDOI GM group.

Use undo identity to restore the default.

Syntax

identity { address ip-address | number number }

undo identity

Default

No ID is configured for a GDOI GM group.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

address ip-address: Specifies any valid IPv4 address to identify the GDOI GM group.

number number: Specifies a number in the range of 0 to 2147483647 to identify the GDOI GM group.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Only GMs in the same GDOI GM group can communicate with each other.

Examples

# Configure the ID for the GDOI GM group abc as 123456.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] identity number 123456

# Configure the ID for the GDOI GM group def as 202.202.202.10.

<Sysname> system-view

[Sysname] gdoi gm group def

[Sysname-gdoi-gm-group-def] identity address 202.202.202.10

reset gdoi gm

Use reset gdoi gm to clear GDOI information that the GM downloaded from a KS, and trigger the GM to re-register with the KS. The downloaded GDOI information includes the IKE SA, rekey SA, IPsec SA, and ACL.

Syntax

reset gdoi gm [ group group-name ]

Views

User view

Predefined user roles

network-admin

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command clears GDOI information for all GM groups.

Examples

# Clear GDOI information for all GM groups, and trigger the GM to re-register with the KS.

<Sysname> reset gdoi gm

# Clear GDOI information for the GDOI GM group abc, and trigger the GM to re-register with the KS.

<Sysname> reset gdoi gm group abc

server address

Use server address to specify the IP address of a key server (KS).

Use undo server address to delete a KS IP address.

Syntax

server address host [ vrf vrf-name ]

undo server address host [ vrf vrf-name ]

Default

No KS IP address is specified.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

host: Specifies a KS IP address, a case-sensitive string of 1 to 253 characters.

vrf vrf-name: Specifies the VRF to which the KS IP address belongs. The vrf-name argument represents the VRF name, a case-sensitive string of 1 to 31 characters. If you do not specify a VRF, the KS IP address belongs to the public network.

Usage guidelines

You must specify KSs for GMs in a GDOI GM group.

A GDOI GM group can have a maximum of 16 KS addresses. A GM first sends a registration request to the first-specified KS. If that registration does not succeed before the registration timer expires, the GM tries the other KSs one by one, in the order they are configured, until a registration succeeds. If all registration attempts fail, the GM repeats the registration process.

Examples

# Specify two KS addresses, 3.3.3.3 and 3.3.3.4, for the GDOI GM group abc.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] server address 3.3.3.3

[Sysname-gdoi-gm-group-abc] server address 3.3.3.4


SSH commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

·     MSR810-LM-GL/810-W-LM-GL/830-6EI-GL/830-10EI-GL/830-6HI-GL/830-10HI-GL/2600-6-X1-GL/3600-28-SI-GL.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

SSH server commands

display ssh server

Use display ssh server on an SSH server to display the SSH server status or sessions.

Syntax

Centralized devices in standalone mode:

display ssh server { session | status }

Distributed devices in standalone mode/centralized devices in IRF mode:

display ssh server { session [ slot slot-number ] | status }

Distributed devices in IRF mode:

display ssh server { session [ chassis chassis-number slot slot-number ] | status }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

session: Displays SSH server session information.

status: Displays the SSH server status.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SSH server session information for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays SSH server session information for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays SSH server session information for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display the SSH server status.

<Sysname> display ssh server status

 Stelnet server: Disable

 SSH version : 2.0

 SSH authentication-timeout : 60 second(s)

 SSH server key generating interval : 0 hour(s)

 SSH authentication retries : 3 time(s)

 SFTP server: Disable

 SFTP server Idle-Timeout: 10 minute(s)

 NETCONF server: Disable

 SCP server: Disable

 SSH Server PKI domain name: aaa

Table 103 Command output

Field

Description

Stelnet server

Whether the Stelnet server is enabled.

SSH version

SSH protocol version.

When the SSH server supports SSH1 clients, the protocol version is 1.99. Otherwise, the protocol version is 2.

SSH authentication-timeout

Authentication timeout timer.

SSH server key generating interval

Minimum interval for updating the RSA server key pair.

SSH authentication retries

Maximum number of authentication attempts for SSH users.

SFTP server

Whether the SFTP server is enabled.

SFTP server Idle-Timeout

SFTP connection idle timeout timer.

NETCONF server

Whether NETCONF over SSH is enabled.

SCP server

Whether the SCP server is enabled.

SSH Server PKI domain name

Name of the PKI domain specified for the SSH server.

 

# Display the SSH server sessions.

<Sysname> display ssh server session

UserPid   SessID Ver   Encrypt    State          Retries  Serv     Username   Idx

 184      0      2.0   aes128-cbc Established    1        Stelnet  abc@123

Table 104 Command output

Field

Description

UserPid

User process ID.

SessID

Session ID.

Ver

Protocol version of the SSH server.

Encrypt

Encryption algorithm used on the SSH server.

State

Session state:

·     Init—Initialization.

·     Ver-exchange—Version negotiation.

·     Keys-exchange—Key exchange.

·     Auth-request—Authentication request.

·     Serv-request—Session service request.

·     Established—The session is established.

·     Disconnected—The session is terminated.

Retries

Number of authentication failures.

Serv

Service type:

·     SCP.

·     SFTP.

·     Stelnet.

·     NETCONF.

Username

Username that the client uses to log in to the server.

Idx

Absolute number of the user line. This field is empty if the SSH connection for the user is not redirected.
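The two outputs above are what an operator has to read to judge the state of the SSH service, and Table 103 and Table 104 give the field semantics. The following added example, which is not H3C code, parses both outputs and reports the conditions a reviewer would check: SSH1 compatibility (version 1.99), CBC-mode ciphers in live sessions, an authentication-retry count above a limit, and which SSH services are enabled. The retry limit, the cipher list and the sample output (constructed from the examples in this reference) are assumptions of the example.

```python
"""Audit 'display ssh server status' and 'display ssh server session' output."""
from typing import Dict, List

# Constructed sample output, copied from the examples in the reference.
STATUS_OUTPUT = """\
 Stelnet server: Disable
 SSH version : 2.0
 SSH authentication-timeout : 60 second(s)
 SSH server key generating interval : 0 hour(s)
 SSH authentication retries : 3 time(s)
 SFTP server: Disable
 SFTP server Idle-Timeout: 10 minute(s)
 NETCONF server: Disable
 SCP server: Disable
 SSH Server PKI domain name: aaa
"""

SESSION_OUTPUT = """\
UserPid   SessID Ver   Encrypt    State          Retries  Serv     Username   Idx
 184      0      2.0   aes128-cbc Established    1        Stelnet  abc@123
"""

MAX_AUTH_RETRIES = 3                                                  # assumption: policy limit
WEAK_CIPHERS = {"aes128-cbc", "aes256-cbc", "3des-cbc", "des-cbc"}    # assumption: CBC ciphers


def parse_status(text: str) -> Dict[str, str]:
    """'Key : value' lines -> dict; the output is inconsistent about spacing around ':'."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Whitespace-separated table; an empty trailing Idx column becomes ''."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cells = line.split()
        cells += [""] * (len(header) - len(cells))   # Idx is empty when not redirected
        rows.append(dict(zip(header, cells)))
    return rows


def leading_int(value: str) -> int:
    """'3 time(s)' -> 3, '60 second(s)' -> 60."""
    return int(value.split()[0])


def audit(status_text: str, session_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    status = parse_status(status_text)
    findings: List[str] = []
    if status.get("SSH version") == "1.99":
        findings.append("SSH1 compatibility enabled (version 1.99)")
    retries = leading_int(status.get("SSH authentication retries", "0"))
    if retries > MAX_AUTH_RETRIES:
        findings.append(f"authentication retries {retries} exceed limit {MAX_AUTH_RETRIES}")
    for svc in ("Stelnet server", "SFTP server", "SCP server", "NETCONF server"):
        if status.get(svc) == "Enable":
            findings.append(f"{svc} enabled")
    for s in parse_sessions(session_text):
        if s["Encrypt"] in WEAK_CIPHERS:
            findings.append(f"session {s['SessID']} ({s['Username']}) uses CBC cipher {s['Encrypt']}")
    return findings
```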

 

display ssh user-information

Use display ssh user-information to display information about SSH users on an SSH server.

Syntax

display ssh user-information [ username ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If you do not specify an SSH user, this command displays information about all SSH users.

Usage guidelines

This command displays information only about SSH users that are configured by using the ssh user command on the SSH server.

Examples

# Display information about all SSH users.

<Sysname> display ssh user-information

 Total ssh users:2

 Username            Authentication-type  User-public-key-name  Service-type

 yemx                password                                   Stelnet|SFTP

 test                publickey            pubkey                SFTP

Table 105 Command output

Field

Description

Total ssh users

Total number of SSH users.

Authentication-type

Authentication methods:

·     Password authentication.

·     Publickey authentication.

·     Password-publickey authentication.

·     Any authentication.

User-public-key-name

Public key name of the user.

This field is empty if the authentication method is password authentication.

Service-type

Service types:

·     Stelnet.

·     SFTP.

·     SCP.

·     NETCONF.

If multiple service types are available for an SSH user, they are separated by vertical bars (|).

 

Related commands

ssh user

scp server enable

Use scp server enable to enable the SCP server.

Use undo scp server enable to disable the SCP server.

Syntax

scp server enable

undo scp server enable

Default

The SCP server is disabled.

Views

System view

Predefined user roles

network-admin

Examples

# Enable the SCP server.

<Sysname> system-view

[Sysname] scp server enable

Related commands

display ssh server

sftp server enable

Use sftp server enable to enable the SFTP server.

Use undo sftp server enable to disable the SFTP server.

Syntax

sftp server enable

undo sftp server enable

Default

The SFTP server is disabled.

Views

System view

Predefined user roles

network-admin

Examples

# Enable the SFTP server.

<Sysname> system-view

[Sysname] sftp server enable

Related commands

display ssh server

sftp server idle-timeout

Use sftp server idle-timeout to set the idle timeout timer for SFTP connections on an SFTP server.

Use undo sftp server idle-timeout to restore the default.

Syntax

sftp server idle-timeout time-out-value

undo sftp server idle-timeout

Default

The idle timeout timer is 10 minutes for SFTP connections.

Views

System view

Predefined user roles

network-admin

Parameters

time-out-value: Specifies an idle timeout timer in the range of 1 to 35791 minutes.

Usage guidelines

If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. To promptly release connection resources, set the idle timeout timer to a small value when many SFTP connections concurrently exist.

Examples

# Set the idle timeout timer to 500 minutes for SFTP connections.

<Sysname> system-view

[Sysname] sftp server idle-timeout 500

Related commands

display ssh server

ssh ip alias

Use ssh ip alias to associate an SSH redirect listening port with an IP address.

Use undo ssh ip alias to delete the IP address associated with the SSH redirect listening port.

Syntax

ssh ip alias ip-address port-number

undo ssh ip alias ip-address

Default

An SSH redirect listening port is not associated with an IP address.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address to be associated with the SSH redirect listening port. The IP address cannot be the address of an interface on the device, but it can be on the same subnet as an interface IP address on the device.

port-number: Specifies an SSH redirect listening port number in the range of 4000 to 50000.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       No

Hardware                 Command compatibility
MSR810-LM-GL             No
MSR810-W-LM-GL           No
MSR830-6EI-GL            No
MSR830-10EI-GL           No
MSR830-6HI-GL            No
MSR830-10HI-GL           No
MSR2600-6-X1-GL          Yes
MSR3600-28-SI-GL         Yes


The SSH redirect server can provide the SSH redirect service after SSH redirect is enabled and an SSH redirect listening port is configured. The SSH client can use the ssh2 ip-address port-number command to access the destination device. The ip-address argument and the port-number argument specify the IP address of the SSH redirect server and the SSH redirect listening port, respectively.

After the ssh ip alias command is configured, the client can use the ssh2 ip-address command to access the destination device. The ip-address argument specifies the IP address associated with the SSH redirect listening port.

If you specify multiple SSH redirect listening ports for an IP address, the most recent configuration takes effect.

Examples

# Associate SSH redirect listening port 4000 with IP address 1.1.1.1.

<Sysname> system-view

[Sysname] ssh ip alias 1.1.1.1 4000

Related commands

ssh redirect disconnect

ssh redirect listen-port

ssh redirect disconnect

Use ssh redirect disconnect to terminate the redirected SSH connection.

Syntax

ssh redirect disconnect

Views

AUX line view

TTY line view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       No

Hardware                 Command compatibility
MSR810-LM-GL             No
MSR810-W-LM-GL           No
MSR830-6EI-GL            No
MSR830-10EI-GL           No
MSR830-6HI-GL            No
MSR830-10HI-GL           No
MSR2600-6-X1-GL          Yes
MSR3600-28-SI-GL         Yes


Examples

# Terminate the redirected SSH connection on TTY line 1.

<Sysname> system-view

[Sysname] line tty 1

[Sysname-line-tty1] ssh redirect disconnect

Related commands

ssh redirect enable

ssh redirect enable

Use ssh redirect enable to enable SSH redirect for a user line.

Use undo ssh redirect enable to disable SSH redirect for a user line.

Syntax

ssh redirect enable

undo ssh redirect enable

Default

SSH redirect is disabled for a user line.

Views

AUX line view

TTY line view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       No

Hardware                 Command compatibility
MSR810-LM-GL             No
MSR810-W-LM-GL           No
MSR830-6EI-GL            No
MSR830-10EI-GL           No
MSR830-6HI-GL            No
MSR830-10HI-GL           No
MSR2600-6-X1-GL          Yes
MSR3600-28-SI-GL         Yes


The user line on the SSH redirect server must use the same transmission rate as the destination device. To set the transmission rate for the user line, use the speed command.

As a best practice, configure the user line on the SSH redirect server to use the same number of stop bits as the destination device. To identify whether the user line and the destination device are using the same number of stop bits, use the stopbit-error intolerance command. To change the number of stop bits, use the stopbits command.

For more information about the transmission rate and stop bits, see the login management configuration in Fundamentals Configuration Guide.

Examples

# Enable SSH redirect on TTY line 7.

<Sysname> system-view

[Sysname] line tty 7

[Sysname-line-tty7] ssh redirect enable

Related commands

ssh redirect listen-port

ssh redirect disconnect

ssh redirect listen-port

Use ssh redirect listen-port to set the SSH redirect listening port for a user line.

Use undo ssh redirect listen-port to restore the default.

Syntax

ssh redirect listen-port port-number

undo ssh redirect listen-port

Default

The SSH redirect listening port number is the absolute user line number plus 4000.

Views

AUX line view

TTY line view

Predefined user roles

network-admin

Parameters

port-number: Specifies the number of the SSH redirect listening port, in the range of 4000 to 50000.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       No

Hardware                 Command compatibility
MSR810-LM-GL             No
MSR810-W-LM-GL           No
MSR830-6EI-GL            No
MSR830-10EI-GL           No
MSR830-6HI-GL            No
MSR830-10HI-GL           No
MSR2600-6-X1-GL          Yes
MSR3600-28-SI-GL         Yes


The device redirects only SSH connection requests destined for the SSH redirect listening port.

The redirected SSH connection is terminated if the SSH redirect listening port for the connection is modified.

Examples

# Set the SSH redirect listening port number to 5000 on TTY line 1.

<Sysname> system-view

[Sysname] line tty 1

[Sysname-line-tty1] ssh redirect listen-port 5000

Related commands

ssh redirect enable

ssh redirect timeout

Use ssh redirect timeout to set the idle-timeout timer for the redirected SSH connection.

Use undo ssh redirect timeout to restore the default.

Syntax

ssh redirect timeout time

undo ssh redirect timeout

Default

The idle-timeout timer is 360 seconds.

Views

AUX line view

TTY line view

Predefined user roles

network-admin

Parameters

time: Specifies the idle-timeout timer in seconds. The value range is 0 to 86400. To disable the timeout mechanism, set the timeout timer to 0.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS  No
MSR2600-6-X1/2600-10-X1                                                                 Yes
MSR 2630                                                                                Yes
MSR3600-28/3600-51                                                                      Yes
MSR3600-28-SI/3600-51-SI                                                                Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                                          Yes
MSR 3610/3620/3620-DP/3640/3660                                                         Yes
MSR5620/5660/5680                                                                       No

Hardware                 Command compatibility
MSR810-LM-GL             No
MSR810-W-LM-GL           No
MSR830-6EI-GL            No
MSR830-10EI-GL           No
MSR830-6HI-GL            No
MSR830-10HI-GL           No
MSR2600-6-X1-GL          Yes
MSR3600-28-SI-GL         Yes


The redirected SSH connection is idle when no data is received from the SSH client. This command sets the maximum length of time that the redirected connection can be idle before it is terminated.

Examples

# Set the idle-timeout timer to 200 seconds for the redirected SSH connection.

<Sysname> system-view

[Sysname] line tty 1

[Sysname-line-tty1] ssh redirect timeout 200

Related commands

ssh redirect enable

ssh server acl

Use ssh server acl to specify an ACL to control IPv4 SSH connections.

Use undo ssh server acl to restore the default.

Syntax

ssh server acl { basic-acl-number | advanced-acl-number | mac mac-acl-number }

undo ssh server acl

Default

No ACLs are specified and all IPv4 SSH clients can initiate SSH connections to the server.

Views

System view

Predefined user roles

network-admin

Parameters

basic-acl-number: Specifies an IPv4 basic ACL number in the range of 2000 to 2999.

advanced-acl-number: Specifies an IPv4 advanced ACL number in the range of 3000 to 3999.

mac mac-acl-number: Specifies a Layer 2 ACL by its number in the range of 4000 to 4999.

Usage guidelines

The specified ACL filters IPv4 SSH clients' connection requests. Only the IPv4 SSH clients that the ACL permits can initiate SSH connections to the server.

All IPv4 SSH clients can initiate SSH connections to the device when any one of the following conditions exists:

·     You do not specify an ACL.

·     The specified ACL does not exist.

·     The specified ACL does not have rules.

This command takes effect only on SSH connections that are initiated after the configuration of this command.

This command does not take effect on NETCONF-over-SSH connections initiated by IPv4 SSH clients. To control IPv4 clients to establish NETCONF-over-SSH connections to the server, use the netconf ssh acl command. For more information about the netconf ssh acl command, see NETCONF commands in Network Management and Monitoring Command Reference.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure ACL 2001 and permit only the users at 1.1.1.1 to initiate SSH connections to the server.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] ssh server acl 2001

Related commands

display ssh server

ssh server acl-deny-log enable

Use ssh server acl-deny-log enable to enable logging for SSH login attempts that are denied by the SSH login control ACL.

Use undo ssh server acl-deny-log enable to disable logging for SSH login attempts that are denied by the SSH login control ACL.

Syntax

ssh server acl-deny-log enable

undo ssh server acl-deny-log enable

Default

Logging is disabled for SSH login attempts that are denied by the SSH login control ACL.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Only SSH clients permitted by the SSH login control ACL can access the SSH server. The logging feature generates log messages for SSH login attempts that are denied by the SSH login control ACL, and sends the messages to the information center.

For information about log message output, see the information center in Network Management and Monitoring Configuration Guide. For information about configuring an SSH login control ACL, see the ssh server acl or ssh server ipv6 acl command.

Examples

# Enable logging for SSH login attempts that are denied by the SSH login control ACL.

<Sysname> system-view

[Sysname] ssh server acl-deny-log enable

Related commands

ssh server acl

ssh server ipv6 acl

ssh server authentication-retries

Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users.

Use undo ssh server authentication-retries to restore the default.

Syntax

ssh server authentication-retries retries

undo ssh server authentication-retries

Default

The maximum number of authentication attempts is 3 for SSH users.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5.

Usage guidelines

Setting a maximum number of authentication attempts helps defend against brute-force guessing of usernames and passwords.

If the total number of authentication attempts exceeds the upper limit specified in this command, further authentication is not allowed.

·     For the any authentication method, an authentication attempt is one publickey authentication process or one password authentication process.

·     For password-publickey authentication, an authentication attempt contains both a publickey authentication process and a password authentication process. The server first uses publickey authentication, and then uses password authentication to authenticate the SSH user.

This configuration does not affect logged-in users. It affects only users that attempt to log in after the configuration.

Examples

# Set the maximum number of authentication attempts to 4 for SSH users.

<Sysname> system-view

[Sysname] ssh server authentication-retries 4

Related commands

display ssh server

ssh server authentication-timeout

Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server.

Use undo ssh server authentication-timeout to restore the default.

Syntax

ssh server authentication-timeout time-out-value

undo ssh server authentication-timeout

Default

The SSH user authentication timeout timer is 60 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-out-value: Specifies an authentication timeout timer in the range of 1 to 120 seconds.

Usage guidelines

If a user does not finish the authentication when the timeout timer expires, the connection cannot be established.

To prevent unauthenticated clients from holding TCP connections open for long periods, set the authentication timeout timer to a small value.

Examples

# Set the authentication timeout timer to 10 seconds for SSH users.

<Sysname> system-view

[Sysname] ssh server authentication-timeout 10

Related commands

display ssh server

ssh server compatible-ssh1x enable

Use ssh server compatible-ssh1x enable to enable the SSH server to support SSH1 clients.

Use undo ssh server compatible-ssh1x [ enable ] to restore the default.

Syntax

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x [ enable ]

Default

The SSH server does not support SSH1 clients.

Views

System view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command is not available in FIPS mode.

This configuration does not affect logged-in users. It affects only users that attempt to log in after the configuration.

Examples

# Enable the SSH server to support SSH1 clients.

<Sysname> system-view

[Sysname] ssh server compatible-ssh1x enable

Related commands

display ssh server

ssh server dscp

Use ssh server dscp to set the DSCP value in the IPv4 SSH packets that the SSH server sends to SSH clients.

Use undo ssh server dscp to restore the default.

Syntax

ssh server dscp dscp-value

undo ssh server dscp

Default

The DSCP value is 48 in IPv4 SSH packets.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the IPv4 SSH packets, in the range of 0 to 63. A larger DSCP value represents a higher priority.

Usage guidelines

The DSCP value of a packet specifies the priority of the packet and affects the transmission priority of the packet.

Examples

# Set the DSCP value to 30 for IPv4 SSH packets.

<Sysname> system-view

[Sysname] ssh server dscp 30

ssh server enable

Use ssh server enable to enable the Stelnet server.

Use undo ssh server enable to disable the Stelnet server.

Syntax

ssh server enable

undo ssh server enable

Default

The Stelnet server is disabled.

Views

System view

Predefined user roles

network-admin

Examples

# Enable the Stelnet server.

<Sysname> system-view

[Sysname] ssh server enable

Related commands

display ssh server

ssh server ipv6 acl

Use ssh server ipv6 acl to specify an ACL to control IPv6 SSH connections to the server.

Use undo ssh server ipv6 acl to restore the default.

Syntax

ssh server ipv6 acl { ipv6 basic-acl-number | ipv6 advanced-acl-number | mac mac-acl-number }

undo ssh server ipv6 acl

Default

No ACLs are specified and all IPv6 SSH clients can initiate SSH connections to the server.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6 basic-acl-number: Specifies an IPv6 basic ACL number in the range of 2000 to 2999.

ipv6 advanced-acl-number: Specifies an IPv6 advanced ACL number in the range of 3000 to 3999.

mac mac-acl-number: Specifies a Layer 2 ACL by its number in the range of 4000 to 4999.

Usage guidelines

The specified ACL filters IPv6 SSH clients' connection requests. Only the IPv6 SSH clients that the ACL permits can initiate SSH connections to the device.

All IPv6 SSH clients can initiate SSH connections to the device when any one of the following conditions exists:

·     You do not specify an ACL.

·     The specified ACL does not exist.

·     The specified ACL does not have rules.

This command takes effect only on SSH connections that are initiated after the configuration of this command.

This command does not take effect on NETCONF-over-SSH connections initiated by IPv6 SSH clients.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure ACL 2001 and permit only the users on the subnet 1::1/64 to initiate SSH connections to the server.

<Sysname> system-view

[Sysname] acl ipv6 basic 2001

[Sysname-acl6-ipv6-basic-2001] rule permit source 1::1 64

[Sysname-acl6-ipv6-basic-2001] quit

[Sysname] ssh server ipv6 acl ipv6 2001

Related commands

display ssh server

ssh server ipv6 dscp

Use ssh server ipv6 dscp to set the DSCP value in the IPv6 SSH packets that the SSH server sends to SSH clients.

Use undo ssh server ipv6 dscp to restore the default.

Syntax

ssh server ipv6 dscp dscp-value

undo ssh server ipv6 dscp

Default

The DSCP value is 48 in IPv6 SSH packets.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the IPv6 SSH packets, in the range of 0 to 63. A larger DSCP value represents a higher priority.

Usage guidelines

The DSCP value of an IPv6 packet specifies the priority of the packet and affects the transmission priority of the packet.

Examples

# Set the DSCP value to 30 for IPv6 SSH packets.

<Sysname> system-view

[Sysname] ssh server ipv6 dscp 30

ssh server pki-domain

Use ssh server pki-domain to specify a PKI domain for an SSH server.

Use undo ssh server pki-domain to restore the default.

Syntax

ssh server pki-domain domain-name

undo ssh server pki-domain

Default

No PKI domain is specified for an SSH server.

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of the PKI domain used to verify the SSH server. The PKI domain name is a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').

Examples

# Specify PKI domain serverpkidomain for the SSH server.

<Sysname> system-view

[Sysname] ssh server pki-domain serverpkidomain

ssh server port

Use ssh server port to specify the SSH service port.

Use undo ssh server port to restore the default.

Syntax

ssh server port port-number

undo ssh server port

Default

The SSH service port is 22.

Views

System view

Predefined user roles

network-admin

Parameters

port-number: Specifies a port number in the range of 1 to 65535.

Usage guidelines

If you modify the SSH port number when the SSH service is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server.

When the device acts as an SSH redirect server, modifying the SSH service port on the device affects existing SSH redirect connections as follows:

·     If an SSH user accesses the destination device by specifying the SSH redirect listening port, modifying the SSH service port does not affect the existing SSH redirect connection.

·     If an SSH user accesses the destination device by specifying the absolute number of the user line, modifying the SSH service port terminates the SSH redirect connection. The SSH user must reconnect to the SSH redirect server to access the destination device.

If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024.

Examples

# Set the SSH service port to 1025.

<Sysname> system-view

[Sysname] ssh server port 1025

ssh server rekey-interval

Use ssh server rekey-interval to set the minimum interval for updating the RSA server key pair.

Use undo ssh server rekey-interval to restore the default.

Syntax

ssh server rekey-interval interval

undo ssh server rekey-interval

Default

The minimum interval for updating the RSA server key pair is 0 hours. The system does not update the RSA server key pair.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the minimum interval for updating the RSA server key pair, in the range of 1 to 24 hours.

Usage guidelines

Periodically updating the RSA server key pair limits how long any one key pair is exposed to attack and enhances the security of the SSH connections.

This command takes effect only on SSH1 clients.

The system starts to count down the configured minimum update interval after the first SSH1 user logs in to the server. If a new SSH1 user logs in to the server after the interval, the system performs the following operations:

1.     Updates the RSA server key pair.

2.     Uses the updated RSA server key pair for key pair negotiation with the new user.

3.     Resets the interval and starts to count down the interval again.

This command is not available in FIPS mode.

Examples

# Set the minimum interval to 3 hours for updating the RSA server key pair.

<Sysname> system-view

[Sysname] ssh server rekey-interval 3

Related commands

display ssh server

ssh user

Use ssh user to create an SSH user and specify the service type and authentication method.

Use undo ssh user to delete an SSH user.

Syntax

In non-FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname } ] }

undo ssh user username

In FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey [ assign { pki-domain domain-name | publickey keyname } ] }

undo ssh user username

Default

No SSH users exist.

Views

System view

Predefined user roles

network-admin

Parameters

username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. The username cannot be a, al, or all. In addition, the username cannot include vertical bars (|), colons (:), asterisks (*), question marks (?), or angle brackets (< >). The at sign (@), slash (/), and backslash (\) can only be used to append ISP domain names to usernames in the pureusername@domain, pureusername/domain, and domain\pureusername format. Do not include hyphens (-) in the username of an SCP user. Otherwise, SCP logins using that username will fail.

service-type: Specifies a service type for the SSH user.

·     all: Specifies service types Stelnet, SFTP, SCP, and NETCONF.

·     scp: Specifies the service type SCP.

·     sftp: Specifies the service type SFTP.

·     stelnet: Specifies the service type Stelnet.

·     netconf: Specifies the service type NETCONF.

authentication-type: Specifies an authentication method for the SSH user.

·     password: Specifies password authentication. This method is simple and fast, but it offers weaker protection than publickey authentication. It can work with AAA to implement user authentication, authorization, and accounting.

·     any: Specifies either password authentication or publickey authentication.

·     password-publickey: Specifies both password authentication and publickey authentication for SSH2 clients. In SSH2, the password-publickey authentication method provides higher security. If the client runs SSH1, this keyword specifies either password authentication or publickey authentication.

·     publickey: Specifies publickey authentication. This method involves more complex and slower cryptographic operations, but it provides strong authentication that resists brute-force attacks. It is also easy to use: once configured, the authentication process completes automatically without the user entering a password.

assign: Specifies parameters used for client verification.

·     pki-domain domain-name: Specifies the PKI domain that verifies the client's digital certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). The server uses the CA certificate that is saved in the PKI domain to verify the client's digital certificate. In this scenario, the server does not need to save clients' public keys in advance.

·     publickey keyname: Specifies the public key of the SSH client. The keyname argument represents the SSH client's public key configured on the server. It is a case-insensitive string of 1 to 64 characters. The server uses the client's public key to check the validity of the client. If the public key file of the client is changed, you must update the client's public key on the server promptly.

Usage guidelines

Use this command to configure an SSH user depending on the authentication method.

·     If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.

·     If the authentication method is password, you must perform one of the following tasks:

¡     For local authentication, configure a local user on the SSH server.

¡     For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.

For password authentication, you do not need to create the SSH user by using the ssh user command. However, if you want to display all SSH users, including password-only SSH users, for centralized management, you can use this command to create them. If you create such an SSH user, make sure you specify the correct service type and authentication method.

·     If the authentication method is password-publickey or any, you must create an SSH user on the SSH server and perform one of the following tasks:

¡     For local authentication, configure a local user on the SSH server.

¡     For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.

In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user.

If you use this command to specify a host public key or a PKI domain for a user multiple times, the most recent configuration takes effect. If neither a host public key nor a PKI domain is specified for the user, the server performs certificate authentication for the user at login. The server uses the PKI domain of its own certificate to verify the client's certificate.

This configuration does not affect logged-in users. It affects only users that attempt to log in after the configuration.

For an SFTP or SCP user, the working directory depends on the authentication method.

·     If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.

·     If the authentication method is password, the working directory is authorized by AAA.

For an SSH user, the user role also depends on the authentication method.

·     If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.

·     If the authentication method is password, the user role is authorized by AAA.

Examples

# Create an SSH user named user1. Specify the service type as sftp and the authentication method as password-publickey for the user. Assign the host public key key1 to the user.

<Sysname> system-view

[Sysname] ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1

# Create a local device management user named user1. Specify the password as 123456TESTplat&! in plain text and the service type as ssh for the user. Assign the working directory flash: and the user role network-admin to the user.

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456TESTplat&!

[Sysname-luser-manage-user1] service-type ssh

[Sysname-luser-manage-user1] authorization-attribute work-directory flash: user-role network-admin

Related commands

authorization-attribute

display ssh user-information

local-user

pki domain
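The server-side controls described above (the login control ACL and its deny logging, the authentication retry and timeout limits, SSH1 compatibility, and the authentication method of each SSH user) can be checked together against a saved configuration. The following Python script is an added example, not a tool from H3C or from this command reference. It assumes the configuration text is in the indented layout produced by display current-configuration, with "#" lines separating blocks, and both configurations it audits are constructed for illustration; the findings it reports are the conditions this reference describes: an absent, nonexistent or empty ACL admits every client, the defaults are 3 attempts and 60 seconds, and password-only users are the weakest case.

```python
"""Audit SSH server settings in an H3C Comware running configuration.
Added example, not H3C code; assumes the indented text layout of
'display current-configuration', with '#' separating blocks."""
import re

# Constructed sample with weak settings: ACL 2001 has no rules, SSH1 compatibility is on,
# retries/timeout are at their maximums, deny logging and an IPv6 ACL are missing.
WEAK_CONFIG = """\
#
acl basic 2001
#
 ssh server enable
 ssh server compatible-ssh1x enable
 ssh server acl 2001
 ssh server authentication-retries 5
 ssh server authentication-timeout 120
 ssh user ops service-type all authentication-type password
#
"""

# Constructed hardened counterpart (addresses are from documentation ranges).
HARDENED_CONFIG = """\
#
acl basic 2001
 rule 0 permit source 192.0.2.10 0
#
acl ipv6 basic 2001
 rule 0 permit source 2001:db8::/64
#
 ssh server enable
 ssh server acl 2001
 ssh server ipv6 acl ipv6 2001
 ssh server acl-deny-log enable
 ssh server authentication-retries 3
 ssh server authentication-timeout 30
 ssh user admin service-type stelnet authentication-type publickey assign publickey key1
#
"""

ACL_HEADER = re.compile(r"^acl (ipv6 )?(basic|advanced|mac) (\d+)\b")
ACL_V4_REF = re.compile(r"^ssh server acl (mac )?(\d+)$")
ACL_V6_REF = re.compile(r"^ssh server ipv6 acl (ipv6 |mac )(\d+)$")
RETRIES = re.compile(r"^ssh server authentication-retries (\d+)$")
TIMEOUT = re.compile(r"^ssh server authentication-timeout (\d+)$")
PASSWORD_USER = re.compile(r"^ssh user (\S+) .*authentication-type password$")

def parse_acls(config):
    """Return {(family, number): [rule lines]} for every ACL block in config."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_HEADER.match(line)
        if m:
            family = "mac" if m.group(2) == "mac" else ("ipv6" if m.group(1) else "ipv4")
            current = (family, m.group(3))
            acls[current] = []
        elif line == "#":
            current = None  # '#' closes a configuration block
        elif current is not None and line.startswith("rule "):
            acls[current].append(line)
    return acls

def check_login_acl(label, ref, acls, findings):
    """An absent, nonexistent or empty login control ACL admits every client."""
    if ref is None:
        findings.append(f"no {label} login control ACL: all {label} clients may connect")
        return
    family = "mac" if (ref.group(1) or "").strip() == "mac" else label.lower()
    key = (family, ref.group(2))
    if key not in acls:
        findings.append(f"{label} login control ACL {key[1]} does not exist: all {label} clients may connect")
    elif not acls[key]:
        findings.append(f"{label} login control ACL {key[1]} has no rules: all {label} clients may connect")

def audit_ssh_server(config):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings, acls = [], parse_acls(config)
    ssh_lines = [l.strip() for l in config.splitlines() if l.strip().startswith("ssh ")]

    def last_match(pattern):  # the most recent configuration takes effect
        hits = [m for m in map(pattern.match, ssh_lines) if m]
        return hits[-1] if hits else None

    if "ssh server compatible-ssh1x enable" in ssh_lines:
        findings.append("SSH1 client compatibility is enabled")
    check_login_acl("IPv4", last_match(ACL_V4_REF), acls, findings)
    check_login_acl("IPv6", last_match(ACL_V6_REF), acls, findings)
    if "ssh server acl-deny-log enable" not in ssh_lines:
        findings.append("logging of ACL-denied SSH logins is not enabled")
    # Reference defaults are 3 attempts and 60 seconds; larger values are reported.
    for pat, default, name in ((RETRIES, 3, "authentication-retries"), (TIMEOUT, 60, "authentication-timeout")):
        m = last_match(pat)
        value = int(m.group(1)) if m else default
        if value > default:
            findings.append(f"{name} is {value} (default {default})")
    for m in filter(None, map(PASSWORD_USER.match, ssh_lines)):
        findings.append(f"SSH user {m.group(1)} uses password-only authentication")
    return findings
```

Running audit_ssh_server(WEAK_CONFIG) returns seven findings, one per weak setting in the sample, while the hardened configuration returns an empty list. The ACL lookup keys on address family as well as number because, as the ipv6 acl example above shows, IPv4 and IPv6 ACLs use separate numbering spaces and the same number can refer to two different ACLs.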

SSH client commands

bye

Use bye to terminate the connection with the SFTP server and return to user view.

Syntax

bye

Views

SFTP client view

Predefined user roles

network-admin

Usage guidelines

This command has the same function as the exit and quit commands.

Examples

# Terminate the connection with the SFTP server.

sftp> bye

<Sysname>

cd

Use cd to change the working directory on the SFTP server.

Syntax

cd [ remote-path ]

Views

SFTP client view

Predefined user roles

network-admin

Parameters

remote-path: Specifies the name of a directory on the server.

Usage guidelines

You can use the cd .. command to return to the upper-level directory.

You can use the cd / command to return to the root directory of the system.

Examples

# Change the working directory to new1.

sftp> cd new1

Current Directory is:/new1

sftp> pwd

Remote working directory: /new1

sftp>

cdup

Use cdup to return to the upper-level directory.

Syntax

cdup

Views

SFTP client view

Predefined user roles

network-admin

Examples

# Return to the upper-level directory from the current working directory /test1.

sftp> cd test1

Current Directory is:/test1

sftp> pwd

Remote working directory: /test1

sftp> cdup

Current Directory is:/

sftp> pwd

Remote working directory: /

sftp>

delete

Use delete to delete a file from the SFTP server.

Syntax

delete remote-file

Views

SFTP client view

Predefined user roles

network-admin

Parameters

remote-file: Specifies a file by its name.

Usage guidelines

This command has the same function as the remove command.

Examples

# Delete the file temp.c from the SFTP server.

sftp> delete temp.c

Removing /temp.c

dir

Use dir to display information about the files and subdirectories under a directory.

Syntax

dir [ -a | -l ] [ remote-path ]

Views

SFTP client view

Predefined user roles

network-admin

Parameters

-a: Displays detailed information about files and subdirectories under a directory in a list, including the files and subdirectories with names starting with dots (.).

-l: Displays detailed information about the files and subdirectories under a directory in a list, excluding the files and subdirectories with names starting with dots (.).

remote-path: Specifies the name of the directory to be queried. If you do not specify this argument, the command displays information about the files and subdirectories under the current working directory.

Usage guidelines

If you specify neither the -a nor the -l keyword, this command displays only the names of the files and subdirectories under the directory.

This command has the same function as the ls command.

Examples

# Display detailed information about the files and subdirectories under the current directory, including the files and subdirectories with names starting with dots (.).

sftp> dir -a

drwxrwxrwx    2 1        1               512 Dec 18 14:12 .

drwxrwxrwx    2 1        1               512 Dec 18 14:12 ..

-rwxrwxrwx    1 1        1               301 Dec 18 14:11 010.pub

-rwxrwxrwx    1 1        1               301 Dec 18 14:12 011.pub

-rwxrwxrwx    1 1        1               301 Dec 18 14:12 012.pub

# Display detailed information about the files and subdirectories under the current directory, excluding the files and subdirectories with names starting with dots (.).

sftp> dir -l

-rwxrwxrwx    1 1        1               301 Dec 18 14:11 010.pub

-rwxrwxrwx    1 1        1               301 Dec 18 14:12 011.pub

-rwxrwxrwx    1 1        1               301 Dec 18 14:12 012.pub

NOTE:

The output format varies by SSH server device model.

display sftp client source

Use display sftp client source to display the source IP address configured for the SFTP client.

Syntax

display sftp client source

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the source IP address configured for the SFTP client.

<Sysname> display sftp client source

The source IP address of the SFTP client is 192.168.0.1

The source IPv6 address of the SFTP client is 2:2::2:2.

Related commands

sftp client ipv6 source

sftp client source

display ssh client source

Use display ssh client source to display the source IP address configured for the Stelnet client.

Syntax

display ssh client source

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the source IP address configured for the Stelnet client.

<Sysname> display ssh client source

The source IP address of the SSH client is 192.168.0.1

The source IPv6 address of the SSH client is 2:2::2:2.

Related commands

ssh client ipv6 source

ssh client source

exit

Use exit to terminate the SFTP connection and return to user view.

Syntax

exit

Views

SFTP client view

Predefined user roles

network-admin

Usage guidelines

This command has the same function as the bye and quit commands.

Examples

# Terminate the SFTP connection.

sftp> exit

<Sysname>

get

Use get to download a file from the SFTP server and save it locally.

Syntax

get remote-file [ local-file ]

Views

SFTP client view

Predefined user roles

network-admin

Parameters

remote-file: Specifies the name of a file on the SFTP server.

local-file: Specifies the name for the local file. If you do not specify this argument, the file will be saved locally with the same name as the file on the SFTP server.

Examples

# Download the file temp1.c and save it as temp.c locally.

sftp> get temp1.c temp.c

Fetching /temp1.c to temp.c

/temp.c                                                 100% 1424     1.4KB/s   00:00

help

Use help to display help information on the SFTP client.

Syntax

help

Views

SFTP client view

Predefined user roles

network-admin

Usage guidelines

This command has the same function as entering the question mark (?).

Examples

# Display help information on the SFTP client.

sftp> help

Available commands:

  bye                          Quit sftp

  cd [path]                    Change remote directory to 'path'

  cdup                         Change remote directory to the parent directory

  delete path                  Delete remote file

  dir [-a|-l][path]            Display remote directory listing

       -a                        List all filenames

       -l                        List filename including the specific

                                 information of the file

  exit                         Quit sftp

  get remote-path [local-path] Download file

  help                         Display this help text

  ls [-a|-l][path]             Display remote directory

       -a                         List all filenames

       -l                         List filename including the specific

                                  information of the file

  mkdir path                   Create remote directory

  put local-path [remote-path] Upload file

  pwd                          Display remote working directory

  quit                         Quit sftp

  rename oldpath newpath       Rename remote file

  remove path                  Delete remote file

  rmdir path                   Delete remote empty directory

  ?                            Synonym for help

ls

Use ls to display information about the files and subdirectories under a directory.

Syntax

ls [ -a | -l ] [ remote-path ]

Views

SFTP client view

Predefined user roles

network-admin

Parameters

-a: Displays detailed information about files and subdirectories under a directory in a list, including the files and subdirectories with names starting with dots (.).

-l: Displays detailed information about the files and subdirectories under a directory in a list, excluding the files and subdirectories with names starting with dots (.).

remote-path: Specifies the name of the directory to be queried. If you do not specify this argument, the command displays information about the files and subdirectories under the current working directory.

Usage guidelines

If you specify neither the -a nor the -l keyword, this command displays only the names of the files and subdirectories under the directory.

This command has the same function as the dir command.

Examples

# Display detailed information about the files and subdirectories under the current directory, including the files and subdirectories with names starting with dots (.).

sftp> ls -a

drwxrwxrwx    2 1        1               512 Dec 18 14:12 .

drwxrwxrwx    2 1        1               512 Dec 18 14:12 ..

-rwxrwxrwx    1 1        1               301 Dec 18 14:11 010.pub

-rwxrwxrwx    1 1        1               301 Dec 18 14:12 011.pub

-rwxrwxrwx    1 1        1               301 Dec 18 14:12 012.pub

# Display detailed information about the files and subdirectories under the current working directory, excluding the files and subdirectories with names starting with dots (.).

sftp> ls -l

-rwxrwxrwx    1 1        1               301 Dec 18 14:11 010.pub

-rwxrwxrwx    1 1        1               301 Dec 18 14:12 011.pub

-rwxrwxrwx    1 1        1               301 Dec 18 14:12 012.pub

NOTE:

The output format varies by SSH server device model.

mkdir

Use mkdir to create a directory on the SFTP server.

Syntax

mkdir remote-path

Views

SFTP client view

Predefined user roles

network-admin

Parameters

remote-path: Specifies the name of a directory.

Examples

# Create a directory named test on the SFTP server.

sftp> mkdir test

put

Use put to upload a local file to the SFTP server.

Syntax

put local-file [ remote-file ]

Views

SFTP client view

Predefined user roles

network-admin

Parameters

local-file: Specifies the name of a local file.

remote-file: Specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file.

Examples

# Upload the local file startup.bak to the SFTP server and save it as startup01.bak.

sftp> put startup.bak startup01.bak

Uploading startup.bak to /startup01.bak

startup01.bak                                   100% 1424     1.4KB/s   00:00

pwd

Use pwd to display the current working directory of the SFTP server.

Syntax

pwd

Views

SFTP client view

Predefined user roles

network-admin

Examples

# Display the current working directory of the SFTP server.

sftp> pwd

Remote working directory: /

The output shows that the current working directory is the root directory.

quit

Use quit to terminate the SFTP connection and return to user view.

Syntax

quit

Views

SFTP client view

Predefined user roles

network-admin

Usage guidelines

This command has the same function as the bye and exit commands.

Examples

# Terminate the SFTP connection.

sftp> quit

<Sysname>

remove

Use remove to delete a file from the SFTP server.

Syntax

remove remote-file

Views

SFTP client view

Predefined user roles

network-admin

Parameters

remote-file: Specifies a file by its name.

Usage guidelines

This command has the same function as the delete command.

Examples

# Delete the file temp.c from the SFTP server.

sftp> remove temp.c

Removing /temp.c

rename

Use rename to change the name of a file or directory on the SFTP server.

Syntax

rename old-name new-name

Views

SFTP client view

Predefined user roles

network-admin

Parameters

old-name: Specifies the name of an existing file or directory.

new-name: Specifies a new name for the existing file or directory.

Examples

# Change the name of a file on the SFTP server from temp1.c to temp2.c.

sftp> dir

aa.pub  temp1.c

sftp> rename temp1.c temp2.c

sftp> dir

aa.pub  temp2.c

rmdir

Use rmdir to delete a directory from the SFTP server.

Syntax

rmdir remote-path

Views

SFTP client view

Predefined user roles

network-admin

Parameters

remote-path: Specifies a directory.

Examples

# Delete the subdirectory temp1 under the current directory on the SFTP server.

sftp> rmdir temp1

scp

Use scp to establish a connection to an IPv4 SCP server and transfer files with the server.

Syntax

In non-FIPS mode:

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

get: Downloads the file.

put: Uploads the file.

source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters.

destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.

identity-key: Specifies a public key algorithm for publickey authentication of the client. The default is DSA in non-FIPS mode and is RSA in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm.

·     dsa: Specifies public key algorithm DSA.

·     ecdsa-sha2-nistp256: Specifies the ECDSA algorithm with 256-bit key strength.

·     ecdsa-sha2-nistp384: Specifies the ECDSA algorithm with 384-bit key strength.

·     rsa: Specifies public key algorithm RSA.

·     x509v3-ecdsa-sha2-nistp256: Specifies public key algorithm x509v3-ecdsa-sha2-nistp256.

·     x509v3-ecdsa-sha2-nistp384: Specifies public key algorithm x509v3-ecdsa-sha2-nistp384.

·     pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is AES128-CTR. Supported algorithms are DES-CBC, 3DES-CBC, AES128-CBC, AES128-CTR, AES128-GCM, AES192-CTR, AES256-CBC, AES256-CTR, and AES256-GCM, in ascending order of security strength and computation time.

·     3des-cbc: Specifies encryption algorithm 3DES-CBC.

·     aes128-cbc: Specifies encryption algorithm AES128-CBC.

·     aes128-ctr: Specifies encryption algorithm AES128-CTR.

·     aes128-gcm: Specifies encryption algorithm AES128-GCM.

·     aes192-ctr: Specifies encryption algorithm AES192-CTR.

·     aes256-cbc: Specifies encryption algorithm AES256-CBC.

·     aes256-ctr: Specifies encryption algorithm AES256-CTR.

·     aes256-gcm: Specifies encryption algorithm AES256-GCM.

·     des-cbc: Specifies encryption algorithm DES-CBC.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is SHA2-256. Supported algorithms are MD5, MD5-96, SHA1, SHA1-96, SHA2-256, SHA2-512, in ascending order of security strength and computation time.

·     md5: Specifies HMAC algorithm HMAC-MD5.

·     md5-96: Specifies HMAC algorithm HMAC-MD5-96.

·     sha1: Specifies HMAC algorithm HMAC-SHA1.

·     sha1-96: Specifies HMAC algorithm HMAC-SHA1-96.

·     sha2-256: Specifies HMAC algorithm HMAC-SHA2-256.

·     sha2-512: Specifies HMAC algorithm HMAC-SHA2-512.

prefer-kex: Specifies the preferred key exchange algorithm. The default is ecdh-sha2-nistp256. Supported algorithms are diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, and ecdh-sha2-nistp384, in ascending order of security strength and computation time.

·     dh-group-exchange-sha1: Specifies key exchange algorithm diffie-hellman-group-exchange-sha1.

·     dh-group1-sha1: Specifies key exchange algorithm diffie-hellman-group1-sha1.

·     dh-group14-sha1: Specifies key exchange algorithm diffie-hellman-group14-sha1.

·     ecdh-sha2-nistp256: Specifies key exchange algorithm ecdh-sha2-nistp256.

·     ecdh-sha2-nistp384: Specifies key exchange algorithm ecdh-sha2-nistp384.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is AES128-CTR. Supported algorithms are the same as the client-to-server encryption algorithms (see the prefer-ctos-cipher keyword).

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is SHA2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword).

public-key keyname: Specifies the host public key of the server that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

source: Specifies a source IPv4 address or source interface for SCP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source IPv4 address of SCP packets. As a best practice to ensure successful IPv4 SCP connections, specify a loopback interface as the source interface or specify the IPv4 address of a loopback or dialer interface as the source address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv4 address of this interface is the source IPv4 address of the SCP packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication.

Examples

# Connect the SCP client to the SCP server 200.1.1.1. Specify the public key of the server as svkey, and download the file abc.txt from the server. The SCP client uses publickey authentication. Use the following algorithms:

·     Preferred key exchange algorithm: dh-group14-sha1.

·     Preferred server-to-client encryption algorithm: aes128-cbc.

·     Preferred client-to-server HMAC algorithm: sha1.

·     Preferred server-to-client HMAC algorithm: sha1-96.

·     Preferred compression algorithm: zlib.

<Sysname> scp 200.1.1.1 get abc.txt prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey

scp ipv6

Use scp ipv6 to establish a connection to an IPv6 SCP server and transfer files with the server.

Syntax

In non-FIPS mode:

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for SCP packets. This option is used only when the server uses a link-local address to provide the SCP service for the client. The specified output interface on the SCP client must have a link-local address.

get: Downloads the file.

put: Uploads the file.

source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters.

destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.

identity-key: Specifies a public key algorithm for publickey authentication of the client. The default is DSA in non-FIPS mode and is RSA in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm.

·     dsa: Specifies public key algorithm DSA.

·     ecdsa-sha2-nistp256: Specifies the ECDSA algorithm with 256-bit key strength.

·     ecdsa-sha2-nistp384: Specifies the ECDSA algorithm with 384-bit key strength.

·     rsa: Specifies public key algorithm RSA.

·     x509v3-ecdsa-sha2-nistp256: Specifies public key algorithm x509v3-ecdsa-sha2-nistp256.

·     x509v3-ecdsa-sha2-nistp384: Specifies public key algorithm x509v3-ecdsa-sha2-nistp384.

·     pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is AES128-CTR. Supported algorithms are DES-CBC, 3DES-CBC, AES128-CBC, AES128-CTR, AES128-GCM, AES192-CTR, AES256-CBC, AES256-CTR, and AES256-GCM, in ascending order of security strength and computation time.

·     3des-cbc: Specifies encryption algorithm 3DES-CBC.

·     aes128-cbc: Specifies encryption algorithm AES128-CBC.

·     aes128-ctr: Specifies encryption algorithm AES128-CTR.

·     aes128-gcm: Specifies encryption algorithm AES128-GCM.

·     aes192-ctr: Specifies encryption algorithm AES192-CTR.

·     aes256-cbc: Specifies encryption algorithm AES256-CBC.

·     aes256-ctr: Specifies encryption algorithm AES256-CTR.

·     aes256-gcm: Specifies encryption algorithm AES256-GCM.

·     des-cbc: Specifies encryption algorithm DES-CBC.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is SHA2-256. Supported algorithms are MD5, MD5-96, SHA1, SHA1-96, SHA2-256, SHA2-512, in ascending order of security strength and computation time.

·     md5: Specifies HMAC algorithm HMAC-MD5.

·     md5-96: Specifies HMAC algorithm HMAC-MD5-96.

·     sha1: Specifies HMAC algorithm HMAC-SHA1.

·     sha1-96: Specifies HMAC algorithm HMAC-SHA1-96.

·     sha2-256: Specifies HMAC algorithm HMAC-SHA2-256.

·     sha2-512: Specifies HMAC algorithm HMAC-SHA2-512.

prefer-kex: Specifies the preferred key exchange algorithm. The default is ecdh-sha2-nistp256. Supported algorithms are diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, and ecdh-sha2-nistp384, in ascending order of security strength and computation time.

·     dh-group-exchange-sha1: Specifies key exchange algorithm diffie-hellman-group-exchange-sha1.

·     dh-group1-sha1: Specifies key exchange algorithm diffie-hellman-group1-sha1.

·     dh-group14-sha1: Specifies key exchange algorithm diffie-hellman-group14-sha1.

·     ecdh-sha2-nistp256: Specifies key exchange algorithm ecdh-sha2-nistp256.

·     ecdh-sha2-nistp384: Specifies key exchange algorithm ecdh-sha2-nistp384.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is AES128-CTR. Supported algorithms are the same as the client-to-server encryption algorithms (see the prefer-ctos-cipher keyword).

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is SHA2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword).

public-key keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the device automatically selects a source IPv6 address for IPv6 SCP packets in compliance with RFC 3484. As a best practice to ensure successful IPv6 SCP connections, specify a loopback interface as the source interface or specify the IPv6 address of a loopback or dialer interface as the source address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication.

Examples

# Connect an SCP client to the SCP server 2000::1. Specify the public key of the server as svkey, and download the file abc.txt from the server. The SCP client uses publickey authentication. Use the following algorithms:

·     Preferred key exchange algorithm: dh-group14-sha1.

·     Preferred server-to-client encryption algorithm: aes128-cbc.

·     Preferred client-to-server HMAC algorithm: sha1.

·     Preferred server-to-client HMAC algorithm: sha1-96.

·     Preferred compression algorithm: zlib.

<Sysname> scp ipv6 2000::1 get abc.txt prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey

scp ipv6 suite-b

Use scp ipv6 suite-b to establish a connection to an IPv6 SCP server based on Suite B algorithms and transfer files with the server.

Syntax

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { get | put } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ]

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for SCP packets. Specify this option when the server uses a link-local address to provide the SCP service for the client. The specified output interface on the SCP client must have a link-local address.

get: Downloads the file.

put: Uploads the file.

source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters.

destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 106.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies compression algorithm zlib.

source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the device automatically selects a source address for IPv6 SCP packets in compliance with RFC 3484. As a best practice to ensure successful SCP connections, specify a loopback interface as the source interface or specify the IPv6 address of a loopback or dialer interface as the source address.

·     interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets.

·     ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

Table 106 Suite B algorithms

Security level | Key exchange algorithm                 | Encryption algorithm and HMAC algorithm | Public key algorithm
128-bit        | ecdh-sha2-nistp256                     | AES128-GCM                              | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
192-bit        | ecdh-sha2-nistp384                     | AES256-GCM                              | x509v3-ecdsa-sha2-nistp384
Both           | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AES128-GCM, AES256-GCM                  | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384

Examples

# Use the 192-bit Suite B algorithms to establish a connection to SCP server 2000::1 and download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> scp ipv6 2000::1 get abc.txt suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

Username:

scp suite-b

Use scp suite-b to establish a connection to an SCP server based on Suite B algorithms and transfer files with the server.

Syntax

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { get | put } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ]

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

get: Downloads the file.

put: Uploads the file.

source-file-name: Specifies the name of the source file, a case-sensitive string of 1 to 255 characters.

destination-file-name: Specifies the name of the target file, a case-sensitive string of 1 to 255 characters. If you do not specify this argument, the target file uses the same file name as the source file.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 107.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies compression algorithm zlib.

source: Specifies a source IP address or source interface for SCP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SCP packets. As a best practice to ensure successful SCP connections, specify a loopback interface as the source interface or specify the IPv4 address of a loopback or dialer interface as the source address.

·     interface interface-type interface-number: Specifies a source interface by its type and number. The IPv4 address of this interface is the source IPv4 address of the SCP packets.

·     ip ip-address: Specifies a source IPv4 address.

Usage guidelines

Table 107 Suite B algorithms

Security level | Key exchange algorithm                 | Encryption algorithm and HMAC algorithm | Public key algorithm
128-bit        | ecdh-sha2-nistp256                     | AES128-GCM                              | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
192-bit        | ecdh-sha2-nistp384                     | AES256-GCM                              | x509v3-ecdsa-sha2-nistp384
Both           | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AES128-GCM, AES256-GCM                  | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384

Examples

# Use the 128-bit Suite B algorithms to establish a connection to SCP server 200.1.1.1 and download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> scp 200.1.1.1 get abc.txt suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

Username:
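The following Python script is an added example, not H3C code: it parses an scp or scp ipv6 command line of the form documented above, audits each prefer-* choice against the non-FIPS and FIPS keyword sets and the ascending-strength ordering and defaults given in the Parameters sections, flags an x509v3 identity key used without pki-domain, and expands a suite-b security level into the algorithms of Table 106/Table 107. The function names, the dictionary layout and the sample command lines are this example's own.

```python
import shlex

# Keyword sets transcribed from this reference's scp syntax lines, each list in the
# ascending order of security strength the Parameters text states.
NON_FIPS = {
    "prefer-ctos-cipher": ["des-cbc", "3des-cbc", "aes128-cbc", "aes128-ctr", "aes128-gcm",
                           "aes192-ctr", "aes256-cbc", "aes256-ctr", "aes256-gcm"],
    "prefer-ctos-hmac": ["md5", "md5-96", "sha1", "sha1-96", "sha2-256", "sha2-512"],
    "prefer-kex": ["dh-group-exchange-sha1", "dh-group1-sha1", "dh-group14-sha1",
                   "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"],
}
FIPS = {
    "prefer-ctos-cipher": ["aes128-cbc", "aes128-ctr", "aes128-gcm", "aes192-ctr",
                           "aes256-cbc", "aes256-ctr", "aes256-gcm"],
    "prefer-ctos-hmac": ["sha1", "sha1-96", "sha2-256", "sha2-512"],
    "prefer-kex": ["dh-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"],
}
# Server-to-client options accept the same sets as their client-to-server twins.
SAME_SET_AS = {"prefer-stoc-cipher": "prefer-ctos-cipher",
               "prefer-stoc-hmac": "prefer-ctos-hmac"}
DEFAULTS = {"prefer-ctos-cipher": "aes128-ctr", "prefer-stoc-cipher": "aes128-ctr",
            "prefer-ctos-hmac": "sha2-256", "prefer-stoc-hmac": "sha2-256",
            "prefer-kex": "ecdh-sha2-nistp256"}
# Table 106/107: the algorithms each Suite B security level negotiates.
SUITE_B = {
    "128-bit": {"kex": ["ecdh-sha2-nistp256"], "cipher": ["AES128-GCM"],
                "pubkey": ["x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384"]},
    "192-bit": {"kex": ["ecdh-sha2-nistp384"], "cipher": ["AES256-GCM"],
                "pubkey": ["x509v3-ecdsa-sha2-nistp384"]},
}
# Keywords that take exactly one following value.
ONE_VALUE = {"prefer-ctos-cipher", "prefer-stoc-cipher", "prefer-ctos-hmac",
             "prefer-stoc-hmac", "prefer-kex", "prefer-compress", "public-key",
             "server-pki-domain", "pki-domain", "identity-key", "vpn-instance", "dscp"}


def suite_b_algorithms(level=None):
    """Expand 'suite-b [128-bit | 192-bit]'; no level means the table's 'Both' row."""
    if level in SUITE_B:
        return SUITE_B[level]
    return {k: SUITE_B["128-bit"][k] + [a for a in SUITE_B["192-bit"][k]
                                         if a not in SUITE_B["128-bit"][k]]
            for k in ("kex", "cipher", "pubkey")}


def parse_scp(cmdline):
    """Split 'scp [ipv6] server [port] ... {put|get} src [dst] [options]' into a dict."""
    toks = shlex.split(cmdline)
    if toks and toks[0] == "<Sysname>":      # tolerate a pasted CLI prompt
        toks = toks[1:]
    if not toks or toks[0] != "scp":
        raise ValueError("not an scp command")
    i = 2 if len(toks) > 1 and toks[1] == "ipv6" else 1
    opts = {}
    parsed = {"server": toks[i], "options": opts}
    i += 1
    while i < len(toks) and toks[i] not in ("put", "get"):  # skip port, vpn-instance, -i
        i += 1
    parsed["direction"], parsed["source_file"] = toks[i], toks[i + 1]
    i += 2
    if i < len(toks) and toks[i] not in ONE_VALUE | {"suite-b", "source"}:
        parsed["destination_file"] = toks[i]
        i += 1
    while i < len(toks):
        key = toks[i]
        if key == "suite-b":
            level = toks[i + 1] if i + 1 < len(toks) and toks[i + 1] in SUITE_B else None
            opts["suite-b"] = level
            i += 2 if level else 1
        elif key == "source":   # source { interface type number | ip addr | ipv6 addr }
            n = 3 if toks[i + 1] == "interface" else 2
            opts["source"] = " ".join(toks[i + 1:i + 1 + n])
            i += 1 + n
        elif key in ONE_VALUE and i + 1 < len(toks):
            opts[key] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {key!r}")
    return parsed


def audit(parsed, fips=False):
    """Report prefer-* choices the mode rejects or that rank below the default, and an
    x509v3 identity key used without the pki-domain the reference says it requires."""
    allowed, mode = (FIPS, "FIPS") if fips else (NON_FIPS, "non-FIPS")
    opts, findings = parsed["options"], []
    for key, value in opts.items():
        base = SAME_SET_AS.get(key, key)
        if base not in allowed:
            continue                         # not an algorithm choice
        order = allowed[base]
        if value not in order:
            findings.append(f"{key} {value}: not accepted in {mode} mode")
        elif order.index(value) < order.index(DEFAULTS[key]):
            findings.append(f"{key} {value}: weaker than the default {DEFAULTS[key]}")
    if opts.get("identity-key", "").startswith("x509v3") and "pki-domain" not in opts:
        findings.append("identity-key x509v3-*: pki-domain is required for the local certificate")
    return findings
```

Run against the reference's own IPv4 example, audit() reports that all four prefer-* choices rank below the documented defaults, while the Suite B example yields no findings.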

sftp

Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.

Syntax

In non-FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

identity-key: Specifies a public key algorithm for publickey authentication of the client. The default is DSA in non-FIPS mode and is RSA in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm.

·     dsa: Specifies public key algorithm DSA.

·     ecdsa-sha2-nistp256: Specifies the ECDSA algorithm with 256-bit key strength.

·     ecdsa-sha2-nistp384: Specifies the ECDSA algorithm with 384-bit key strength.

·     rsa: Specifies public key algorithm RSA.

·     x509v3-ecdsa-sha2-nistp256: Specifies public key algorithm x509v3-ecdsa-sha2-nistp256.

·     x509v3-ecdsa-sha2-nistp384: Specifies public key algorithm x509v3-ecdsa-sha2-nistp384.

·     pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is AES128-CTR. Supported algorithms are DES-CBC, 3DES-CBC, AES128-CBC, AES128-CTR, AES128-GCM, AES192-CTR, AES256-CBC, AES256-CTR, and AES256-GCM, in ascending order of security strength and computation time.

·     3des-cbc: Specifies encryption algorithm 3DES-CBC.

·     aes128-cbc: Specifies encryption algorithm AES128-CBC.

·     aes128-ctr: Specifies encryption algorithm AES128-CTR.

·     aes128-gcm: Specifies encryption algorithm AES128-GCM.

·     aes192-ctr: Specifies encryption algorithm AES192-CTR.

·     aes256-cbc: Specifies encryption algorithm AES256-CBC.

·     aes256-ctr: Specifies encryption algorithm AES256-CTR.

·     aes256-gcm: Specifies encryption algorithm AES256-GCM.

·     des-cbc: Specifies encryption algorithm DES-CBC.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is SHA2-256. Supported algorithms are MD5, MD5-96, SHA1, SHA1-96, SHA2-256, and SHA2-512, in ascending order of security strength and computation time.

·     md5: Specifies HMAC algorithm HMAC-MD5.

·     md5-96: Specifies HMAC algorithm HMAC-MD5-96.

·     sha1: Specifies HMAC algorithm HMAC-SHA1.

·     sha1-96: Specifies HMAC algorithm HMAC-SHA1-96.

·     sha2-256: Specifies HMAC algorithm HMAC-SHA2-256.

·     sha2-512: Specifies HMAC algorithm HMAC-SHA2-512.

prefer-kex: Specifies the preferred key exchange algorithm. The default is ecdh-sha2-nistp256. Supported algorithms are diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, and ecdh-sha2-nistp384, in ascending order of security strength and computation time.

·     dh-group-exchange-sha1: Specifies key exchange algorithm diffie-hellman-group-exchange-sha1.

·     dh-group1-sha1: Specifies key exchange algorithm diffie-hellman-group1-sha1.

·     dh-group14-sha1: Specifies key exchange algorithm diffie-hellman-group14-sha1.

·     ecdh-sha2-nistp256: Specifies key exchange algorithm ecdh-sha2-nistp256.

·     ecdh-sha2-nistp384: Specifies key exchange algorithm ecdh-sha2-nistp384.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is AES128-CTR. Supported algorithms are the same as the client-to-server encryption algorithms (see the prefer-ctos-cipher keyword).

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is SHA2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword).

dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

public-key keyname: Specifies the host public key of the server that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

source: Specifies a source IPv4 address or source interface for the SFTP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source IPv4 address of SFTP packets. As a best practice to ensure successful IPv4 SFTP connections, specify a loopback interface as the source interface or specify the IPv4 address of a loopback or dialer interface as the source address.

interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IPv4 address of the SFTP packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication.

Examples

# Connect an SFTP client to the IPv4 SFTP server 10.1.1.2 and specify the public key of the server as svkey. The SFTP client uses publickey authentication. Use the following algorithms:

·     Preferred key exchange algorithm: dh-group14-sha1.

·     Preferred server-to-client encryption algorithm: aes128-cbc.

·     Preferred client-to-server HMAC algorithm: sha1.

·     Preferred server-to-client HMAC algorithm: sha1-96.

·     Preferred compression algorithm: zlib.

<Sysname> sftp 10.1.1.2 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey

sftp client ipv6 source

Use sftp client ipv6 source to configure the source IPv6 address for SFTP packets.

Use undo sftp client ipv6 source to restore the default.

Syntax

sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

undo sftp client ipv6 source

Default

The source IPv6 address for SFTP packets is not configured. The SFTP client automatically selects an IPv6 address for SFTP packets in compliance with RFC 3484.

Views

System view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the longest-matching IPv6 address of the specified interface as their source address.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

This command takes effect on all IPv6 SFTP connections. The source IPv6 address specified in the sftp ipv6 command takes effect only on the current IPv6 SFTP connection.

If you specify the source IPv6 address both in this command and the sftp ipv6 command, the source IPv6 address specified in the sftp ipv6 command takes effect.

Examples

# Specify 2:2::2:2 as the source IPv6 address for SFTP packets.

<Sysname> system-view

[Sysname] sftp client ipv6 source ipv6 2:2::2:2

Related commands

display sftp client source

sftp client source

Use sftp client source to configure the source IPv4 address for SFTP packets.

Use undo sftp client source to restore the default.

Syntax

sftp client source { interface interface-type interface-number | ip ip-address }

undo sftp client source

Default

The source IPv4 address for SFTP packets is not configured. The SFTP client uses the primary IPv4 address of the output interface in the routing entry as the source IPv4 address of the SFTP packets.

Views

System view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number. The SFTP packets use the primary IPv4 address of the interface as their source address.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

This command takes effect on all SFTP connections. The source IPv4 address specified in the sftp command takes effect only on the current SFTP connection.

If you specify the source IPv4 address both in this command and the sftp command, the source IPv4 address specified in the sftp command takes effect.

Examples

# Specify 192.168.0.1 as the source IPv4 address for SFTP packets.

<Sysname> system-view

[Sysname] sftp client source ip 192.168.0.1

Related commands

display sftp client source

sftp ipv6

Use sftp ipv6 to connect an SFTP client to an IPv6 SFTP server and enter SFTP client view.

Syntax

In non-FIPS mode:

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SFTP packets. This option is used only when the server uses a link-local address to provide the SFTP service for the client. The specified output interface on the SFTP client must have a link-local address.

identity-key: Specifies a public key algorithm for publickey authentication of the client. The default is DSA in non-FIPS mode and is RSA in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm.

·     dsa: Specifies public key algorithm DSA.

·     ecdsa-sha2-nistp256: Specifies the ECDSA algorithm with 256-bit key strength.

·     ecdsa-sha2-nistp384: Specifies the ECDSA algorithm with 384-bit key strength.

·     rsa: Specifies public key algorithm RSA.

·     x509v3-ecdsa-sha2-nistp256: Specifies public key algorithm x509v3-ecdsa-sha2-nistp256.

·     x509v3-ecdsa-sha2-nistp384: Specifies public key algorithm x509v3-ecdsa-sha2-nistp384.

·     pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is AES128-CTR. Supported algorithms are DES-CBC, 3DES-CBC, AES128-CBC, AES128-CTR, AES128-GCM, AES192-CTR, AES256-CBC, AES256-CTR, and AES256-GCM, in ascending order of security strength and computation time.

·     3des-cbc: Specifies encryption algorithm 3DES-CBC.

·     aes128-cbc: Specifies encryption algorithm AES128-CBC.

·     aes128-ctr: Specifies encryption algorithm AES128-CTR.

·     aes128-gcm: Specifies encryption algorithm AES128-GCM.

·     aes192-ctr: Specifies encryption algorithm AES192-CTR.

·     aes256-cbc: Specifies encryption algorithm AES256-CBC.

·     aes256-ctr: Specifies encryption algorithm AES256-CTR.

·     aes256-gcm: Specifies encryption algorithm AES256-GCM.

·     des-cbc: Specifies encryption algorithm DES-CBC.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is SHA2-256. Supported algorithms are MD5, MD5-96, SHA1, SHA1-96, SHA2-256, and SHA2-512, in ascending order of security strength and computation time.

·     md5: Specifies HMAC algorithm HMAC-MD5.

·     md5-96: Specifies HMAC algorithm HMAC-MD5-96.

·     sha1: Specifies HMAC algorithm HMAC-SHA1.

·     sha1-96: Specifies HMAC algorithm HMAC-SHA1-96.

·     sha2-256: Specifies HMAC algorithm HMAC-SHA2-256.

·     sha2-512: Specifies HMAC algorithm HMAC-SHA2-512.

prefer-kex: Specifies the preferred key exchange algorithm. The default is ecdh-sha2-nistp256. Supported algorithms are diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, and ecdh-sha2-nistp384, in ascending order of security strength and computation time.

·     dh-group-exchange-sha1: Specifies key exchange algorithm diffie-hellman-group-exchange-sha1.

·     dh-group1-sha1: Specifies key exchange algorithm diffie-hellman-group1-sha1.

·     dh-group14-sha1: Specifies key exchange algorithm diffie-hellman-group14-sha1.

·     ecdh-sha2-nistp256: Specifies key exchange algorithm ecdh-sha2-nistp256.

·     ecdh-sha2-nistp384: Specifies key exchange algorithm ecdh-sha2-nistp384.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is AES128-CTR. Supported algorithms are the same as the client-to-server encryption algorithms (see the prefer-ctos-cipher keyword).

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is SHA2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword).

dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

public-key keyname: Specifies the host public key of the server that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

source: Specifies a source IPv6 address or source interface for IPv6 SFTP packets. By default, the device automatically selects a source IPv6 address for IPv6 SFTP packets in compliance with RFC 3484. As a best practice to ensure successful IPv6 SFTP connections, specify a loopback interface as the source interface or specify the IPv6 address of a loopback or dialer interface as the source address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address of the IPv6 SFTP packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication.

Examples

# Connect an SFTP client to the IPv6 SFTP server 2000::1 and specify the public key of the server as svkey. The SFTP client uses publickey authentication. Use the following algorithms:

·     Preferred key exchange algorithm: dh-group14-sha1.

·     Preferred server-to-client encryption algorithm: aes128-cbc.

·     Preferred client-to-server HMAC algorithm: sha1.

·     Preferred server-to-client HMAC algorithm: sha1-96.

·     Preferred compression algorithm: zlib.

<Sysname> sftp ipv6 2000::1 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey

Username:
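The non-FIPS and FIPS syntax blocks of sftp, sftp ipv6 and ssh2 differ only in the algorithms the FIPS form drops. The following added example (not H3C code) parses one of those client command lines and, using the algorithm lists, defaults and "ascending order of security strength" orderings from these sections, reports which choices fall outside the FIPS-mode syntax, rank lowest on the page, or are inconsistent (an x509v3 identity-key without pki-domain). The audit rules are this example's own, and the command lines it checks are constructed; the first is the page's own sftp example.

```python
"""Audit an H3C Comware client command line (sftp, sftp ipv6 or ssh2) against the
algorithm sets, defaults and FIPS-mode syntax documented on this page. Added example,
not H3C code: the lists are copied from the reference, the audit rules are mine."""
from dataclasses import dataclass, field

# Orderings as the page lists them, "in ascending order of security strength".
CIPHER_ORDER = ["des-cbc", "3des-cbc", "aes128-cbc", "aes128-ctr", "aes128-gcm",
                "aes192-ctr", "aes256-cbc", "aes256-ctr", "aes256-gcm"]
HMAC_ORDER = ["md5", "md5-96", "sha1", "sha1-96", "sha2-256", "sha2-512"]
KEX_ORDER = ["dh-group-exchange-sha1", "dh-group1-sha1", "dh-group14-sha1",
             "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"]
IDENTITY_KEYS = ["dsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "rsa",
                 "x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384"]
ORDER_FOR = {"prefer-ctos-cipher": CIPHER_ORDER, "prefer-stoc-cipher": CIPHER_ORDER, "prefer-ctos-hmac": HMAC_ORDER,
             "prefer-stoc-hmac": HMAC_ORDER, "prefer-kex": KEX_ORDER, "identity-key": IDENTITY_KEYS}
# Values present in the non-FIPS syntax but missing from the FIPS-mode syntax.
FIPS_DROPPED = {"prefer-ctos-cipher": {"des-cbc", "3des-cbc"}, "prefer-stoc-cipher": {"des-cbc", "3des-cbc"},
                "prefer-ctos-hmac": {"md5", "md5-96"}, "prefer-stoc-hmac": {"md5", "md5-96"},
                "prefer-kex": {"dh-group-exchange-sha1", "dh-group1-sha1"}, "identity-key": {"dsa"}}
# Defaults from the Parameters sections; identity-key is omitted because its default already follows the mode.
DEFAULTS = {"prefer-ctos-cipher": "aes128-ctr", "prefer-stoc-cipher": "aes128-ctr",
            "prefer-ctos-hmac": "sha2-256", "prefer-stoc-hmac": "sha2-256", "prefer-kex": "ecdh-sha2-nistp256"}
# Number of value tokens each keyword consumes in the command syntax.
ARITY = dict.fromkeys(["vpn-instance", "pki-domain", "prefer-compress", "dscp", "escape",
                       "public-key", "server-pki-domain", *ORDER_FOR], 1)
ARITY["-i"] = 2


@dataclass
class Audit:
    command: str
    server: str
    options: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)

    @property
    def fips_ok(self) -> bool:
        return not any(f.startswith("FIPS:") for f in self.findings)


def parse_command(line: str) -> Audit:
    """Tokenise 'sftp [ipv6] server [port] ...' or 'ssh2 server [port] ...'."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("sftp", "ssh2"):
        raise ValueError("expected 'sftp [ipv6] server ...' or 'ssh2 server ...'")
    cmd = tokens.pop(0)
    if cmd == "sftp" and tokens[0] == "ipv6" and len(tokens) > 1:
        cmd += " " + tokens.pop(0)
    audit = Audit(command=cmd, server=tokens.pop(0))
    if tokens and tokens[0].isdigit():               # optional port-number
        audit.options["port-number"] = int(tokens.pop(0))
    while tokens:
        kw = tokens.pop(0)
        if kw == "source":                            # interface T N | ip A | ipv6 A
            kind = tokens.pop(0) if tokens else ""
            n = 2 if kind == "interface" else 1
            audit.options["source"] = (kind, *tokens[:n])
        elif kw in ARITY:
            n = ARITY[kw]
            if len(tokens) < n:
                raise ValueError(f"{kw} needs {n} value(s)")
            audit.options[kw] = tokens[0] if n == 1 else tuple(tokens[:n])
        else:
            raise ValueError(f"unknown keyword {kw!r}")
        del tokens[:n]
    return audit


def audit_command(line: str) -> Audit:
    """Apply page defaults, then flag FIPS-ineligible, lowest-ranked and inconsistent choices."""
    audit = parse_command(line)
    opts = audit.options
    checks = {k: opts.get(k, d) for k, d in DEFAULTS.items()}
    if "identity-key" in opts:                        # only an explicit identity-key can be wrong for the mode
        checks["identity-key"] = opts["identity-key"]
    for key, value in checks.items():
        if value not in ORDER_FOR[key]:
            audit.findings.append(f"error: unknown {key} value {value!r}")
        if value in FIPS_DROPPED[key]:
            audit.findings.append(f"FIPS: {key} {value} is absent from the FIPS-mode syntax")
        if key != "identity-key" and ORDER_FOR[key][0] == value:
            audit.findings.append(f"weak: {key} {value} is the lowest-ranked choice on the page")
    if "dscp" in opts:                                # dscp appears only in the non-FIPS syntax
        audit.findings.append("FIPS: dscp is absent from the FIPS-mode syntax")
    if opts.get("identity-key", "").startswith("x509v3") and "pki-domain" not in opts:
        audit.findings.append("error: an x509v3 identity-key requires pki-domain domain-name")
    if "public-key" not in opts and "server-pki-domain" not in opts:
        audit.findings.append("info: neither public-key nor server-pki-domain is given for server authentication")
    return audit


if __name__ == "__main__":
    # Constructed input: the page's own sftp example and a deliberately weak ssh2 line.
    for line in ("sftp 10.1.1.2 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 "
                 "prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey",
                 "ssh2 10.1.1.2 prefer-ctos-cipher des-cbc prefer-ctos-hmac md5 identity-key rsa dscp 40"):
        result = audit_command(line)
        print(result.command, result.server, "fips_ok" if result.fips_ok else "NOT fips_ok", result.findings)
```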

sftp ipv6 suite-b

Use sftp ipv6 suite-b to establish a connection to an IPv6 SFTP server based on Suite B algorithms and enter SFTP client view.

Syntax

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 ipv6-address } ]

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SFTP packets. The specified outgoing interface must have a link-local address. This option is used only when the server uses a link-local address to provide the SFTP service for the client.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 108.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies compression algorithm zlib.

dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

source: Specifies a source IP address or source interface for IPv6 SFTP packets. By default, the device automatically selects a source address for IPv6 SFTP packets in compliance with RFC 3484. As a best practice to ensure successful SFTP connections, specify a loopback interface as the source interface or specify the IPv6 address of a loopback or dialer interface as the source address.

·     interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address of the IPv6 SFTP packets.

·     ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

Table 108 Suite B algorithms

| Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm |
|---|---|---|---|
| 128-bit | ecdh-sha2-nistp256 | AES128-GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384 |
| 192-bit | ecdh-sha2-nistp384 | AES256-GCM | x509v3-ecdsa-sha2-nistp384 |
| Both | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AES128-GCM, AES256-GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384 |

Examples

# Use the 192-bit Suite B algorithms to establish a connection to SFTP server 2000::1. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> sftp ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

Username:

sftp suite-b

Use sftp suite-b to establish a connection to an IPv4 SFTP server based on Suite B algorithms and enter SFTP client view.

Syntax

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ip ip-address } ]

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 109.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies compression algorithm zlib.

dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

source: Specifies a source IP address or source interface for the SFTP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SFTP packets. As a best practice to ensure successful SFTP connections, specify a loopback interface as the source interface or specify the IPv4 address of a loopback or dialer interface as the source address.

·     interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IPv4 address of the SFTP packets.

·     ip ip-address: Specifies a source IPv4 address.

Usage guidelines

Table 109 Suite B algorithms

| Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm |
|---|---|---|---|
| 128-bit | ecdh-sha2-nistp256 | AES128-GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384 |
| 192-bit | ecdh-sha2-nistp384 | AES256-GCM | x509v3-ecdsa-sha2-nistp384 |
| Both | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AES128-GCM, AES256-GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384 |

Examples

# Use the 128-bit Suite B algorithms to establish a connection to SFTP server 10.1.1.2. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

Username:

ssh client ipv6 source

Use ssh client ipv6 source to configure the source IPv6 address for SSH packets that are sent by the Stelnet client.

Use undo ssh client ipv6 source to restore the default.

Syntax

ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

undo ssh client ipv6 source

Default

The source IPv6 address for SSH packets is not configured. The Stelnet client automatically selects an IPv6 address for SSH packets in compliance with RFC 3484.

Views

System view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number. The SSH packets use the longest-matching IPv6 address of the specified interface as their source address.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

This command takes effect on all IPv6 Stelnet connections. The source IPv6 address specified in the ssh2 ipv6 command takes effect only on the current IPv6 Stelnet connection.

If you specify the source IPv6 address both in this command and the ssh2 ipv6 command, the source IPv6 address specified in the ssh2 ipv6 command takes effect.

Examples

# Specify 2:2::2:2 as the source IPv6 address for SSH packets.

<Sysname> system-view

[Sysname] ssh client ipv6 source ipv6 2:2::2:2

Related commands

display ssh client source

ssh client source

Use ssh client source to configure the source IPv4 address for SSH packets that are sent by the Stelnet client.

Use undo ssh client source to restore the default.

Syntax

ssh client source { interface interface-type interface-number | ip ip-address }

undo ssh client source

Default

The source IPv4 address for SSH packets is not configured. The Stelnet client uses the primary IPv4 address of the output interface in the routing entry as the source address of the SSH packets.

Views

System view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number. The SSH packets use the primary IPv4 address of the interface as their source address.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

This command takes effect on all Stelnet connections. The source IPv4 address specified in the ssh2 command takes effect only on the current Stelnet connection.

If you specify the source IPv4 address both in this command and the ssh2 command, the source IPv4 address specified in the ssh2 command takes effect.

Examples

# Specify 192.168.0.1 as the source IPv4 address for SSH packets.

<Sysname> system-view

[Sysname] ssh client source ip 192.168.0.1

Related commands

display ssh client source

ssh2

Use ssh2 to establish a connection to an IPv4 Stelnet server.

Syntax

In non-FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

identity-key: Specifies a public key algorithm for publickey authentication of the client. The default is DSA in non-FIPS mode and is RSA in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm.

·     dsa: Specifies public key algorithm DSA.

·     ecdsa-sha2-nistp256: Specifies the ECDSA algorithm with 256-bit key strength.

·     ecdsa-sha2-nistp384: Specifies the ECDSA algorithm with 384-bit key strength.

·     rsa: Specifies public key algorithm RSA.

·     x509v3-ecdsa-sha2-nistp256: Specifies public key algorithm x509v3-ecdsa-sha2-nistp256.

·     x509v3-ecdsa-sha2-nistp384: Specifies public key algorithm x509v3-ecdsa-sha2-nistp384.

·     pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is AES128-CTR. Supported algorithms are DES-CBC, 3DES-CBC, AES128-CBC, AES128-CTR, AES128-GCM, AES192-CTR, AES256-CBC, AES256-CTR, and AES256-GCM, in ascending order of security strength and computation time.

·     3des-cbc: Specifies encryption algorithm 3DES-CBC.

·     aes128-cbc: Specifies encryption algorithm AES128-CBC.

·     aes128-ctr: Specifies encryption algorithm AES128-CTR.

·     aes128-gcm: Specifies encryption algorithm AES128-GCM.

·     aes192-ctr: Specifies encryption algorithm AES192-CTR.

·     aes256-cbc: Specifies encryption algorithm AES256-CBC.

·     aes256-ctr: Specifies encryption algorithm AES256-CTR.

·     aes256-gcm: Specifies encryption algorithm AES256-GCM.

·     des-cbc: Specifies encryption algorithm DES-CBC.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is SHA2-256. Supported algorithms are MD5, MD5-96, SHA1, SHA1-96, SHA2-256, and SHA2-512, in ascending order of security strength and computation time.

·     md5: Specifies HMAC algorithm HMAC-MD5.

·     md5-96: Specifies HMAC algorithm HMAC-MD5-96.

·     sha1: Specifies HMAC algorithm HMAC-SHA1.

·     sha1-96: Specifies HMAC algorithm HMAC-SHA1-96.

·     sha2-256: Specifies HMAC algorithm HMAC-SHA2-256.

·     sha2-512: Specifies HMAC algorithm HMAC-SHA2-512.

prefer-kex: Specifies the preferred key exchange algorithm. The default is ecdh-sha2-nistp256. Supported algorithms are diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, and ecdh-sha2-nistp384, in ascending order of security strength and computation time.

·     dh-group-exchange-sha1: Specifies key exchange algorithm diffie-hellman-group-exchange-sha1.

·     dh-group1-sha1: Specifies key exchange algorithm diffie-hellman-group1-sha1.

·     dh-group14-sha1: Specifies key exchange algorithm diffie-hellman-group14-sha1.

·     ecdh-sha2-nistp256: Specifies key exchange algorithm ecdh-sha2-nistp256.

·     ecdh-sha2-nistp384: Specifies key exchange algorithm ecdh-sha2-nistp384.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is AES128-CTR. Supported algorithms are the same as the client-to-server encryption algorithms (see the prefer-ctos-cipher keyword).

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is SHA2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword).

dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).

public-key keyname: Specifies the host public key of the server that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

source: Specifies a source IPv4 address or source interface for SSH packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source IPv4 address of SSH packets. As a best practice to ensure successful IPv4 Stelnet connections, specify a loopback interface as the source interface or specify the IPv4 address of a loopback or dialer interface as the source address.

interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IPv4 address of the SSH packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication.

The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.

For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line.

As a best practice, use the default escape character (~). Do not use any character in SSH usernames as the escape character.

Examples

# Establish a connection to the IPv4 Stelnet server 3.3.3.3 and specify the public key of the server as svkey. The Stelnet client uses publickey authentication. Specify the dollar sign ($) as the escape character. Use the following algorithms:

·     Preferred key exchange algorithm: dh-group14-sha1.

·     Preferred server-to-client encryption algorithm: aes128-cbc.

·     Preferred client-to-server HMAC algorithm: sha1.

·     Preferred server-to-client HMAC algorithm: sha1-96.

·     Preferred compression algorithm: zlib.

<Sysname> ssh2 3.3.3.3 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey escape $

ssh2 ipv6

Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server.

Syntax

In non-FIPS mode:

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | { x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SSH packets. This option is used only when the server uses a link-local address to provide the Stelnet service for the client. The specified output interface on the Stelnet client must have a link-local address.

identity-key: Specifies a public key algorithm for publickey authentication of the client. The default is DSA in non-FIPS mode and is RSA in FIPS mode. If the server uses publickey authentication, you must specify this keyword. The client generates the digital signature or certificate by using the local private key that is associated with the specified algorithm.

·     dsa: Specifies public key algorithm DSA.

·     ecdsa-sha2-nistp256: Specifies the ECDSA algorithm with 256-bit key strength.

·     ecdsa-sha2-nistp384: Specifies the ECDSA algorithm with 384-bit key strength.

·     rsa: Specifies public key algorithm RSA.

·     x509v3-ecdsa-sha2-nistp256: Specifies public key algorithm x509v3-ecdsa-sha2-nistp256.

·     x509v3-ecdsa-sha2-nistp384: Specifies public key algorithm x509v3-ecdsa-sha2-nistp384.

·     pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. When the x509v3 public key algorithm is used, you must specify this option for the client to get the correct local certificate.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is AES128-CTR. Supported algorithms are DES-CBC, 3DES-CBC, AES128-CBC, AES128-CTR, AES128-GCM, AES192-CTR, AES256-CBC, AES256-CTR, and AES256-GCM, in ascending order of security strength and computation time.

·     3des-cbc: Specifies encryption algorithm 3DES-CBC.

·     aes128-cbc: Specifies encryption algorithm AES128-CBC.

·     aes128-ctr: Specifies encryption algorithm AES128-CTR.

·     aes128-gcm: Specifies encryption algorithm AES128-GCM.

·     aes192-ctr: Specifies encryption algorithm AES192-CTR.

·     aes256-cbc: Specifies encryption algorithm AES256-CBC.

·     aes256-ctr: Specifies encryption algorithm AES256-CTR.

·     aes256-gcm: Specifies encryption algorithm AES256-GCM.

·     des-cbc: Specifies encryption algorithm DES-CBC.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is SHA2-256. Supported algorithms are MD5, MD5-96, SHA1, SHA1-96, SHA2-256, and SHA2-512, in ascending order of security strength and computation time.

·     md5: Specifies HMAC algorithm HMAC-MD5.

·     md5-96: Specifies HMAC algorithm HMAC-MD5-96.

·     sha1: Specifies HMAC algorithm HMAC-SHA1.

·     sha1-96: Specifies HMAC algorithm HMAC-SHA1-96.

·     sha2-256: Specifies HMAC algorithm HMAC-SHA2-256.

·     sha2-512: Specifies HMAC algorithm HMAC-SHA2-512.

prefer-kex: Specifies the preferred key exchange algorithm. The default is ecdh-sha2-nistp256. Supported algorithms are diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, and ecdh-sha2-nistp384, in ascending order of security strength and computation time.

·     dh-group-exchange-sha1: Specifies key exchange algorithm diffie-hellman-group-exchange-sha1.

·     dh-group1-sha1: Specifies key exchange algorithm diffie-hellman-group1-sha1.

·     dh-group14-sha1: Specifies key exchange algorithm diffie-hellman-group14-sha1.

·     ecdh-sha2-nistp256: Specifies key exchange algorithm ecdh-sha2-nistp256.

·     ecdh-sha2-nistp384: Specifies key exchange algorithm ecdh-sha2-nistp384.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is AES128-CTR. Supported algorithms are the same as the client-to-server encryption algorithms (see the prefer-ctos-cipher keyword).

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is SHA2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the prefer-ctos-hmac keyword).

dscp dscp-value: Specifies the DSCP value in the IPv6 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).

public-key keyname: Specifies the host public key of the server that the client uses to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

source: Specifies a source IPv6 address or source interface for IPv6 SSH packets. By default, the device automatically selects a source IPv6 address for IPv6 SSH packets in compliance with RFC 3484. As a best practice to ensure successful IPv6 Stelnet connections, specify a loopback interface as the source interface or specify the IPv6 address of a loopback or dialer interface as the source address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address of the IPv6 SSH packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication.

The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.

For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line.

As a best practice, use the default escape character (~). Do not use any characters in SSH usernames as the escape character.

Examples

# Establish a connection to the IPv6 Stelnet server 2000::1 and specify the public key of the server as svkey. The SSH client uses publickey authentication. Specify the dollar sign ($) as the escape character. Use the following algorithms:

·     Preferred key exchange algorithm: dh-group14-sha1.

·     Preferred server-to-client encryption algorithm: aes128-cbc.

·     Preferred client-to-server HMAC algorithm: sha1.

·     Preferred server-to-client HMAC algorithm: sha1-96.

·     Preferred compression algorithm: zlib.

<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey escape $

ssh2 ipv6 suite-b

Use ssh2 ipv6 suite-b to establish a connection to an IPv6 Stelnet server based on Suite B algorithms.

Syntax

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ]

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SSH packets. Specify this option when the server uses a link-local address to provide the Stelnet service for the client. The specified output interface on the Stelnet client must have a link-local address.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 110.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies compression algorithm zlib.

dscp dscp-value: Specifies the DSCP value in the IPv6 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).

source: Specifies a source IP address or source interface for IPv6 SSH packets. By default, the device automatically selects a source address for IPv6 SSH packets in compliance with RFC 3484. As a best practice to ensure successful Stelnet connections, specify a loopback interface as the source interface or specify the IPv6 address of a loopback or dialer interface as the source address.

·     interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address of the IPv6 SSH packets.

·     ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

Table 110 Suite B algorithms

Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm
128-bit | ecdh-sha2-nistp256 | AES128-GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
192-bit | ecdh-sha2-nistp384 | AES256-GCM | x509v3-ecdsa-sha2-nistp384
Both | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AES128-GCM, AES256-GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384

The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.

For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line. As a best practice, use the default escape character (~). Do not use any character in SSH usernames as the escape character.

Examples

# Use the 192-bit Suite B algorithms to establish a connection to Stelnet server 2000::1. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> ssh2 ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

Username:

ssh2 suite-b

Use ssh2 suite-b to establish a connection to an IPv4 Stelnet server based on Suite B algorithms.

Syntax

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ]

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 111.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies compression algorithm zlib.

dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).

source: Specifies a source IP address or source interface for SSH packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SSH packets. As a best practice to ensure successful Stelnet connections, specify a loopback interface as the source interface or specify the IPv4 address of a loopback or dialer interface as the source address.

·     interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IPv4 address of the SSH packets.

·     ip ip-address: Specifies a source IPv4 address.

Usage guidelines

Table 111 Suite B algorithms

Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm
128-bit | ecdh-sha2-nistp256 | AES128-GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
192-bit | ecdh-sha2-nistp384 | AES256-GCM | x509v3-ecdsa-sha2-nistp384
Both | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AES128-GCM, AES256-GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384

The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.

For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line. As a best practice, use the default escape character (~). Do not use any character in SSH usernames as the escape character.

Examples

# Use the 128-bit Suite B algorithms to establish a connection to Stelnet server 3.3.3.3. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

Username:

SSH2 commands

display ssh2 algorithm

Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation stage.

Syntax

display ssh2 algorithm

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display algorithms used by SSH2 in the algorithm negotiation stage.

<Sysname> display ssh2 algorithm

Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1 dh-group14-sha1 dh-group1-sha1

 Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 rsa dsa

 Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm aes128-cbc 3des-cbc aes256-cbc des-cbc

 MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96

Table 112 Command output

Field | Description
Key exchange algorithms | Key exchange algorithms in descending order of priority for algorithm negotiation.
Public key algorithms | Public key algorithms in descending order of priority for algorithm negotiation.
Encryption algorithms | Encryption algorithms in descending order of priority for algorithm negotiation.
MAC algorithms | MAC algorithms in descending order of priority for algorithm negotiation.

Related commands

ssh2 algorithm cipher

ssh2 algorithm key-exchange

ssh2 algorithm mac

ssh2 algorithm public-key

ssh2 algorithm cipher

Use ssh2 algorithm cipher to specify encryption algorithms for SSH2.

Use undo ssh2 algorithm cipher to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } *

undo ssh2 algorithm cipher

In FIPS mode:

ssh2 algorithm cipher { aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm } *

undo ssh2 algorithm cipher

Default

SSH2 uses encryption algorithms AES128-CTR, AES192-CTR, AES256-CTR, AES128-GCM, AES256-GCM, AES128-CBC, 3DES-CBC, AES256-CBC, and DES-CBC in descending order of priority for algorithm negotiation.

Views

System view

Predefined user roles

network-admin

Parameters

3des-cbc: Specifies encryption algorithm 3DES-CBC.

aes128-cbc: Specifies encryption algorithm AES128-CBC.

aes128-ctr: Specifies encryption algorithm AES128-CTR.

aes128-gcm: Specifies encryption algorithm AES128-GCM.

aes192-ctr: Specifies encryption algorithm AES192-CTR.

aes256-cbc: Specifies encryption algorithm AES256-CBC.

aes256-ctr: Specifies encryption algorithm AES256-CTR.

aes256-gcm: Specifies encryption algorithm AES256-GCM.

des-cbc: Specifies encryption algorithm DES-CBC.

Usage guidelines

If you specify the encryption algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm 3des-cbc as the encryption algorithm for SSH2.

<Sysname> system-view

[Sysname] ssh2 algorithm cipher 3des-cbc

Related commands

display ssh2 algorithm

ssh2 algorithm key-exchange

ssh2 algorithm mac

ssh2 algorithm public-key

ssh2 algorithm key-exchange

Use ssh2 algorithm key-exchange to specify key exchange algorithms for SSH2.

Use undo ssh2 algorithm key-exchange to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *

undo ssh2 algorithm key-exchange

In FIPS mode:

ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *

undo ssh2 algorithm key-exchange

Default

SSH2 uses key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, and diffie-hellman-group1-sha1 in descending order of priority for algorithm negotiation.

Views

System view

Predefined user roles

network-admin

Parameters

dh-group-exchange-sha1: Specifies key exchange algorithm diffie-hellman-group-exchange-sha1.

dh-group1-sha1: Specifies key exchange algorithm diffie-hellman-group1-sha1.

dh-group14-sha1: Specifies key exchange algorithm diffie-hellman-group14-sha1.

ecdh-sha2-nistp256: Specifies key exchange algorithm ecdh-sha2-nistp256.

ecdh-sha2-nistp384: Specifies key exchange algorithm ecdh-sha2-nistp384.

Usage guidelines

If you specify the key exchange algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm dh-group1-sha1 as the key exchange algorithm for SSH2.

<Sysname> system-view

[Sysname] ssh2 algorithm key-exchange dh-group1-sha1

Related commands

display ssh2 algorithm

ssh2 algorithm cipher

ssh2 algorithm mac

ssh2 algorithm public-key

ssh2 algorithm mac

Use ssh2 algorithm mac to specify MAC algorithms for SSH2.

Use undo ssh2 algorithm mac to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *

undo ssh2 algorithm mac

In FIPS mode:

ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *

undo ssh2 algorithm mac

Default

SSH2 uses HMAC algorithms SHA2-256, SHA2-512, SHA1, MD5, SHA1-96, and MD5-96 in descending order of priority for algorithm negotiation.

Views

System view

Predefined user roles

network-admin

Parameters

md5: Specifies HMAC algorithm HMAC-MD5.

md5-96: Specifies HMAC algorithm HMAC-MD5-96.

sha1: Specifies the HMAC algorithm hmac-sha1.

sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

sha2-256: Specifies HMAC algorithm HMAC-SHA2-256.

sha2-512: Specifies HMAC algorithm HMAC-SHA2-512.

Usage guidelines

If you specify the MAC algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm md5 as the MAC algorithm for SSH2.

<Sysname> system-view

[Sysname] ssh2 algorithm mac md5

Related commands

display ssh2 algorithm

ssh2 algorithm cipher

ssh2 algorithm key-exchange

ssh2 algorithm public-key

ssh2 algorithm public-key

Use ssh2 algorithm public-key to specify public key algorithms for SSH2.

Use undo ssh2 algorithm public-key to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm public-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } *

undo ssh2 algorithm public-key

In FIPS mode:

ssh2 algorithm public-key { ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } *

undo ssh2 algorithm public-key

Default

SSH2 uses public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, RSA, and DSA in descending order of priority for algorithm negotiation.

Views

System view

Predefined user roles

network-admin

Parameters

dsa: Specifies public key algorithm DSA.

ecdsa-sha2-nistp256: Specifies the ECDSA algorithm with 256-bit key strength.

ecdsa-sha2-nistp384: Specifies the ECDSA algorithm with 384-bit key strength.

rsa: Specifies public key algorithm RSA.

x509v3-ecdsa-sha2-nistp256: Specifies public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies public key algorithm x509v3-ecdsa-sha2-nistp384.

Usage guidelines

If you specify the public key algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.
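The three ssh2 algorithm commands above (key-exchange, mac, public-key) each describe an ordered list that restricts what SSH2 will negotiate. The following is an added example, not H3C code, that models the negotiation under the RFC 4253 section 7.1 rule: each side sends a comma-separated name-list in SSH_MSG_KEXINIT and the chosen algorithm is the first entry of the client's list that the server also supports. The device-side lists are this page's documented defaults; that the device advertises exactly these wire names, and the simplification that host-key algorithm compatibility is ignored, are assumptions of the example.

```python
"""Model of SSH2 algorithm negotiation for the lists configured with the
ssh2 algorithm key-exchange / mac commands (added example, not H3C code).
Rule applied: RFC 4253 section 7.1, first client entry also on the server's list.
"""

# Documented default lists, in the page's priority order (first = highest).
DEVICE_KEX_DEFAULT = [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]
DEVICE_MAC_DEFAULT = [
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
    "hmac-md5", "hmac-sha1-96", "hmac-md5-96",
]

# CLI keyword -> SSH wire name for 'ssh2 algorithm key-exchange' (assumed mapping).
KEX_KEYWORDS = {
    "dh-group-exchange-sha1": "diffie-hellman-group-exchange-sha1",
    "dh-group1-sha1": "diffie-hellman-group1-sha1",
    "dh-group14-sha1": "diffie-hellman-group14-sha1",
    "ecdh-sha2-nistp256": "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384": "ecdh-sha2-nistp384",
}
# CLI keyword -> SSH wire name for 'ssh2 algorithm mac' (assumed mapping).
MAC_KEYWORDS = {
    "md5": "hmac-md5", "md5-96": "hmac-md5-96",
    "sha1": "hmac-sha1", "sha1-96": "hmac-sha1-96",
    "sha2-256": "hmac-sha2-256", "sha2-512": "hmac-sha2-512",
}


def configure(keyword_map, *keywords):
    """Model 'ssh2 algorithm ... <keywords>': only the named algorithms remain, in the given order."""
    unknown = [k for k in keywords if k not in keyword_map]
    if unknown:
        raise ValueError(f"unknown algorithm keyword(s): {unknown}")
    return [keyword_map[k] for k in dict.fromkeys(keywords)]


def name_list(algorithms):
    """Encode a list as the comma-separated name-list carried in SSH_MSG_KEXINIT."""
    return ",".join(algorithms)


def parse_name_list(text):
    """Decode a KEXINIT name-list back into a Python list (empty fields dropped)."""
    return [a for a in text.split(",") if a]


def negotiate(client_list, server_list):
    """RFC 4253: the first algorithm in the client's list that the server also lists.
    None means there is no common algorithm and the connection fails."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


if __name__ == "__main__":
    # Constructed client that prefers the weakest group first.
    client_kex = ["diffie-hellman-group1-sha1", "ecdh-sha2-nistp256"]
    print("default list  ->", negotiate(client_kex, DEVICE_KEX_DEFAULT))
    restricted = configure(KEX_KEYWORDS, "ecdh-sha2-nistp256", "dh-group14-sha1")
    print("restricted    ->", negotiate(client_kex, restricted))
    print("wire name-list:", name_list(restricted))
```

The point the model makes for a defender: when the device is the SSH server, the client's preference order decides among whatever the device still lists, so removing an algorithm from the list (not merely moving it down) is what prevents a client from negotiating it. The configured order governs the choice when the device is the client sending its own KEXINIT.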

Examples

# Specify the algorithm dsa as the public key algorithm for SSH2.

<Sysname> system-view

[Sysname] ssh2 algorithm public-key dsa

Related commands

display ssh2 algorithm

ssh2 algorithm cipher

ssh2 algorithm key-exchange

ssh2 algorithm mac


SSL commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

The following matrix shows the feature and hardware compatibility:

Hardware | SSL compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS | Yes
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes

certificate-chain-sending enable

Use certificate-chain-sending enable to enable the SSL server to send the complete certificate chain to the client during SSL negotiation.

Use undo certificate-chain-sending enable to restore the default.

Syntax

certificate-chain-sending enable

undo certificate-chain-sending enable

Default

During SSL negotiation, the SSL server sends the server certificate rather than the complete certificate chain to the client.

Views

SSL server policy view

Predefined user roles

network-admin

Usage guidelines

This feature adds overhead to the SSL negotiation process. Enable it only when the SSL client does not have the complete certificate chain it needs to verify the server certificate.

Examples

# Enable the SSL server to send the complete certificate chain to the client during SSL negotiation.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] certificate-chain-sending enable

ciphersuite

Use ciphersuite to specify the cipher suites supported by an SSL server policy.

Use undo ciphersuite to restore the default.

Syntax

In non-FIPS mode:

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *

undo ciphersuite

In FIPS mode:

ciphersuite { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 } *

undo ciphersuite

Default

An SSL server policy supports all cipher suites.

Views

SSL server policy view

Predefined user roles

network-admin

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

ecdhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_rsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_rsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_rsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

exp_rsa_rc2_md5: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm RC2, and MAC algorithm MD5.

exp_rsa_rc4_md5: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm RC4, and MAC algorithm MD5.

rsa_3des_ede_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 3DES_EDE_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

rsa_des_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

rsa_rc4_128_md5: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm MD5.

rsa_rc4_128_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm SHA.

Usage guidelines

SSL employs the following algorithms:

·     Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms, such as DES_CBC, 3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key.

·     Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include MD5 and SHA. When using a MAC algorithm, the SSL server and the SSL client must use the same key.

·     Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are usually asymmetric key algorithms, such as RSA.

After the SSL server receives a cipher suite from a client, the server compares the received cipher suite with the cipher suites it supports. If a match is found, the cipher suite negotiation succeeds. If no match is found, the negotiation fails.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure SSL server policy policy1 to support the following cipher suites:

·     Key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.

·     Key exchange algorithm RSA, data encryption algorithm 128-bit AES, and MAC algorithm SHA.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] ciphersuite dhe_rsa_aes_128_cbc_sha rsa_aes_128_cbc_sha

Related commands

display ssl server-policy

prefer-cipher

client-verify

Use client-verify to enable mandatory or optional SSL client authentication.

Use undo client-verify to restore the default.

Syntax

client-verify { enable | optional }

undo client-verify [ enable ]

Default

SSL client authentication is disabled. The SSL server does not authenticate SSL clients based on digital certificates.

Views

SSL server policy view

Predefined user roles

network-admin

Parameters

enable: Enables mandatory SSL client authentication.

optional: Enables optional SSL client authentication.

Usage guidelines

SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide.

Mandatory SSL client authentication—The SSL server requires an SSL client to submit its digital certificate for identity authentication. The SSL client can access the SSL server only after it passes identity authentication.

Optional SSL client authentication—The SSL server does not require an SSL client to submit its digital certificate for identity authentication.

·     If an SSL client submits its certificate to the SSL server, the server authenticates the client identity. The client must pass authentication to access the server.

·     If an SSL client does not submit its certificate to the SSL server, the server does not authenticate the client identity. The client can access the SSL server without authentication.

If SSL client authentication is disabled, the SSL server does not authenticate SSL clients regardless of whether the clients submit digital certificates or not. SSL clients can access the SSL server without authentication.

When authenticating a client by using the digital certificate, the SSL server performs the following operations:

·     Verifies the certificate chain presented by the client.

·     Checks that the certificates in the certificate chain (except the root CA certificate) are not revoked.
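The following is an added example, not H3C code, that models the server-side decision described above for the three client-verify settings (enable, optional, and undo client-verify). Certificates are toy records without real signatures: a chain is accepted when each certificate names the next one as its issuer and the chain ends at a trusted self-signed root, and, as the page states, every certificate except the root CA certificate is checked for revocation. The names, serial numbers and the revocation set are constructed for the example.

```python
"""Model of SSL client authentication under client-verify enable / optional /
disabled (added example, not H3C code; toy certificates, no real signatures)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int


TRUSTED_ROOTS = {"Example Root CA"}              # constructed trust anchor
REVOKED = {("Example Issuing CA", 1002)}         # constructed (issuer, serial) pairs, as from a CRL

# Constructed chain material.
ROOT = Cert("Example Root CA", "Example Root CA", 1)
ISSUING_CA = Cert("Example Issuing CA", "Example Root CA", 42)
CLIENT_OK = Cert("client-good", "Example Issuing CA", 1001)
CLIENT_REVOKED = Cert("client-revoked", "Example Issuing CA", 1002)
CLIENT_ROGUE = Cert("client-rogue", "Unknown CA", 7)


def verify_chain(chain):
    """chain[0] is the client certificate, chain[-1] the root. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject} was not issued by {issuer.subject}"
    root = chain[-1]
    if root.subject != root.issuer or root.subject not in TRUSTED_ROOTS:
        return False, "chain does not end at a trusted root CA"
    for cert in chain[:-1]:                      # the root CA certificate is not revocation-checked
        if (cert.issuer, cert.serial) in REVOKED:
            return False, f"{cert.subject} is revoked"
    return True, "ok"


def client_allowed(mode, chain):
    """mode: 'enable' (mandatory), 'optional', or None (client-verify undone).
    chain: the certificate chain the client presented, or None if it sent none."""
    if mode is None:
        return True, "client authentication disabled"
    if chain is None:
        if mode == "optional":
            return True, "no certificate presented; allowed without authentication"
        return False, "no certificate presented; certificate required"
    return verify_chain(chain)


if __name__ == "__main__":
    cases = (("none", None),
             ("good", [CLIENT_OK, ISSUING_CA, ROOT]),
             ("revoked", [CLIENT_REVOKED, ISSUING_CA, ROOT]))
    for mode in ("enable", "optional", None):
        for label, chain in cases:
            print(f"client-verify {str(mode):8} client cert {label:8} ->", client_allowed(mode, chain))
```

Note the asymmetry the model makes visible: under optional, a client that presents a bad certificate is rejected even though a client that presents none is admitted, so optional mode does not weaken the check for clients that do present certificates.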

Examples

# Enable mandatory SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify enable

# Enable optional SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] client-verify optional

# Disable SSL client authentication.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] undo client-verify

Related commands

display ssl server-policy

display ssl client-policy

Use display ssl client-policy to display SSL client policy information.

Syntax

display ssl client-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy name, this command displays information about all SSL client policies.

Examples

# Display information about SSL client policy policy1.

<Sysname> display ssl client-policy policy1

 SSL client policy: policy1

     SSL version: SSL 3.0

     PKI domain: client-domain

     Preferred ciphersuite:

         RSA_AES_128_CBC_SHA

     Server-verify: enabled

Table 113 Command output

Field | Description
Server-verify | Indicates whether the client is enabled to use digital certificates to authenticate servers.

display ssl server-policy

Use display ssl server-policy to display SSL server policy information.

Syntax

display ssl server-policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy name, this command displays information about all SSL server policies.

Examples

# Display information about SSL server policy policy1.

<Sysname> display ssl server-policy policy1

 SSL server policy: policy1

     Version info:

         SSL3.0: Disabled

         TLS1.0: Enabled

         TLS1.1: Disabled

         TLS1.2: Enabled

     PKI domain: server-domain

     Ciphersuites:

         DHE_RSA_AES_128_CBC_SHA

         RSA_AES_128_CBC_SHA

     Session cache size: 600

     Caching timeout: 3600 seconds

     Client-verify: Enabled

Table 114 Command output

Field | Description
Caching timeout | Session cache timeout time in seconds.
Version info | Enabling status of the SSL protocol versions in the SSL server policy. The SSL server can use only the enabled SSL protocol versions for session negotiation. SSL 3.0 is supported only in non-FIPS mode.
Client-verify | SSL client authentication mode: Disabled (SSL client authentication is disabled), Enabled (SSL client authentication is mandatory), or Optional (SSL client authentication is optional).

pki-domain

Use pki-domain to specify a PKI domain for an SSL client policy or an SSL server policy.

Use undo pki-domain to restore the default.

Syntax

pki-domain domain-name

undo pki-domain

Default

No PKI domain is specified for an SSL client policy or an SSL server policy.

Views

SSL client policy view

SSL server policy view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you specify a PKI domain for an SSL client policy, the SSL client that uses the SSL client policy will obtain its digital certificate through the specified PKI domain.

If you specify a PKI domain for an SSL server policy, the SSL server that uses the SSL server policy will obtain its digital certificate through the specified PKI domain.

Examples

# Specify PKI domain client-domain for the SSL client policy policy1.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] pki-domain client-domain

# Specify PKI domain server-domain for the SSL server policy policy1.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] pki-domain server-domain

Related commands

display ssl client-policy

display ssl server-policy

pki domain

prefer-cipher

Use prefer-cipher to specify a preferred cipher suite for an SSL client policy.

Use undo prefer-cipher to restore the default.

Syntax

In non-FIPS mode:

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha | dhe_rsa_aes_256_cbc_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

In FIPS mode:

prefer-cipher { ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | rsa_aes_128_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha | rsa_aes_256_cbc_sha256 }

undo prefer-cipher

Default

In non-FIPS mode:

The preferred cipher suites of an SSL client policy are dhe_rsa_aes_128_cbc_sha, dhe_rsa_aes_256_cbc_sha, rsa_3des_ede_cbc_sha, rsa_aes_128_cbc_sha, and rsa_aes_256_cbc_sha.

In FIPS mode:

The preferred cipher suites of an SSL client policy are rsa_aes_128_cbc_sha and rsa_aes_256_cbc_sha.

Views

SSL client policy view

Predefined user roles

network-admin

Parameters

dhe_rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

dhe_rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

dhe_rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm DHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE ECDSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

ecdhe_rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

ecdhe_rsa_aes_128_gcm_sha256: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 128-bit AES_GCM, and MAC algorithm SHA256.

ecdhe_rsa_aes_256_cbc_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA384.

ecdhe_rsa_aes_256_gcm_sha384: Specifies the cipher suite that uses key exchange algorithm ECDHE RSA, data encryption algorithm 256-bit AES_GCM, and MAC algorithm SHA384.

exp_rsa_des_cbc_sha: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

exp_rsa_rc2_md5: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm RC2, and MAC algorithm MD5.

exp_rsa_rc4_md5: Specifies the export cipher suite that uses key exchange algorithm RSA, data encryption algorithm RC4, and MAC algorithm MD5.

rsa_3des_ede_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 3DES_EDE_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_128_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA256.

rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA.

rsa_aes_256_cbc_sha256: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA256.

rsa_des_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA.

rsa_rc4_128_md5: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm MD5.

rsa_rc4_128_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm SHA.

Usage guidelines

SSL employs the following algorithms:

·     Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms, such as DES_CBC, 3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key.

·     Message Authentication Code (MAC) algorithms—Calculate the MAC value for data to ensure integrity. Commonly used MAC algorithms include MD5 and SHA. When using a MAC algorithm, the SSL server and the SSL client must use the same key.

·     Key exchange algorithms—Implement secure exchange of the keys used by the symmetric key algorithm and the MAC algorithm. Commonly used key exchange algorithms are asymmetric key algorithms, such as RSA.

The SSL client sends the preferred cipher suite to the SSL server. The server compares the received cipher suite with the cipher suites it supports. If a match is found, the cipher suite negotiation succeeds. If no match is found, the negotiation fails.

If you execute this command multiple times, the most recent configuration takes effect.
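The ciphersuite usage guidelines (server side) and the prefer-cipher guidelines above (client side) describe the same match: the server accepts a suite the client offers only if it is in the server policy's supported set. The following is an added example, not H3C code, that models from this page the supported set defaulting to all suites, a repeated ciphersuite command replacing rather than extending the previous one, and the server taking the first offered suite it supports. The audit() helper is the example's own defender-side addition: its rules (flag export suites, RC4 per RFC 7465, single DES and RC2, MD5-based MACs, and static-RSA suites without forward secrecy) are assumptions drawn from general TLS guidance, not from H3C.

```python
"""Model of SSL server policy cipher-suite configuration, negotiation and a
configuration audit (added example, not H3C code)."""

# All non-FIPS keywords listed on this page for 'ciphersuite' / 'prefer-cipher'.
ALL_SUITES = [
    "dhe_rsa_aes_128_cbc_sha", "dhe_rsa_aes_128_cbc_sha256",
    "dhe_rsa_aes_256_cbc_sha", "dhe_rsa_aes_256_cbc_sha256",
    "ecdhe_ecdsa_aes_128_cbc_sha256", "ecdhe_ecdsa_aes_128_gcm_sha256",
    "ecdhe_ecdsa_aes_256_cbc_sha384", "ecdhe_ecdsa_aes_256_gcm_sha384",
    "ecdhe_rsa_aes_128_cbc_sha256", "ecdhe_rsa_aes_128_gcm_sha256",
    "ecdhe_rsa_aes_256_cbc_sha384", "ecdhe_rsa_aes_256_gcm_sha384",
    "exp_rsa_des_cbc_sha", "exp_rsa_rc2_md5", "exp_rsa_rc4_md5",
    "rsa_3des_ede_cbc_sha", "rsa_aes_128_cbc_sha", "rsa_aes_128_cbc_sha256",
    "rsa_aes_256_cbc_sha", "rsa_aes_256_cbc_sha256", "rsa_des_cbc_sha",
    "rsa_rc4_128_md5", "rsa_rc4_128_sha",
]
KEX_PREFIXES = ("ecdhe_ecdsa", "ecdhe_rsa", "dhe_rsa", "rsa")   # longest match first


def parse_suite(keyword):
    """Split a keyword into the key exchange, cipher and MAC parts the Parameters section describes."""
    if keyword not in ALL_SUITES:
        raise ValueError(f"unknown cipher suite keyword: {keyword!r}")
    export = keyword.startswith("exp_")
    name = keyword[4:] if export else keyword
    kex = next(p for p in KEX_PREFIXES if name.startswith(p + "_"))
    cipher, _, mac = name[len(kex) + 1:].rpartition("_")
    return {"export": export, "kex": kex, "cipher": cipher, "mac": mac}


class SslServerPolicy:
    """The part of an SSL server policy that the ciphersuite command controls."""

    def __init__(self, name):
        self.name = name
        self.suites = list(ALL_SUITES)          # default: all cipher suites supported

    def ciphersuite(self, *keywords):
        """'ciphersuite a b': only a and b remain; a later call replaces, it does not append."""
        for k in keywords:
            parse_suite(k)                      # rejects unknown keywords
        self.suites = list(dict.fromkeys(keywords))

    def undo_ciphersuite(self):
        self.suites = list(ALL_SUITES)

    def negotiate(self, offered):
        """Accept the first suite the client offers that this policy supports; None = negotiation fails."""
        supported = set(self.suites)
        for s in offered:
            if s in supported:
                return s
        return None


def audit(policy):
    """Map each configured suite a defender would usually remove to the reasons for removing it."""
    findings = {}
    for s in policy.suites:
        p = parse_suite(s)
        reasons = []
        if p["export"]:
            reasons.append("export-grade key length")
        if p["cipher"].startswith("rc4"):
            reasons.append("RC4 (prohibited for TLS by RFC 7465)")
        if p["cipher"] in ("des_cbc", "rc2"):
            reasons.append("56-bit or weaker cipher")
        if p["mac"] == "md5":
            reasons.append("MD5-based MAC")
        if not p["kex"].startswith(("ecdhe", "dhe")):
            reasons.append("no forward secrecy (static RSA key exchange)")
        if reasons:
            findings[s] = reasons
    return findings


if __name__ == "__main__":
    policy = SslServerPolicy("policy1")
    policy.ciphersuite("dhe_rsa_aes_128_cbc_sha", "rsa_aes_128_cbc_sha")   # the page's own example
    print("supported:", policy.suites)
    print("client offering RC4 first:", policy.negotiate(["rsa_rc4_128_sha", "rsa_aes_128_cbc_sha"]))
    print("audit:", audit(policy))
```

Two practical consequences the model shows: with the default policy (all suites), a client that offers only an export or RC4 suite is accepted, because the restriction lives entirely in the ciphersuite command; and because a second ciphersuite command replaces the first, an operator adding a suite must repeat the whole intended list.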

Examples

# Configure SSL client policy policy1 to support key exchange algorithm RSA, data encryption algorithm 128-bit AES_CBC, and MAC algorithm SHA.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha

Related commands

ciphersuite

display ssl client-policy

server-verify enable

Use server-verify enable to enable the SSL client to use digital certificates to authenticate SSL servers.

Use undo server-verify enable to disable SSL server authentication. The SSL client does not authenticate any SSL servers.

Syntax

server-verify enable

undo server-verify enable

Default

The SSL client uses digital certificates to authenticate SSL servers.

Views

SSL client policy view

Predefined user roles

network-admin

Usage guidelines

SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide.

If you execute the server-verify enable command, an SSL server must send its digital certificate to the SSL client for authentication. The client can access the SSL server only after the server passes the authentication.

Examples

# Enable the SSL client to use digital certificates to authenticate SSL servers.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] server-verify enable

Related commands

display ssl client-policy

session

Use session to set the maximum number of sessions that the SSL server can cache and the timeout time for cached sessions.

Use undo session to restore the default.

Syntax

session { cachesize size | timeout time } *

undo session { cachesize | timeout } *

Default

The SSL server can cache a maximum of 500 sessions, and the timeout time for cached sessions is 3600 seconds.

Views

SSL server policy view

Predefined user roles

network-admin

Parameters

cachesize size: Sets the maximum number of cached sessions, in the range of 100 to 20480.

timeout time: Sets the session cache timeout in the range of 1 to 4294967295 seconds.

Usage guidelines

The SSL server caches SSL sessions to reuse negotiated session parameters to simplify SSL handshake. Use this command to limit the maximum number and timeout time for cached sessions. When the number of cached sessions reaches the maximum, SSL does not cache new sessions. When the timeout timer for a cached session expires, SSL deletes the session.
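The following is an added example, not H3C code, that models the cache limits the session command sets. Behaviour follows the guidelines above: when the cache already holds cachesize sessions, new sessions are not cached (existing entries are not evicted), and a cached session is deleted once its timeout expires. Defaults and ranges are the page's (500 sessions and 3600 seconds; 100 to 20480 and 1 to 4294967295). The clock is injectable so expiry can be exercised without waiting; ManualClock is a constructed test clock.

```python
"""Model of the SSL session cache bounded by 'session cachesize ... timeout ...'
(added example, not H3C code)."""
import time


class ManualClock:
    """Constructed clock for demos and tests: time only moves when advance() is called."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionCache:
    def __init__(self, cachesize=500, timeout=3600, clock=time.monotonic):
        if not 100 <= cachesize <= 20480:
            raise ValueError("cachesize must be in the range 100 to 20480")
        if not 1 <= timeout <= 4294967295:
            raise ValueError("timeout must be in the range 1 to 4294967295 seconds")
        self.cachesize = cachesize
        self.timeout = timeout
        self.clock = clock
        self._entries = {}      # session id -> (expiry time, negotiated session parameters)

    def _purge(self):
        """Delete sessions whose timeout timer has expired."""
        now = self.clock()
        for sid in [s for s, (expiry, _) in self._entries.items() if expiry <= now]:
            del self._entries[sid]

    def store(self, session_id, params):
        """Cache a freshly negotiated session; returns False when the cache is full."""
        self._purge()
        if session_id not in self._entries and len(self._entries) >= self.cachesize:
            return False
        self._entries[session_id] = (self.clock() + self.timeout, params)
        return True

    def resume(self, session_id):
        """Parameters for an abbreviated handshake, or None if a full handshake is needed."""
        self._purge()
        entry = self._entries.get(session_id)
        return entry[1] if entry else None

    def __len__(self):
        self._purge()
        return len(self._entries)


if __name__ == "__main__":
    clock = ManualClock()
    cache = SessionCache(cachesize=100, timeout=1800, clock=clock)   # smallest allowed size
    for i in range(100):
        cache.store(f"sid-{i}".encode(), {"suite": "rsa_aes_128_cbc_sha"})
    print("101st session cached:", cache.store(b"sid-overflow", {}))
    clock.advance(1800)
    print("entries after timeout:", len(cache))
```

The operational trade-off is visible in store(): once the cache is full, every new client pays for a full handshake until old entries time out, so a long timeout with a small cachesize can leave the cache filled with idle sessions.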

Examples

# Set the maximum number of cached sessions to 600, and the timeout time for cached sessions to 1800 seconds.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] session cachesize 600 timeout 1800

Related commands

display ssl server-policy

ssl client-policy

Use ssl client-policy to create an SSL client policy and enter its view, or enter the view of an existing SSL client policy.

Use undo ssl client-policy to delete an SSL client policy.

Syntax

ssl client-policy policy-name

undo ssl client-policy policy-name

Default

No SSL client policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command creates an SSL client policy for which you can configure SSL parameters that the client uses to establish a connection to the server. The parameters include a PKI domain and a preferred cipher suite. An SSL client policy takes effect only after it is associated with an application such as DDNS.

Examples

# Create an SSL client policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1]

Related commands

display ssl client-policy

ssl renegotiation disable

Use ssl renegotiation disable to disable SSL session renegotiation.

Use undo ssl renegotiation disable to restore the default.

Syntax

ssl renegotiation disable

undo ssl renegotiation disable

Default

SSL session renegotiation is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake.

Disabling session renegotiation causes more computational overhead to the system but it can avoid potential risks. Disable SSL session renegotiation only when explicitly required.

Examples

# Disable SSL session renegotiation.

<Sysname> system-view

[Sysname] ssl renegotiation disable

ssl server-policy

Use ssl server-policy to create an SSL server policy and enter its view, or enter the view of an existing SSL server policy.

Use undo ssl server-policy to delete an SSL server policy.

Syntax

ssl server-policy policy-name

undo ssl server-policy policy-name

Default

No SSL server policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a name for the SSL server policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command creates an SSL server policy for which you can configure SSL parameters such as a PKI domain and supported cipher suites. An SSL server policy takes effect only after it is associated with an application such as HTTPS.

Examples

# Create an SSL server policy named policy1 and enter its view.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1]

Related commands

display ssl server-policy

ssl version disable

Use ssl version disable to disable the SSL server from using specific SSL protocol versions for session negotiation.

Use undo ssl version disable to restore the default.

Syntax

In non-FIPS mode:

ssl version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } * disable

undo ssl version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } * disable

In FIPS mode:

ssl version { tls1.0 | tls1.1 | tls1.2 } * disable

undo ssl version { tls1.0 | tls1.1 | tls1.2 } * disable

Default

In non-FIPS mode:

The SSL server supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

In FIPS mode:

The SSL server supports TLS 1.0, TLS 1.1, and TLS 1.2.

Views

System view

Predefined user roles

network-admin

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

tls1.2: Specifies TLS 1.2.

Usage guidelines

This command allows you to disable SSL protocol versions in system view. You can also enable or disable an SSL protocol version in SSL server policy view by using the version disable command.

Make sure the SSL server is allowed to use a minimum of one SSL protocol version for session negotiation.

Disabling an SSL protocol version does not affect the availability of earlier SSL protocol versions. For example, if you execute the ssl version tls1.1 disable command, TLS 1.1 is disabled but TLS 1.0 is still available for the SSL server.

Examples

# Disable SSL 3.0.

<Sysname> system-view

[Sysname] ssl version ssl3.0 disable

Related commands

version disable

version

Use version to specify an SSL protocol version for an SSL client policy.

Use undo version to restore the default.

Syntax

In non-FIPS mode:

version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

undo version

In FIPS mode:

version { tls1.0 | tls1.1 | tls1.2 }

undo version

Default

The SSL protocol version for an SSL client policy is TLS 1.0.

Views

SSL client policy view

Predefined user roles

network-admin

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

tls1.2: Specifies TLS 1.2.

Usage guidelines

To ensure security, do not specify SSL 3.0 for an SSL client policy.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the SSL protocol version to TLS 1.0 for SSL client policy policy1.

<Sysname> system-view

[Sysname] ssl client-policy policy1

[Sysname-ssl-client-policy-policy1] version tls1.0

Related commands

display ssl client-policy

version disable

Use version disable to disable SSL protocol versions for the SSL server in an SSL server policy.

Use undo version disable to restore the default.

Syntax

In non-FIPS mode:

version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } * disable

undo version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 } * disable

In FIPS mode:

version { tls1.0 | tls1.1 | tls1.2 } * disable

undo version { tls1.0 | tls1.1 | tls1.2 } * disable

Default

An SSL protocol version is enabled in an SSL server policy unless it is explicitly disabled in system view by using the ssl version disable command.

Views

SSL server policy view

Predefined user roles

network-admin

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

tls1.2: Specifies TLS 1.2.

Usage guidelines

You can enable or disable an SSL protocol version in system view or in SSL server policy view. An SSL server can use an SSL protocol version for session negotiation only when the status of the SSL protocol version in the SSL server policy is Enabled. The status of an SSL protocol version in an SSL server policy is determined in the following sequence:

1.     Configuration of the version disable command in SSL server policy view.

2.     Configuration of the ssl version disable command in system view.

3.     Default setting (Enabled).

Make sure the SSL server is allowed to use a minimum of one SSL protocol version for session negotiation.

Disabling an SSL protocol version does not affect the availability of earlier SSL protocol versions. For example, if you execute the version tls1.1 disable command in SSL server policy view, TLS 1.1 is disabled but TLS 1.0 is still available for the SSL server.
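The status sequence above, worked through in code. This is an added example and not code from the H3C command reference: it models the three-step rule (policy view, then system view, then the Enabled default) and the two things the usage guidelines tell you to watch, that at least one version must stay enabled and that disabling a version leaves the earlier versions negotiable. The function names and the WEAK_VERSIONS set are my own assumptions.

```python
"""Effective SSL protocol version status for an H3C Comware SSL server policy.

Added example, not code from the H3C command reference. It models the status
sequence the reference gives for `version disable` (SSL server policy view)
and `ssl version disable` (system view): a version is Disabled if the policy
disables it, otherwise Disabled if system view disables it, otherwise
Enabled. Function names and the WEAK_VERSIONS set are assumptions.
"""
from typing import Dict, Iterable, List, Tuple

# Selectable versions per mode, oldest first, taken from the command syntax.
NON_FIPS_VERSIONS = ["ssl3.0", "tls1.0", "tls1.1", "tls1.2"]
FIPS_VERSIONS = ["tls1.0", "tls1.1", "tls1.2"]

# Assumption: versions worth flagging when still negotiable. The reference
# itself only warns against SSL 3.0; TLS 1.0 and 1.1 are deprecated by RFC 8996.
WEAK_VERSIONS = {"ssl3.0", "tls1.0", "tls1.1"}


def resolve_version_status(system_disabled: Iterable[str],
                           policy_disabled: Iterable[str],
                           fips: bool = False) -> Dict[str, str]:
    """Return {version: "Enabled" | "Disabled"} for one SSL server policy.

    system_disabled: versions named in `ssl version ... disable` (system view).
    policy_disabled: versions named in `version ... disable` (policy view).
    """
    versions = FIPS_VERSIONS if fips else NON_FIPS_VERSIONS
    sys_off, pol_off = set(system_disabled), set(policy_disabled)
    for v in sys_off | pol_off:
        if v not in versions:
            raise ValueError(f"{v} is not a selectable version in this mode")
    status = {}
    for v in versions:
        if v in pol_off:        # 1. version disable in SSL server policy view
            status[v] = "Disabled"
        elif v in sys_off:      # 2. ssl version disable in system view
            status[v] = "Disabled"
        else:                   # 3. default setting
            status[v] = "Enabled"
    return status


def audit_server_policy(system_disabled: Iterable[str],
                        policy_disabled: Iterable[str],
                        fips: bool = False) -> Tuple[List[str], List[str]]:
    """Return (enabled versions, findings) for the policy.

    Findings cover what the usage guidelines ask you to check: the policy must
    keep at least one version, and disabling a version does not disable the
    versions before it, so an older weak version can stay open.
    """
    status = resolve_version_status(system_disabled, policy_disabled, fips)
    enabled = [v for v, s in status.items() if s == "Enabled"]
    findings = []
    if not enabled:
        findings.append("no SSL protocol version enabled; the server cannot negotiate")
    for v in enabled:
        if v in WEAK_VERSIONS:
            findings.append(f"{v} is still enabled")
    return enabled, findings


if __name__ == "__main__":
    # ssl version ssl3.0 disable (system view) plus version tls1.1 disable
    # (policy view): TLS 1.0 stays negotiable, the case the guidelines describe.
    print(audit_server_policy(["ssl3.0"], ["tls1.1"]))
```

Because the resolution is "disabled in either view wins", an audit of a device should collect both the system-view and the policy-view disable lists before deciding which versions a gateway will actually negotiate.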

Examples

# Disable TLS 1.0 in SSL server policy policy1.

<Sysname> system-view

[Sysname] ssl server-policy policy1

[Sysname-ssl-server-policy-policy1] version tls1.0 disable

Related commands

ssl version disable

 


SSL VPN commands

The following matrix shows the feature and hardware compatibility:

 

Hardware                                                                  SSL VPN compatibility

MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes

MSR810-LMS/810-LUS                                                        No

MSR2600-6-X1/2600-10-X1                                                   No

MSR 2630                                                                  Yes

MSR3600-28/3600-51                                                        Yes

MSR3600-28-SI/3600-51-SI                                                  No

MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes

MSR 3610/3620/3620-DP/3640/3660                                           Yes

MSR5620/5660/5680                                                         Yes

 

Hardware              SSL VPN compatibility

MSR810-LM-GL          Yes

MSR810-W-LM-GL        Yes

MSR830-6EI-GL         Yes

MSR830-10EI-GL        Yes

MSR830-6HI-GL         Yes

MSR830-10HI-GL        Yes

MSR2600-6-X1-GL       Yes

MSR3600-28-SI-GL      No

 

aaa domain

Use aaa domain to specify an ISP domain for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.

Use undo aaa domain to restore the default.

Syntax

aaa domain domain-name

undo aaa domain

Default

The default ISP domain is used for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:

·     The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

·     The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

Usage guidelines

An SSL VPN username cannot carry ISP domain information. After this command is executed, an SSL VPN gateway uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users in the context.

Examples

# Specify ISP domain myserver for authentication, authorization, and accounting of SSL VPN users in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] aaa domain myserver

authentication use

Use authentication use to specify the authentication methods required for user login.

Use undo authentication use to restore the default.

Syntax

authentication use { all | any-one }

undo authentication use

Default

To log in to an SSL VPN context, a user must pass all the authentication methods enabled for the context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

all: Uses all enabled authentication methods.

any-one: Uses any enabled authentication method.

Usage guidelines

You can enable username/password authentication, certificate authentication, or both for an SSL VPN context. The authentication methods required for logging in to the SSL VPN context depend on the configuration of this command:

·     If the authentication use all command is configured, a user must pass all the enabled authentication methods for login.

·     If the authentication use any-one command is configured, a user can log in after passing any enabled authentication method.

Examples

# Configure SSL VPN context ctx to allow users to log in after passing any enabled authentication method.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] authentication use any-one

Related commands

certificate-authentication enable

display sslvpn context

password-authentication enable

bandwidth

Use bandwidth to set the expected bandwidth for an interface.

Use undo bandwidth to restore the default.

Syntax

bandwidth bandwidth-value

undo bandwidth

Default

The expected bandwidth is 64 kbps for an interface.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

bandwidth-value: Specifies the expected bandwidth in the range of 1 to 400000000 kbps.

Usage guidelines

The expected bandwidth for an interface affects CBQ bandwidth and link costs in OSPF, OSPFv3, and IS-IS. For more information about CBQ bandwidth, see ACL and QoS Configuration Guide. For more information about link costs, see Layer 3—IP Routing Configuration Guide.

Examples

# Set the expected bandwidth to 10000 kbps for SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] bandwidth 10000

certificate-authentication enable

Use certificate-authentication enable to enable certificate authentication.

Use undo certificate-authentication enable to disable certificate authentication.

Syntax

certificate-authentication enable

undo certificate-authentication enable

Default

Certificate authentication is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After you enable certificate authentication, you must also execute the client-verify command in SSL server policy view. The SSL VPN gateway uses the digital certificate sent by an SSL VPN client to authenticate the client's identity. If the client's username and the username in the digital certificate are not the same, the client cannot log in to the SSL VPN gateway.
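The login rules from the authentication use and certificate-authentication enable commands, combined in one decision function. This is an added example and not code from the H3C command reference: with authentication use all every enabled method must pass, with any-one one passing method is enough, and certificate authentication fails when the login username differs from the username in the client certificate. The ContextConfig and LoginAttempt types, the function names, and the exact-match comparison of the two usernames are assumptions.

```python
"""Login decision for an SSL VPN context: `authentication use` combined with
password and certificate authentication.

Added example, not code from the H3C command reference. It models the rules
the reference states: `authentication use all` requires every enabled method
to pass, `any-one` accepts any method that passes, and certificate
authentication fails when the login username differs from the username in
the client certificate. ContextConfig, LoginAttempt and the exact-match
comparison of the two usernames are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ContextConfig:
    password_authentication: bool = False     # password-authentication enable
    certificate_authentication: bool = False  # certificate-authentication enable
    authentication_use: str = "all"           # "all" (default) or "any-one"


@dataclass
class LoginAttempt:
    username: str
    password_ok: bool = False             # result of the username/password check
    cert_verified: bool = False           # certificate chain verified (client-verify)
    cert_username: Optional[str] = None   # username carried in the certificate


def certificate_method_passed(attempt: LoginAttempt) -> bool:
    """Certificate authentication passes only with a verified certificate whose
    username equals the login username (exact comparison is an assumption)."""
    return attempt.cert_verified and attempt.cert_username == attempt.username


def decide_login(cfg: ContextConfig, attempt: LoginAttempt) -> Tuple[bool, List[str]]:
    """Return (allowed, names of the enabled methods that failed)."""
    results = []
    if cfg.password_authentication:
        results.append(("password", attempt.password_ok))
    if cfg.certificate_authentication:
        results.append(("certificate", certificate_method_passed(attempt)))
    if not results:
        return False, ["no authentication method enabled"]
    failed = [name for name, ok in results if not ok]
    if cfg.authentication_use == "all":
        return not failed, failed
    if cfg.authentication_use == "any-one":
        return len(failed) < len(results), failed
    raise ValueError(f"unknown authentication use mode: {cfg.authentication_use}")


if __name__ == "__main__":
    cfg = ContextConfig(password_authentication=True, certificate_authentication=True)
    attempt = LoginAttempt("alice", password_ok=True, cert_verified=True, cert_username="bob")
    print(decide_login(cfg, attempt))   # certificate username mismatch blocks login under "all"
```

The failed-method list is returned alongside the decision so that a gateway log or an audit script can record which method rejected the user; under any-one a certificate username mismatch is still logged even though the password method let the user in.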

Examples

# Enable certificate authentication.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] certificate-authentication enable

Related commands

client-verify enable

content-type

Use content-type to configure a file policy to rewrite a file in an HTTP response to a specific type of file.

Use undo content-type to restore the default.

Syntax

content-type { css | html | javascript | other }

undo content-type

Default

A file policy rewrites a file carried in an HTTP response to a file of the type indicated by the content-type field in the HTTP response.

Views

File policy view

Predefined user roles

network-admin

Parameters

css: Changes the file type to CSS.

html: Changes the file type to HTML.

javascript: Changes the file type to JavaScript.

other: Does not change the file type.

Usage guidelines

A file policy rewrites a file carried in an HTTP response to a file of the type specified by this command. If the specified file type is different from that indicated by the content-type field in the HTTP response, users might not be able to read the file correctly.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure file policy fp to rewrite files to HTML files.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] content-type html

default

Use default to restore the default settings for an SSL VPN AC interface.

Syntax

default

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

The default command might interrupt ongoing network services. Make sure you are fully aware of the impact of this command when you use it on a live network.

 

This command might fail to restore the default settings for some commands for reasons such as command dependencies or system restrictions. Use the display this command in interface view to identify these commands. Use their undo forms or follow the command reference to restore their default settings. If your restoration attempt still fails, follow the error message instructions to resolve the problem.

Examples

# Restore the default settings of sslvpn-ac 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] default

This command will restore the default settings. Continue? [Y/N]:y

default-policy-group

Use default-policy-group to specify a policy group as the default policy group.

Use undo default-policy-group to restore the default.

Syntax

default-policy-group group-name

undo default-policy-group

Default

No policy group is specified as the default policy group.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

group-name: Specifies the name of a policy group, a case-insensitive string of 1 to 31 characters. The specified policy group must have been created by using the policy-group command.

Usage guidelines

You can configure multiple policy groups for an SSL VPN context. When a remote user accesses the SSL VPN context, the AAA server issues the authorized policy group to the associated SSL VPN gateway. The user can access only the resources allowed by the authorized policy group. If the AAA server does not issue an authorized policy group to the user, the user can access only the resources allowed by the default policy group.

Examples

# Specify policy group pg1 as the default policy group.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] quit

[Sysname-sslvpn-context-ctx1] default-policy-group pg1

Related commands

display sslvpn context

policy-group

description (shortcut view)

Use description to configure a description for a shortcut.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a shortcut.

Views

Shortcut view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 63 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure a description for shortcut shortcut1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut shortcut1

[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] description shortcut1

description (SSL VPN AC interface view)

Use description to configure a description for an SSL VPN AC interface.

Use undo description to restore the default.

Syntax

description text

undo description

Default

The default description for an interface is the interface name followed by the word Interface, for example, SSLVPN-AC1000 Interface.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 255 characters.

Usage guidelines

Configure descriptions for interfaces for identification and management purposes.

You can use the display interface command to display the configured interface descriptions.

Examples

# Configure the description for SSL VPN AC 1000 as SSL VPN A.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] description SSL VPN A

display interface sslvpn-ac

Use display interface sslvpn-ac to display SSL VPN AC interface information.

Syntax

display interface sslvpn-ac [ interface-number ] [ brief [ description | down ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

sslvpn-ac interface-number: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you specify the sslvpn-ac keyword without the interface-number argument, this command displays information about all SSL VPN AC interfaces.

brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.

description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.

down: Displays information about interfaces in the physical state of DOWN and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.

Examples

# Display detailed information about SSL VPN AC 1000.

<Sysname> display interface sslvpn-ac 1000

SSLVPN-AC1000

Current state: UP

Line protocol state: DOWN

Description: SSLVPN-AC1000 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1500

Internet protocol processing: Disabled

Link layer protocol is SSLVPN

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

Table 115 Command output

Field

Description

SSLVPN-AC1000

Information about interface SSL VPN AC 1000.

Current state

State of the interface:

·     Administratively DOWN—The interface has been shut down by using the shutdown command.

·     DOWN—The interface is administratively up but its physical state is down.

·     UP—Both the administrative and physical states of the interface are up.

Line protocol state

Link layer protocol state of the interface:

·     UP—The protocol state of the interface is up.

·     UP (spoofing)—The link protocol state of the interface is up, but the link is temporarily set up on demand or does not exist. This attribute is available for null interfaces and loopback interfaces.

·     DOWN—The protocol state of the interface is down.

Description

Description for the interface.

Bandwidth

Expected bandwidth for the interface.

Maximum transmission unit

MTU of the interface.

Internet protocol processing

IP address of the interface.

If no IP address is assigned to the interface, this field displays Internet protocol processing: Disabled, and the interface cannot process packets.

Primary indicates that the IP address is the primary IP address of the interface.

Last clearing of counters

Most recent time the counters were cleared by using the reset counters interface command.

If the reset counters interface command has never been executed since the device starts up, this field displays Never.

Last 300 seconds input rate

Average input rate in the last 300 seconds.

Last 300 seconds output rate

Average output rate in the last 300 seconds.

 

# Display brief information about all SSL VPN AC interfaces.

<Sysname> display interface sslvpn-ac brief

Brief information of interfaces in route mode:

Link: ADM - administratively down

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

SSLVPN-AC1000        UP DOWN     --

# Display brief information about SSL VPN AC 1000, including the complete interface description.

<Sysname> display interface sslvpn-ac 1000 brief description

Brief information of interfaces in route mode:

Link: ADM - administratively down

Protocol: (s) - spoofing

Interface            Link Protocol Primary IP         Description

SSLVPN-AC1000        UP    UP      1.1.1.1

# Display information about interfaces in DOWN state and the causes.

<Sysname> display interface sslvpn-ac brief down

Brief information on interfaces in route mode:

Link: ADM - administratively down

Interface            Link Cause

SSLVPN-AC1000        ADM    Administratively

SSLVPN-AC1001        ADM

Table 116 Command output

Field

Description

Brief information of interfaces in route mode:

Brief information about Layer 3 interfaces.

Link: ADM - administratively down

Link status. ADM indicates that the interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.

Protocol: (s) - spoofing

(s) indicates that the data link layer protocol state is UP, but the link is temporarily set up on demand or does not exist.

Interface

Abbreviated interface name.

Link

Physical link state of the interface:

·     UP—The link is physically up.

·     DOWN—The link is physically down.

·     ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.

Protocol

Data link layer protocol state of the interface:

·     UP—The data link protocol state of the interface is up.

·     UP(s)—The data link protocol state of the interface is up, but the link is temporarily set up on demand or does not exist. This attribute is available for null interfaces and loopback interfaces.

·     DOWN—The data link protocol state of the interface is down.

Primary IP

Primary IP address of the interface.

Description

Description for the interface.

Cause

Causes for the physical state of DOWN:

·     Administratively—The link has been shut down by using the shutdown command. To bring it up, use the undo shutdown command.

·     Not connected—No physical connection exists.

 

Related commands

reset counters interface

display sslvpn context

Use display sslvpn context to display SSL VPN context information.

Syntax

display sslvpn context [ brief | name context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief SSL VPN context information. If you do not specify this keyword, the command displays detailed SSL VPN context information.

name context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about all SSL VPN contexts.

Examples

# Display detailed information about all SSL VPN contexts.

<Sysname> display sslvpn context

Context name: ctx1

  Operation state: Up

  AAA domain: domain1

  Certificate authentication: Enabled

  Password authentication: Enabled

  Authentication use: All

  Dynamic password: Enabled

  Code verification: Enabled

  Default policy group: Not configured

    Associated SSL VPN gateway: gw1

    Domain name: 1

  Associated SSL VPN gateway: gw2

    Virtual host: abc.com

  Associated SSL VPN gateway: gw3

  SSL client policy configured: ssl1

  SSL client policy in use: ssl

  Maximum users allowed: 200

  VPN instance:vpn1

  Idle timeout: 30 min

  Idle-cut traffic threshold: 100 Kilobytes

Context name: ctx2

  Operation state: Down

  Down reason: Administratively down

  AAA domain not specified

  Certificate authentication: Enabled

  Password authentication: Disabled

  Authentication use: Any-one

  Dynamic password: Disabled

  Code verification: Disabled

  Default group policy: gp

  Associated SSL VPN gateway: -

  SSL client policy configured: ssl1

  SSL client policy in use: ssl

  Maximum users allowed: 200

  VPN instance not configured

  Idle timeout: 50 min

  Idle-cut traffic threshold: 100 Kilobytes

  Address pool: Conflicted with an IP address on the device

Table 117 Command output

Field

Description

Context name

Name of the SSL VPN context.

Operation state

Operation status of the SSL VPN context:

·     Up—The context is running.

·     Down—The context is not running.

Down reason

Causes for the Down operation status:

·     Administratively down—The context is disabled. To enable the context, use the service enable command.

·     No gateway associated—The context is not associated with an SSL VPN gateway.

AAA domain

ISP domain for the SSL VPN context.

Certificate authentication

Whether certificate authentication is enabled for the SSL VPN context.

Password authentication

Whether username/password authentication is enabled for the SSL VPN context.

Authentication use

Authentication methods required for user login:

·     All—A user must pass all the enabled authentication methods to log in to the SSL VPN context.

·     Any-one—A user can log in to the SSL VPN context after passing any enabled authentication method.

Dynamic password

Whether dynamic password is enabled for the SSL VPN context.

Code verification

Whether code verification is enabled for the SSL VPN context.

Default policy group

Default policy group used by the SSL VPN context.

Associated SSL VPN gateway

SSL VPN gateway associated with the SSL VPN context.

Domain name

Domain name specified for the SSL VPN context.

Virtual host

Virtual host name specified for the SSL VPN context.

SSL client policy configured

SSL client policy configured for the SSL VPN context.

A newly configured SSL client policy takes effect only after the SSL VPN context is restarted.

SSL client policy in use

SSL client policy being used by the SSL VPN context.

Maximum users allowed

Maximum number of sessions allowed in the SSL VPN context.

VPN instance

VPN instance associated with the SSL VPN context.

Idle timeout

Maximum idle time of an SSL VPN session, in minutes.

Idle-cut traffic threshold

SSL VPN idle session disconnection traffic threshold.

Address pool: Conflicted with an IP address on the device

An IP address conflict was detected in the SSL VPN context.

 

# Display brief information about all SSL VPN contexts.

<Sysname> display sslvpn context brief

Context name   Admin   Operation   VPN instance   Gateway   Domain/VHost

ctx1           Down    Down        -              -         -/-        

ctx2           Up      Up          -              gw2       abc.com     

Table 118 Command output

Field

Description

Context name

Name of the SSL VPN context.

Admin

Administrative status of the SSL VPN context:

·     Up—The context has been enabled by using the service enable command.

·     Down—The context is disabled.

Operation

Operation status of the SSL VPN context:

·     Up—The context is running.

·     Down—The context is not running.

VPN instance

VPN instance associated with the SSL VPN context.

Gateway

SSL VPN gateway associated with the SSL VPN context.

Domain/VHost

Domain name or virtual host name specified for the SSL VPN context.
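A parser for the detailed display sslvpn context output above, with a few checks an operator would run across all contexts. This is an added example and not code from the H3C command reference: the SAMPLE text is constructed from the reference's own example output, the parsing rules (a context starts at a Context name line, fields are key: value pairs, a few fields are sentences such as AAA domain not specified) follow only that sample, and the check list and function names are my own.

```python
"""Parser and checks for `display sslvpn context` output.

Added example, not code from the H3C command reference. SAMPLE is constructed
from the reference's own example output; the parsing rules follow that sample
only, and the checks and function names are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed from the reference's example output (two contexts).
SAMPLE = """\
Context name: ctx1
  Operation state: Up
  AAA domain: domain1
  Certificate authentication: Enabled
  Password authentication: Enabled
  Authentication use: All
  Default policy group: Not configured
    Associated SSL VPN gateway: gw1
    Domain name: 1
  Associated SSL VPN gateway: gw2
    Virtual host: abc.com
  SSL client policy in use: ssl
  Maximum users allowed: 200
  VPN instance:vpn1
  Idle timeout: 30 min
Context name: ctx2
  Operation state: Down
  Down reason: Administratively down
  AAA domain not specified
  Certificate authentication: Enabled
  Password authentication: Disabled
  Authentication use: Any-one
  Associated SSL VPN gateway: -
  VPN instance not configured
  Idle timeout: 50 min
  Address pool: Conflicted with an IP address on the device
"""

FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
# Fields that may occur once per associated gateway; keep every value.
REPEATED = {"Associated SSL VPN gateway", "Domain name", "Virtual host"}


def parse_contexts(text: str) -> List[Dict[str, object]]:
    """Split the output into one dict per context (sentence fields map to None)."""
    contexts: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD.match(line)
        if m and m.group(1) == "Context name":
            current = {"Context name": m.group(2)}
            contexts.append(current)
        elif current is None:
            raise ValueError(f"field before any 'Context name' line: {line}")
        elif m:
            key, value = m.group(1), m.group(2)
            if key in REPEATED:
                current.setdefault(key, []).append(value)
            else:
                current[key] = value
        elif " not " in line:   # "AAA domain not specified", "VPN instance not configured"
            current[line.split(" not ", 1)[0]] = None
        else:
            raise ValueError(f"unrecognised line: {line}")
    return contexts


def check_context(ctx: Dict[str, object]) -> List[str]:
    """Operational findings for one context, derived from the displayed fields."""
    name = ctx["Context name"]
    findings = []
    if ctx.get("Operation state") != "Up":
        findings.append(f"{name}: not running ({ctx.get('Down reason', 'no reason given')})")
    if ctx.get("AAA domain") is None:
        findings.append(f"{name}: no ISP domain specified, AAA falls back to the default ISP domain")
    methods = [m for m in ("Certificate authentication", "Password authentication")
               if ctx.get(m) == "Enabled"]
    if not methods:
        findings.append(f"{name}: no authentication method enabled")
    if ctx.get("Authentication use") == "Any-one" and len(methods) > 1:
        findings.append(f"{name}: any-one with {len(methods)} methods, one passed method grants login")
    if str(ctx.get("Address pool", "")).startswith("Conflicted"):
        findings.append(f"{name}: address pool conflict reported")
    gateways = [g for g in ctx.get("Associated SSL VPN gateway", []) if g != "-"]
    if not gateways:
        findings.append(f"{name}: no SSL VPN gateway associated")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    return {str(c["Context name"]): check_context(c) for c in parse_contexts(text)}


if __name__ == "__main__":
    for ctx_name, items in audit(SAMPLE).items():
        print(ctx_name, items or "ok")
```

The parser raises on any line it does not recognise rather than skipping it, so a firmware release that adds or renames a field is noticed at once instead of silently producing a clean audit.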

 

display sslvpn gateway

Use display sslvpn gateway to display SSL VPN gateway information.

Syntax

display sslvpn gateway [ brief | name gateway-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief SSL VPN gateway information. If you do not specify this keyword, the command displays detailed SSL VPN gateway information.

name gateway-name: Specifies an SSL VPN gateway by its name. An SSL VPN gateway name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN gateway, this command displays information about all SSL VPN gateways.

Examples

# Display detailed information about all SSL VPN gateways.

<Sysname> display sslvpn gateway

Gateway name: gw1

  Operation state: Up

  IP: 192.168.10.75  port: 443

  HTTP redirect port: 80

  SSL server policy configured: ssl1

  SSL server policy in use: ssl

  Front VPN instance: vpn1

 

Gateway name: gw2

  Operation state: Down

  Down reason: Administratively down

  IP: 0.0.0.0  Port: 443

  SSL server policy configured: ssl1

  SSL server policy in use: ssl

  Front VPN instance: Not configured

 

Gateway name: gw3

  Operation state: Up

  IPv6: 3000::2  Port: 443

  SSL server policy configured: ssl1

  SSL server policy in use: ssl

  Front VPN instance: Not configured

Table 119 Command output

Field

Description

Gateway name

Name of the SSL VPN gateway.

Operation state

Operation status of the SSL VPN gateway:

·     Up—The gateway is running.

·     Down—The gateway is not running.

Down reason

Causes for the Down operation status:

·     Administratively down—The SSL VPN gateway is disabled. To enable the gateway, use the service enable command.

·     VPN instance not exist—The VPN instance to which the SSL VPN gateway belongs does not exist.

·     Applying SSL server-policy failed—Failed to apply the SSL server policy to the SSL VPN gateway.

IP

IPv4 address of the SSL VPN gateway.

IPv6

IPv6 address of the SSL VPN gateway.

Port

Port number of the SSL VPN gateway.

HTTP redirect port

HTTP redirection port number of the SSL VPN gateway.

SSL server policy configured

SSL server policy configured for the SSL VPN gateway.

A newly configured SSL server policy takes effect only after the SSL VPN gateway is restarted.

SSL server policy in use

SSL server policy being used by the SSL VPN gateway.

Front VPN instance

Front VPN instance to which the SSL VPN gateway belongs.

 

# Display brief information about all SSL VPN gateways.

<Sysname> display sslvpn gateway brief

Gateway name                    Admin  Operation

gw1                             Up     Up

gw2                             Down   Down (Administratively down)

gw3                             Up     Up

Table 120 Command output

Field

Description

Gateway name

Name of the SSL VPN gateway.

Admin

Administrative status of the SSL VPN gateway:

·     Up—The gateway has been enabled by using the service enable command.

·     Down—The gateway is disabled.

Operation

Operation status of the SSL VPN gateway:

·     Up—The gateway is running.

·     Down (Administratively down)—The gateway is disabled. To enable the gateway, use the service enable command.

·     Down (VPN instance not exist)—The gateway is down because the VPN instance to which the gateway belongs does not exist.

·     Down (Applying SSL server-policy failed)—The gateway is down because the SSL server policy failed to be applied to the gateway.

 

display sslvpn ip-tunnel statistics

Use display sslvpn ip-tunnel statistics to display packet statistics for IP access users.

Syntax

display sslvpn ip-tunnel statistics [ context context-name ] [ user user-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays packet statistics for IP access users in all SSL VPN contexts.

user user-name: Specifies an IP access user by username, a case-insensitive string of 1 to 63 characters. If you specify a user, this command displays detailed packet statistics for the user. If you do not specify a user, this command displays packet statistics for all IP access users.

Usage guidelines

If you do not specify any parameters, this command displays packet statistics for all IP access users in all SSL VPN contexts.

Examples

# Display packet statistics for IP access user user1 in SSL VPN context ctx1.

<Sysname> display sslvpn ip-tunnel statistics context ctx1 user user1

Context                       : ctx1

User                          : user1

Session ID                    : 1

User IPv4 address             : 192.168.56.1

Received requests             : 81

Sent requests                 : 0

Dropped requests              : 81

Received replies              : 0

Sent replies                  : 0

Dropped replies               : 0

Received keepalives           : 1

Sent keepalive replies        : 1

Received configuration updates: 0

Sent configuration updates    : 0

 

Context                       : ctx1

User                          : user1

Session ID                    : 2

User IPv6 address             : 1234::5001

Received requests             : 81

Sent requests                 : 0

Dropped requests              : 81

Received replies              : 0

Sent replies                  : 0

Dropped replies               : 0

Received keepalives           : 1

Sent keepalives replies       : 1

Received configuration updates: 0

Sent configuration updates    : 0

Table 121 Command output

Field

Description

Context

SSL VPN context to which the SSL VPN user belongs.

User

Login username used by the SSL VPN user.

User IPv4 address

IPv4 address of the SSL VPN user.

User IPv6 address

IPv6 address of the SSL VPN user.

Received requests

Number of IP access requests received by the SSL VPN gateway from the user.

Sent requests

Number of IP access requests forwarded by the SSL VPN gateway to internal servers.

Dropped requests

Number of IP access requests dropped by the SSL VPN gateway.

Received replies

Number of IP access replies received by the SSL VPN gateway from internal servers.

Sent replies

Number of IP access replies forwarded by the SSL VPN gateway to the user.

Dropped replies

Number of IP access replies dropped by the SSL VPN gateway.

Received keepalives

Number of keepalive messages received by the SSL VPN gateway from the user.

Sent keepalives replies

Number of keepalive replies sent by the SSL VPN gateway to the user.

Received configuration updates

Number of configuration update messages received by the SSL VPN gateway from the user.

Sent configuration updates

Number of configuration update messages sent by the SSL VPN gateway to the user.

 

display sslvpn policy-group

Use display sslvpn policy-group to display SSL VPN policy group information.

Syntax

display sslvpn policy-group group-name [ context context-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters.

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays information about policy groups with the specified group name in all SSL VPN contexts.

Examples

# Display information about policy groups named pg1 in all SSL VPN contexts.

<Sysname> display sslvpn policy-group pg1

Group policy: pg1

  Context: context1

   Idle timeout: 35 min

  Context: context2

   Idle timeout: 40 min

Table 122 Command output

Field

Description

Idle timeout

Maximum idle time of an SSL VPN session, in minutes.

 

display sslvpn port-forward connection

Use display sslvpn port-forward connection to display TCP port forwarding connection information.

Syntax

Centralized devices in standalone mode:

display sslvpn port-forward connection [ context context-name ]

Centralized devices in IRF mode:

display sslvpn port-forward connection [ context context-name ] [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays TCP port forwarding connection information for all SSL VPN contexts.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP port forwarding connection information for all member devices. (Centralized devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display TCP port forwarding connection information for all SSL VPN contexts.

<Sysname> display sslvpn port-forward connection

SSL VPN context  : ctx1

  Client address : 192.0.2.1

  Client port    : 1025

  Server address : 192.168.0.39

  Server port    : 80

  Status         : Connected

SSL VPN context  : ctx2

  Client address : 3000::983F:7A36:BD06:342D

  Client port    : 56190

  Server address : 300::1

  Server port    : 23

  Status         : Connecting

# (Centralized devices in IRF mode.) Display TCP port forwarding connection information for all SSL VPN contexts.

<Sysname> display sslvpn port-forward connection

SSL VPN context  : ctx1

  Client address : 192.0.2.1

  Client port    : 1025

  Server address : 192.168.0.39

  Server port    : 80

  Slot           : 1

  Status         : Connected

SSL VPN context  : ctx2

  Client address : 3000::983F:7A36:BD06:342D

  Client port    : 56190

  Server address : 300::1

  Server port    : 23

  Slot           : 1

  Status         : Connecting

Table 123 Command output

Field            Description
Client address   IPv4 or IPv6 address of the SSL VPN client.
Client port      Port number of the SSL VPN client.
Server address   IPv4 or IPv6 address of the internal server.
Server port      Port number of the internal server.
Slot             IRF member ID of the device. (Centralized devices in IRF mode.)
Status           Connection status, Connected or Connecting.

 

display sslvpn session

Use display sslvpn session to display SSL VPN session information.

Syntax

display sslvpn session [ context context-name ] [ user user-name | verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command displays SSL VPN session information for all SSL VPN contexts.

user user-name: Specifies an SSL VPN user by the username, a case-insensitive string of 1 to 63 characters. If you specify a user, this command displays detailed SSL VPN session information for the user. If you do not specify a user, this command displays SSL VPN session information for all users.

verbose: Displays detailed SSL VPN session information for all SSL VPN users. If you do not specify this keyword, the command displays brief SSL VPN session information for the specified user or for all SSL VPN users.

Examples

# Display brief SSL VPN session information for all users in all SSL VPN contexts.

<Sysname> display sslvpn session

Total users: 4

SSL VPN context: ctx1

Users: 2

Username        Connections  Idle time   Created       User IP

user1           5            0/00:00:23  0/04:47:16    192.0.2.1

user2           5            0/00:00:46  0/04:48:36    192.0.2.2

SSL VPN context: ctx2

Users: 2

Username        Connections  Idle time   Created       User IP

user3           5            0/00:00:30  0/04:50:06    192.168.2.1

user4           5            0/00:00:50  0/04:51:16    192.168.2.2

Table 124 Command output

Field             Description
Total users       Total number of users in all SSL VPN contexts.
SSL VPN context   Name of the SSL VPN context.
Users             Number of users in the SSL VPN context.
Username          Login name for the SSL VPN session.
Connections       Number of connections in the SSL VPN session.
Idle time         Duration that the SSL VPN session has been idle, in the format of days/hh:mm:ss.
Created           Time elapsed since the SSL VPN session was created, in the format of days/hh:mm:ss.
User IP           IPv4 or IPv6 address used by the SSL VPN session.
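The brief output format documented in Table 124 can be collected and parsed to flag sessions that have sat idle for longer than a site policy allows. The following Python is an added example, not H3C code; the sample output is constructed to follow the documented layout, and the context names, usernames and idle threshold are assumptions.

```python
"""Parse brief 'display sslvpn session' output and flag long-idle sessions.

Added example, not H3C code. SAMPLE_OUTPUT is constructed to follow the
brief output format documented for the command (Table 124); the contexts,
users and addresses in it are assumptions.
"""
import re

# Constructed sample in the documented brief format (not captured output).
SAMPLE_OUTPUT = """\
Total users: 4
SSL VPN context: ctx1
Users: 2
Username        Connections  Idle time   Created       User IP
user1           5            0/00:00:23  0/04:47:16    192.0.2.1
user2           5            0/02:10:46  0/04:48:36    192.0.2.2
SSL VPN context: ctx2
Users: 2
Username        Connections  Idle time   Created       User IP
user3           5            0/00:00:30  0/04:50:06    192.168.2.1
user4           5            1/00:00:50  3/04:51:16    2001:db8::2
"""

# Idle time and Created are printed as days/hh:mm:ss.
DURATION_RE = re.compile(r"^(\d+)/(\d{2}):(\d{2}):(\d{2})$")


def duration_seconds(text):
    """Convert a days/hh:mm:ss duration string to a number of seconds."""
    m = DURATION_RE.match(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    days, hours, minutes, seconds = (int(x) for x in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_sessions(output):
    """Return one dict per session row, tagged with its SSL VPN context."""
    sessions = []
    context = None
    for line in output.splitlines():
        if line.startswith("SSL VPN context:"):
            context = line.split(":", 1)[1].strip()
            continue
        # Header and counter lines carry no per-session data.
        if line.startswith(("Total users:", "Users:", "Username")):
            continue
        fields = line.split()
        if len(fields) != 5 or context is None:
            continue
        name, conns, idle, created, ip = fields
        sessions.append({
            "context": context,
            "user": name,
            "connections": int(conns),
            "idle_seconds": duration_seconds(idle),
            "age_seconds": duration_seconds(created),
            "ip": ip,
        })
    return sessions


def idle_sessions(output, max_idle_seconds):
    """Sessions idle for at least max_idle_seconds (candidates for force-logout)."""
    return [s for s in parse_sessions(output)
            if s["idle_seconds"] >= max_idle_seconds]


if __name__ == "__main__":
    for s in idle_sessions(SAMPLE_OUTPUT, 3600):
        print(f"{s['context']}/{s['user']} idle {s['idle_seconds']}s from {s['ip']}")
```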

 

# Display detailed information about the SSL VPN session for SSL VPN user user1.

<Sysname> display sslvpn session user user1

User              : user1

Context           : context1

Policy group      : pgroup

Idle timeout      : 30 min

Created at        : 13:49:27 UTC Wed 05/14/2014

Lastest           : 17:50:58 UTC Wed 05/14/2014

User IPv4 address : 192.0.2.1

Web browser/OS    : Internet Explorer

 

User              : user1

Context           : context2

Policy group      : Default

Idle timeout      : 2100 sec

Created at        : 14:15:12 UTC Wed 05/14/2014

Lastest           : 18:56:58 UTC Wed 05/14/2014

User IPv6 address : 0:30::983F:7A36:BD06:342D

Session ID        : 5

Web browser/OS    : Internet Explorer

# Display detailed SSL VPN session information for all users in all SSL VPN contexts.

<Sysname> display sslvpn session verbose

User              : user1

Context           : context1

Policy group      : pgroup

Idle timeout      : 30 min

Created at        : 13:49:27 UTC Wed 05/14/2014

Lastest           : 17:50:58 UTC Wed 05/14/2014

User IPv4 address : 192.0.2.1

Session ID        : 1

Web browser/OS    : Internet Explorer

 

User              : user1

Context           : context2

Policy group      : Default

Idle timeout      : 2100 sec

Created at        : 14:15:12 UTC Wed 05/14/2014

Lastest           : 18:56:58 UTC Wed 05/14/2014

User IPv6 address : 0:30::983F:7A36:BD06:342D

Session ID        : 5

Web browser/OS    : Internet Explorer

Table 125 Command output

Field               Description
User                SSL VPN username.
Context             Context to which the user belongs.
Policy group        Policy group used by the user.
Idle timeout        Idle timeout of the SSL VPN session, in seconds.
Created at          Creation time of the SSL VPN session.
Lastest             Most recent time when the SSL VPN user accessed resources through the SSL VPN session.
Allocated IP        IP address allocated to the iNode client of the SSL VPN user. This field is displayed only for iNode users.
User IPv4 address   IPv4 address used by the SSL VPN session.
User IPv6 address   IPv6 address used by the SSL VPN session.
Web browser/OS      Web browser or operating system used by the SSL VPN user.

 

dynamic-password enable

Use dynamic-password enable to enable dynamic password verification.

Use undo dynamic-password enable to disable dynamic password verification.

Syntax

dynamic-password enable

undo dynamic-password enable

Default

Dynamic password verification is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After dynamic password verification is enabled, a user must enter a correct dynamic password to log in to the SSL VPN webpage.

Examples

# Enable dynamic password verification.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] dynamic-password enable

emo-server

Use emo-server to specify an Endpoint Mobile Office (EMO) server for mobile clients.

Use undo emo-server to restore the default.

Syntax

emo-server address { host-name | ipv4-address } port port-number

undo emo-server

Default

No EMO server is specified for mobile clients.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

address: Specifies the host name or IPv4 address of the EMO server.

host-name: Specifies the host name of the EMO server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

ipv4-address: Specifies the IPv4 address of the EMO server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.

port port-number: Specifies the port number of the EMO server, in the range of 1025 to 65535.

Usage guidelines

An EMO server provides services for mobile clients. The SSL VPN gateway issues the EMO server information to the clients, and the clients can access available service resources through the EMO server.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the IP address of the EMO server as 10.10.1.1 and the port number as 9058 for context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] emo-server address 10.10.1.1 port 9058

exclude

Use exclude to add an exclude route to a route list.

Use undo exclude to delete an exclude route from a route list.

Syntax

exclude ip-address { mask | mask-length }

undo exclude ip-address { mask | mask-length }

Default

No exclude routes exist in a route list.

Views

Route list view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the destination IP address of the route. It cannot be a multicast, broadcast, or loopback address.

mask: Specifies the subnet mask of the destination IP address.

mask-length: Specifies the mask length of the destination IP address, an integer in the range of 0 to 32.

Usage guidelines

To deny user access to specific network nodes or segments behind an SSL VPN gateway, configure exclude routes for those nodes or segments.

When a client accesses the SSL VPN gateway in IP mode, the SSL VPN gateway issues the exclude routes to the client. The client adds the exclude routes to its local routing table. Traffic that matches the exclude routes is not sent to the SSL VPN gateway.

You can add multiple exclude routes to a route list.

If you execute the include and exclude commands to add the same route to a route list, the most recent configuration takes effect.

Examples

# Add exclude route 192.168.0.0/16 to route list rtlist.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-route-list rtlist

[Sysname-sslvpn-context-ctx1-route-list-rtlist] exclude 192.168.0.0 16

Related commands

include

execution (port forwarding item view)

Use execution to configure a resource link for a port forwarding item.

Use undo execution to restore the default.

Syntax

execution script

undo execution

Default

No resource link is configured for a port forwarding item.

Views

Port forwarding item view

Predefined user roles

network-admin

Parameters

script: Specifies the script for the resource link, a string of 1 to 255 characters in the format url('url-value'). The complete format of url-value is protocol://hostname or IP address:port number/resource path.

Usage guidelines

After you configure a resource link for a port forwarding item, you can click the port forwarding name on the SSL VPN Web page to access the resource.

If you execute this command for a port forwarding item multiple times, the most recent configuration takes effect.

Examples

# Configure the url('http://127.0.0.1') resource for port forwarding item pfitem1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1

[Sysname-sslvpn-context-ctx1-forward-item-pfitem1] execution url('http://127.0.0.1')

execution (shortcut view)

Use execution to configure a resource link for a shortcut.

Use undo execution to restore the default.

Syntax

execution script

undo execution

Default

No resource link is configured for a shortcut.

Views

Shortcut view

Predefined user roles

network-admin

Parameters

script: Specifies the script for the resource, a string of 1 to 255 characters in the format url('url-value'). The complete format of url-value is protocol://hostname or IP address:port number/resource path.

Usage guidelines

After you configure a resource link for a shortcut, you can click the shortcut name on the SSL VPN Web page to access the resource.

If you execute this command for a shortcut multiple times, the most recent configuration takes effect.

Examples

# Configure the url('http://10.0.0.1') resource for shortcut shortcut1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut shortcut1

[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] execution url('http://10.0.0.1')

file-policy

Use file-policy to create a file policy and enter its view, or enter the view of an existing file policy.

Use undo file-policy to delete a file policy.

Syntax

file-policy policy-name

undo file-policy policy-name

Default

No file policies exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a file policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The SSL VPN gateway uses a file policy to rewrite the content of Web page files before forwarding them to requesting Web access users.

You can configure multiple file policies in an SSL VPN context.

Examples

# Create a file policy named fp and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp]

Related commands

sslvpn context

filter ip-tunnel acl

Use filter ip-tunnel acl to specify an advanced ACL for IP access filtering.

Use undo filter ip-tunnel acl to remove the advanced ACL configuration for IP access filtering.

Syntax

filter ip-tunnel [ ipv6 ] acl advanced-acl-number

undo filter ip-tunnel [ ipv6 ] acl

Default

All IP accesses are denied.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for IP access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:

1. Matches the request against rules in the URI ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.

2. Matches the request against rules in the advanced ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for IP access filtering.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel acl 3000

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter ip-tunnel ipv6 acl 3500

Related commands

filter ip-tunnel uri-acl

filter ip-tunnel uri-acl

Use filter ip-tunnel uri-acl to specify a URI ACL for IP access filtering.

Use undo filter ip-tunnel uri-acl to remove the URI ACL configuration for IP access filtering.

Syntax

filter ip-tunnel uri-acl uri-acl-name

undo filter ip-tunnel uri-acl

Default

All IP accesses are denied.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for IP access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request:

1. Matches the request against rules in the URI ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 2.

2. Matches the request against rules in the advanced ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

If a rule in the URI ACL specified for IP access filtering contains HTTP or HTTPS settings, the rule does not take effect.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure policy group abcpg to use URI ACL abcuriacl for IP access filtering.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] policy-group abcpg

[Sysname-sslvpn-context-abc-policy-group-abcpg] filter ip-tunnel uri-acl abcuriacl

Related commands

filter ip-tunnel acl

filter tcp-access acl

Use filter tcp-access acl to specify an advanced ACL for TCP access filtering.

Use undo filter tcp-access acl to remove the advanced ACL configuration for TCP access filtering.

Syntax

filter tcp-access [ ipv6 ] acl advanced-acl-number

undo filter tcp-access [ ipv6 ] acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:

1. Matches the request against the authorized port forwarding list:

   · If the request matches a port forwarding entry in the list, the gateway forwards the request.

   · If the request does not match any port forwarding entries in the list, the gateway proceeds to step 2.

2. Matches the request against the rules in the URI ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3. Matches the request against the rules in the advanced ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for TCP access filtering.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter tcp-access acl 3000

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter tcp-access ipv6 acl 3500

Related commands

filter tcp-access uri-acl

filter tcp-access uri-acl

Use filter tcp-access uri-acl to specify a URI ACL for TCP access filtering.

Use undo filter tcp-access uri-acl to remove the URI ACL configuration for TCP access filtering.

Syntax

filter tcp-access uri-acl uri-acl-name

undo filter tcp-access uri-acl

Default

A user can access only the TCP resources in the TCP port forwarding list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for TCP access filtering.

For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request:

1. Matches the request against the authorized port forwarding list:

   · If the request matches a port forwarding entry in the list, the gateway forwards the request.

   · If the request does not match any port forwarding entries in the list, the gateway proceeds to step 2.

2. Matches the request against the rules in the URI ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3. Matches the request against the rules in the advanced ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

For PC users, the ACLs configured for TCP access filtering do not take effect. They can access only the TCP resources authorized to them through the TCP port forwarding list.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure policy group abcpg to use URI ACL abcuriacl2 for TCP access filtering.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] policy-group abcpg

[Sysname-sslvpn-context-abc-policy-group-abcpg] filter tcp-access uri-acl abcuriacl2

Related commands

filter tcp-access acl

filter web-access acl

Use filter web-access acl to specify an advanced ACL for Web access filtering.

Use undo filter web-access acl to remove the advanced ACL configuration for Web access filtering.

Syntax

filter web-access [ ipv6 ] acl advanced-acl-number

undo filter web-access [ ipv6 ] acl

Default

A user can access only the Web resources in the URL list authorized to the user.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL.

acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999. If a rule in the specified ACL contains VPN settings, the rule does not take effect.

Usage guidelines

You can specify both an advanced ACL and a URI ACL for Web access filtering.

The SSL VPN gateway uses the following procedure to determine whether to forward a Web access request:

1. Matches the request against the authorized URL list:

   · If the request matches a URL entry in the list, the gateway forwards the request.

   · If the request does not match any URL entries in the list, the gateway proceeds to step 2.

2. Matches the request against rules in the URI ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3. Matches the request against rules in the advanced ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

You can specify an IPv4 ACL, IPv6 ACL, or both by using this command, but you cannot specify multiple IPv4 ACLs or IPv6 ACLs. If you specify IPv4 or IPv6 ACLs multiple times, the most recent IPv4 or IPv6 ACL configuration takes effect.

Examples

# Configure policy group pg1 to use IPv4 ACL 3000 and IPv6 ACL 3500 for Web access filtering.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter web-access acl 3000

[Sysname-sslvpn-context-ctx1-policy-group-pg1] filter web-access ipv6 acl 3500

Related commands

filter web-access uri-acl

filter web-access uri-acl

Use filter web-access uri-acl to specify a URI ACL for Web access filtering.

Use undo filter web-access uri-acl to remove the URI ACL configuration for Web access filtering.

Syntax

filter web-access uri-acl uri-acl-name

undo filter web-access uri-acl

Default

Users can access only the Web resources authorized to them through the URL list.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.

Usage guidelines

The SSL VPN gateway uses the following procedure to determine whether to forward a Web access request:

1. Matches the request against the authorized URL list:

   · If the request matches a URL entry in the list, the gateway forwards the request.

   · If the request does not match any URL entries in the list, the gateway proceeds to step 2.

2. Matches the request against rules in the URI ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the URI ACL or if no URI ACL is available, the gateway proceeds to step 3.

3. Matches the request against rules in the advanced ACL:

   · If the request matches a permit rule, the gateway forwards the request.

   · If the request matches a deny rule, the gateway drops the request.

   · If the request does not match any rules in the advanced ACL or if no advanced ACL is available, the gateway drops the request.

If you execute this command multiple times, the most recent configuration takes effect.
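The same ordered decision (authorized resource list, then URI ACL, then the advanced ACL for the destination's address family, then drop) governs the filter ip-tunnel, filter tcp-access and filter web-access commands, and the order matters: a deny in the URI ACL is final even when the advanced ACL would permit, and a request that no rule matches is dropped. The following Python is an added model of that procedure, not H3C code; the rule representations (glob patterns for URI ACL rules, destination networks for advanced ACL rules, "host:port" entries for the authorized list) are this example's assumptions.

```python
"""Model of the SSL VPN gateway's access-filtering decision order.

Added example, not H3C code. Stage 1 (the authorized URL list or port
forwarding list) does not exist for IP access, so it is optional here.
Rule formats are assumptions made for this example, not the device's.
"""
import fnmatch
import ipaddress

PERMIT, DENY = "permit", "deny"


class UriAcl:
    """URI ACL: ordered (action, glob) rules over "proto://host:port"."""

    def __init__(self, rules):
        self.rules = rules

    def match(self, uri):
        for action, pattern in self.rules:
            if fnmatch.fnmatch(uri, pattern):
                return action
        return None          # no rule matched


class AdvancedAcl:
    """Advanced ACL: ordered (action, destination network) rules."""

    def __init__(self, rules):
        self.rules = [(a, ipaddress.ip_network(n)) for a, n in rules]

    def match(self, dst):
        addr = ipaddress.ip_address(dst)
        for action, net in self.rules:
            if addr.version == net.version and addr in net:
                return action
        return None


class PolicyGroup:
    def __init__(self, authorized=None, uri_acl=None, acl4=None, acl6=None):
        self.authorized = authorized   # set of "host:port"; None for IP access
        self.uri_acl = uri_acl
        self.acl4, self.acl6 = acl4, acl6   # one IPv4 and one IPv6 ACL at most

    def decide(self, proto, dst, port):
        """Return (verdict, stage that produced it) in the documented order."""
        # 1. Authorized URL list / port forwarding list: a hit is forwarded.
        if self.authorized is not None and f"{dst}:{port}" in self.authorized:
            return PERMIT, "authorized-list"
        # 2. URI ACL: permit or deny ends the evaluation; no match falls through.
        if self.uri_acl is not None:
            verdict = self.uri_acl.match(f"{proto}://{dst}:{port}")
            if verdict is not None:
                return verdict, "uri-acl"
        # 3. Advanced ACL selected by the destination's address family.
        acl = self.acl6 if ipaddress.ip_address(dst).version == 6 else self.acl4
        if acl is not None:
            verdict = acl.match(dst)
            if verdict is not None:
                return verdict, "advanced-acl"
        # 4. Nothing matched, or no ACL configured: the request is dropped.
        return DENY, "default"


if __name__ == "__main__":
    pg = PolicyGroup(
        authorized={"10.1.1.5:443"},
        uri_acl=UriAcl([(DENY, "tcp://10.1.1.5:23"), (PERMIT, "http://10.1.2.*:80")]),
        acl4=AdvancedAcl([(PERMIT, "10.1.0.0/16")]),
    )
    for req in [("https", "10.1.1.5", 443), ("tcp", "10.1.1.5", 23),
                ("http", "10.1.1.5", 80), ("http", "2001:db8::1", 80)]:
        print(req, "->", pg.decide(*req))
```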

Examples

# Configure policy group abcpg to use URI ACL abcuriacl1 for Web access filtering.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] policy-group abcpg

[Sysname-sslvpn-context-abc-policy-group-abcpg] filter web-access uri-acl abcuriacl1

Related commands

filter web-access acl

force-logout

Use force-logout to force online users to log out.

Syntax

force-logout [ all | session session-id | user user-name ]

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

all: Logs out all users.

session session-id: Logs out all users in a session. The session-id argument specifies the session ID in the range of 1 to 4294967295.

user user-name: Logs out a user. The user-name argument specifies the username, a case-sensitive string of 1 to 63 characters.

Examples

# Log out all users in session 1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] force-logout session 1

force-logout max-onlines enable

Use force-logout max-onlines enable to enable the force logout feature.

Use undo force-logout max-onlines enable to disable the force logout feature.

Syntax

force-logout max-onlines enable

undo force-logout max-onlines enable

Default

The force logout feature is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

By default, a new login using an account is rejected once the number of logins using that account has reached the limit.

With this feature enabled, when a login is attempted after the account has reached its maximum number of logins, the feature logs out the user with the longest idle time to allow the new login.

Examples

# Enable the force logout feature.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] force-logout max-onlines enable

gateway

Use gateway to associate an SSL VPN context with an SSL VPN gateway.

Use undo gateway to delete associated SSL VPN gateways.

Syntax

gateway gateway-name [ domain domain-name | virtual-host virtual-host-name ]

undo gateway [ gateway-name ]

Default

An SSL VPN context is not associated with an SSL VPN gateway.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

gateway-name: Specifies an SSL VPN gateway by its name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).

domain domain-name: Specifies a domain name for the SSL VPN context, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), and hyphens (-).

virtual-host virtual-host-name: Specifies a virtual host name for the SSL VPN context, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

Usage guidelines

When you associate an SSL VPN context with an SSL VPN gateway, follow these guidelines:

· Make sure the context has a domain name or virtual host name different from those of any existing contexts associated with the SSL VPN gateway. The SSL VPN gateway uses the domain name or virtual host name that a remote user entered to determine the SSL VPN context to which the user belongs.

· If you do not specify a domain name or virtual host name for the context, you cannot associate other SSL VPN contexts with the SSL VPN gateway.

You can associate an SSL VPN context with a maximum of 10 SSL VPN gateways.

Examples

# Associate SSL VPN context ctx1 with SSL VPN gateway gw1, and specify the domain name as domain1 for the context.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] gateway gw1 domain domain1

Related commands

display sslvpn context

heading

Use heading to configure a heading for a URL list.

Use undo heading to restore the default.

Syntax

heading string

undo heading

Default

The heading of a URL list is Web.

Views

URL list view

Predefined user roles

network-admin

Parameters

string: Specifies a URL list heading, a case-insensitive string of 1 to 31 characters.

Examples

# Configure the heading of URL list url as urlhead.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-list url

[Sysname-sslvpn-context-ctx1-url-list-url] heading urlhead

Related commands

sslvpn context

url-list

http-redirect

Use http-redirect to enable HTTP redirection.

Use undo http-redirect to disable HTTP redirection.

Syntax

http-redirect [ port port-number ]

undo http-redirect

Default

HTTP redirection is disabled. An SSL VPN gateway does not process HTTP traffic.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

port port-number: Specifies the HTTP port number to listen on, a value of 80 (the default) or in the range of 1025 to 65535.

Usage guidelines

This command enables an SSL VPN gateway to perform the following operations:

1. Listen on the specified HTTP port.

2. Redirect HTTP requests received on that port to the port used by HTTPS.

3. Send redirection packets to clients.

Examples

# Enable HTTP redirection for HTTP port 1025.

<Sysname> system-view

[Sysname] sslvpn gateway gateway1

[Sysname-sslvpn-gateway-gateway1] http-redirect port 1025

idle-cut traffic-threshold

Use idle-cut traffic-threshold to set the SSL VPN session idle-cut traffic threshold.

Use undo idle-cut traffic-threshold to restore the default.

Syntax

idle-cut traffic-threshold kilobytes

undo idle-cut traffic-threshold

Default

The SSL VPN session idle-cut traffic threshold is 0 bytes. An SSL VPN session will be disconnected if no traffic is transmitted within the session idle timeout.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

kilobytes: Specifies the session idle-cut traffic threshold in kilobytes. The value range is 1 to 4294967295.

Usage guidelines

The SSL VPN session idle-cut traffic threshold is the minimum amount of traffic a session must transmit within one idle timeout interval to avoid being disconnected as an idle session.

After the idle-cut traffic threshold is set, the system counts the traffic transmitted in each SSL VPN session at intervals specified by the timeout idle command. If the traffic is less than the idle-cut traffic threshold, the system determines the session to be idle and disconnects the session.

If you change the setting of the idle-cut traffic-threshold or timeout idle command in an SSL VPN context, all session idle-cut traffic counters in the SSL VPN context will be cleared.

Examples

# Set the SSL VPN session idle-cut traffic threshold to 1000 kilobytes in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] idle-cut traffic-threshold 1000

Related commands

timeout idle

include

Use include to add an include route to a route list.

Use undo include to delete an include route from a route list.

Syntax

include ip-address { mask | mask-length }

undo include ip-address { mask | mask-length }

Default

No include routes exist.

Views

Route list view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the destination IP address of the route. It cannot be a multicast, broadcast, or loopback address. The specified IP address must be the address of the network segment where the internal servers reside.

mask: Specifies the subnet mask.

mask-length: Specifies the mask length of the route, an integer in the range of 0 to 32.

Usage guidelines

To permit user access to specific network nodes or segments behind an SSL VPN gateway, configure include routes for those nodes or segments.

When a client accesses an SSL VPN gateway in IP mode, the SSL VPN gateway issues the include routes to the client. The client adds the include routes to the local routing table, using the VNIC as the output interface. Traffic that matches the include routes is sent to the SSL VPN gateway through the VNIC.

You can add multiple routes to a route list.

If you execute the include and exclude commands to add the same route to a route list, the most recent configuration takes effect.

Examples

# Add include route 10.0.0.0/8 to route list rtlist.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-route-list rtlist

[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 10.0.0.0 8

Related commands

exclude

interface sslvpn-ac

Use interface sslvpn-ac to create an SSL VPN AC interface and enter its view, or enter the view of an existing SSL VPN AC interface.

Use undo interface sslvpn-ac to delete an SSL VPN AC interface.

Syntax

interface sslvpn-ac interface-number

undo interface sslvpn-ac interface-number

Default

No SSL VPN AC interfaces exist.

Views

System view

Predefined user roles

network-admin

Parameters

interface-number: Specifies an SSL VPN AC interface number in the range of 0 to 4095.

Examples

# Create interface SSL VPN AC 1000 and enter its view.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000]

ip address

Use ip address to configure an IPv4 address and a port number for an SSL VPN gateway.

Use undo ip address to restore the default.

Syntax

ip address ip-address [ port port-number ]

undo ip address

Default

An SSL VPN gateway uses IPv4 address 0.0.0.0 and port number 443.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IPv4 address for the SSL VPN gateway, in dotted decimal notation.

port port-number: Specifies a port number for the SSL VPN gateway. The port number is 443 (the default value) or in the range of 1025 to 65535.

Usage guidelines

A remote user uses the IPv4 address and port number configured by this command to access an SSL VPN gateway.

The specified IPv4 address must be the IP address of an interface on the gateway device and must be reachable from clients and internal servers.

If the gateway uses the default address (0.0.0.0), make sure its port number is different from the port number of the HTTPS server on the device.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the IPv4 address of SSL VPN gateway gw1 as 10.10.1.1 and the port number as 8000.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1] ip address 10.10.1.1 port 8000

Related commands

display sslvpn gateway

ip-route-list

Use ip-route-list to create a route list for an SSL VPN context and enter its view, or enter the view of an existing route list.

Use undo ip-route-list to delete a route list.

Syntax

ip-route-list list-name

undo ip-route-list list-name

Default

No route lists exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

list-name: Specifies a name for the route list, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You cannot delete a route list that is used by a policy group. To delete the route list, execute the undo ip-tunnel access-route command to remove the configuration and then execute the undo ip-route-list command.

Examples

# In SSL VPN context ctx1, create a route list named rtlist and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-route-list rtlist

[Sysname-sslvpn-context-ctx1-route-list-rtlist]

Related commands

ip-tunnel access-route

ip-tunnel access-route

Use ip-tunnel access-route to specify the routes to be issued to clients.

Use undo ip-tunnel access-route to restore the default.

Syntax

ip-tunnel access-route { ip-address { mask-length | mask } | force-all | ip-route-list list-name }

undo ip-tunnel access-route

Default

No routes to be issued to clients are specified.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

ip-address { mask-length | mask }: Configures a route to be issued to a client. The ip-address argument specifies the destination address of the route and cannot be a multicast, broadcast, or loopback address. The mask-length argument specifies the mask length of the route, in the range of 0 to 32, and the mask argument specifies the subnet mask of the route.

force-all: Forces all traffic to be sent to the SSL VPN gateway.

ip-route-list list-name: Issues routes in the specified route list to a client. The list-name argument specifies the route list name, a case-insensitive string of 1 to 31 characters. The specified route list must have been created by the ip-route-list command.

Usage guidelines

When a client accesses an SSL VPN gateway in IP mode, the SSL VPN gateway issues the configured route or the specified routes to the client. The client adds the routes, using the VNIC as the output interface. Packets from the client to the internal servers match the routes, and therefore are sent to the SSL VPN gateway through the VNIC.

After you execute the ip-tunnel access-route force-all command, the SSL VPN gateway issues a default route to the SSL VPN client. The default route uses the VNIC as the output interface and has the highest priority among all default routes on the client. Packets for destinations not in the routing table are sent to the SSL VPN gateway through the VNIC. The SSL VPN gateway monitors the SSL VPN client in real time. It does not allow the client to delete the default route or add a default route with a higher priority.

If you execute this command multiple times, the most recent configuration takes effect.
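The following Python model is added here as an illustration and is not H3C code. It shows how include and exclude entries in a route list, the ip-tunnel access-route setting of a policy group, and the client's longest-prefix lookup over the issued routes fit together. The class and function names are assumptions, as is the treatment of an exclude route as traffic that stays off the VNIC (the exclude command is not described in this section).

```python
"""Model of how a route list is resolved and issued to an IP-access client.

Rules taken from the reference: include/exclude for the same prefix, the most
recent entry wins; force-all issues a default route through the VNIC; a client
sends traffic through the VNIC when the destination matches an issued route.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Entry = Tuple[str, IPv4Network]  # ("include" | "exclude", prefix)


def parse_mask(mask: str) -> int:
    """Accept a mask length ("8") or a dotted mask ("255.0.0.0"), as the CLI does."""
    if mask.isdigit():
        length = int(mask)
        if not 0 <= length <= 32:
            raise ValueError("mask length must be in the range 0 to 32")
        return length
    return IPv4Network(f"0.0.0.0/{mask}").prefixlen


def check_route_address(ip: str) -> IPv4Address:
    """Reject multicast, broadcast and loopback destinations, as the reference requires."""
    addr = IPv4Address(ip)
    if addr.is_multicast or addr.is_loopback or addr == IPv4Address("255.255.255.255"):
        raise ValueError(f"{ip} is not a valid route destination")
    return addr


class RouteList:
    """A route list built with include/exclude; the latest entry for a prefix wins."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[Entry] = []

    def _add(self, kind: str, ip: str, mask: str) -> None:
        addr = check_route_address(ip)
        net = IPv4Network(f"{addr}/{parse_mask(mask)}", strict=False)
        # Adding the same prefix again (include or exclude) replaces the earlier entry.
        self.entries = [e for e in self.entries if e[1] != net]
        self.entries.append((kind, net))

    def include(self, ip: str, mask: str) -> None:
        self._add("include", ip, mask)

    def exclude(self, ip: str, mask: str) -> None:
        self._add("exclude", ip, mask)


class PolicyGroup:
    """Holds one ip-tunnel access-route setting; executing it again replaces it."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.access_route: Optional[tuple] = None

    def access_route_prefix(self, ip: str, mask: str) -> None:
        check_route_address(ip)
        self.access_route = ("prefix", IPv4Network(f"{ip}/{parse_mask(mask)}", strict=False))

    def access_route_force_all(self) -> None:
        self.access_route = ("force-all",)

    def access_route_list(self, route_list: RouteList) -> None:
        self.access_route = ("list", route_list)

    def issued_routes(self) -> List[Entry]:
        """Routes the gateway issues to an IP-mode client for this policy group."""
        if self.access_route is None:
            return []
        kind = self.access_route[0]
        if kind == "prefix":
            return [("include", self.access_route[1])]
        if kind == "force-all":
            # Default route through the VNIC; the client may not remove or outrank it.
            return [("include", IPv4Network("0.0.0.0/0"))]
        return list(self.access_route[1].entries)


def via_vnic(routes: List[Entry], destination: str) -> bool:
    """Client-side decision: longest-prefix match over the issued routes.

    Assumption: an exclude route keeps matching traffic off the VNIC, so it leaves
    over the client's normal interface; an unmatched destination does the same.
    """
    dest = IPv4Address(destination)
    best: Optional[Entry] = None
    for entry in routes:
        if dest in entry[1] and (best is None or entry[1].prefixlen > best[1].prefixlen):
            best = entry
    return best is not None and best[0] == "include"


if __name__ == "__main__":
    # Constructed configuration modelled on the reference's example route list.
    rtlist = RouteList("rtlist")
    rtlist.include("10.0.0.0", "8")
    rtlist.include("20.0.0.0", "8")
    rtlist.exclude("10.1.0.0", "16")
    pg1 = PolicyGroup("pg1")
    pg1.access_route_list(rtlist)
    routes = pg1.issued_routes()
    for dst in ("10.2.3.4", "10.1.3.4", "20.0.0.9", "8.8.8.8"):
        print(dst, "via VNIC" if via_vnic(routes, dst) else "via local interface")
```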

Examples

# In the view of policy group pg1, configure the SSL VPN gateway to issue routes in the route list rtlist to a client.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-route-list rtlist

[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 10.0.0.0 8

[Sysname-sslvpn-context-ctx1-route-list-rtlist] include 20.0.0.0 8

[Sysname-sslvpn-context-ctx1-route-list-rtlist] quit

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel access-route ip-route-list rtlist

Related commands

ip-route-list

ip-tunnel address-pool

Use ip-tunnel address-pool to specify an address pool for IP access.

Use undo ip-tunnel address-pool to restore the default.

Syntax

ip-tunnel address-pool pool-name mask { mask-length | mask }

undo ip-tunnel address-pool

Default

No address pool is specified for IP access.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

pool-name: Specifies the name of the address pool, a case-insensitive string of 1 to 31 characters.

mask { mask-length | mask }: Specifies the mask length or mask of the address pool. The value range for the mask length is 1 to 30.

Usage guidelines

When a client accesses an SSL VPN gateway in IP mode, the SSL VPN gateway allocates an IP address from the specified address pool to the client.

You can specify a nonexistent address pool, but the pool is not effective for address allocation until it is created.

You can specify only one address pool for an SSL VPN context. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify address pool pool1 for IP access.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel address-pool pool1 mask 24

Related commands

sslvpn ip address-pool

ip-tunnel dns-server

Use ip-tunnel dns-server to specify a DNS server for IP access.

Use undo ip-tunnel dns-server to restore the default.

Syntax

ip-tunnel dns-server { primary | secondary } ip-address

undo ip-tunnel dns-server { primary | secondary }

Default

No DNS servers are specified for IP access.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

primary: Specifies the primary DNS server.

secondary: Specifies the secondary DNS server.

ip-address: Specifies the IP address of the DNS server. It cannot be a multicast, broadcast, or loopback address.

Examples

# Specify the primary DNS server 1.1.1.1 for IP access.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel dns-server primary 1.1.1.1

ip-tunnel interface

Use ip-tunnel interface to specify an SSL VPN AC interface for IP access in an SSL VPN context.

Use undo ip-tunnel interface to restore the default.

Syntax

ip-tunnel interface sslvpn-ac interface-number

undo ip-tunnel interface

Default

No SSL VPN AC interface is specified for IP access in an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

sslvpn-ac interface-number: Specifies the number of an SSL VPN AC interface. The interface must have been created by using the interface sslvpn-ac command.

Usage guidelines

The SSL VPN gateway uses the specified SSL VPN AC interface to communicate with SSL VPN users in IP mode. It uses the SSL VPN AC interface to forward packets sent by the user to remote servers and to forward the servers' replies back to the user.

Examples

# Specify SSL VPN AC 100 for IP access.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel interface sslvpn-ac 100

Related commands

interface sslvpn-ac

ip-tunnel keepalive

Use ip-tunnel keepalive to set the keepalive interval for IP access.

Use undo ip-tunnel keepalive to restore the default.

Syntax

ip-tunnel keepalive seconds

undo ip-tunnel keepalive

Default

The keepalive interval is 30 seconds for IP access.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

seconds: Specifies the keepalive interval in the range of 0 to 600 seconds. If the interval is set to 0 seconds, a client does not send keepalive messages to the SSL VPN gateway.

Usage guidelines

If an SSL VPN gateway does not receive any data or keepalive messages from a client within the session idle timeout interval, it terminates the session with the client.

Set the keepalive interval to be shorter than the session idle timeout timer configured by the timeout idle command.
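The following Python model is an added illustration, not H3C code, of the session idle checks described under idle-cut traffic-threshold and ip-tunnel keepalive: per-session traffic is counted over each timeout-idle interval, compared with the threshold, and counters are cleared when either setting changes. Class names, the 1024-byte kilobyte, and the choice not to count keepalive messages as traffic when a threshold is set are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

KILOBYTE = 1024  # assumption: the threshold is counted in 1024-byte kilobytes


@dataclass
class SessionIdlePolicy:
    """Per-context settings that decide when an IP-access session is idle."""
    timeout_idle: int         # seconds, set by the timeout idle command
    idle_cut_kbytes: int = 0  # idle-cut traffic-threshold; 0 means any traffic keeps the session
    keepalive: int = 30       # ip-tunnel keepalive interval; 0 disables client keepalives

    def validate(self) -> None:
        if not 0 <= self.keepalive <= 600:
            raise ValueError("keepalive interval must be in the range 0 to 600 seconds")
        if self.idle_cut_kbytes and not 1 <= self.idle_cut_kbytes <= 4294967295:
            raise ValueError("idle-cut traffic threshold must be in the range 1 to 4294967295")
        # The reference requires the keepalive interval to be shorter than timeout idle;
        # otherwise a quiet but healthy client is cut before its first keepalive arrives.
        if self.keepalive and self.keepalive >= self.timeout_idle:
            raise ValueError("keepalive interval must be shorter than the session idle timeout")


@dataclass
class SessionCounters:
    data_bytes: int = 0          # bytes seen since the last idle check
    keepalive_seen: bool = False
    connected: bool = True


class IdleMonitor:
    """Gateway-side bookkeeping, evaluated once per timeout-idle interval."""

    def __init__(self, policy: SessionIdlePolicy) -> None:
        policy.validate()
        self.policy = policy
        self.sessions: Dict[str, SessionCounters] = {}

    def add_session(self, user: str) -> None:
        self.sessions[user] = SessionCounters()

    def data(self, user: str, nbytes: int) -> None:
        self.sessions[user].data_bytes += nbytes

    def keepalive(self, user: str) -> None:
        self.sessions[user].keepalive_seen = True

    def reconfigure(self, policy: SessionIdlePolicy) -> None:
        """Changing idle-cut traffic-threshold or timeout idle clears every session counter."""
        policy.validate()
        self.policy = policy
        for counters in self.sessions.values():
            counters.data_bytes = 0
            counters.keepalive_seen = False

    def interval_check(self) -> List[str]:
        """Run at the end of each timeout-idle interval; returns the users disconnected."""
        threshold = self.policy.idle_cut_kbytes * KILOBYTE
        dropped: List[str] = []
        for user, c in self.sessions.items():
            if not c.connected:
                continue
            if threshold == 0:
                # No threshold: any data or keepalive message in the interval keeps the session.
                alive = c.data_bytes > 0 or c.keepalive_seen
            else:
                # Threshold set: traffic below the threshold means the session is idle.
                # Assumption: keepalive messages carry no counted bytes.
                alive = c.data_bytes >= threshold
            if not alive:
                c.connected = False
                dropped.append(user)
            c.data_bytes = 0
            c.keepalive_seen = False
        return dropped


if __name__ == "__main__":
    # Constructed scenario: threshold 100 KB, idle timeout 300 s, keepalive every 50 s.
    monitor = IdleMonitor(SessionIdlePolicy(timeout_idle=300, idle_cut_kbytes=100, keepalive=50))
    for user in ("alice", "bob", "carol"):
        monitor.add_session(user)
    monitor.data("alice", 200 * KILOBYTE)
    monitor.data("bob", 50 * KILOBYTE)
    monitor.keepalive("carol")
    print("disconnected:", monitor.interval_check())
```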

Examples

# Set the keepalive interval to 50 seconds for SSL VPN context ctx.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel keepalive 50

ip-tunnel log connection-close

Use ip-tunnel log connection-close to enable logging for IP connection close events.

Use undo ip-tunnel log connection-close to disable logging for IP connection close events.

Syntax

ip-tunnel log connection-close

undo ip-tunnel log connection-close

Default

Logging for IP connection close events is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

This feature logs connection close events for IP access users. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for IP connection close events.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ip-tunnel log connection-close

Related commands

sslvpn context

ip-tunnel wins-server

Use ip-tunnel wins-server to specify a WINS server for IP access.

Use undo ip-tunnel wins-server to restore the default.

Syntax

ip-tunnel wins-server { primary | secondary } ip-address

undo ip-tunnel wins-server { primary | secondary }

Default

No WINS servers are specified for IP access.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

primary: Specifies the primary WINS server.

secondary: Specifies the secondary WINS server.

ip-address: Specifies the IPv4 address of the WINS server. It cannot be a multicast, broadcast, or loopback address.

Examples

# Specify the primary WINS server 1.1.1.1 for IP access.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] ip-tunnel wins-server primary 1.1.1.1

ipv6 address

Use ipv6 address to configure an IPv6 address and a port number for an SSL VPN gateway.

Use undo ipv6 address to restore the default.

Syntax

ipv6 address ipv6-address [ port port-number ]

undo ipv6 address

Default

No IPv6 address is specified for an SSL VPN gateway.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 address for the SSL VPN gateway, a 16-byte value in colon-separated hexadecimal notation.

port port-number: Specifies a port number for the SSL VPN gateway. The port number is 443 (the default value) or in the range of 1025 to 65535.

Usage guidelines

A remote user uses the IPv6 address and port number configured by this command to access an SSL VPN gateway.

The specified IPv6 address must be the address of an interface on the gateway device and must be reachable from clients and internal servers.

Do not use the management address of the device as the IPv6 address of the SSL VPN gateway.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the IPv6 address of SSL VPN gateway gw1 as 200::1 and the port number as 8000.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1] ipv6 address 200::1 port 8000

Related commands

display sslvpn gateway

local-port

Use local-port to configure a port forwarding instance for a port forwarding item.

Use undo local-port to remove the configuration.

Syntax

local-port local-port-number local-name local-name remote-server remote-server remote-port remote-port-number [ description text ]

undo local-port

Default

A port forwarding item does not contain a port forwarding instance.

Views

Port forwarding item view

Predefined user roles

network-admin

Parameters

local-port-number: Specifies a local port number in the range of 1 to 65535. The specified port number must be different from the port numbers of any existing services on the SSL VPN client.

local-name local-name: Specifies a local address or a local host name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

·     To specify an IPv4 address, use an address in the network segment 127.0.0.0/8.

·     To specify an IPv6 address, enclose the IPv6 address in brackets. For example, local-name [1234::5678].

remote-server remote-server: Specifies the IP address or domain name of a TCP service on an internal server. The remote-server argument is a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.). To specify an IPv6 address, enclose the IPv6 address in brackets. For example, remote-server [1234::5678].

remote-port remote-port-number: Specifies the port number of the TCP service on the internal server, in the range of 1 to 65535.

description text: Specifies a description, a case-sensitive string of 1 to 63 characters.

Usage guidelines

A port forwarding instance maps a TCP service on an internal server to a local address and port number on an SSL VPN client.

For example, for an SSL VPN client to use local address 127.0.0.1 and port 80 to access the internal HTTP server 192.168.0.213, perform the following tasks:

1.     Create a port forwarding item (tcp1 in this example).

2.     Configure a port forwarding instance for the port forwarding item.

local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80

The port forwarding instance will be displayed together with the port forwarding item name on the SSL VPN Web page. In this example, tcp1 (127.0.0.1:80 -> 192.168.0.213) will be displayed.

If you map a TCP service to a local host name, the TCP access client software adds the IP address that corresponds to the host name to the hosts file. When the client logs out, the software restores the original hosts file. On the client host, the hosts file is in the directory C:\Windows\System32\drivers\etc.

You can configure only one port forwarding instance for a port forwarding item. If you execute this command for a port forwarding item multiple times, the most recent configuration takes effect.
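As an added example (not H3C code), the following Python parser validates a local-port command line against the parameter constraints listed above and produces the label shown on the SSL VPN web page. The names PortForwardInstance, from_command, web_label and needs_hosts_entry are assumptions, as is treating an unbracketed value that does not parse as an IPv4 address as a host name.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Valid characters for local-name and remote-server: letters, digits, _, - and .
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,253}$")


def _check_port(value: int, what: str) -> int:
    if not 1 <= value <= 65535:
        raise ValueError(f"{what} must be in the range 1 to 65535")
    return value


def _is_ipv4(name: str) -> bool:
    try:
        ipaddress.IPv4Address(name)
        return True
    except ipaddress.AddressValueError:
        return False


def _check_endpoint(name: str, what: str, local: bool) -> str:
    """Validate a local-name or remote-server value.

    A bracketed value must be an IPv6 address. Otherwise the value must use the
    allowed character set; if it parses as IPv4 it is an address (a local address
    must lie in 127.0.0.0/8), and anything else is treated as a host name.
    """
    if name.startswith("[") and name.endswith("]"):
        ipaddress.IPv6Address(name[1:-1])  # raises AddressValueError if malformed
        return name
    if not _NAME_RE.match(name):
        raise ValueError(f"{what} has invalid characters or length")
    if local and _is_ipv4(name):
        if ipaddress.IPv4Address(name) not in ipaddress.IPv4Network("127.0.0.0/8"):
            raise ValueError(f"{what} IPv4 address must be in 127.0.0.0/8")
    return name


@dataclass
class PortForwardInstance:
    item_name: str
    local_port: int
    local_name: str
    remote_server: str
    remote_port: int
    description: Optional[str] = None

    @classmethod
    def from_command(cls, item_name: str, line: str) -> "PortForwardInstance":
        """Parse a local-port command line typed in port forwarding item view."""
        tokens = line.split()
        keywords = ["local-port", "local-name", "remote-server", "remote-port"]
        if len(tokens) < 8 or tokens[0:8:2] != keywords:
            raise ValueError("expected: local-port N local-name X remote-server Y remote-port M")
        description = None
        if len(tokens) > 8:
            if tokens[8] != "description":
                raise ValueError("unexpected trailing tokens")
            description = " ".join(tokens[9:])
            if not 1 <= len(description) <= 63:
                raise ValueError("description must be 1 to 63 characters")
        return cls(
            item_name=item_name,
            local_port=_check_port(int(tokens[1]), "local-port"),
            local_name=_check_endpoint(tokens[3], "local-name", local=True),
            remote_server=_check_endpoint(tokens[5], "remote-server", local=False),
            remote_port=_check_port(int(tokens[7]), "remote-port"),
            description=description,
        )

    def needs_hosts_entry(self) -> bool:
        """True when local-name is a host name, so the client adds it to its hosts file."""
        return not (self.local_name.startswith("[") or _is_ipv4(self.local_name))

    def web_label(self) -> str:
        """Label shown on the SSL VPN web page, e.g. 'tcp1 (127.0.0.1:80 -> 192.168.0.213)'."""
        return f"{self.item_name} ({self.local_name}:{self.local_port} -> {self.remote_server})"


if __name__ == "__main__":
    # The reference's own example, parsed from the command line as typed.
    inst = PortForwardInstance.from_command(
        "tcp1", "local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80"
    )
    print(inst.web_label(), "hosts entry needed:", inst.needs_hosts_entry())
```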

Examples

# Configure a port forwarding instance for port forwarding item pfitem1. The port forwarding instance maps IP address 192.168.0.213 and port 80 of the internal HTTP server to local address 127.0.0.1 and port 80.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1

[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1] local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80 description http

Related commands

port-forward

log enable user-log

Use log enable user-log to enable logging for user online status changes.

Use undo log enable user-log to disable logging for user online status changes.

Syntax

log enable user-log

undo log enable user-log

Default

Logging for user online status changes is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

This feature logs user login and logoff events. The logs are sent to the information center of the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for user online status changes.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] log enable user-log

log resource-access enable

Use log resource-access enable to enable resource access logging.

Use undo log resource-access enable to disable resource access logging.

Syntax

log resource-access enable [ filtering ]

undo log resource-access enable

Default

Resource access logging is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

filtering: Enables resource access log filtering. With this keyword specified, the device generates only one log for accesses of the same user to the same resource in a minute. If this keyword is not specified, the device generates a log for each resource access.

Usage guidelines

This feature logs resource accesses of SSL VPN users. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Enable resource access logging.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] log resource-access enable

log resource-access enable

Use log resource-access enable to enable resource access logging.

Use undo log resource-access enable to disable resource access logging.

Syntax

log resource-access enable [ brief | filtering ] *

undo log resource-access enable

Default

Resource access logging is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

brief: Records brief resource access information. If you specify this keyword, only the address and port number of the accessed resource will be recorded. If you do not specify this keyword, a large amount of information including webpage formatting information will be recorded.

filtering: Enables resource access log filtering. With this keyword specified, the device generates only one log for accesses of the same user to the same resource in a minute. If this keyword is not specified, the device generates a log for each resource access.

Usage guidelines

This feature logs resource accesses of SSL VPN users. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.
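The following Python model, added here and not H3C code, emulates the brief and filtering keywords of both log resource-access enable entries above over a constructed set of access events: with filtering, one log per user and resource per minute; with brief, only address and port. The class names and the choice to measure the minute from the last access that produced a log are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ResourceAccess:
    """One access by an SSL VPN user; timestamps are seconds on a monotonic clock."""
    timestamp: float
    user: str
    resource: str      # address and port of the accessed resource, e.g. "192.168.0.213:80"
    detail: str = ""   # the verbose information recorded when brief is not set


class ResourceAccessLogger:
    """Emulates log resource-access enable [ brief | filtering ] *."""

    WINDOW_SECONDS = 60.0  # "in a minute"; assumption: measured from the last logged access

    def __init__(self, brief: bool = False, filtering: bool = False) -> None:
        self.brief = brief
        self.filtering = filtering
        self._last_logged: Dict[Tuple[str, str], float] = {}
        self.logs: List[str] = []

    def record(self, access: ResourceAccess) -> bool:
        """Returns True when a log line was generated, False when filtering suppressed it."""
        if self.filtering:
            key = (access.user, access.resource)
            last = self._last_logged.get(key)
            if last is not None and access.timestamp - last < self.WINDOW_SECONDS:
                return False
            self._last_logged[key] = access.timestamp
        line = f"t={access.timestamp:.0f} user={access.user} resource={access.resource}"
        if not self.brief and access.detail:
            line += f" detail={access.detail}"
        self.logs.append(line)
        return True


def replay(events: List[ResourceAccess], brief: bool, filtering: bool) -> List[str]:
    """Feed constructed events through a logger and return the lines it would emit."""
    logger = ResourceAccessLogger(brief=brief, filtering=filtering)
    for event in events:
        logger.record(event)
    return logger.logs


# Constructed sample: alice polls one resource repeatedly, bob touches it once.
SAMPLE_EVENTS = [
    ResourceAccess(0, "alice", "192.168.0.213:80", "GET /index.html"),
    ResourceAccess(10, "alice", "192.168.0.213:80", "GET /style.css"),
    ResourceAccess(20, "alice", "192.168.0.214:443", "GET /"),
    ResourceAccess(30, "bob", "192.168.0.213:80", "GET /index.html"),
    ResourceAccess(61, "alice", "192.168.0.213:80", "GET /index.html"),
]

if __name__ == "__main__":
    for line in replay(SAMPLE_EVENTS, brief=True, filtering=True):
        print(line)
```

Note what filtering hides from a detection pipeline: a burst of repeated accesses by one user to one resource inside the window appears as a single line, so counting lines no longer counts accesses.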

Examples

# Enable resource access logging.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] log resource-access enable

log user-login enable

Use log user-login enable to enable logging for user login and logoff events.

Use undo log user-login enable to disable logging for user login and logoff events.

Syntax

log user-login enable

undo log user-login enable

Default

Logging for user login and logoff events is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

This feature logs user login and logoff events. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable logging for user logins and logouts.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] log user-login enable

login-message

Use login-message to configure a login message.

Use undo login-message to restore the default.

Syntax

login-message { chinese chinese-message | english english-message }

undo login-message { chinese | english }

Default

The login message is Welcome to SSL VPN.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

chinese chinese-message: Configures a login message in Chinese, a case-sensitive string of 1 to 255 characters.

english english-message: Configures a login message in English, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the login message as hello.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] login-message english hello

logo

Use logo to specify a logo to be displayed on SSL VPN webpages.

Use undo logo to restore the default.

Syntax

logo { file file-name | none }

undo logo

Default

The logo displayed on SSL VPN webpages is H3C.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

file file-name: Specifies a logo file by its name, a case-insensitive string of 1 to 255 characters. The file must be a .gif, .jpg, or .png file, and its size cannot exceed 100 KB. As a best practice, use a file whose image resolution is 110*30 pixels.

none: Specifies that no logo is displayed.

Usage guidelines

The specified logo file must exist on the local device.

After you specify a logo file, the logo is displayed on SSL VPN webpages even if the file is deleted.

Examples

# Specify the logo in the file flash:/mylogo.gif as the logo displayed on SSL VPN webpages.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] logo file flash:/mylogo.gif

max-onlines

Use max-onlines to set the maximum number of concurrent logins for each account.

Use undo max-onlines to restore the default.

Syntax

max-onlines number

undo max-onlines

Default

The maximum number of concurrent logins for each account is 32.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number, in the range of 0 to 1048575. Value 0 indicates that the number of concurrent logins for each account is not limited.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the maximum number of concurrent logins for each account to 50.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] max-onlines 50

max-users

Use max-users to set the maximum number of sessions for an SSL VPN context. If the limit is reached, new users cannot access the SSL VPN gateway.

Use undo max-users to restore the default.

Syntax

max-users max-number

undo max-users

Default

An SSL VPN context supports a maximum of 1048575 sessions.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of sessions, in the range of 1 to 1048575.

Examples

# Set the maximum number of sessions to 500 for SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] max-users 500

Related commands

display sslvpn context

message-server

Use message-server to specify a message server for mobile clients.

Use undo message-server to restore the default.

Syntax

message-server address { host-name | ipv4-address } port port-number

undo message-server

Default

No message server is specified for mobile clients.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

address: Specifies the host name or IPv4 address of the message server.

host-name: Specifies the host name of the message server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).

ipv4-address: Specifies the IPv4 address of the message server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.

port port-number: Specifies the port number of the message server, in the range of 1025 to 65535.

Usage guidelines

A message server provides services for mobile clients. The SSL VPN gateway issues the message server information to the clients, and the clients can access the message server.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the IP address of the message server as 10.10.1.1 and the port number as 8000 for SSL VPN context ctx.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] message-server address 10.10.1.1 port 8000

Related commands

sslvpn context

mtu

Use mtu to set the MTU of an SSL VPN AC interface.

Use undo mtu to restore the default.

Syntax

mtu size

undo mtu

Default

The MTU is 1500 bytes.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Parameters

size: Specifies an MTU value in the range of 100 to 64000 bytes.

Examples

# Set the MTU of SSL VPN AC 1000 to 1430 bytes.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] mtu 1430

new-content

Use new-content to specify the new content used to replace the old content.

Use undo new-content to restore the default.

Syntax

new-content string

undo new-content

Default

The new content used to replace the old content is not specified.

Views

Rewrite rule view

Predefined user roles

network-admin

Parameters

string: Specifies the new content, a case-sensitive string of 1 to 256 characters.

Usage guidelines

During file content rewriting, the new content will replace the old content specified by using the old-content command.

If the new content contains spaces, enclose the content in double quotation marks.

Examples

# Specify the new content in rewrite rule rule1 of file policy fp.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1

[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1] new-content sslvpn_rewrite_htmlcode(d)

Related commands

old-content

old-content

Use old-content to specify the old file content to be rewritten.

Use undo old-content to restore the default.

Syntax

old-content string

undo old-content

Default

The old file content to be rewritten is not specified.

Views

Rewrite rule view

Predefined user roles

network-admin

Parameters

string: Specifies the old content, a case-sensitive string of 1 to 256 characters.

Usage guidelines

During file content rewriting, the old file content will be replaced by the new content specified by using the new-content command.

If the old content contains spaces, enclose the content in double quotation marks.

In the same file policy, the old content specified in different rewrite rules must be unique.
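The following Python sketch is an added example, not H3C code, of the rewrite rule semantics described under new-content and old-content: a file policy whose rules replace old content with new content, the uniqueness rule for old content within a policy, and double-quote handling for content with spaces. The names FilePolicy, RewriteRule and apply_command are assumptions.

```python
import shlex
from typing import Dict, Optional


def _check_content(string: str) -> str:
    """old-content and new-content take a case-sensitive string of 1 to 256 characters."""
    if not 1 <= len(string) <= 256:
        raise ValueError("content must be 1 to 256 characters")
    return string


class RewriteRule:
    def __init__(self, name: str) -> None:
        self.name = name
        self.old_content: Optional[str] = None
        self.new_content: Optional[str] = None


class FilePolicy:
    """A file policy holds rewrite rules; old content must be unique across its rules."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: Dict[str, RewriteRule] = {}

    def rewrite_rule(self, name: str) -> RewriteRule:
        return self.rules.setdefault(name, RewriteRule(name))

    def set_old_content(self, rule_name: str, string: str) -> None:
        for other in self.rules.values():
            if other.name != rule_name and other.old_content == string:
                raise ValueError(f"old content already used by rewrite rule {other.name}")
        self.rewrite_rule(rule_name).old_content = _check_content(string)

    def set_new_content(self, rule_name: str, string: str) -> None:
        self.rewrite_rule(rule_name).new_content = _check_content(string)

    def apply(self, text: str) -> str:
        """Rewrite file content: each complete rule replaces its old content with its new content."""
        for rule in self.rules.values():
            if rule.old_content is not None and rule.new_content is not None:
                text = text.replace(rule.old_content, rule.new_content)
        return text


def apply_command(policy: FilePolicy, rule_name: str, line: str) -> None:
    """Handle an old-content or new-content line typed in rewrite rule view.

    shlex honours the double quotes the reference requires around content with spaces;
    an unquoted string containing spaces splits into extra tokens and is rejected.
    """
    tokens = shlex.split(line)
    if len(tokens) != 2 or tokens[0] not in ("old-content", "new-content"):
        raise ValueError("expected: old-content|new-content <string> (quote strings with spaces)")
    if tokens[0] == "old-content":
        policy.set_old_content(rule_name, tokens[1])
    else:
        policy.set_new_content(rule_name, tokens[1])


if __name__ == "__main__":
    # The reference's own rule1, applied to a constructed line of script.
    fp = FilePolicy("fp")
    apply_command(fp, "rule1", 'old-content "a.b.c.innerHTML = d;"')
    apply_command(fp, "rule1", "new-content sslvpn_rewrite_htmlcode(d)")
    print(fp.apply("init(); a.b.c.innerHTML = d; done();"))
```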

Examples

# Specify the content to be rewritten in rewrite rule rule1 of file policy fp.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1

[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1] old-content "a.b.c.innerHTML = d;"

Related commands

new-content

password-authentication enable

Use password-authentication enable to enable username/password authentication.

Use undo password-authentication enable to disable username/password authentication.

Syntax

password-authentication enable

undo password-authentication enable

Default

Username/password authentication is enabled for an SSL VPN context.

Views

SSL VPN context view

Predefined user roles

network-admin

Examples

# Disable username/password authentication for SSL VPN context ctx.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] undo password-authentication enable

Related commands

certificate-authentication enable

display sslvpn context

policy-group

Use policy-group to create an SSL VPN policy group and enter its view, or enter the view of an existing SSL VPN policy group.

Use undo policy-group to delete a policy group.

Syntax

policy-group group-name

undo policy-group group-name

Default

No SSL VPN policy groups exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the policy group, a case-insensitive string of 1 to 31 characters.

Usage guidelines

An SSL VPN policy group contains a set of rules for resource access authorization.

You can configure multiple SSL VPN policy groups for an SSL VPN context. When a remote user accesses the SSL VPN context, the AAA server issues the authorized policy group to the associated SSL VPN gateway. The user can access only the resources allowed by the authorized policy group. If the AAA server does not authorize the user to use a policy group, the user can access only the resources allowed by the default policy group.

Examples

# Create a policy group named pg1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1]

Related commands

default-policy-group

port-forward

Use port-forward to create a port forwarding list for an SSL VPN context and enter its view, or enter the view of an existing port forwarding list.

Use undo port-forward to delete a port forwarding list.

Syntax

port-forward port-forward-name

undo port-forward port-forward-name

Default

No port forwarding lists exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

port-forward-name: Specifies a name for the port forwarding list, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Port forwarding lists provide TCP access services for SSL VPN users.

A port forwarding list can contain multiple port forwarding items. Each port forwarding item defines an accessible TCP service provided on an internal server.

You can assign a port forwarding list to a policy group by using the resources port-forward command. After the AAA server authorizes a user to use a policy group, the SSL VPN Web page provides the user the port forwarding list assigned to the group. The user can access the TCP services provided by the port forwarding list.

Examples

# Create port forwarding list pflist1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward pflist1

[Sysname-sslvpn-context-ctx1-port-forward-pflist1]

Related commands

local-port

resources port-forward

port-forward-item

Use port-forward-item to create a port forwarding item and enter its view, or enter the view of an existing port forwarding item.

Use undo port-forward-item to delete a port forwarding item.

Syntax

port-forward-item item-name

undo port-forward-item item-name

Default

No port forwarding items exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

item-name: Specifies a name for the port forwarding item, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A port forwarding item defines an accessible TCP service provided on an internal server. It contains the following settings:

·     A port forwarding instance.

A port forwarding instance is configured by using the local-port command. It makes an internal TCP service accessible through a local address and port number on the SSL VPN client.

·     (Optional.) A resource link.

A resource link is configured by using the execution command.

After you configure a resource link for a port forwarding item, the port forwarding item name will be displayed on the SSL VPN Web page as a link. You can click the link to access the resource directly.

Make sure the resource link matches the TCP service specified by the port forwarding instance.

After you create a port forwarding item, you can assign it to a port forwarding list by using the resources port-forward-item command.

Examples

# Create a port forwarding item named pfitem1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1

[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1]

Related commands

execution

local-port

resources port-forward-item
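The port forwarding item and its port forwarding instance described above, as an added Python model that is not Comware or iNode code: a listener on a local address and port on the client relays each TCP connection to the internal server's TCP service, so the application talks to 127.0.0.1 and never to the server directly. The real client carries the relayed bytes through the SSL tunnel to the gateway, which opens the connection to the internal server; this illustration relays directly to a constructed echo service so that it runs offline. PortForwardItem, start_forwarder, round_trip and the echo service are the example's own names, and the two-way relay with half-close propagation is how a local forwarder has to behave for the remote side to see end of stream.

```python
"""Model of what a port forwarding instance does on the SSL VPN client: a
listener on a local address and port relays each TCP connection to the TCP
service of an internal server. The real client sends the relayed bytes through
the SSL tunnel to the gateway; this added illustration relays directly to a
constructed echo service so it runs offline. Not Comware or iNode code."""
import socket
import threading
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForwardItem:
    """One port forwarding item: local listener (what local-port configures) -> internal service."""
    name: str
    local_addr: str        # 127.0.0.1 keeps the listener off the client's LAN interfaces
    local_port: int        # 0 lets the OS pick a free port (convenient for the demo)
    remote_host: str
    remote_port: int


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src closes, then half-close dst so EOF propagates."""
    try:
        for chunk in iter(lambda: src.recv(4096), b""):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, item: PortForwardItem) -> None:
    try:
        upstream = socket.create_connection((item.remote_host, item.remote_port), timeout=5)
    except OSError:
        client.close()                 # internal service unreachable: drop the local connection
        return
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def _serve(listener: socket.socket, handler) -> None:
    """Accept loop; ends when the listening socket is closed."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def start_forwarder(item: PortForwardItem) -> tuple:
    """Open the local listener for the item; returns (socket, bound local port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((item.local_addr, item.local_port))
    srv.listen(8)
    threading.Thread(target=_serve, args=(srv, lambda c: _relay(c, item)), daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_service() -> tuple:
    """Constructed stand-in for the internal TCP service: echoes its input."""
    def echo(conn):
        with conn:
            for chunk in iter(lambda: conn.recv(4096), b""):
                conn.sendall(chunk)
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    threading.Thread(target=_serve, args=(srv, echo), daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(local_port: int, payload: bytes) -> bytes:
    """What an application on the client does: talk to 127.0.0.1:local_port, not to the server."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))


def demo(payload: bytes = b"hello through pfitem1") -> bytes:
    """Bring up the echo service and the forwarding item, send once through the local port."""
    echo, echo_port = start_echo_service()
    fwd, local_port = start_forwarder(PortForwardItem("pfitem1", "127.0.0.1", 0, "127.0.0.1", echo_port))
    try:
        return round_trip(local_port, payload)
    finally:
        fwd.close()
        echo.close()
```

Binding the listener to 127.0.0.1 matters: a forwarding instance bound to 0.0.0.0 would let other hosts on the client's LAN reach the internal service through the user's tunnel.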

reset counters interface sslvpn-ac

Use reset counters interface sslvpn-ac to clear SSL VPN AC interface statistics.

Syntax

reset counters interface [ sslvpn-ac [ interface-number ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface-number: Specifies the number of an SSL VPN AC interface, in the range of 0 to 4095.

Usage guidelines

Use this command to clear old statistics so you can observe new traffic statistics on an SSL VPN AC interface.

·     If you do not specify any parameters, this command clears statistics for all interfaces.

·     If you specify the sslvpn-ac keyword without the interface-number argument, this command clears statistics for all existing SSL VPN AC interfaces.

·     If you specify both the sslvpn-ac keyword and the interface-number argument, this command clears statistics for the specified SSL VPN AC interface.

Examples

# Clear statistics for SSL VPN AC 1000.

<Sysname> reset counters interface sslvpn-ac 1000

Related commands

display interface sslvpn-ac

reset sslvpn ip-tunnel statistics

Use reset sslvpn ip-tunnel statistics to clear packet statistics for IP access users.

Syntax

reset sslvpn ip-tunnel statistics [ context context-name [ session session-id ] ]

Views

User view

Predefined user roles

network-admin

Parameters

context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN context, this command clears packet statistics for IP access users in all SSL VPN contexts.

session session-id: Specifies a session by its ID in the range of 1 to 4294967295. If you do not specify a session, this command clears packet statistics for all IP access users in the specified SSL VPN context.

Usage guidelines

To view the SSL VPN sessions in different SSL VPN contexts, execute the display sslvpn session command.

If you do not specify any parameters, this command clears packet statistics for all IP access users in all SSL VPN contexts.

Examples

# Clear the IP access packet statistics of session 1 in SSL VPN context ctx.

<Sysname> reset sslvpn ip-tunnel statistics context ctx session 1

Related commands

display sslvpn ip-tunnel statistics

display sslvpn session

resources port-forward

Use resources port-forward to associate a port forwarding list with an SSL VPN policy group.

Use undo resources port-forward to remove the association.

Syntax

resources port-forward port-forward-name

undo resources port-forward

Default

No port forwarding list is associated with an SSL VPN policy group.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

port-forward-name: Specifies the name of an existing port forwarding list. A port forwarding list name is a case-insensitive string of 1 to 31 characters.

Usage guidelines

After the AAA server authorizes an SSL VPN user to use a policy group, the TCP access services provided by the associated port forwarding list are authorized to the user.

Examples

# Associate port forwarding list pflist1 with policy group pg1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources port-forward pflist1

Related commands

local-port

port-forward

resources port-forward-item

Use resources port-forward-item to assign a port forwarding item to a port forwarding list.

Use undo resources port-forward-item to remove a port forwarding item from a port forwarding list.

Syntax

resources port-forward-item item-name

undo resources port-forward-item item-name

Default

A port forwarding list does not contain any port forwarding items.

Views

Port forwarding list view

Predefined user roles

network-admin

Parameters

item-name: Specifies a port forwarding item by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Before you assign a port forwarding item to a port forwarding list, make sure the port forwarding item has been created by using the port-forward-item command.

You can assign multiple port forwarding items to a port forwarding list.

Examples

# Create a port forwarding item named pfitem1, and then assign it to port forwarding list pflist1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] port-forward-item pfitem1

[Sysname-sslvpn-context-ctx1-port-forward-item-pfitem1] quit

[Sysname-sslvpn-context-ctx1] port-forward pflist1

[Sysname-sslvpn-context-ctx1-port-forward-pflist1] resources port-forward-item pfitem1

Related commands

port-forward-item

resources shortcut

Use resources shortcut to assign a shortcut to a shortcut list.

Use undo resources shortcut to remove a shortcut from a shortcut list.

Syntax

resources shortcut shortcut-name

undo resources shortcut shortcut-name

Default

A shortcut list does not contain any shortcuts.

Views

Shortcut list view

Predefined user roles

network-admin

Parameters

shortcut-name: Specifies a shortcut by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can assign multiple shortcuts to a shortcut list.

Examples

# Assign shortcut shortcut1 to shortcut list list1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut shortcut1

[Sysname-sslvpn-context-ctx1-shortcut-shortcut1] quit

[Sysname-sslvpn-context-ctx1] shortcut-list list1

[Sysname-sslvpn-context-ctx1-shortcut-list-list1] resources shortcut shortcut1

resources shortcut-list

Use resources shortcut-list to assign a shortcut list to an SSL VPN policy group.

Use undo resources shortcut-list to restore the default.

Syntax

resources shortcut-list list-name

undo resources shortcut-list

Default

An SSL VPN policy group does not contain a shortcut list.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

list-name: Specifies a shortcut list by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can assign only one shortcut list to an SSL VPN policy group. After the AAA server authorizes a user to use a policy group, the SSL VPN Web page provides the user the shortcut list assigned to the group. The user can click a shortcut to access the associated resource.

If you execute this command for an SSL VPN policy group multiple times, the most recent configuration takes effect.

Examples

# Assign shortcut list list1 to SSL VPN policy group pg1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut-list list1

[Sysname-sslvpn-context-ctx1-shortcut-list-list1] quit

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources shortcut-list list1

resources url-list

Use resources url-list to specify a URL list for an SSL VPN policy group.

Use undo resources url-list to remove the configuration.

Syntax

resources url-list url-list-name

undo resources url-list

Default

No URL list is specified for an SSL VPN policy group.

Views

SSL VPN policy group view

Predefined user roles

network-admin

Parameters

url-list-name: Specifies the name of an existing URL list. A URL list name is a case-insensitive string of 1 to 31 characters.

Usage guidelines

In Web access mode, a remote user can use a Web browser to access URL resources in the URL list specified for the authorized SSL VPN policy group.

Examples

# Specify URL list url1 for policy group pg1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] policy-group pg1

[Sysname-sslvpn-context-ctx1-policy-group-pg1] resources url-list url1

Related commands

policy-group

sslvpn context

url-list

rewrite-rule

Use rewrite-rule to create a rewrite rule and enter its view, or enter the view of an existing rewrite rule.

Use undo rewrite-rule to delete a rewrite rule.

Syntax

rewrite-rule rule-name

undo rewrite-rule rule-name

Default

No rewrite rules exist.

Views

File policy view

Predefined user roles

network-admin

Parameters

rule-name: Specifies a rule name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can configure multiple rewrite rules in a file policy.

Examples

# Create a rewrite rule named rule1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] rewrite-rule rule1

[Sysname-sslvpn-context-ctx-file-policy-fp-rewrite-rule-rule1]

rule

Use rule to create a rule for a URI ACL.

Use undo rule to remove a rule from a URI ACL.

Syntax

rule [ rule-id ] { deny | permit } uri uri-pattern-string

undo rule rule-id

Default

No URI ACL rules exist in a URI ACL.

Views

URI ACL view

Predefined user roles

network-admin

Parameters

deny: Denies matching packets.

permit: Permits matching packets.

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an ACL rule, the system automatically assigns it a rule ID. The numbering step is 5 for automatic numbering of rule IDs. An automatically assigned rule ID takes the nearest multiple of 5 higher than the current highest rule ID. For example, if the current highest rule ID is 28, the rule is numbered 30.

uri uri-pattern-string: Specifies a URI pattern. The URI pattern can contain a maximum of 256 characters in the format of protocol://host:port/path, where protocol and host are required. See Table 126 for descriptions of the fields in a URI pattern.

Table 126 URI field descriptions

Field

Description

protocol

Protocol name. Options are:

·     http.

·     https.

·     tcp.

·     udp.

·     icmp.

·     ip.

host

Domain name or address of a host.

·     Valid host address formats:

¡     IPv4 or IPv6 address. For example, 192.168.1.1.

¡     IPv4 or IPv6 address range in the format of start address-end address. For example, 3.3.3.1-3.3.3.200.

¡     IPv4 address with a mask length or IPv6 address with a prefix length. For example, 2.2.2.2/24.

¡     A combination of the preceding host address formats separated by comma (,). For example, 192.168.1.1,3.3.3.1-3.3.3.200,2.2.2.2/24.

·     Valid domain name formats:

¡     Fully qualified domain name. For example, www.domain.com

¡     Domain name with the following wildcard characters:
Asterisk (*)—Matches zero or more characters. For example, *.com.
Question mark (?)—Matches one character. For example, www.do?main.com.
Percent sign (%)—Matches one or more characters in a field of the domain name. For example, www.%.com.

port

Port number. If no port number is specified, the default port number of the protocol is used.

Valid formats for this field:

·     Single port number. For example, 1002.

·     Port number range in the format of start port-end port. For example, 8080-8088.

·     A combination of the preceding formats separated by commas (,). For example, 1002,90,8080-8088.

path

String that identifies a directory or file on the host. The path is a sequence of fields separated by forward or backward slashes.

The following wildcard characters are supported:

·     Asterisk (*)—Matches zero or more characters. For example, /path1/*.

·     Question mark (?)—Matches one character. For example, /path?/.

·     Percent sign (%)—Matches one or more characters in a field of the path. For example, /path1/%/.

 

Usage guidelines

You can add multiple rules to a URI ACL. The device matches a packet against the rules in ascending order of rule ID. The match process stops once a matching rule is found.

Examples

# Add a rule to URI ACL uriacla.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] uri-acl uriacla

[Sysname-sslvpn-context-abc-uri-acl-uriacla] rule 1 permit uri
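The matching rules of Table 126 and the usage guidelines above (ascending rule-ID order, first match wins, automatic IDs on the next multiple of 5), as an added Python model that is not Comware code. UriAcl, Rule, build_example_acl and the sample hosts and addresses are the example's own. Where the reference is silent the code marks an assumption: the first automatic ID in an empty ACL is taken to be 0, the protocol field is compared exactly, a pattern with no port for tcp/udp/icmp/ip matches any port, an IPv6 host in a pattern is written in brackets, and names are not resolved to addresses. A URI ACL built this way is what the uri-acl command creates and what a URL list entry references with its uri-acl keyword.

```python
"""Model of URI ACL matching as documented for the rule command (Table 126):
protocol://host:port/path patterns with addresses, ranges, address/len blocks,
comma lists, the *, ? and % wildcards, default ports, step-5 automatic rule
IDs and first-match evaluation in ascending ID order. Added illustration, not
Comware code; where the reference is silent the assumptions are marked."""
import ipaddress
import re
from typing import Optional

PROTOCOLS = {"http", "https", "tcp", "udp", "icmp", "ip"}
DEFAULT_PORT = {"http": 80, "https": 443}   # no default listed for tcp/udp/icmp/ip: any port (assumption)
_PORT_SPEC = re.compile(r"^[\d,\-]+$")
_PATH_START = re.compile(r"/(?!\d{1,3}(?:[,:]|$))")   # first "/" that is not a mask length such as /16
_WILD = {"*": ".*", "?": "."}


def _glob(pattern: str, seps: str) -> re.Pattern:
    """* -> any run, ? -> one char, % -> one or more chars that stay inside a single field."""
    field = "[^" + re.escape(seps) + "]+"
    return re.compile("".join(_WILD.get(c, field if c == "%" else re.escape(c)) for c in pattern), re.IGNORECASE)


def _parse_host(part: str):
    """Address, start-end range or address/len as (lo, hi, version); otherwise a domain glob."""
    try:
        if "/" in part:
            net = ipaddress.ip_network(part, strict=False)   # 2.2.2.2/24 means 2.2.2.0/24
            return int(net[0]), int(net[-1]), net.version
        lo, _, hi = part.partition("-")
        a, b = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
    except ValueError:
        return _glob(part, ".")                               # domain name: the labels are its fields
    if a.version != b.version or int(b) < int(a):
        raise ValueError("bad address range: " + part)
    return int(a), int(b), a.version


class Rule:
    def __init__(self, rule_id: int, action: str, pattern: str):
        self.rule_id, self.action, self.pattern = rule_id, action, pattern
        proto, sep, rest = pattern.partition("://")
        self.protocol = proto.lower()
        if not sep or self.protocol not in PROTOCOLS:
            raise ValueError("protocol and host are required: " + pattern)
        m = _PATH_START.search(rest)
        hostport = rest[:m.start()] if m else rest
        if hostport.startswith("["):                          # [IPv6]:port, bracketed (assumption)
            host, _, port = hostport[1:].partition("]")
            port = port.lstrip(":")
        else:
            host, colon, port = hostport.rpartition(":")
            if not colon or not _PORT_SPEC.match(port):
                host, port = hostport, ""
        if not host:
            raise ValueError("host is required: " + pattern)
        self.hosts = [_parse_host(h) for h in host.split(",")]
        if port:                                              # 1002,90,8080-8088 -> list of (lo, hi)
            self.ports = [(int(lo), int(hi or lo)) for lo, _, hi in (p.partition("-") for p in port.split(","))]
        else:
            self.ports = [(DEFAULT_PORT[self.protocol],) * 2] if self.protocol in DEFAULT_PORT else None
        # No path in the pattern matches any path; "/" and "\" both separate path fields.
        self.path = _glob(rest[m.start():].replace("\\", "/"), "/") if m else None

    def matches(self, protocol: str, host: str, port: int, path: str) -> bool:
        if protocol.lower() != self.protocol:                 # exact protocol comparison (assumption)
            return False
        if self.ports is not None and not any(lo <= port <= hi for lo, hi in self.ports):
            return False
        if self.path is not None and not self.path.fullmatch(path.replace("\\", "/")):
            return False
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            addr = None                                       # a name; this model does not resolve DNS
        for h in self.hosts:
            if isinstance(h, re.Pattern):
                if addr is None and h.fullmatch(host):
                    return True
            elif addr is not None and h[2] == addr.version and h[0] <= int(addr) <= h[1]:
                return True
        return False


class UriAcl:
    """uri-acl view: rules kept in ascending rule-ID order."""

    def __init__(self, name: str):
        self.name, self.rules = name, []

    def add_rule(self, action: str, pattern: str, rule_id: Optional[int] = None) -> int:
        """rule [rule-id] { deny | permit } uri pattern. An omitted ID is the nearest
        multiple of 5 above the current highest (28 -> 30); 0 in an empty ACL (assumption)."""
        if rule_id is None:
            rule_id = (max(r.rule_id for r in self.rules) // 5 + 1) * 5 if self.rules else 0
        if not 0 <= rule_id <= 65534:
            raise ValueError("rule ID must be 0 to 65534")
        self.rules = sorted([r for r in self.rules if r.rule_id != rule_id] + [Rule(rule_id, action, pattern)],
                            key=lambda r: r.rule_id)          # an existing ID is replaced (assumption)
        return rule_id

    def evaluate(self, protocol: str, host: str, port: int, path: str = "/") -> Optional[str]:
        """First matching rule in ascending ID order decides; None when nothing matches."""
        return next((r.action for r in self.rules if r.matches(protocol, host, port, path)), None)


def build_example_acl() -> UriAcl:
    """Constructed sample: one explicit low ID, then two automatically numbered rules."""
    acl = UriAcl("uriacla")
    acl.add_rule("deny", "http://intranet.example.com/admin/*", rule_id=1)
    acl.add_rule("permit", "http://%.example.com:80,8080-8088/*")        # automatic ID 5
    acl.add_rule("permit", "tcp://10.0.0.1-10.0.0.100,10.1.0.0/16:22")   # automatic ID 10
    return acl
```

Two points the model makes visible: % and * are not interchangeable (%.example.com matches intranet.example.com but not www.sub.example.com, which *.example.com does match), and because evaluation stops at the first match, a deny for /admin/* has to carry a lower rule ID than the broad permit or it never fires. evaluate returns None when no rule matches; the reference does not state what the device does in that case, so the caller decides.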

service enable (SSL VPN context view)

Use service enable to enable an SSL VPN context.

Use undo service enable to disable an SSL VPN context.

Syntax

service enable

undo service enable

Default

An SSL VPN context is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Examples

# Enable SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] service enable

Related commands

display sslvpn context

service enable (SSL VPN gateway view)

Use service enable to enable an SSL VPN gateway.

Use undo service enable to disable an SSL VPN gateway.

Syntax

service enable

undo service enable

Default

An SSL VPN gateway is disabled.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Examples

# Enable SSL VPN gateway gw1.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1] service enable

Related commands

display sslvpn gateway

session-connections

Use session-connections to set the maximum number of connections allowed per session.

Use undo session-connections to restore the default.

Syntax

session-connections number

undo session-connections

Default

A maximum of 64 connections are allowed per session.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

number: Specifies the maximum number of connections allowed per session. The value can be 0 or in the range of 10 to 1000. Value 0 indicates that the number of connections per session is not limited.

Usage guidelines

If the number of connections in a session has reached the maximum, new connection requests for the session will be rejected with a 503 Service Unavailable message.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the maximum number of connections allowed per session to 10.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] session-connections 10

shortcut

Use shortcut to create a shortcut and enter its view, or enter the view of an existing shortcut.

Use undo shortcut to delete a shortcut.

Syntax

shortcut shortcut-name

undo shortcut shortcut-name

Default

No shortcuts exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

shortcut-name: Specifies a shortcut name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

After you create a shortcut, use the execution command to configure a resource link for it. Users can then click the shortcut name on the SSL VPN Web page to access the associated resource.

Examples

# Create a shortcut named shortcut1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut shortcut1

[Sysname-sslvpn-context-ctx1-shortcut-shortcut1]

shortcut-list

Use shortcut-list to create a shortcut list and enter its view, or enter the view of an existing shortcut list.

Use undo shortcut-list to delete a shortcut list.

Syntax

shortcut-list list-name

undo shortcut-list list-name

Default

No shortcut lists exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

list-name: Specifies a name for the shortcut list, a case-insensitive string of 1 to 31 characters.

Examples

# Create a shortcut list named list1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] shortcut-list list1

[Sysname-sslvpn-context-ctx1-shortcut-list-list1]

shutdown

Use shutdown to shut down an SSL VPN AC interface.

Use undo shutdown to bring up an SSL VPN AC interface.

Syntax

shutdown

undo shutdown

Default

An SSL VPN AC interface is up.

Views

SSL VPN AC interface view

Predefined user roles

network-admin

Examples

# Shut down SSL VPN AC 1000.

<Sysname> system-view

[Sysname] interface sslvpn-ac 1000

[Sysname-SSLVPN-AC1000] shutdown

sms-imc address

Use sms-imc address to specify an IMC server for SMS message verification.

Use undo sms-imc address to restore the default.

Syntax

sms-imc address ip-address port port-number [ vpn-instance vpn-instance-name ]

undo sms-imc address

Default

No IMC server is specified for SMS message verification.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of the IMC server, in dotted decimal notation.

port port-number: Specifies the port number of the IMC server, in the range of 0 to 65535.

vpn-instance vpn-instance-name: Specifies the VPN instance to which the IMC server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. Do not specify this option if the IMC server is on the public network.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify an IMC server (with IP address 192.168.10.1 and port 2000) in VPN instance vpn1 for SMS message verification of users in SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] sms-imc address 192.168.10.1 port 2000 vpn-instance vpn1

Related commands

sms-imc enable

sms-imc enable

Use sms-imc enable to enable IMC SMS message verification.

Use undo sms-imc enable to disable IMC SMS message verification.

Syntax

sms-imc enable

undo sms-imc enable

Default

IMC SMS message verification is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

Before you execute this command, make sure SMS message verification has been configured on the IMC server.

In IP access mode, the authentication process for an SSL VPN user using an iNode client is as follows:

1.     The iNode client sends a user login request to the SSL VPN gateway.

2.     The SSL VPN gateway obtains the verification code request from the login request and sends the verification code request to the IMC server.

3.     The IMC server sends a verification code to the user through an SMS message and sends a reply to the SSL VPN gateway.

4.     The SSL VPN gateway sends the reply to the iNode client.

5.     The user enters the username, password, and the received verification code on the login page to pass authentication through the IMC server.

Examples

# Enable IMC SMS message verification.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] sms-imc enable

Related commands

sms-imc address

ssl client-policy

Use ssl client-policy to apply an SSL client policy to an SSL VPN context.

Use undo ssl client-policy to restore the default.

Syntax

ssl client-policy policy-name

undo ssl client-policy

Default

In non-FIPS mode, the default SSL client policy for SSL VPN is used. This policy supports the dhe_rsa_aes_128_cbc_sha, dhe_rsa_aes_256_cbc_sha, rsa_3des_ede_cbc_sha, rsa_aes_128_cbc_sha, and rsa_aes_256_cbc_sha cipher suites.

In FIPS mode, the default SSL client policy for SSL VPN is used. This policy supports the rsa_aes_128_cbc_sha and rsa_aes_256_cbc_sha cipher suites.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can apply only one SSL client policy to an SSL VPN context. For the applied SSL client policy to take effect, you must enable the SSL VPN context by using the service enable command. The SSL VPN gateway uses the parameters defined by the policy to establish SSL connections to HTTPS servers. The default policy includes the rsa_3des_ede_cbc_sha cipher suite; if the internal HTTPS servers support stronger suites, apply an SSL client policy that omits it.

If you execute this command multiple times, the new configuration overwrites the previous configuration, but does not take effect. For the new configuration to take effect, disable the SSL VPN context and then re-enable it.

For information about configuring SSL client policies, see Security Configuration Guide.

Examples

# Apply SSL client policy abc to SSL VPN context ctx1.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] ssl client-policy abc

ssl server-policy

Use ssl server-policy to apply an SSL server policy to an SSL VPN gateway.

Use undo ssl server-policy to remove the application.

Syntax

ssl server-policy policy-name

undo ssl server-policy

Default

An SSL VPN gateway uses the SSL server policy associated with its self-signed certificate.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the name of an SSL server policy, a case-insensitive string of 1 to 31 characters.

Usage guidelines

You can apply only one SSL server policy to an SSL VPN gateway. For the applied SSL server policy to take effect, you must enable the SSL VPN gateway by using the service enable command. The SSL VPN gateway uses the parameters defined by the policy to establish SSL connections to remote users. With the default policy, remote users are presented with the gateway's self-signed certificate, which their browsers and clients cannot validate against a trusted CA; for a production gateway, apply a policy that uses a CA-issued certificate.

If you execute this command multiple times, the new configuration overwrites the previous configuration, but does not take effect. For the new configuration to take effect, disable the SSL VPN gateway and then enable the SSL VPN gateway.

Examples

# Apply SSL server policy CA_CERT to SSL VPN gateway gw1.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1] ssl server-policy CA_CERT

Related commands

display sslvpn gateway

service enable

sslvpn context

Use sslvpn context to create an SSL VPN context and enter its view, or enter the view of an existing SSL VPN context.

Use undo sslvpn context to delete an SSL VPN context.

Syntax

sslvpn context context-name

undo sslvpn context context-name

Default

No SSL VPN contexts exist.

Views

System view

Predefined user roles

network-admin

Parameters

context-name: Specifies an SSL VPN context name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

Each SSL VPN context has its own user sessions, accessible resources, and user authentication methods.

An SSL VPN gateway can be associated with multiple SSL VPN contexts. After a remote user logs in to an SSL VPN gateway, the user can access only the resources in the SSL VPN context to which the user belongs.

Examples

# Create an SSL VPN context named ctx1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1]

Related commands

display sslvpn context

sslvpn gateway

Use sslvpn gateway to create an SSL VPN gateway and enter its view, or enter the view of an existing SSL VPN gateway.

Use undo sslvpn gateway to delete an SSL VPN gateway.

Syntax

sslvpn gateway gateway-name

undo sslvpn gateway gateway-name

Default

No SSL VPN gateways exist.

Views

System view

Predefined user roles

network-admin

Parameters

gateway-name: Specifies an SSL VPN gateway name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).

Usage guidelines

An SSL VPN gateway resides between remote users and the enterprise network to ensure secure access of remote users to the enterprise internal network. The SSL VPN gateway establishes an SSL connection to a remote user, and then authenticates the user before allowing the user to access an internal server.

You must perform the following tasks in the view of an SSL VPN gateway:

·     Execute the ip address command to configure an IP address and a port number for the SSL VPN gateway.

·     Execute the ssl server-policy command to apply an SSL server policy to the SSL VPN gateway.

·     Execute the service enable command to enable the SSL VPN gateway.

You cannot delete an SSL VPN gateway that has been associated with an SSL VPN context. To delete the SSL VPN gateway, execute the undo gateway command to remove the association and then execute the undo sslvpn gateway command.

Examples

# Create an SSL VPN gateway named gw1 and enter its view.

<Sysname> system-view

[Sysname] sslvpn gateway gw1

[Sysname-sslvpn-gateway-gw1]

Related commands

display sslvpn gateway

sslvpn ip address-pool

Use sslvpn ip address-pool to create an address pool.

Use undo sslvpn ip address-pool to delete an address pool.

Syntax

sslvpn ip address-pool pool-name start-ip-address end-ip-address

undo sslvpn ip address-pool pool-name

Default

No address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

pool-name: Specifies a name for the address pool, a case-insensitive string of 1 to 31 characters.

start-ip-address end-ip-address: Specifies the start IP address and end IP address for the pool. The end IP address must be greater than the start IP address. The start IP address and end IP address cannot be a multicast, broadcast, or loopback address.

Usage guidelines

An SSL VPN gateway uses address pools to assign IP addresses to IP access clients.

To specify an address pool for a policy group, you must first create the address pool by using this command.

Examples

# Create an address pool named pool1 and specify the address range as 10.1.1.1 to 10.1.1.254.

<Sysname> system-view

[Sysname] sslvpn ip address-pool pool1 10.1.1.1 10.1.1.254

sslvpn log enable

Use sslvpn log enable to enable the SSL VPN global logging feature.

Use undo sslvpn log enable to disable the SSL VPN global logging feature.

Syntax

sslvpn log enable

undo sslvpn log enable

Default

The SSL VPN global logging feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This feature logs the following global events:

·     SSL VPN access failures caused by SSL VPN contexts that are not associated with a gateway.

·     SSL VPN access failures caused by SSL VPN contexts that are not enabled.

The logs are sent to the information center of the device. For the logs to be output correctly, you must configure the information center on the device. For more information about the information center, see Network Management and Monitoring Configuration Guide.

Examples

# Enable the SSL VPN global logging feature.

<Sysname> system-view

[Sysname] sslvpn log enable

timeout idle

Use timeout idle to set the idle timeout timer for SSL VPN sessions.

Use undo timeout idle to restore the default.

Syntax

timeout idle minutes

undo timeout idle

Default

The idle timeout timer is 30 minutes for SSL VPN sessions.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

minutes: Specifies the idle timeout timer in the range of 1 to 1440 minutes.

Usage guidelines

If the idle time of an SSL VPN session exceeds the specified idle timeout time, the session is terminated.

Examples

# Set the idle timeout timer to 50 minutes for SSL VPN sessions.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] timeout idle 50

Related commands

display sslvpn policy-group

title

Use title to configure a title to be displayed on SSL VPN webpages.

Use undo title to restore the default.

Syntax

title { chinese chinese-title | english english-title }

undo title { chinese | english }

Default

The title is SSL VPN.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

chinese chinese-title: Configures a title in Chinese, a case-sensitive string of 1 to 255 characters.

english english-title: Configures a title in English, a case-sensitive string of 1 to 255 characters.

Examples

# Configure the title as SSL VPN service for company A.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] title english SSL VPN service for company A

uri-acl

Use uri-acl to create a URI ACL and enter its view, or enter the view of an existing URI ACL.

Use undo uri-acl to delete a URI ACL.

Syntax

uri-acl uri-acl-name

undo uri-acl uri-acl-name

Default

No URI ACLs exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

uri-acl-name: Specifies a name for the URI ACL, a case-insensitive string of 1 to 31 characters.

Usage guidelines

A URI ACL is a set of rules that permit or deny access to resources. You can use URI ACLs for IP, TCP, and Web access filtering of SSL VPN users.

You can create multiple URI ACLs in an SSL VPN context.

Examples

# Create a URI ACL named uriacla and enter its view.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] uri-acl uriacla

[Sysname-sslvpn-context-abc-uri-acl-uriacla]

url (file policy view)

Use url to specify the URL of the Web page file to be rewritten in a file policy.

Use undo url to restore the default.

Syntax

url url

undo url

Default

No file URL is specified in a file policy.

Views

File policy view

Predefined user roles

network-admin

Parameters

url: Specifies the complete file path, a case-insensitive string of 1 to 256 characters.

Usage guidelines

A file policy can be used to modify only the Web page file whose URL is the same as the URL configured in the policy.

A file URL is in the format of scheme://user:password@host:port/path. Table 127 describes the fields in the file URL.

Table 127 URL field descriptions

Field

Description

scheme

Protocol type. Options include http and https.

user:password

Username and password used to access the file.

host

Host name or IP address of the server where the file resides.

To specify an IPv6 address, enclose the IPv6 address in brackets. For example, http://[1234::5678]:8080/a.html.

port

Port number on which the server listens for resource access requests.

If you do not specify a port number, the default port number of the protocol is used, which is 80 for HTTP and 443 for HTTPS.

path

Local path of the file on the server.

 

You can specify only one file URL in a file policy. In the same SSL VPN context, the URL specified for each file policy must be unique.

Examples

# Specify a file URL for file policy fp.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] file-policy fp

[Sysname-sslvpn-context-ctx-file-policy-fp] url http://192.168.1.1:8080/js/test.js

url (URL list view)

Use url to add a URL entry to a URL list.

Use undo url to remove a URL entry from a URL list.

Syntax

url name url-value url [ uri-acl uri-acl-name ]

undo url name

Default

No URL entries exist in a URL list.

Views

URL list view

Predefined user roles

network-admin

Parameters

name: Specifies a name for the URL entry, a case-insensitive string of 1 to 31 characters.

url-value url: Specifies a URL, a case-insensitive string of 1 to 253 characters in the format of protocol://host:port/path.

Table 128 describes the fields in a URL.

Table 128 URL field descriptions

Field

Description

protocol

Protocol name. Options are:

·     http.

·     https.

If you do not specify a protocol name, the default protocol (HTTP) is used.

host

Domain name or IP address of a host.

To specify an IPv6 address, enclose the IPv6 address in brackets. For example, http://[1234::5678]:8080.

port

Port number.

If you do not specify a port number, the default port number of the protocol is used, which is 80 for HTTP and 443 for HTTPS.

path

Path to the resources on the host.

 

uri-acl uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. Only the resources permitted by the URI ACL are available to users. If you do not specify a URI ACL, all resources in the specified URL are available to users.

Usage guidelines

You can add multiple URL entries to a URL list, and each URL entry must be associated with a unique URL.
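As an added example (not H3C code), the following Python parser applies the URL rules from Table 127 (file-policy URLs, which may carry user:password) and Table 128 (URL-list entries, which default to HTTP) and enforces the one-unique-URL-per-entry rule above; the UrlList class and the canonical form it uses for the uniqueness comparison are this example's own assumptions.

```python
"""Parse and validate SSL VPN URL strings of the form scheme://user:password@host:port/path.
Added example, not H3C code: it applies the rules this reference states (http/https
only, default port 80/443, IPv6 host in brackets, URL-list entries default to HTTP,
length limits, one unique URL per URL-list entry); the canonical form used for the
uniqueness comparison is this example's own assumption."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_PORTS = {"http": 80, "https": 443}

# scheme and user:password are optional so one pattern serves both URL kinds;
# an IPv6 host is accepted only in brackets, as the reference requires.
_URL_RE = re.compile(
    r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?"
    r"(?:(?P<user>[^:@/]*):(?P<password>[^@/]*)@)?"
    r"(?P<host>\[[0-9a-f:.]+\]|[^:/@\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/.*)?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ParsedUrl:
    scheme: str
    host: str
    port: int
    path: str
    user: Optional[str] = None
    password: Optional[str] = None

    def canonical(self) -> str:
        """Comparison key for uniqueness: explicit scheme and port, no credentials."""
        return f"{self.scheme}://{self.host}:{self.port}{self.path}"


def parse_url(url: str, *, max_len: int, allow_credentials: bool) -> ParsedUrl:
    """max_len is 256 for a file-policy URL and 253 for a URL-list entry;
    only a file-policy URL may carry user:password."""
    if not 1 <= len(url) <= max_len:
        raise ValueError(f"URL length must be 1 to {max_len} characters")
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"malformed URL: {url!r}")
    scheme = (m.group("scheme") or "http").lower()   # URL-list default is HTTP
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol {scheme!r}; use http or https")
    if m.group("user") is not None and not allow_credentials:
        raise ValueError("user:password is only valid in a file-policy URL")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS[scheme]
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ParsedUrl(scheme, m.group("host").lower(), port, m.group("path") or "/",
                     m.group("user"), m.group("password"))


class UrlList:
    """Model of a URL list: entry names are case-insensitive and each entry's
    URL must be unique within the list."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[str, Tuple[ParsedUrl, Optional[str]]] = {}

    def add(self, entry_name: str, url: str, uri_acl: Optional[str] = None) -> ParsedUrl:
        if not 1 <= len(entry_name) <= 31:
            raise ValueError("entry name must be 1 to 31 characters")
        key = entry_name.lower()
        parsed = parse_url(url, max_len=253, allow_credentials=False)
        for other_key, (other, _) in self.entries.items():
            if other_key != key and other.canonical() == parsed.canonical():
                raise ValueError(f"URL already used by entry {other_key!r}")
        self.entries[key] = (parsed, uri_acl)   # uri_acl restricts what users may reach
        return parsed
```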

Examples

# Add a URL entry named abc to URL list url1, and specify the URL as www.abc.com.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-list url1

[Sysname-sslvpn-context-ctx1-url-list-url1] url abc url-value www.abc.com

# Add a URL entry named web1 to URL list web, specify the URL as http://www.abc.com, and apply URI ACL abc to the URL entry.

<Sysname> system-view

[Sysname] sslvpn context abc

[Sysname-sslvpn-context-abc] url-list web

[Sysname-sslvpn-context-abc-url-list-web] url web1 url-value http://www.abc.com uri-acl abc

# Add a URL entry named ipv6 to URL list url1 and specify the URL as http://[1234::5678]:8080.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-list url1

[Sysname-sslvpn-context-ctx1-url-list-url1] url ipv6 url-value http://[1234::5678]:8080

Related commands

sslvpn context

url-list

url-list

Use url-list to create a URL list and enter its view, or enter the view of an existing URL list.

Use undo url-list to delete a URL list.

Syntax

url-list name

undo url-list name

Default

No URL lists exist.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

name: Specifies a name for the URL list, a case-insensitive string of 1 to 31 characters.

Examples

# Create a URL list named url1 and enter URL list view.

<Sysname> system-view

[Sysname] sslvpn context ctx1

[Sysname-sslvpn-context-ctx1] url-list url1

[Sysname-sslvpn-context-ctx1-url-list-url1]

Related commands

sslvpn context

verify-code

Use verify-code enable to enable code verification.

Use undo verify-code enable to disable code verification.

Syntax

verify-code enable

undo verify-code enable

Default

Code verification is disabled.

Views

SSL VPN context view

Predefined user roles

network-admin

Usage guidelines

After code verification is enabled, a user must enter a correct verification code to log in to the SSL VPN webpage.

Examples

# Enable code verification.

<Sysname> system-view

[Sysname] sslvpn context ctx

[Sysname-sslvpn-context-ctx] verify-code enable

vpn-instance (SSL VPN context view)

Use vpn-instance to associate an SSL VPN context with a VPN instance.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

An SSL VPN context is associated with the public network.

Views

SSL VPN context view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies the name of a VPN instance, a case-sensitive string of 1 to 31 characters.

Usage guidelines

After you associate an SSL VPN context with a VPN instance, the resources managed by the context belong to the VPN instance.

An SSL VPN context can be associated with only one VPN instance.

You can associate an SSL VPN context with a nonexistent VPN instance. The context does not take effect until the associated VPN instance is created.

Examples

# Associate SSL VPN context context1 with VPN instance vpn1.

<Sysname> system-view

[Sysname] sslvpn context context1

[Sysname-sslvpn-context-context1] vpn-instance vpn1

vpn-instance (SSL VPN gateway view)

Use vpn-instance to specify the VPN instance for an SSL VPN gateway.

Use undo vpn-instance to restore the default.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

An SSL VPN gateway belongs to the public network.

Views

SSL VPN gateway view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies the name of a VPN instance, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance specified for an SSL VPN gateway is called a front VPN instance.

You can specify only one VPN instance for an SSL VPN gateway.

You can specify a nonexistent VPN instance for an SSL VPN gateway. The SSL VPN gateway does not take effect until the VPN instance is created.

Examples

# Specify VPN instance vpn1 for SSL VPN gateway gateway1.

<Sysname> system-view

[Sysname] sslvpn gateway gateway1

[Sysname-sslvpn-gateway-gateway1] vpn-instance vpn1


ASPF commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

aspf apply policy (interface view)

Use aspf apply policy to apply an ASPF policy to an interface.

Use undo aspf apply policy to remove an ASPF policy application from an interface.

Syntax

aspf apply policy aspf-policy-number { inbound | outbound }

undo aspf apply policy aspf-policy-number { inbound | outbound }

Default

No ASPF policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Specifies an ASPF policy number. The value range for this argument is 1 to 256.

inbound: Applies the ASPF policy to incoming packets.

outbound: Applies the ASPF policy to outgoing packets.

Usage guidelines

To inspect the traffic through an interface, you must apply a configured ASPF policy to that interface.

Make sure a connection initiation packet and its response packet pass through the same interface, because ASPF stores and maintains application layer protocol status per interface.

You can apply an ASPF policy to both the inbound and outbound directions of an interface.

Examples

# Apply ASPF policy 1 to the outbound direction of GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] aspf apply policy 1 outbound

Related commands

aspf policy

display aspf all

display aspf interface

aspf apply policy (zone pair view)

Use aspf apply policy to apply an ASPF policy to a zone pair.

Use undo aspf apply policy to remove an ASPF policy application from a zone pair.

Syntax

aspf apply policy aspf-policy-number

undo aspf apply policy aspf-policy-number

Default

The system applies the predefined ASPF policy to a zone pair when the zone pair is created.

Views

Zone pair view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Specifies an ASPF policy number, in the range of 1 to 256.

Usage guidelines

With the predefined policy, ASPF inspects FTP packets and packets of all transport layer protocols, but it does not perform ICMP error message check or the TCP SYN packet check.

The predefined ASPF policy cannot be modified. To change the ASPF policy application, define an ASPF policy and apply it to the zone pair.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Apply an ASPF policy to a zone pair.

<Sysname> system-view

[Sysname] security-zone name trust

[Sysname-security-zone-Trust] import interface gigabitethernet 1/0/1

[Sysname-security-zone-Trust] quit

[Sysname] security-zone name untrust

[Sysname-security-zone-Untrust] import interface gigabitethernet 1/0/2

[Sysname-security-zone-Untrust] quit

[Sysname] zone-pair security source trust destination untrust

[Sysname-zone-pair-security-Trust-Untrust] aspf apply policy 1

Related commands

aspf policy

display aspf all

zone-pair security (Fundamentals Command Reference)

aspf icmp-error reply

Use aspf icmp-error reply to enable the device to send ICMP error messages for packet dropping by security policies applied to zone pairs.

Use undo aspf icmp-error reply to restore the default.

Syntax

aspf icmp-error reply

undo aspf icmp-error reply

Default

The device does not send ICMP error messages when the device drops packets that do not match security policies applied to zone pairs.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Typically, to reduce useless packets transmitted over the network and save bandwidth, do not use this command.

However, you must use this command when you use traceroute, because traceroute depends on receiving ICMP error messages.

Examples

# Enable ICMP error message sending for packet dropping by security policies applied to zone pairs.

<Sysname> system-view

[Sysname] aspf icmp-error reply

aspf policy

Use aspf policy to create an ASPF policy and enter its view, or enter the view of an existing ASPF policy.

Use undo aspf policy to remove an ASPF policy.

Syntax

aspf policy aspf-policy-number

undo aspf policy aspf-policy-number

Default

No ASPF policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

aspf-policy-number: Assigns a number to the ASPF policy. The value range for this argument is 1 to 256.

Examples

# Create ASPF policy 1 and enter its view.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1]

Related commands

display aspf all

display aspf policy

detect

Use detect to configure ASPF inspection for an application layer protocol.

Use undo detect to restore the default.

Syntax

detect { dns [ action { drop | logging } * ] | { ftp | h323 | http | sccp | sip | smtp } [ action drop ] | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }

undo detect { dns | ftp | gtp | h323 | http | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | smtp | sqlnet | tftp | xdmcp }

Default

ASPF does not inspect application layer protocols. ASPF inspects only transport layer protocols.

Views

ASPF policy view

Predefined user roles

network-admin

Parameters

dns: Specifies DNS, an application layer protocol.

ftp: Specifies FTP, an application layer protocol.

gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.

h323: Specifies the H.323 protocol stack, a set of application layer protocols.

http: Specifies HTTP, an application layer protocol.

ils: Specifies Internet Locator Service (ILS), an application layer protocol.

mgcp: Specifies Media Gateway Control Protocol (MGCP), an application layer protocol.

nbt: Specifies NetBIOS over TCP/IP (NBT), an application layer protocol.

pptp: Specifies Point-to-Point Tunneling Protocol (PPTP), an application layer protocol.

rsh: Specifies Remote Shell (RSH), an application layer protocol.

rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.

sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.

sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.

smtp: Specifies SMTP, an application layer protocol.

sqlnet: Specifies SQLNET, an application layer protocol.

tftp: Specifies TFTP, an application layer protocol.

xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.

action: Specifies an action on the packets that do not pass the protocol status validity check. If you do not specify an action, ASPF does not perform the protocol status validity check, and it only maintains connection status information.

drop: Drops the packets that do not pass the protocol status validity check.

logging: Generates log messages for packets that do not pass the protocol status validity check.

Usage guidelines

This command is required to ensure successful data connections for multichannel protocols when either of the following conditions exists:

·     The ALG feature is disabled in other service modules (such as NAT).

·     Other service modules with the ALG feature (such as DPI) are not configured.

This command is optional for multichannel protocols if ALG is enabled in other service modules or other service modules with the ALG feature are configured.

Application protocols supported by this command (except HTTP, SMTP, and TFTP) are multichannel protocols.

Repeat the detect command to configure ASPF inspection for multiple application protocols.

ASPF inspection for transport layer protocols is always enabled and is not configurable. The supported transport layer protocols include TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP.

This command configures ASPF inspection for application layer protocols. For DNS, FTP, H.323, HTTP, SCCP, SIP, and SMTP, ASPF inspection also supports a protocol status validity check. The device handles packets with invalid protocol status according to the action you specify. To enable the protocol status validity check for an application protocol, you must specify the action keyword.

Examples

# Configure ASPF inspection for FTP packets.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] detect ftp

# Configure ASPF inspection for DNS packets, drop packets that fail protocol status validity check, and generate log messages for these packets.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] detect dns action drop logging

Related commands

display aspf policy

display aspf all

Use display aspf all to display the configuration of all ASPF policies and their applications.

Syntax

display aspf all

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the configuration of all ASPF policies and their applications.

<Sysname> display aspf all

ASPF policy configuration:

  Policy default:

    ICMP error message check: Disabled

    TCP SYN packet check: Disabled

    Inspected protocol    Action

      FTP                  None

  Policy number: 1

    ICMP error message check: Disabled

    TCP SYN packet check: Disabled

    Inspected protocol    Action

      FTP                  None

 

Interface configuration:

  GigabitEthernet1/0/1

    Inbound policy : 1

    Outbound policy: none

Table 129 Command output

Field

Description

Policy default

Predefined ASPF policy.

ICMP error message check

Whether ICMP error message check is enabled.

TCP SYN packet check

Whether TCP SYN check is enabled.

Inspected protocol

Protocols to be inspected by ASPF.

Action

Actions on the detected illegal packets:

·     Drop—Drops illegal packets.

·     Log—Generates log messages for illegal packets.

·     None—Allows illegal packets to pass.

If the protocol does not support the action configuration, this field displays a hyphen (-).

Interface configuration

Interfaces where ASPF policy is applied.

Inbound policy

Inbound ASPF policy number.

Outbound policy

Outbound ASPF policy number.

 

Related commands

aspf apply policy

aspf policy

display aspf policy

display aspf interface

Use display aspf interface to display ASPF policy application on interfaces.

Syntax

display aspf interface

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display ASPF policy application on interfaces.

<Sysname> display aspf interface

Interface configuration:

  GigabitEthernet1/0/1

    Inbound policy : 1

    Outbound policy: none

Table 130 Command output

Field

Description

Interface configuration

Interfaces where ASPF policy is applied.

Inbound policy

Inbound ASPF policy number.

Outbound policy

Outbound ASPF policy number.

 

Related commands

aspf apply policy

aspf policy

display aspf policy

Use display aspf policy to display the configuration of an ASPF policy.

Syntax

display aspf policy { aspf-policy-number | default }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

aspf-policy-number: Specifies the number of an ASPF policy. The value range for this argument is 1 to 256.

default: Specifies the predefined ASPF policy.

Examples

# Display the configuration of ASPF policy 1.

<Sysname> display aspf policy 1

ASPF policy configuration:

  Policy number: 1

    ICMP error message check: Disabled

    TCP SYN packet check: Enabled

    Inspected protocol   Action

     FTP                  Drop

     HTTP                 None

     RSH                  -

Table 131 Command output

Field

Description

ICMP error message check

Whether ICMP error message check is enabled.

TCP SYN packet check

Whether TCP SYN check is enabled.

Inspected protocol

Protocols to be inspected by ASPF.

Action

Actions on the detected illegal packets:

·     Drop—Drops illegal packets.

·     Log—Generates log messages for illegal packets.

·     None—Allows illegal packets to pass.

If the protocol does not support the action configuration, this field displays a hyphen (-).

 

Related commands

aspf policy

display aspf session

Use display aspf session to display ASPF sessions.

Syntax

Centralized devices in standalone mode:

display aspf session [ ipv4 | ipv6 ] [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display aspf session [ ipv4 | ipv6 ] [ slot slot-number ] [ verbose ]

Distributed devices in IRF mode:

display aspf session [ ipv4 | ipv6 ] [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Displays IPv4 ASPF sessions.

ipv6: Displays IPv6 ASPF sessions.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ASPF sessions on all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays ASPF sessions for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ASPF sessions for all cards. (Distributed devices in IRF mode.)

verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays the brief information about ASPF sessions.

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command displays all ASPF sessions on the device.

Examples

# (Centralized devices in standalone mode.) Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: SrcZone

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: SrcZone

 

Total sessions found: 2

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/0/1

  Source security zone: SrcZone

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/0/1

  Source security zone: SrcZone

 

Total sessions found: 2

# (Distributed devices in IRF mode.) Display brief information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4

Slot 1 in chassis 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/0/1

  Source security zone: SrcZone

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/0/1

  Source security zone: SrcZone

 

Total sessions found: 2

# (Centralized devices in standalone mode.) Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose

Initiator:

  Source       IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: SrcZone

Responder:

  Source       IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: DestZone

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:          1 packets         60 bytes

Responder->Initiator:          0 packets          0 bytes

 

Total sessions found: 2

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/0/2

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/0/2

  Source security zone: DestZone

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:         1 packets         6048 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 2

# (Distributed devices in IRF mode.) Display detailed information about IPv4 ASPF sessions.

<Sysname> display aspf session ipv4 verbose

Slot 1 in chassis 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/1/0/2

  Source security zone: DestZone

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/0/1

  Source security zone: SrcZone

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/1/0/2

  Source security zone: DestZone

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:         1 packets         6048 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 2

Table 132 Command output

Field

Description

Initiator

Session information from initiator to responder.

Responder

Session information from responder to initiator.

Source IP/port

Source IP address and port number.

Destination IP/port

Destination IP address and port number.

DS-Lite tunnel peer

IP address of the DS-Lite tunnel peer.

If the session is not tunneled by DS-Lite, this field displays a hyphen (-).

VPN-instance/VLAN ID/Inline ID

·     VPN-instance—MPLS L3VPN instance where the session is initiated.

·     VLAN ID—VLAN to which the session belongs during Layer 2 forwarding.

·     Inline ID—Inline to which the session belongs during Layer 2 forwarding.

If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for each field.

Protocol

Transport layer protocols, including DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, and UDP-Lite.

Number in parentheses represents the protocol number.

Source security zone

Security zone to which the inbound interface belongs.

If the inbound interface does not belong to any security zone, this field displays a hyphen (-).

State

Protocol status of the session.

Application

Application layer protocol, including FTP and DNS.

If the application layer protocol cannot be identified from the port number, this field displays OTHER.

Start time

Establishment time of the session.

TTL

Remaining lifetime of the session, in seconds.

Initiator->Responder

Number of packets and bytes from initiator to responder.

Responder->Initiator

Number of packets and bytes from responder to initiator.
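As an added example (not H3C code), a small Python parser that turns the verbose output shown above into session records, then picks out half-open TCP sessions (state TCP_SYN_SENT with no responder traffic), a pattern worth watching when triaging SYN-flood or probing activity. The sample text is constructed from this reference's own example output with some per-side lines omitted, and the half-open rule is this example's own heuristic.

```python
"""Parse 'display aspf session ipv4 verbose' output into session records and flag
half-open TCP sessions (TCP_SYN_SENT with no reply traffic). Added example, not H3C
code: SAMPLE_OUTPUT is constructed from the verbose example in this reference with
some per-side lines omitted; the half-open rule is this example's own heuristic."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_OUTPUT = """\
Initiator:
  Source       IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: SrcZone
Responder:
  Source       IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: DestZone
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36  TTL: 28s
Initiator->Responder:         1 packets         48 bytes
Responder->Initiator:         0 packets          0 bytes

Initiator:
  Source      IP/port: 192.168.1.18/1792
  Destination IP/port: 192.168.1.55/2048
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: SrcZone
Responder:
  Source      IP/port: 192.168.1.55/1792
  Destination IP/port: 192.168.1.18/0
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: DestZone
State: ICMP_REQUEST
Application: OTHER
Start time: 2011-07-29 19:12:33  TTL: 55s
Initiator->Responder:          1 packets         60 bytes
Responder->Initiator:          0 packets          0 bytes

Total sessions found: 2
"""

_DIR_RE = re.compile(r"^(Initiator|Responder)->\w+:\s+(\d+) packets\s+(\d+) bytes$")
_TIME_RE = re.compile(r"^Start time: (.+?)\s+TTL: (\d+)s$")

@dataclass
class Session:
    initiator: Dict[str, str] = field(default_factory=dict)
    responder: Dict[str, str] = field(default_factory=dict)
    state: str = ""
    application: str = ""
    start_time: str = ""
    ttl: int = 0                      # remaining lifetime in seconds
    i2r: Tuple[int, int] = (0, 0)     # (packets, bytes) initiator -> responder
    r2i: Tuple[int, int] = (0, 0)     # (packets, bytes) responder -> initiator

def parse_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    cur: Optional[Session] = None
    side: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Slot ", "Total sessions")):
            continue                              # slot headers and the trailer
        if line == "Initiator:":                  # every record starts with this
            sessions.append(cur := Session())
            side = cur.initiator
        elif cur is None:
            raise ValueError(f"unexpected line before first session: {line!r}")
        elif line == "Responder:":
            side = cur.responder
        elif raw.startswith("  "):                # indented: field of the current side
            key, _, value = line.partition(": ")
            side[" ".join(key.split())] = value   # squeeze padding in "Source   IP/port"
        elif (m := _DIR_RE.match(line)):
            counters = (int(m.group(2)), int(m.group(3)))
            if m.group(1) == "Initiator":
                cur.i2r = counters
            else:
                cur.r2i = counters
        elif (m := _TIME_RE.match(line)):
            cur.start_time, cur.ttl = m.group(1), int(m.group(2))
        else:
            key, _, value = line.partition(": ")
            if key == "State":
                cur.state = value
            elif key == "Application":
                cur.application = value
    return sessions

def half_open_tcp(sessions: List[Session]) -> List[Session]:
    """TCP sessions whose handshake never completed: SYN sent, nothing back yet."""
    return [s for s in sessions
            if s.initiator.get("Protocol", "").startswith("TCP")
            and s.state == "TCP_SYN_SENT" and s.r2i[0] == 0]
```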

 

Related commands

reset aspf session

icmp-error drop

Use icmp-error drop to enable ICMP error message check and drop faked messages.

Use undo icmp-error drop to disable ICMP error message check.

Syntax

icmp-error drop

undo icmp-error drop

Default

ICMP error message check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

An ICMP error message carries information about the corresponding connection. ICMP error message check verifies the information. If the information does not match the connection, ASPF drops the message.

Examples

# Enable ICMP error message check for ASPF policy 1.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] icmp-error drop

Related commands

aspf policy

display aspf policy

reset aspf session

Use reset aspf session to clear ASPF session statistics.

Syntax

Centralized devices in standalone mode:

reset aspf session [ ipv4 | ipv6 ]

Distributed devices in standalone mode/centralized devices in IRF mode:

reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ]

Distributed devices in IRF mode:

reset aspf session [ ipv4 | ipv6 ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Clears IPv4 ASPF session statistics.

ipv6: Clears IPv6 ASPF session statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears ASPF session statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears ASPF session statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears ASPF session statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all ASPF session statistics.

Examples

# Clear all ASPF session statistics.

<Sysname> reset aspf session

Related commands

display aspf session

tcp syn-check

Use tcp syn-check to enable TCP SYN check.

Use undo tcp syn-check to disable TCP SYN check.

Syntax

tcp syn-check

undo tcp syn-check

Default

TCP SYN check is disabled.

Views

ASPF policy view

Predefined user roles

network-admin

Usage guidelines

TCP SYN check verifies that the first packet used to establish a TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops it.

When a router attached to the network starts up, the first packet it receives for an existing TCP connection can be a non-SYN packet. If you do not want to interrupt the existing TCP connection, you can disable TCP SYN check. The router then allows a non-SYN packet to pass as the first packet of a TCP connection. After the network topology becomes stable, you can enable TCP SYN check again.
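As an added example (not H3C code), a toy Python model of the two ASPF policy checks described in this section, icmp-error drop above and tcp syn-check here: with syn-check on, a mid-stream packet with no session is dropped; with it off, that packet opens a session so pre-existing connections survive a restart; with icmp-error drop on, an ICMP error whose quoted flow matches no tracked connection is dropped. The session table, packet fields and state names are simplifications invented for this example.

```python
"""Toy model of two ASPF policy checks from this reference: tcp syn-check (the first
packet of a TCP connection must be a SYN) and icmp-error drop (an ICMP error must
describe a connection the device is already tracking).
Added example, not H3C code: the session table, packet fields and state names are
simplifications invented here to illustrate the behaviour the reference describes."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "TCP", "ICMP", ...
    sport: int = 0
    dport: int = 0
    syn: bool = False                # TCP SYN flag set
    icmp_error: bool = False         # ICMP error message (e.g. type 3 or 11)
    embedded: Optional[Flow] = None  # original flow quoted inside an ICMP error

    def flow(self) -> Flow:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def reverse(flow: Flow) -> Flow:
    src, sport, dst, dport, proto = flow
    return (dst, dport, src, sport, proto)


@dataclass
class AspfPolicy:
    tcp_syn_check: bool = False      # both checks are disabled by default
    icmp_error_drop: bool = False


@dataclass
class AspfInspector:
    policy: AspfPolicy
    # initiator flow -> protocol state, e.g. TCP_SYN_SENT
    sessions: Dict[Flow, str] = field(default_factory=dict)

    def _session_of(self, flow: Flow) -> Optional[Flow]:
        """Initiator flow of the session this flow belongs to, in either direction."""
        if flow in self.sessions:
            return flow
        if reverse(flow) in self.sessions:
            return reverse(flow)
        return None

    def inspect(self, pkt: Packet) -> str:
        """Return "permit" or a "drop: ..." reason and update the session table."""
        if pkt.proto == "ICMP" and pkt.icmp_error:
            return self._inspect_icmp_error(pkt)
        if pkt.proto == "TCP":
            return self._inspect_tcp(pkt)
        if self._session_of(pkt.flow()) is None:    # other protocols: track only
            self.sessions[pkt.flow()] = "NEW"
        return "permit"

    def _inspect_tcp(self, pkt: Packet) -> str:
        key = self._session_of(pkt.flow())
        if key is not None:                           # packet of a known session
            if self.sessions[key] == "TCP_SYN_SENT" and key != pkt.flow():
                self.sessions[key] = "TCP_ESTABLISHED"   # first reply seen
            return "permit"
        if self.policy.tcp_syn_check and not pkt.syn:
            return "drop: first packet of a TCP connection is not a SYN"
        # With SYN check disabled a mid-stream packet opens a session, which is what
        # lets connections that predate a router restart keep working.
        self.sessions[pkt.flow()] = "TCP_SYN_SENT" if pkt.syn else "TCP_ESTABLISHED"
        return "permit"

    def _inspect_icmp_error(self, pkt: Packet) -> str:
        if not self.policy.icmp_error_drop:
            return "permit"
        if pkt.embedded is None or self._session_of(pkt.embedded) is None:
            return "drop: ICMP error does not match any tracked connection"
        return "permit"
```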

Examples

# Enable TCP SYN check for ASPF policy 1.

<Sysname> system-view

[Sysname] aspf policy 1

[Sysname-aspf-policy-1] tcp syn-check

Related commands

aspf policy


APR commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

app-group

Use app-group to create an application group and enter its view, or enter the view of an existing application group.

Use undo app-group to delete the specified application group.

Syntax

app-group group-name

undo app-group group-name

Default

No application groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the application group name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

Usage guidelines

You can create a maximum of 1000 application groups on the device.

Examples

# Create an application group named aaa and enter its view.

<Sysname> system-view

[Sysname] app-group aaa

[Sysname-app-group-aaa]

Related commands

copy app-group

description

include application

application statistics enable

Use application statistics enable to enable the application statistics feature on the specified direction of an interface.

Use undo application statistics enable to disable the application statistics feature on the specified direction of an interface.

Syntax

application statistics enable [ inbound | outbound ]

undo application statistics enable [ inbound | outbound ]

Default

The application statistics feature is disabled on both directions of an interface.

Views

Layer 3 interface view

Predefined user roles

network-admin

Parameters

inbound: Specifies the inbound direction of the interface.

outbound: Specifies the outbound direction of the interface.

Usage guidelines

IMPORTANT:

The application statistics feature consumes a large amount of system memory. When the system generates a low-memory alarm, disable the application statistics feature on interfaces.

 

If you do not specify a direction, the application statistics feature is enabled in both the inbound and outbound directions.

When this feature is enabled, the device separately counts the number of packets or bytes that the interface has received or sent for each application protocol. It also calculates the transmission rates of the interface for these protocols.

To display application statistics, use the display application statistics command.

Examples

# Enable application statistics in the inbound direction of GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] application statistics enable inbound

# Enable application statistics in the outbound direction of GigabitEthernet 1/0/2.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/2

[Sysname-GigabitEthernet1/0/2] application statistics enable outbound

# Enable application statistics in the inbound and outbound directions of GigabitEthernet 1/0/3.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/3

[Sysname-GigabitEthernet1/0/3] application statistics enable

Related commands

display application statistics

apr set detectlen

Use apr set detectlen to set the maximum detected length for an NBAR rule.

Use undo apr set detectlen to restore the default.

Syntax

apr set detectlen bytes

undo apr set detectlen

Default

The maximum detected length is not set for an NBAR rule.

Views

NBAR rule view

Predefined user roles

network-admin

Parameters

bytes: Specifies the maximum detected length in the range of 0 to 4294967295 bytes.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

The maximum detected length determines whether to inspect subsequent packets after the device recognizes an application:

·     If the inspected byte count already reaches the maximum number, the device will not inspect subsequent packets.

·     If the inspected byte count does not reach the maximum number, the device will inspect subsequent packets until the maximum number is reached.

If no maximum detected length is configured, the device continues to inspect subsequent packets for application recognition after recognizing an application. Inspection of subsequent packets affects device performance.

When you set the maximum detected length, make sure you fully understand its impact on system performance.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the maximum detected length to 100000 bytes for NBAR rule abcd.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd] apr set detectlen 100000

Related commands

nbar application

apr signature auto-update

Use apr signature auto-update to enable automatic update for the APR signature database and enter auto-update configuration view.

Use undo apr signature auto-update to disable automatic update for the APR signature database.

Syntax

apr signature auto-update

undo apr signature auto-update

Default

Automatic update is disabled for the APR signature database.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

Use this command to update the APR signature database if the device can access the signature database services at the H3C website.

Examples

# Enable automatic update for the APR signature database and enter auto-update configuration view.

<Sysname> system-view

[Sysname] apr signature auto-update

[Sysname-apr-autoupdate]

Related commands

override-current

update schedule

apr signature auto-update-now

Use apr signature auto-update-now to manually trigger an automatic update for the APR signature database.

Syntax

apr signature auto-update-now

Views

System view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

This command starts the automatic APR signature database update process and backs up the current APR signature file. This command is independent of the apr signature auto-update command.

Use this command to update the APR signature database if you find a new version of APR signature database at the H3C website.

Examples

# Manually trigger an automatic update for the APR signature database.

<Sysname> system-view

[Sysname] apr signature auto-update-now

apr signature rollback

Use apr signature rollback to roll back the APR signature database.

Syntax

apr signature rollback { factory | last }

Views

System view

Predefined user roles

network-admin

Parameters

factory: Rolls back the APR signature database to the factory version.

last: Rolls back the APR signature database to the last version.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

You can use this command if a high error rate or abnormal behavior occurs when the device uses the current APR signature database for application recognition.

Each time a rollback operation is performed, the device backs up the current version of the APR signature database. If you repeat the apr signature rollback last command multiple times, the APR signature database will repeatedly switch between the current version and the last version.

To ensure that the APR signature database can be successfully rolled back to the last version, back up the current APR signature database each time you update the database.

Examples

# Roll back the APR signature database to the last version.

<Sysname> system-view

[Sysname] apr signature rollback last

apr signature update

Use apr signature update to manually update the APR signature database.

Syntax

apr signature update [ override-current ] file-path

Views

System view

Predefined user roles

network-admin

Parameters

override-current: Overwrites the old APR signature file. If you do not specify this keyword, the old APR signature file will be saved as a backup signature file on the device after the update.

file-path: Specifies the path of the new APR signature file, a case-insensitive string of 1 to 256 characters.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

Use this command to update the APR signature database if the device cannot access the signature database services at the H3C website.

You can use either of the following methods to manually update the APR signature database:

·     Local update—By using the locally stored APR signature file.

(Centralized devices in IRF mode.) The APR signature file must be stored on the master device for a successful update.

(Distributed devices in standalone mode.) To ensure a successful update, the APR signature file must be stored on the active MPU.

(Distributed devices in IRF mode.) To ensure a successful update, the APR signature file must be stored on the global active MPU.

The following table describes the formats of the file-path argument for different update scenarios:

 

Update scenario: The update file is stored in the current working directory.

Format of file-path: filename

Remarks: To display the current working directory, use the pwd command (see file system management in Fundamentals Command Reference).

Update scenario: The update file is stored in a different directory on the same storage medium.

Format of file-path: path/filename

Remarks: Before updating the signature database, you must use the cd command to open the directory where the update file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

Update scenario: The update file is stored on a different storage medium.

Format of file-path: path/filename

Remarks: Before updating the signature database, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.

 

·     FTP/TFTP update—By using the APR signature file stored on an FTP or TFTP server.

The following table describes the formats of the file-path argument for different update scenarios:

 

Update scenario: The update file is stored on an FTP server.

Format of file-path: ftp://username:password@server address/filename

Remarks: The username argument represents the FTP login username. The password argument represents the FTP login password. The server address argument represents the IP address or host name of the FTP server. If an FTP login username or password includes colons (:), at signs (@), or slashes (/), you must replace these special characters with the corresponding escape characters:

·     The escape character for the colon (:) character is %3A or %3a.

·     The escape character for the at sign (@) character is %40.

·     The escape character for the slash (/) character is %2F or %2f.

Update scenario: The update file is stored on a TFTP server.

Format of file-path: tftp://server address/filename

Remarks: The server address argument represents the IP address or host name of the TFTP server.

 

If you specify the host name, make sure the following requirements are met:

¡     The device can resolve the IP address of the FTP or TFTP server through static or dynamic domain name resolution.

¡     The device and server can reach each other.

For information about DNS, see Layer 3—IP Services Configuration Guide.
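The ftp:// and tftp:// file-path formats and the credential escape rules above, as an added example (not H3C code): build_file_path escapes only the three characters the reference names, and parse_file_path splits a path back into its parts, accepting either hex case for the escapes. The server addresses and file names are constructed.

```python
# Added example (not H3C code): build and parse the file-path argument of
# "apr signature update" for FTP/TFTP servers using the escape rules the
# reference gives for FTP credentials (":" -> %3A, "@" -> %40, "/" -> %2F).
from urllib.parse import unquote

# Only the three characters the reference names are escaped; everything else
# is passed through unchanged. unquote() accepts %3a as well as %3A on parsing.
_ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}


def escape_credential(value: str) -> str:
    """Escape the delimiter characters that would otherwise split the path."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_file_path(scheme: str, server: str, filename: str,
                    username: str = "", password: str = "") -> str:
    """Return a file-path string in the ftp:// or tftp:// form of the reference."""
    if scheme == "tftp":
        if username or password:
            raise ValueError("tftp:// file paths carry no credentials")
        return f"tftp://{server}/{filename}"
    if scheme != "ftp":
        raise ValueError(f"unsupported scheme: {scheme}")
    creds = f"{escape_credential(username)}:{escape_credential(password)}"
    return f"ftp://{creds}@{server}/{filename}"


def parse_file_path(path: str) -> dict:
    """Split an ftp:// or tftp:// file-path into its parts, unescaping credentials."""
    scheme, sep, rest = path.partition("://")
    if sep != "://" or scheme not in ("ftp", "tftp"):
        raise ValueError("expected an ftp:// or tftp:// file-path")
    authority, sep, filename = rest.partition("/")
    if not sep or not filename:
        raise ValueError("file-path must end in /filename")
    result = {"scheme": scheme, "server": authority, "filename": filename,
              "username": None, "password": None}
    if scheme == "ftp":
        # Because credentials are escaped, the first "@" separates them from
        # the server and the first ":" separates username from password.
        creds, sep, server = authority.partition("@")
        if not sep or "@" in server:
            raise ValueError("ftp:// file-path needs escaped username:password@server")
        user, _, pwd = creds.partition(":")
        result.update(server=server, username=unquote(user), password=unquote(pwd))
    return result


if __name__ == "__main__":
    # Reproduces the FTP example from the reference from its unescaped parts.
    built = build_file_path("ftp", "192.168.0.10", "apr-1.0.2-en.dat",
                            username="user:123", password="user@abc/123")
    print(built)              # ftp://user%3A123:user%40abc%2F123@192.168.0.10/apr-1.0.2-en.dat
    print(parse_file_path(built))
```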

Examples

# Manually update the APR signature database by using an APR signature file stored on a TFTP server.

<Sysname> system-view

[Sysname] apr signature update tftp://192.168.0.1/apr-1.0.2-en.dat

# Manually update the APR signature database by using an APR signature file stored on an FTP server.

<Sysname> system-view

[Sysname] apr signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/apr-1.0.2-en.dat

# Manually update the APR signature database by using an APR signature file stored on the device. The file path is cfa0:/apr-1.0.23-en.dat. In this example, the working directory is cfa0:.

<Sysname> system-view

[Sysname] apr signature update apr-1.0.23-en.dat

# Manually update the APR signature database by using an APR signature file stored on the device. The file path is cfa0:/dpi/apr-1.0.23-en.dat. In this example, the working directory is cfa0:.

<Sysname> cd dpi

<Sysname> system-view

[Sysname] apr signature update apr-1.0.23-en.dat

# Manually update the APR signature database by using an APR signature file stored on the device. The file path is cfb0:/dpi/apr-1.0.23-en.dat. In this example, the working directory is cfa0:.

<Sysname> cd cfb0:/

<Sysname> system-view

[Sysname] apr signature update dpi/apr-1.0.23-en.dat

copy app-group

Use copy app-group to copy all application protocols in an application group to another group.

Syntax

copy app-group group-name

Views

Application group view

Predefined user roles

network-admin

Parameters

group-name: Specifies the name of the source application group, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

Usage guidelines

Execute this command multiple times to copy application protocols in different groups to the current group.

Examples

# Copy application protocols in group bcd to group abc.

<Sysname> system-view

[Sysname] app-group abc

[Sysname-app-group-abc] copy app-group bcd

Related commands

app-group

include application

description (application group view)

Use description to configure a description for an application group.

Use undo description to restore the default.

Syntax

description text

undo description

Default

An application group is described as "User-defined application group".

Views

Application group view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters. If the string includes spaces, use a pair of quotation marks ("") to enclose all characters.

Usage guidelines

Configure descriptions for different application groups for identification and management purposes.

Examples

# Configure a description for application group aaa.

<Sysname> system-view

[Sysname] app-group aaa

[Sysname-app-group-aaa] description "User defined aaa group"

Related commands

app-group

description (NBAR rule view)

Use description to configure a description for a user-defined NBAR rule.

Use undo description to restore the default.

Syntax

description text

undo description

Default

A user-defined NBAR rule is described as "User defined application".

Views

NBAR rule view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

Configure descriptions for different user-defined NBAR rules for identification and management purposes.

Examples

# Configure a description for user-defined NBAR rule abcd.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd] description "A user-defined application based on HTTP"

Related commands

nbar application

destination

Use destination to specify a destination IP address or subnet as a match criterion in a user-defined NBAR rule.

Use undo destination to restore the default.

Syntax

destination { ip ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }

undo destination

Default

A user-defined NBAR rule matches packets destined for all IP addresses.

Views

NBAR rule view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a destination IPv4 address or IPv4 subnet, in dotted decimal notation.

mask-length: Specifies the mask length for IPv4 addresses, in the range of 0 to 32.

ipv6 ipv6-address: Specifies a destination IPv6 address or IPv6 subnet.

prefix-length: Specifies the prefix length for IPv6 addresses, in the range of 0 to 128.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

The ipv6 ipv6-address option is not supported in the current software version. If you specify this option, the command does not take effect.

If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect.

Examples

# Configure user-defined NBAR rule abcd to match packets destined for the IPv4 subnet 192.168.1.0/24.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd] destination ip 192.168.1.0 24

Related commands

nbar application

direction

Use direction to specify a direction as a match criterion in a user-defined NBAR rule.

Use undo direction to restore the default.

Syntax

direction { to-client | to-server }

undo direction

Default

A user-defined NBAR rule matches packets in both directions.

Views

NBAR rule view

Predefined user roles

network-admin

Parameters

to-client: Specifies the direction from server to client.

to-server: Specifies the direction from client to server.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect.

Examples

# Configure user-defined NBAR rule abcd to match packets from client to server.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd] direction to-server

Related commands

nbar application

disable

Use disable to disable a user-defined NBAR rule.

Use undo disable to restore the default.

Syntax

disable

undo disable

Default

A user-defined NBAR rule is enabled.

Views

NBAR rule view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                 Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes

 

Use this command to disable a user-defined NBAR rule if the following conditions exist:

·     The NBAR rule will not be used in the near future.

·     You do not want to delete the NBAR rule.

Examples

# Disable user-defined NBAR rule abcd.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd] disable

Related commands

nbar application

display app-group

Use display app-group to display information about the specified application groups.

Syntax

display app-group [ name group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name group-name: Specifies an application group by its name. The group-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. If you do not specify any parameters, this command displays information about all application groups.

Examples

# Display information about all application groups.

<Sysname> display app-group

User-defined count:3

Group Name                         Type           Group ID

 6767                               User-defined   0x00800002

 er                                 User-defined   0x00800001

 hbc                                User-defined   0x00800003

# Display information about application group er.

<Sysname> display app-group name er

Group English name: er

 Group Chinese name: er

 Group ID:           0x00800001

 Type:               User-defined

 

Application count:  2

 Include application list:

 Application name                   Type           App ID

 114Travel                          Pre-defined    0x0000542c

 banc                                User-defined   0x00800001

pre-defined app-group count:0

 Include pre-defined app-group list:

 App-group name                     Type           App-group ID

Table 133 Command output

Field                               Description
User-defined count                  Number of application groups.
Group Name                          Name of the application group.
Group English name                  English name of the application group.
Type                                Application protocol attribute: Pre-defined or User-defined. This field always displays User-defined for application groups.
Application count                   Number of application protocols in the application group.
Include application list            Application protocol list.
Application name                    Application protocol name.
App ID                              Application protocol ID.
pre-defined app-group count         Number of predefined application groups in the application group. This field is not supported in the current software version.
Include pre-defined app-group list  List of predefined application groups. This field is not supported in the current software version.
App-group name                      Name of a predefined application group. This field is not supported in the current software version.
App-group ID                        ID of a predefined application group. This field is not supported in the current software version.

 

Related commands

app-group

include

display application

Use display application to display information about the specified application protocols.

Syntax

display application [ name application-name | pre-defined | user-defined ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name application-name: Specifies an application protocol by its name. The application-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

pre-defined: Specifies the predefined application protocols.

user-defined: Specifies the user-defined application protocols.

Usage guidelines

If you do not specify any parameters, this command displays information about all application protocols.

Examples

# Display information about all predefined application protocols.

<Sysname> display application pre-defined

 Pre-defined count: 817

 

 Application name         Type         App ID      Tunnel  Encrypted  DetectLen

 12530WAP_Application_We  Pre-defined  0x000003ac  No      No         0

 b_HTTP

 12580_Application_HTTP   Pre-defined  0x00000312  No      No         0

 126_Web_Email_Download_  Pre-defined  0x000002b7  No      No         0

 HTTP

 126_Web_Email_Login_HTT  Pre-defined  0x000002b3  No      No         0

 P

 126_Web_Email_Read_Emai  Pre-defined  0x000002b4  No      No         0

 l_HTTP

 126_Web_Email_Receive_E  Pre-defined  0x000002b6  No      No         0

 mail_HTTP

 126_Web_Email_Send_Emai  Pre-defined  0x000002b5  No      No         0

 l_HTTP

 126_Web_Email_Upload_HT  Pre-defined  0x000002b8  No      No         0

 TP

 139_mobile_weibo_commen  Pre-defined  0x000001da  No      No         0

 t_HTTP

 139_mobile_weibo_login_  Pre-defined  0x000001d9  No      No         0

 HTTP

 139_mobile_weibo_login_  Pre-defined  0x00000444  No      No         0

---- More ----

# Display information about all user-defined application protocols.

<Sysname> display application user-defined

 User-defined count: 4

 

 Application name         Type         App ID      Tunnel  Encrypted  DetectLen

 def                      User-defined  0x00800002  No      No         0

 dfer                     User-defined  0x00800003  No      No         0

 efer                     User-defined  0x00800004  No      No         0

 fdfad                    User-defined  0x00800001  No      No         0

# Display information about all application protocols.

<Sysname> display application

 Total count:        821

 Pre-defined count:  817

 User-defined count: 4

 

 Application name         Type         App ID      Tunnel  Encrypted  DetectLen

 12530WAP_Application_We  Pre-defined  0x000003ac  No      No         0

 b_HTTP

 12580_Application_HTTP   Pre-defined  0x00000312  No      No         0

 126_Web_Email_Download_  Pre-defined  0x000002b7  No      No         0

 HTTP

 126_Web_Email_Login_HTT  Pre-defined  0x000002b3  No      No         0

 P

 126_Web_Email_Read_Emai  Pre-defined  0x000002b4  No      No         0

 l_HTTP

 126_Web_Email_Receive_E  Pre-defined  0x000002b6  No      No         0

 mail_HTTP

 126_Web_Email_Send_Emai  Pre-defined  0x000002b5  No      No         0

 l_HTTP

 126_Web_Email_Upload_HT  Pre-defined  0x000002b8  No      No         0

 TP

 139_mobile_weibo_commen  Pre-defined  0x000001da  No      No         0

 t_HTTP

 139_mobile_weibo_login_  Pre-defined  0x000001d9  No      No         0

 HTTP

 139_mobile_weibo_login_  Pre-defined  0x00000444  No      No         0

 HTTPS

 139Mail_Login_HTTP       Pre-defined  0x000001cb  No      No         0

 139Mail_Login_HTTPS      Pre-defined  0x0000038c  No      No         0

 139Mail_Login_TCP        Pre-defined  0x0000044b  No      No         0

 163TV_HTTP               Pre-defined  0x000004c3  No      No         0

 17173_Application_HTTP   Pre-defined  0x00000350  No      No         0

 178Game_Application_HTT  Pre-defined  0x00000222  No      No         0

 P

 17K_fiction_Application  Pre-defined  0x00000330  No      No         0

 _HTTP

 19lou_Login_http_stream  Pre-defined  0x000002c0  No      No         0

 

 19lou_Publish_Or_Reply_  Pre-defined  0x000002c2  No      No         0

 http_stream1

 19lou_Publish_Or_Reply_  Pre-defined  0x000002c3  No      No         0

 http_stream2

 19lou_View_http_stream   Pre-defined  0x000002c1  No      No         0

 1ting_Music_Application  Pre-defined  0x000001bc  No      No         0

 _Mobile_HTTP

 21CN_Email_Read_HTTP     Pre-defined  0x000003fb  No      No         0

 21CN_Email_Send_HTTP     Pre-defined  0x000003fc  No      No         0

---- More ----

# Display information about application protocol Telnet.

<Sysname> display application name telnet

 Application English Name: telnet

 Application Chinese Name: telnet

 Application ID:   0x0000000e

 Tunnel:           No

 Encrypted:        No

Table 134 Command output

Field                   Description
Total count             Total number of application protocols.
Pre-defined count       Number of predefined application protocols.
User-defined count      Number of user-defined application protocols.
Application name        Name of the application protocol.
Type                    Application protocol type: Pre-defined or User-defined.
App ID/Application ID   ID of the application protocol.
Tunnel                  Whether or not the protocol is a tunnel protocol: Yes or No.
Encrypted               Whether or not the protocol is a cryptographic protocol: Yes or No.
DetectLen               Length of data to be inspected for application recognition, in bytes. The length can be predefined or user defined.

 

Related commands

app-group

include

display application statistics

Use display application statistics to display statistics for the specified application protocols.

Syntax

Centralized devices in standalone mode:

display application statistics [ direction { inbound | outbound } | interface interface-type interface-number | name application-name ] *

Distributed devices in standalone mode/centralized devices in IRF mode:

display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ slot slot-number ] | name application-name ] *

Distributed devices in IRF mode:

display application statistics [ direction { inbound | outbound } | interface interface-type interface-number [ chassis chassis-number slot slot-number ] | name application-name ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

direction: Specifies the direction of the interface.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member by its member ID. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (Distributed devices in IRF mode.)

name application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

Usage guidelines

If you do not specify any options or keywords, this command displays statistics for application protocols on all interfaces in both inbound and outbound directions.

This command displays statistics for application protocols only after the application statistics feature is enabled on the specified interfaces. Disabling the application statistics feature on the specified interfaces deletes the corresponding application statistics.

You can display statistics for application protocols based on certain criteria, including application protocol names, interface directions, interface names, or a combination of the criteria.

Examples

# Display application statistics for all interfaces.

<Sysname> display application statistics

Interface : GigabitEthernet1/0/1
Application   In/Out  Packets     Bytes        PPS    BPS
Slot 1 :
http          IN      275         78631        0      275
              OUT     357         255251       0      101
https         IN      403         39267        0      44
              OUT     681         623501       0      32
netbios-dgm   IN      3           729          0      32
              OUT     0           0            0      0
netbios-ns    IN      248         22816        2      1423
              OUT     0           0            0      0
telnet        IN      801         43374        10     4509
              OUT     1519        65388        20     6774

# Display application statistics in the inbound direction of GigabitEthernet 1/0/1.

<Sysname> display application statistics interface gigabitethernet 1/0/1 direction inbound

Interface : GigabitEthernet1/0/1
Application   In/Out  Packets     Bytes        PPS    BPS
Slot 1 :
http          IN      330         87710        0      347
https         IN      439         41247        0      88
netbios-dgm   IN      27          6238         0      218
netbios-ns    IN      716         65872        2      1325
telnet        IN      1066        57692        0      14

Table 135 Command output

Field          Description
Interface      Interface name.
Application    Name of the application protocol.
In/Out         Interface direction: In or Out.
Packets        Number of packets received or sent by the interface.
Bytes          Number of bytes received or sent by the interface.
PPS            Packets received or sent per second.
BPS            Bytes received or sent per second.

 

Related commands

app-group

application statistics enable

display application statistics top

Use display application statistics top to display statistics for application protocols on an interface in descending order, based on the specified criteria.

Syntax

Centralized devices in standalone mode:

display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number

Distributed devices in standalone mode/centralized devices in IRF mode:

display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ slot slot-number ]

Distributed devices in IRF mode:

display application statistics top number { bps | bytes | packets | pps } interface interface-type interface-number [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

number: Specifies the number of application statistics entries to be displayed. The value range for this argument is 0 to 4294967295.

bytes: Sorts application protocols by traffic size in bytes.

bps: Sorts application protocols by traffic rate in bps.

packets: Sorts application protocols by traffic size in packet count.

pps: Sorts application protocols by traffic rate in pps.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member by its member ID. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only for global interfaces, such as VLAN interfaces and tunnel interfaces. (Distributed devices in IRF mode.)

Usage guidelines

This command displays application statistics only after the application statistics feature is enabled on the specified interface. Disabling the application statistics feature on the interface deletes the existing statistics.

The system ranks application protocols by the sum of their inbound and outbound statistics. If the sums for multiple application protocols are the same, the system displays those protocols in alphabetical order.

Examples

# Display the top three application protocols that have received and sent the most packets on GigabitEthernet 1/0/1.

<Sysname> display application statistics top 3 packets interface gigabitethernet 1/0/1

Interface : GigabitEthernet1/0/1
Application   In/Out  Packets     Bytes        PPS    BPS
Slot 1 :
telnet        IN      1389        75219        0      44
              OUT     2626        112745       0      54
https         IN      468         42830        0      123
              OUT     746         626101       0      91
netbios-ns    IN      965         88780        2      1411
              OUT     0           0            0      0

# Display the top three application protocols that have received and sent the most bytes per second on GigabitEthernet 1/0/1.

<Sysname> display application statistics top 3 bps interface gigabitethernet 1/0/1

Interface : GigabitEthernet1/0/1
Application   In/Out  Packets     Bytes        PPS    BPS
Slot 1 :
netbios-ns    IN      1279        117668       2      1300
              OUT     0           0            0      0
telnet        IN      1776        96197        1      589
              OUT     3318        143139       2      702
http          IN      360         98456        0      239
              OUT     442         262251       0      75

Table 136 Command output

Field          Description
Interface      Interface name.
Application    Name of the application protocol.
In/Out         Interface direction: In or Out.
Packets        Number of packets received or sent by the interface.
Bytes          Number of bytes received or sent by the interface.
PPS            Packets received or sent per second.
BPS            Bytes received or sent per second.

 

Related commands

app-group

application statistics enable

display apr signature information

Use display apr signature information to display APR signature database information.

Syntax

display apr signature information

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

 

Examples

# Display APR signature database information.

<Sysname> display apr signature information

APR signature library information:
Type      SigVersion    ReleaseTime                 Size
Current   1.0.49        Tue Sep 13 06:54:01 2016    659744
Last      1.0.52        Wed Nov 02 07:14:03 2016    702640
Factory   1.0.0         Fri Dec 31 16:00:00 1999    77040

Table 137 Command output

Field          Description
Type           Version type of the APR signature database: Current, Last, or Factory.
SigVersion     Version of the APR signature database.
ReleaseTime    Release time of the APR signature database.
Size           Size of the APR signature database, in bytes.

 

display port-mapping pre-defined

Use display port-mapping pre-defined to display information about the predefined port-mappings.

Syntax

display port-mapping pre-defined

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about all predefined port mappings.

<Sysname> display port-mapping pre-defined

Application        Protocol   Port
afs3-kaserver      TCP        7004
                   UDP        7004
aol                TCP        5190, 5191, 5192, 5193
                   UDP        5190, 5191, 5192, 5193
appleqtc           TCP        458
                   UDP        458
bgp                TCP        179
                   UDP        179

Table 138 Command output

Field          Description
Application    Application protocol using the port mapping.
Protocol       Transport layer protocol.
Port           Port number of the application protocol.

 

Related commands

display port-mapping

port-mapping

display port-mapping user-defined

Use display port-mapping user-defined to display information about the user-defined port mappings.

Syntax

display port-mapping user-defined [ application application-name | port port-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

port port-number: Specifies a port by its number, in the range of 0 to 65535.

Usage guidelines

If you do not specify an application protocol or a port number, this command displays all user-defined port mappings on the device.

Examples

# Display all user-defined port mappings on the device.

<Sysname> display port-mapping user-defined

 Application   Port   Protocol   Match Type    Match Condition
 ------------------------------------------------------------------------
 FTP           21     TCP        ---           ---
 FTP           21     UDP        IPv4 host     10.10.10.1(vpn1)
 FTP           2121   UDP        IPv4 host     [11.10.10.1, 11.10.10.10](vpn2)
 FTP           21     UDP        IPv4 subnet   10.10.10.1/24
 FTP           21     SCTP       IPv6 host     2000:fdb8::1:00ab:853c:39ab
 HTTP          899    TCP        IPv4 ACL      2002
 HTTP          999    SCTP       IPv6 ACL      2002

Table 139 Command output

Field              Description
Application        Application protocol using the port mapping.
Port               Port number to which the application protocol is mapped.
Protocol           Transport layer protocol.
Match Type         Match type:
                   ---: no match type or match condition is specified; every packet with the specified port is recognized as the specified application protocol.
                   IPv4 host / IPv6 host: match on the packet's destination IPv4/IPv6 address.
                   IPv4 subnet / IPv6 subnet: match on the packet's destination IPv4/IPv6 subnet.
                   IPv4 ACL / IPv6 ACL: match on the specified IPv4/IPv6 ACL.
Match Condition    Match condition:
                   For IPv4 host or IPv6 host, the destination IP address or address range of the packets.
                   For IPv4 subnet or IPv6 subnet, the destination subnet of the packets.
                   For IPv4 ACL or IPv6 ACL, the number of the ACL.
                   For IP address-based and subnet-based host-port mappings, the MPLS L3VPN instance name is shown in parentheses if one was configured.

 

include application

Use include application to add application protocols to an application group.

Use undo include application to remove application protocols from an application group.

Syntax

include application application-name

undo include application application-name

Default

An application group does not contain any application protocols.

Views

Application group view

Predefined user roles

network-admin

Parameters

application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

Usage guidelines

Execute this command multiple times to add multiple predefined or user-defined application protocols to an application group.

The number of application protocols in an application group is not limited.

If you add a nonexistent application protocol to the application group, the system first creates the protocol before adding it to the application group. Whether the device can recognize the packets of this protocol depends on your configuration.

Examples

# Add HTTP and FTP to group abc.

<Sysname> system-view

[Sysname] app-group abc

[Sysname-app-group-abc] include application http

[Sysname-app-group-abc] include application ftp

Related commands

app-group

copy app-group

nbar application

Use nbar application to create a user-defined NBAR rule and enter its view, or enter the view of an existing NBAR rule.

Use undo nbar application to delete a user-defined NBAR rule.

Syntax

nbar application application-name protocol { http | tcp | udp }

undo nbar application application-name

Default

No user-defined NBAR rules exist.

Views

System view

Predefined user roles

network-admin

Parameters

application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The following names are not allowed:

·     invalid.

·     other.

·     Names of predefined application protocols.

http: Specifies HTTP packets to which the NBAR rule is applied.

tcp: Specifies TCP packets to which the NBAR rule is applied.

udp: Specifies UDP packets to which the NBAR rule is applied.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

 

By default, predefined NBAR rules exist. These rules cannot be deleted or modified. If the predefined NBAR rules do not meet your needs, use this command to create user-defined NBAR rules.

Examples

# Create a user-defined NBAR rule named abcd and apply the rule to HTTP packets.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd]

override-current

Use override-current to overwrite the current signature file during an update when the APR signature database is updated automatically on a regular basis.

Use undo override-current to restore the default.

Syntax

override-current

undo override-current

Default

If the APR signature database is updated automatically on a regular basis, an update does not overwrite the current APR signature file. Instead, the device backs up the current APR signature file.

Views

Auto-update configuration view

Predefined user roles

network-admin

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

 

Use this command only if the device memory is insufficient to keep a backup of the current signature file.

Because no backup of the current file is kept, this command prevents the APR signature database from being rolled back to the last version after an update. Do not use this command if the device memory is sufficient.

Examples

# Overwrite the current APR signature file for a regular online auto-update operation.

<Sysname> system-view

[Sysname] apr signature auto-update

[Sysname-apr-autoupdate] override-current

Related commands

apr signature auto-update

port-mapping

Use port-mapping to configure a general port mapping.

Use undo port-mapping to remove a general port mapping.

Syntax

port-mapping application application-name port port-number [ protocol protocol-name ]

undo port-mapping application application-name port port-number [ protocol protocol-name ]

Default

An application protocol is mapped to a well-known port.

Views

System view

Predefined user roles

network-admin

Parameters

application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

port port-number: Specifies a port by its number, in the range of 0 to 65535.

protocol protocol-name: Specifies a transport layer protocol by its name, including:

·     dccp: Specifies DCCP.

·     sctp: Specifies SCTP.

·     tcp: Specifies TCP.

·     udp: Specifies UDP.

·     udp-lite: Specifies UDP-Lite.

Usage guidelines

If no transport layer protocol is specified, packets that meet the following conditions are recognized as the specified application protocol's packets:

·     Packets are encapsulated by any transport layer protocol.

·     Packets have the specified port.

If the destination port of a packet matches a general port mapping, APR recognizes the packet as the specified application protocol's packet.

If two port mappings are configured with the same port number and transport layer protocol, but with different application protocols, the most recent configuration takes effect and the earlier mapping is replaced without warning. Use display port-mapping user-defined to confirm which mapping is in effect.

A mapping with the transport layer protocol specified has a higher priority than one without it.

To change the port number mapped to an application protocol, perform the following tasks:

1.     Use the undo port-mapping application command to remove the existing general port mapping.

2.     Use the port-mapping application command to specify a different port number for the application protocol.

Examples

# Create a general port mapping of port 3456 to FTP.

<Sysname> system-view

[Sysname] port-mapping application ftp port 3456

Related commands

display port-mapping user-defined

port-mapping acl

Use port-mapping acl to configure an ACL-based host-port mapping.

Use undo port-mapping acl to remove an ACL-based host-port mapping.

Syntax

port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number

undo port-mapping application application-name port port-number [ protocol protocol-name ] acl [ ipv6 ] acl-number

Default

An application protocol is mapped to a well-known port.

Views

System view

Predefined user roles

network-admin

Parameters

application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

port port-number: Specifies a port by its number in the range of 0 to 65535.

protocol protocol-name: Specifies a transport layer protocol by its name, including:

·     dccp: Specifies DCCP.

·     sctp: Specifies SCTP.

·     tcp: Specifies TCP.

·     udp: Specifies UDP.

·     udp-lite: Specifies UDP-Lite.

acl [ ipv6 ] acl-number: Specifies the number of an ACL, in the range of 2000 to 2999. To specify an IPv6 ACL, include the ipv6 keyword. To specify an IPv4 ACL, do not include the ipv6 keyword.

Usage guidelines

APR uses ACL-based host-port mappings to recognize packets. A packet is recognized as an application protocol packet when it matches all the following conditions in a mapping:

·     The packet's destination IP address matches the specified source IP address defined in the ACL.

·     The packet's destination port matches the specified port in the mapping.

·     The transport layer protocol that encapsulates the packet matches the specified transport layer protocol if you specify a transport layer protocol in the mapping.

If two port mappings are configured with the same port number, transport layer protocol, and ACL, but with different application protocols, the most recent configuration takes effect.

A mapping with the transport layer protocol specified has a higher priority than one without it.

Examples

# Create a port mapping of port 3456 to FTP for the packets matching the ACL 2000.

<Sysname> system-view

[Sysname] port-mapping application ftp port 3456 acl 2000

Related commands

display port-mapping user-defined

port-mapping host

Use port-mapping host to configure an IP address-based host-port mapping.

Use undo port-mapping host to remove an IP address-based host-port mapping.

Syntax

port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

undo port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

Default

An application protocol is mapped to a well-known port.

Views

System view

Predefined user roles

network-admin

Parameters

application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

port port-number: Specifies a port by its number, in the range of 0 to 65535.

protocol protocol-name: Specifies a transport layer protocol by its name, including:

·     dccp: Specifies DCCP.

·     sctp: Specifies SCTP.

·     tcp: Specifies TCP.

·     udp: Specifies UDP.

·     udp-lite: Specifies UDP-Lite.

{ ip | ipv6 } start-ip-address [ end-ip-address ]: Specifies one IPv4 or IPv6 address or a range of addresses. The ip keyword specifies IPv4 addresses, and the ipv6 keyword specifies IPv6 addresses. To specify only one IP address, provide only the start IP address. To specify a range of IP addresses, provide both the start and end IP addresses, and make sure the end IP address is higher than the start IP address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you configure a mapping for the public network, do not specify this option.

Usage guidelines

APR uses IP address-based host-port mappings to recognize packets. A packet is recognized as an application protocol packet when it matches all the following conditions in a mapping:

·     The packet is destined for the specified IP address or IP subnet in the mapping.

·     The packet's destination port matches the specified port in the mapping.

·     The transport layer protocol that encapsulates the packet matches the specified transport layer protocol if you specify a transport layer protocol in the mapping.

The IP address ranges of host-port mappings configured with the same application protocol, port number, and transport layer protocol must not overlap.

If two port mappings are configured with the same port number, transport layer protocol, and IP address or IP address ranges, but with different application protocols, the most recent configuration takes effect.

A mapping with the transport layer protocol specified has a higher priority than one without it.

Examples

# Create a mapping of port 3456 to FTP for the IPv4 packets sent to hosts in the range 1.1.1.1 to 1.1.1.10.

<Sysname> system-view

[Sysname] port-mapping application ftp port 3456 host ip 1.1.1.1 1.1.1.10

# Create a mapping of port 3456 to FTP for the IPv6 packets sent to 1::1.

<Sysname> system-view

[Sysname] port-mapping application ftp port 3456 host ipv6 1::1

Related commands

display port-mapping user-defined

port-mapping subnet

Use port-mapping subnet to configure a subnet-based host-port mapping.

Use undo port-mapping subnet to remove a subnet-based host-port mapping.

Syntax

port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]

undo port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]

Default

An application protocol is mapped to a well-known port.

Views

System view

Predefined user roles

network-admin

Parameters

application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

port port-number: Specifies a port by its number, in the range of 0 to 65535.

protocol protocol-name: Specifies a transport layer protocol by its name, including:

·     dccp: Specifies DCCP.

·     sctp: Specifies SCTP.

·     tcp: Specifies TCP.

·     udp: Specifies UDP.

·     udp-lite: Specifies UDP-Lite.

ip ipv4-address { mask-length | mask }: Specifies an IPv4 subnet.

·     The ipv4-address argument specifies the IPv4 network address.

·     The mask-length argument specifies the mask length of the IPv4 subnet, in the range of 1 to 32.

·     The mask argument specifies the subnet mask in dotted decimal notation.

ipv6 ipv6-address prefix-length: Specifies an IPv6 subnet. The ipv6-address argument specifies the IPv6 network address, and the prefix-length argument specifies the length of the IPv6 prefix, in the range of 1 to 128.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you configure a mapping for the public network, do not specify this option.

Usage guidelines

APR uses subnet-based host-port mappings to recognize packets. A packet is recognized as an application protocol packet when it matches all the following conditions in a mapping:

·     The packet is destined for the specified IP subnet in the mapping.

·     The packet's destination port matches the specified port in the mapping.

·     The transport layer protocol that encapsulates the packet matches the specified transport layer protocol if you specify a transport layer protocol in the mapping.

If multiple subnet-based mappings are applied to packets and these subnets overlap, APR matches the packets destined for the overlapped segment with the port mapping of the subnet that has the smallest range.

If two port mappings are configured with the same port number, transport layer protocol, and subnet, but with different application protocols, the most recent configuration takes effect.

A mapping with the transport layer protocol specified has a higher priority than one without it.

Examples

# Create a mapping of port 3456 to FTP for the packets sent to the IPv4 hosts on subnet 1.1.1.0/24.

<Sysname> system-view

[Sysname] port-mapping application ftp port 3456 subnet ip 1.1.1.0 24

# Create a mapping of port 3456 to FTP for the packets sent to the IPv6 hosts on subnet 1::/120.

<Sysname> system-view

[Sysname] port-mapping application ftp port 3456 subnet ipv6 1:: 120

Related commands

display port-mapping user-defined
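The general, host, and subnet mappings above share one resolution order, but the page states it in pieces across the three commands: destination port and address must match, a mapping that names a transport layer protocol outranks one that does not, the smallest matching subnet wins, a repeated key replaces the earlier entry, and host ranges for the same application, port, and transport must not overlap. The following Python model is an added illustration written for this page; it is not part of H3C's software or of this reference. It puts those rules in one place so that you can check what APR would classify a packet as before committing a mapping on the device. It assumes that a host or address-range mapping outranks a subnet mapping (the page ranks only subnets against subnets), it omits ACL-based mappings, and the application names other than ftp and http (lab-sftp, lab-tftp, lab-mgmt, lab-v6) and the addresses used are made up for the example.

```python
"""Model of APR port-mapping precedence (added example; not H3C code).

Encodes the rules stated in the port-mapping, port-mapping host and
port-mapping subnet usage guidelines. ACL-based mappings are left out.
ASSUMPTION: a host mapping outranks a subnet mapping (the page only ranks
subnets against subnets).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TRANSPORTS = {"dccp", "sctp", "tcp", "udp", "udp-lite"}


def valid_application_name(name: str) -> bool:
    """1 to 63 characters; the names 'invalid' and 'other' are not allowed."""
    return 1 <= len(name) <= 63 and name.lower() not in ("invalid", "other")


@dataclass(frozen=True)
class Mapping:
    app: str
    port: int
    protocol: Optional[str] = None            # None: any transport layer protocol
    host: Optional[Tuple[str, str]] = None    # port-mapping host: inclusive start/end
    subnet: Optional[str] = None              # port-mapping subnet, e.g. "1.1.1.0/24"

    def __post_init__(self):
        if not valid_application_name(self.app):
            raise ValueError(f"bad application name: {self.app!r}")
        if not 0 <= self.port <= 65535:
            raise ValueError(f"bad port: {self.port}")
        if self.protocol is not None and self.protocol not in TRANSPORTS:
            raise ValueError(f"bad transport: {self.protocol}")
        if self.host is not None:
            start, end = map(ipaddress.ip_address, self.host)
            if start.version != end.version or end < start:
                raise ValueError("end address must not be lower than start address")
        if self.subnet is not None:
            ipaddress.ip_network(self.subnet)   # raises on a bad network address

    def key(self):
        """Port, transport and address scope; a later mapping with the same key replaces an earlier one."""
        return (self.port, self.protocol, self.host, self.subnet)

    def matches_address(self, dst) -> bool:
        if self.host is not None:
            start, end = map(ipaddress.ip_address, self.host)
            return start.version == dst.version and start <= dst <= end
        if self.subnet is not None:
            return dst in ipaddress.ip_network(self.subnet)  # False across IP versions
        return True   # general mapping: any destination address


def host_ranges_overlap(a: Mapping, b: Mapping) -> bool:
    a0, a1 = map(ipaddress.ip_address, a.host)
    b0, b1 = map(ipaddress.ip_address, b.host)
    return a0.version == b0.version and a0 <= b1 and b0 <= a1


class AprPortMappings:
    def __init__(self):
        self._rules: List[Mapping] = []   # kept in configuration order

    def configure(self, m: Mapping) -> None:
        for r in self._rules:
            # Page rule: host mappings with the same application, port and
            # transport must not have overlapping address ranges.
            if (r.host and m.host and r.app.lower() == m.app.lower() and r.port == m.port
                    and r.protocol == m.protocol and host_ranges_overlap(r, m)):
                raise ValueError(f"overlaps existing host mapping {r.host} for {r.app}")
        # Page rule: same port, transport and address scope but another
        # application: the most recent configuration takes effect.
        self._rules = [r for r in self._rules if r.key() != m.key()]
        self._rules.append(m)

    def undo(self, m: Mapping) -> bool:
        before = len(self._rules)
        self._rules = [r for r in self._rules
                       if not (r.key() == m.key() and r.app.lower() == m.app.lower())]
        return len(self._rules) != before

    def recognize(self, dst_ip: str, dst_port: int, transport: str) -> Optional[str]:
        """Application APR would assign to a packet, or None when no mapping matches."""
        dst = ipaddress.ip_address(dst_ip)
        transport = transport.lower()
        cands = [r for r in self._rules
                 if r.port == dst_port
                 and (r.protocol is None or r.protocol == transport)
                 and r.matches_address(dst)]
        if not cands:
            return None

        def precedence(r: Mapping):
            proto_specific = 0 if r.protocol else 1     # page: explicit transport wins
            if r.host:                                  # ASSUMPTION: host beats subnet
                return (proto_specific, 0, 0)
            if r.subnet:                                # page: smallest subnet wins
                return (proto_specific, 1, -ipaddress.ip_network(r.subnet).prefixlen)
            return (proto_specific, 2, 0)               # general mapping is the fallback

        return min(cands, key=precedence).app
```

Call configure() in the order the commands would be entered on the device, because the replacement rule makes ordering significant: a second general mapping for the same port and transport silently replaces the first, which is exactly the case where confirming the result with display port-mapping user-defined matters.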

reset application statistics

Use reset application statistics to clear application statistics for interfaces.

Syntax

reset application statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command clears application statistics for all interfaces.

Examples

# Clear application statistics for GigabitEthernet 1/0/1.

<Sysname> reset application statistics interface gigabitethernet 1/0/1

# Clear application statistics for all interfaces.

<Sysname> reset application statistics

Related commands

application statistics enable

display application statistics

service-port

Use service-port to specify a port number or a port range as a match criterion in a user-defined NBAR rule.

Use undo service-port to restore the default.

Syntax

service-port { port-num | range start-port end-port }

undo service-port

Default

A user-defined NBAR rule matches packets of all port numbers.

Views

NBAR rule view

Predefined user roles

network-admin

Parameters

port-num: Specifies the port number in the range of 0 to 65535.

range: Specifies a port range.

start-port: Specifies the start port number for the port range, in the range of 0 to 65535.

end-port: Specifies the end port number for the port range, in the range of 0 to 65535. The end port number cannot be smaller than the start port number.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

 

The specified port number or port range is used to match the packets' destination ports first. If no match is found for a packet, the device continues to match its source port. A packet is determined as a matching packet as long as one of the ports is matched.

If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect.

Examples

# Configure user-defined NBAR rule abcd to match packets with port numbers 2001 through 2004.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd] service-port range 2001 2004

Related commands

direction

signature

Use signature to configure a signature for a user-defined NBAR rule.

Use undo signature to cancel the signature configuration.

Syntax

signature [ signature-id ] [ field field-name ] [ offset offset-value ] { hex hex-vector | regex regex-pattern | string string }

undo signature signature-id

Default

No signatures are configured for a user-defined NBAR rule.

Views

NBAR rule view

Predefined user roles

network-admin

Parameters

signature-id: Specifies the signature ID in the range of 1 to 65535. If you do not specify this argument when creating a signature, the system automatically assigns the signature a signature ID and records the signature ID. The increment of automatically assigned signature IDs is 5. A new signature ID is the nearest unassigned multiple of the increment to the latest automatically assigned signature ID. For example, if the system automatically assigns ID 5 to a signature, the next signature ID to be assigned automatically will be 10. If signature ID 10 has been assigned manually to a signature, the next signature ID to be assigned automatically will be 15.

field field-name: Specifies a protocol field by its name. The specified protocol field must be predefined. This option is available for configuration only if the NBAR rule is applied to HTTP packets. If you do not specify this option, the configured signature takes effect on all fields in HTTP packets.

offset offset-value: Specifies the offset from the beginning of the data field, in bytes. The value range for the offset-value argument is 0 to 65535. A packet matches the signature after the offset. If you do not specify this option, a packet matches the signature from the beginning. If you also specify the field field-name option, the offset begins from the protocol field.

hex hex-vector: Specifies a hexadecimal vector as the match pattern. The hex-vector argument is a string of 6 to 254 characters. The value for the argument must be enclosed in two vertical bars (|).

regex regex-pattern: Specifies a regular expression as the match pattern. The regex-pattern argument is a case-sensitive string of 3 to 512 characters, and it must meet the following requirements:

·     Contains a maximum of four branches. For example, abc(c|d|e|\x3D) is valid, and abc(c|onreset|onselect|onchange|style\x3D) is invalid.

·     Nested braces are not allowed. For example, ab((abcs*?)) is invalid.

·     A branch cannot be specified after another branch. For example, ab(a|b)(c|d)^\\r\\n]+? is invalid.

·     A minimum of four non-wildcard characters must exist before an asterisk (*) or question mark (?). For example, abc* is invalid and abcd*DoS\x2d\d{5}\x20\x2bxi\\r\\nJOIN is valid.

string string: Specifies a string as the match pattern. The string argument is a case-sensitive string of 3 to 512 characters.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes
MSR810-LMS/810-LUS                                                      No
MSR2600-6-X1/2600-10-X1                                                 Yes
MSR 2630                                                                Yes
MSR3600-28/3600-51                                                      Yes
MSR3600-28-SI/3600-51-SI                                                No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                          Yes
MSR 3610/3620/3620-DP/3640/3660                                         Yes
MSR5620/5660/5680                                                       Yes

 

You can repeat this command to configure multiple signatures of different match patterns in a user-defined NBAR rule. If the signatures have different signature IDs, all signatures take effect. The logical relation of these signatures is OR, which indicates that a packet that matches any signature matches the NBAR rule. If the signatures have the same signature ID, the most recent configuration takes effect.
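The following Python model is an added illustration written for this reference, not H3C's implementation: it applies the signature rules described above (auto-assigned IDs in steps of 5 that skip manually taken IDs, the regex-pattern restrictions, the |hex| vector form, the offset, and the OR relation between signatures with different IDs). The names validate_nbar_regex, Signature and NbarRule are assumptions, and "non-wildcard characters before a wildcard" is interpreted as the count of characters other than * and ? earlier in the pattern.

```python
"""Model of the user-defined NBAR signature command (added example, not H3C code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

ID_INCREMENT = 5                  # auto-assigned signature IDs step by 5
MAX_BRANCHES = 4                  # at most four alternatives in one branch group
MIN_LITERALS_BEFORE_WILDCARD = 4  # non-wildcard characters required before * or ?
WILDCARDS = set("*?")


def validate_nbar_regex(pattern: str) -> tuple[bool, str]:
    """Apply the documented regex-pattern restrictions (hypothetical helper).
    Assumption: the literal count is taken over all non-wildcard characters
    that appear earlier in the pattern, escapes and parentheses included."""
    if not 3 <= len(pattern) <= 512:
        return False, "length must be 3 to 512 characters"
    depth, start, groups, i = 0, 0, [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                 # skip an escape such as \x3D, \d or \r
            i += 2
            continue
        if c == "(":
            depth += 1
            if depth > 1:
                return False, "nested parentheses are not allowed"
            start = i
        elif c == ")":
            depth -= 1
            if depth < 0:
                return False, "unbalanced parentheses"
            groups.append(pattern[start + 1:i])
        elif c in WILDCARDS:
            literals = sum(ch not in WILDCARDS for ch in pattern[:i])
            if literals < MIN_LITERALS_BEFORE_WILDCARD:
                return False, f"fewer than 4 non-wildcard characters before {c!r}"
        i += 1
    if depth != 0:
        return False, "unbalanced parentheses"
    branch_groups = [g for g in groups if "|" in g]
    if len(branch_groups) > 1:
        return False, "a branch cannot follow another branch"
    if any(g.count("|") + 1 > MAX_BRANCHES for g in branch_groups):
        return False, "more than four branches"
    return True, "ok"


@dataclass
class Signature:
    """One match pattern: kind is 'hex', 'regex' or 'string'."""
    kind: str
    pattern: str
    offset: int = 0               # bytes skipped before matching starts

    def matches(self, payload: bytes) -> bool:
        data = payload[self.offset:]
        if self.kind == "hex":
            return bytes.fromhex(self.pattern.strip("|")) in data   # |123456|
        if self.kind == "string":
            return self.pattern.encode() in data
        return re.search(self.pattern.encode(), data) is not None


@dataclass
class NbarRule:
    """A user-defined NBAR rule holding signatures keyed by signature ID."""
    name: str
    signatures: dict[int, Signature] = field(default_factory=dict)
    last_auto_id: int = 0

    def signature(self, sig: Signature, signature_id: int | None = None) -> int:
        """Mirror 'signature [ id ] { hex | regex | string }'; return the ID used."""
        if sig.kind == "regex":
            ok, why = validate_nbar_regex(sig.pattern)
            if not ok:
                raise ValueError(f"regex rejected: {why}")
        if sig.kind == "hex" and not re.fullmatch(r"\|(?:[0-9a-fA-F]{2})+\|", sig.pattern):
            raise ValueError("hex vector must be even-length hex enclosed in |...|")
        if signature_id is None:
            # nearest unassigned multiple of the increment above the last auto ID
            signature_id = self.last_auto_id + ID_INCREMENT
            while signature_id in self.signatures:
                signature_id += ID_INCREMENT
            self.last_auto_id = signature_id
        if not 1 <= signature_id <= 65535:
            raise ValueError("signature ID must be 1 to 65535")
        self.signatures[signature_id] = sig   # same ID: most recent config wins
        return signature_id

    def matches(self, payload: bytes) -> bool:
        """Signatures are ORed: any single match means the packet matches."""
        return any(s.matches(payload) for s in self.signatures.values())
```

Feeding the page's own valid and invalid regex examples to validate_nbar_regex reproduces the accept/reject outcomes listed under the regex parameter.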

Examples

# Configure user-defined NBAR rule abcd to match packets with signature 1, which defines match string abcdefg.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd] signature 1 string abcdefg

# Configure user-defined NBAR rule ddd to match packets with signature 2, which defines hexadecimal vector 123456.

<Sysname> system-view

[Sysname] nbar application ddd protocol http

[Sysname-nbar-application-ddd] signature 2 hex |123456|

Related commands

nbar application

source

Use source to specify a source IP address or subnet as a match criterion in a user-defined NBAR rule.

Use undo source to restore the default.

Syntax

source { ip ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }

undo source

Default

A user-defined NBAR rule matches packets sourced from all IP addresses.

Views

NBAR rule view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies a source IPv4 address or IPv4 subnet, in dotted decimal notation.

mask-length: Specifies the mask length for IPv4 addresses, in the range of 0 to 32.

ipv6 ipv6-address: Specifies a source IPv6 address or IPv6 subnet.

prefix-length: Specifies the prefix length for IPv6 addresses, in the range of 0 to 128.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes
MSR810-LMS/810-LUS                                                      No
MSR2600-6-X1/2600-10-X1                                                 Yes
MSR 2630                                                                Yes
MSR3600-28/3600-51                                                      Yes
MSR3600-28-SI/3600-51-SI                                                No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                          Yes
MSR 3610/3620/3620-DP/3640/3660                                         Yes
MSR5620/5660/5680                                                       Yes

 

If you execute this command multiple times for the same NBAR rule, the most recent configuration takes effect.

The ipv6 ipv6-address option is not supported in the current software version. If you specify this option, the command does not take effect.

Examples

# Configure user-defined NBAR rule abcd to match packets sourced from the IPv4 subnet 192.168.2.0/24.

<Sysname> system-view

[Sysname] nbar application abcd protocol http

[Sysname-nbar-application-abcd] source ip 192.168.2.0 24

Related commands

nbar application

update schedule

Use update schedule to set the update schedule for automatic update, including the update interval and update time.

Use undo update schedule to restore the default.

Syntax

update schedule { daily | weekly { fri | mon | sat | sun | thu | tue | wed } } start-time time tingle minutes

undo update schedule

Default

The device automatically updates the APR signature database between 02:01:00 and 04:01:00 every day.

Views

Auto-update configuration view

Predefined user roles

network-admin

Parameters

daily: Specifies the daily update interval.

weekly: Specifies the weekly update interval. You can specify one day in a week for the update:

·     fri: Specifies Friday.

·     mon: Specifies Monday.

·     sat: Specifies Saturday.

·     sun: Specifies Sunday.

·     thu: Specifies Thursday.

·     tue: Specifies Tuesday.

·     wed: Specifies Wednesday.

start-time time: Specifies the start time for the update, in the format of hh:mm:ss. The value range for the time argument is 00:00:00 to 23:59:59.

tingle minutes: Specifies the tolerance time in minutes. The value range for the minutes argument is 0 to 120 minutes. An automatic update will occur at a time point between the following time points:

·     Start time minus half of the tolerance time.

·     Start time plus half of the tolerance time.

For example, if the specified start time is 01:00:00 and the tolerance time is 60 minutes, the update starts during the period from 00:30:00 to 01:30:00.

Usage guidelines

The following matrix shows the command and hardware compatibility:

 

Hardware                                                                Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK  Yes
MSR810-LMS/810-LUS                                                      No
MSR2600-6-X1/2600-10-X1                                                 Yes
MSR 2630                                                                Yes
MSR3600-28/3600-51                                                      Yes
MSR3600-28-SI/3600-51-SI                                                No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                          Yes
MSR 3610/3620/3620-DP/3640/3660                                         Yes
MSR5620/5660/5680                                                       Yes

 

Examples

# Configure the device to automatically update the APR signature database at 23:10:00 every Monday with a tolerance time of 10 minutes.

<Sysname> system-view

[Sysname] apr signature auto-update

[Sysname-apr-autoupdate] update schedule weekly mon start-time 23:10:00 tingle 10

Related commands

apr signature auto-update

 


Session management commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display session aging-time application

Use display session aging-time application to display the aging time for sessions of different application layer protocols or applications.

Syntax

display session aging-time application

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the aging time for sessions of different application layer protocols and applications.

<Sysname> display session aging-time application

Application                                                    Aging time(s)

bootpc                                                         120

bootps                                                         120

dns                                                            1

ftp                                                            3600

ftp-data                                                       240

gprs-data                                                      60

gprs-sig                                                       60

gtp-control                                                    60

gtp-user                                                       60

h225                                                           3600

h245                                                           3600

https                                                          600

ils                                                            3600

l2tp                                                           120

mgcp-callagent                                                 60

mgcp-gateway                                                   60

netbios-dgm                                                    3600

netbios-ns                                                     3600

netbios-ssn                                                    3600

ntp                                                            120

pptp                                                           3600

qq                                                             120

ras                                                            300

rip                                                            120

rsh                                                            60

rtsp                                                           3600

sccp                                                           3600

sip                                                            300

snmp                                                           120

snmptrap                                                       120

sqlnet                                                         600

stun                                                           600

syslog                                                         120

tacacs-ds                                                      120

tftp                                                           60

who                                                            120

xdmcp                                                          3600

others:                                                        1200

Table 140 Command output

Field

Description

Application

Name of an application layer protocol or an application.

Aging time(s)

Aging time in seconds.

others:1200

All application layer protocols and applications with an aging time of 1200 seconds are displayed as others.

 

Related commands

session aging-time application

display session aging-time state

Use display session aging-time state to display the aging time for sessions in different protocol states.

Syntax

display session aging-time state

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the aging time for sessions in different protocol states.

<Sysname> display session aging-time state

State                     Aging Time(s)

SYN                       30

TCP-EST                   3600

FIN                       30

UDP-OPEN                  30

UDP-READY                 60

ICMP-REQUEST              60

ICMP-REPLY                30

RAWIP-OPEN                30

RAWIP-READY               60

UDPLITE-OPEN              30

UDPLITE-READY             60

DCCP-REQUEST              30

DCCP-EST                  3600

DCCP-CLOSEREQ             30

SCTP-INIT                 30

SCTP-EST                  3600

SCTP-SHUTDOWN             30

ICMPV6-REQUEST            60

ICMPV6-REPLY              30

TCP-TIME-WAIT             2

TCP-CLOSE                 2

Table 141 Command output

Field

Description

State

Protocol state.

Aging Time(s)

Aging time in seconds.

 

Related commands

session aging-time state

display session relation-table

Use display session relation-table to display relation entries.

Syntax

Centralized devices in standalone mode:

display session relation-table { ipv4 | ipv6 }

Distributed devices in standalone mode/centralized devices in IRF mode:

display session relation-table { ipv4 | ipv6 } [ slot slot-number ]

Distributed devices in IRF mode:

display session relation-table { ipv4 | ipv6 } [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv4: Specifies IPv4 relation entries.

ipv6: Specifies IPv6 relation entries.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays relation entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays relation entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays relation entries for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display all IPv4 relation entries.

<Sysname> display session relation-table ipv4

Slot 0:

Source IP/port:      192.168.1.100/-

Destination IP/port: 192.168.2.100/99

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: 1/-/-

Protocol: TCP(6)    TTL: 1234s    App: FTP-DATA

 

Source IP/port:      -/-

Destination IP/port: 192.168.2.200/1212

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)    TTL: 3100s    App: H225

 

Total entries found:  2

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all IPv4 relation entries.

<Sysname> display session relation-table ipv4

Slot 1:

Source IP/port:      192.168.1.100/-

Destination IP/port: 192.168.2.100/99

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: 1/-/-

Protocol: TCP(6)    TTL: 1234s    App: FTP-DATA

 

Source IP/port:      -/-

Destination IP/port: 192.168.2.200/1212

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)    TTL: 3100s    App: H225

 

Total entries found:  2

# (Centralized devices in standalone mode.) Display all IPv6 relation entries.

<Sysname> display session relation-table ipv6

Slot 0:

Source IP:             2011::0002

Destination IP/port: 2011::0008/1212

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)    TTL: 567s    App: FTP-DATA

 

Total entries found:  1

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all IPv6 relation entries.

<Sysname> display session relation-table ipv6

Slot 1:

Source IP:             2011::0002

Destination IP/port: 2011::0008/1212

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)    TTL: 567s    App: FTP-DATA

 

Total entries found:  1

Table 142 Command output

Field

Description

Source IP/port

Source IP address and port number of the session. If the IP or port number is not specified, this field displays a hyphen (-).

For an IPv6 relation entry, the source port number is not displayed.

Destination IP/port

Destination IP address and port number of the session.

DS-Lite tunnel peer

Peer tunnel interface address of the DS-Lite tunnel to which the session belongs. If no peer tunnel interface address is specified, a hyphen (-) is displayed.

VPN instance/VLAN ID/Inline ID

MPLS L3VPN instance to which the relation entry belongs.

VLAN ID and inline ID to which the relation entry belongs during Layer 2 forwarding.

If a parameter is not specified, a hyphen (-) is displayed for the corresponding field.

Protocol

Transport layer protocol.

TTL

Remaining lifetime of the relation entry, in seconds.

App

Application layer protocol.

Total entries found

Total number of found relation entries.

 

display session statistics

Use display session statistics to display unicast session statistics.

Syntax

Centralized devices in standalone mode:

display session statistics [ history-max | summary ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display session statistics [ history-max | summary ] [ slot slot-number ]

Distributed devices in IRF mode:

display session statistics [ history-max | summary ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

history-max: Displays history statistics of the maximum unicast sessions and the maximum unicast session establishment rates. If you do not specify this keyword, the command displays all unicast session statistics.

summary: Displays summary information about unicast session statistics. If you do not specify this keyword, the command displays detailed information about unicast session statistics.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays unicast session statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays unicast session statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays unicast session statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

If you do not specify any parameters, this command displays detailed information about the current unicast session statistics.

Examples

# Display detailed information about unicast session statistics.

<Sysname> display session statistics

Slot 1:

Current sessions: 3

          TCP sessions:                    0

          UDP sessions:                    0

         ICMP sessions:                    3

       ICMPv6 sessions:                    0

     UDP-Lite sessions:                    0

         SCTP sessions:                    0

         DCCP sessions:                    0

        RAWIP sessions:                    0

 

          DNS sessions:                    0

          FTP sessions:                    0

          GTP sessions:                    0

         H323 sessions:                    0

         HTTP sessions:                    0

          ILS sessions:                    0

         MGCP sessions:                    0

          NBT sessions:                    0

         PPTP sessions:                    0

          RSH sessions:                    0

         RTSP sessions:                    0

         SCCP sessions:                    0

          SIP sessions:                    0

         SMTP sessions:                    0

       SQLNET sessions:                    0

          SSH sessions:                    0

       TELNET sessions:                    0

         TFTP sessions:                    0

        XDMCP sessions:                    0

 

History average sessions per second:

      Past hour: 1

      Past 24 hours: 0

      Past 30 days: 0

History average session establishment rate:

      Past hour: 0/s

      Past 24 hours: 0/s

      Past 30 days: 0/s

 

Current relation-table entries: 0

 

Relation table establishment rate: 0/s

 

Session establishment rate: 0/s

          TCP:                   0/s

          UDP:                   0/s

         ICMP:                   0/s

       ICMPv6:                   0/s

     UDP-Lite:                   0/s

         SCTP:                   0/s

         DCCP:                   0/s

        RAWIP:                   0/s

 

Received TCP      :                   0 packets                    0 bytes

Received UDP      :                 118 packets                13568 bytes

Received ICMP     :                 105 packets                 8652 bytes

Received ICMPv6   :                   0 packets                    0 bytes

Received UDP-Lite :                   0 packets                    0 bytes

Received SCTP     :                   0 packets                    0 bytes

Received DCCP     :                   0 packets                    0 bytes

Received RAWIP    :                   0 packets                    0 bytes

Table 143 Command output

Field

Description

Current sessions

Total number of unicast sessions.

TCP sessions

Number of TCP sessions.

UDP sessions

Number of UDP sessions.

ICMP sessions

Number of ICMP sessions.

ICMPv6 sessions

Number of ICMPv6 sessions.

UDP-Lite sessions

Number of UDP-Lite sessions.

SCTP sessions

Number of SCTP sessions.

DCCP sessions

Number of DCCP sessions.

RAWIP sessions

Number of Raw IP sessions.

DNS sessions

Number of DNS unicast sessions.

FTP sessions

Number of FTP unicast sessions.

GTP sessions

Number of GTP unicast sessions.

H323 sessions

Number of H.323 unicast sessions.

HTTP sessions

Number of HTTP unicast sessions.

ILS sessions

Number of ILS unicast sessions.

MGCP sessions

Number of MGCP unicast sessions.

NBT sessions

Number of NBT unicast sessions.

PPTP sessions

Number of PPTP unicast sessions.

RSH sessions

Number of RSH unicast sessions.

RTSP sessions

Number of RTSP unicast sessions.

SCCP sessions

Number of SCCP unicast sessions.

SIP sessions

Number of SIP unicast sessions.

SMTP sessions

Number of SMTP unicast sessions.

SQLNET sessions

Number of SQLNET unicast sessions.

SSH sessions

Number of SSH unicast sessions.

TELNET sessions

Number of Telnet unicast sessions.

TFTP sessions

Number of TFTP unicast sessions.

XDMCP sessions

Number of XDMCP unicast sessions.

History average sessions per second

History statistics of average sessions per second.

Past hour

The average number of sessions per second in the most recent hour.

Past 24 hours

The average number of sessions per second in the most recent 24 hours.

Past 30 days

The average number of sessions per second in the most recent 30 days.

History average session establishment rate

History statistics of average session establishment rates.

Past hour

The average session establishment rate in the most recent hour.

Past 24 hours

The average session establishment rate in the most recent 24 hours.

Past 30 days

The average session establishment rate in the most recent 30 days.

Current relation-table entries

Total number of relation entries.

Relation table establishment rate

Rate of relation table establishment.

Session establishment rate

Unicast session establishment rate, and rates for establishing unicast sessions of different protocols.

Received TCP

Number of received TCP packets and bytes.

Received UDP

Number of received UDP packets and bytes.

Received ICMP

Number of received ICMP packets and bytes.

Received ICMPv6

Number of received ICMPv6 packets and bytes.

Received UDP-Lite

Number of received UDP-Lite packets and bytes.

Received SCTP

Number of received SCTP packets and bytes.

Received DCCP

Number of received DCCP packets and bytes.

Received RAWIP

Number of received Raw IP packets and bytes.

 

# (Centralized devices in standalone mode.) Display summary information about unicast session statistics.

<Sysname> display session statistics summary

Slot Sessions  TCP       UDP       Rate      TCP rate  UDP rate

0    3         0         0         0/s       0/s       0/s

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display summary information about unicast session statistics.

<Sysname> display session statistics summary

Slot Sessions  TCP       UDP       Rate      TCP rate  UDP rate

2    3         0         0         0/s       0/s       0/s

# (Distributed devices in IRF mode.) Display summary information about unicast session statistics.

<Sysname> display session statistics summary

Chassis Slot Sessions  TCP       UDP       Rate      TCP rate  UDP rate

1       2    3         0         0         0/s       0/s       0/s

Table 144 Command output

Field

Description

Sessions

Total number of unicast sessions.

TCP

Number of TCP unicast sessions.

UDP

Number of UDP unicast sessions.

Rate

Rate of unicast session creation.

TCP rate

Rate of TCP unicast session creation.

UDP rate

Rate of UDP unicast session creation.

 

# (Centralized devices in standalone mode.) Display history statistics of the maximum unicast sessions and maximum unicast session establishment rates.

<Sysname> display session statistics history-max

Slot 0:

Max sessions: 20084                            Time: 2017-03-04 12:03:53

Max session establishment rate: 9080/s         Time: 2017-03-04 12:03:53

Max TCP sessions: 20084                        Time: 2017-03-04 12:03:53

Max TCP session establishment rate: 9080/s     Time: 2017-03-04 12:03:53

Max UDP sessions: 0                            Time: 2017-03-04 12:03:53

Max UDP session establishment rate: 0          Time: 2017-03-04 12:03:53

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display history statistics of the maximum unicast sessions and maximum unicast session establishment rates.

<Sysname> display session statistics history-max

Slot 1

Max sessions: 20084                            Time: 2017-03-04 12:03:53

Max session establishment rate: 9080/s         Time: 2017-03-04 12:03:53

Max TCP sessions: 20084                        Time: 2017-03-04 12:03:53

Max TCP session establishment rate: 9080/s     Time: 2017-03-04 12:03:53

Max UDP sessions: 0                            Time: 2017-03-04 12:03:53

Max UDP session establishment rate: 0          Time: 2017-03-04 12:03:53

# (Distributed devices in IRF mode.) Display history statistics of the maximum unicast sessions and maximum unicast session establishment rates.

<Sysname> display session statistics history-max

Slot 1 in chassis 1:

Max sessions: 20084                            Time: 2017-03-04 12:03:53

Max session establishment rate: 9080/s         Time: 2017-03-04 12:03:53

Max TCP sessions: 20084                        Time: 2017-03-04 12:03:53

Max TCP session establishment rate: 9080/s     Time: 2017-03-04 12:03:53

Max UDP sessions: 0                            Time: 2017-03-04 12:03:53

Max UDP session establishment rate: 0          Time: 2017-03-04 12:03:53

Table 145 Command output

Field

Description

Max sessions

History statistics of the maximum unicast sessions.

Max session establishment rate

History statistics of the maximum rate at which unicast sessions were created.

Max TCP sessions

History statistics of the maximum TCP unicast sessions.

Max TCP session establishment rate

History statistics of the maximum rate at which TCP unicast sessions were created.

Max UDP sessions

History statistics of the maximum UDP unicast sessions.

Max UDP session establishment rate

History statistics of the maximum rate at which UDP unicast sessions were created.

 

display session statistics ipv4

Use display session statistics ipv4 to display IPv4 unicast session statistics.

Syntax

Centralized devices in standalone mode:

display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | dns | ftp | gtp | h323 | http | icmp | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | source-port source-port | destination-port destination-port } *

Distributed devices in standalone mode/centralized devices in IRF mode:

display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | dns | ftp | gtp | h323 | http | icmp | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | source-port source-port | destination-port destination-port } * [ slot slot-number ]

Distributed devices in IRF mode:

display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | dns | ftp | gtp | h323 | http | icmp | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | source-port source-port | destination-port destination-port } * [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip source-ip: Specifies a source IPv4 address for a unicast session from the initiator to the responder.

destination-ip destination-ip: Specifies a destination IPv4 address for a unicast session from the initiator to the responder.

protocol { dccp | dns | ftp | gtp | h323 | http | icmp | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp }: Specifies an IPv4 protocol.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of an IPv4 unicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of an IPv4 unicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4 unicast session statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv4 unicast session statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv4 unicast session statistics for all cards. (Distributed devices in IRF mode.)

Examples

# Display statistics for unicast sessions from IP address 111.15.111.66.

<Sysname> display session statistics ipv4 source-ip 111.15.111.66

Slot 1:

Current sessions: 3

          TCP sessions:                    0

          UDP sessions:                    0

         ICMP sessions:                    3

       ICMPv6 sessions:                    0

     UDP-Lite sessions:                    0

         SCTP sessions:                    0

         DCCP sessions:                    0

        RAWIP sessions:                    0

 

          DNS sessions:                    0

          FTP sessions:                    0

          GTP sessions:                    0

         H323 sessions:                    0

         HTTP sessions:                    0

          ILS sessions:                    0

         MGCP sessions:                    0

          NBT sessions:                    0

         PPTP sessions:                    0

          RSH sessions:                    0

         RTSP sessions:                    0

         SCCP sessions:                    0

          SIP sessions:                    0

         SMTP sessions:                    0

       SQLNET sessions:                    0

          SSH sessions:                    0

       TELNET sessions:                    0

         TFTP sessions:                    0

        XDMCP sessions:                    0

# Display statistics for IPv4 unicast TCP sessions.

<Sysname> display session statistics ipv4 protocol tcp

Slot 1:

Current sessions: 3

          TCP sessions:                    3

Table 146 Command output

Field

Description

Current sessions

Total number of unicast sessions.

TCP sessions

Number of TCP unicast sessions.

UDP sessions

Number of UDP unicast sessions.

ICMP sessions

Number of ICMP unicast sessions.

ICMPv6 sessions

Number of ICMPv6 unicast sessions.

UDP-Lite sessions

Number of UDP-Lite unicast sessions.

SCTP sessions

Number of SCTP unicast sessions.

DCCP sessions

Number of DCCP unicast sessions.

RAWIP sessions

Number of Raw IP unicast sessions.

DNS sessions

Number of DNS unicast sessions.

FTP sessions

Number of FTP unicast sessions.

GTP sessions

Number of GTP unicast sessions.

H323 sessions

Number of H.323 unicast sessions.

HTTP sessions

Number of HTTP unicast sessions.

ILS sessions

Number of ILS unicast sessions.

MGCP sessions

Number of MGCP unicast sessions.

NBT sessions

Number of NBT unicast sessions.

PPTP sessions

Number of PPTP unicast sessions.

RSH sessions

Number of RSH unicast sessions.

RTSP sessions

Number of RTSP unicast sessions.

SCCP sessions

Number of SCCP unicast sessions.

SIP sessions

Number of SIP unicast sessions.

SMTP sessions

Number of SMTP unicast sessions.

SQLNET sessions

Number of SQLNET unicast sessions.

SSH sessions

Number of SSH unicast sessions.

TELNET sessions

Number of Telnet unicast sessions.

TFTP sessions

Number of TFTP unicast sessions.

XDMCP sessions

Number of XDMCP unicast sessions.

 

display session statistics ipv6

Use display session statistics ipv6 to display IPv6 unicast session statistics.

Syntax

Centralized devices in standalone mode:

display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | dns | ftp | gtp | h323 | http | icmpv6 | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | source-port source-port | destination-port destination-port } *

Distributed devices in standalone mode/centralized devices in IRF mode:

display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | dns | ftp | gtp | h323 | http | icmpv6 | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | source-port source-port | destination-port destination-port } * [ slot slot-number ]

Distributed devices in IRF mode:

display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | dns | ftp | gtp | h323 | http | icmpv6 | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp } | source-port source-port | destination-port destination-port } * [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip source-ip: Specifies a source IPv6 address for a unicast session from the initiator to the responder.

destination-ip destination-ip: Specifies a destination IPv6 address for a unicast session from the initiator to the responder.

protocol { dccp | dns | ftp | gtp | h323 | http | icmpv6 | ils | mgcp | nbt | pptp | raw-ip | rsh | rtsp | sccp | sctp | sip | smtp | sqlnet | ssh | tcp | telnet | tftp | udp | udp-lite | xdmcp }: Specifies an IPv6 protocol.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of an IPv6 unicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of an IPv6 unicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 unicast session statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 unicast session statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 unicast session statistics for all cards. (Distributed devices in IRF mode.)

Examples

# Display statistics for unicast sessions from IPv6 address 100::2.

<Sysname> display session statistics ipv6 source-ip 100::2

Slot 1:

Current sessions: 3

          TCP sessions:                    0

          UDP sessions:                    0

         ICMP sessions:                    3

       ICMPv6 sessions:                    0

     UDP-Lite sessions:                    0

         SCTP sessions:                    0

         DCCP sessions:                    0

        RAWIP sessions:                    0

 

          DNS sessions:                    0

          FTP sessions:                    0

          GTP sessions:                    0

         H323 sessions:                    0

         HTTP sessions:                    0

          ILS sessions:                    0

         MGCP sessions:                    0

          NBT sessions:                    0

         PPTP sessions:                    0

          RSH sessions:                    0

         RTSP sessions:                    0

         SCCP sessions:                    0

          SIP sessions:                    0

         SMTP sessions:                    0

       SQLNET sessions:                    0

          SSH sessions:                    0

       TELNET sessions:                    0

         TFTP sessions:                    0

        XDMCP sessions:                    0

# Display statistics for IPv6 unicast TCP sessions.

<Sysname> display session statistics ipv6 protocol tcp

Slot 1:

Current sessions: 3

Table 147 Command output

Field

Description

Current sessions

Total number of unicast sessions.

TCP sessions

Number of TCP unicast sessions.

UDP sessions

Number of UDP unicast sessions.

ICMP sessions

Number of ICMP unicast sessions.

ICMPv6 sessions

Number of ICMPv6 unicast sessions.

UDP-Lite sessions

Number of UDP-Lite unicast sessions.

SCTP sessions

Number of SCTP unicast sessions.

DCCP sessions

Number of DCCP unicast sessions.

RAWIP sessions

Number of Raw IP unicast sessions.

DNS sessions

Number of DNS unicast sessions.

FTP sessions

Number of FTP unicast sessions.

GTP sessions

Number of GTP unicast sessions.

H323 sessions

Number of H.323 unicast sessions.

HTTP sessions

Number of HTTP unicast sessions.

ILS sessions

Number of ILS unicast sessions.

MGCP sessions

Number of MGCP unicast sessions.

NBT sessions

Number of NBT unicast sessions.

PPTP sessions

Number of PPTP unicast sessions.

RSH sessions

Number of RSH unicast sessions.

RTSP sessions

Number of RTSP unicast sessions.

SCCP sessions

Number of SCCP unicast sessions.

SIP sessions

Number of SIP unicast sessions.

SMTP sessions

Number of SMTP unicast sessions.

SQLNET sessions

Number of SQLNET unicast sessions.

SSH sessions

Number of SSH unicast sessions.

TELNET sessions

Number of Telnet unicast sessions.

TFTP sessions

Number of TFTP unicast sessions.

XDMCP sessions

Number of XDMCP unicast sessions.
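The per-slot counters printed by display session statistics ipv4 and display session statistics ipv6 are most useful when sampled repeatedly: a sudden jump in one protocol's count on one card is the first visible sign of a flood that is filling the session table. The following Python is an added example, not code from the H3C document or from Comware itself. It assumes the command output has already been collected as text (for instance over SSH by a monitoring job) and parses it into per-slot counters, then compares two snapshots and reports counters that grew by more than a chosen threshold. The two snapshots and the threshold value are constructed for the example; the parser also accepts the "Slot 0 in chassis 1:" header that distributed devices in IRF mode print, and it ignores lines it does not recognise, such as the rate lines of display session statistics multicast.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots in the layout of "display session statistics ipv4"
# (not captured from a real device). The second snapshot shows a burst of UDP/DNS
# sessions on slot 1 while slot 2 is unchanged.
BEFORE = """\
Slot 1:
Current sessions: 1200
          TCP sessions:                  900
          UDP sessions:                  280
         ICMP sessions:                   20

          DNS sessions:                  250
          SSH sessions:                    2
Slot 2:
Current sessions: 12
          TCP sessions:                    9
          UDP sessions:                    3
"""

AFTER = """\
Slot 1:
Current sessions: 9180
          TCP sessions:                  900
          UDP sessions:                 8260
         ICMP sessions:                   20

          DNS sessions:                 8230
          SSH sessions:                    2
Slot 2:
Current sessions: 12
          TCP sessions:                    9
          UDP sessions:                    3
"""

SLOT_RE = re.compile(r"^Slot (\d+)(?: in chassis (\d+))?:\s*$")
COUNT_RE = re.compile(r"^\s*(?:Current sessions|(\S+) sessions):\s*(\d+)\s*$")


def parse_session_statistics(text: str) -> Dict[str, Dict[str, int]]:
    """Return {slot: {counter: value}}; the "Current sessions" total is keyed "total".

    Slot keys are "slot1" or, for distributed devices in IRF mode, "chassis1/slot0",
    following the "Slot 0 in chassis 1:" header that those devices print.
    """
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot, chassis = m.groups()
            current = f"chassis{chassis}/slot{slot}" if chassis else f"slot{slot}"
            stats[current] = {}
            continue
        m = COUNT_RE.match(line)
        if m and current is not None:
            key = m.group(1) or "total"   # group(1) is None on the "Current sessions" line
            stats[current][key] = int(m.group(2))
    return stats


def session_growth(before: str, after: str, threshold: int) -> List[Tuple[str, str, int, int]]:
    """Compare two snapshots and list (slot, counter, old, new) for every counter that
    grew by at least `threshold`. A counter missing from the earlier snapshot counts
    as 0, so a protocol that first appears in `after` is reported as well."""
    old, new = parse_session_statistics(before), parse_session_statistics(after)
    alerts = []
    for slot, counters in new.items():
        for key, value in counters.items():
            prev = old.get(slot, {}).get(key, 0)
            if value - prev >= threshold:
                alerts.append((slot, key, prev, value))
    return alerts


if __name__ == "__main__":
    # Hypothetical threshold; tune it to the session-table capacity of the card.
    for slot, key, prev, value in session_growth(BEFORE, AFTER, threshold=5000):
        print(f"{slot}: {key} sessions grew from {prev} to {value}")
```

Run against the constructed snapshots, the check reports the total, UDP and DNS counters on slot 1 and nothing on slot 2. In practice the interesting follow-up is display session table ipv4 protocol udp destination-port 53 on the affected slot, which shows which initiators are creating the sessions.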

 

display session statistics multicast

Use display session statistics multicast to display multicast session statistics.

Syntax

Centralized devices in standalone mode:

display session statistics multicast

Distributed devices in standalone mode/centralized devices in IRF mode:

display session statistics multicast [ slot slot-number ]

Distributed devices in IRF mode:

display session statistics multicast [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays multicast session statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays multicast session statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays multicast session statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display information about multicast session statistics.

<Sysname> display session statistics multicast

Slot 0:

Current sessions: 0

Session establishment rate: 0/s

History max sessions: 0                                Time: 2017-04-25 11:28:00

History max session establishment rate: 0/s            Time: 2017-04-25 11:28:00

Received:                   0 packets                    0 bytes

Sent    :                   0 packets                    0 bytes

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about multicast session statistics.

<Sysname> display session statistics multicast

Slot 0:

Current sessions: 0

Session establishment rate: 0/s

History max sessions: 0                                Time: 2017-04-25 11:28:00

History max session establishment rate: 0/s            Time: 2017-04-25 11:28:00

Received:                   0 packets                    0 bytes

Sent    :                   0 packets                    0 bytes

# (Distributed devices in IRF mode.) Display information about multicast session statistics.

<Sysname> display session statistics multicast

Slot 0 in chassis 1:

Current sessions: 0

Session establishment rate: 0/s

History max sessions: 0                                Time: 2017-04-25 11:28:00

History max session establishment rate: 0/s            Time: 2017-04-25 11:28:00

Received:                   0 packets                    0 bytes

Sent    :                   0 packets                    0 bytes

Table 148 Command output

Field

Description

Current sessions

Total number of multicast sessions.

Session establishment rate

Rate of multicast session creation.

History max sessions

Historical maximum number of multicast sessions, and the time at which it was recorded.

History max session establishment rate

Historical maximum rate of multicast session creation, and the time at which it was recorded.

Received

Number of received multicast packets and bytes.

Sent

Number of sent multicast packets and bytes.

 

display session table ipv4

Use display session table ipv4 to display information about IPv4 unicast session entries that match specific criteria.

Syntax

Centralized devices in standalone mode:

display session table ipv4 [ [ responder ] { source-ip start-source-ip [ end-source-ip ] | destination-ip start-destination-ip [ end-destination-ip ] | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port | application application-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display session table ipv4 [ slot slot-number ] [ [ responder ] { source-ip start-source-ip [ end-source-ip ] | destination-ip start-destination-ip [ end-destination-ip ] | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port | application application-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]

Distributed devices in IRF mode:

display session table ipv4 [ chassis chassis-number slot slot-number ] [ [ responder ] { source-ip start-source-ip [ end-source-ip ] | destination-ip start-destination-ip [ end-destination-ip ] | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port | application application-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (Distributed devices in IRF mode.)

responder: Displays entries of IPv4 unicast sessions from the responder to the initiator. If you do not specify this keyword, the command displays entries of IPv4 unicast sessions from the initiator to the responder.

source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv4 address or IPv4 address range for a unicast session. The start-source-ip argument specifies the start source IPv4 address. The end-source-ip argument specifies the end source IPv4 address. If you do not specify end-source-ip, the command matches only start-source-ip.

destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv4 address or IPv4 address range for a unicast session. The start-destination-ip argument specifies the start destination IPv4 address. The end-destination-ip argument specifies the end destination IPv4 address. If you do not specify end-destination-ip, the command matches only start-destination-ip.

protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 protocol.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast session. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast session. The value range for the destination-port argument is 0 to 65535.

application application-name: Specifies an application protocol by its name. The application-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmp-reply | icmp-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready }: Specifies a protocol state.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

verbose: Displays detailed information about IPv4 unicast session entries. If you do not specify this keyword, the command displays brief information about IPv4 unicast session entries.

Usage guidelines

If you do not specify any parameters, this command displays all IPv4 unicast session entries.

Examples

# (Centralized devices in standalone mode.) Display brief information about all IPv4 unicast session entries.

<Sysname> display session table ipv4

Slot 0:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

 

Total sessions found: 2

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about all IPv4 unicast session entries.

<Sysname> display session table ipv4

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

 

Total sessions found: 2

# (Centralized devices in standalone mode.) Display detailed information about all IPv4 unicast session entries.

<Sysname> display session table ipv4 verbose

Slot 0:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Local

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Local

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:         1 packets         60 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 2

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all IPv4 unicast session entries.

<Sysname> display session table ipv4 verbose

Slot 1:

Initiator:

  Source      IP/port: 192.168.1.18/1877

  Destination IP/port: 192.168.1.55/22

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 192.168.1.55/22

  Destination IP/port: 192.168.1.18/1877

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Local

State: TCP_SYN_SENT

Application: SSH

Start time: 2011-07-29 19:12:36  TTL: 28s

Initiator->Responder:         1 packets         48 bytes

Responder->Initiator:         0 packets          0 bytes

 

Initiator:

  Source      IP/port: 192.168.1.18/1792

  Destination IP/port: 192.168.1.55/2048

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 192.168.1.55/1792

  Destination IP/port: 192.168.1.18/0

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: ICMP(1)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Local

State: ICMP_REQUEST

Application: OTHER

Start time: 2011-07-29 19:12:33  TTL: 55s

Initiator->Responder:         1 packets         60 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 2

Table 149 Command output

Field

Description

Initiator

Information about the unicast session from the initiator to the responder.

Responder

Information about the unicast session from the responder to the initiator.

DS-Lite tunnel peer

Address of the DS-Lite tunnel peer.

When the unicast session does not belong to any DS-Lite tunnel, this field displays a hyphen (-).

VPN instance/VLAN ID/Inline ID

MPLS L3VPN instance to which the unicast session belongs.

VLAN and inline to which the session belongs during Layer 2 forwarding.

For each of the three values that does not apply to the session, a hyphen (-) is displayed in its position.

Protocol

Transport layer protocol:

·     DCCP.

·     ICMP.

·     ICMPv6.

·     Raw IP.

·     SCTP.

·     TCP.

·     UDP.

·     UDP-Lite.

The number in parentheses is the IP protocol number.

Source security zone

Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-).

State

Unicast session state.

Application

Application layer protocol identified for the session, for example SSH, FTP, or DNS.

If the application cannot be identified because the port is not a known application port, this field displays OTHER.

Start time

Unicast session establishment time.

TTL

Remaining lifetime of the unicast session, in seconds.

Initiator->Responder

Number of packets and bytes from the initiator to the responder.

Responder->Initiator

Number of packets and bytes from the responder to the initiator.

Total sessions found

Total number of found unicast session entries.

 

display session table ipv6

Use display session table ipv6 to display information about IPv6 unicast session entries that match specific criteria.

Syntax

Centralized devices in standalone mode:

display session table ipv6 [ [ responder ] { source-ip start-source-ip [ end-source-ip ] | destination-ip start-destination-ip [ end-destination-ip ] | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port | application application-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display session table ipv6 [ slot slot-number ] [ [ responder ] { source-ip start-source-ip [ end-source-ip ] | destination-ip start-destination-ip [ end-destination-ip ] | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port | application application-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]

Distributed devices in IRF mode:

display session table ipv6 [ chassis chassis-number slot slot-number ] [ [ responder ] { source-ip start-source-ip [ end-source-ip ] | destination-ip start-destination-ip [ end-destination-ip ] | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port | application application-name | state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready } | vpn-instance vpn-instance-name } * ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (Distributed devices in IRF mode.)

responder: Displays entries of IPv6 unicast sessions from the responder to the initiator. If you do not specify this keyword, the command displays entries of IPv6 unicast sessions from the initiator to the responder.

source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv6 address or IPv6 address range for a unicast session. The start-source-ip argument specifies the start source IPv6 address. The end-source-ip argument specifies the end source IPv6 address. If you do not specify end-source-ip, the command matches only start-source-ip.

destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv6 address or IPv6 address range for a unicast session. The start-destination-ip argument specifies the start destination IPv6 address. The end-destination-ip argument specifies the end destination IPv6 address. If you do not specify end-destination-ip, the command matches only start-destination-ip.

protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 protocol.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast session. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast session. The value range for the destination-port argument is 0 to 65535.

application application-name: Specifies an application protocol by its name. The application-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

state { dccp-closereq | dccp-closing | dccp-open | dccp-partopen | dccp-request | dccp-respond | dccp-timewait | icmpv6-reply | icmpv6-request | rawip-open | rawip-ready | sctp-closed | sctp-cookie-echoed | sctp-cookie-wait | sctp-established | sctp-shutdown-ack-sent | sctp-shutdown-recd | sctp-shutdown-sent | tcp-close | tcp-close-wait | tcp-est | tcp-fin-wait | tcp-last-ack | tcp-syn-recv | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-open | udp-ready | udplite-open | udplite-ready }: Specifies a protocol state.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters.

verbose: Displays detailed information about IPv6 unicast session entries. If you do not specify this keyword, the command displays brief information about IPv6 unicast session entries.

Usage guidelines

If you do not specify any parameters, this command displays all IPv6 unicast session entries.

Examples

# (Centralized devices in standalone mode.) Display brief information about all IPv6 unicast session entries.

<Sysname> display session table ipv6

Slot 0:

Initiator:

  Source      IP/port: 2011::2/58473

  Destination IP/port: 2011::8/32768

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: IPV6-ICMP(58)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

 

Total sessions found: 1

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about all IPv6 unicast session entries.

<Sysname> display session table ipv6

Slot 1:

Initiator:

  Source      IP/port: 2011::2/58473

  Destination IP/port: 2011::8/32768

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: IPV6-ICMP(58)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

 

Total sessions found: 1

# (Centralized devices in standalone mode.) Display detailed information about all IPv6 unicast session entries.

<Sysname> display session table ipv6 verbose

Slot 0:

Initiator:

  Source      IP/port: 2011::2/58473

  Destination IP/port: 2011::8/32768

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: IPV6-ICMP(58)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 2011::8/58473

  Destination IP/port: 2011::2/33024

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: IPV6-ICMP(58)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Local

State: ICMPV6_REQUEST

Application: OTHER

Start time: 2011-07-29 19:23:41  TTL: 55s

Initiator->Responder:         1 packets         104 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all IPv6 unicast session entries.

<Sysname> display session table ipv6 verbose

Slot 1:

Initiator:

  Source      IP/port: 2011::2/58473

  Destination IP/port: 2011::8/32768

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: IPV6-ICMP(58)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Trust

Responder:

  Source      IP/port: 2011::8/58473

  Destination IP/port: 2011::2/33024

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: IPV6-ICMP(58)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Local

State: ICMPV6_REQUEST

Application: OTHER

Start time: 2011-07-29 19:23:41  TTL: 55s

Initiator->Responder:         1 packets         104 bytes

Responder->Initiator:         0 packets          0 bytes

 

Total sessions found: 1

Table 150 Command output

| Field | Description |
| --- | --- |
| Initiator | Information about the unicast session from the initiator to the responder. |
| Responder | Information about the unicast session from the responder to the initiator. |
| DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. When the unicast session is not tunneled by DS-Lite, this field displays a hyphen (-). |
| VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the unicast session belongs, and the VLAN and inline to which the unicast session belongs during Layer 2 forwarding. A hyphen (-) is displayed for each parameter that is not specified. |
| Protocol | Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in parentheses is the protocol number. |
| Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
| State | Unicast session state. |
| Application | Application layer protocol, such as FTP or DNS. If the protocol is unknown (not recognized by its port number), this field displays OTHER. |
| Start time | Time when the unicast session was established. |
| TTL | Remaining lifetime of the unicast session, in seconds. |
| Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
| Responder->Initiator | Number of packets and bytes from the responder to the initiator. |
| Total sessions found | Total number of unicast session entries found. |

 

display session table multicast ipv4

Use display session table multicast ipv4 to display information about IPv4 multicast session entries that match specific criteria.

Syntax

Centralized devices in standalone mode:

display session table multicast ipv4 [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display session table multicast ipv4 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

Distributed devices in IRF mode:

display session table multicast ipv4 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (Distributed devices in IRF mode.)

source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv4 address or IPv4 address range for a multicast session from the initiator to the responder. The start-source-ip argument specifies the start source IPv4 address. The end-source-ip argument specifies the end source IPv4 address.

destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv4 address or IPv4 address range for a multicast session from the initiator to the responder. The start-destination-ip argument specifies the start destination IPv4 address. The end-destination-ip argument specifies the end destination IPv4 address.

protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 transport layer protocol: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a multicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a multicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.

verbose: Displays detailed information about IPv4 multicast session entries. If you do not specify this keyword, the command displays brief information about IPv4 multicast session entries.

Usage guidelines

If you do not specify any parameters, this command displays all IPv4 multicast session entries.

Examples

# (Centralized devices in standalone mode.) Display brief information about all IPv4 multicast session entries.

<Sysname> display session table multicast ipv4

Slot 0:

Inbound initiator:

  Source      IP/port: 3.3.3.4/1609

  Destination IP/port: 232.0.0.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Outbound interface list:

    GigabitEthernet1/0/2

    GigabitEthernet1/0/3

 

Total sessions found: 3

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about all IPv4 multicast session entries.

<Sysname> display session table multicast ipv4

Slot 0:

Total sessions found: 0

 

Slot 1:

Total sessions found: 0

 

Slot 2:

Inbound initiator:

  Source      IP/port: 3.3.3.4/1609

  Destination IP/port: 232.0.0.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Outbound interface list:

    GigabitEthernet1/0/2

    GigabitEthernet1/0/3

 

Total sessions found: 3

# (Centralized devices in standalone mode.) Display detailed information about all IPv4 multicast session entries.

<Sysname> display session table multicast ipv4 verbose

Slot 0:

Inbound initiator:

  Source      IP/port: 3.3.3.4/1609

  Destination IP/port: 232.0.0.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound responder:

  Source      IP/port: 232.0.0.1/1025

  Destination IP/port: 3.3.3.4/1609

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Trust

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 15:59:22  TTL: 18s

Initiator->Responder:            1 packets         84 bytes

 

Outbound initiator:

  Source      IP/port: 3.3.3.4/1609

  Destination IP/port: 232.0.0.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: 232.0.0.1/1025

  Destination IP/port: 3.3.3.4/1609

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/2

Destination security zone: aaa

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 15:59:22  TTL: 18s

Initiator->Responder:            1 packets         84 bytes

 

Outbound initiator:

  Source      IP/port: 3.3.3.4/1609

  Destination IP/port: 232.0.0.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: 232.0.0.1/1025

  Destination IP/port: 3.3.3.4/1609

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/3

Destination security zone: bbb

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 15:59:22  TTL: 18s

Initiator->Responder:            1 packets         84 bytes

 

Total sessions found: 3

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all IPv4 multicast session entries.

<Sysname> display session table multicast ipv4 verbose

Slot 0:

Total sessions found: 0

 

Slot 1:

Total sessions found: 0

 

Slot 2:

Inbound initiator:

  Source      IP/port: 3.3.3.4/1609

  Destination IP/port: 232.0.0.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound responder:

  Source      IP/port: 232.0.0.1/1025

  Destination IP/port: 3.3.3.4/1609

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Trust

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 15:59:22  TTL: 18s

Initiator->Responder:            1 packets         84 bytes

 

Outbound initiator:

  Source      IP/port: 3.3.3.4/1609

  Destination IP/port: 232.0.0.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: 232.0.0.1/1025

  Destination IP/port: 3.3.3.4/1609

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/2

Destination security zone: aaa

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 15:59:22  TTL: 18s

Initiator->Responder:            1 packets         84 bytes

 

Outbound initiator:

  Source      IP/port: 3.3.3.4/1609

  Destination IP/port: 232.0.0.1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: 232.0.0.1/1025

  Destination IP/port: 3.3.3.4/1609

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/3

Destination security zone: bbb

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 15:59:22  TTL: 18s

Initiator->Responder:            1 packets         84 bytes

 

Total sessions found: 3

Table 151 Command output

| Field | Description |
| --- | --- |
| Inbound initiator | Information about the multicast session from the initiator to the responder on the inbound interface. |
| Inbound responder | Information about the multicast session from the responder to the initiator on the inbound interface. |
| Outbound initiator | Information about the multicast session from the initiator to the responder on the outbound interface. |
| Outbound responder | Information about the multicast session from the responder to the initiator on the outbound interface. |
| DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. If the multicast session is not tunneled by DS-Lite, this field displays a hyphen (-). |
| VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the multicast session belongs, and the VLAN and inline to which the multicast session belongs during Layer 2 forwarding. A hyphen (-) is displayed for each parameter that is not specified. |
| Protocol | Transport layer protocol: DCCP, ICMP, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in parentheses is the protocol number. |
| State | Multicast session state. |
| Application | Application layer protocol, such as FTP or DNS. If the protocol is unknown (not recognized by its port number), this field displays OTHER. |
| Start time | Time when the multicast session was created. |
| TTL | Remaining lifetime of the multicast session, in seconds. |
| Inbound interface | Inbound interface of the first packet from the initiator to the responder. |
| Outbound interface | Outbound interface of the first packet from the initiator to the responder. |
| Outbound interface list | Outbound interfaces of the first packet from the initiator to the responder. |
| Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
| Destination security zone | Security zone to which the outbound interface belongs. If the outbound interface does not belong to any security zone, this field displays a hyphen (-). |
| Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
| Total sessions found | Total number of multicast session entries found. |

 

display session table multicast ipv6

Use display session table multicast ipv6 to display information about IPv6 multicast session entries that match specific criteria.

Syntax

Centralized devices in standalone mode:

display session table multicast ipv6 [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display session table multicast ipv6 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

Distributed devices in IRF mode:

display session table multicast ipv6 [ chassis chassis-number slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (Distributed devices in IRF mode.)

source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv6 address or IPv6 address range for a multicast session from the initiator to the responder. The start-source-ip argument specifies the start source IPv6 address. The end-source-ip argument specifies the end source IPv6 address.

destination-ip start-destination-ip [ end-destination-ip ]: Specifies a destination IPv6 address or IPv6 address range for a multicast session from the initiator to the responder. The start-destination-ip argument specifies the start destination IPv6 address. The end-destination-ip argument specifies the end destination IPv6 address.

protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol: DCCP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a multicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a multicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.

verbose: Displays detailed information about IPv6 multicast session entries. If you do not specify this keyword, the command displays brief information about IPv6 multicast session entries.

Usage guidelines

If you do not specify any parameters, this command displays all IPv6 multicast session entries.

Examples

# (Centralized devices in standalone mode.) Display brief information about all IPv6 multicast session entries.

<Sysname> display session table multicast ipv6

Slot 0:

Inbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Outbound interface list:

    GigabitEthernet1/0/2

    GigabitEthernet1/0/3

 

Total sessions found: 3

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about all IPv6 multicast session entries.

<Sysname> display session table multicast ipv6

Slot 0:

Total sessions found: 0

 

Slot 1:

Total sessions found: 0

 

Slot 2:

Inbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Outbound interface list:

    GigabitEthernet1/0/2

    GigabitEthernet1/0/3

 

Total sessions found: 3

# (Centralized devices in standalone mode.) Display detailed information about all IPv6 multicast session entries.

<Sysname> display session table multicast ipv6 verbose

Slot 0:

Inbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Trust

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Outbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/2

Destination security zone: bbb

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Outbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/3

Destination security zone: ccc

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Total sessions found: 3

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all IPv6 multicast session entries.

<Sysname> display session table multicast ipv6 verbose

Slot 0:

Total sessions found: 0

 

Slot 1:

Total sessions found: 0

 

Slot 2:

Inbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Trust

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Outbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/2

Destination security zone: bbb

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Outbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/3

Destination security zone: ccc

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Total sessions found: 3

# (Distributed devices in IRF mode.) Display detailed information about all IPv6 multicast session entries.

<Sysname> display session table multicast ipv6 verbose

Slot 0 in chassis 1:

Total sessions found: 0

 

Slot 1 in chassis 1:

Total sessions found: 0

 

Slot 2 in chassis 1:

Inbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Trust

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Outbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/2

Destination security zone: bbb

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Outbound initiator:

  Source      IP/port: 3::4/1617

  Destination IP/port: FF0E::1/1025

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound responder:

  Source      IP/port: FF0E::1/1025

  Destination IP/port: 3::4/1617

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: UDP(17)

Outbound interface: GigabitEthernet1/0/3

Destination security zone: ccc

State: UDP_OPEN

Application: OTHER

Start time: 2014-03-03 16:10:58  TTL: 23s

Initiator->Responder:            5 packets        520 bytes

 

Total sessions found: 3

Table 152 Command output

| Field | Description |
| --- | --- |
| Inbound initiator | Information about the multicast session from the initiator to the responder on the inbound interface. |
| Inbound responder | Information about the multicast session from the responder to the initiator on the inbound interface. |
| Outbound initiator | Information about the multicast session from the initiator to the responder on the outbound interface. |
| Outbound responder | Information about the multicast session from the responder to the initiator on the outbound interface. |
| DS-Lite tunnel peer | Address of the DS-Lite tunnel peer. If the multicast session is not tunneled by DS-Lite, this field displays a hyphen (-). |
| VPN instance/VLAN ID/Inline ID | MPLS L3VPN instance to which the multicast session belongs, and the VLAN and inline to which the multicast session belongs during Layer 2 forwarding. A hyphen (-) is displayed for each parameter that is not specified. |
| Protocol | Transport layer protocol: DCCP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in parentheses is the protocol number. |
| State | Multicast session state. |
| Application | Application layer protocol, such as FTP or DNS. If the protocol is unknown (not recognized by its port number), this field displays OTHER. |
| Start time | Time when the multicast session was created. |
| TTL | Remaining lifetime of the multicast session, in seconds. |
| Inbound interface | Inbound interface of the first packet from the initiator to the responder. |
| Outbound interface | Outbound interface of the first packet from the initiator to the responder. |
| Outbound interface list | Outbound interfaces of the first packet from the initiator to the responder. |
| Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-). |
| Destination security zone | Security zone to which the outbound interface belongs. If the outbound interface does not belong to any security zone, this field displays a hyphen (-). |
| Initiator->Responder | Number of packets and bytes from the initiator to the responder. |
| Total sessions found | Total number of multicast session entries found. |
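The verbose output described in Table 150 (unicast entries) and in Tables 151 and 152 (multicast entries) is easier to audit once it is parsed into records than read by eye: the parsed entry count can be cross-checked against the per-slot "Total sessions found" trailer, and the unicast entries whose responder sits in the Local zone (traffic terminating on the device itself rather than forwarded through it) can be listed directly. The Python parser below is an added example written for this page; it is not H3C code and is not part of Comware. It recognizes the "Initiator"/"Responder" and "Inbound/Outbound initiator"/"responder" sub-block headings, the combined "Start time ... TTL" line and the packet/byte counters exactly as they appear in the examples above. The two sample outputs are constructed in that layout with made-up addresses, ports, zones and counters, and the function names (parse_session_table, reported_total, answered_by_device) are my own.

```python
import re

# Constructed samples in the layout of this reference's output examples; the
# addresses, ports, zones and counters are made up, not captured from a device.
UNICAST_SAMPLE = """\
Initiator:
  Source      IP/port: 2011::2/58473
  Destination IP/port: 2011::8/32768
  Source security zone: Trust
Responder:
  Source      IP/port: 2011::8/58473
  Destination IP/port: 2011::2/33024
  Source security zone: Local
State: ICMPV6_REQUEST
Start time: 2011-07-29 19:23:41  TTL: 55s
Initiator->Responder:         1 packets         104 bytes
Responder->Initiator:         0 packets          0 bytes

Initiator:
  Source      IP/port: 2011::2/51000
  Destination IP/port: 2011::53/53
  Source security zone: Trust
Responder:
  Source      IP/port: 2011::53/53
  Destination IP/port: 2011::2/51000
  Source security zone: aaa
State: UDP_OPEN
Start time: 2011-07-29 19:23:50  TTL: 27s
Initiator->Responder:         1 packets          78 bytes
Responder->Initiator:         1 packets         142 bytes

Total sessions found: 2
"""
MULTICAST_SAMPLE = """\
Slot 2:
Inbound initiator:
  Source      IP/port: 3.3.3.4/1609
  Destination IP/port: 232.0.0.1/1025
Inbound responder:
  Source      IP/port: 232.0.0.1/1025
  Destination IP/port: 3.3.3.4/1609
Inbound interface: GigabitEthernet1/0/1
Source security zone: Trust
State: UDP_OPEN
Start time: 2014-03-03 15:59:22  TTL: 18s
Initiator->Responder:            1 packets         84 bytes

Total sessions found: 1
"""
_SUBBLOCK = re.compile(r'^(?:Inbound |Outbound )?(?:[Ii]nitiator|[Rr]esponder):$')
_COUNTER = re.compile(r'^(Initiator->Responder|Responder->Initiator):\s+(\d+) packets\s+(\d+) bytes$')
_START = re.compile(r'^Start time:\s+(.+?)\s+TTL:\s+(\d+)s$')


def parse_session_table(text):
    """One dict per entry: 'blocks' holds each sub-block's indented fields keyed by its
    lower-cased heading, 'counters' maps direction -> (packets, bytes), unindented fields
    such as 'State' or 'Inbound interface' sit at the top level."""
    sessions, current, block = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            block = None        # blank line: this entry's indented sub-blocks are finished
        elif line.startswith('Slot ') or line.startswith('Total sessions found:'):
            continue            # slot headers and trailers carry no session fields
        elif _SUBBLOCK.match(line):
            block = line[:-1].lower()
            if block.endswith('initiator'):     # every entry opens with an initiator block
                current = {'blocks': {}, 'counters': {}}
                sessions.append(current)
            if current is not None:
                current['blocks'][block] = {}
        elif current is None:
            continue            # stray lines before the first entry
        elif raw.startswith(' ') and block is not None:
            key, _, value = line.strip().partition(':')     # IPv6 colons come after the key
            current['blocks'][block][re.sub(r'\s+', ' ', key)] = value.strip()
        elif (m := _COUNTER.match(line)):
            current['counters'][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif (m := _START.match(line)):
            current['Start time'], current['TTL'] = m.group(1), int(m.group(2))
        else:
            key, _, value = line.partition(':')
            current[key.strip()] = value.strip()
    return sessions


def reported_total(text):
    """Sum of the per-slot 'Total sessions found' trailers, to cross-check the parse."""
    return sum(int(n) for n in re.findall(r'^Total sessions found:\s+(\d+)$', text, re.M))


def answered_by_device(sessions):
    """Unicast entries whose responder is in the Local zone, as (source, destination, state)."""
    hits = []
    for s in sessions:
        if s['blocks'].get('responder', {}).get('Source security zone') == 'Local':
            init = s['blocks']['initiator']
            hits.append((init['Source IP/port'], init['Destination IP/port'], s.get('State')))
    return hits
```

Sub-block field names are whitespace-normalized, so the padded "Source      IP/port" column becomes the key "Source IP/port", and each line is split at its first colon so that IPv6 addresses in the value stay intact. Fields the samples leave out, such as DS-Lite tunnel peer or VPN instance/VLAN ID/Inline ID, are captured by the same key/value rule when present, and multi-slot output ("Slot 0:" or "Slot 0 in chassis 1:" headers with a trailer per slot) parses the same way, with reported_total summing the trailers.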

 

reset session relation-table

Use reset session relation-table to clear relation entries.

Syntax

Centralized devices in standalone mode:

reset session relation-table [ ipv4 | ipv6 ]

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session relation-table [ ipv4 | ipv6 ] [ slot slot-number ]

Distributed devices in IRF mode:

reset session relation-table [ ipv4 | ipv6 ] [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

ipv4: Specifies IPv4 relation entries.

ipv6: Specifies IPv6 relation entries.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears relation entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears relation entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears relation entries for all cards. (Distributed devices in IRF mode.)

Usage guidelines

If you do not specify the IPv4 keyword or the IPv6 keyword, this command clears all IPv4 and IPv6 relation entries.

Examples

# Clear all IPv4 relation entries.

<Sysname> reset session relation-table ipv4

Related commands

display session relation-table

reset session statistics

Use reset session statistics to clear unicast session statistics.

Syntax

Centralized devices in standalone mode:

reset session statistics

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session statistics [ slot slot-number ]

Distributed devices in IRF mode:

reset session statistics [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears unicast session statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears unicast session statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears unicast session statistics for all cards. (Distributed devices in IRF mode.)

Examples

# Clear all unicast session statistics.

<Sysname> reset session statistics

Related commands

display session statistics

reset session statistics multicast

Use reset session statistics multicast to clear multicast session statistics.

Syntax

Centralized devices in standalone mode:

reset session statistics multicast

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session statistics multicast [ slot slot-number ]

Distributed devices in IRF mode:

reset session statistics multicast [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears multicast session statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears multicast session statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears multicast session statistics for all cards. (Distributed devices in IRF mode.)

Examples

# Clear all multicast session statistics.

<Sysname> reset session statistics multicast

Related commands

display session statistics multicast

reset session table

Use reset session table to clear IPv4 and IPv6 unicast session entries.

Syntax

Centralized devices in standalone mode:

reset session table

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session table [ slot slot-number ]

Distributed devices in IRF mode:

reset session table [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears unicast session entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears unicast session entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears unicast session entries for all cards. (Distributed devices in IRF mode.)

Examples

# Clear all IPv4 and IPv6 unicast session entries.

<Sysname> reset session table

Related commands

display session table ipv4

display session table ipv6

reset session table ipv4

Use reset session table ipv4 to clear IPv4 unicast session entries that match specific criteria.

Syntax

Centralized devices in standalone mode:

reset session table ipv4 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session table ipv4 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Distributed devices in IRF mode:

reset session table ipv4 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information for all cards. (Distributed devices in IRF mode.)

source-ip source-ip: Specifies a source IPv4 address. The source-ip argument specifies the source IPv4 address of a unicast session from the initiator to the responder.

destination-ip destination-ip: Specifies a destination IPv4 address. The destination-ip argument specifies the destination IPv4 address of a unicast session from the initiator to the responder.

protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 transport layer protocol, including DCCP, ICMP, RawIP, SCTP, TCP, UDP, and UDP-Lite.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you want to clear IPv4 unicast session entries on the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command clears all IPv4 unicast session entries on the public network.

Examples

# Clear all IPv4 unicast session entries.

<Sysname> reset session table ipv4

# Clear the IPv4 unicast session entries with the source IP address of 10.10.10.10.

<Sysname> reset session table ipv4 source-ip 10.10.10.10

Related commands

display session table ipv4

reset session table ipv6

Use reset session table ipv6 to clear information about IPv6 unicast session entries that match the specified criteria.

Syntax

Centralized devices in standalone mode:

reset session table ipv6 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session table ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Distributed devices in IRF mode:

reset session table ipv6 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information for all cards. (Distributed devices in IRF mode.)

source-ip source-ip: Specifies a source IPv6 address. The source-ip argument specifies the source IPv6 address of a unicast session from the initiator to the responder.

destination-ip destination-ip: Specifies a destination IPv6 address. The destination-ip argument specifies the destination IPv6 address of a unicast session from the initiator to the responder.

protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol, including DCCP, ICMPv6, RawIP, SCTP, TCP, UDP, and UDP-Lite.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a unicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a unicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you want to clear IPv6 unicast session entries on the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command clears all IPv6 unicast session entries on the public network.

Examples

# Clear all IPv6 unicast session entries.

<Sysname> reset session table ipv6

# Clear the IPv6 unicast session entries with the source IP address of 2011::0002.

<Sysname> reset session table ipv6 source-ip 2011::0002

Related commands

display session table ipv6

reset session table multicast

Use reset session table multicast to clear IPv4 and IPv6 multicast session entries.

Syntax

Centralized devices in standalone mode:

reset session table multicast

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session table multicast [ slot slot-number ]

Distributed devices in IRF mode:

reset session table multicast [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears multicast session entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears multicast session entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears multicast session entries for all cards. (Distributed devices in IRF mode.)

Examples

# Clear all IPv4 and IPv6 multicast session entries.

<Sysname> reset session table multicast

Related commands

display session table multicast ipv4

display session table multicast ipv6

reset session table multicast ipv4

Use reset session table multicast ipv4 to clear information about IPv4 multicast session entries that match specific criteria.

Syntax

Centralized devices in standalone mode:

reset session table multicast ipv4 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session table multicast ipv4 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Distributed devices in IRF mode:

reset session table multicast ipv4 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information for all cards. (Distributed devices in IRF mode.)

source-ip source-ip: Specifies a source IPv4 address. The source-ip argument specifies the source IPv4 address of a multicast session from the initiator to the responder.

destination-ip destination-ip: Specifies a destination IPv4 address. The destination-ip argument specifies the destination IPv4 address of a multicast session from the initiator to the responder.

protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv4 transport layer protocol, including DCCP, ICMP, RawIP, SCTP, TCP, UDP, and UDP-Lite.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a multicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a multicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you want to clear IPv4 multicast session entries on the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command clears all IPv4 multicast session entries on the public network.

Examples

# Clear all IPv4 multicast session entries.

<Sysname> reset session table multicast ipv4

# Clear the IPv4 multicast session entries with the source IP address of 10.10.10.10.

<Sysname> reset session table multicast ipv4 source-ip 10.10.10.10

Related commands

display session table multicast ipv4

reset session table multicast ipv6

Use reset session table multicast ipv6 to clear information about IPv6 multicast session entries that match specific criteria.

Syntax

Centralized devices in standalone mode:

reset session table multicast ipv6 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Distributed devices in standalone mode/centralized devices in IRF mode:

reset session table multicast ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Distributed devices in IRF mode:

reset session table multicast ipv6 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears information for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command clears information for all cards. (Distributed devices in IRF mode.)

source-ip source-ip: Specifies a source IPv6 address. The source-ip argument specifies the source IPv6 address of a multicast session from the initiator to the responder.

destination-ip destination-ip: Specifies a destination IPv6 address. The destination-ip argument specifies the destination IPv6 address of a multicast session from the initiator to the responder.

protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite }: Specifies an IPv6 transport layer protocol, including DCCP, ICMPv6, RawIP, SCTP, TCP, UDP, and UDP-Lite.

source-port source-port: Specifies a source port by its number. The source-port argument specifies the source port of a multicast session from the initiator to the responder. The value range for the source-port argument is 0 to 65535.

destination-port destination-port: Specifies a destination port by its number. The destination-port argument specifies the destination port of a multicast session from the initiator to the responder. The value range for the destination-port argument is 0 to 65535.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you want to clear IPv6 multicast session entries on the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command clears all IPv6 multicast session entries on the public network.

Examples

# Clear all IPv6 multicast session entries.

<Sysname> reset session table multicast ipv6

# Clear the IPv6 multicast session entries with the source IP address of 2011::0002.

<Sysname> reset session table multicast ipv6 source-ip 2011::0002

Related commands

display session table multicast ipv6

session aging-time application

Use session aging-time application to set the aging time for sessions of an application layer protocol or an application.

Use undo session aging-time application to restore the default. If you do not specify an application layer protocol or an application, this command restores the default aging time for all sessions of the supported application layer protocols and applications.

Syntax

session aging-time application application-name time-value

undo session aging-time application [ application-name ]

Default

The aging time is 1200 seconds for sessions of application layer protocols or applications except for the following sessions:

·     BOOTPC sessions: 120 seconds.

·     BOOTPS sessions: 120 seconds.

·     DNS sessions: 1 second.

·     FTP sessions: 3600 seconds.

·     FTP-DATA sessions: 240 seconds.

·     GTP-CONTROL sessions: 60 seconds.

·     GTP-USER sessions: 60 seconds.

·     GPRS-DATA sessions: 60 seconds.

·     GPRS-SIG sessions: 60 seconds.

·     H.225 sessions: 3600 seconds.

·     H.245 sessions: 3600 seconds.

·     HTTPS sessions: 600 seconds.

·     ILS sessions: 3600 seconds.

·     L2TP sessions: 120 seconds.

·     MGCP-CALLAGENT sessions: 60 seconds.

·     MGCP-GATEWAY sessions: 60 seconds.

·     NETBIOS-DGM sessions: 3600 seconds.

·     NETBIOS-NS sessions: 3600 seconds.

·     NETBIOS-SSN sessions: 3600 seconds.

·     NTP sessions: 120 seconds.

·     PPTP sessions: 3600 seconds.

·     QQ sessions: 120 seconds.

·     RAS sessions: 300 seconds.

·     RIP sessions: 120 seconds.

·     RSH sessions: 60 seconds.

·     RTSP sessions: 3600 seconds.

·     SCCP sessions: 3600 seconds.

·     SIP sessions: 300 seconds.

·     SNMP sessions: 120 seconds.

·     SNMPTRAP sessions: 120 seconds.

·     SQLNET sessions: 600 seconds.

·     STUN sessions: 600 seconds.

·     SYSLOG sessions: 120 seconds.

·     TFTP sessions: 60 seconds.

·     TACACS-DS sessions: 120 seconds.

·     WHO sessions: 120 seconds.

·     XDMCP sessions: 3600 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

application-name: Specifies an application layer protocol or an application by its name, a case-insensitive string of 1 to 63 characters. Valid characters can be digits, letters, hyphens (-), and underscores (_). The names invalid and other are not allowed. The application layer protocol or application must exist on the device.

time-value: Specifies the aging time in seconds. The value range is 1 to 100000.

Usage guidelines

This command sets the aging time for stable sessions of the specified application layer protocol or application. For TCP sessions, the stable state is ESTABLISHED. For UDP sessions, the stable state is READY.

For sessions of application layer protocols or applications that are not supported by this command, the aging time is set by the session aging-time state command. For persistent sessions, the aging time is set by the session persistent acl command.

Supported application layer protocols or applications specified in this command depend on the APR module. For information about APR, see Security Configuration Guide.

Examples

# Set the aging time for FTP sessions to 1800 seconds.

<Sysname> system-view

[Sysname] session aging-time application ftp 1800

# Set the aging time for 126_Web_Email_Send_Email_HTTP sessions to 1800 seconds.

<Sysname> system-view

[Sysname] session aging-time application 126_Web_Email_Send_Email_HTTP 1800

Related commands

display session aging-time application

nbar application

port-mapping

port-mapping acl

port-mapping host

port-mapping subnet

session aging-time state

session persistent acl

session aging-time state

Use session aging-time state to set the aging time for the sessions in a protocol state.

Use undo session aging-time state to restore the default for the sessions in a protocol state. If you do not specify a protocol state, this command restores the default aging times for sessions in all protocol states.

Syntax

session aging-time state { fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | tcp-close | tcp-est | tcp-time-wait | udp-open | udp-ready } time-value

undo session aging-time state [ fin | icmp-reply | icmp-request | rawip-open | rawip-ready | syn | tcp-close | tcp-est | tcp-time-wait | udp-open | udp-ready ]

Default

The aging time for sessions in different protocol states is as follows:

·     FIN_WAIT: 30 seconds.

·     ICMP-REPLY: 30 seconds.

·     ICMP-REQUEST: 60 seconds.

·     RAWIP-OPEN: 30 seconds.

·     RAWIP-READY: 60 seconds.

·     TCP SYN-SENT and SYN-RCV: 30 seconds.

·     TCP CLOSE: 2 seconds.

·     TCP ESTABLISHED: 3600 seconds.

·     TCP TIME-WAIT: 2 seconds.

·     UDP-OPEN: 30 seconds.

·     UDP-READY: 60 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

fin: Specifies the TCP FIN_WAIT state.

icmp-reply: Specifies the ICMP REPLY state.

icmp-request: Specifies the ICMP REQUEST state.

rawip-open: Specifies the RAWIP-OPEN state.

rawip-ready: Specifies the RAWIP-READY state.

syn: Specifies the TCP SYN-SENT and SYN-RCV states.

tcp-close: Specifies the TCP CLOSE state.

tcp-est: Specifies the TCP ESTABLISHED state.

tcp-time-wait: Specifies the TCP TIME-WAIT state.

udp-open: Specifies the UDP OPEN state.

udp-ready: Specifies the UDP READY state.

time-value: Specifies the aging time in seconds. The value range is 1 to 100000.

Usage guidelines

This command sets the aging time for stable sessions of the application layer protocols that are not supported by the session aging-time application command. For persistent sessions, the aging time is set by the session persistent acl command.

Examples

# Set the aging time for TCP sessions in SYN-SENT and SYN-RCV states to 60 seconds.

<Sysname> system-view

[Sysname] session aging-time state syn 60

Related commands

display session aging-time state

session aging-time application

session persistent acl

session log { bytes-active | packets-active }

Use session log { bytes-active | packets-active } to set a threshold for traffic-based logging.

Use undo session log { bytes-active | packets-active } to restore the default.

Syntax

session log { bytes-active bytes-value | packets-active packets-value }

undo session log { bytes-active | packets-active }

Default

No threshold is set for traffic-based logging.

Views

System view

Predefined user roles

network-admin

Parameters

bytes-value: Specifies the byte-based threshold in the range of 1 to 100000 MB.

packets-value: Specifies the packet-based threshold in the range of 1 to 100000 mega-packets.

Usage guidelines

For this command to take effect, make sure session statistics collection for software fast forwarding is enabled (see the session statistics enable command).

If you configure both traffic-based and time-based logging, the device outputs a session log when either threshold is reached, whichever comes first. After outputting a session log, the device resets the traffic counter and restarts the interval for the session.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the device to output a session log every 10 mega-packets.

<Sysname> system-view

[Sysname] session statistics enable

[Sysname] session log packets-active 10

Related commands

session log enable

session statistics enable

session log enable

Use session log enable to enable session logging.

Use undo session log enable to disable session logging.

Syntax

session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound }

undo session log enable { ipv4 | ipv6 } [ acl acl-number ] { inbound | outbound }

Default

Session logging is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv4: Logs IPv4 sessions.

ipv6: Logs IPv6 sessions.

acl acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

inbound: Specifies the inbound direction.

outbound: Specifies the outbound direction.

Usage guidelines

If you do not specify an ACL, this command enables session logging for all IPv4 or IPv6 sessions on the interface.

If you do not specify the inbound or the outbound keyword, this command enables session logging in both directions.

Up to one IPv4 ACL and one IPv6 ACL can be applied to each direction.

The session logging feature must work with the flow log feature to generate session logs. For information about flow log, see Network Management and Monitoring.

After session logging is enabled, the device outputs session logs as follows:

·     Outputs a session log when the specified traffic threshold or interval is reached.

·     Outputs a session log when a session entry is created or removed, but only if logging for session creation or deletion is enabled.

Examples

# Enable IPv4 session logging in the inbound direction of GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] session log flow-begin

[Sysname] session log flow-end

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] session log enable ipv4 inbound

# Enable session logging on GigabitEthernet 1/0/2 for IPv4 sessions that match ACL 2050 in the outbound direction.

<Sysname> system-view

[Sysname] session log flow-begin

[Sysname] session log flow-end

[Sysname] interface gigabitethernet 1/0/2

[Sysname-GigabitEthernet1/0/2] session log enable ipv4 acl 2050 outbound

# Enable session logging on GigabitEthernet 1/0/3 for IPv6 sessions that match ACL 2050 in the outbound direction.

<Sysname> system-view

[Sysname] session log flow-begin

[Sysname] session log flow-end

[Sysname] interface gigabitethernet 1/0/3

[Sysname-GigabitEthernet1/0/3] session log enable ipv6 acl 2050 outbound

Related commands

session log bytes-active

session log flow-begin

session log flow-end

session log packets-active

session log time-active

session log flow-begin

Use session log flow-begin to enable logging for session creation.

Use undo session log flow-begin to disable logging for session creation.

Syntax

session log flow-begin

undo session log flow-begin

Default

Logging for session creation is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For the device to output a session log when a session entry is created, make sure both session logging and logging for session creation are enabled.

Examples

# Enable logging for session creation.

<Sysname> system-view

[Sysname] session log flow-begin

Related commands

session log enable

session log flow-end

Use session log flow-end to enable logging for session deletion.

Use undo session log flow-end to disable logging for session deletion.

Syntax

session log flow-end

undo session log flow-end

Default

Logging for session deletion is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

For the device to output a session log when a session entry is deleted, make sure both session logging and logging for session deletion are enabled.

Examples

# Enable logging for session deletion.

<Sysname> system-view

[Sysname] session log flow-end

Related commands

session log enable

session log time-active

Use session log time-active to set the interval for time-based session logging.

Use undo session log time-active to restore the default.

Syntax

session log time-active time-value

undo session log time-active

Default

No threshold is set for time-based session logging.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the interval in minutes. The value range for the time-value argument is 10 to 120, and the value must be a multiple of 10.

Usage guidelines

If you configure both time-based and traffic-based logging, the device outputs a session log when either threshold is reached, whichever comes first. After outputting a session log, the device resets the traffic counter and restarts the interval for the session.

Examples

# Configure the device to output session logs every 50 minutes.

<Sysname> system-view

[Sysname] session log time-active 50

Related commands

session log enable

session log bytes-active

session log packets-active
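The interaction between the traffic-based thresholds (session log bytes-active / packets-active) and the time-based interval (session log time-active) described in the usage guidelines above, as an added model that is not H3C code. It assumes MB means 10**6 bytes and a mega-packet means 10**6 packets (the manual does not define either), and replays constructed per-session traffic and timer events to show which threshold fires and that the counters restart after each log.

```python
"""Model of the session-log threshold rules on this page (`session log
bytes-active | packets-active` and `session log time-active`): a log is
emitted when whichever threshold is reached first, then the traffic counter
and the interval restart for that session. Added example, not H3C code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MB = 10**6             # assumption: the manual does not define MB as 10**6 or 2**20
MEGA_PACKETS = 10**6   # assumption, as above


def is_valid_time_active(minutes: int) -> bool:
    """Page rule for `session log time-active`: 10 to 120 minutes, multiple of 10."""
    return 10 <= minutes <= 120 and minutes % 10 == 0


@dataclass
class SessionLogConfig:
    # Only one traffic-based threshold is active at a time: repeating
    # `session log bytes-active` / `packets-active` replaces the earlier one.
    traffic: Optional[Tuple[str, int]] = None   # ("bytes", MB) or ("packets", mega-packets)
    time_active_min: Optional[int] = None       # `session log time-active`
    statistics_enabled: bool = False            # `session statistics enable`

    def __post_init__(self) -> None:
        if self.traffic is not None:
            kind, value = self.traffic
            if kind not in ("bytes", "packets"):
                raise ValueError("traffic threshold kind must be bytes or packets")
            if not 1 <= value <= 100000:        # page: 1 to 100000 MB / mega-packets
                raise ValueError(f"{kind}-active value must be 1..100000")
        if self.time_active_min is not None and not is_valid_time_active(self.time_active_min):
            raise ValueError("time-active must be 10..120 minutes and a multiple of 10")

    def traffic_limit(self) -> Tuple[Optional[int], Optional[int]]:
        """(byte_limit, packet_limit) in raw units; None where unset or ineffective."""
        # Traffic-based logging only takes effect with statistics collection on.
        if self.traffic is None or not self.statistics_enabled:
            return None, None
        kind, value = self.traffic
        return (value * MB, None) if kind == "bytes" else (None, value * MEGA_PACKETS)


@dataclass
class SessionLogState:
    """Per-session counters: reset on every emitted log, as the page describes."""
    cfg: SessionLogConfig
    bytes_since_log: int = 0
    packets_since_log: int = 0
    interval_start: float = 0.0
    logs: List[Tuple[float, str]] = field(default_factory=list)

    def _emit(self, now: float, reason: str) -> str:
        self.logs.append((now, reason))
        self.bytes_since_log = 0
        self.packets_since_log = 0
        self.interval_start = now      # restart the time-active interval
        return reason

    def tick(self, now: float) -> Optional[str]:
        """Timer check at time `now` (seconds since session creation)."""
        limit = self.cfg.time_active_min
        if limit is not None and now - self.interval_start >= limit * 60:
            return self._emit(now, "time-active")
        return None

    def on_traffic(self, now: float, packets: int, nbytes: int) -> Optional[str]:
        """Account a batch of forwarded traffic (e.g. one statistics update)."""
        self.bytes_since_log += nbytes
        self.packets_since_log += packets
        byte_limit, packet_limit = self.cfg.traffic_limit()
        if byte_limit is not None and self.bytes_since_log >= byte_limit:
            return self._emit(now, "bytes-active")
        if packet_limit is not None and self.packets_since_log >= packet_limit:
            return self._emit(now, "packets-active")
        return None


def simulate(cfg: SessionLogConfig, events) -> List[Tuple[float, str]]:
    """Replay events ("traffic", t, packets, nbytes) or ("tick", t); return logs."""
    state = SessionLogState(cfg)
    for ev in events:
        if ev[0] == "traffic":
            state.on_traffic(ev[1], ev[2], ev[3])
        else:
            state.tick(ev[1])
    return state.logs


if __name__ == "__main__":
    # Constructed scenario: packets-active 1 (mega-packet) and time-active 10.
    cfg = SessionLogConfig(traffic=("packets", 1), time_active_min=10, statistics_enabled=True)
    events = [("traffic", 0, 400_000, 40_000_000), ("traffic", 300, 700_000, 70_000_000),
              ("tick", 600), ("tick", 900), ("traffic", 1000, 200_000, 20_000_000)]
    print(simulate(cfg, events))   # [(300, 'packets-active'), (900, 'time-active')]
```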

session persistent acl

Use session persistent acl to specify persistent sessions.

Use undo session persistent acl to restore the default.

Syntax

session persistent acl [ ipv6 ] acl-number [ aging-time time-value ]

undo session persistent acl [ ipv6 ] acl-number

Default

No persistent sessions exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not specify this keyword.

acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

aging-time time-value: Specifies the aging time for persistent sessions in hours. The value range for the time-value argument is 0 to 360, and the default value is 24. To disable the aging for persistent sessions, set the value to 0.

Usage guidelines

This command is effective only on TCP sessions in ESTABLISHED state.

For a TCP session in ESTABLISHED state, the aging time is determined in the following order of priority, highest first:

·     Aging time for persistent sessions.

·     Aging time for sessions of application layer protocols.

·     Aging time for sessions in different protocol states.

A persistent session whose aging is disabled (aging time 0) is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries.

The configuration of persistent sessions applies only to new sessions. It has no effect on existing sessions.

Repeat this command to use multiple ACLs to specify persistent sessions.

Examples

# Specify IPv4 ACL 2000 for identifying persistent sessions and set the aging time to 72 hours.

<Sysname> system-view

[Sysname] session persistent acl 2000 aging-time 72

# Specify IPv6 ACL 3000 for identifying persistent sessions and set the aging time to 100 hours.

<Sysname> system-view

[Sysname] session persistent acl ipv6 3000 aging-time 100

Related commands

session aging-time application

session aging-time state
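The aging-time priority described in the session persistent acl usage guidelines above, carried through as an added example that is not H3C code. It resolves the effective aging time of a new TCP ESTABLISHED session from the three settings on this page (persistent ACL in hours with 0 meaning never, then session aging-time application, then session aging-time state tcp-est) using the defaults the page lists; which persistent ACLs a session matches is taken as given, since ACL evaluation is outside the model, and when several matched ACLs carry different aging times the first match is assumed to win.

```python
"""Effective aging time of a TCP ESTABLISHED session, resolved in the priority
order this page gives: persistent ACL, then application, then protocol state.
Added example, not H3C code; defaults are the ones listed on this page."""
import re
from typing import Dict, Iterable, Optional

# `session aging-time application` defaults (seconds) for a few of the
# protocols listed on this page; anything else the APR module recognises
# defaults to 1200 seconds.
APP_AGING_DEFAULTS: Dict[str, int] = {
    "ftp": 3600, "ftp-data": 240, "dns": 1, "https": 600, "sip": 300, "tftp": 60,
}
APP_AGING_FALLBACK = 1200
TCP_EST_DEFAULT = 3600       # `session aging-time state tcp-est` default
_APP_NAME = re.compile(r"^[0-9A-Za-z_-]{1,63}$")


def is_valid_application_name(name: str) -> bool:
    """Page rules: 1-63 chars of digits, letters, '-' or '_'; not 'invalid' or 'other'."""
    return bool(_APP_NAME.match(name)) and name.lower() not in ("invalid", "other")


class AgingConfig:
    """Holds the three aging-time settings the resolver consults."""

    def __init__(self) -> None:
        self.persistent_acls: Dict[int, int] = {}      # acl-number -> hours, 0 = never
        self.app_aging: Dict[str, int] = dict(APP_AGING_DEFAULTS)
        self.tcp_est_aging = TCP_EST_DEFAULT

    def session_persistent_acl(self, acl_number: int, aging_time: int = 24) -> None:
        """`session persistent acl acl-number [ aging-time hours ]`; default 24 h."""
        if not 2000 <= acl_number <= 3999:
            raise ValueError("ACL number must be 2000..3999")
        if not 0 <= aging_time <= 360:
            raise ValueError("aging-time must be 0..360 hours")
        self.persistent_acls[acl_number] = aging_time

    def session_aging_time_application(self, name: str, seconds: int) -> None:
        """`session aging-time application application-name time-value`."""
        if not is_valid_application_name(name):
            raise ValueError(f"invalid application name {name!r}")
        if not 1 <= seconds <= 100000:
            raise ValueError("time-value must be 1..100000 seconds")
        self.app_aging[name.lower()] = seconds     # names are case-insensitive

    def session_aging_time_state_tcp_est(self, seconds: int) -> None:
        """`session aging-time state tcp-est time-value`."""
        if not 1 <= seconds <= 100000:
            raise ValueError("time-value must be 1..100000 seconds")
        self.tcp_est_aging = seconds


def effective_aging_seconds(cfg: AgingConfig, matched_acls: Iterable[int],
                            application: Optional[str]) -> Optional[int]:
    """Aging time for a new TCP ESTABLISHED session; None means it never ages out.

    matched_acls: numbers of the persistent-session ACLs the session matches
    (ACL evaluation is outside this model; first match wins, by assumption).
    application: the APR-recognised application, or None if not recognised.
    """
    # 1. Persistent-session aging time wins; aging-time 0 disables aging.
    for acl in matched_acls:
        if acl in cfg.persistent_acls:
            hours = cfg.persistent_acls[acl]
            return None if hours == 0 else hours * 3600
    # 2. Application-layer aging time (explicit setting, page default, or 1200 s).
    if application is not None:
        return cfg.app_aging.get(application.lower(), APP_AGING_FALLBACK)
    # 3. Otherwise the protocol-state aging time for TCP ESTABLISHED applies.
    return cfg.tcp_est_aging


if __name__ == "__main__":
    cfg = AgingConfig()
    cfg.session_persistent_acl(2000, aging_time=72)   # the page's own example values
    print(effective_aging_seconds(cfg, [2000], "ftp"))  # 259200
    print(effective_aging_seconds(cfg, [], "ftp"))      # 3600
```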

session state-machine mode loose

Use session state-machine mode loose to set the session state machine to loose mode.

Use undo session state-machine mode loose to restore the default.

Syntax

session state-machine mode loose

undo session state-machine mode loose

Default

The session state machine is in strict mode.

Views

System view

Predefined user roles

network-admin

Usage guidelines

On asymmetric-path networks where session synchronization is disabled, set the session state machine to loose mode to prevent the device from dropping packets unexpectedly.

As a best practice, use the default setting on symmetric-path networks.

Examples

# Set the mode of session state machine to loose.

<Sysname> system-view

[Sysname] session state-machine mode loose

session statistics enable

Use session statistics enable to enable session statistics collection for software fast forwarding.

Use undo session statistics enable to disable session statistics collection for software fast forwarding.

Syntax

session statistics enable

undo session statistics enable

Default

Session statistics collection is disabled for software fast forwarding.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to collect per-session inbound and outbound packet and byte counts for software fast forwarding.

To display statistics per session, use the display session table command. To display statistics per packet type, use the display session statistics command.

This command is CPU and memory intensive. Before using this command, make sure you fully understand its impact on system performance.

Examples

# Enable session statistics collection.

<Sysname> system-view

[Sysname] session statistics enable

Related commands

display session statistics

display session table


Connection limit commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

connection-limit

Use connection-limit to create a connection limit policy and enter its view, or enter the view of an existing connection limit policy.

Use undo connection-limit to delete a connection limit policy.

Syntax

connection-limit { ipv6-policy | policy } policy-id

undo connection-limit { ipv6-policy | policy } policy-id

Default

No connection limit policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 connection limit policy.

policy: Specifies an IPv4 connection limit policy.

policy-id: Specifies the ID of a connection limit policy. An IPv4 or IPv6 connection limit policy has its own number. The value range for this argument is 1 to 32.

Examples

# Create IPv4 connection limit policy 1 and enter its view.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connlmt-policy-1]

# Create IPv6 connection limit policy 12 and enter its view.

<Sysname> system-view

[Sysname] connection-limit ipv6-policy 12

[Sysname-connlmt-ipv6-policy-12]

Related commands

connection-limit apply

connection-limit apply global

display connection-limit

limit

connection-limit apply

Use connection-limit apply to apply a connection limit policy to an interface.

Use undo connection-limit apply to remove the application.

Syntax

connection-limit apply { ipv6-policy | policy } policy-id

undo connection-limit apply { ipv6-policy | policy }

Default

No connection limit policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 connection limit policy.

policy: Specifies an IPv4 connection limit policy.

policy-id: Specifies the ID of a connection limit policy. The value range for this argument is 1 to 32.

Usage guidelines

Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied to an interface. A new IPv4 or IPv6 connection limit policy overwrites the old one.

Examples

# Apply IPv4 connection limit policy 1 to GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] connection-limit apply policy 1

# Apply IPv6 connection limit policy 12 to GigabitEthernet 2/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] connection-limit apply ipv6-policy 12

Related commands

connection-limit

limit

connection-limit apply global

Use connection-limit apply global to apply a connection limit policy globally.

Use undo connection-limit apply global to remove the application.

Syntax

connection-limit apply global { ipv6-policy | policy } policy-id

undo connection-limit apply global { ipv6-policy | policy }

Default

No connection limit policy is applied globally.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 connection limit policy.

policy: Specifies an IPv4 connection limit policy.

policy-id: Specifies the ID of a connection limit policy. The value range for this argument is 1 to 32.

Usage guidelines

Only one IPv4 connection limit policy and one IPv6 connection limit policy can be applied globally. A new IPv4 or IPv6 connection limit policy overwrites the old one.

Examples

# Apply IPv4 connection limit policy 1 globally.

<Sysname> system-view

[Sysname] connection-limit apply global policy 1

# Apply IPv6 connection limit policy 12 globally.

<Sysname> system-view

[Sysname] connection-limit apply global ipv6-policy 12

Related commands

connection-limit

limit

description

Use description to configure a description for a connection limit policy.

Use undo description to restore the default.

Syntax

description text

undo description

Default

A connection limit policy does not have a description.

Views

IPv4 connection limit policy view

IPv6 connection limit policy view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the description as CenterToA for IPv4 connection limit policy 1.

<Sysname> system-view

[Sysname] connection-limit policy 1

[Sysname-connlmt-policy-1] description CenterToA

Related commands

display connection-limit

display connection-limit

Use display connection-limit to display information about connection limit policies.

Syntax

display connection-limit { ipv6-policy | policy } { policy-id | all }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-policy: Specifies an IPv6 connection limit policy.

policy: Specifies an IPv4 connection limit policy.

policy-id: Specifies a connection limit policy by its ID. The value range for this argument is 1 to 32.

all: Specifies all connection limit policies.

Examples

# Display information about all IPv4 connection limit policies.

<Sysname> display connection-limit policy all

3 policies in total:

Policy  Rule     Stat Type  HiThres  LoThres  Rate     ACL

--------------------------------------------------------------------------------

      0     1  Src-Dst-Port     2000     1800    10     3000

           12       Src-Dst      500       45     0     3001

          255            --  1000000   980000     0     2001

 

      1     2      Dst-Port      800      70      0     3010

            3       Src-Dst      100      90      0     3000

           10  Src-Dst-Port       50      45      0     3003

           11           Src      200     200      0     3004

          200           --    500000  498000      0     2002

 

     28     4          Port     1500    1400      0     3100

            5           Dst     3000     280      0     3101

           21       Src-Dst      200     180      0     3102

           25      Src-Port       50      35      0     3200

Description list:

 Policy      Description

--------------------------------------------------------------------------------

      1       IPv4Description1

     28      Description for IPv4 28

# Display information about IPv4 connection limit policy 1.

<Sysname> display connection-limit policy 1

IPv4 connection limit policy 1 has been applied 5 times, and has 5 limit rules.

Description: IPv4Description1

Limit rule list:

Policy  Rule     Stat Type  HiThres  LoThres     Rate   ACL

--------------------------------------------------------------------------------

      1     2      Dst-Port      800      700     10     3010

            3       Src-Dst      100       90     0      3000

           10  Src-Dst-Port       50       45     0      3003

           11           Src      200      200     0      3004

          200            --   500000   498000     0      2002

 Application list:

     GigabitEthernet2/0/1

     GigabitEthernet2/0/2

     Vlan-interface2

     Global

# Display information about all IPv6 connection limit policies.

<Sysname> display connection-limit ipv6-policy all

2 policies in total:

Policy  Rule     Stat Type  HiThres  LoThres  Rate     ACL

--------------------------------------------------------------------------------

      3     1       Src-Dst     1000      800    10     3010

            2           Dst      500      450     0     3001

      4     2  Src-Dst-Port      800      700     0     3010

            3           Src      100       90     0     3020

          200            --   100000    89000     0     2005

Description list:

 Policy      Description

--------------------------------------------------------------------------------

      3      IPv6Description3

      4      Description for IPv6 4

# Display information about IPv6 connection limit policy 3.

<Sysname> display connection-limit ipv6-policy 3

IPv6 connection limit policy 3 has been applied 3 times, and has 2 limit rules.

Description: IPv6Description3

Limit rule list:

Policy  Rule     Stat Type  HiThres  LoThres  Rate     ACL

--------------------------------------------------------------------------------

     3     1       Src-Dst     1000      800     0     3010

           2           Dst      500      450     0     3001

Application list:

    GigabitEthernet2/0/1

    Vlan-interface2

Table 153 Command output

Field

Description

Limit rule list

Connection limit policy information.

Policy

Number of the connection limit policy.

Rule

Number of the connection limit rule.

Stat Type

Statistics types:

·     Src-Dst-Port—Limits connections by source IP, destination IP, and service combination.

·     Src-Dst—Limits connections by source IP address and destination IP address combination.

·     Src-Port—Limits connections by source IP and service combination.

·     Dst-Port—Limits connections by destination IP and service combination.

·     Src—Limits connections by source IP address.

·     Dst—Limits connections by destination IP address.

·     Port—Limits connections by service.

·     Dslite—Limits connections by B4 device of a DS-Lite tunnel. This type is not supported on the MSR810-LMS or MSR810-LUS routers.

·     --—The rule does not limit connections by a specific IP address or service. All connections that match the ACL used by the rule are counted together and limited as one set.

HiThres

Upper limit of the connections.

LoThres

Lower limit of the connections.

Rate

Number of connections established per second.

ACL

Number or name of the ACL used by the rule.

Application list

Application list of the connection limit policy, including interface name and Global. Global indicates that the connection limit policy is applied globally.

Description

Connection limit policy description.

Description list

List of connection limit policy descriptions.

 

Related commands

connection-limit

connection-limit apply

connection-limit apply global

limit

display connection-limit ipv6-stat-nodes

Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections that match connection limit rules globally or on an interface.

Syntax

Centralized devices in standalone mode:

display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]

Distributed devices in IRF mode:

display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays statistics about IPv6 connections that match connection limit rules globally.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in IRF mode.)

deny-new: Displays limit rule-based statistics sets for which new connections are rejected.

permit-new: Displays limit rule-based statistics sets for which new connections are allowed.

destination destination-ip: Specifies a destination by its IP address.

service-port port-number: Specifies a service port by its port number.

source source-ip: Specifies a source by its IP address.

count: Displays only the number of limit rule-based statistics sets. Detailed information about the specified IPv6 connections is not displayed. If you do not specify this keyword, the command displays detailed information about the specified IPv6 connections that match connection limit rules.

Usage guidelines

The statistics for connections that match connection limit rules include the following information:

·     Connection information, including the source/destination IP address, service port, and transport layer protocol of connections.

·     Matching connection limit rules.

·     Number of current connections.

·     Whether or not new connections can be created.

To further filter the output statistics, specify the following parameters in the command:

·     source source-ip.

·     destination destination-ip.

·     service-port port-number.

·     permit-new.

·     deny-new.

For example, if you specify the source source-ip and destination destination-ip combination, this command displays statistics about IPv6 connections that match connection limit rules by source IP address and destination IP address.

If you do not specify any parameters for further filtering, this command displays statistics about all IPv6 connections that match connection limit rules.

Deleting or modifying an IPv6 connection limit policy will not delete the effective IPv6 connection limit rule-based statistics sets. An IPv6 connection limit rule-based statistics set will be automatically deleted after all the IPv6 connections for the set are disconnected.

Examples

# (Centralized devices in standalone mode.) Display statistics about all IPv6 connections that match the connection limit rule on GigabitEthernet 2/0/1.

<Sysname> display connection-limit ipv6-stat-nodes interface gigabitethernet 2/0/1

Slot 2 :

 Src IP address          : Any

     VPN instance        : vpn5

 Dst IP address          : fe80::5ed9:98ff:feb1:69b6

     VPN instance        : abcdefghijklmnopqrstuvwxyzabcde

 DS-Lite tunnel peer     : 9876543210

 Service                 : tcp/12345

 Limit rule ID           : 12345(ACL: 3184)

 Sessions threshold Hi/Lo: 1000000/90000

 Sessions count          : 150000

 Sessions limit rate     : 0

 New session flag        : Permit

# (Centralized devices in standalone mode.) Display statistics about all IPv6 connections that match the connection limit rule on VLAN-interface 2.

<Sysname> display connection-limit ipv6-stat-nodes interface vlan-interface 2

Slot 2 :

 Src IP address          : Any

     VPN instance        : vpn5

 Dst IP address          : fe80::5ed9:98ff:feb1:69b6

     VPN instance        : abcdefghijklmnopqrstuvwxyzabcde

 DS-Lite tunnel peer     : 9876543210

 Service                 : tcp/12345

 Limit rule ID           : 12345(ACL: 3184)

 Sessions threshold Hi/Lo: 1000000/90000

 Sessions count          : 150000

 Sessions limit rate     : 0

 New session flag        : Permit

# (Distributed devices in standalone mode.) Display statistics about all IPv6 connections that match the connection limit rule on VLAN-interface 10 on the card in slot 2.

<Sysname> display connection-limit ipv6-stat-nodes interface vlan-interface 10 slot 2

Slot 2:

 Src IP address          : 112::2

     VPN instance        : --

 Dst IP address          : Any

     VPN instance        : --

 DS-Lite tunnel peer     : --

 Service                 : udp/300

 Limit rule ID           : 0(ACL: 3571)

 Sessions threshold Hi/Lo: 3000/2900

 Sessions count          : 2002

 Sessions limit rate     : 0

 New session flag        : Permit

# (Centralized devices in IRF mode.) Display statistics about IPv6 connections that match the connection limit rule on IRF member device 2.

<Sysname> display connection-limit ipv6-stat-nodes global slot 2

Slot 2:

 Src IP address          : Any

     VPN instance        : --

 Dst IP address          : Any

     VPN instance        : --

 DS-Lite tunnel peer     : --

 Service                 : icmp/0

 Limit rule ID           : 22(ACL: 3666)

 Sessions threshold Hi/Lo: 3500/3000

 Sessions count          : 3100

 Sessions limit rate     : 0

 New session flag        : Permit

# (Distributed devices in IRF mode.) Display statistics about IPv6 connections that match the connection limit rule on GigabitEthernet 1/2/0/2.

<Sysname> display connection-limit ipv6-stat-nodes interface gigabitethernet 1/2/0/2

Slot 2 in chassis 1:

 Src IP address          : 5::1

     VPN instance        : Vpn1

 Dst IP address          : Any

     VPN instance        : --

 DS-Lite tunnel peer     : --

 Service                 : All

 Limit rule ID           : 21(ACL: 2988)

 Sessions threshold Hi/Lo: 2000/1500

 Sessions count          : 1988

 Sessions limit rate     : 0

 New session flag        : Permit

# (Centralized devices in standalone mode.) Display the number of limit rule-based statistics sets by source IP address 2::1.

<Sysname> display connection-limit ipv6-stat-nodes global source 2::1 count

Slot 0:

       Current limit statistic nodes count is 16.

# (Distributed devices in standalone mode.) Display the number of limit rule-based statistics sets on VLAN-interface 10 on the card in slot 2.

<Sysname> display connection-limit ipv6-stat-nodes interface vlan-interface 10 slot 2 count

Slot 2:

       Current limit statistic nodes count is 1.

# (Centralized devices in IRF mode.) Display the number of limit rule-based statistics sets on IRF member device 2.

<Sysname> display connection-limit ipv6-stat-nodes global slot 2 count

Slot 2:

       Current limit statistic nodes count is 0.

# (Distributed devices in IRF mode.) Display the number of limit rule-based statistics sets of IRF member device 1 on the card in slot 2.

<Sysname> display connection-limit ipv6-stat-nodes global chassis 1 slot 2 count

Slot 2 in chassis 1:

       Current limit statistic nodes count is 0.

Table 154 Command output

Field

Description

Src IP address

Source IP address.

Dst IP address

Destination IP address.

VPN instance

MPLS L3VPN instance to which the IP address belongs. Two hyphens (--) indicate that the IP address is on the public network.

DS-Lite tunnel peer

Peer IP address of the DS-Lite tunnel to which the connection belongs. Two hyphens (--) indicate that the connection does not belong to a DS-Lite tunnel.

Service

Protocol name and service port number.

For a protocol that is not well known, this field displays unknown(xx), where xx is the protocol number. For ICMP, the protocol number is the decimal value converted from the hexadecimal contents of the type and code fields.

Limit rule ID

ID of the matched rule. The ACL number of the rule is enclosed in parentheses.

Sessions threshold Hi/Lo

Upper and lower connection limits.

Sessions count

Number of current connections.

Sessions limit rate

Maximum number of connections established per second.

New session flag

Whether or not new connections can be created:

·     Permit—New connections can be created.

·     Deny—New connections cannot be created.

NOTE:

When the number of connections reaches the upper limit, this field displays Permit although new connections are not allowed. This field displays Deny only when the number of connections exceeds the upper limit.

 

Related commands

connection-limit apply global ipv6-policy

connection-limit apply ipv6-policy

connection-limit ipv6-policy

limit

display connection-limit statistics

Use display connection-limit statistics to display the connection limit statistics globally or on an interface.

Syntax

Centralized devices in standalone mode:

display connection-limit statistics { global | interface interface-type interface-number }

Distributed devices in standalone mode/centralized devices in IRF mode:

display connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]

Distributed devices in IRF mode:

display connection-limit statistics { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays the global connection limit statistics.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display the global connection limit statistics.

<Sysname> display connection-limit statistics global

Connection limit statistics (Global, slot 0):

    Dropped IPv4 packets:   54781

    Dropped IPv6 packets:   11457

# (Distributed devices in standalone mode.) Display the global connection limit statistics on the card in slot 2.

<Sysname> display connection-limit statistics global slot 2

Connection limit statistics (Global, slot 2):

    Dropped IPv4 packets:   74213

    Dropped IPv6 packets:   58174

# (Centralized devices in IRF mode.) Display the global connection limit statistics on IRF member device 2.

<Sysname> display connection-limit statistics global slot 2

Connection limit statistics (Global, slot 2):

    Dropped IPv4 packets:   74213

    Dropped IPv6 packets:   58174

# (Distributed devices in IRF mode.) Display the connection limit statistics of VLAN-interface 10 of the card in slot 1 on IRF member device 2.

<Sysname> display connection-limit statistics interface vlan-interface 10 chassis 2 slot 1

Connection limit statistics (Vlan-interface10, slot 1 in chassis 2):

    Dropped IPv4 packets:   12345

    Dropped IPv6 packets:   55239 

Table 155 Command output

Field

Description

Dropped IPv4 packets

Number of IPv4 packets that are dropped because the upper connection limit is exceeded when an IPv4 connection limit policy is configured globally or on an interface.

Dropped IPv6 packets

Number of IPv6 packets that are dropped because the upper connection limit is exceeded when an IPv6 connection limit policy is configured globally or on an interface.
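The two drop counters are cumulative, so a monitoring job has to difference consecutive polls and cope with a counter that has gone backwards (for example after a card reboot). The following Python script is an added example, not part of the H3C documentation or the Comware software: it parses the display connection-limit statistics output format shown above, differences two polls, and reports every slot whose drop rate exceeds a threshold. The two poll texts are constructed sample data (a poller would normally concatenate the global and per-interface outputs it collects), and the polling interval and alert threshold are assumed values.

```python
import re
from typing import Dict, List, Tuple

# "Connection limit statistics (Global, slot 0):" or
# "Connection limit statistics (Vlan-interface10, slot 1 in chassis 2):"
HEADER_RE = re.compile(r"^Connection limit statistics \((?P<scope>[^,]+), (?P<loc>[^)]+)\):")
COUNTER_RE = re.compile(r"^\s*Dropped IPv(?P<ver>[46]) packets:\s*(?P<n>\d+)")

Key = Tuple[str, str]                 # (scope, location), e.g. ("Global", "slot 0")
Counters = Dict[Key, Dict[str, int]]  # key -> {"ipv4": n, "ipv6": n}


def parse_drop_counters(text: str) -> Counters:
    """Parse one or more display connection-limit statistics outputs."""
    result: Counters = {}
    key = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            key = (m["scope"], m["loc"])
            result[key] = {"ipv4": 0, "ipv6": 0}
            continue
        m = COUNTER_RE.match(line)
        if m and key is not None:
            result[key]["ipv" + m["ver"]] = int(m["n"])
    return result


def drop_deltas(prev: Counters, cur: Counters) -> Counters:
    """Packets dropped between two polls. The counters are cumulative, so a value
    lower than the previous poll means the counter was reset (for example the card
    rebooted); in that case everything seen since the reset is counted."""
    deltas: Counters = {}
    for key, now in cur.items():
        before = prev.get(key, {"ipv4": 0, "ipv6": 0})
        deltas[key] = {v: (n if n < before[v] else n - before[v]) for v, n in now.items()}
    return deltas


def drop_rate_alerts(prev: Counters, cur: Counters, interval_s: float,
                     threshold_pps: float) -> List[Tuple[Key, str, float]]:
    """(key, IP version, drops per second) for every counter above the threshold."""
    alerts = []
    for key, d in drop_deltas(prev, cur).items():
        for ver, n in d.items():
            rate = n / interval_s
            if rate > threshold_pps:
                alerts.append((key, ver, rate))
    return alerts


# Constructed sample polls (not captured from a device), 60 seconds apart. The
# interface IPv4 counter went down, which the delta logic treats as a reset.
POLL_1 = """\
Connection limit statistics (Global, slot 0):
    Dropped IPv4 packets:   54781
    Dropped IPv6 packets:   11457
Connection limit statistics (Vlan-interface10, slot 1 in chassis 2):
    Dropped IPv4 packets:   12345
    Dropped IPv6 packets:   55239
"""
POLL_2 = """\
Connection limit statistics (Global, slot 0):
    Dropped IPv4 packets:   60781
    Dropped IPv6 packets:   11460
Connection limit statistics (Vlan-interface10, slot 1 in chassis 2):
    Dropped IPv4 packets:   100
    Dropped IPv6 packets:   55300
"""
POLL_INTERVAL_S = 60   # assumed polling interval
ALERT_PPS = 50.0       # assumed alerting threshold

if __name__ == "__main__":
    for key, ver, rate in drop_rate_alerts(parse_drop_counters(POLL_1),
                                           parse_drop_counters(POLL_2),
                                           POLL_INTERVAL_S, ALERT_PPS):
        print(f"{key[0]} ({key[1]}): {ver} drops at {rate:.1f} pps")
```

A sustained drop rate on one slot is the signal that a limit rule is actually biting; which rule and which source or destination is responsible then comes from display connection-limit stat-nodes, not from this counter.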

 

Related commands

connection-limit

connection-limit apply

connection-limit apply global

limit

display connection-limit stat-nodes

Use display connection-limit stat-nodes to display statistics about IPv4 connections that match connection limit rules globally or on an interface.

Syntax

Centralized devices in standalone mode:

display connection-limit stat-nodes { global | interface interface-type interface-number } [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]

display connection-limit stat-nodes { global | interface interface-type interface-number } dslite-peer b4-address [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display connection-limit stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]

display connection-limit stat-nodes { global | interface interface-type interface-number } [ slot slot-number ] dslite-peer b4-address [ count ]

Distributed devices in IRF mode:

display connection-limit stat-nodes { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] [ { deny-new | permit-new } | destination destination-ip | service-port port-number | source source-ip ] * [ count ]

display connection-limit stat-nodes { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ] dslite-peer b4-address [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

global: Displays statistics about IPv4 connections that match connection limit rules globally.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in IRF mode.)

deny-new: Displays limit rule-based statistics sets for which new connections are rejected.

permit-new: Displays limit rule-based statistics sets for which new connections are allowed.

destination destination-ip: Specifies a destination by its IP address.

service-port port-number: Specifies a service port by its port number.

source source-ip: Specifies a source by its IP address.

dslite-peer b4-address: Specifies a B4 device on a DS-Lite tunnel. The b4-address argument specifies the IPv6 address of the B4 device. The following matrix shows the dslite-peer b4-address option and hardware compatibility:

Hardware                                                                  Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

count: Displays only the number of limit rule-based statistics sets. Detailed information about the specified IPv4 connections is not displayed. If you do not specify this keyword, the command displays detailed information about the specified IPv4 connections that match connection limit rules.

Usage guidelines

The statistics for connections that match connection limit rules include the following information:

·     Connection information, including the source/destination IP address, service port, and transport layer protocol of connections.

·     Matching connection limit rules.

·     Number of current connections.

·     Whether or not new connections can be created.

To further filter the output statistics, specify the following parameters in the command:

·     source source-ip.

·     destination destination-ip.

·     service-port port-number.

·     permit-new.

·     deny-new.

For example, if you specify the source source-ip and destination destination-ip combination, this command displays statistics about IPv4 connections that match connection limit rules by source IP address and destination IP address.

If you do not specify any parameters for further filtering, this command displays statistics about all IPv4 connections that match connection limit rules.

Deleting or modifying an IPv4 connection limit policy will not delete the effective IPv4 connection limit rule-based statistics sets. An IPv4 connection limit rule-based statistics set will be automatically deleted after all the IPv4 connections for the set are disconnected.

Examples

# (Centralized devices in standalone mode.) Display statistics about all IPv4 connections that match the connection limit rule on GigabitEthernet 0/1.

<Sysname> display connection-limit stat-nodes interface gigabitethernet 0/1

Slot 2 :

 Src IP address          : 100.100.100.100

     VPN instance        : 0123456789012345678901234567890

 Dst IP address          : 200.200.200.200

     VPN instance        : abcdefghijklmnopqrstuvwxyzabcde

 DS-Lite tunnel peer     : 1234567890

 Service                 : tcp/12345

 Limit rule ID           : 12345(ACL: 3001)

 Sessions threshold Hi/Lo: 1100000/980000

 Sessions count          : 1050000

 Sessions limit rate     : 0

 New session flag        : Permit

# (Centralized devices in standalone mode.) Display statistics about all IPv4 connections that match the connection limit rule on VLAN-interface 2.

<Sysname> display connection-limit stat-nodes interface vlan-interface 2

Slot 0 :

 Src IP address          : 100.100.100.100

     VPN instance        : 0123456789012345678901234567890

 Dst IP address          : 200.200.200.200

     VPN instance        : abcdefghijklmnopqrstuvwxyzabcde

 DS-Lite tunnel peer     : 1234567890

 Service                 : tcp/12345

 Limit rule ID           : 12345(ACL: 3001)

 Sessions threshold Hi/Lo: 1100000/980000

 Sessions count          : 1050000

 Sessions limit rate     : 0

 New session flag        : Permit

# (Distributed devices in standalone mode.) Display statistics about all IPv4 connections that match the connection limit rule on all cards.

<Sysname> display connection-limit stat-nodes global

Slot 0:

There are no specified connection limit statistic nodes.

Slot 1:

There are no specified connection limit statistic nodes.

Slot 2:

 Src IP address          : Any

     VPN instance        : Vpn1

 Dst IP address          : Any

     VPN instance        : --

 DS-Lite tunnel peer     : --

 Service                 : All

 Limit rule ID           : 21(ACL: 2002)

 Sessions threshold Hi/Lo: 2000/1500

 Sessions count          : 1988

 Sessions limit rate     : 0

 New session flag        : Permit

# (Centralized devices in IRF mode.) Display statistics about IPv4 connections that match the connection limit rule on IRF member device 2.

<Sysname> display connection-limit stat-nodes global slot 2

Slot 2:

 Src IP address          : Any

     VPN instance        : Vpn1

 Dst IP address          : 202.113.16.117

     VPN instance        : Vpn2

 DS-Lite tunnel peer     : --

 Service                 : icmp/0

 Limit rule ID           : 7(ACL: 3102)

 Sessions threshold Hi/Lo: 4000/3800

 Sessions count          : 1001

 Sessions limit rate     : 0

 New session flag        : Permit

# (Distributed devices in IRF mode.) Display statistics about IPv4 connections that match the connection limit rule on GigabitEthernet 1/2/0/2.

<Sysname> display connection-limit stat-nodes interface gigabitethernet 1/2/0/2

Slot 2 in chassis 1:

 Src IP address          : Any

     VPN instance        : --

 Dst IP address          : 110.23.1.44

     VPN instance        : --

 DS-Lite tunnel peer     : --

 Service                 : udp/333

 Limit rule ID           : 19(ACL: 3307)

 Sessions threshold Hi/Lo: 10000/9900

 Sessions count          : 1001

 Sessions limit rate     : 0

 New session flag        : Permit

# (Centralized devices in standalone mode.) Display the number of global limit rule-based statistics sets.

<Sysname> display connection-limit stat-nodes global count

Slot 0:

       Current limit statistic nodes count is 5.

# (Distributed devices in standalone mode.) Display the number of limit rule-based statistics sets on VLAN-interface 10 on the card in slot 2.

<Sysname> display connection-limit stat-nodes interface vlan-interface 10 slot 2 count

Slot 2:

       Current limit statistic nodes count is 1.

# (Centralized devices in IRF mode.) Display the number of limit rule-based statistics sets on IRF member device 2 by source IP address 1.1.1.1.

<Sysname> display connection-limit stat-nodes global slot 2 source 1.1.1.1 count

Slot 2:

       Current limit statistic nodes count is 0.

# (Distributed devices in IRF mode.) Display the number of limit rule-based statistics sets of IRF member device 1 on the card in slot 2.

<Sysname> display connection-limit stat-nodes global chassis 1 slot 2 count

Slot 2 in chassis 1:

       Current limit statistic nodes count is 0.

Table 156 Command output

Field

Description

Src IP address

Source IP address.

Dst IP address

Destination IP address.

VPN instance

MPLS L3VPN instance to which the IP address belongs. Two hyphens (--) indicate that the IP address is on the public network.

DS-Lite tunnel peer

Peer IP address of the DS-Lite tunnel. Two hyphens (--) indicate that the connection does not belong to a DS-Lite tunnel.

Service

Protocol name and service port number.

For a protocol that is not well known, this field displays unknown(xx), where xx represents the protocol number. For the ICMP protocol, the displayed number is the decimal value converted from the hexadecimal contents of the type and code fields.

Sessions threshold Hi/Lo

Upper and lower connection limits.

Sessions count

Number of current connections.

Sessions limit rate

Maximum number of connections established per second.

New session flag

Whether or not new connections can be created:

·     Permit—New connections can be created.

·     Deny—New connections cannot be created.

NOTE:

When the number of connections reaches the upper limit, this field displays Permit although new connections are not allowed. This field displays Deny only when the number of connections exceeds the upper limit.

 

Related commands

connection-limit apply global policy

connection-limit apply policy

connection-limit policy

limit

limit

Use limit to configure a connection limit rule.

Use undo limit to remove the specified connection limit rule.

Syntax

In IPv4 connection limit policy view:

limit limit-id acl { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]

limit limit-id acl ipv6 { acl-number | name acl-name } per-dslite-b4 { amount max-amount min-amount | rate rate } * [ description text ]

undo limit limit-id

In IPv6 connection limit policy view:

limit limit-id acl ipv6 { acl-number | name acl-name } [ per-destination | per-service | per-source ] * { amount max-amount min-amount | rate rate } * [ description text ]

undo limit limit-id

Default

No connection limit rules exist.

Views

IPv4 connection limit policy view

IPv6 connection limit policy view

Predefined user roles

network-admin

Parameters

limit-id: Specifies a connection limit rule by its ID. The value range for this argument is 1 to 256.

acl: Specifies the ACL that matches the user range. Only the user connections that match the ACL are limited.

ipv6: Specifies an IPv6 ACL. If you do not specify this keyword, an IPv4 ACL is used.

acl-number: Specifies an ACL by its number in the range of 2000 to 3999.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter. To avoid confusion, do not use all as the ACL name.

per-destination: Limits connections by destination IP address.

per-service: Limits connections by service depending on transport layer protocol and service port.

per-source: Limits connections by source IP address.

per-dslite-b4: Limits connections by the IPv6 address of a B4 device on a DS-Lite tunnel. This keyword is available only in IPv4 connection limit policy view. The following matrix shows the per-dslite-b4 keyword and hardware compatibility:

Hardware | Keyword compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/MSR810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes


amount: Limits the number of connections.

max-amount: Specifies the upper connection limit in the range of 1 to 4294967294. When user connections in a range or of a type exceed the upper connection limit, new connections cannot be created. As a best practice, set the upper connection limit to a value greater than 32 to make sure the device can function correctly.

min-amount: Specifies the lower connection limit in the range of 1 to 4294967294. The lower connection limit cannot be greater than the upper connection limit. New connections cannot be created until the connection number goes below the lower connection limit.

rate: Limits the connection establishment rate.

rate: Specifies the maximum number of connections established per second. The value range is 5 to 10000000.

description text: Specifies a description for the connection limit rule, a case-sensitive string of 1 to 127 characters. By default, a connection limit rule does not have a description.

Usage guidelines

Each connection limit policy can define multiple rules. Each rule must specify the ACL to use, the rule type, and at least one of the upper/lower connection limit and the connection establishment rate limit. In one rule, you can specify one or more of the per-destination, per-source, and per-service keywords, but you cannot specify the per-dslite-b4 keyword together with any other keyword. For example, if you specify both per-destination and per-source, connections are limited by source IP address and destination IP address together: connections with the same source IP address and destination IP address belong to the same type.

When you configure a connection limit rule, follow these guidelines:

·     Different rules in the same connection limit policy must use different ACLs.

·     If you specify none of the per-destination, per-source, and per-service keywords, all connections that match the specified ACL are limited by the specified value.

·     When the connections established on a device are matched against a connection limit policy, the limit rules in the policy are matched in ascending order of rule ID.

·     When the specified ACL changes, the connections that have been established are limited by the new connection limit policy.

·     A rule that has the per-dslite-b4 keyword limits IPv4 connections of the DS-Lite tunnel B4 device that matches the specified IPv6 ACL in the rule. On a DS-Lite tunnel network, if the AFTR device uses the Endpoint-Independent Mapping-based NAT configuration, you must limit connections initiated from external IPv4 networks to the internal IPv4 network. To implement B4 device-based connection limits, perform the following tasks:

¡     Add a rule that has the per-dslite-b4 keyword to a connection limit policy.

¡     Apply the policy globally or on the DS-Lite tunnel interface.
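The amount and rate semantics above (upper limit, lower limit, per-second rate, and the per-source/per-destination/per-service grouping into statistics nodes) are easier to reason about as a small state machine. The following Python model is an added illustration and not H3C software; the exact boundary behaviour is an assumption (a new connection is refused once a node's count has reached max-amount, and admission resumes only after the count falls below min-amount), and the connection tuples are constructed sample data.

```python
"""Constructed model of a connection limit rule's admission logic.

Added illustration, not H3C software. It models the max-amount /
min-amount hysteresis and the per-second rate limit, keyed by the
per-source / per-destination / per-service selection. Boundary
behaviour is an assumption: a new connection is refused once the
node's count has reached max-amount, and admission resumes only after
the count falls below min-amount.
"""
from collections import defaultdict
from typing import Dict, Optional, Tuple

Key = Tuple[object, object, object]


class LimitRule:
    def __init__(self, limit_id: int, *, per_source: bool = False,
                 per_destination: bool = False, per_service: bool = False,
                 max_amount: Optional[int] = None, min_amount: Optional[int] = None,
                 rate: Optional[int] = None) -> None:
        if max_amount is not None and (min_amount is None or min_amount > max_amount):
            raise ValueError("min-amount is required and must not exceed max-amount")
        self.limit_id = limit_id
        self.per_source, self.per_destination, self.per_service = per_source, per_destination, per_service
        self.max_amount, self.min_amount, self.rate = max_amount, min_amount, rate
        # One statistics node per key, as shown by 'display connection-limit stat-nodes'.
        self.count: Dict[Key, int] = defaultdict(int)
        self.blocked: Dict[Key, bool] = defaultdict(bool)
        self.window: Dict[Key, Tuple[int, int]] = {}  # key -> (second, accepted in that second)

    def node_key(self, src: str, dst: str, proto: str, dport: int) -> Key:
        """Connections sharing every selected field belong to one statistics node.
        With no per-* keyword, every connection matching the ACL lands in a single node."""
        return (src if self.per_source else "Any",
                dst if self.per_destination else "Any",
                (proto, dport) if self.per_service else "All")

    def new_session(self, src: str, dst: str, proto: str, dport: int, now: float) -> str:
        """Return 'permit', 'deny:amount' or 'deny:rate' for an attempt at time `now` (seconds)."""
        key = self.node_key(src, dst, proto, dport)
        if self.max_amount is not None:
            if self.blocked[key]:
                return "deny:amount"
            if self.count[key] >= self.max_amount:
                self.blocked[key] = True          # stays set until count < min_amount
                return "deny:amount"
        if self.rate is not None:
            sec = int(now)
            win_sec, accepted = self.window.get(key, (sec, 0))
            if win_sec != sec:                     # a new one-second window starts
                win_sec, accepted = sec, 0
            if accepted >= self.rate:
                self.window[key] = (win_sec, accepted)
                return "deny:rate"
            self.window[key] = (win_sec, accepted + 1)
        self.count[key] += 1
        return "permit"

    def close_session(self, src: str, dst: str, proto: str, dport: int) -> None:
        """A connection ended; lift the block once the count drops below min-amount."""
        key = self.node_key(src, dst, proto, dport)
        if self.count[key] > 0:
            self.count[key] -= 1
        if self.blocked[key] and self.count[key] < self.min_amount:
            self.blocked[key] = False


def demo() -> list:
    """Walk one source through the hysteresis: three permits, denies, then recovery."""
    rule = LimitRule(1, per_source=True, max_amount=3, min_amount=1)
    conn = ("192.168.0.5", "10.0.0.1", "tcp", 443)   # constructed sample connection
    results = [rule.new_session(*conn, now=0.0) for _ in range(4)]
    for _ in range(2):
        rule.close_session(*conn)   # count 3 -> 1, still blocked (1 is not below min-amount 1)
    results.append(rule.new_session(*conn, now=0.5))
    rule.close_session(*conn)       # count 0 < min-amount 1, block lifted
    results.append(rule.new_session(*conn, now=1.0))
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows why a lower limit well below the upper limit matters operationally: once a node is blocked, a single closed connection does not reopen it, so a source that sits just under max-amount does not flap between Permit and Deny on every connection.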

Examples

# Configure connection limit rule 1 for IPv4 connection limit policy 1:

1.     Configure ACL 3000.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule permit ip source 192.168.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

2.     Limit connections that match ACL 3000 by the source and destination IP addresses, with the upper limit 2000, lower limit 1800, and establishment rate 10 per second.

[Sysname] connection-limit policy 1

[Sysname-connlmt-policy-1] limit 1 acl 3000 per-destination per-source amount 2000 1800 rate 10

3.     Verify that when the connection number exceeds 2000, new connections cannot be established until the connection number goes below 1800. (Details not shown.)

# Configure connection limit rule 2 for IPv6 connection limit policy 12:

1.     Configure ACL 2001.

<Sysname> system-view

[Sysname] acl ipv6 basic 2001

[Sysname-acl-ipv6-basic-2001] rule permit source 2:1::/96

[Sysname-acl-ipv6-basic-2001] quit

2.     Limit connections that match ACL 2001 by destination IP address, with the upper limit 200, lower limit 100, and establishment rate 10 per second.

[Sysname] connection-limit ipv6-policy 12

[Sysname-connlmt-ipv6-policy-12] limit 2 acl ipv6 2001 per-destination amount 200 100 rate 10

3.     Verify that when the connection number exceeds 200, new connections cannot be established until the connection number goes below 100. (Details not shown.)

Related commands

connection-limit

display connection-limit

reset connection-limit statistics

Use reset connection-limit statistics to clear the connection limit statistics globally or on an interface.

Syntax

Centralized devices in standalone mode:

reset connection-limit statistics { global | interface interface-type interface-number }

Distributed devices in standalone mode/centralized devices in IRF mode:

reset connection-limit statistics { global | interface interface-type interface-number } [ slot slot-number ]

Distributed devices in IRF mode:

reset connection-limit statistics { global | interface interface-type interface-number } [ chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

network-operator

Parameters

global: Clears the global connection limit statistics.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. The slot-number argument represents the ID of the IRF member device. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Clear the connection limit statistics on GigabitEthernet 0/1.

<Sysname> reset connection-limit statistics interface gigabitethernet 0/1

# (Centralized devices in standalone mode.) Clear the connection limit statistics on VLAN-interface 2.

<Sysname> reset connection-limit statistics interface vlan-interface 2

# (Distributed devices in standalone mode.) Clear the global connection limit statistics on the card in slot 2.

<Sysname> reset connection-limit statistics global slot 2

# (Centralized devices in IRF mode.) Clear the global connection limit statistics on IRF member device 2.

<Sysname> reset connection-limit statistics global slot 2

# (Distributed devices in IRF mode.) Clear the global connection limit statistics of the card in slot 2 on IRF member device 1.

<Sysname> reset connection-limit statistics global chassis 1 slot 2

Related commands

display connection-limit statistics


Object group commands

The following matrix shows the feature and hardware compatibility:

Hardware | Object group compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR810-LMS/810-LUS | No
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | Yes


description

Use description to configure a description for an object group.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for an object group.

Views

Object group view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Examples

# Configure the description as This is an IPv4 object-group for an IPv4 address object group.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] description This is an IPv4 object-group

display object-group

Use display object-group to display information about object groups.

Syntax

display object-group [ { { ip | ipv6 } address | service | port } [ default ] [ name object-group-name ] | name object-group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip address: Specifies the IPv4 address object groups.

ipv6 address: Specifies the IPv6 address object groups.

port: Specifies the port object groups.

service: Specifies the service object groups.

default: Specifies the default object groups.

name object-group-name: Specifies an object group by its name, a case-insensitive string of 1 to 31 characters.

Examples

# Display information about all object groups.

<Sysname> display object-group

IP address object group obj1: 0 object(in use)

 

IP address object group obj2: 5 objects(out of use)

0 network host address 1.1.1.1

10 network host name host

20 network subnet 1.1.1.1 255.255.255.0

30 network range 1.1.1.1 1.1.1.2

40 network group-object obj1

 

IPv6 address object-group obj3: 0 object(in use)

 

IPv6 address object-group obj4: 5 objects(out of use)

0 network host address 1::1:1

10 network host name host

20 network subnet 1::1:0 112

30 network range 1::1:1 1::1:2

40 network group-object obj3

 

Port object-group obj7: 0 object(in use)

 

Port object-group obj8: 3 objects(out of use)

0 port lt 20

10 port range 20 30

20 port group-object obj7

 

Service object-group obj5: 0 object(in use)

 

Service object-group obj6: 6 objects(out of use)

0 service 200

10 service tcp source lt 50 destination range 30 40

20 service udp source range 30 40 destination gt 30

30 service icmp 20 20

40 service icmpv6 20 20

50 service group-object obj5

# Display information about object group obj2.

<Sysname> display object-group name obj2

IP address object-group obj2: 5 objects(out of use)

0 network host address 1.1.1.1

10 network host name host

20 network subnet 1.1.1.1 255.255.255.0

30 network range 1.1.1.1 1.1.1.2

40 network group-object obj1

# Display information about all IPv4 address object groups.

<Sysname> display object-group ip address

IP address object-group obj1: 0 object(in use)

 

IP address object-group obj2: 5 objects(out of use)

0 network host address 1.1.1.1

10 network host name host

20 network subnet 1.1.1.1 255.255.255.0

30 network range 1.1.1.1 1.1.1.2

40 network group-object obj1

# Display information about IPv6 address object group obj4.

<Sysname> display object-group ipv6 address name obj4

IPv6 address object-group obj4: 5 objects(out of use)

0 network host address 1::1:1

10 network host name host

20 network subnet 1::1:0 112

30 network range 1::1:1 1::1:2

40 network group-object obj3

Table 157 Command output

Field

Description

in use

The object group is used by an ACL or object group.

out of use

The object group is not used.

 

network (IPv4 address object group view)

Use network to configure an IPv4 address object.

Use undo network to delete an IPv4 address object.

Syntax

[ object-id ] network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask } | range ip-address1 ip-address2 | group-object object-group-name }

undo network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask } | range ip-address1 ip-address2 | group-object object-group-name }

undo object-id

Default

No IPv4 address objects exist.

Views

IPv4 address object group view

Predefined user roles

network-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.

host: Configures an IPv4 address object with the host address or name.

address ip-address: Specifies an IPv4 host address.

name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters.

subnet ip-address { mask-length | mask }: Configures an IPv4 address object with the subnet address followed by a mask length in the range of 0 to 32 or a mask in dotted decimal notation.

range ip-address1 ip-address2: Configures an IPv4 address object with the address range.

group-object object-group-name: Specifies an IPv4 address object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command fails if you use it to configure or change an IPv4 address object to be identical with an existing object.

This command creates an IPv4 address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

If you configure a subnet with the mask length of 32 or the mask of 255.255.255.255, the system configures the object with a host address.

When you use the range ip-address1 ip-address2 option, follow these guidelines:

·     If ip-address1 is equal to ip-address2, the system configures the object with a host address.

·     If ip-address1 is not equal to ip-address2, the system compares the two IPv4 addresses, configures a range starting with the lower IPv4 address, and performs the following operations:

¡     Configures the object with an address range if the two addresses are in different subnets.

¡     Configures the object with a subnet address if the two addresses are in the same subnet.

When you use the group-object object-group-name option, follow these guidelines:

·     The object group to be used must be an IPv4 address object group.

·     If the specified object group does not exist, the system creates an IPv4 address object group with the name you specified and uses the object group for the object.

·     Two object groups cannot use each other at the same time.

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.

Examples

# Configure an IPv4 address object with the host address of 192.168.0.1.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network host address 192.168.0.1

# Configure an IPv4 address object with the host name of pc3.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network host name pc3

# Configure an IPv4 address object with the IPv4 address of 192.167.0.0 and mask length of 24.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network subnet 192.167.0.0 24

# Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255.255.0.0.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network subnet 192.166.0.0 255.255.0.0

# Configure an IPv4 address object with the address range of 192.165.0.100 to 192.165.0.200.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network range 192.165.0.100 192.165.0.200

# Configure an IPv4 address object using object group ipgroup2.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] network group-object ipgroup2

network (IPv6 address object group view)

Use network to configure an IPv6 address object.

Use undo network to delete an IPv6 address object.

Syntax

[ object-id ] network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name }

undo network { host { address ipv6-address | name host-name } | subnet ipv6-address prefix-length | range ipv6-address1 ipv6-address2 | group-object object-group-name }

undo object-id

Default

No IPv6 address objects exist.

Views

IPv6 address object group view

Predefined user roles

network-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.

host: Configures an IPv6 address object with the host address or name.

address ipv6-address: Specifies an IPv6 host address.

name host-name: Specifies a host name, a case-insensitive string of 1 to 60 characters.

subnet ipv6-address prefix-length: Configures an IPv6 address object with the subnet address followed by the prefix length in the range of 1 to 128.

range ipv6-address1 ipv6-address2: Configures an IPv6 address object with the address range.

group-object object-group-name: Specifies an IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command fails if you use it to configure or change an IPv6 address object to be identical with an existing object.

This command creates an IPv6 address object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

If you configure a subnet address with the prefix length of 128, the system configures the object with a host address.

When you use the range ipv6-address1 ipv6-address2 option, follow these guidelines:

·     If ipv6-address1 is equal to ipv6-address2, the system configures the object with a host address.

·     If ipv6-address1 is not equal to ipv6-address2, the system compares the two IPv6 addresses, configures a range starting with the lower IPv6 address, and performs the following operations:

¡     Configures the object with an address range if the two addresses are in different subnets.

¡     Configures the object with a subnet address if the two addresses are in the same subnet.

When you use the group-object object-group-name option, follow these guidelines:

·     The object group to be used must be an IPv6 address object group.

·     If the specified object group does not exist, the system creates an IPv6 address object group with the name you specified and uses the object group for the object.

·     Two object groups cannot use each other at the same time.

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.

Examples

# Configure an IPv6 address object with the host address of 1::1.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network host address 1::1

# Configure an IPv6 address object with the host name of pc3.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network host name pc3

# Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network subnet 1:1:1::1 24

# Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network range 1:1:1::1 1:1:1::100

# Configure an IPv6 address object using object group ipv6group2.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] network group-object ipv6group2

network exclude

Use network exclude to exclude an IPv4 or IPv6 address from an address object.

Use undo network exclude to restore the default.

Syntax

object-id network exclude ipv4-address/ipv6-address

undo object-id network exclude ipv4-address/ipv6-address

Default

No IPv4 or IPv6 address in an address object is excluded.

Views

IPv4 address object group view

IPv6 address object group view

Predefined user roles

network-admin

Parameters

object-id: Specifies an address object by its ID in the range of 1 to 4294967294. The specified address object must have been created.

ipv4-address/ipv6-address: Specifies the IPv4 or IPv6 address to be excluded.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware | Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK | Yes
MSR2600-6-X1/2600-10-X1 | Yes
MSR 2630 | Yes
MSR3600-28/3600-51 | Yes
MSR3600-28-SI/3600-51-SI | No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC | Yes
MSR 3610/3620/3620-DP/3640/3660 | Yes
MSR5620/5660/5680 | No


You can execute this command multiple times to exclude multiple IPv4 or IPv6 addresses from an address object.

Examples

# Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255.255.0.0, and exclude IPv4 address 192.166.0.10 from the address object.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

[Sysname-obj-grp-ip-ipgroup] 10 network subnet 192.166.0.0 255.255.0.0

[Sysname-obj-grp-ip-ipgroup] 10 network exclude 192.166.0.10

# Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24, and exclude IPv6 address 1:1:1::10 from the address object.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

[Sysname-obj-grp-ipv6-ipv6group] 10 network subnet 1:1:1::1 24

[Sysname-obj-grp-ipv6-ipv6group] 10 network exclude 1:1:1::10

object-group

Use object-group to configure an object group and enter its view, or enter the view of an existing object group.

Use undo object-group to delete an object group.

Syntax

object-group { { ip | ipv6 } address | port | service } object-group-name

undo object-group { { ip | ipv6 } address | port | service } object-group-name

Default

Default object groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

ip address: Configures an IPv4 address object group.

ipv6 address: Configures an IPv6 address object group.

port: Configures a port object group.

service: Configures a service object group.

object-group-name: Specifies a globally unique object group name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The object-group command execution results vary with the specified object group.

·     If the specified group does not exist, the system creates a new object group and enters the object group view.

·     If the specified group exists but the group type is different from that in the command, the command fails.

The undo object-group command execution results vary with the specified object group.

·     If the specified group does not exist, the system executes the command without any system prompt.

·     If the specified group exists and the group type is the same as that in the command, the system deletes the group.

·     If the specified group exists but the group type is different from that in the command, the command fails.

·     If the specified object group is being used by an ACL, object policy, or object group, the command fails.

Default object groups cannot be deleted.

Examples

# Configure an IPv4 address object group named ipgroup.

<Sysname> system-view

[Sysname] object-group ip address ipgroup

# Configure an IPv6 address object group named ipv6group.

<Sysname> system-view

[Sysname] object-group ipv6 address ipv6group

# Configure a port object group named portgroup.

<Sysname> system-view

[Sysname] object-group port portgroup

# Configure a service object group named servicegroup.

<Sysname> system-view

[Sysname] object-group service servicegroup

object-group rename

Use object-group rename to rename an object group.

Syntax

object-group rename old-object-group-name new-object-group-name

Views

System view

Predefined user roles

network-admin

Parameters

old-object-group-name: Specifies the name of the object group to be renamed, a case-insensitive string of 1 to 31 characters.

new-object-group-name: Specifies a new name for the object group, a case-insensitive string of 1 to 31 characters. The object group name must be globally unique.

Usage guidelines

You can only rename non-default object groups.

Examples

# Rename object group ipgroup1 to ipgroup2.

<Sysname> system-view

[Sysname] object-group rename ipgroup1 ipgroup2

Related commands

object-group

port (port object group view)

Use port to configure a port object.

Use undo port to delete a port object.

Syntax

[ object-id ] port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name }

undo port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name }

undo object-id

Default

No port objects exist.

Views

Port object group view

Predefined user roles

network-admin

Parameters

object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not specify an object ID, the system automatically assigns the object the next multiple of 10 greater than the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.

eq: Configures a port object with a port number equal to the specified port.

lt: Configures a port object with a port number smaller than the specified port.

gt: Configures a port object with a port number greater than the specified port.

port: Specifies a port number in the range of 0 to 65535.

range port1 port2: Configures a port object with a port range. The value range for the port1 and port2 arguments is 0 to 65535.

group-object object-group-name: Specifies a port object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command fails if you use it to configure or change a port object to be identical with an existing object.

This command creates a port object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

When you use the lt port option, follow these guidelines:

·     The value of port cannot be 0.

·     If the value of port is 1, the system configures the object with a port number of 0.

·     If the value of port is in the range of 2 to 65535, the system configures the object with a port number range of [0, port–1].

When you use the gt port option, follow these guidelines:

·     The value of port cannot be 65535.

·     If the value of port is 65534, the system configures the object with a port number of 65535.

·     If the value of port is in the range of 0 to 65533, the system configures the object with a port number range of [port+1, 65535].

When you use the range port1 port2 option, follow these guidelines:

·     If port1 is equal to port2, the system configures the object with the port number port1.

·     If port1 is smaller than port2, the system configures the object with the port number range.

·     If port1 is greater than port2, the system changes the range to [port2, port1] and configures the object with the changed port number range.

·     If port1 is 0, the range is displayed as lt port2+1.

·     If port2 is 65535, the range is displayed as gt port1–1.
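The lt, gt, and range guidelines above amount to a small normalisation table with several edge cases (lt 1, gt 65534, reversed bounds, ranges touching 0 or 65535). The following Python model is an added illustration and not H3C code; the function and type names are invented for the example, and the display of a range that both starts at 0 and ends at 65535 is not specified on the page, so that case is kept as a plain range (an assumption).

```python
"""Constructed model of how a port object is normalised and displayed.

Added illustration, not H3C code. It follows the lt / gt / range
guidelines for port objects; the display rule for a range that is both
0-based and ends at 65535 is not stated on the page, so that case is
kept as a plain range (an assumption).
"""
from typing import Optional, Tuple

PortObject = Tuple[str, int, int]   # ("eq", p, p) or ("range", low, high)


def _check(port: int) -> None:
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0-65535")


def normalize_port_object(op: str, port: int, port2: Optional[int] = None) -> PortObject:
    """Turn 'eq/lt/gt port' or 'range port1 port2' into a single port or a [low, high] range."""
    _check(port)
    if op == "eq":
        return ("eq", port, port)
    if op == "lt":
        if port == 0:
            raise ValueError("lt 0 is rejected: no port is smaller than 0")
        if port == 1:
            return ("eq", 0, 0)                 # the only port below 1
        return ("range", 0, port - 1)
    if op == "gt":
        if port == 65535:
            raise ValueError("gt 65535 is rejected: no port is greater than 65535")
        if port == 65534:
            return ("eq", 65535, 65535)         # the only port above 65534
        return ("range", port + 1, 65535)
    if op == "range":
        if port2 is None:
            raise ValueError("range needs two ports")
        _check(port2)
        low, high = sorted((port, port2))       # reversed bounds are swapped
        if low == high:
            return ("eq", low, low)
        return ("range", low, high)
    raise ValueError(f"unknown operator {op!r}")


def display_port_object(obj: PortObject) -> str:
    """Render the object the way the reference says it is displayed."""
    kind, low, high = obj
    if kind == "eq":
        return f"port eq {low}"
    if low == 0 and high < 65535:
        return f"port lt {high + 1}"            # a range starting at 0 shows as lt
    if high == 65535 and low > 0:
        return f"port gt {low - 1}"             # a range ending at 65535 shows as gt
    return f"port range {low} {high}"


def port_matches(obj: PortObject, port: int) -> bool:
    """True if a packet's port falls inside the object (what a rule using the group tests)."""
    return obj[1] <= port <= obj[2]
```

Note that the canonical form is what matters for matching: `port lt 20` and `port range 0 19` are the same object, which is also why configuring both in one group fails as a duplicate.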

When you use the group-object object-group-name option, follow these guidelines:

·     The object group to be used must be a port object group.

·     If the specified object group does not exist, the system creates a port object group with the name you specified and uses the object group for the object.

·     Two object groups cannot use each other at the same time.

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.

Examples

# Configure a port object with a port number of 100.

<Sysname> system-view

[Sysname] object-group port portgroup

[Sysname-obj-grp-port-portgroup] port eq 100

# Configure a port object with a port number smaller than 20.

<Sysname> system-view

[Sysname] object-group port portgroup

[Sysname-obj-grp-port-portgroup] port lt 20

# Configure a port object with a port number greater than 60000.

<Sysname> system-view

[Sysname] object-group port portgroup

[Sysname-obj-grp-port-portgroup] port gt 60000

# Configure a port object with a port number in the range of 1000 to 2000.

<Sysname> system-view

[Sysname] object-group port portgroup

[Sysname-obj-grp-port-portgroup] port range 1000 2000

# Configure a port object using object group portgroup2.

<Sysname> system-view

[Sysname] object-group port portgroup

[Sysname-obj-grp-port-portgroup] port group-object portgroup2

security-zone

Use security-zone to specify a security zone for an IP address object group.

Use undo security-zone to restore the default.

Syntax

security-zone security-zone-name

undo security-zone

Default

No security zone is specified for an IP address object group.

Views

IPv4 address object group view

IPv6 address object group view

Predefined user roles

network-admin

Parameters

security-zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. The string cannot contain hyphens (-) or percent signs (%) and cannot be any.

Usage guidelines

You can specify only one security zone for an IP address object group. If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the security zone for IPv4 address object group 1 as Local.

<Sysname> system-view

[Sysname] object-group ip address 1

[Sysname-obj-grp-ip-1] security-zone Local

Related commands

object-group { ipv4 | ipv6 }

service (service object group view)

Use service to configure a service object.

Use undo service to delete a service object.

Syntax

[ object-id ] service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name }

undo service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name }

undo object-id

Default

No service objects exist.

Views

Service object group view

Predefined user roles

network-admin

Parameters

object-id: Configures an object ID in the range of 0 to 4294967294. If you do not configure an ID for the object, the system automatically assigns the object a multiple of 10 next to the greatest ID being used. For example, if the greatest ID is 22, the automatically assigned ID is 30.

protocol: Configures the protocol number in the range of 0 to 255, or the protocol name such as TCP, UDP, ICMP, and ICMPv6.

source: Configures a service object with a source port when the protocol is TCP or UDP.

destination: Configures a service object with a destination port when the protocol is TCP or UDP.

eq: Configures a port equal to the specified port.

lt: Configures a port smaller than the specified port.

gt: Configures a port greater than the specified port.

port: Specifies a port number in the range of 0 to 65535.

range port1 port2: Configures a service object with a port range. The value range for the port1 and port2 arguments is 0 to 65535.

icmp-type: Configures the ICMP message type in the range of 0 to 255.

icmp-code: Configures the ICMP message code in the range of 0 to 255.

icmpv6-type: Configures the ICMPv6 message type in the range of 0 to 255.

icmpv6-code: Configures the ICMPv6 message code in the range of 0 to 255.

group-object object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

This command fails if you use it to configure or change a service object to be identical with an existing object.

This command creates a service object if the specified object ID does not exist. Otherwise, the command overwrites the configuration of the specified object.

When you use the lt port option, follow these guidelines:

·     The value of port cannot be 0.

·     If the value of port is 1, the system configures the object with a port number of 0.

·     If the value of port is in the range of 2 to 65535, the system configures the object with a port number range of [0, port–1].

When you use the gt port option, follow these guidelines:

·     The value of port cannot be 65535.

·     If the value of port is 65534, the system configures the object with a port number of 65535.

·     If the value of port is in the range of 0 to 65533, the system configures the object with a port number range of [port+1, 65535].

When you use the range port1 port2 option, follow these guidelines:

·     If port1 is equal to port2, the system configures the object with the port number port1.

·     If port1 is smaller than port2, the system configures the object with the port number range.

·     If port1 is greater than port2, the system changes the range to [port2, port1] and configures the object with the changed port number range.

·     If port1 is 0, the range is displayed as lt port2+1.

·     If port2 is 65535, the range is displayed as gt port1–1.
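The lt, gt and range rules above (stated identically for the port command and for this service command) as an added Python model; this is constructed example code, not H3C's. The auto-ID start value of 0 for an empty group and the display of the full 0-65535 range are assumptions the reference does not cover.

```python
"""Constructed model of how Comware port/service objects store and display port
criteria; example code, not H3C's. It implements the lt/gt/range rules from the
usage guidelines so the stored range and the displayed form can be checked."""
from typing import Dict, List, Optional, Tuple

PORT_MIN, PORT_MAX = 0, 65535


def _check_port(value: int) -> None:
    if not PORT_MIN <= value <= PORT_MAX:
        raise ValueError(f"port {value} is outside {PORT_MIN}..{PORT_MAX}")


def normalize_port_spec(op: str, port1: int, port2: Optional[int] = None) -> Tuple[int, int]:
    """Return the inclusive [low, high] range the device stores for one criterion.

    lt 0 and gt 65535 are rejected (no port lies below 0 or above 65535),
    lt 1 becomes port 0, gt 65534 becomes port 65535, a reversed range is swapped.
    """
    _check_port(port1)
    if op == "eq":
        return port1, port1
    if op == "lt":
        if port1 == PORT_MIN:
            raise ValueError("lt 0 is not allowed")
        return PORT_MIN, port1 - 1              # lt 1 -> [0, 0], lt 20 -> [0, 19]
    if op == "gt":
        if port1 == PORT_MAX:
            raise ValueError("gt 65535 is not allowed")
        return port1 + 1, PORT_MAX              # gt 65534 -> [65535, 65535]
    if op == "range":
        if port2 is None:
            raise ValueError("range needs port1 and port2")
        _check_port(port2)
        return min(port1, port2), max(port1, port2)   # range 2000 1000 -> [1000, 2000]
    raise ValueError(f"unknown operator {op!r}")


def display_port_spec(lo: int, hi: int) -> str:
    """Render a stored range the way the reference says the device displays it."""
    if lo == hi:
        return f"eq {lo}"                       # range 5 5 -> eq 5
    if lo == PORT_MIN and hi == PORT_MAX:
        # Assumption: the full range keeps the range form, because lt 65536
        # and gt -1 are not valid port values and the reference gives no rule.
        return f"range {lo} {hi}"
    if lo == PORT_MIN:
        return f"lt {hi + 1}"                   # range 0 100 -> lt 101
    if hi == PORT_MAX:
        return f"gt {lo - 1}"                   # range 1000 65535 -> gt 999
    return f"range {lo} {hi}"


class PortObjectGroup:
    """Stand-in for one port object group: auto IDs, overwrite, duplicate rejection."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.objects: Dict[int, Tuple[int, int]] = {}

    def next_auto_id(self) -> int:
        # Reference: the auto ID is the multiple of 10 after the greatest ID in
        # use (greatest 22 -> 30). Assumption: an empty group starts at 0.
        if not self.objects:
            return 0
        return (max(self.objects) // 10 + 1) * 10

    def port(self, op: str, port1: int, port2: Optional[int] = None,
             object_id: Optional[int] = None) -> int:
        """Apply one `[object-id] port ...` command; returns the object ID used."""
        rng = normalize_port_spec(op, port1, port2)
        oid = self.next_auto_id() if object_id is None else object_id
        # The command fails if the result is identical to another existing object.
        for other_id, other in self.objects.items():
            if other == rng and other_id != oid:
                raise ValueError(f"object {other_id} already is 'port {display_port_spec(*rng)}'")
        self.objects[oid] = rng                 # creates the object, or overwrites that ID
        return oid

    def matches(self, port: int) -> bool:
        """True if any object in the group covers the port."""
        return any(lo <= port <= hi for lo, hi in self.objects.values())

    def show(self) -> List[str]:
        """Lines as a display command would list them (constructed format)."""
        return [f" {oid} port {display_port_spec(lo, hi)}"
                for oid, (lo, hi) in sorted(self.objects.items())]
```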

When you use the group-object object-group-name option, follow these guidelines:

·     The object group to be used must be a service object group.

·     If the specified object group does not exist, the system creates a service object group with the name you specified and uses the object group for the object.

·     Two object groups cannot use each other at the same time.

·     The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group.
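The group-object nesting rules stated for both port and service object groups (auto-creation of a missing group, no mutual use, at most five hierarchy layers), as an added Python model; constructed example code, not H3C's. Members are plain strings, and rejecting indirect cycles as well as direct mutual use is an assumption.

```python
"""Constructed model of Comware object-group nesting (group-object); not H3C code.
Groups are kept as name -> (members, child groups) so the same code serves port
and service object groups. Members are plain strings for illustration."""
from typing import Dict, List, Set

MAX_LAYERS = 5


class ObjectGroupRegistry:
    def __init__(self) -> None:
        self.members: Dict[str, List[str]] = {}
        self.children: Dict[str, Set[str]] = {}

    def ensure(self, name: str) -> None:
        """Create an empty group if it does not exist (the device auto-creates it)."""
        self.members.setdefault(name, [])
        self.children.setdefault(name, set())

    def add_member(self, group: str, member: str) -> None:
        self.ensure(group)
        self.members[group].append(member)

    def _reaches(self, start: str, target: str) -> bool:
        """True if `target` is used, directly or indirectly, by `start`."""
        stack, seen = [start], set()
        while stack:
            cur = stack.pop()
            if cur == target:
                return True
            if cur not in seen:
                seen.add(cur)
                stack.extend(self.children.get(cur, ()))
        return False

    def _layers_above(self, name: str) -> int:
        """Length of the longest chain of groups ending in `name` (name included)."""
        parents = [p for p, kids in self.children.items() if name in kids]
        return 1 + max((self._layers_above(p) for p in parents), default=0)

    def _layers_below(self, name: str) -> int:
        """Length of the longest chain of groups starting at `name` (name included)."""
        return 1 + max((self._layers_below(c) for c in self.children[name]), default=0)

    def add_group_object(self, parent: str, child: str) -> None:
        """Apply `group-object <child>` in the view of `parent`, enforcing the rules."""
        self.ensure(parent)
        self.ensure(child)
        if parent == child or self._reaches(child, parent):
            # The reference forbids two groups using each other; rejecting
            # any cycle (assumption) keeps the hierarchy finite.
            raise ValueError(f"{parent} and {child} would use each other")
        layers = self._layers_above(parent) + self._layers_below(child)
        if layers > MAX_LAYERS:
            raise ValueError(f"{layers} layers would exceed the {MAX_LAYERS}-layer limit")
        self.children[parent].add(child)

    def flatten(self, name: str) -> Set[str]:
        """Effective members of a group, following nested groups; empty means match nothing."""
        self.ensure(name)
        result = set(self.members[name])
        for child in self.children[name]:
            result |= self.flatten(child)
        return result
```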

Examples

# Configure a service object with a protocol number of 100.

<Sysname> system-view

[Sysname] object-group service servicegroup

[Sysname-obj-grp-service-servicegroup] service 100

# Configure a service object with the source and destination port numbers for the TCP service.

<Sysname> system-view

[Sysname] object-group service servicegroup

[Sysname-obj-grp-service-servicegroup] service tcp source eq 100 destination range 10 100

# Configure a service object with the message type and code for the ICMP service.

<Sysname> system-view

[Sysname] object-group service servicegroup

[Sysname-obj-grp-service-servicegroup] service icmp 100 150

# Configure a service object using object group servicegroup2.

<Sysname> system-view

[Sysname] object-group service servicegroup

[Sysname-obj-grp-service-servicegroup] service group-object servicegroup2


Object policy commands

The following matrix shows the feature and hardware compatibility:

Hardware                                                                 Object group compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR810-LMS/810-LUS                                                       No
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes


Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

accelerate

Use accelerate to enable rule matching acceleration for an object policy.

Use undo accelerate to disable rule matching acceleration for an object policy.

Syntax

accelerate

undo accelerate

Default

Rule matching acceleration is disabled for an object policy.

Views

Object policy view

Predefined user roles

network-admin

Usage guidelines

Insufficient hardware resources cause acceleration failures. When the system has sufficient hardware resources, acceleration can take effect again under either of the following conditions:

·     You change or add rules for the policy.

·     You use this command to enable rule matching acceleration again.

After you enable rule matching acceleration, the following situations might occur:

·     Acceleration fails, and the matching process runs without acceleration.

·     Acceleration succeeds, and the matching process is accelerated. In this scenario, if you change or add a rule that causes resource insufficiency, the rule does not take effect.

Make sure the IP address object group specified for an object policy rule is not configured with excluded IP addresses or a wildcard mask. If an excluded IP address or wildcard mask is configured, rule matching acceleration fails for the object policy.

If an IP address object group specified for an object policy rule uses a user or user group, rule matching acceleration for the rule fails.

Examples

# Disable rule matching acceleration for IPv4 object policy op.

<Sysname> system-view

[Sysname] object-policy ip op

[Sysname-object-policy-ip-op] undo accelerate

Related commands

display object-policy accelerate

description

Use description to configure a description for an object policy.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for an object policy.

Views

Object policy view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Usage guidelines

If the object policy does not have a description, this command configures the description. Otherwise, this command overwrites the existing description for the policy.

Examples

# Configure the description as zone-pair security office to library for an IPv4 address object policy.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] description zone-pair security office to library

Related commands

display object-policy ip

display object-policy ipv6

display object-policy accelerate

Use display object-policy accelerate to display acceleration information for object policies.

Syntax

Centralized devices in standalone mode:

display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name } }

Distributed devices in standalone mode/centralized IRF devices in IRF mode:

display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name } slot slot-number }

Distributed devices in IRF mode:

display object-policy accelerate { summary { ip | ipv6 } | verbose { ip object-policy-name | ipv6 object-policy-name } chassis chassis-number slot slot-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

summary: Displays brief acceleration information.

verbose: Displays detailed acceleration information.

ip: Displays acceleration information for IPv4 object policies.

ipv6: Displays acceleration information for IPv6 object policies.

object-policy-name: Specifies an object policy by its name, a case-insensitive string of 1 to 63 characters.

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device. The slot-number argument represents its IRF member ID. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the IRF member ID. The slot-number argument represents the slot number of the card. (Distributed device in IRF mode.)

Examples

# Display brief acceleration information for all IPv4 object policies.

<Sysname> display object-policy accelerate summary ip

Object-policy ip a

Object-policy ip c

# Display detailed acceleration information for IPv4 object policy a.

<Sysname> display object-policy accelerate verbose ip a slot 1

Object-policy ip a

 rule 1 drop

 rule 0 pass (failed)

Table 158 Command output

Field     Description
failed    Rule matching acceleration and rule matching failed.


display object-policy ip

Use display object-policy ip to display information about IPv4 object policies.

Syntax

display object-policy ip [ object-policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

object-policy-name: Specifies an object policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an object policy name, this command displays information about all IPv4 object policies.

Usage guidelines

This command displays IPv4 object policy rules in the order they were configured.

Examples

# Display information about all IPv4 object policies.

<Sysname> display object-policy ip

Object-policy ip pass

This is an IPv4 object policy for the zone-pair security source office destination library

Object-policy accelerated

 rule 5 pass source-ip sourceip

 rule 5 comment This rule is used for source-ip sourceip

Table 159 Command output

Field                                                                                        Description
Object-policy ip pass                                                                        Name of the IPv4 object policy.
This is an IPv4 object policy for the zone-pair security source office destination library   Description of the IPv4 object policy.
Object-policy accelerated                                                                    Rule matching acceleration is enabled for the IPv4 object policy.
rule 5 pass source-ip sourceip                                                               Statement of rule 5. The value of sourceip is the name of the source IPv4 address object group.
rule 5 comment This rule is used for source-ip sourceip                                      Description of rule 5.


display object-policy ipv6

Use display object-policy ipv6 to display information about IPv6 object policies.

Syntax

display object-policy ipv6 [ object-policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

object-policy-name: Specifies an object policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an object policy name, this command displays information about all IPv6 object policies.

Usage guidelines

This command displays IPv6 object policy rules in the order they were configured.

Examples

# Display information about all IPv6 object policies.

<Sysname> display object-policy ipv6

Object-policy ipv6 pass

This is an IPv6 object policy for the zone-pair security source office destination library

Object-policy accelerated

 rule 5 pass source-ip sourceipv6

 rule 5 comment This rule is used for source-ip sourceipv6

Table 160 Command output

Field                                                                                        Description
Object-policy ipv6 pass                                                                      Name of the IPv6 object policy.
This is an IPv6 object policy for the zone-pair security source office destination library   Description of the IPv6 object policy.
Object-policy accelerated                                                                    Rule matching acceleration is enabled for the IPv6 object policy.
rule 5 pass source-ip sourceipv6                                                             Statement of rule 5. The value of sourceipv6 is the name of the source IPv6 address object group.
rule 5 comment This rule is used for source-ip sourceipv6                                    Description of rule 5.


display object-policy statistics zone-pair security

Use display object-policy statistics zone-pair security to display statistics for the object policies applied to a zone pair.

Syntax

display object-policy statistics zone-pair security source source-zone-name destination destination-zone-name [ ip | ipv6 ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source source-zone-name: Specifies a source security zone name, a case-insensitive string of 1 to 31 characters.

destination destination-zone-name: Specifies a destination security zone name, a case-insensitive string of 1 to 31 characters.

ip: Displays statistics for IPv4 object policies.

ipv6: Displays statistics for IPv6 object policies.

Usage guidelines

If you specify neither the ip keyword nor the ipv6 keyword, the system displays statistics for all object policies applied to the specified zone pair.

Examples

# Display statistics for all object policies applied to the zone pair with source security zone office and destination security zone library.

<Sysname> display object-policy statistics zone-pair security source office destination library

Object-policy apply ip OfficeToLibrary

 rule 0 pass source-ip sourceip1 (5 packets,10 bytes)

Object-policy apply ipv6 OfficeToLibraryIPv6

 rule 0 pass source-ip sourceip3 (6 packets,13 bytes)

Table 161 Command output

Field                                          Description
Object-policy apply ip OfficeToLibrary         Name of the IPv4 object policy applied to the zone pair.
rule 0 pass source-ip sourceip1                Statement of rule 0. The value of sourceip1 is the name of the source IPv4 address object group.
Object-policy apply ipv6 OfficeToLibraryIPv6   Name of the IPv6 object policy applied to the zone pair.
rule 0 pass source-ip sourceip3                Statement of rule 0. The value of sourceip3 is the name of the source IPv6 address object group.
x packets,y bytes                              The rule has matched x packets, a total of y bytes. This field is displayed only when the following conditions exist:
                                               ·     The counting or logging keyword is specified in the rule command.
                                               ·     The rule has been matched.


Related commands

reset object-policy statistics

display object-policy zone-pair security

Use display object-policy zone-pair security to display information about the object policies applied to zone pairs.

Syntax

display object-policy zone-pair security [ source source-zone-name destination destination-zone-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source source-zone-name: Specifies a source security zone name, a case-insensitive string of 1 to 31 characters.

destination destination-zone-name: Specifies a destination security zone name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

If you do not specify a zone pair, the system displays information about the object policies applied to all zone pairs.

Examples

# Display information about the object policies applied to all zone pairs.

<Sysname> display object-policy zone-pair security

Zone-pair source office destination library

object-policy apply ip permit

object-policy apply ipv6 drop

Table 162 Command output

Field                                          Description
Zone-pair source office destination library    Name of the zone pair.
object-policy apply ip permit                  Name of the IPv4 object policy applied to the zone pair.
object-policy apply ipv6 drop                  Name of the IPv6 object policy applied to the zone pair.


move rule

Use move rule to change the rule match order of a rule in an object policy.

Syntax

move rule rule-id before insert-rule-id

Views

Object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule by its ID in the range of 0 to 65534.

insert-rule-id: Specifies the ID of the target rule before which a rule is inserted. The target rule ID is in the range of 0 to 65535. If you specify 65535 as the target rule ID, the rule is moved to the end of the list.

Usage guidelines

The system does not execute the command in the following situations:

·     You specify the same value for the rule-id and insert-rule-id arguments.

·     You specify a nonexistent rule.

Examples

# Insert rule 5 before rule 2 for IPv4 object policy permit.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] move rule 5 before 2

Related commands

object-policy apply ipv6

object-policy ip

rule (IPv4 object policy view)

rule (IPv6 object policy view)

object-policy apply ip

Use object-policy apply ip to apply an IPv4 object policy to a zone pair.

Use undo object-policy apply ip to restore the default.

Syntax

object-policy apply ip object-policy-name

undo object-policy apply ip object-policy-name

Default

IPv4 object policies are not applied to a zone pair.

Views

Zone pair view

Predefined user roles

network-admin

Parameters

object-policy-name: Specifies an IPv4 object policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If the specified object policy does not exist, this command fails.

You can apply only one IPv4 object policy to each zone pair. To apply a different IPv4 object policy to a zone pair that already has one, first remove the application of the existing IPv4 object policy.

Examples

# Configure an IPv4 object policy and apply it to a zone pair.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] quit

[Sysname] zone-pair security source office destination library

[Sysname-zone-pair-security-office-library] object-policy apply ip permit

Related commands

display object-policy zone-pair security

object-policy apply ipv6

object-policy ip

object-policy apply ipv6

Use object-policy apply ipv6 to apply an IPv6 object policy to a zone pair.

Use undo object-policy apply ipv6 to restore the default.

Syntax

object-policy apply ipv6 object-policy-name

undo object-policy apply ipv6 object-policy-name

Default

IPv6 object policies are not applied to a zone pair.

Views

Zone pair view

Predefined user roles

network-admin

Parameters

object-policy-name: Specifies an IPv6 object policy by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If the specified object policy does not exist, this command fails.

You can apply only one IPv6 object policy to each zone pair. To apply a different IPv6 object policy to a zone pair that already has one, first remove the application of the existing IPv6 object policy.

Examples

# Configure an IPv6 object policy and apply it to a zone pair.

<Sysname> system-view

[Sysname] object-policy ipv6 permit

[Sysname-object-policy-ipv6-permit] quit

[Sysname] zone-pair security source office destination library

[Sysname-zone-pair-security-office-library] object-policy apply ipv6 permit

Related commands

display object-policy zone-pair security

object-policy apply ip

object-policy ipv6

object-policy ip

Use object-policy ip to configure an IPv4 object policy and enter its view, or enter the view of an existing IPv4 object policy.

Use undo object-policy ip to delete an IPv4 object policy.

Syntax

object-policy ip object-policy-name

undo object-policy ip object-policy-name

Default

No IPv4 object policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

object-policy-name: Specifies an IPv4 object policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IPv4 object policy name is unchangeable once configured.

You cannot delete an IPv4 object policy that has been applied to a zone pair.

Examples

# Configure an IPv4 object policy and enter its view.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule pass

Related commands

display object-policy ip

object-policy ipv6

object-policy ipv6

Use object-policy ipv6 to configure an IPv6 object policy and enter its view, or enter the view of an existing IPv6 object policy.

Use undo object-policy ipv6 to delete an IPv6 object policy.

Syntax

object-policy ipv6 object-policy-name

undo object-policy ipv6 object-policy-name

Default

No IPv6 object policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

object-policy-name: Configures the IPv6 object policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IPv6 object policy name is unchangeable once configured.

You cannot delete an IPv6 object policy that has been applied to a zone pair.

Examples

# Configure an IPv6 object policy and enter its view.

<Sysname> system-view

[Sysname] object-policy ipv6 permit

[Sysname-object-policy-ipv6-permit] rule pass

Related commands

display object-policy ipv6

object-policy ip

reset object-policy statistics

Use reset object-policy statistics to clear statistics for the object policies applied to zone pairs.

Syntax

reset object-policy statistics [ zone-pair security source source-zone-name destination destination-zone-name ] [ ip | ipv6 ]

Views

User view

Predefined user roles

network-admin

Parameters

source source-zone-name: Specifies the source security zone name, a case-insensitive string of 1 to 31 characters.

destination destination-zone-name: Specifies the destination security zone name, a case-insensitive string of 1 to 31 characters.

ip: Clears statistics for IPv4 object policies.

ipv6: Clears statistics for IPv6 object policies.

Usage guidelines

If you do not specify a zone pair, the system clears statistics for the object policies applied to all zone pairs.

If you specify neither the ip keyword nor the ipv6 keyword, the system clears statistics for all object policies applied to the specified zone pairs.

Examples

# Clear statistics for all IPv4 object policies applied to the zone pair with source security zone office and destination security zone library.

<Sysname> reset object-policy statistics zone-pair security source office destination library ip

Related commands

display object-policy statistics zone-pair security

rule (IPv4 object policy view)

Use rule to configure a rule for an IPv4 object policy.

Use undo rule to partially or completely delete a rule for an IPv4 object policy.

Syntax

rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ] [ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ] [ time-range time-range-name ] ] *

undo rule rule-id [ source-ip | destination-ip | service | vrf | application | app-group | counting | disable | logging | time-range ] *

Default

No rules are configured for an IPv4 object policy.

Views

IPv4 object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule an integer next to the greatest ID being used. For example, if the greatest ID is 60000, the system automatically assigns 60001. If the greatest ID is 65534, the system assigns the rule the smallest unused number in the range.

drop: Discards the packets that match the rule.

pass: Allows the packets that match the rule to pass.

inspect app-profile-name: Applies a DPI application profile to the packets that match the rule. The app-profile-name argument represents the DPI profile name, a case-insensitive string of 1 to 100 characters. The string can contain only letters, digits, and underscores (_).

The following matrix shows the inspect app-profile-name option and hardware compatibility:

Hardware                                                                 Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK   Yes
MSR2600-6-X1/2600-10-X1                                                  Yes
MSR 2630                                                                 Yes
MSR3600-28/3600-51                                                       Yes
MSR3600-28-SI/3600-51-SI                                                 No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                           Yes
MSR 3610/3620/3620-DP/3640/3660                                          Yes
MSR5620/5660/5680                                                        Yes


source-ip object-group-name: Specifies a source IPv4 address object group by its name, a case-insensitive string of 1 to 31 characters.

source-ip any: Specifies all source IPv4 address object groups.

destination-ip object-group-name: Specifies a destination IPv4 address object group by its name, a case-insensitive string of 1 to 31 characters.

destination-ip any: Specifies all destination IPv4 address object groups.

service object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters.

service any: Specifies all service object groups.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command applies to packets of the public network.

application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The applications named invalid and other are not supported.

app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The application groups named invalid and other are not supported.

counting: Enables match counting for the rule in an IPv4 object policy. By default, rule match counting is disabled.

disable: Disables the IPv4 object policy rule.

logging: Logs the packets that match the rule.

time-range time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. If the specified time range does not exist, the system creates the rule and prompts you to configure the time range. The rule takes effect after you set the time range. For more information about time range configuration, see ACL and QoS Configuration Guide.

Usage guidelines

If the specified rule ID does not exist, this command creates a rule. Otherwise, this command changes the configuration of the specified rule.

The rule matches all IPv4 packets if no criteria are specified.

If you specify a nonexistent object group in a rule, the command creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

If you do not specify any options in the undo rule command, the command deletes the entire rule. Otherwise, the command deletes only the specified part of the rule statement.

You cannot delete a nonexistent rule. You can use the display object-policy ip command to display rules in an IPv4 object policy.

To use applications or application groups in an object policy, use only PBAR-classified applications. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see Security Configuration Guide.
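The rule-list behaviour described for object policies (automatic rule IDs, overwrite of an existing rule ID, auto-created empty object groups that match nothing, disabled rules, counting, and move rule ... before with 65535 meaning end of list) as an added Python model; constructed example code, not H3C's. First-match evaluation in list order, a first automatic ID of 0, and reporting "no-match" when no rule matches are assumptions the reference does not state; object group members are constructed tokens.

```python
"""Constructed model of one IPv4 object policy's rule list; example code, not
H3C's. Object groups are name -> member tokens (constructed) so rule criteria
can be evaluated against a packet described by three tokens."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

RULE_ID_MAX = 65534     # largest configurable rule ID
END_OF_LIST = 65535     # `move rule X before 65535` moves X to the end of the list


@dataclass
class Rule:
    rule_id: int
    action: str                          # drop | pass | inspect
    source_ip: Optional[str] = None      # object group name, "any", or None (not specified)
    destination_ip: Optional[str] = None
    service: Optional[str] = None
    counting: bool = False
    disable: bool = False
    packets: int = 0                     # match counter, kept only when counting is set


class ObjectPolicy:
    """Rules are matched in list order, first match wins (assumption)."""

    def __init__(self, name: str, groups: Dict[str, Set[str]]) -> None:
        self.name = name
        self.groups = groups
        self.rules: List[Rule] = []

    def order(self) -> List[int]:
        return [r.rule_id for r in self.rules]

    def next_rule_id(self) -> int:
        used = set(self.order())
        if not used:
            return 0                     # assumption: the first automatic ID is 0
        greatest = max(used)
        if greatest < RULE_ID_MAX:
            return greatest + 1          # greatest 60000 -> 60001
        return next(i for i in range(RULE_ID_MAX + 1) if i not in used)  # smallest unused

    def rule(self, action: str, rule_id: Optional[int] = None, **criteria) -> int:
        """Apply `rule [rule-id] { drop | pass | inspect } ...`; returns the rule ID."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        elif not 0 <= rule_id <= RULE_ID_MAX:
            raise ValueError("rule ID must be in 0..65534")
        for key in ("source_ip", "destination_ip", "service"):
            name = criteria.get(key)
            if name not in (None, "any"):
                self.groups.setdefault(name, set())   # nonexistent group is created empty
        new = Rule(rule_id, action, **criteria)
        for i, existing in enumerate(self.rules):
            if existing.rule_id == rule_id:
                self.rules[i] = new      # existing ID: configuration is overwritten in place
                return rule_id
        self.rules.append(new)
        return rule_id

    def move_rule(self, rule_id: int, before: int) -> None:
        """`move rule rule-id before insert-rule-id`; the device refuses bad arguments."""
        ids = self.order()
        if rule_id == before or rule_id not in ids:
            raise ValueError("same ID or nonexistent rule")
        if before != END_OF_LIST and before not in ids:
            raise ValueError("nonexistent target rule")
        moving = self.rules.pop(ids.index(rule_id))
        if before == END_OF_LIST:
            self.rules.append(moving)
        else:
            self.rules.insert(self.order().index(before), moving)

    def _criterion_matches(self, group: Optional[str], token: str) -> bool:
        if group is None or group == "any":
            return True                  # unspecified criterion or `any`: matches everything
        return token in self.groups.get(group, set())   # empty group: matches nothing

    def evaluate(self, src: str, dst: str, service: str) -> Tuple[str, Optional[int]]:
        """Return (action, rule_id) of the first matching enabled rule."""
        for r in self.rules:
            if r.disable:
                continue
            if (self._criterion_matches(r.source_ip, src)
                    and self._criterion_matches(r.destination_ip, dst)
                    and self._criterion_matches(r.service, service)):
                if r.counting:
                    r.packets += 1
                return r.action, r.rule_id
        # The reference does not state a default action; report it as no match.
        return "no-match", None

    def statistics(self) -> Dict[int, int]:
        """Match counters of counting rules, like `display object-policy statistics`."""
        return {r.rule_id: r.packets for r in self.rules if r.counting}
```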

Examples

# Configure a rule to allow packets that match source IPv4 address object group sourceip1 to pass through during time range time1.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule pass source-ip sourceip1 logging time-range time1

# Configure a rule to apply DPI application profile profile1 to packets that match source IPv4 address object group sourceip1.

<Sysname> system-view

[Sysname] object-policy ip dpiproc

[Sysname-object-policy-ip-dpiproc] rule inspect profile1 source-ip sourceip1 logging

# Configure a rule to permit packets that match application aaa.

<Sysname> system-view

[Sysname] object-policy ip dpiproc

[Sysname-object-policy-ip-dpiproc] rule pass application aaa

Related commands

app-profile (DPI Command Reference)

display object-policy ip

move rule

object-policy ip

time-range (ACL and QoS Command Reference)

track (High Availability Command Reference)

rule (IPv6 object policy view)

Use rule to configure a rule for an IPv6 object policy.

Use undo rule to partially or completely delete a rule for an IPv6 object policy.

Syntax

rule [ rule-id ] { drop | pass | inspect app-profile-name } [ [ source-ip { object-group-name | any } ] [ destination-ip { object-group-name | any } ] [ service { object-group-name | any } ] [ vrf vrf-name ] [ application application-name ] [ app-group app-group-name ] [ counting ] [ disable ] [ logging ] [ time-range time-range-name ] ] *

undo rule rule-id [ source-ip | destination-ip | service | vrf | application | app-group | counting | disable | logging | time-range ] *

Default

No rules are configured for an IPv6 object policy.

Views

IPv6 object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule the next integer after the greatest ID in use. For example, if the greatest ID is 60000, the system automatically assigns 60001. If the greatest ID is 65534, the system assigns the rule the smallest unused number in the range.

drop: Discards the packets that match the rule.

pass: Allows the packets that match the rule to pass.

inspect app-profile-name: Applies a DPI application profile to the packets that match the rule. The app-profile-name argument represents the DPI profile name, a case-insensitive string of 1 to 100 characters. The string can contain only letters, digits, and underscores (_).

The following matrix shows the inspect app-profile-name option and hardware compatibility:

Hardware                                                                  Option compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

source-ip object-group-name: Specifies a source IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters.

source-ip any: Specifies all source IPv6 address object groups.

destination-ip object-group-name: Specifies a destination IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters.

destination-ip any: Specifies all destination IPv6 address object groups.

service object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters.

service any: Specifies all service object groups.

vrf vrf-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command applies to packets of the public network.

application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The invalid and other applications are not supported.

app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The invalid and other application groups are not supported.

counting: Enables match counting for the rule in an IPv6 object policy. By default, rule match counting is disabled.

disable: Disables the IPv6 object policy rule.

logging: Logs the packets that match the rule.

time-range time-range-name: Specifies the rule effective time range by its name, a case-insensitive string of 1 to 32 characters. If you configure a rule without setting the effective time period, the system creates the rule and prompts you to configure the time period. The rule takes effect after you set the time period. For more information about time range configuration, see ACL and QoS Configuration Guide.

Usage guidelines

If the specified rule ID does not exist, this command creates a rule. Otherwise, this command changes the configuration of the specified rule.

The rule matches all IPv6 packets if no criteria are specified.

If you specify a nonexistent object group in a rule, the command creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets.

If you do not specify any options in the undo rule command, the command deletes the entire rule. Otherwise, the command deletes only the specified part of the rule statement.

You cannot delete a nonexistent rule. You can use the display object-policy ipv6 command to display rules in an IPv6 object policy.

To use applications or application groups in an object policy, use only PBAR-classified applications. NBAR-classified applications cannot match any packets. For more information about PBAR and NBAR, see Security Configuration Guide.

Examples

# Configure a rule to allow packets that match source IPv6 address object group sourceip1 to pass through during time range time1.

<Sysname> system-view

[Sysname] object-policy ipv6 permit

[Sysname-object-policy-ipv6-permit] rule pass source-ip sourceip1 logging time-range time1

# Configure a rule to apply DPI application profile profile1 to packets that match source IPv6 address object group sourceip1.

<Sysname> system-view

[Sysname] object-policy ipv6 dpiproc

[Sysname-object-policy-ipv6-dpiproc] rule inspect profile1 source-ip sourceip1 logging

# Configure a rule to permit packets that match application aaa.

<Sysname> system-view

[Sysname] object-policy ipv6 dpiproc

[Sysname-object-policy-ipv6-dpiproc] rule pass application aaa

Related commands

app-profile (DPI Command Reference)

display object-policy ipv6

move rule

object-policy ipv6

time-range (ACL and QoS Command Reference)

track (High Availability Command Reference)

rule append

Use rule append to append a criterion to a rule for packet matching.

Use undo rule append to delete a criterion appended to a rule.

Syntax

rule rule-id append { application application-name | app-group app-group-name | destination-ip object-group-name | service object-group-name | source-ip object-group-name }

undo rule rule-id append { application [ application-name ] | app-group [ app-group-name ] | destination-ip [ object-group-name ] | service [ object-group-name ] | source-ip [ object-group-name ] }

Default

No criterion is appended to a rule for packet matching.

Views

Object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule by its ID in the range of 0 to 65534.

application application-name: Specifies an application by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed.

destination-ip object-group-name: Specifies a destination IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters. The name any is not allowed.

service object-group-name: Specifies a service object group by its name, a case-insensitive string of 1 to 31 characters. The name any is not allowed.

source-ip object-group-name: Specifies a source IPv4 or IPv6 address object group by its name, a case-insensitive string of 1 to 31 characters. The name any is not allowed.

Usage guidelines

Make sure the rule already exists before you execute this command.

You can execute this command multiple times to append multiple criteria to a rule. These criteria can be of the same type.

The action taken on packets matching the appended criterion is specified in the rule command.

If you do not specify a criterion when executing the undo command, the command deletes all appended criteria of the specified type.

Examples

# Configure rule 1 to allow packets that match source IP address object groups sourceip1, sourceip2, and sourceip3 to pass.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule 1 pass source-ip sourceip1 logging

[Sysname-object-policy-ip-permit] rule 1 append source-ip sourceip2

[Sysname-object-policy-ip-permit] rule 1 append source-ip sourceip3
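The following Python model is an added example, not part of this reference or of H3C software. It puts the rule-ID assignment, the empty-object-group behaviour and the rule append behaviour described above into executable form. Object groups are simplified to sets of host address strings; appended groups of one criterion type are treated as alternatives and rules are evaluated in ascending ID order (both assumptions made for this model).

```python
"""Model of object-policy rule behaviour documented in this reference.

Added example, not H3C code.  It models:
  * rule-ID auto-assignment: the next integer after the greatest ID in
    use, or the smallest unused ID once the greatest ID is 65534;
  * a rule that references an object group with empty configuration
    matches no packets (the group is created empty if it did not exist);
  * 'rule append' adding further object groups of the same criterion type,
    treated here as alternatives (assumed from the rule append example);
  * rules evaluated in ascending ID order (assumed).
Object groups are simplified to sets of host address strings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_RULE_ID = 65534


@dataclass
class Rule:
    rule_id: int
    action: str                                          # "pass", "drop" or "inspect"
    source_ip: List[str] = field(default_factory=list)   # object group names
    destination_ip: List[str] = field(default_factory=list)


class ObjectPolicy:
    def __init__(self) -> None:
        self.rules: Dict[int, Rule] = {}
        self.object_groups: Dict[str, Set[str]] = {}

    def next_rule_id(self) -> int:
        """ID assignment as documented for the 'rule' command."""
        if not self.rules:
            return 0
        greatest = max(self.rules)
        if greatest < MAX_RULE_ID:
            return greatest + 1
        # Greatest ID is 65534: fall back to the smallest unused ID.
        return next(i for i in range(MAX_RULE_ID + 1) if i not in self.rules)

    def rule(self, action: str, rule_id: Optional[int] = None,
             source_ip: Optional[str] = None,
             destination_ip: Optional[str] = None) -> Rule:
        """Create a rule, or change an existing one if rule_id already exists."""
        if rule_id is None:
            rule_id = self.next_rule_id()
        r = self.rules.setdefault(rule_id, Rule(rule_id, action))
        r.action = action
        for criterion, name in (("source_ip", source_ip),
                                ("destination_ip", destination_ip)):
            if name is not None:
                # A nonexistent object group is created with empty configuration.
                self.object_groups.setdefault(name, set())
                setattr(r, criterion, [name])
        return r

    def rule_append(self, rule_id: int, criterion: str, name: str) -> None:
        """'rule <id> append <criterion> <group>': the rule must already exist."""
        if rule_id not in self.rules:
            raise KeyError(f"rule {rule_id} does not exist")
        self.object_groups.setdefault(name, set())
        getattr(self.rules[rule_id], criterion).append(name)

    def _criterion_matches(self, names: List[str], addr: str) -> bool:
        if not names:            # criterion not specified: matches any address
            return True
        # Any appended group may match; a group with empty configuration never does.
        return any(addr in self.object_groups[n] for n in names)

    def lookup(self, src: str, dst: str) -> Optional[str]:
        """Return the action of the first matching rule, or None if none matches."""
        for rid in sorted(self.rules):
            r = self.rules[rid]
            if (self._criterion_matches(r.source_ip, src)
                    and self._criterion_matches(r.destination_ip, dst)):
                return r.action
        return None
```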

Related commands

app-group

display object-policy ip

display object-policy ipv6

nbar application

object-group

object-policy ip

object-policy ipv6

rule (IPv4 object policy view)

rule (IPv6 object policy view)

rule comment

Use rule comment to configure a description for a rule.

Use undo rule comment to delete the description for a rule.

Syntax

rule rule-id comment text

undo rule rule-id comment

Default

No description is configured for a rule.

Views

Object policy view

Predefined user roles

network-admin

Parameters

rule-id: Specifies a rule by its ID in the range of 0 to 65534.

text: Specifies a description, a case-sensitive string of 1 to 127 characters.

Usage guidelines

If the specified rule does not exist, this command fails.

If the rule does not have a description, this command configures the description. Otherwise, this command overwrites the existing description for the rule.

Examples

# Create rule 0 for IPv4 object policy permit and configure a description for rule 0.

<Sysname> system-view

[Sysname] object-policy ip permit

[Sysname-object-policy-ip-permit] rule 0 pass source-ip ip1

[Sysname-object-policy-ip-permit] rule 0 comment This rule is used for source-ip ip1

Related commands

display object-policy ip

display object-policy ipv6


Attack detection and prevention commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

ack-flood action

Use ack-flood action to specify global actions against ACK flood attacks.

Use undo ack-flood action to restore the default.

Syntax

ack-flood action { client-verify | drop | logging } *

undo ack-flood action

Default

No global action is specified for ACK flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent ACK packets destined for the victim IP addresses.

logging: Enables logging for ACK flood attack events.

Usage guidelines

For the ACK flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.

Examples

# Specify drop as the global action against ACK flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop

Related commands

ack-flood threshold

ack-flood detect

ack-flood detect non-specific

client-verify tcp enable

ack-flood detect

Use ack-flood detect to configure IP address-specific ACK flood attack detection.

Use undo ack-flood detect to remove IP address-specific ACK flood attack detection configuration.

Syntax

ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific ACK flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering ACK flood attack prevention. The value range is 1 to 1000000 in units of ACK packets sent to the specified IP address per second.

action: Specifies the actions when an ACK flood attack is detected. If no action is specified, the global actions set by the ack-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent ACK packets destined for the protected IP address.

logging: Enables logging for ACK flood attack events.

none: Takes no action.

Usage guidelines

With ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure ACK flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect ip 192.168.1.2 threshold 2000

Related commands

ack-flood action

ack-flood detect non-specific

ack-flood threshold

client-verify tcp enable

ack-flood detect non-specific

Use ack-flood detect non-specific to enable global ACK flood attack detection.

Use undo ack-flood detect non-specific to disable global ACK flood attack detection.

Syntax

ack-flood detect non-specific

undo ack-flood detect non-specific

Default

Global ACK flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ACK flood attack detection applies to all IP addresses except those specified by the ack-flood detect command. The global detection uses the global trigger threshold set by the ack-flood threshold command and global actions specified by the ack-flood action command.

Examples

# Enable global ACK flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood detect non-specific

Related commands

ack-flood action

ack-flood detect

ack-flood threshold

ack-flood threshold

Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention.

Use undo ack-flood threshold to restore the default.

Syntax

ack-flood threshold threshold-value

undo ack-flood threshold

Default

The global threshold is 1000 for triggering ACK flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ACK packets sent to an IP address per second.

Usage guidelines

The device applies the global threshold to global ACK flood attack detection. Adjust the threshold according to the application scenarios. If the number of ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global ACK flood attack detection configured, the device is in attack detection state. When the sending rate of ACK packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
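The following Python model is an added example, not part of this reference or of H3C software. It reproduces the threshold and silence-threshold transitions described for IP-specific and global ACK flood detection, with the IP-specific threshold taking precedence for the addresses it names; the per-second rate samples in the test are constructed.

```python
"""Model of the ACK flood detection/prevention state machine described here.

Added example, not H3C code.  It reproduces the documented behaviour for both
global and IP-specific detection: the device starts in detection state,
enters prevention state when the ACK rate to an address reaches the
threshold, and returns to detection state only when the rate falls below
the silence threshold (three-fourths of the threshold).  An address named by
'ack-flood detect' uses its own threshold; every other address uses the
global threshold.  Rate samples fed to observe() are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GLOBAL_DEFAULT_THRESHOLD = 1000          # default of 'ack-flood threshold'
SILENCE_RATIO = 3 / 4                    # silence threshold = 3/4 of threshold


@dataclass
class AckFloodPolicy:
    global_threshold: int = GLOBAL_DEFAULT_THRESHOLD
    global_actions: Tuple[str, ...] = ()      # 'ack-flood action': none by default
    # ip -> (threshold, actions); actions None = fall back to the global actions
    specific: Dict[str, Tuple[int, Optional[Tuple[str, ...]]]] = field(default_factory=dict)
    _prevention: Dict[str, bool] = field(default_factory=dict)

    def detect(self, ip: str, threshold: int,
               actions: Optional[Tuple[str, ...]] = None) -> None:
        """'ack-flood detect ip <ip> threshold <n> [action ...]'; () models 'none'."""
        self.specific[ip] = (threshold, actions)

    def threshold_for(self, ip: str) -> int:
        return self.specific[ip][0] if ip in self.specific else self.global_threshold

    def actions_for(self, ip: str) -> Tuple[str, ...]:
        actions = self.specific[ip][1] if ip in self.specific else None
        return self.global_actions if actions is None else actions

    def observe(self, ip: str, acks_per_second: int) -> str:
        """Feed one second of ACK rate for ip and return the resulting state."""
        threshold = self.threshold_for(ip)
        in_prevention = self._prevention.get(ip, False)
        if not in_prevention and acks_per_second >= threshold:
            in_prevention = True                  # threshold reached
        elif in_prevention and acks_per_second < threshold * SILENCE_RATIO:
            in_prevention = False                 # fell below the silence threshold
        self._prevention[ip] = in_prevention
        return "prevention" if in_prevention else "detection"

    def run(self, ip: str, rates: List[int]) -> List[str]:
        """State after each second of a rate series."""
        return [self.observe(ip, r) for r in rates]
```

Note how 1800 and 1600 ACK/s keep 192.168.1.2 in prevention state although neither reaches the 2000 threshold: the state only clears once the rate drops below 1500.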

Examples

# Set the global threshold to 100 for triggering ACK flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] ack-flood threshold 100

Related commands

ack-flood action

ack-flood detect

ack-flood detect non-specific

attack-defense apply policy

Use attack-defense apply policy to apply an attack defense policy to an interface.

Use undo attack-defense apply policy to restore the default.

Syntax

attack-defense apply policy policy-name

undo attack-defense apply policy

Default

No attack defense policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Usage guidelines

An interface can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.

An attack defense policy can be applied to multiple interfaces.

Examples

# Apply the attack defense policy atk-policy-1 to interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] attack-defense apply policy atk-policy-1

Related commands

attack-defense policy

display attack-defense policy

attack-defense local apply policy

Use attack-defense local apply policy to apply an attack defense policy to the device.

Use undo attack-defense local apply policy to restore the default.

Syntax

attack-defense local apply policy policy-name

undo attack-defense local apply policy

Default

No attack defense policy is applied to the device.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Usage guidelines

An attack defense policy applied to the device itself detects packets destined for the device and prevents attacks targeted at the device.

Applying an attack defense policy to the device can improve the efficiency of processing attack packets destined for the device.

Each device can have only one attack defense policy applied. If you execute this command multiple times, the most recent configuration takes effect.

An attack defense policy can be applied to the device itself and to multiple interfaces.

If a device and its interfaces have attack defense policies applied, a packet destined for the device is processed as follows:

1.     The policy applied to the receiving interface processes the packet.

2.     If the packet is not dropped by the receiving interface, the policy applied to the device processes the packet.

Examples

# Apply the attack defense policy atk-policy-1 to the device.

<Sysname> system-view

[Sysname] attack-defense local apply policy atk-policy-1

Related commands

attack-defense policy

display attack-defense policy

attack-defense login reauthentication-delay

Use attack-defense login reauthentication-delay to enable the login delay feature.

Use undo attack-defense login reauthentication-delay to restore the default.

Syntax

attack-defense login reauthentication-delay seconds

undo attack-defense login reauthentication-delay

Default

The login delay feature is disabled. The device does not delay accepting a login request from a user who has failed a login attempt.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the delay period in seconds, in the range of 4 to 60.

Usage guidelines

The login delay feature makes the device wait for the configured period before it accepts another login request from a user who has failed a login attempt. This feature can slow down login dictionary attacks.

Examples

# Enable the login delay feature and set the delay period to 5 seconds.

<Sysname> system-view

[Sysname] attack-defense login reauthentication-delay 5

attack-defense policy

Use attack-defense policy to create an attack defense policy and enter its view, or enter the view of an existing attack defense policy.

Use undo attack-defense policy to delete an attack defense policy.

Syntax

attack-defense policy policy-name

undo attack-defense policy policy-name

Default

No attack defense policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Assigns a name to the attack defense policy. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

Examples

# Create the attack defense policy atk-policy-1 and enter its view.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1]

Related commands

attack-defense apply policy

display attack-defense policy

attack-defense signature log non-aggregate

Use attack-defense signature log non-aggregate to enable log non-aggregation for single-packet attack events.

Use undo attack-defense signature log non-aggregate to restore the default.

Syntax

attack-defense signature log non-aggregate

undo attack-defense signature log non-aggregate

Default

Log non-aggregation is disabled for single-packet attack events.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Log aggregation aggregates all logs generated during a period of time and sends one log. The logs with the same attributes for the following items can be aggregated:

·     Interface where the attack is detected.

·     Attack type.

·     Attack prevention action.

·     Source and destination IP addresses.

·     VPN instance to which the victim IP address belongs.

As a best practice, do not disable log aggregation. A large number of logs will consume the display resources of the console.
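The aggregation described above, as an added Python example that is not part of this reference or of H3C software: events that share the five listed attributes within one period are combined into a single record carrying a count, and a period of zero reproduces the non-aggregated behaviour. The event records, their field names and the period length are constructed assumptions.

```python
"""Single-packet attack log aggregation as described for this command.

Added example, not H3C code.  With aggregation enabled (the default), logs
generated during one period that share the same interface, attack type,
prevention action, source/destination IP addresses and victim VPN instance
are combined into one log carrying a count.  Event records, field names and
the period length are constructed assumptions.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttackEvent:
    time: float                   # seconds since start of capture (constructed)
    interface: str
    attack_type: str
    action: str
    src_ip: str
    dst_ip: str
    vpn_instance: Optional[str]   # None for the public network

    def aggregation_key(self) -> Tuple:
        # The items this reference lists as the aggregation attributes.
        return (self.interface, self.attack_type, self.action,
                self.src_ip, self.dst_ip, self.vpn_instance)


# Constructed sample events: three repeats from one source, one from another
# source, one on another interface, and one that falls into the next period.
SAMPLE_EVENTS = [
    AttackEvent(0.2, "GE1/0/1", "land", "drop", "10.1.1.9", "10.1.1.1", None),
    AttackEvent(1.5, "GE1/0/1", "land", "drop", "10.1.1.9", "10.1.1.1", None),
    AttackEvent(2.9, "GE1/0/1", "land", "drop", "10.1.1.9", "10.1.1.1", None),
    AttackEvent(3.1, "GE1/0/1", "land", "drop", "10.1.1.7", "10.1.1.1", None),
    AttackEvent(4.0, "GE1/0/2", "land", "drop", "10.1.1.9", "10.1.1.1", None),
    AttackEvent(61.0, "GE1/0/1", "land", "drop", "10.1.1.9", "10.1.1.1", None),
]


def aggregate(events: List[AttackEvent], period: float) -> List[Dict]:
    """Return one summary per (period window, aggregation key).

    Each summary records the key, the first and last event time and a count.
    With period <= 0 every event is emitted on its own, which is the
    behaviour 'attack-defense signature log non-aggregate' selects.
    """
    if period <= 0:
        return [{"key": e.aggregation_key(), "first": e.time,
                 "last": e.time, "count": 1} for e in events]
    buckets = OrderedDict()
    for e in sorted(events, key=lambda x: x.time):
        window = int(e.time // period)
        k = (window,) + e.aggregation_key()
        if k in buckets:
            buckets[k]["count"] += 1
            buckets[k]["last"] = e.time
        else:
            buckets[k] = {"key": e.aggregation_key(), "first": e.time,
                          "last": e.time, "count": 1}
    return list(buckets.values())
```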

Examples

# Enable log non-aggregation for single-packet attack events.

<Sysname> system-view

[Sysname] attack-defense signature log non-aggregate

Related commands

signature detect

attack-defense top-attack-statistics enable

Use attack-defense top-attack-statistics enable to enable the top attack statistics ranking feature.

Use undo attack-defense top-attack-statistics enable to disable the top attack statistics ranking feature.

Syntax

attack-defense top-attack-statistics enable

undo attack-defense top-attack-statistics enable

Default

The top attack statistics ranking feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command collects statistics about the number of dropped attack packets based on attacker, victim, and attack type, and ranks the statistics by attacker and victim.

To display the top attack statistics, use the display attack-defense top-attack-statistics command.

Examples

# Enable the top attack statistics ranking feature.

<Sysname> system-view

[Sysname] attack-defense top-attack-statistics enable

Related commands

display attack-defense top-attack-statistics

blacklist enable

Use blacklist enable to enable the blacklist feature on an interface.

Use undo blacklist enable to disable the blacklist feature on an interface.

Syntax

blacklist enable

undo blacklist enable

Default

The blacklist feature is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

If the global blacklist feature is enabled, the blacklist feature is enabled on all interfaces. If the global blacklist feature is disabled, you can use this command to enable the blacklist feature on individual interfaces.

Examples

# Enable the blacklist feature on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] blacklist enable

Related commands

blacklist ip

blacklist ipv6

blacklist global enable

Use blacklist global enable to enable the global blacklist feature.

Use undo blacklist global enable to disable the global blacklist feature.

Syntax

blacklist global enable

undo blacklist global enable

Default

The global blacklist feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If you enable the global blacklist feature, the blacklist feature is enabled on all interfaces.

Examples

# Enable the global blacklist feature.

<Sysname> system-view

[Sysname] blacklist global enable

Related commands

blacklist enable

blacklist ip

blacklist ip

Use blacklist ip to add an IPv4 blacklist entry.

Use undo blacklist ip to delete an IPv4 blacklist entry.

Syntax

blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] [ timeout minutes ]

undo blacklist ip source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ]

Default

No IPv4 blacklist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

source-ip-address: Specifies an IPv4 address for the blacklist entry. Packets sourced from this address will be dropped.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.

ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address.

timeout minutes: Specifies the aging time in minutes for the blacklist entry, in the range of 1 to 1000. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.

Usage guidelines

The undo blacklist ip command deletes only manually added IPv4 blacklist entries. To delete dynamically added IPv4 blacklist entries, use the reset blacklist ip command.

A blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.

You can use the display blacklist ip command to display all effective IPv4 blacklist entries.

Examples

# Add a blacklist entry for the IP address 192.168.1.2 and set the aging time to 20 minutes for the entry.

<Sysname> system-view

[Sysname] blacklist ip 192.168.1.2 timeout 20

Related commands

blacklist enable

blacklist global enable

display blacklist ip

blacklist ipv6

Use blacklist ipv6 to add an IPv6 blacklist entry.

Use undo blacklist ipv6 to delete an IPv6 blacklist entry.

Syntax

blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ] [ timeout minutes ]

undo blacklist ipv6 source-ipv6-address [ vpn-instance vpn-instance-name ]

Default

No IPv6 blacklist entries exist.

Views

System view

Predefined user roles

network-admin

Parameters

source-ipv6-address: Specifies an IPv6 address for the blacklist entry. Packets sourced from this address will be dropped.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the blacklist belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the blacklist is on the public network.

timeout minutes: Specifies the aging time in minutes for the blacklist entry, in the range of 1 to 1000. If you do not specify this option, the blacklist entry never ages out. You must delete it manually.

Usage guidelines

The undo blacklist ipv6 command deletes only manually added IPv6 blacklist entries. To delete dynamically added IPv6 blacklist entries, use the reset blacklist ipv6 command.

A blacklist entry with an aging time is not saved to the configuration file and cannot survive a reboot.

You can use the display blacklist ipv6 command to display all effective IPv6 blacklist entries.

Examples

# Add a blacklist entry for the IPv6 address 2012::12:25 and set the aging time to 10 minutes for the entry.

<Sysname> system-view

[Sysname] blacklist ipv6 2012::12:25 timeout 10

Related commands

blacklist enable

blacklist global enable

blacklist ip

blacklist logging enable

Use blacklist logging enable to enable logging for the blacklist feature.

Use undo blacklist logging enable to disable logging for the blacklist feature.

Syntax

blacklist logging enable

undo blacklist logging enable

Default

Logging is disabled for the blacklist feature.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With logging enabled for the blacklist feature, the system outputs logs in the following situations:

·     A blacklist entry is manually added.

·     A blacklist entry is dynamically added by the scanning attack detection feature.

·     A blacklist entry is manually deleted.

·     A blacklist entry ages out.

A blacklist log records the following information:

·     Source IP address of the blacklist entry.

·     Remote IP address of the DS-Lite tunnel.

·     VPN instance name.

·     Reason for adding or deleting the blacklist entry.

·     Aging time for the blacklist entry.

Examples

# Enable logging for the blacklist feature.

<Sysname> system-view

[Sysname] blacklist logging enable

# Add 192.168.100.12 to the blacklist. A log is output for the adding event.

[Sysname] blacklist ip 192.168.100.12

%Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.

# Delete 192.168.100.12 from the blacklist. A log is output for the deletion event.

[Sysname] undo blacklist ip 192.168.100.12

%Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12; DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; Reason(1052)=Configuration.
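A Python parser for the BLS_ENTRY_ADD and BLS_ENTRY_DEL log lines shown above, added here as an example and not taken from this reference or from H3C software. It splits the log header from the Name(id)=value fields, treats "--" and empty values (such as the TTL of an entry without aging time) as absent, and replays add and delete logs to rebuild the current set of blacklisted addresses; the sample lines are the two quoted above.

```python
"""Parser for the BLS_ENTRY_ADD / BLS_ENTRY_DEL log lines shown in this reference.

Added example, not H3C code.  SAMPLE_LOGS holds the two lines quoted above.
The parser separates the Comware log header from the 'Name(id)=value'
fields, maps '--' and empty values to None, and can replay a sequence of
add/delete logs into the set of currently blacklisted source addresses.
"""
import re
from typing import Dict, List, Optional, Set

SAMPLE_LOGS = [
    "%Mar 13 03:47:49:736 2013 Sysname BLS/5/BLS_ENTRY_ADD:SrcIPAddr(1003)=192.168.100.12; "
    "DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; TTL(1051)=; Reason(1052)=Configuration.",
    "%Mar 13 03:49:52:737 2013 Sysname BLS/5/BLS_ENTRY_DEL:SrcIPAddr(1003)=192.168.100.12; "
    "DSLiteTunnelPeer(1040)=--; RcvVPNInstance(1041)=--; Reason(1052)=Configuration.",
]

# "%<timestamp> <sysname> <module>/<severity>/<mnemonic>:<body>"
HEADER_RE = re.compile(
    r"^%(?P<timestamp>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"(?P<sysname>\S+) "
    r"(?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<mnemonic>[A-Z0-9_]+):"
    r"(?P<body>.*)$"
)
# "Name(id)=value" pairs separated by "; "; the last value ends with "."
FIELD_RE = re.compile(r"(?P<name>\w+)\((?P<id>\d+)\)=(?P<value>[^;]*)")


def parse_blacklist_log(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return header and fields of one BLS log line, or None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group("module") != "BLS":
        return None
    rec: Dict[str, Optional[str]] = {
        "timestamp": m.group("timestamp"),
        "sysname": m.group("sysname"),
        "severity": m.group("severity"),
        "mnemonic": m.group("mnemonic"),
    }
    for f in FIELD_RE.finditer(m.group("body")):
        value = f.group("value").strip().rstrip(".")
        # '--' means the field does not apply; an empty TTL means no aging time.
        rec[f.group("name")] = None if value in ("", "--") else value
    return rec


def replay_blacklist(lines: List[str]) -> Set[str]:
    """Rebuild the current set of blacklisted source addresses from log lines."""
    active: Set[str] = set()
    for line in lines:
        rec = parse_blacklist_log(line)
        if rec is None or not rec.get("SrcIPAddr"):
            continue
        if rec["mnemonic"] == "BLS_ENTRY_ADD":
            active.add(rec["SrcIPAddr"])
        elif rec["mnemonic"] == "BLS_ENTRY_DEL":
            active.discard(rec["SrcIPAddr"])
    return active
```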

Related commands

blacklist ip

blacklist ipv6

blacklist object-group

Use blacklist object-group to add an address object group to the blacklist.

Use undo blacklist object-group to restore the default.

Syntax

blacklist object-group object-group-name

undo blacklist object-group

Default

No address object group is added to the blacklist.

Views

System view

Predefined user roles

network-admin

Parameters

object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

This command must be used together with the address object group feature. For more information about address object groups, see "Configuring object groups."

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Add address object group object-group1 to the blacklist.

<Sysname> system-view

[Sysname] blacklist object-group object-group1

client-verify dns enable

Use client-verify dns enable to enable DNS client verification on an interface.

Use undo client-verify dns enable to disable DNS client verification on an interface.

Syntax

client-verify dns enable

undo client-verify dns enable

Default

DNS client verification is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Enable DNS client verification on the interface connected to the external network. This feature protects internal DNS servers against DNS flood attacks.

For the DNS client verification to collaborate with DNS flood attack prevention, specify client-verify as the DNS flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a DNS flood attack. You can use the display client-verify dns protected ip command to display the protected IP list for DNS client verification.

Examples

# Enable DNS client verification on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] client-verify dns enable

Related commands

client-verify dns protected ip

display client-verify dns protected ip

client-verify http enable

Use client-verify http enable to enable HTTP client verification on an interface.

Use undo client-verify http enable to disable HTTP client verification on an interface.

Syntax

client-verify http enable

undo client-verify http enable

Default

HTTP client verification is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Enable HTTP client verification on the interface connected to the external network. This feature protects internal servers against HTTP flood attacks.

For the HTTP client verification to collaborate with HTTP flood attack prevention, specify client-verify as the HTTP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects an HTTP flood attack. You can use the display client-verify http protected ip command to display the protected IP list for HTTP client verification.

Examples

# Enable HTTP client verification on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] client-verify http enable

Related commands

client-verify http protected ip

display client-verify http protected ip

client-verify protected ip

Use client-verify protected ip to specify an IPv4 address to be protected by the client verification feature.

Use undo client-verify protected ip to remove an IPv4 address protected by the client verification feature.

Syntax

client-verify { dns | http | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]

undo client-verify { dns | http | tcp } protected ip destination-ip-address [ vpn-instance vpn-instance-name ] [ port port-number ]

Default

The client verification feature does not protect any IPv4 addresses.

Views

System view

Predefined user roles

network-admin

Parameters

dns: Specifies the DNS client verification feature.

http: Specifies the HTTP client verification feature.

tcp: Specifies the TCP client verification feature.

destination-ip-address: Specifies the IPv4 address to be protected. All connection requests destined for this address are verified by the client verification feature.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, DNS client verification protects port 53, HTTP client verification protects port 80, and TCP client verification protects all ports.

Usage guidelines

You can specify multiple protected IP addresses by using this command multiple times.

Examples

# Configure TCP client verification to protect IPv4 address 2.2.2.5 and port 25.

<Sysname> system-view

[Sysname] client-verify tcp protected ip 2.2.2.5 port 25

# Configure DNS client verification to protect IPv4 address 2.2.2.5 and port 50.

<Sysname> system-view

[Sysname] client-verify dns protected ip 2.2.2.5 port 50

Related commands

display client-verify protected ip

client-verify protected ipv6

Use client-verify protected ipv6 to specify an IPv6 address to be protected by the client verification feature.

Use undo client-verify protected ipv6 to remove an IPv6 address protected by the client verification feature.

Syntax

client-verify { dns | http | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]

undo client-verify { dns | http | tcp } protected ipv6 destination-ipv6-address [ vpn-instance vpn-instance-name ] [ port port-number ]

Default

The client verification feature does not protect any IPv6 addresses.

Views

System view

Predefined user roles

network-admin

Parameters

dns: Specifies the DNS client verification feature.

http: Specifies the HTTP client verification feature.

tcp: Specifies the TCP client verification feature.

destination-ipv6-address: Specifies the IPv6 address to be protected. All connection requests destined for this address are verified by the client verification feature.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

port port-number: Specifies the port to be protected, in the range of 1 to 65535. If you do not specify this option, DNS client verification protects port 53, HTTP client verification protects port 80, and TCP client verification protects all ports.

Usage guidelines

You can specify multiple protected IPv6 addresses by using this command multiple times.

Examples

# Configure TCP client verification to protect IPv6 address 2013::12 and port 23.

<Sysname> system-view

[Sysname] client-verify tcp protected ipv6 2013::12 port 23

# Configure HTTP client verification to protect IPv6 address 2013::12.

<Sysname> system-view

[Sysname] client-verify http protected ipv6 2013::12

Related commands

display client-verify protected ipv6

client-verify tcp enable

Use client-verify tcp enable to enable TCP client verification on an interface.

Use undo client-verify tcp enable to disable TCP client verification on an interface.

Syntax

client-verify tcp enable [ mode { syn-cookie | safe-reset } ]

undo client-verify tcp enable

Default

TCP client verification is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

mode: Specifies a working mode for TCP client verification. If you do not specify this keyword, the SYN cookie mode is used.

syn-cookie: Specifies the SYN cookie mode. In this mode, bidirectional TCP proxy is enabled.

safe-reset: Specifies the safe reset mode. In this mode, unidirectional TCP proxy is enabled.

Usage guidelines

Enable TCP client verification on the interface connected to the external network to check incoming packets. This feature protects internal servers against TCP flood attacks, including SYN flood attacks, SYN-ACK flood attacks, RST flood attacks, FIN flood attacks, and ACK flood attacks.

For TCP client verification to collaborate with TCP flood attack prevention, specify client-verify as the TCP flood attack prevention action. During collaboration, the device adds the victim IP address to the protected IP list and verifies the untrusted sources if it detects a TCP flood attack. You can use the display client-verify tcp protected ip command to display the protected IP list for TCP client verification.

TCP client verification supports the following modes:

·     Safe reset—Enables unidirectional TCP proxy for packets only from TCP connection initiators.

·     SYN cookie—Enables bidirectional TCP proxy for packets from both TCP clients and TCP servers.

Choose a TCP proxy mode according to the network scenario:

·     If packets from clients pass through the TCP proxy device, but packets from servers do not, specify the safe reset mode.

·     If packets from clients and servers both pass through the TCP proxy device, specify either safe reset or SYN cookie.
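The following Python script is an added example, not part of this command reference or of Comware. It shows the stateless check that the SYN cookie mode relies on: the proxy answers a SYN without keeping per-connection state, and only a client that actually received the SYN-ACK can return an ACK that verifies, so spoofed-source SYN floods never create state. The cookie layout, the MSS table, the 64-second tick and the secret are assumptions of the example in the style of the classic Bernstein scheme, not a description of how the device derives its cookies.

```python
"""Stateless SYN cookie issue-and-verify, illustrating the SYN cookie mode.

Added example: not Comware code. Layout follows the classic Bernstein scheme
(assumption): 5-bit time tick | 3-bit MSS index | 24-bit keyed hash.
"""
import hashlib
import hmac
from typing import Optional

# Constructed secret for the example; a real device rotates its key.
SECRET = b"constructed-example-key-rotate-in-production"

# Assumed table of MSS values a 3-bit index can encode.
MSS_TABLE = (536, 1220, 1440, 1460, 4312, 8960, 9000, 65495)
TICK_SECONDS = 64          # assumed cookie time granularity
MAX_TICK_AGE = 2           # cookies older than this many ticks are rejected


def _tick(now: float) -> int:
    """5-bit time counter: which 64-second window 'now' falls in, mod 32."""
    return int(now // TICK_SECONDS) & 0x1F


def _mac24(src: str, sport: int, dst: str, dport: int, tick: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick.

    Without the key a sender cannot forge a cookie, and without receiving
    the SYN-ACK at the claimed source address it cannot learn one."""
    msg = f"{src}|{sport}|{dst}|{dport}|{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src: str, sport: int, dst: str, dport: int,
                client_mss: int, now: float) -> int:
    """ISN to place in the SYN-ACK. Nothing is stored on the device."""
    tick = _tick(now)
    idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table entry <= client MSS
        if mss <= client_mss:
            idx = i
    return (tick << 27) | (idx << 24) | _mac24(src, sport, dst, dport, tick)


def verify_ack(src: str, sport: int, dst: str, dport: int,
               ack_number: int, now: float) -> Optional[int]:
    """Check the client's final ACK of the handshake.

    Returns the MSS to use for the proxied connection when the ACK carries a
    cookie issued recently for this exact 4-tuple, otherwise None. Only at
    this point does the proxy create state and open the server-side leg."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acks cookie + 1
    tick = cookie >> 27
    idx = (cookie >> 24) & 0x7
    age = (_tick(now) - tick) & 0x1F
    if age > MAX_TICK_AGE:                   # stale or replayed cookie
        return None
    if (cookie & 0xFFFFFF) != _mac24(src, sport, dst, dport, tick):
        return None                          # forged, or 4-tuple mismatch
    return MSS_TABLE[idx]


def handshake_demo() -> dict:
    """Three cases a SYN cookie proxy sees; returns the verdicts."""
    server, sport = "192.0.2.10", 80        # constructed addresses
    t0 = 1_000_000.0
    # 1. Real client: receives the SYN-ACK and echoes cookie + 1 shortly after.
    cookie = make_cookie("198.51.100.7", 40000, server, sport, 1460, t0)
    real = verify_ack("198.51.100.7", 40000, server, sport, cookie + 1, t0 + 30)
    # 2. Spoofed-source SYN: the SYN-ACK went to a host that never asked, so no
    #    matching ACK comes back; an ACK with a guessed number does not verify.
    spoofed = verify_ack("203.0.113.9", 1234, server, sport, 12345, t0 + 30)
    # 3. Replay of a genuine cookie long after it was issued.
    stale = verify_ack("198.51.100.7", 40000, server, sport, cookie + 1,
                       t0 + 5 * TICK_SECONDS)
    return {"real": real, "spoofed": spoofed, "stale": stale}


if __name__ == "__main__":
    print(handshake_demo())
```

The proxy holds no state until verify_ack succeeds, which is why the SYN cookie mode needs to see both directions of the connection: it must later translate sequence numbers between the cookie it issued and the ISN the real server picks.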

Examples

# Enable TCP client verification in SYN cookie mode on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] client-verify tcp enable mode syn-cookie

Related commands

client-verify tcp protected ip

display client-verify tcp protected ip

display attack-defense flood statistics ip

Use display attack-defense flood statistics ip to display IPv4 flood attack detection and prevention statistics.

Syntax

Centralized devices in standalone mode:

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Distributed devices in IRF mode:

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ip [ ip-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv4 flood attacks.

http-flood: Specifies HTTP flood attack.

icmp-flood: Specifies ICMP flood attack.

rst-flood: Specifies RST flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays flood attack detection and prevention statistics for all protected IPv4 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays IPv4 flood attack detection and prevention statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays IPv4 flood attack detection and prevention statistics for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching protected IPv4 addresses.

Usage guidelines

The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.

If you do not specify the interface or local parameter, this command displays IPv4 flood attack detection and prevention statistics for all interfaces and the device.

Examples

# (Centralized devices in standalone mode.) Display all IPv4 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ip

IP address      VPN         Detected on  Detect type   State    PPS    Dropped

192.168.100.221 a0123456789 GE1/0/2      SYN-ACK-FLOOD Normal   1000   4294967295

201.55.7.45     asd         GE1/0/2      SYN-ACK-FLOOD Normal   1000   111111111

192.168.11.5    --          GE1/0/3      ACK-FLOOD     Normal   1000   222222222

201.55.7.44     --          GE1/0/4      DNS-FLOOD     Normal   1000   111111111

192.168.11.4    --          GE1/0/5      ACK-FLOOD     Normal   1000   22222222

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all IPv4 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ip

Slot 1:

IP address      VPN         Detected on  Detect type   State    PPS    Dropped

192.168.100.221 a0123456789 GE1/0/2      SYN-ACK-FLOOD Normal   1000   4294967295

201.55.7.45     asd         GE1/0/2      SYN-ACK-FLOOD Normal   1000   111111111

192.168.11.5    --          GE1/0/3      ACK-FLOOD     Normal   1000   222222222

201.55.7.44     --          GE1/0/4      DNS-FLOOD     Normal   1000   111111111

192.168.11.4    --          GE1/0/5      ACK-FLOOD     Normal   1000   22222222

Slot 2:

IP address      VPN         Detected on  Detect type   State    PPS    Dropped

201.55.1.10     --          GE2/0/3      ACK-FLOOD     Normal   1000   222222222

192.168.100.30  --          GE2/0/4      DNS-FLOOD     Normal   1000   333333333

192.168.100.66  --          GE2/0/2      SYN-ACK-FLOOD Normal   1000   165467998

# (Distributed devices in IRF mode.) Display all IPv4 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ip

Slot 1 in chassis 1:

IP address      VPN         Detected on  Detect type   State    PPS    Dropped

192.168.100.221 a0123456789 GE1/1/0/2    SYN-ACK-FLOOD Normal   1000   4294967295

201.55.7.45     asd         GE1/1/0/2    SYN-ACK-FLOOD Normal   1000   111111111

192.168.11.5    --          GE1/1/0/3    ACK-FLOOD     Normal   1000   222222222

201.55.7.44     --          GE1/1/0/4    DNS-FLOOD     Normal   1000   111111111

192.168.11.4    --          GE1/1/0/5    ACK-FLOOD     Normal   1000   22222222

Slot 2 in chassis 2:

IP address      VPN         Detected on  Detect type   State    PPS    Dropped

201.55.1.10     --          GE2/0/3      ACK-FLOOD     Normal   1000   222222222

192.168.100.30  --          GE2/0/4      DNS-FLOOD     Normal   1000   333333333

192.168.100.66  --          GE2/0/2      SYN-ACK-FLOOD Normal   1000   165467998

# (Centralized devices in standalone mode.) Display the number of IPv4 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ip count

Totally 2 flood entries.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv4 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ip count

Slot 1:

Totally 2 flood entries.

Slot 2:

Totally 1 flood entries.

# (Distributed devices in IRF mode.) Display the number of IPv4 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ip count

Slot 1 in chassis 1:

Totally 2 flood entries.

Slot 2 in chassis 2:

Totally 1 flood entries.

Table 163 Command output

Field

Description

IP address

Protected IPv4 address.

VPN

MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).

Detected on

Where the attack is detected, on the device (Local) or an interface.

Detect type

Type of the detected flood attack.

State

Whether the interface or device is attacked:

·     Attacked.

·     Normal.

PPS

Number of packets sent to the IPv4 address per second.

Dropped

Number of attack packets dropped by the interface or the device.

Totally 2 flood entries

Total number of IPv4 addresses that are protected.

 

display attack-defense flood statistics ipv6

Use display attack-defense flood statistics ipv6 to display IPv6 flood attack detection and prevention statistics.

Syntax

Centralized devices in standalone mode:

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ interface interface-type interface-number | local ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Distributed devices in IRF mode:

display attack-defense { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } statistics ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv6 flood attacks.

http-flood: Specifies HTTP flood attack.

icmpv6-flood: Specifies ICMPv6 flood attack.

rst-flood: Specifies RST flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays flood attack detection and prevention statistics for all protected IPv6 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays IPv6 flood attack detection and prevention statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays IPv6 flood attack detection and prevention statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays IPv6 flood attack detection and prevention statistics for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching protected IPv6 addresses.

Usage guidelines

The device collects statistics about protected IP addresses for flood attack detection and prevention. The attackers' IP addresses are not recorded.

If you do not specify the interface or local parameter, this command displays IPv6 flood attack detection and prevention statistics for all interfaces and the device.

Examples

# (Centralized devices in standalone mode.) Display all IPv6 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ipv6

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

2000::1011      a0123456789 GE1/0/2      SYN-FLOOD     Normal   0      4294967295

1::2            1222232     GE1/0/2      DNS-FLOOD     Normal   1000   111111111

1::3            --          GE1/0/3      SYN-ACK-FLOOD Normal   1000   222222222

1::4            --          GE1/0/4      ACK-FLOOD     Normal   1000   111111111

1::5            --          GE1/0/5      SYN-FLOOD     Normal   1000   22222222

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display all IPv6 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ipv6

Slot 1:

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

2000::1011      a0123456789 GE1/0/2      SYN-FLOOD     Normal   0      4294967295

1::2            1222232     GE1/0/2      DNS-FLOOD     Normal   1000   111111111

1::3            --          GE1/0/3      SYN-ACK-FLOOD Normal   1000   222222222

1::4            --          GE1/0/4      ACK-FLOOD     Normal   1000   111111111

1::5            --          GE1/0/5      SYN-FLOOD     Normal   1000   22222222

Slot 2:

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

1::2            1222232     GE2/0/3      SYN-FLOOD     Normal   1000   468792363

1::5            --          GE2/0/3      ACK-FLOOD     Normal   1000   452213396

1::6            --          GE2/0/5      DNS-FLOOD     Normal   1000   12569985

# (Distributed devices in IRF mode.) Display all IPv6 flood attack detection and prevention statistics.

<Sysname> display attack-defense flood statistics ipv6

Slot 1 in chassis 1:

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

2000::1011      a0123456789 GE1/1/0/2    SYN-FLOOD     Normal   0      4294967295

1::2            1222232     GE1/1/0/2    DNS-FLOOD     Normal   1000   111111111

1::3            --          GE1/1/0/3    SYN-ACK-FLOOD Normal   1000   222222222

1::4            --          GE1/1/0/4    ACK-FLOOD     Normal   1000   111111111

1::5            --          GE1/1/0/5    SYN-FLOOD     Normal   1000   22222222

Slot 2 in chassis 2:

IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped

1::2            1222232     GE2/0/3      SYN-FLOOD     Normal   1000   468792363

1::5            --          GE2/0/3      ACK-FLOOD     Normal   1000   452213396

1::6            --          GE2/0/5      DNS-FLOOD     Normal   1000   12569985

# (Centralized devices in standalone mode.) Display the number of IPv6 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ipv6 count

Totally 5 flood entries.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv6 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ipv6 count

Slot 1:

Totally 5 flood entries.

Slot 2:

Totally 3 flood entries.

# (Distributed devices in IRF mode.) Display the number of IPv6 addresses that are protected against flood attacks.

<Sysname> display attack-defense flood statistics ipv6 count

Slot 1 in chassis 1:

Totally 5 flood entries.

Slot 2 in chassis 2:

Totally 3 flood entries.

Table 164 Command output

Field

Description

IPv6 address

Protected IPv6 address.

VPN

MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).

Detected on

Where the attack is detected, on the device (Local) or an interface.

Detect type

Type of the detected flood attack.

State

Whether the interface or device is attacked:

·     Attacked.

·     Normal.

PPS

Number of packets sent to the IPv6 address per second.

Dropped

Number of attack packets dropped by the interface or the device.

Totally 5 flood entries

Total number of IPv6 addresses that are protected.
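The following Python script is an added example, not part of this command reference, that reads the tables described in Table 163 and Table 164 (the output of display attack-defense flood statistics ip and ipv6) so the protected-address statistics can be checked by a monitoring script rather than by eye. The sample text is constructed from the reference's own output, with one row per sample changed to the Attacked state and one row moved to Local so the checks have something to find; the reading of a Dropped value of 4294967295 as a possibly saturated 32-bit counter is the example's assumption.

```python
"""Parse the tables printed by display attack-defense flood statistics ip/ipv6.

Added example; it is not part of the command reference. The input text is
constructed from the reference's sample output, with one row per sample
changed to the Attacked state so the checks have something to find.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: distributed device in IRF mode (IPv4), two cards.
SAMPLE_IPV4 = """\
Slot 1 in chassis 1:
IP address      VPN         Detected on  Detect type   State    PPS    Dropped
192.168.100.221 a0123456789 GE1/1/0/2    SYN-ACK-FLOOD Normal   1000   4294967295
201.55.7.45     asd         GE1/1/0/2    SYN-ACK-FLOOD Normal   1000   111111111
192.168.11.5    --          GE1/1/0/3    ACK-FLOOD     Normal   1000   222222222
Slot 2 in chassis 2:
IP address      VPN         Detected on  Detect type   State    PPS    Dropped
201.55.1.10     --          GE2/0/3      ACK-FLOOD     Attacked 25000  222222222
192.168.100.30  --          GE2/0/4      DNS-FLOOD     Normal   1000   333333333
"""

# Constructed: centralized device in standalone mode (IPv6), no slot header.
SAMPLE_IPV6 = """\
IPv6 address    VPN         Detected on  Detect type   State    PPS    Dropped
2000::1011      a0123456789 GE1/0/2      SYN-FLOOD     Normal   0      4294967295
1::2            1222232     GE1/0/2      DNS-FLOOD     Normal   1000   111111111
1::3            --          Local        SYN-ACK-FLOOD Attacked 3200   222222222
"""

COUNTER_MAX_32 = 2**32 - 1   # 4294967295, the value seen in the sample output
SLOT_RE = re.compile(r"^Slot (\d+)(?: in chassis (\d+))?:$")


@dataclass
class FloodEntry:
    address: str
    vpn: Optional[str]        # None where the output shows '--' (public network)
    detected_on: str          # interface name, or 'Local' for the device itself
    detect_type: str          # e.g. SYN-ACK-FLOOD
    state: str                # 'Normal' or 'Attacked'
    pps: int
    dropped: int
    chassis: Optional[int]    # set only by a 'Slot N in chassis M:' header
    slot: Optional[int]       # None on centralized standalone devices


def parse_flood_statistics(text: str) -> List[FloodEntry]:
    """Turn the command output into records, tracking the slot/chassis context."""
    entries: List[FloodEntry] = []
    chassis: Optional[int] = None
    slot: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SLOT_RE.match(line)
        if m:                                  # group header on distributed/IRF devices
            slot = int(m.group(1))
            chassis = int(m.group(2)) if m.group(2) else None
            continue
        if line.startswith(("IP address", "IPv6 address", "Totally ")):
            continue                           # column header or 'count' summary line
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"unexpected row: {raw!r}")
        addr, vpn, on, kind, state, pps, dropped = fields
        entries.append(FloodEntry(addr, None if vpn == "--" else vpn, on, kind,
                                  state, int(pps), int(dropped), chassis, slot))
    return entries


def under_attack(entries: List[FloodEntry]) -> List[FloodEntry]:
    """Protected addresses whose State column reads Attacked."""
    return [e for e in entries if e.state == "Attacked"]


def dropped_by_type(entries: List[FloodEntry]) -> Dict[str, int]:
    """Sum of the Dropped column per flood type across all slots."""
    totals: Dict[str, int] = {}
    for e in entries:
        totals[e.detect_type] = totals.get(e.detect_type, 0) + e.dropped
    return totals


def pinned_counters(entries: List[FloodEntry]) -> List[FloodEntry]:
    """Rows whose Dropped value equals 2^32 - 1.

    Assumption of this example: a counter sitting exactly at the 32-bit
    maximum is more likely saturated than an exact count, so trend it with
    caution rather than treating it as a drop total."""
    return [e for e in entries if e.dropped == COUNTER_MAX_32]


if __name__ == "__main__":
    for name, sample in (("ipv4", SAMPLE_IPV4), ("ipv6", SAMPLE_IPV6)):
        rows = parse_flood_statistics(sample)
        print(name, len(rows), "entries; attacked:",
              [e.address for e in under_attack(rows)], dropped_by_type(rows))
```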

 

display attack-defense policy

Use display attack-defense policy to display attack defense policy configuration.

Syntax

display attack-defense policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.

Usage guidelines

This command output includes the following configuration information about an attack defense policy:

·     Whether attack detection is enabled.

·     Attack prevention actions.

·     Attack prevention trigger thresholds.

Examples

# Display the configuration of the attack defense policy abc.

<Sysname> display attack-defense policy abc

          Attack-defense Policy Information

--------------------------------------------------------------------------

Policy name                        : abc

Applied list                       : GE1/0/1

                                     Vlan1

--------------------------------------------------------------------------

Exempt IPv4 ACL:                  : Not configured

Exempt IPv6 ACL:                  : vip

--------------------------------------------------------------------------

  Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None

 

Signature attack defense configuration:

Signature name                     Defense      Level             Actions

Fragment                           Enabled      Info              L

Impossible                         Enabled      Info              L

Teardrop                           Disabled     Info              L

Tiny fragment                      Disabled     Info              L

IP option abnormal                 Disabled     Info              L

Smurf                              Disabled     Info              N

Traceroute                         Disabled     Medium            L,D

Ping of death                      Disabled     Low               L

Large ICMP                         Disabled     Medium            L,D

  Max length                       4000 bytes

Large ICMPv6                       Disabled     Low               L

  Max length                       4000 bytes

TCP invalid flags                  Disabled     medium            L,D

TCP null flag                      Disabled     Low               L

TCP all flags                      Enabled      Info              L

TCP SYN-FIN flags                  Disabled     Info              L

TCP FIN only flag                  Enabled      Info              L

TCP Land                           Disabled     Info              L

Winnuke                            Disabled     Info              L

UDP Bomb                           Disabled     Info              L

UDP Snork                          Disabled     Info              L

UDP Fraggle                        Enabled      Info              L

IP option record route             Disabled     Info              L

IP option internet timestamp       Enabled      Info              L

IP option security                 Disabled     Info              L

IP option loose source routing     Enabled      Info              L

IP option stream ID                Disabled     Info              L

IP option strict source routing    Disabled     Info              L

IP option route alert              Disabled     Info              L

ICMP echo request                  Disabled     Info              L

ICMP echo reply                    Disabled     Info              L

ICMP source quench                 Disabled     Info              L

ICMP destination unreachable       Enabled      Info              L

ICMP redirect                      Enabled      Info              L

ICMP time exceeded                 Enabled      Info              L

ICMP parameter problem             Disabled     Info              L

ICMP timestamp request             Disabled     Info              L

ICMP timestamp reply               Disabled     Info              L

ICMP information request           Disabled     Info              L

ICMP information reply             Disabled     Medium            L,D

ICMP address mask request          Disabled     Medium            L,D

ICMP address mask reply            Disabled     Medium            L,D

ICMPv6 echo request                Enabled      Medium            L,D

ICMPv6 echo reply                  Disabled     Medium            L,D

ICMPv6 group membership query      Disabled     Medium            L,D

ICMPv6 group membership report     Disabled     Medium            L,D

ICMPv6 group membership reduction  Disabled     Medium            L,D

ICMPv6 destination unreachable     Enabled      Medium            L,D

ICMPv6 time exceeded               Enabled      Medium            L,D

ICMPv6 parameter problem           Disabled     Medium            L,D

ICMPv6 packet too big              Disabled     Medium            L,D

 

Scan attack defense configuration:

  Preset defense:

  Defense: Disabled

  User-defined defense:

    Port scan defense: Enabled

    Port scan defense threshold: 5000 packets

    IP sweep defense: Enabled

    IP sweep defense threshold: 8000 packets

    Period: 100s

    Actions: L

 

Flood attack defense configuration:

Flood type      Global thres(pps)  Global actions  Service ports   Non-specific

SYN flood       1000               -               -               Disabled

ACK flood       1000               -               -               Enabled

SYN-ACK flood   1000               -               -               Disabled

RST flood       200                -               -               Enabled

FIN flood       1000               L,D             -               Disabled

UDP flood       1000               -               -               Disabled

ICMP flood      1000               -               -               Disabled

ICMPv6 flood    1000               CV              -               Disabled

DNS flood       10000              -               30,61 to 62     Enabled

HTTP flood      10000              -               80,8080         Enabled

 

Flood attack defense for protected IP addresses:

 Address                 VPN instance Flood type    Thres(pps)  Actions Ports

 1::1                    --           FIN-FLOOD     10          L,D     -

 192.168.1.1             A01234567890 SYN-ACK-FLOOD 10          -       -

                         123456789012   

                         3456789

 1::1                    --           FIN-FLOOD     -           L       -

 2013:2013:2013:2013:    A0123456789  DNS-FLOOD     100         L,CV    53

 2013:2013:2013:2013

Table 165 Command output

Field

Description

Policy name

Name of the attack defense policy.

Applied list

List of interfaces to which the attack defense policy is applied. If the policy is applied to the device, this field displays Local.

Exempt IPv4 ACL

IPv4 ACL used for attack detection exemption.

Exempt IPv6 ACL

IPv6 ACL used for attack detection exemption.

Actions

Attack prevention actions:

·     CV—Client verification.

·     BS—Blocking sources.

·     L—Logging.

·     D—Dropping packets.

·     N—No action.

Signature attack defense configuration

Configuration information about single-packet attack detection and prevention.

Signature name

Type of the single-packet attack.

Defense

Whether single-packet attack detection is enabled.

Level

Level of the single-packet attack, info, low, medium, or high.

Currently, no high-level single-packet attacks exist.

Actions

Prevention actions against the single-packet attack:

·     L—Logging.

·     D—Dropping packets.

·     N—No action.

Scan attack defense configuration

Configuration information about scanning attack detection and prevention.

Preset defense

Configuration information about predefined scanning attack detection and prevention.

Defense

Whether scanning attack detection is enabled.

Level

Level of the scanning attack detection: low, medium, or high.

Actions

Prevention actions against the scanning attack:

·     BS—Blocking sources.

·     D—Dropping packets.

·     L—Logging.

User-defined defense

Configuration information about user-defined scanning attack detection and prevention.

Port scan defense

Status of port scan attack prevention, which can be Enabled or Disabled.

Port scan defense threshold

Threshold for triggering port scan attack prevention.

IP sweep defense

Status of IP sweep attack prevention, which can be Enabled or Disabled.

IP sweep defense threshold

Threshold for triggering IP sweep attack prevention.

Period

Scanning attack detection cycle in seconds.

Flood attack defense configuration

Configuration information about flood attack detection and prevention.

Flood type

Type of the flood attack:

·     ACK flood.

·     DNS flood.

·     FIN flood.

·     ICMP flood.

·     ICMPv6 flood.

·     SYN flood.

·     SYN-ACK flood.

·     UDP flood.

·     RST flood.

·     HTTP flood.

Global thres (pps)

Global threshold for triggering the flood attack prevention, in units of packets sent to an IP address per second. The default is 1000 pps.

Global actions

Global prevention actions against the flood attack:

·     D—Dropping packets.

·     L—Logging.

·     CV—Client verification.

·     -—Not configured.

Service ports

Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).

Non-specific

Whether the global flood attack detection is enabled.

Flood attack defense for protected IP addresses

Configuration of the IP address-specific flood attack detection and prevention.

Address

Protected IP address.

VPN instance

MPLS L3VPN instance to which the protected IP address belongs. If no MPLS L3VPN instance is specified, this field displays hyphens (--).

Thres(pps)

Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second. If no threshold is specified, this field displays 1000.

Actions

Prevention actions against the flood attack:

·     BS—Blocking sources.

·     CV—Client verification.

·     D—Dropping packets.

·     L—Logging.

·     N—No action.

Ports

Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).
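Two details of the per-address sub-table matter when a script, rather than a person, reads this output: a cell longer than its column (a 31-character VPN instance name, a full-length IPv6 address) wraps onto continuation lines, and an Actions value of - or L alone means the entry detects a flood but never drops, blocks or challenges anything. The following Python is an added example and not H3C code: it re-assembles wrapped cells using the header's column offsets and reports the detect-only entries. The sample is this page's own example output, embedded as a constant; the function and constant names are the example's own.

```python
import re
from bisect import bisect_right
from typing import Dict, List

# Constructed sample: the per-address sub-table from this page's
# "display attack-defense policy" example, including the wrapped 31-character
# VPN instance name and the wrapped IPv6 address.
POLICY_OUTPUT = """\
Flood attack defense for protected IP addresses:
 Address                 VPN instance Flood type    Thres(pps)  Actions Ports
 1::1                    --           FIN-FLOOD     10          L,D     -
 192.168.1.1             A01234567890 SYN-ACK-FLOOD 10          -       -
                         123456789012
                         3456789
 1::1                    --           FIN-FLOOD     -           L       -
 2013:2013:2013:2013:    A0123456789  DNS-FLOOD     100         L,CV    53
2013:2013:2013:2013
"""

COLUMNS = ["Address", "VPN instance", "Flood type", "Thres(pps)", "Actions", "Ports"]
# Action codes as documented in the command output table: D, BS and CV are the
# ones that actually stop traffic; L only logs and N does nothing.
PREVENTING = {"D", "BS", "CV"}


def _column_starts(header: str) -> List[int]:
    starts = [header.index(name) for name in COLUMNS]
    starts[0] = 0                  # a wrapped address may begin in column 0
    return starts


def _cells(line: str, starts: List[int]) -> List[str]:
    """Assign every token to the column whose header begins at or before it."""
    cells = [""] * len(starts)
    for m in re.finditer(r"\S+", line):
        i = bisect_right(starts, m.start()) - 1
        cells[i] = (cells[i] + " " + m.group()).strip()
    return cells


def _normalise(r: Dict[str, str]) -> Dict:
    return {
        "address": r["Address"],
        "vpn_instance": None if r["VPN instance"] == "--" else r["VPN instance"],
        "flood_type": r["Flood type"],
        "threshold_pps": None if r["Thres(pps)"] == "-" else int(r["Thres(pps)"]),
        "actions": [] if r["Actions"] == "-" else r["Actions"].split(","),
        "ports": [] if r["Ports"] == "-" else r["Ports"].split(","),
    }


def parse_protected_addresses(text: str) -> List[Dict]:
    """Parse the 'Flood attack defense for protected IP addresses' sub-table."""
    lines = text.splitlines()
    hdr = next((i for i, l in enumerate(lines) if all(c in l for c in COLUMNS)), None)
    if hdr is None:
        return []
    starts = _column_starts(lines[hdr])
    entries: List[List[str]] = []
    for line in lines[hdr + 1:]:
        if not line.strip():
            break                  # the sub-table ends at the first blank line
        cells = _cells(line, starts)
        if cells[2]:               # a Flood type cell starts a new entry
            entries.append(cells)
        elif entries:              # otherwise the line continues wrapped cells
            entries[-1] = [a + b for a, b in zip(entries[-1], cells)]
    return [_normalise(dict(zip(COLUMNS, e))) for e in entries]


def detect_only(rows: List[Dict]) -> List[Dict]:
    """Entries whose actions cannot stop a flood: none configured, or logging alone."""
    return [r for r in rows if not PREVENTING & set(r["actions"])]


if __name__ == "__main__":
    for r in detect_only(parse_protected_addresses(POLICY_OUTPUT)):
        print(f'{r["address"]} {r["flood_type"]}: actions={r["actions"] or "none"}')
```

Because tokens are assigned by column offset rather than by splitting on whitespace, the parser does not care how many spaces pad a cell, only that each value starts at or after its header's column; that is what lets the 25-space-indented VPN continuation and the column-0 address continuation both land in the right field.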

 

# Display brief information about all attack defense policies.

<Sysname> display attack-defense policy

           Attack-defense Policy Brief Information

------------------------------------------------------------

Policy Name                        Applied list

Atk-policy-1                       GigabitEthernet1/0/1

                                   GigabitEthernet1/0/2

                                   GigabitEthernet1/0/3

P2                                 None

P123                               GigabitEthernet1/0/2

Table 166 Command output

Field

Description

Policy name

Name of the attack defense policy.

Applied list

List of interfaces to which the attack defense policy is applied. If the policy is applied to the device, this field displays Local.

 

Related commands

attack-defense policy

display attack-defense policy ip

Use display attack-defense policy ip to display information about IPv4 addresses protected by flood attack detection and prevention.

Syntax

Centralized devices in standalone mode:

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmp-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv4 flood attacks.

http-flood: Specifies HTTP flood attack.

icmp-flood: Specifies ICMP flood attack.

rst-flood: Specifies RST flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays information about all protected IPv4 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about IPv4 addresses protected by flood attack detection and prevention for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about IPv4 addresses protected by flood attack detection and prevention for all IRF member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about IPv4 addresses protected by flood attack detection and prevention for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching IPv4 addresses protected by flood attack detection and prevention.

Examples

# (Centralized devices in standalone mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 a012345678901234 SYN-ACK-FLOOD 1000                4294967295

201.55.7.45     --               ICMP-FLOOD    100                 10

192.168.11.5    --               DNS-FLOOD     23                  100

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip

Slot 1:

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 a012345678901234 SYN-ACK-FLOOD 1000                4294967295

201.55.7.45     --               ICMP-FLOOD    100                 10

192.168.11.5    --               DNS-FLOOD     23                  100

Slot 2:

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 a012345678901234 SYN-ACK-FLOOD 100                 2543

201.55.7.45     --               ICMP-FLOOD    100                 122

192.168.11.5    --               DNS-FLOOD     23                  0

# (Distributed devices in IRF mode.) Display information about all IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip

Slot 1 in chassis 1:

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 a012345678901234 SYN-ACK-FLOOD 1000                4294967295

201.55.7.45     --               ICMP-FLOOD    100                 10

192.168.11.5    --               DNS-FLOOD     23                  100

Slot 2 in chassis 2:

IP address      VPN instance     Type          Rate threshold(PPS) Dropped

123.123.123.123 a012345678901234 SYN-ACK-FLOOD 100                 2543

201.55.7.45     --               ICMP-FLOOD    100                 122

192.168.11.5    --               DNS-FLOOD     23                  0

# (Centralized devices in standalone mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip count

Totally 3 flood protected IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip count

Slot 1:

Totally 3 flood protected IP addresses.

Slot 2:

Totally 3 flood protected IP addresses.

# (Distributed devices in IRF mode.) Display the number of IPv4 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ip count

Slot 1 in chassis 1:

Totally 3 flood protected IP addresses.

Slot 2 in chassis 2:

Totally 3 flood protected IP addresses.

Table 167 Command output

Field

Description

Totally 3 flood protected IP addresses

Total number of the IPv4 addresses protected by flood attack detection and prevention.

IP address

Protected IPv4 address.

VPN instance

MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).

Type

Type of the flood attack.

Rate threshold(PPS)

Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second. If no rate threshold is set, this field displays 1000.

Dropped

Number of dropped attack packets. If the prevention action is logging only, no packets are dropped and this field displays 0.

 

display attack-defense policy ipv6

Use display attack-defense policy ipv6 to display information about IPv6 addresses protected by flood attack detection and prevention.

Syntax

Centralized devices in standalone mode:

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display attack-defense policy policy-name { ack-flood | dns-flood | fin-flood | flood | http-flood | icmpv6-flood | rst-flood | syn-ack-flood | syn-flood | udp-flood } ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ack-flood: Specifies ACK flood attack.

dns-flood: Specifies DNS flood attack.

fin-flood: Specifies FIN flood attack.

flood: Specifies all IPv6 flood attacks.

http-flood: Specifies HTTP flood attack.

icmpv6-flood: Specifies ICMPv6 flood attack.

rst-flood: Specifies RST flood attack.

syn-ack-flood: Specifies SYN-ACK flood attack.

syn-flood: Specifies SYN flood attack.

udp-flood: Specifies UDP flood attack.

ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays information about all protected IPv6 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information about IPv6 addresses protected by flood attack detection and prevention for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information about IPv6 addresses protected by flood attack detection and prevention for all IRF member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information about IPv6 addresses protected by flood attack detection and prevention for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching IPv6 addresses protected by flood attack detection and prevention.

Examples

# (Centralized devices in standalone mode.) Display information about all IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      a012345678901234 SYN-ACK-FLOOD 1000                4294967295

2::5            --               ACK-FLOOD     100                 10

1::5            --               ACK-FLOOD     100                 23

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6

Slot 1:

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      a012345678901234 SYN-ACK-FLOOD 1000                4294967295

2::5            --               ACK-FLOOD     100                 10

1::5            --               ACK-FLOOD     100                 23

Slot 2:

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      a012345678901234 SYN-ACK-FLOOD 100                 5465

2::5            --               ACK-FLOOD     100                 0

1::5            --               ACK-FLOOD     100                 122

# (Distributed devices in IRF mode.) Display information about all IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6

Slot 1 in chassis 1:

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      a012345678901234 SYN-ACK-FLOOD 1000                4294967295

2::5            --               ACK-FLOOD     100                 10

1::5            --               ACK-FLOOD     100                 23

Slot 2 in chassis 2:

IPv6 address    VPN instance     Type          Rate threshold(PPS) Dropped

2013::127f      a012345678901234 SYN-ACK-FLOOD 100                 5465

2::5            --               ACK-FLOOD     100                 0

1::5            --               ACK-FLOOD     100                 122

# (Centralized devices in standalone mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6 count

Totally 3 flood protected IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6 count

Slot 1:

Totally 3 flood protected IP addresses.

Slot 2:

Totally 3 flood protected IP addresses.

# (Distributed devices in IRF mode.) Display the number of IPv6 addresses protected by flood attack detection and prevention in the attack defense policy abc.

<Sysname> display attack-defense policy abc flood ipv6 count

Slot 1 in chassis 1:

Totally 3 flood protected IP addresses.

Slot 2 in chassis 2:

Totally 3 flood protected IP addresses.

Table 168 Command output

Field

Description

Totally 3 flood protected IP addresses

Total number of the IPv6 addresses protected by flood attack detection and prevention.

IPv6 address

Protected IPv6 address.

VPN instance

MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).

Type

Type of the flood attack.

Rate threshold(PPS)

Threshold for triggering the flood attack prevention, in units of packets sent to the IPv6 address per second. If no rate threshold is set, this field displays 1000.

Dropped

Number of dropped attack packets. If the prevention action is logging only, no packets are dropped and this field displays 0.
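The IPv4 and IPv6 tables above (Tables 167 and 168) share one layout, so one script can collect both for trending or alerting. The following Python is an added example and not H3C code: it parses the output as printed on this page, with or without the Slot and chassis headers of distributed and IRF devices, treats -- as no VPN instance, and flags a Dropped value of 4294967295 (2^32 - 1) as a saturated 32-bit counter; that saturation reading is an assumption about the device, not something the page states. The embedded sample is this page's own distributed-device example; function and constant names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Sample taken from this page's "display attack-defense policy abc flood ip"
# example for a distributed device (the "flood ipv6" output has the same layout).
SAMPLE_OUTPUT = """\
Slot 1:
IP address      VPN instance     Type          Rate threshold(PPS) Dropped
123.123.123.123 a012345678901234 SYN-ACK-FLOOD 1000                4294967295
201.55.7.45     --               ICMP-FLOOD    100                 10
192.168.11.5    --               DNS-FLOOD     23                  100
Slot 2:
IP address      VPN instance     Type          Rate threshold(PPS) Dropped
123.123.123.123 a012345678901234 SYN-ACK-FLOOD 100                 2543
201.55.7.45     --               ICMP-FLOOD    100                 122
192.168.11.5    --               DNS-FLOOD     23                  0
"""

# 2^32 - 1. Assumption: a Dropped value at this maximum is a saturated 32-bit
# counter rather than a real packet count, so it is excluded from totals.
COUNTER_MAX = 4294967295

SECTION_RE = re.compile(r"^Slot (\d+)(?: in chassis (\d+))?:$")
ROW_RE = re.compile(
    r"^(?P<addr>\S+)\s+(?P<vpn>\S+)\s+(?P<type>[A-Za-z0-9-]+-FLOOD)\s+"
    r"(?P<thres>\d+)\s+(?P<dropped>\d+)$"
)


def parse_flood_protected(text: str) -> List[Dict]:
    """Parse 'display attack-defense policy ... flood ip|ipv6' output.

    Centralized devices print one table (slot and chassis stay None);
    distributed and IRF devices prefix each table with 'Slot N:' or
    'Slot N in chassis M:', and rows keep the section they came from.
    """
    rows: List[Dict] = []
    slot: Optional[int] = None
    chassis: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("IP address", "IPv6 address")):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            slot = int(sec.group(1))
            chassis = int(sec.group(2)) if sec.group(2) else None
            continue
        m = ROW_RE.match(line)
        if not m:
            continue    # prompt echo, "Totally ..." line, anything else
        dropped = int(m.group("dropped"))
        rows.append({
            "chassis": chassis,
            "slot": slot,
            "address": m.group("addr"),
            "vpn_instance": None if m.group("vpn") == "--" else m.group("vpn"),
            "flood_type": m.group("type"),
            "threshold_pps": int(m.group("thres")),
            "dropped": dropped,
            "counter_saturated": dropped == COUNTER_MAX,
        })
    return rows


def active_drops(rows: List[Dict]) -> List[Dict]:
    """Entries whose drop counter is non-zero, i.e. prevention actually fired.

    A zero can mean no attack or a logging-only action (the page notes the
    field shows 0 then), so zero is not evidence that no flood is under way.
    """
    return [r for r in rows if r["dropped"] > 0]


def totals_by_address(rows: List[Dict]) -> Dict[str, int]:
    """Sum drops per address and flood type across slots, skipping saturated counters."""
    totals: Dict[str, int] = {}
    for r in rows:
        if r["counter_saturated"]:
            continue
        key = f'{r["address"]}/{r["flood_type"]}'
        totals[key] = totals.get(key, 0) + r["dropped"]
    return totals


if __name__ == "__main__":
    parsed = parse_flood_protected(SAMPLE_OUTPUT)
    for r in active_drops(parsed):
        flag = " (counter at 32-bit max)" if r["counter_saturated"] else ""
        print(f'slot {r["slot"]}: {r["address"]} {r["flood_type"]} '
              f'thres={r["threshold_pps"]}pps dropped={r["dropped"]}{flag}')
    print(totals_by_address(parsed))
```

On a distributed device the same protected address appears once per slot, so per-address totals have to be summed across sections, which is why the parser keeps the slot on each row instead of collapsing the sections.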

 

display attack-defense scan attacker ip

Use display attack-defense scan attacker ip to display information about IPv4 scanning attackers.

Syntax

Centralized devices in standalone mode:

display attack-defense scan attacker ip [ interface interface-type interface-number | local ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense scan attacker ip [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Distributed devices in IRF mode:

display attack-defense scan attacker ip [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv4 scanning attackers for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv4 scanning attackers for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv4 scanning attackers for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching IPv4 scanning attackers.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPv4 scanning attackers.

Examples

# (Centralized devices in standalone mode.) Display information about all IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip

IP addr(DslitePeer) VPN instance     Protocol      Detected on   Duration(min)

192.168.31.2(--)    --               TCP           GE1/0/2       1284

2.2.2.3(--)         --               UDP           GE1/0/2       23

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip

Slot 1:

IP addr(DslitePeer) VPN instance     Protocol      Detected on   Duration(min)

192.168.31.2(--)    --               TCP           GE1/0/2       1284

2.2.2.3(--)         --               UDP           GE1/0/2       23

Slot 2:

IP addr(DslitePeer) VPN instance     Protocol      Detected on   Duration(min)

192.168.1.100(--)   --               TCP           GE1/0/2       1586

202.2.1.172(--)     --               UDP           GE1/0/2       258

# (Distributed devices in IRF mode.) Display information about all IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip

Slot 1 in chassis 1:

IP addr(DslitePeer) VPN instance     Protocol      Detected on   Duration(min)

192.168.31.2(--)    --               TCP           GE1/1/0/2     1284

2.2.2.3(--)         --               UDP           GE1/1/0/2     23

Slot 2 in chassis 2:

IP addr(DslitePeer) VPN instance     Protocol      Detected on   Duration(min)

192.168.1.100(--)   --               TCP           GE2/2/0/2     1586

202.2.1.172(--)     --               UDP           GE2/2/0/2     258

# (Centralized devices in standalone mode.) Display the number of IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip count

Totally 3 attackers.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip count

Slot 1:

Totally 3 attackers.

Slot 2:

Totally 2 attackers.

# (Distributed devices in IRF mode.) Display the number of IPv4 scanning attackers.

<Sysname> display attack-defense scan attacker ip count

Slot 1 in chassis 1:

Totally 3 attackers.

Slot 2 in chassis 2:

Totally 2 attackers.

Table 169 Command output

Field

Description

Totally 3 attackers

Total number of IPv4 scanning attackers.

IP addr(DslitePeer)

The IP addr field displays the IPv4 address of the attacker.

The DslitePeer field displays the DS-Lite tunnel source IPv6 address of the attacker in a DS-Lite network. In other situations, this field displays hyphens (--).

VPN instance

MPLS L3VPN instance to which the attacker's IPv4 address belongs. If the IPv4 address is on the public network, this field displays hyphens (--).

Protocol

Name of the protocol.

Detected on

Where the attack was detected: on the device (Local) or on an interface.

Duration(min)

How long the attack has lasted, in minutes.

 

Related commands

display attack-defense scan victim ip

scan detect

display attack-defense scan attacker ipv6

Use display attack-defense scan attacker ipv6 to display information about IPv6 scanning attackers.

Syntax

Centralized devices in standalone mode:

display attack-defense scan attacker ipv6 [ interface interface-type interface-number | local ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense scan attacker ipv6 [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Distributed devices in IRF mode:

display attack-defense scan attacker ipv6 [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv6 scanning attackers for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv6 scanning attackers for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv6 scanning attackers for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching IPv6 scanning attackers.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPv6 scanning attackers.

Examples

# (Centralized devices in standalone mode.) Display information about all IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6

IPv6 address       VPN instance     Protocol     Detected on      Duration(min)

2013::2            --               TCP          GE1/0/4          1234

1230::22           --               UDP          GE1/0/4          10

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6

Slot 1:

IPv6 address       VPN instance     Protocol     Detected on      Duration(min)

2013::2            --               TCP          GE1/0/4          1234

1230::22           --               UDP          GE1/0/4          10

Slot 2:

IPv6 address       VPN instance     Protocol    Detected on       Duration(min)

2004::4            --               TCP         GE2/0/2           1122

1042::2            --               UDP         GE2/0/4           24

# (Distributed devices in IRF mode.) Display information about all IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6

Slot 1 in chassis 1:

IPv6 address       VPN instance     Protocol    Detected on       Duration(min)

2013::2            --               TCP         GE1/1/0/4         1234

1230::22           --               UDP         GE1/1/0/4         10

Slot 2 in chassis 2:

IPv6 address       VPN instance     Protocol    Detected on      Duration(min)

2004::4            --               TCP         GE2/2/0/2        1122

1042::2            --               UDP         GE2/2/0/4        24

# (Centralized devices in standalone mode.) Display the number of IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6 count

Totally 3 attackers.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6 count

Slot 1:

Totally 3 attackers.

Slot 2:

Totally 0 attackers.

# (Distributed devices in IRF mode.) Display the number of IPv6 scanning attackers.

<Sysname> display attack-defense scan attacker ipv6 count

Slot 1 in chassis 1:

Totally 3 attackers.

Slot 2 in chassis 2:

Totally 0 attackers.

Table 170 Command output

Field

Description

Totally 3 attackers

Total number of IPv6 scanning attackers.

IPv6 address

IPv6 address of the attacker.

VPN instance

MPLS L3VPN instance to which the attacker IPv6 address belongs. If the attacker IPv6 address is on the public network, this field displays hyphens (--).

Protocol

Name of the protocol.

Detected on

Where the attack was detected: on the device (Local) or on an interface.

Duration(min)

How long the attack has lasted, in minutes.

 

Related commands

display attack-defense scan victim ipv6

scan detect

display attack-defense scan victim ip

Use display attack-defense scan victim ip to display information about IPv4 scanning attack victims.

Syntax

Centralized devices in standalone mode:

display attack-defense scan victim ip [ interface interface-type interface-number | local ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense scan victim ip [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Distributed devices in IRF mode:

display attack-defense scan victim ip [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv4 scanning attack victims for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv4 scanning attack victims for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv4 scanning attack victims for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching IPv4 scanning attack victims.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPv4 scanning attack victims.

Examples

# (Centralized devices in standalone mode.) Display information about all IPv4 scanning attack victims.

<Sysname> display attack-defense scan victim ip

IP address      VPN instance      Protocol      Detected on        Duration(min)

192.168.31.2    --                TCP           GE1/0/4            21

2.2.2.3         --                UDP           GE1/0/4            1234

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all IPv4 scanning attack victims.

<Sysname> display attack-defense scan victim ip

Slot 1:

IP address      VPN instance      Protocol      Detected on        Duration(min)

192.168.31.2    --                TCP           GE1/0/4            21

2.2.2.3         --                UDP           GE1/0/4            1234

Slot 2:

IP address      VPN instance      Protocol      Detected on        Duration(min)

# (Distributed devices in IRF mode.) Display information about all IPv4 scanning attack victims.

<Sysname> display attack-defense scan victim ip

Slot 1 in chassis 1:

IP address      VPN instance      Protocol       Detected on        Duration(min)

192.168.31.2    --                TCP            GE1/1/0/4            21

2.2.2.3         --                UDP            GE1/1/0/4            1234

Slot 2 in chassis 2:

IP address      VPN instance      Protocol       Detected on        Duration(min)

# (Centralized devices in standalone mode.) Display the number of IPv4 scanning attack victims.

<Sysname> display attack-defense scan victim ip count

Totally 3 victim IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv4 scanning attack victims.

<Sysname> display attack-defense scan victim ip count

Slot 1:

Totally 3 victim IP addresses.

Slot 2:

Totally 0 victim IP addresses.

# (Distributed devices in IRF mode.) Display the number of IPv4 scanning attack victims.

<Sysname> display attack-defense scan victim ip count

Slot 1 in chassis 1:

Totally 3 victim IP addresses.

Slot 2 in chassis 2:

Totally 0 victim IP addresses.

Table 171 Command output

Field                          Description
Totally 3 victim IP addresses  Total number of IPv4 scanning attack victims.
IP address                     IPv4 address of the victim.
VPN instance                   MPLS L3VPN instance to which the victim IPv4 address belongs. If the victim IPv4 address is on the public network, this field displays hyphens (--).
Protocol                       Name of the protocol.
Detected on                    Where the attack is detected: on the device (Local) or on an interface.
Duration(min)                  The amount of time the attack lasts, in minutes.

Related commands

display attack-defense scan attacker ip

scan detect

display attack-defense scan victim ipv6

Use display attack-defense scan victim ipv6 to display information about IPv6 scanning attack victims.

Syntax

Centralized devices in standalone mode:

display attack-defense scan victim ipv6 [ interface interface-type interface-number | local ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense scan victim ipv6 [ [ interface interface-type interface-number | local ] [ slot slot-number ] ] [ count ]

Distributed devices in IRF mode:

display attack-defense scan victim ipv6 [ [ interface interface-type interface-number | local ] [ chassis chassis-number slot slot-number ] ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

local: Specifies the device.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv6 scanning attack victims for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays information about IPv6 scanning attack victims for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify the device or a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays information about IPv6 scanning attack victims for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching IPv6 scanning attack victims.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPv6 scanning attack victims.

Examples

# (Centralized devices in standalone mode.) Display information about all IPv6 scanning attack victims.

<Sysname> display attack-defense scan victim ipv6

IPv6 address       VPN instance    Protocol      Detected on      Duration(min)

2013::2           --               TCP           GE1/0/4          210

1230::22          --               UDP           GE1/0/4          13

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all IPv6 scanning attack victims.

<Sysname> display attack-defense scan victim ipv6

Slot 1:

IPv6 address      VPN instance     Protocol      Detected on      Duration(min)

2013::2           --               TCP           GE1/0/4          210

1230::22          --               UDP           GE1/0/4          13

Slot 2:

IPv6 address      VPN instance     Protocol      Detected on      Duration(min)

# (Distributed devices in IRF mode.) Display information about all IPv6 scanning attack victims.

<Sysname> display attack-defense scan victim ipv6

Slot 1 in chassis 1:

IPv6 address      VPN instance     Protocol      Detected on      Duration(min)

2013::2           --               TCP           GE1/1/0/4        210

1230::22          --               UDP           GE1/1/0/4        13

Slot 2 in chassis 2:

IPv6 address      VPN instance     Protocol      Detected on      Duration(min)

# (Centralized devices in standalone mode.) Display the number of IPv6 scanning attack victims.

<Sysname> display attack-defense scan victim ipv6 count

Totally 3 victim IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv6 scanning attack victims.

<Sysname> display attack-defense scan victim ipv6 count

Slot 1:

Totally 3 victim IP addresses.

Slot 2:

Totally 0 victim IP addresses.

# (Distributed devices in IRF mode.) Display the number of IPv6 scanning attack victims.

<Sysname> display attack-defense scan victim ipv6 count

Slot 1 in chassis 1:

Totally 3 victim IP addresses.

Slot 2 in chassis 2:

Totally 0 victim IP addresses.

Table 172 Command output

Field                          Description
Totally 3 victim IP addresses  Total number of IPv6 scanning attack victims.
IPv6 address                   IPv6 address of the victim.
VPN instance                   MPLS L3VPN instance to which the victim IPv6 address belongs. If the victim IPv6 address is on the public network, this field displays hyphens (--).
Protocol                       Name of the protocol.
Detected on                    Where the attack is detected: on the device (Local) or on an interface.
Duration(min)                  The amount of time the attack lasts, in minutes.

Related commands

display attack-defense scan attacker ipv6

scan detect
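The victim tables printed by display attack-defense scan victim ip and display attack-defense scan victim ipv6 are easy to scrape into a monitoring job. The following parser is an added example, not H3C code; it assumes the output layout shown in the examples above (an optional "Slot N:" or "Slot N in chassis M:" line before each table, one column-header line, and one victim per row with five whitespace-separated fields). Both sample outputs are constructed from the reference's examples. The count_by_location helper reproduces the per-card numbers that the count keyword prints, and long_running picks out victims that have been under scan longer than a threshold.

```python
"""Parse `display attack-defense scan victim ip` / `ipv6` output.

Added example (not H3C code). Assumes the layout documented in the command
reference; SAMPLE_IPV4 and SAMPLE_IPV6 are constructed from its examples.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: IPv4 output on a distributed IRF device, second card empty.
SAMPLE_IPV4 = """\
Slot 1 in chassis 1:
IP address      VPN instance      Protocol       Detected on        Duration(min)
192.168.31.2    --                TCP            GE1/1/0/4            21
2.2.2.3         --                UDP            GE1/1/0/4            1234
Slot 2 in chassis 2:
IP address      VPN instance      Protocol       Detected on        Duration(min)
"""

# Constructed sample: IPv6 output on a centralized standalone device (no slot line).
SAMPLE_IPV6 = """\
IPv6 address       VPN instance    Protocol      Detected on      Duration(min)
2013::2           --               TCP           GE1/0/4          210
1230::22          --               UDP           GE1/0/4          13
"""


@dataclass
class Victim:
    address: str
    vpn_instance: Optional[str]  # None when the output shows '--' (public network)
    protocol: str
    detected_on: str             # 'Local' for the device itself, else an interface
    duration_min: int


SLOT_RE = re.compile(r"^Slot \d+(?: in chassis \d+)?:$")
HEADER_RE = re.compile(
    r"^IP(?:v6)? address\s+VPN instance\s+Protocol\s+Detected on\s+Duration\(min\)$")


def parse_scan_victims(text: str) -> Dict[str, List[Victim]]:
    """Return {location: [Victim, ...]}. location is the 'Slot ...' label, or
    'device' when the output has no slot line (centralized standalone mode)."""
    by_location: Dict[str, List[Victim]] = {}
    location = "device"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SLOT_RE.match(line):
            location = line.rstrip(":")
            by_location.setdefault(location, [])  # keep cards with no victims visible
            continue
        if HEADER_RE.match(line):
            by_location.setdefault(location, [])
            continue
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # not a victim row; skip rather than guess
        addr, vpn, proto, where, dur = fields
        by_location.setdefault(location, []).append(
            Victim(addr, None if vpn == "--" else vpn, proto, where, int(dur)))
    return by_location


def count_by_location(by_location: Dict[str, List[Victim]]) -> Dict[str, int]:
    """The same per-card numbers the `count` keyword prints."""
    return {loc: len(victims) for loc, victims in by_location.items()}


def long_running(by_location: Dict[str, List[Victim]], threshold_min: int) -> List[Victim]:
    """Victims scanned for longer than threshold_min minutes: a first cut at
    the list a SOC would want to follow up on."""
    return [v for victims in by_location.values() for v in victims
            if v.duration_min > threshold_min]


if __name__ == "__main__":
    for sample in (SAMPLE_IPV4, SAMPLE_IPV6):
        parsed = parse_scan_victims(sample)
        print(count_by_location(parsed))
        for v in long_running(parsed, 60):
            print("long-running scan against", v.address, "on", v.detected_on)
```

Because the Duration(min) column is the time the scan has been going on, rather than a cumulative counter, the parser can be run on each poll without keeping state between polls; the threshold is the only tunable.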

display attack-defense statistics interface

Use display attack-defense statistics interface to display attack detection and prevention statistics on an interface.

Syntax

Centralized devices in standalone mode:

display attack-defense statistics interface interface-type interface-number

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense statistics interface interface-type interface-number [ slot slot-number ]

Distributed devices in IRF mode:

display attack-defense statistics interface interface-type interface-number [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays attack detection and prevention statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. If you do not specify a member device, this command displays attack detection and prevention statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. This option is available only when you specify a global interface, such as a VLAN interface or tunnel interface. If you do not specify a card, this command displays attack detection and prevention statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display attack detection and prevention statistics on interface GigabitEthernet 1/0/1.

<Sysname> display attack-defense statistics interface gigabitethernet 1/0/1

Attack policy name: abc

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 HTTP flood                          1           0

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display attack detection and prevention statistics on interface GigabitEthernet 1/0/1 for the card or member device in slot 1.

<Sysname> display attack-defense statistics interface gigabitethernet 1/0/1 slot 1

Attack policy name: abc

Slot 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 HTTP flood                          1           0

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

# (Distributed devices in IRF mode.) Display attack detection and prevention statistics on interface GigabitEthernet 1/0/1 for the card in slot 1 on member device 1.

<Sysname> display attack-defense statistics interface gigabitethernet 1/0/1 chassis 1 slot 1

Attack policy name: abc

Slot 1 in chassis 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 HTTP flood                          1           0

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

Table 173 Command output

Field        Description
AttackType   Type of the attack.
AttackTimes  Number of times that the attack occurred. This command output displays only attacks that are detected.
Dropped      Number of dropped packets.

display attack-defense statistics local

Use display attack-defense statistics local to display attack detection and prevention statistics for the device.

Syntax

Centralized devices in standalone mode:

display attack-defense statistics local

Distributed devices in standalone mode/centralized devices in IRF mode:

display attack-defense statistics local [ slot slot-number ]

Distributed devices in IRF mode:

display attack-defense statistics local [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays attack detection and prevention statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays attack detection and prevention statistics for all IRF member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays attack detection and prevention statistics for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display attack detection and prevention statistics for the device.

<Sysname> display attack-defense statistics local

Attack defense policy name: abc

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 HTTP flood                          1           0

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display attack detection and prevention statistics for the device.

<Sysname> display attack-defense statistics local

Attack policy name: abc

Slot 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 HTTP flood                          1           0

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

# (Distributed devices in IRF mode.) Display attack detection and prevention statistics for the device.

<Sysname> display attack-defense statistics local

Attack policy name: abc

Slot 1 in chassis 1:

Scan attack defense statistics:

 AttackType                          AttackTimes Dropped

 Port scan                           2           23

 IP sweep                            3           33

 Distribute port scan                1           10

Flood attack defense statistics:

 AttackType                          AttackTimes Dropped

 SYN flood                           1           0

 ACK flood                           1           0

 SYN-ACK flood                       3           5000

 RST flood                           2           0

 FIN flood                           2           0

 UDP flood                           1           0

 ICMP flood                          1           0

 ICMPv6 flood                        1           0

 DNS flood                           1           0

 HTTP flood                          1           0

Signature attack defense statistics:

 AttackType                          AttackTimes Dropped

 IP option record route              1           100

 IP option security                  2           0

 IP option stream ID                 3           0

 IP option internet timestamp        4           1

 IP option loose source routing      5           0

 IP option strict source routing     6           0

 IP option route alert               3           0

 Fragment                            1           0

 Impossible                          1           1

 Teardrop                            1           1

 Tiny fragment                       1           0

 IP options abnormal                 3           0

 Smurf                               1           0

 Ping of death                       1           0

 Traceroute                          1           0

 Large ICMP                          1           0

 TCP NULL flag                       1           0

 TCP all flags                       1           0

 TCP SYN-FIN flags                   1           0

 TCP FIN only flag                   1           0

 TCP invalid flag                    1           0

 TCP Land                            1           0

 Winnuke                             1           0

 UDP Bomb                            1           0

 Snork                               1           0

 Fraggle                             1           0

 Large ICMPv6                        1           0

 ICMP echo request                   1           0

 ICMP echo reply                     1           0

 ICMP source quench                  1           0

 ICMP destination unreachable        1           0

 ICMP redirect                       2           0

 ICMP time exceeded                  3           0

 ICMP parameter problem              4           0

 ICMP timestamp request              5           0

 ICMP timestamp reply                6           0

 ICMP information request            7           0

 ICMP information reply              4           0

 ICMP address mask request           2           0

 ICMP address mask reply             1           0

 ICMPv6 echo request                 1           1

 ICMPv6 echo reply                   1           1

 ICMPv6 group membership query       1           0

 ICMPv6 group membership report      1           0

 ICMPv6 group membership reduction   1           0

 ICMPv6 destination unreachable      1           0

 ICMPv6 time exceeded                1           0

 ICMPv6 parameter problem            1           0

 ICMPv6 packet too big               1           0

Table 174 Command output

Field        Description
AttackType   Type of the attack.
AttackTimes  Number of times that the attack occurred. This command output displays only attacks that are detected.
Dropped      Number of dropped packets.

 

Related commands

reset attack-defense statistics local

display attack-defense top-attack-statistics

Use display attack-defense top-attack-statistics to display top ten attack statistics.

Syntax

display attack-defense top-attack-statistics { last-1-hour | last-24-hours | last-30-days } [ by-attacker | by-type | by-victim ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

last-1-hour: Specifies the most recent 1 hour.

last-24-hours: Specifies the most recent 24 hours.

last-30-days: Specifies the most recent 30 days.

by-attacker: Displays top ten attack statistics by attacker.

by-type: Displays all attack statistics by attack type.

by-victim: Displays top ten attack statistics by victim.

Usage guidelines

If you do not specify the by-attacker, by-type, or by-victim keyword, this command displays attack statistics by attacker, by victim, and by attack type.

Examples

# Display top ten attack statistics in the most recent 1 hour.

<Sysname> display attack-defense top-attack-statistics last-1-hour

Top attackers:

No.     VPN instance   Attacker IP         Attacks

1       vpn1           200.200.200.55      21

2       vpn1           200.200.200.21      16

3       vpn2           200.200.200.133     12

4       vpn3           200.200.200.19      10

5       vpn2           200.200.200.4       8

6       vpn2           200.200.200.155     8

7       vpn3           200.200.200.93      5

8       vpn2           200.200.200.67      3

9       vpn2           200.200.200.70      1

10      vpn1           200.200.200.23      1

 

Top victims:

No.     VPN instance   Victim IP            Attacks

1       vpn2           200.200.200.12       21

2       vpn2           200.200.200.32       16

3       vpn3           200.200.200.14       12

4       vpn2           200.200.200.251      12

5       vpn1           200.200.200.10       7

6       vpn1           200.200.200.77       6

7       vpn1           200.200.200.96       2

8       vpn1           200.200.200.22       2

9       vpn2           200.200.200.154      2

10      vpn3           200.200.200.18       1

 

Top attack types:

Attack type       Attacks

Scan              155

Syn               155

Table 175 Command output

Field             Description
Top attackers     Top ten attack statistics by attacker.
No.               Rank on the list.
VPN instance      VPN instance to which the attacker or victim belongs. If the attacker or victim belongs to the public network, the field value is not displayed.
Attacks           Number of attack packets that have been dropped.
Top victims       Top ten attack statistics by victim.
Top attack types  Attack statistics by attack type.
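The three sections of this output are easy to read by eye but awkward to feed into a monitoring pipeline, because the VPN instance column is simply absent for public-network addresses. The following parser is an added example (not code from the H3C command reference): it reads the three sections from the right-hand columns, so a row with or without a VPN instance is handled the same way, and then sums the Attacks counter per VPN instance. The sample text is a constructed, abridged copy of the output shown above; that a public-network row has a blank VPN column (rather than a placeholder) is an assumption taken from the Table 175 description.

```python
"""Parse 'display attack-defense top-attack-statistics' output.

Added example, not part of the H3C command reference. SAMPLE is a constructed,
abridged copy of the output shown in the Examples section of this page.
"""
from collections import defaultdict

SAMPLE = """\
Top attackers:
No.     VPN instance   Attacker IP         Attacks
1       vpn1           200.200.200.55      21
2       vpn1           200.200.200.21      16
3       vpn2           200.200.200.133     12

Top victims:
No.     VPN instance   Victim IP            Attacks
1       vpn2           200.200.200.12       21
2       vpn2           200.200.200.32       16
3       vpn3           200.200.200.14       12

Top attack types:
Attack type       Attacks
Scan              155
Syn               155
"""

SECTION_HEADERS = {
    "Top attackers:": "attackers",
    "Top victims:": "victims",
    "Top attack types:": "types",
}


def parse_top_attack_statistics(text):
    """Return {'attackers': [...], 'victims': [...], 'types': [...]}.

    Attacker/victim rows are dicts with rank, vpn, ip and attacks. The VPN
    column is not displayed for public-network addresses (assumption: the
    column is blank, so the row has one token less), so rows are read from the
    right: the last token is always the counter, the one before it the IP.
    """
    result = {"attackers": [], "victims": [], "types": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        if section is None or line.startswith(("No.", "Attack type")):
            continue  # column header rows carry no data
        fields = line.split()
        if section == "types":
            # Attack type names may contain spaces; the counter is the last token.
            result["types"].append({"type": " ".join(fields[:-1]),
                                    "attacks": int(fields[-1])})
            continue
        vpn = fields[1] if len(fields) == 4 else None  # None: public network
        result[section].append({"rank": int(fields[0]), "vpn": vpn,
                                "ip": fields[-2], "attacks": int(fields[-1])})
    return result


def attacks_by_vpn(rows):
    """Sum the Attacks counter per VPN instance ('public' when none is shown)."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["vpn"] or "public"] += row["attacks"]
    return dict(totals)


if __name__ == "__main__":
    stats = parse_top_attack_statistics(SAMPLE)
    print("dropped attack packets per VPN (attackers):", attacks_by_vpn(stats["attackers"]))
    print("dropped attack packets per VPN (victims):  ", attacks_by_vpn(stats["victims"]))
```

Because the Attacks column counts dropped attack packets (Table 175), the per-VPN totals tell you which customer instance is absorbing the most attack-defense drops, which is usually more useful for capacity and escalation decisions than the raw top-ten list.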

 

Related commands

attack-defense top-attack-statistics enable

display blacklist ip

Use display blacklist ip to display IPv4 blacklist entries.

Syntax

Centralized devices in standalone mode:

display blacklist ip [ source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display blacklist ip [ source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display blacklist ip [ source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ip-address: Specifies the IPv4 address for a blacklist entry.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4 blacklist entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv4 blacklist entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv4 blacklist entries for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching IPv4 blacklist entries.

Usage guidelines

If you do not specify any parameters, this command displays all IPv4 blacklist entries.

Examples

# (Centralized devices in standalone mode.) Display all IPv4 blacklist entries.

<Sysname> display blacklist ip

IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped

192.168.11.5    --             --                   Dynamic 10       353452

123.123.123.123 a0123456789012 2013::fe07:221a:4011 Dynamic 123      4294967295

201.55.7.45     abc            2013::1              Manual  Never    14478

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display IPv4 blacklist entries on the card or IRF member device in slot 1.

<Sysname> display blacklist ip slot 1

Slot 1:

IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped

192.168.11.5    --             --                   Dynamic 10       353452

123.123.123.123 a0123456789012 2013::fe07:221a:4011 Dynamic 123      4294967295

201.55.7.45     abc            2013::1              Manual  Never    14478

# (Distributed devices in IRF mode.) Display all IPv4 blacklist entries.

<Sysname> display blacklist ip

Slot 1 in chassis 1:

IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped

192.168.11.5    --             --                   Dynamic 10       353452

123.123.123.123 a0123456789012 2013::fe07:221a:4011 Dynamic 123      4294967295

201.55.7.45     abc            2013::1              Manual  Never    14478

Slot 2 in chassis 2:

IP address      VPN instance   DS-Lite tunnel peer  Type    TTL(sec) Dropped

192.168.11.5    --             --                   Dynamic 10       2232333

123.123.123.123 a0123456789012 2013::fe07:221a:4011 Dynamic 123      86985

201.55.7.45     abc            2013::1              Manual  Never    4252

# (Centralized devices in standalone mode.) Display the number of IPv4 blacklist entries.

<Sysname> display blacklist ip count

Totally 3 blacklist entries.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv4 blacklist entries on the card or IRF member device in slot 1.

<Sysname> display blacklist ip slot 1 count

Slot 1:

Totally 3 blacklist entries.

# (Distributed devices in IRF mode.) Display the number of IPv4 blacklist entries.

<Sysname> display blacklist ip count

Slot 1 in chassis 1:

Totally 3 blacklist entries.

Slot 2 in chassis 2:

Totally 3 blacklist entries.

Table 176 Command output

Field                        Description
IP address                   IPv4 address of the blacklist entry.
VPN instance                 MPLS L3VPN instance to which the blacklisted IPv4 address belongs. If the blacklisted IPv4 address is on the public network, this field displays hyphens (--).
DS-Lite tunnel peer          IPv6 address of the DS-Lite tunnel peer. If the device is the AFTR of a DS-Lite tunnel, this field displays the IPv6 address of the B4 element from which the packet comes. In other situations, this field displays hyphens (--).
Type                         Type of the IPv4 blacklist entry, Manual or Dynamic.
TTL(sec)                     Remaining aging time of the IPv4 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never.
Dropped                      Number of dropped packets sourced from the IPv4 address.
Totally 3 blacklist entries  Total number of IPv4 blacklist entries.

 

Related commands

blacklist ip

display blacklist ipv6

Use display blacklist ipv6 to display IPv6 blacklist entries.

Syntax

Centralized devices in standalone mode:

display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display blacklist ipv6 [ source-ipv6-address [ vpn-instance vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

source-ipv6-address: Specifies the IPv6 address for a blacklist entry.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 blacklist entries for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 blacklist entries for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 blacklist entries for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching IPv6 blacklist entries.

Usage guidelines

If you do not specify any parameters, this command displays all IPv6 blacklist entries.

Examples

# (Centralized devices in standalone mode.) Display all IPv6 blacklist entries.

<Sysname> display blacklist ipv6

IPv6 address         VPN instance      Type    TTL(sec) Dropped

1::4                 --                Manual  Never    14478

1::5                 --                Dynamic 10       353452

2013:fe07:221a:4011: a0123456789012345 Dynamic 123      4294967295

2013:fe07:221a:4011  67890123456789

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display IPv6 blacklist entries on the card or IRF member device in slot 1.

<Sysname> display blacklist ipv6 slot 1

Slot 1:

IPv6 address         VPN instance      Type    TTL(sec) Dropped

1::4                 --                Manual  Never    14478

1::5                 --                Dynamic 10       353452

2013:fe07:221a:4011: a0123456789012345 Dynamic 123      4294967295

2013:fe07:221a:4011  67890123456789

# (Distributed devices in IRF mode.) Display all IPv6 blacklist entries.

<Sysname> display blacklist ipv6

Slot 1 in chassis 1:

IPv6 address         VPN instance      Type    TTL(sec) Dropped

1::4                 --                Manual  Never    14478

1::5                 --                Dynamic 10       353452

2013:fe07:221a:4011: a0123456789012345 Dynamic 123      4294967295

2013:fe07:221a:4011  67890123456789

Slot 2 in chassis 2:

IPv6 address         VPN instance      Type    TTL(sec) Dropped

1::4                 --                Manual  Never    201

1::5                 --                Dynamic 10       4452486

2013:fe07:221a:4011: a0123456789012345 Dynamic 123      268798

2013:fe07:221a:4011  67890123456789

# (Centralized devices in standalone mode.) Display the number of IPv6 blacklist entries.

<Sysname> display blacklist ipv6 count

Totally 3 blacklist entries.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of IPv6 blacklist entries on the card or IRF member device in slot 1.

<Sysname> display blacklist ipv6 slot 1 count

Slot 1:

Totally 3 blacklist entries.

# (Distributed devices in IRF mode.) Display the number of IPv6 blacklist entries.

<Sysname> display blacklist ipv6 count

Slot 1 in chassis 1:

Totally 3 blacklist entries.

Slot 2 in chassis 2:

Totally 3 blacklist entries.

Table 177 Command output

Field                        Description
IPv6 address                 IPv6 address of the blacklist entry.
VPN instance                 MPLS L3VPN instance to which the blacklisted IPv6 address belongs. If the blacklisted IPv6 address is on the public network, this field displays hyphens (--).
Type                         Type of the IPv6 blacklist entry, Manual or Dynamic.
TTL(sec)                     Remaining aging time of the IPv6 blacklist entry, in seconds. If no aging time is set for the entry, this field displays Never.
Dropped                      Number of dropped packets sourced from the IPv6 address.
Totally 3 blacklist entries  Total number of IPv6 blacklist entries.
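The blacklist output for both address families (Tables 176 and 177) has two properties that trip up naive line-by-line scripts: it is grouped under "Slot N:" or "Slot N in chassis M:" headers on distributed and IRF devices, and an over-long IPv6 address or VPN instance name is wrapped onto a second line, as in the 2013:fe07:221a:4011: row above. The parser below is an added example, not code from the H3C command reference; it rejoins the wrapped fragments in column order (an assumption taken from the sample output, not a documented format), converts -- and Never into None, and offers two checks a practitioner would want: slots whose "Totally N blacklist entries" count disagrees with the rows listed, and Dynamic entries that are about to age out. The sample text is a constructed copy of the IRF-mode IPv6 output shown above.

```python
"""Parse 'display blacklist ip' / 'display blacklist ipv6' output (Tables 176, 177).

Added example, not code from the H3C command reference. SAMPLE_IPV6 is a
constructed copy of the IRF-mode IPv6 output on this page. Joining a wrapped
row's fragments back onto the address and VPN columns is an assumption based
on that sample, not a documented output format.
"""
import re

SAMPLE_IPV6 = """\
Slot 1 in chassis 1:
IPv6 address         VPN instance      Type    TTL(sec) Dropped
1::4                 --                Manual  Never    14478
1::5                 --                Dynamic 10       353452
2013:fe07:221a:4011: a0123456789012345 Dynamic 123      4294967295
2013:fe07:221a:4011  67890123456789
Slot 2 in chassis 2:
IPv6 address         VPN instance      Type    TTL(sec) Dropped
1::4                 --                Manual  Never    201
1::5                 --                Dynamic 10       4452486
2013:fe07:221a:4011: a0123456789012345 Dynamic 123      268798
2013:fe07:221a:4011  67890123456789
"""

SLOT_RE = re.compile(r"^Slot (\d+)(?: in chassis (\d+))?:$")
COUNT_RE = re.compile(r"^Totally (\d+) blacklist entries\.$")


def _dash_to_none(value):
    return None if value == "--" else value


def parse_blacklist(text):
    """Return {slot_label: {"entries": [...], "reported_total": int | None}}.

    slot_label is "local" for a centralized device in standalone mode, else
    "slot N" or "chassis M slot N". Handles the IPv4 layout (6 columns, with the
    DS-Lite tunnel peer) and the IPv6 layout (5 columns).
    """
    slots = {"local": {"entries": [], "reported_total": None}}
    label, ncols = "local", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SLOT_RE.match(line)
        if m:
            label = f"chassis {m.group(2)} slot {m.group(1)}" if m.group(2) else f"slot {m.group(1)}"
            slots[label] = {"entries": [], "reported_total": None}
            continue
        m = COUNT_RE.match(line)
        if m:
            slots[label]["reported_total"] = int(m.group(1))
            continue
        if line.startswith("IP address"):
            ncols = 6
            continue
        if line.startswith("IPv6 address"):
            ncols = 5
            continue
        if ncols is None:
            raise ValueError(f"data row before column header: {line!r}")
        fields = line.split()
        entries = slots[label]["entries"]
        if len(fields) < ncols and "Manual" not in fields and "Dynamic" not in fields:
            # Continuation of a wrapped row: glue fragments onto address, then VPN.
            if not entries:
                raise ValueError(f"continuation without a preceding row: {line!r}")
            entries[-1]["address"] += fields[0]
            if len(fields) > 1 and entries[-1]["vpn"] is not None:
                entries[-1]["vpn"] += fields[1]
            continue
        if len(fields) != ncols:
            raise ValueError(f"unexpected row: {line!r}")
        if ncols == 6:
            address, vpn, peer, kind, ttl, dropped = fields
        else:
            address, vpn, kind, ttl, dropped = fields
            peer = "--"
        entries.append({
            "address": address,
            "vpn": _dash_to_none(vpn),
            "ds_lite_peer": _dash_to_none(peer),
            "type": kind,
            "ttl": None if ttl == "Never" else int(ttl),  # None: never ages out
            "dropped": int(dropped),
        })
    if len(slots) > 1 and not slots["local"]["entries"] and slots["local"]["reported_total"] is None:
        del slots["local"]  # output was per slot; there is no standalone section
    return slots


def count_mismatches(parsed):
    """Slots whose 'Totally N blacklist entries' line disagrees with the rows listed."""
    return [label for label, s in parsed.items()
            if s["reported_total"] is not None and s["reported_total"] != len(s["entries"])]


def expiring_dynamic_entries(parsed, within_seconds):
    """(slot, address, ttl) for Dynamic entries that age out within the window.

    Manual entries and entries whose TTL is Never are skipped: they do not expire.
    """
    return [(label, e["address"], e["ttl"])
            for label, s in parsed.items() for e in s["entries"]
            if e["type"] == "Dynamic" and e["ttl"] is not None and e["ttl"] <= within_seconds]
```

Rejoining the wrapped row in the sample yields a VPN instance name of 31 characters, which is exactly the upper bound given for vpn-instance-name on this page, so the reconstruction is consistent with the documented limits. The expiry check is the one to run from a scheduled job: a Dynamic entry that is still dropping packets shortly before its TTL reaches zero is a candidate for a manual (non-aging) blacklist ip or blacklist ipv6 entry.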

 

Related commands

blacklist ipv6

display client-verify protected ip

Use display client-verify protected ip to display protected IPv4 addresses for client verification.

Syntax

Centralized devices in standalone mode:

display client-verify { dns | http | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display client-verify { dns | http | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display client-verify { dns | http | tcp } protected ip [ ip-address [ vpn vpn-instance-name ] ] [ port port-number ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns: Specifies the DNS client verification feature.

http: Specifies the HTTP client verification feature.

tcp: Specifies the TCP client verification feature.

ip-address: Specifies a protected IPv4 address. If you do not specify an IPv4 address, this command displays all protected IPv4 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv4 address is on the public network.

port port-number: Specifies a protected port in the range of 1 to 65535. If you do not specify a port, this command displays protected IPv4 addresses with default ports. The default port for DNS client verification is port 53, the default port for HTTP client verification is port 80, and the default port for TCP client verification is all ports.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv4 addresses for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays protected IPv4 addresses for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv4 addresses for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching protected IPv4 addresses.

Examples

# (Centralized devices in standalone mode.) Display the protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip

IP address           VPN instance     Port  Type    Requested  Trusted

192.168.11.5         --               23    Dynamic 353452     555

123.123.123.123      VPN1             65535 Dynamic 4294967295 15151

201.55.7.45          --               10    Manual  15000      222

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip

Slot 1:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               23    Dynamic 353452      555

201.55.7.45          --               10    Manual  15000       222

123.123.123.123      VPN1             65535 Dynamic 4294967295  15151

Slot 2:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               23    Dynamic 46790       78578

201.55.7.45          --               10    Manual  2368        7237

123.123.123.123      VPN1             65535 Dynamic 24587       1385

# (Distributed devices in IRF mode.) Display the protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip

Slot 1 in chassis 1:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               23    Dynamic 353452      555

201.55.7.45          --               10    Manual  15000       222

123.123.123.123      VPN1             65535 Dynamic 4294967295  15151

Slot 2 in chassis 2:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               23    Dynamic 46790       78578

201.55.7.45          --               10    Manual  2368        7237

123.123.123.123      VPN1             65535 Dynamic 24587       1385

# (Centralized devices in standalone mode.) Display the number of protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip count

Totally 3 protected IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip count

Slot 1:

Totally 3 protected IP addresses.

Slot 2:

Totally 3 protected IP addresses.

# (Distributed devices in IRF mode.) Display the number of protected IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ip count

Slot 1 in chassis 1:

Totally 3 protected IP addresses.

Slot 2 in chassis 2:

Totally 3 protected IP addresses.

# (Centralized devices in standalone mode.) Display the protected IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns protected ip

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               53    Dynamic 353452      555

201.55.7.45          --               53    Manual  15000       222

123.123.123.123      VPN1             53    Dynamic 4294967295  15151

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns protected ip

Slot 1:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               53    Dynamic 353452      555

201.55.7.45          --               53    Manual  15000       222

123.123.123.123      VPN1             53    Dynamic 4294967295  15151

Slot 2:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               53    Dynamic 35689       25984

201.55.7.45          --               53    Manual  0           856

123.123.123.123      VPN1             53    Dynamic 5458        8863

# (Distributed devices in IRF mode.) Display the protected IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns protected ip

Slot 1 in chassis 1:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               53    Dynamic 353452      555

201.55.7.45          --               53    Manual  15000       222

123.123.123.123      VPN1             53    Dynamic 4294967295  15151

Slot 2 in chassis 2:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               53    Dynamic 35689       25984

201.55.7.45          --               53    Manual  0           856

123.123.123.123      VPN1             53    Dynamic 5458        8863

# (Centralized devices in standalone mode.) Display the number of protected IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns protected ip count

Totally 3 protected IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of protected IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns protected ip count

Slot 1:

Totally 3 protected IP addresses.

Slot 2:

Totally 3 protected IP addresses.

# (Distributed devices in IRF mode.) Display the number of protected IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns protected ip count

Slot 1 in chassis 1:

Totally 3 protected IP addresses.

Slot 2 in chassis 2:

Totally 3 protected IP addresses.

# (Centralized devices in standalone mode.) Display the protected IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http protected ip

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               80    Dynamic 353452      555

201.55.7.45          --               8080  Manual  15000       222

123.123.123.123      VPN1             80    Dynamic 4294967295  15151

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http protected ip

Slot 1:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               80    Dynamic 353452      555

201.55.7.45          --               8080  Manual  15000       222

123.123.123.123      VPN1             80    Dynamic 4294967295  15151

Slot 2:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               80    Dynamic 0           0

201.55.7.45          --               8080  Manual  458         3258

123.123.123.123      VPN1             80    Dynamic 8666        15863

# (Distributed devices in IRF mode.) Display the protected IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http protected ip

Slot 1 in chassis 1:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               80    Dynamic 353452      555

201.55.7.45          --               8080  Manual  15000       222

123.123.123.123      VPN1             80    Dynamic 4294967295  15151

Slot 2 in chassis 2:

IP address           VPN instance     Port  Type    Requested   Trusted

192.168.11.5         --               80    Dynamic 0           0

201.55.7.45          --               8080  Manual  458         3258

123.123.123.123      VPN1             80    Dynamic 8666        15863

# (Centralized devices in standalone mode.) Display the number of protected IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http protected ip count

Totally 3 protected IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of protected IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http protected ip count

Slot 1:

Totally 3 protected IP addresses.

Slot 2:

Totally 3 protected IP addresses.

# (Distributed devices in IRF mode.) Display the number of protected IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http protected ip count

Slot 1 in chassis 1:

Totally 3 protected IP addresses.

Slot 2 in chassis 2:

Totally 3 protected IP addresses.

Table 178 Command output

Field                            Description
Totally 3 protected IP addresses Total number of protected IPv4 addresses.
IP address                       Protected IPv4 address.
VPN instance                     MPLS L3VPN instance to which the protected IPv4 address belongs. If the protected IPv4 address is on the public network, this field displays hyphens (--).
Port                             Port protected by client verification. If TCP client verification protects all ports, this field displays any.
Type                             Type of the protected IPv4 address, Manual or Dynamic.
Requested                        Number of packets destined for the protected IPv4 address.
Trusted                          Number of packets that passed the client verification.
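Requested and Trusted are the two counters worth trending: when most packets destined for a protected address fail verification, the address is being hit by traffic that cannot complete the client check, which is what a flood from spoofed sources looks like from this command. The script below is an added example, not code from the H3C command reference. It parses the per-slot output, sums the counters per protected address, port and VPN instance across slots, and flags addresses whose trust ratio falls below a threshold; the thresholds are arbitrary illustration values, and the sample text is a constructed copy of the distributed-device HTTP output shown above, including its 0/0 row so the division-by-zero case is exercised. Note that the two counters are not guaranteed to be in step (one row above shows more Trusted than Requested packets), so the ratio is not clamped.

```python
"""Summarise 'display client-verify { dns | http | tcp } protected ip' output.

Added example, not part of the H3C command reference. SAMPLE is a constructed
copy of the distributed-device HTTP output on this page. The thresholds in
low_trust_addresses() are illustration values, not documented defaults.
"""
import re

SAMPLE = """\
Slot 1:
IP address           VPN instance     Port  Type    Requested   Trusted
192.168.11.5         --               80    Dynamic 353452      555
201.55.7.45          --               8080  Manual  15000       222
123.123.123.123      VPN1             80    Dynamic 4294967295  15151
Slot 2:
IP address           VPN instance     Port  Type    Requested   Trusted
192.168.11.5         --               80    Dynamic 0           0
201.55.7.45          --               8080  Manual  458         3258
123.123.123.123      VPN1             80    Dynamic 8666        15863
"""

SLOT_RE = re.compile(r"^Slot (\d+)(?: in chassis (\d+))?:$")


def parse_protected(text):
    """Return rows: {slot, address, vpn, port, type, requested, trusted}.

    Works for the IPv4 and IPv6 variants of the command. 'port' is an int, or
    the string 'any' when TCP client verification protects all ports (Table 178).
    """
    rows, slot = [], "local"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("IP address", "IPv6 address", "Totally")):
            continue  # blank, column header, or count summary line
        m = SLOT_RE.match(line)
        if m:
            slot = f"chassis {m.group(2)} slot {m.group(1)}" if m.group(2) else f"slot {m.group(1)}"
            continue
        address, vpn, port, kind, requested, trusted = line.split()
        rows.append({
            "slot": slot,
            "address": address,
            "vpn": None if vpn == "--" else vpn,
            "port": port if port == "any" else int(port),
            "type": kind,
            "requested": int(requested),
            "trusted": int(trusted),
        })
    return rows


def aggregate(rows):
    """Sum Requested/Trusted per (address, vpn, port) across all slots."""
    totals = {}
    for r in rows:
        key = (r["address"], r["vpn"], r["port"])
        t = totals.setdefault(key, {"requested": 0, "trusted": 0, "type": r["type"]})
        t["requested"] += r["requested"]
        t["trusted"] += r["trusted"]
    return totals


def trust_ratio(requested, trusted):
    """Share of packets that passed verification; None when nothing was requested.

    Not clamped to 1.0: the counters are not guaranteed to be in step, so a
    ratio above 1 simply means Trusted ran ahead of Requested on that slot.
    """
    if requested == 0:
        return None
    return trusted / requested


def low_trust_addresses(rows, max_ratio=0.05, min_requested=1000):
    """(address, port, ratio) for addresses where, over a meaningful volume of
    requests, fewer than max_ratio passed client verification."""
    flagged = []
    for (address, _vpn, port), t in aggregate(rows).items():
        ratio = trust_ratio(t["requested"], t["trusted"])
        if ratio is not None and t["requested"] >= min_requested and ratio < max_ratio:
            flagged.append((address, port, round(ratio, 4)))
    return sorted(flagged)


if __name__ == "__main__":
    for address, port, ratio in low_trust_addresses(parse_protected(SAMPLE)):
        print(f"{address}:{port} trust ratio {ratio}")
```

Aggregating across slots before computing the ratio matters on distributed and IRF devices: per-slot counters for the same address can differ by orders of magnitude, as the two slots in the sample show, and a per-slot ratio would flag or clear the same address inconsistently depending on which card the traffic happened to enter.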

 

Related commands

client-verify protected ip

display client-verify protected ipv6

Use display client-verify protected ipv6 to display protected IPv6 addresses for client verification.

Syntax

Centralized devices in standalone mode:

display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display client-verify { dns | http | tcp } protected ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ port port-number ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns: Specifies the DNS client verification feature.

http: Specifies the HTTP client verification feature.

tcp: Specifies the TCP client verification feature.

ipv6-address: Specifies a protected IPv6 address. If you do not specify an IPv6 address, this command displays all protected IPv6 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.

port port-number: Specifies a protected port in the range of 1 to 65535. If you do not specify a port, this command displays protected IPv6 addresses with default ports. The default port for DNS client verification is port 53, the default port for HTTP client verification is port 80, and the default port for TCP client verification is all ports.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays protected IPv6 addresses for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays protected IPv6 addresses for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays protected IPv6 addresses for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching protected IPv6 addresses.

Examples

# (Centralized devices in standalone mode.) Display the protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               100   Manual  14478       5501

1023::1123           vpn1             65535 Dynamic 4294967295  15151

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6

Slot 1:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               100   Manual  14478       5501

1023::1123           vpn1             65535 Dynamic 4294967295  15151

Slot 2:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               100   Manual  4568        8798

1023::1123           vpn1             65535 Dynamic 15969       4679

# (Distributed devices in IRF mode.) Display the protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6

Slot 1 in chassis 1:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               100   Manual  14478       5501

1023::1123           vpn1             65535 Dynamic 4294967295  15151

Slot 2 in chassis 2:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               100   Manual  4568        8798

1023::1123           vpn1             65535 Dynamic 15969       4679

# (Centralized devices in standalone mode.) Display the number of protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6 count

Totally 3 protected IPv6 addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6 count

Slot 1:

Totally 3 protected IPv6 addresses.

Slot 2:

Totally 3 protected IPv6 addresses.

# (Distributed devices in IRF mode.) Display the number of protected IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp protected ipv6 count

Slot 1 in chassis 1:

Totally 3 protected IPv6 addresses.

Slot 2 in chassis 2:

Totally 3 protected IPv6 addresses.

# (Centralized devices in standalone mode.) Display the protected IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns protected ipv6

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               53    Manual  14478       5501

1023::1123           vpn1             53    Dynamic 4294967295  15151

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns protected ipv6

Slot 1:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               53    Manual  14478       5501

1023::1123           vpn1             53    Dynamic 4294967295  15151

Slot 2:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               53    Manual  4568        8798

1023::1123           vpn1             53    Dynamic 15969       4679

# (Distributed devices in IRF mode.) Display the protected IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns protected ipv6

Slot 1 in chassis 1:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               53    Manual  14478       5501

1023::1123           vpn1             53    Dynamic 4294967295  15151

Slot 2 in chassis 2:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               53    Manual  4568        8798

1023::1123           vpn1             53    Dynamic 15969       4679

# (Centralized devices in standalone mode.) Display the number of protected IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns protected ipv6 count

Totally 3 protected IPv6 addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of protected IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns protected ipv6 count

Slot 1:

Totally 3 protected IPv6 addresses.

Slot 2:

Totally 3 protected IPv6 addresses.

# (Distributed devices in IRF mode.) Display the number of protected IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns protected ipv6 count

Slot 1 in chassis 1:

Totally 3 protected entries.

Slot 2 in chassis 2:

Totally 3 protected entries.

# (Centralized devices in standalone mode.) Display the protected IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http protected ipv6

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               8080  Manual  14478       5501

1023::1123           vpn1             80    Dynamic 4294967295  15151

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the protected IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http protected ipv6

Slot 1:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               8080  Manual  14478       5501

1023::1123           vpn1             80    Dynamic 4294967295  15151

Slot 2:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               8080  Manual  4568        8798

1023::1123           vpn1             80    Dynamic 15969       4679

# (Distributed devices in IRF mode.) Display the protected IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http protected ipv6

Slot 1 in chassis 1:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               8080  Manual  14478       5501

1023::1123           vpn1             80    Dynamic 4294967295  15151

Slot 2 in chassis 2:

IPv6 address         VPN instance     Port  Type    Requested   Trusted

1:2:3:4:5:6:7:8      --               8080  Manual  4568        8798

1023::1123           vpn1             80    Dynamic 15969       4679

# (Centralized devices in standalone mode.) Display the number of protected IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http protected ipv6 count

Totally 3 protected IPv6 addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of protected IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http protected ipv6 count

Slot 1:

Totally 3 protected IPv6 addresses.

Slot 2:

Totally 3 protected IPv6 addresses.

# (Distributed devices in IRF mode.) Display the number of protected IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http protected ipv6 count

Slot 1 in chassis 1:

Totally 3 protected IPv6 addresses.

Slot 2 in chassis 2:

Totally 3 protected IPv6 addresses.

Table 179 Command output

Field

Description

Totally 3 protected IPv6 addresses

Total number of protected IPv6 addresses.

IPv6 address

Protected IPv6 address.

VPN instance

MPLS L3VPN instance to which the protected IPv6 address belongs. If the protected IPv6 address is on the public network, this field displays hyphens (--).

Port

Port protected by TCP client verification. If TCP client verification protects all ports, this field displays any.

Type

Type of the protected IPv6 address, Manual or Dynamic.

Requested

Number of packets destined for the protected IPv6 address.

Trusted

Number of packets that passed the client verification.


Related commands

client-verify protected ipv6

display client-verify trusted ip

Use display client-verify trusted ip to display trusted IPv4 addresses for client verification.

Syntax

Centralized devices in standalone mode:

display client-verify { dns | http | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display client-verify { dns | http | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display client-verify { dns | http | tcp } trusted ip [ ip-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns: Specifies the DNS client verification feature.

http: Specifies the HTTP client verification feature.

tcp: Specifies the TCP client verification feature.

ip-address: Specifies a trusted IPv4 address. If you do not specify an IPv4 address, this command displays all trusted IPv4 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the trusted IPv4 address is on the public network.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv4 addresses for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted IPv4 addresses for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv4 addresses for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching trusted IPv4 addresses.

Examples

# (Centralized devices in standalone mode.) Display the trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip

Slot 1:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

Slot 2:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.3        vpn1                --                     1200

# (Distributed devices in IRF mode.) Display the trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip

Slot 1 in chassis 1:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

Slot 2 in chassis 2:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.3        vpn1                --                     1200

# (Centralized devices in standalone mode.) Display the number of trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip count

Totally 3 trusted IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip count

Slot 1:

Totally 3 trusted IP addresses.

Slot 2:

Totally 3 trusted IP addresses.

# (Distributed devices in IRF mode.) Display the number of trusted IPv4 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ip count

Slot 1 in chassis 1:

Totally 3 trusted IP addresses.

Slot 2 in chassis 2:

Totally 3 trusted IP addresses.

# (Centralized devices in standalone mode.) Display the trusted IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ip

Totally 2 trusted addresses.

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ip

Slot 1:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

Slot 2:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.3        vpn1                --                     1200

# (Distributed devices in IRF mode.) Display the trusted IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ip

Slot 1 in chassis 1:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

Slot 2 in chassis 2:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.3        vpn1                --                     1200

# (Centralized devices in standalone mode.) Display the number of trusted IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ip count

Totally 3 trusted IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of trusted IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ip count

Slot 1:

Totally 3 trusted IP addresses.

Slot 2:

Totally 3 trusted IP addresses.

# (Distributed devices in IRF mode.) Display the number of trusted IPv4 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ip count

Slot 1 in chassis 1:

Totally 3 trusted IP addresses.

Slot 2 in chassis 2:

Totally 3 trusted IP addresses.

# (Centralized devices in standalone mode.) Display the trusted IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ip

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ip

Slot 1:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

Slot 2:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.3        vpn1                --                     1200

# (Distributed devices in IRF mode.) Display the trusted IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ip

Slot 1 in chassis 1:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.2        vpn1                --                     3600

123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550

Slot 2 in chassis 2:

IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)

11.1.1.3        vpn1                --                     1200

# (Centralized devices in standalone mode.) Display the number of trusted IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ip count

Totally 3 trusted IP addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of trusted IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ip count

Slot 1:

Totally 3 trusted IP addresses.

Slot 2:

Totally 3 trusted IP addresses.

# (Distributed devices in IRF mode.) Display the number of trusted IPv4 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ip count

Slot 1 in chassis 1:

Totally 3 trusted IP addresses.

Slot 2 in chassis 2:

Totally 3 trusted IP addresses.

Table 180 Command output

Field

Description

Totally 3 trusted IP addresses

Total number of trusted IPv4 addresses.

IP address

Trusted IPv4 address.

VPN instance

MPLS L3VPN instance to which the trusted IPv4 address belongs. If the trusted IPv4 address is on the public network, this field displays hyphens (--).

DS-Lite tunnel peer

IPv6 address of the DS-Lite tunnel peer.

If the device is the AFTR of a DS-Lite tunnel, this field displays the IPv6 address of the B4 element from which the packet comes.

In other situations, this field displays hyphens (--).

TTL(sec)

Remaining aging time of the trusted IPv4 address, in seconds.
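The trusted-address output above is the natural input for a monitoring script: an operator watching the TTL(sec) column can see which verified clients are about to age out and be challenged again. The following parser is an added example and is not H3C code; it handles the three output shapes shown in this reference (no section header, "Slot N:", and "Slot N in chassis M:"), turns "--" into an absent value, and flags entries whose remaining aging time is below a chosen limit. The sample text is constructed from the examples above plus one short-lived entry; all function and class names are this example's own.

```python
"""Parse the output of 'display client-verify { dns | http | tcp } trusted ip'.

Added example, not H3C code. The output format is the one shown in this
reference; the section-header and '--' handling are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the distributed-device output from this reference with
# one extra entry (10.0.0.9) whose trust is about to expire.
SAMPLE_OUTPUT = """\
Slot 1:
IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)
11.1.1.2        vpn1                --                     3600
123.123.123.123 a012345678901234567 1234:1234::1234:1234   3550
Slot 2:
IP address      VPN instance        DS-Lite tunnel peer    TTL(sec)
11.1.1.3        vpn1                --                     1200
10.0.0.9        --                  --                     45
"""

SECTION_RE = re.compile(r"^Slot (\d+)(?: in chassis (\d+))?:$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class TrustedEntry:
    ip: str
    vpn: Optional[str]            # None when the output shows '--' (public network)
    ds_lite_peer: Optional[str]   # None unless the device is the AFTR of a DS-Lite tunnel
    ttl: int                      # remaining aging time in seconds
    slot: Optional[int] = None
    chassis: Optional[int] = None


def _none_if_dash(value: str) -> Optional[str]:
    return None if value == "--" else value


def parse_trusted_ip(text: str) -> List[TrustedEntry]:
    """Return one TrustedEntry per address row, tagged with its slot/chassis."""
    entries: List[TrustedEntry] = []
    slot = chassis = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, the column header and the optional 'Totally N ...' line.
        if not line or line.startswith("IP address") or line.startswith("Totally"):
            continue
        m = SECTION_RE.match(line)
        if m:
            slot = int(m.group(1))
            chassis = int(m.group(2)) if m.group(2) else None
            continue
        fields = line.split()
        if len(fields) != 4 or not IPV4_RE.match(fields[0]):
            raise ValueError(f"unexpected line in output: {raw!r}")
        ip, vpn, peer, ttl = fields
        entries.append(TrustedEntry(ip, _none_if_dash(vpn), _none_if_dash(peer),
                                    int(ttl), slot, chassis))
    return entries


def expiring_soon(entries: List[TrustedEntry], within_seconds: int) -> List[TrustedEntry]:
    """Entries whose trust ages out within the given number of seconds."""
    return [e for e in entries if e.ttl <= within_seconds]


if __name__ == "__main__":
    parsed = parse_trusted_ip(SAMPLE_OUTPUT)
    for entry in parsed:
        print(entry)
    print("expiring within 60 s:", [e.ip for e in expiring_soon(parsed, 60)])
```

Because rows are keyed by slot and chassis, the same function works for the per-card output of distributed devices and for the single-table output of a standalone device.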


display client-verify trusted ipv6

Use display client-verify trusted ipv6 to display trusted IPv6 addresses for client verification.

Syntax

Centralized devices in standalone mode:

display client-verify { dns | http | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ count ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display client-verify { dns | http | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ slot slot-number ] [ count ]

Distributed devices in IRF mode:

display client-verify { dns | http | tcp } trusted ipv6 [ ipv6-address [ vpn vpn-instance-name ] ] [ chassis chassis-number slot slot-number ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dns: Specifies the DNS client verification feature.

http: Specifies the HTTP client verification feature.

tcp: Specifies the TCP client verification feature.

ipv6-address: Specifies a trusted IPv6 address. If you do not specify an IPv6 address, this command displays all trusted IPv6 addresses.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the trusted IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the trusted IPv6 address is on the public network.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays trusted IPv6 addresses for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted IPv6 addresses for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays trusted IPv6 addresses for all cards. (Distributed devices in IRF mode.)

count: Displays the number of matching trusted IPv6 addresses.

Examples

# (Centralized devices in standalone mode.) Display the trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6

Slot 1:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

Slot 2:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

# (Distributed devices in IRF mode.) Display the trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6

Slot 1 in chassis 1:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

Slot 2 in chassis 2:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

# (Centralized devices in standalone mode.) Display the number of trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6 count

Totally 3 trusted IPv6 addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6 count

Slot 1:

Totally 3 trusted IPv6 addresses.

Slot 2:

Totally 3 trusted IPv6 addresses.

# (Distributed devices in IRF mode.) Display the number of trusted IPv6 addresses for DNS client verification.

<Sysname> display client-verify dns trusted ipv6 count

Slot 1 in chassis 1:

Totally 3 trusted IPv6 addresses.

Slot 2 in chassis 2:

Totally 3 trusted IPv6 addresses.

# (Centralized devices in standalone mode.) Display the trusted IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ipv6

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ipv6

Slot 1:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

Slot 2:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

# (Distributed devices in IRF mode.) Display the trusted IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ipv6

Slot 1 in chassis 1:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

Slot 2 in chassis 2:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

# (Centralized devices in standalone mode.) Display the number of trusted IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ipv6 count

Totally 3 trusted IPv6 addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of trusted IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ipv6 count

Slot 1:

Totally 3 trusted IPv6 addresses.

Slot 2:

Totally 3 trusted IPv6 addresses.

# (Distributed devices in IRF mode.) Display the number of trusted IPv6 addresses for HTTP client verification.

<Sysname> display client-verify http trusted ipv6 count

Slot 1 in chassis 1:

Totally 3 trusted IPv6 addresses.

Slot 2 in chassis 2:

Totally 3 trusted IPv6 addresses.

# (Centralized devices in standalone mode.) Display the trusted IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ipv6

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the trusted IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ipv6

Slot 1:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

Slot 2:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

# (Distributed devices in IRF mode.) Display the trusted IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ipv6

Slot 1 in chassis 1:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

1234::1234                              a012345678901234 1234

Slot 2 in chassis 2:

IPv6 address                            VPN instance     TTL(sec)

1::3                                    vpn1             1643

# (Centralized devices in standalone mode.) Display the number of trusted IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ipv6 count

Totally 3 trusted IPv6 addresses.

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display the number of trusted IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ipv6 count

Slot 1:

Totally 3 trusted IPv6 addresses.

Slot 2:

Totally 3 trusted IPv6 addresses.

# (Distributed devices in IRF mode.) Display the number of trusted IPv6 addresses for TCP client verification.

<Sysname> display client-verify tcp trusted ipv6 count

Slot 1 in chassis 1:

Totally 3 trusted IPv6 addresses.

Slot 2 in chassis 2:

Totally 3 trusted IPv6 addresses.

Table 181 Command output

Field

Description

Totally 3 trusted IPv6 addresses

Number of trusted IPv6 addresses.

IPv6 address

Trusted IPv6 address.

VPN instance

MPLS L3VPN instance to which the trusted IPv6 address belongs. If the trusted IPv6 address is on the public network, this field displays hyphens (--).

TTL(sec)

Remaining aging time of the trusted IPv6 address, in seconds.


display whitelist object-group

Use display whitelist object-group to display statistics about packets that match the address object groups of the whitelist.

Syntax

Centralized devices in standalone mode:

display whitelist object-group [ object-group-name ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display whitelist object-group [ object-group-name ] [ slot slot-number ]

Distributed devices in IRF mode:

display whitelist object-group [ object-group-name ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 31 characters. If you do not specify an address object group, this command displays statistics about packets that match all address object groups of the whitelist.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays statistics for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays statistics for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays statistics for all cards. (Distributed devices in IRF mode.)

Usage guidelines

If you do not specify any parameters, this command displays statistics about packets that match all address object groups of the whitelist.

Examples

# (Centralized devices in standalone mode.) Display statistics about packets that match the address object group of the whitelist.

<Sysname> display whitelist object-group objgrp-1

Object group                Type          Matching Packets

objgrp-1                    IPv4          353452

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display statistics about packets that match all address object groups of the whitelist in the specified slot.

<Sysname> display whitelist object-group slot 2

Slot 2:

Object group               Type          Matching Packets

objgrp-1                   IPv4          353452

Table 182 Command output

Field

Description

Object group

Name of the address object group.

Type

Type of the address object group.

Matching Packets

Number of packets that match the address object group.


Related commands

reset whitelist statistics

whitelist object-group

dns-flood action

Use dns-flood action to specify global actions against DNS flood attacks.

Use undo dns-flood action to restore the default.

Syntax

dns-flood action { client-verify | drop | logging } *

undo dns-flood action

Default

No global action is specified for DNS flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent DNS packets destined for the victim IP addresses.

logging: Enables logging for DNS flood attack events.

Usage guidelines

For the DNS flood attack detection to collaborate with the DNS client verification, make sure the client-verify keyword is specified and the DNS client verification is enabled. To enable DNS client verification, use the client-verify dns enable command.

Examples

# Specify drop as the global action against DNS flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood action drop

Related commands

dns-flood detect

dns-flood detect non-specific

dns-flood threshold

client-verify dns enable

dns-flood detect

Use dns-flood detect to configure IP address-specific DNS flood attack detection.

Use undo dns-flood detect to remove the IP address-specific DNS flood attack detection configuration.

Syntax

dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific DNS flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

port port-list: Specifies a space-separated list of up to 24 port number items for a protected IPv4 address or a protected IPv6 address. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Specifies the threshold for triggering DNS flood attack prevention. The value range is 1 to 1000000 in units of DNS packets sent to the specified IP address per second.

action: Specifies the actions when a DNS flood attack is detected. If no action is specified, the global actions set by the dns-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent DNS packets destined for the protected IP address.

logging: Enables logging for DNS flood attack events.

none: Takes no action.

Usage guidelines

With DNS flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of DNS packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure DNS flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect ip 192.168.1.2 port 53 threshold 2000

Related commands

dns-flood action

dns-flood detect non-specific

dns-flood threshold

dns-flood port

dns-flood detect non-specific

Use dns-flood detect non-specific to enable global DNS flood attack detection.

Use undo dns-flood detect non-specific to disable global DNS flood attack detection.

Syntax

dns-flood detect non-specific

undo dns-flood detect non-specific

Default

Global DNS flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global DNS flood attack detection applies to all IP addresses except for those specified by the dns-flood detect command. The global detection uses the global trigger threshold set by the dns-flood threshold command and global actions specified by the dns-flood action command.

Examples

# Enable global DNS flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect non-specific

Related commands

dns-flood action

dns-flood detect

dns-flood threshold

dns-flood port

Use dns-flood port to specify the global ports to be protected against DNS flood attacks.

Use undo dns-flood port to restore the default.

Syntax

dns-flood port port-list

undo dns-flood port

Default

The global DNS flood attack prevention protects port 53.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.

Usage guidelines

The device detects only DNS packets destined for the specified ports.

The global ports apply to global DNS flood attack detection and IP address-specific DNS flood attack detection with no port specified.
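The port-list argument has a small grammar of its own (single ports, "start to end" ranges, an item limit, and the rule that the end port may not be smaller than the start port), and the same grammar is used by the port option of dns-flood detect with a lower item limit. The validator below is an added example, not H3C code; it parses a port list under those documented rules, applies the per-address-overrides-global precedence stated above, and answers whether a given destination port would be inspected. The 0 to 65535 port range and all function names are this example's own assumptions.

```python
"""Validator for the port-list argument of 'dns-flood port' and the port option
of 'dns-flood detect', following the rules stated in this reference.

Added example, not H3C code. Rules taken from the text: items are
space-separated, each item is a single port or 'start-port to end-port',
the end port may not be smaller than the start port, and the list holds at
most 32 items (24 for the per-address form). The 0 to 65535 port range is an
assumption of this example.
"""
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]

GLOBAL_MAX_ITEMS = 32      # 'dns-flood port'
SPECIFIC_MAX_ITEMS = 24    # 'dns-flood detect ... port'
DEFAULT_GLOBAL_PORTS: List[PortRange] = [(53, 53)]   # documented default


def _check_port(token: str) -> int:
    if not token.isdigit():
        raise ValueError(f"port {token!r} is not a number")
    port = int(token)
    if not 0 <= port <= 65535:          # assumed valid TCP/UDP port range
        raise ValueError(f"port {port} outside 0 to 65535")
    return port


def parse_port_list(port_list: str, max_items: int = GLOBAL_MAX_ITEMS) -> List[PortRange]:
    """Parse text such as '53 61000' or '53 5300 to 5310' into (start, end) pairs."""
    tokens = port_list.split()
    ranges: List[PortRange] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "to":
            raise ValueError("'to' must sit between a start port and an end port")
        start = _check_port(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = _check_port(tokens[i + 2])
            if end < start:
                raise ValueError(f"end port {end} is smaller than start port {start}")
            i += 3
        else:
            end = start
            i += 1
        ranges.append((start, end))
    if not ranges:
        raise ValueError("port list is empty")
    if len(ranges) > max_items:
        raise ValueError(f"{len(ranges)} items exceed the maximum of {max_items}")
    return ranges


def effective_ports(global_ports: List[PortRange],
                    specific_ports: Optional[List[PortRange]] = None) -> List[PortRange]:
    """A per-address port list overrides the global list; otherwise global applies."""
    return specific_ports if specific_ports is not None else global_ports


def port_is_protected(ranges: List[PortRange], port: int) -> bool:
    """True if a DNS packet to this destination port would be inspected."""
    return any(lo <= port <= hi for lo, hi in ranges)


if __name__ == "__main__":
    global_ports = parse_port_list("53 61000")   # the example from this reference
    print(global_ports)
    print("61000 inspected:", port_is_protected(global_ports, 61000))
    print("5353 inspected:", port_is_protected(global_ports, 5353))
```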

Examples

# Specify the ports 53 and 61000 as the global ports to be protected against DNS flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood port 53 61000

Related commands

dns-flood action

dns-flood detect

dns-flood detect non-specific

dns-flood threshold

Use dns-flood threshold to set the global threshold for triggering DNS flood attack prevention.

Use undo dns-flood threshold to restore the default.

Syntax

dns-flood threshold threshold-value

undo dns-flood threshold

Default

The global threshold is 1000 for triggering DNS flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of DNS packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global DNS flood attack detection. Adjust the threshold according to the application scenarios. If the number of DNS packets sent to a protected DNS server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global DNS flood attack detection configured, the device is in attack detection state. When the sending rate of DNS packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Set the global threshold to 100 for triggering DNS flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] dns-flood threshold 100

Related commands

dns-flood action

dns-flood detect

dns-flood detect non-specific

exempt acl

Use exempt acl to configure attack detection exemption.

Use undo exempt acl to restore the default.

Syntax

exempt acl [ ipv6 ] { acl-number | name acl-name }

undo exempt acl [ ipv6 ]

Default

Attack detection exemption is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not use this keyword.

acl-number: Specifies an ACL by its number:

·     2000 to 2999 for basic ACLs.

·     3000 to 3999 for advanced ACLs.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be all.

Usage guidelines

The attack defense policy uses an ACL to identify exempted packets. The policy does not check the packets permitted by the ACL. You can configure the ACL to identify packets from trusted hosts. The exemption feature reduces the false alarm rate and improves packet processing efficiency.

If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit rules take effect:

·     Source IP address.

·     Destination IP address.

·     Source port.

·     Destination port.

·     Protocol.

·     L3VPN instance.

·     fragment keyword for matching non-first fragments.

If the specified ACL does not exist or does not contain a rule, attack detection exemption does not take effect.

Examples

# Configure an ACL to permit packets sourced from 1.1.1.1. Configure attack detection exemption for packets matching the ACL in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] exempt acl 2001

Related commands

attack-defense policy

fin-flood action

Use fin-flood action to specify global actions against FIN flood attacks.

Use undo fin-flood action to restore the default.

Syntax

fin-flood action { client-verify | drop | logging } *

undo fin-flood action

Default

No global action is specified for FIN flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent FIN packets destined for the victim IP addresses.

logging: Enables logging for FIN flood attack events.

Usage guidelines

For the FIN flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.

Examples

# Specify drop as the global action against FIN flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood action drop

Related commands

client-verify tcp enable

fin-flood detect

fin-flood detect non-specific

fin-flood threshold

fin-flood detect

Use fin-flood detect to configure IP address-specific FIN flood attack detection.

Use undo fin-flood detect to remove the IP address-specific FIN flood attack detection configuration.

Syntax

fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific FIN flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering FIN flood attack prevention. The value range is 1 to 1000000 in units of FIN packets sent to the specified IP address per second.

action: Specifies the actions when a FIN flood attack is detected. If no action is specified, the global actions set by the fin-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent FIN packets destined for the protected IP address.

logging: Enables logging for FIN flood attack events.

none: Takes no action.

Usage guidelines

With FIN flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of FIN packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure FIN flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect ip 192.168.1.2 threshold 2000

Related commands

fin-flood action

fin-flood detect non-specific

fin-flood threshold

fin-flood detect non-specific

Use fin-flood detect non-specific to enable global FIN flood attack detection.

Use undo fin-flood detect non-specific to disable global FIN flood attack detection.

Syntax

fin-flood detect non-specific

undo fin-flood detect non-specific

Default

Global FIN flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global FIN flood attack detection applies to all IP addresses except for those specified by the fin-flood detect command. The global detection uses the global trigger threshold set by the fin-flood threshold command and global actions specified by the fin-flood action command.

Examples

# Enable global FIN flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood detect non-specific

Related commands

fin-flood action

fin-flood detect

fin-flood threshold

fin-flood threshold

Use fin-flood threshold to set the global threshold for triggering FIN flood attack prevention.

Use undo fin-flood threshold to restore the default.

Syntax

fin-flood threshold threshold-value

undo fin-flood threshold

Default

The global threshold is 1000 for triggering FIN flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of FIN packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global FIN flood attack detection. Adjust the threshold according to the application scenarios. If the number of FIN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global FIN flood attack detection configured, the device is in attack detection state. When the sending rate of FIN packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Set the global threshold to 100 for triggering FIN flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] fin-flood threshold 100

Related commands

fin-flood action

fin-flood detect

fin-flood detect non-specific

http-flood action

Use http-flood action to specify global actions against HTTP flood attacks.

Use undo http-flood action to restore the default.

Syntax

http-flood action { client-verify | drop | logging } *

undo http-flood action

Default

No global action is specified for HTTP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent HTTP packets destined for the victim IP addresses.

logging: Enables logging for HTTP flood attack events.

Usage guidelines

For the HTTP flood attack detection to collaborate with the HTTP client verification, make sure the client-verify keyword is specified and the HTTP client verification is enabled. To enable HTTP client verification, use the client-verify http enable command.

Examples

# Specify drop as the global action against HTTP flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood action drop

Related commands

client-verify http enable

http-flood detect

http-flood detect non-specific

http-flood threshold

http-flood detect

Use http-flood detect to configure IP address-specific HTTP flood attack detection.

Use undo http-flood detect to remove the IP address-specific HTTP flood attack detection configuration.

Syntax

http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific HTTP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

port port-list: Specifies a space-separated list of up to 24 port number items for a protected IPv4 address or a protected IPv6 address. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Specifies the threshold for triggering HTTP flood attack prevention. The value range is 1 to 1000000 in units of HTTP packets sent to the specified IP address per second.

action: Specifies the actions when an HTTP flood attack is detected. If no action is specified, the global actions set by the http-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for HTTP client verification. If HTTP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent HTTP packets destined for the protected IP address.

logging: Enables logging for HTTP flood attack events.

none: Takes no action.

Usage guidelines

With HTTP flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of HTTP packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
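The three mechanisms this family of commands shares, the port-list format (single ports and start-to-end ranges, up to 32 items), the precedence of IP address-specific settings over the global threshold, actions and ports, and the trigger/silence-threshold state machine (prevention state entered when the rate reaches the threshold, detection state resumed when the rate drops below three-fourths of it), are modeled below in Python. This is an added illustration, not Comware code or output, and it generalizes over all the *-flood commands on this page; the FloodPolicy/IpRule/FloodDetector classes, the 0 to 65535 port bound and the per-second traffic counts are constructed assumptions.

```python
"""Model of the flood-detection behaviour described in this reference: global
(non-specific) settings, IP-specific overrides, and the per-IP state machine
whose silence threshold is three-fourths of the trigger threshold.
Illustration only, not Comware code; all traffic figures are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

MAX_PORT_ITEMS = 32  # "up to 32 port number items" for the global port list


def parse_port_list(items: Sequence[str], max_items: int = MAX_PORT_ITEMS) -> FrozenSet[int]:
    """Expand a port-list such as ["80", "8000 to 8080"] into a set of ports.

    Each item is a port number or a range "start to end"; the end cannot be
    smaller than the start, and at most max_items items are accepted. The
    0-65535 bound is the TCP/UDP port space (an assumption, not from the page).
    """
    if not 1 <= len(items) <= max_items:
        raise ValueError(f"port-list needs 1 to {max_items} items, got {len(items)}")
    ports = set()
    for item in items:
        parts = item.split()
        if len(parts) == 1:
            start = end = int(parts[0])
        elif len(parts) == 3 and parts[1] == "to":
            start, end = int(parts[0]), int(parts[2])
        else:
            raise ValueError(f"malformed port item: {item!r}")
        if not (0 <= start <= end <= 65535):
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(start, end + 1))
    return frozenset(ports)


@dataclass
class IpRule:
    """One '<proto>-flood detect ip ...' entry (constructed model).

    None means the option was not given and the global value applies; an
    empty action set models the explicit 'action none'.
    """
    threshold: Optional[int] = None
    actions: Optional[FrozenSet[str]] = None
    ports: Optional[FrozenSet[int]] = None


@dataclass
class FloodPolicy:
    """Flood settings of one attack-defense policy for one protocol."""
    global_threshold: int = 1000                    # '<proto>-flood threshold' default
    global_actions: FrozenSet[str] = frozenset()    # no global action by default
    global_ports: FrozenSet[int] = frozenset({80})  # 'http-flood port' default
    global_detect: bool = False                     # '<proto>-flood detect non-specific'
    ip_rules: Dict[str, IpRule] = field(default_factory=dict)

    def effective(self, dst_ip: str) -> Optional[Tuple[int, FrozenSet[str], FrozenSet[int]]]:
        """Resolve (threshold, actions, ports) for dst_ip; None if nothing watches it.

        An address with its own rule is excluded from global detection, and every
        option the rule leaves unset inherits the corresponding global value.
        """
        rule = self.ip_rules.get(dst_ip)
        if rule is None:
            if not self.global_detect:
                return None
            return self.global_threshold, self.global_actions, self.global_ports
        return (
            self.global_threshold if rule.threshold is None else rule.threshold,
            self.global_actions if rule.actions is None else rule.actions,
            self.global_ports if rule.ports is None else rule.ports,
        )


@dataclass
class FloodDetector:
    """Detection/prevention state machine for one protected address."""
    threshold: int
    actions: FrozenSet[str]
    in_prevention: bool = False

    @property
    def silence_threshold(self) -> float:
        return self.threshold * 3 / 4  # "three-fourths of the threshold"

    def observe(self, pps: int) -> Tuple[str, FrozenSet[str]]:
        """Feed one second's packet count; return (state, actions applied)."""
        if not self.in_prevention and pps >= self.threshold:
            self.in_prevention = True    # the rate *reached* the threshold
        elif self.in_prevention and pps < self.silence_threshold:
            self.in_prevention = False   # the rate fell *below* the silence threshold
        if self.in_prevention:
            return "prevention", self.actions
        return "detection", frozenset()


def simulate(policy: FloodPolicy, dst_ip: str, counts: Sequence[int]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Run constructed per-second packet counts toward dst_ip through the policy."""
    resolved = policy.effective(dst_ip)
    if resolved is None:
        return []
    threshold, actions, _ports = resolved
    detector = FloodDetector(threshold, actions)
    return [(state, tuple(sorted(acts))) for state, acts in map(detector.observe, counts)]
```

Note that a rate exactly at the silence threshold keeps the device in prevention state, since only a rate below it returns the device to detection state.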

Examples

# Configure HTTP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood detect ip 192.168.1.2 port 80 8080 threshold 2000

Related commands

http-flood action

http-flood detect non-specific

http-flood threshold

http-flood port

http-flood detect non-specific

Use http-flood detect non-specific to enable global HTTP flood attack detection.

Use undo http-flood detect non-specific to disable global HTTP flood attack detection.

Syntax

http-flood detect non-specific

undo http-flood detect non-specific

Default

Global HTTP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global HTTP flood attack detection applies to all IP addresses except for those specified by the http-flood detect command. The global detection uses the global trigger threshold set by the http-flood threshold command and global actions specified by the http-flood action command.

Examples

# Enable global HTTP flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood detect non-specific

Related commands

http-flood action

http-flood detect

http-flood threshold

http-flood port

Use http-flood port to specify the global ports to be protected against HTTP flood attacks.

Use undo http-flood port to restore the default.

Syntax

http-flood port port-list

undo http-flood port

Default

The global HTTP flood attack prevention protects port 80.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

port-list: Specifies a space-separated list of up to 32 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number.

Usage guidelines

The device detects only HTTP packets destined for the specified ports.

The global ports apply to global HTTP flood attack detection and IP address-specific HTTP flood attack detection with no port specified.

Examples

# Specify the ports 80 and 8080 as the global ports to be protected against HTTP flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood port 80 8080

Related commands

http-flood action

http-flood detect

http-flood detect non-specific

http-flood threshold

Use http-flood threshold to set the global threshold for triggering HTTP flood attack prevention.

Use undo http-flood threshold to restore the default.

Syntax

http-flood threshold threshold-value

undo http-flood threshold

Default

The global threshold is 1000 for triggering HTTP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of HTTP packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global HTTP flood attack detection. Adjust the threshold according to the application scenarios. If the number of HTTP packets sent to a protected HTTP server is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global HTTP flood attack detection configured, the device is in attack detection state. When the sending rate of HTTP packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Set the global threshold to 100 for triggering HTTP flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] http-flood threshold 100

Related commands

http-flood action

http-flood detect

http-flood detect non-specific

icmp-flood action

Use icmp-flood action to specify global actions against ICMP flood attacks.

Use undo icmp-flood action to restore the default.

Syntax

icmp-flood action { drop | logging } *

undo icmp-flood action

Default

No global action is specified for ICMP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent ICMP packets destined for the victim IP addresses.

logging: Enables logging for ICMP flood attack events.

Examples

# Specify drop as the global action against ICMP flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood action drop

Related commands

icmp-flood detect non-specific

icmp-flood detect ip

icmp-flood threshold

icmp-flood detect ip

Use icmp-flood detect ip to configure IP address-specific ICMP flood attack detection.

Use undo icmp-flood detect ip to remove the IP address-specific ICMP flood attack detection configuration.

Syntax

icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ]

Default

IP address-specific ICMP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be 255.255.255.255 or 0.0.0.0.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering ICMP flood attack prevention. The value range is 1 to 1000000 in units of ICMP packets sent to the specified IP address per second.

action: Specifies the actions when an ICMP flood attack is detected. If no action is specified, the global actions set by the icmp-flood action command apply.

drop: Drops subsequent ICMP packets destined for the protected IP address.

logging: Enables logging for ICMP flood attack events.

none: Takes no action.

Usage guidelines

With ICMP flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of ICMP packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure ICMP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect ip 192.168.1.2 threshold 2000

Related commands

icmp-flood action

icmp-flood detect non-specific

icmp-flood threshold

icmp-flood detect non-specific

Use icmp-flood detect non-specific to enable global ICMP flood attack detection.

Use undo icmp-flood detect non-specific to disable global ICMP flood attack detection.

Syntax

icmp-flood detect non-specific

undo icmp-flood detect non-specific

Default

Global ICMP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ICMP flood attack detection applies to all IP addresses except for those specified by the icmp-flood detect ip command. The global detection uses the global trigger threshold set by the icmp-flood threshold command and global actions specified by the icmp-flood action command.

Examples

# Enable global ICMP flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood detect non-specific

Related commands

icmp-flood action

icmp-flood detect ip

icmp-flood threshold

icmp-flood threshold

Use icmp-flood threshold to set the global threshold for triggering ICMP flood attack prevention.

Use undo icmp-flood threshold to restore the default.

Syntax

icmp-flood threshold threshold-value

undo icmp-flood threshold

Default

The global threshold is 1000 for triggering ICMP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMP packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global ICMP flood attack detection. Adjust the threshold according to the application scenarios. If the number of ICMP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global ICMP flood attack detection configured, the device is in attack detection state. When the sending rate of ICMP packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Set the global threshold to 100 for triggering ICMP flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmp-flood threshold 100

Related commands

icmp-flood action

icmp-flood detect ip

icmp-flood detect non-specific

icmpv6-flood action

Use icmpv6-flood action to specify global actions against ICMPv6 flood attacks.

Use undo icmpv6-flood action to restore the default.

Syntax

icmpv6-flood action { drop | logging } *

undo icmpv6-flood action

Default

No global action is specified for ICMPv6 flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent ICMPv6 packets destined for the victim IP addresses.

logging: Enables logging for ICMPv6 flood attack events.

Examples

# Specify drop as the global action against ICMPv6 flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood action drop

Related commands

icmpv6-flood detect ipv6

icmpv6-flood detect non-specific

icmpv6-flood threshold

icmpv6-flood detect ipv6

Use icmpv6-flood detect ipv6 to configure IPv6 address-specific ICMPv6 flood attack detection.

Use undo icmpv6-flood detect ipv6 to remove the IPv6 address-specific ICMPv6 flood attack detection configuration.

Syntax

icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ]

Default

IPv6 address-specific ICMPv6 flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IPv6 address is on the public network.

threshold threshold-value: Specifies the threshold for triggering ICMPv6 flood attack prevention. The value range is 1 to 1000000 in units of ICMPv6 packets sent to the specified IP address per second.

action: Specifies the actions when an ICMPv6 flood attack is detected. If no action is specified, the global actions set by the icmpv6-flood action command apply.

drop: Drops subsequent ICMPv6 packets destined for the protected IPv6 address.

logging: Enables logging for ICMPv6 flood attack events.

none: Takes no action.

Usage guidelines

With ICMPv6 flood attack detection configured for an IPv6 address, the device is in attack detection state. When the sending rate of ICMPv6 packets to the IPv6 address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure ICMPv6 flood attack detection for 2012::12 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect ipv6 2012::12 threshold 2000

Related commands

icmpv6-flood action

icmpv6-flood detect non-specific

icmpv6-flood threshold

icmpv6-flood detect non-specific

Use icmpv6-flood detect non-specific to enable global ICMPv6 flood attack detection.

Use undo icmpv6-flood detect non-specific to disable global ICMPv6 flood attack detection.

Syntax

icmpv6-flood detect non-specific

undo icmpv6-flood detect non-specific

Default

Global ICMPv6 flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global ICMPv6 flood attack detection applies to all IPv6 addresses except for those specified by the icmpv6-flood detect ipv6 command. The global detection uses the global trigger threshold set by the icmpv6-flood threshold command and global actions specified by the icmpv6-flood action command.

Examples

# Enable global ICMPv6 flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood detect non-specific

Related commands

icmpv6-flood action

icmpv6-flood detect ipv6

icmpv6-flood threshold

icmpv6-flood threshold

Use icmpv6-flood threshold to set the global threshold for triggering ICMPv6 flood attack prevention.

Use undo icmpv6-flood threshold to restore the default.

Syntax

icmpv6-flood threshold threshold-value

undo icmpv6-flood threshold

Default

The global threshold is 1000 for triggering ICMPv6 flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of ICMPv6 packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global ICMPv6 flood attack detection. Adjust the threshold according to the application scenarios. If the number of ICMPv6 packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global ICMPv6 flood attack detection configured, the device is in attack detection state. When the sending rate of ICMPv6 packets to an IPv6 address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Set the global threshold to 100 for triggering ICMPv6 flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] icmpv6-flood threshold 100

Related commands

icmpv6-flood action

icmpv6-flood detect ipv6

icmpv6-flood detect non-specific

reset attack-defense policy flood

Use reset attack-defense policy flood statistics to clear flood attack detection and prevention statistics for protected IP addresses.

Syntax

reset attack-defense policy policy-name flood protected { ip | ipv6 } statistics

Views

User view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).

ip: Specifies protected IPv4 addresses.

ipv6: Specifies protected IPv6 addresses.

statistics: Clears flood attack detection and prevention statistics.

Examples

# Clear flood attack detection and prevention statistics for protected IPv4 addresses in the attack defense policy abc.

<Sysname> reset attack-defense policy abc flood protected ip statistics

# Clear flood attack detection and prevention statistics for protected IPv6 addresses in the attack defense policy abc.

<Sysname> reset attack-defense policy abc flood protected ipv6 statistics

Related commands

display attack-defense policy ip

display attack-defense policy ipv6

reset attack-defense statistics interface

Use reset attack-defense statistics interface to clear attack detection and prevention statistics for an interface.

Syntax

reset attack-defense statistics interface interface-type interface-number

Views

User view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Examples

# Clear attack detection and prevention statistics for interface GigabitEthernet 1/0/1.

<Sysname> reset attack-defense statistics interface gigabitethernet 1/0/1

Related commands

display attack-defense policy

reset attack-defense statistics local

Use reset attack-defense statistics local to clear attack detection and prevention statistics for the device.

Syntax

reset attack-defense statistics local

Views

User view

Predefined user roles

network-admin

Examples

# Clear attack detection and prevention statistics for the device.

<Sysname> reset attack-defense statistics local

Related commands

display attack-defense statistics local

reset attack-defense top-attack-statistics

Use reset attack-defense top-attack-statistics to clear top 10 attack statistics.

Syntax

reset attack-defense top-attack-statistics

Views

User view

Predefined user roles

network-admin

network-operator

Examples

# Clear top 10 attack statistics.

<Sysname> reset attack-defense top-attack-statistics

Related commands

attack-defense top-attack-statistics enable

display attack-defense top-attack-statistics

reset blacklist ip

Use reset blacklist ip to clear dynamic IPv4 blacklist entries.

Syntax

reset blacklist ip { source-ip-address [ vpn-instance vpn-instance-name ] [ ds-lite-peer ds-lite-peer-address ] | all }

Views

User view

Predefined user roles

network-admin

Parameters

source-ip-address: Specifies the IPv4 address for a blacklist entry.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv4 address is on the public network.

ds-lite-peer ds-lite-peer-address: Specifies the IPv6 address of the B4 element of the DS-Lite tunnel that transmits packets from the blacklisted IPv4 address. Do not specify this option if the IPv4 address is on the public network.

all: Specifies all dynamic IPv4 blacklist entries.

Usage guidelines

This command deletes dynamic IPv4 blacklist entries. To delete manual IPv4 blacklist entries, use the undo blacklist ip command.

Examples

# Clear all dynamic IPv4 blacklist entries.

<Sysname> reset blacklist ip all

Related commands

display blacklist ip

reset blacklist ipv6

Use reset blacklist ipv6 to clear dynamic IPv6 blacklist entries.

Syntax

reset blacklist ipv6 { source-ipv6-address [ vpn-instance vpn-instance-name ] | all }

Views

User view

Predefined user roles

network-admin

Parameters

source-ipv6-address: Specifies the IPv6 address for a blacklist entry.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv6 address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the IPv6 address is on the public network.

all: Specifies all dynamic IPv6 blacklist entries.

Usage guidelines

This command deletes dynamic IPv6 blacklist entries. To delete manual IPv6 blacklist entries, use the undo blacklist ipv6 command.

Examples

# Clear all dynamic IPv6 blacklist entries.

<Sysname> reset blacklist ipv6 all

Related commands

display blacklist ipv6

reset blacklist statistics

Use reset blacklist statistics to clear blacklist statistics.

Syntax

reset blacklist statistics

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command resets the counter for dropped packets for all blacklist entries.

Examples

# Clear blacklist statistics.

<Sysname> reset blacklist statistics

Related commands

display blacklist ip

display blacklist ipv6

reset client-verify protected statistics

Use reset client-verify protected statistics to clear protected IP statistics for client verification.

Syntax

reset client-verify { dns | http | tcp } protected { ip | ipv6 } statistics

Views

User view

Predefined user roles

network-admin

Parameters

dns: Specifies the DNS client verification feature.

http: Specifies the HTTP client verification feature.

tcp: Specifies the TCP client verification feature.

ip: Specifies the protected IPv4 list.

ipv6: Specifies the protected IPv6 list.

Examples

# Clear the protected IPv4 statistics for TCP client verification.

<Sysname> reset client-verify tcp protected ip statistics

Related commands

display client-verify protected ip

display client-verify protected ipv6

reset client-verify trusted

Use reset client-verify trusted to clear the trusted IP list for client verification.

Syntax

reset client-verify { dns | http | tcp } trusted { ip | ipv6 }

Views

User view

Predefined user roles

network-admin

Parameters

dns: Specifies the DNS client verification feature.

http: Specifies the HTTP client verification feature.

tcp: Specifies the TCP client verification feature.

ip: Specifies the trusted IPv4 list.

ipv6: Specifies the trusted IPv6 list.

Examples

# Clear the trusted IPv4 list for DNS client verification.

<Sysname> reset client-verify dns trusted ip

Related commands

display client-verify trusted ip

display client-verify trusted ipv6

reset whitelist statistics

Use reset whitelist statistics to clear statistics about packets that match the address object groups of the whitelist.

Syntax

reset whitelist statistics

Views

User view

Predefined user roles

network-admin

Usage guidelines

This command clears statistics about packets that match all address object groups of the whitelist.

Examples

# Clear statistics about packets that match the address object groups of the whitelist.

<Sysname> reset whitelist statistics

Related commands

display whitelist object-group

rst-flood action

Use rst-flood action to specify global actions against RST flood attacks.

Use undo rst-flood action to restore the default.

Syntax

rst-flood action { client-verify | drop | logging } *

undo rst-flood action

Default

No global action is specified for RST flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent RST packets destined for the victim IP addresses.

logging: Enables logging for RST flood attack events.

Usage guidelines

For the RST flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.

Examples

# Specify drop as the global action against RST flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood action drop

Related commands

client-verify tcp enable

rst-flood detect

rst-flood detect non-specific

rst-flood threshold

rst-flood detect

Use rst-flood detect to configure IP address-specific RST flood attack detection.

Use undo rst-flood detect to remove the IP address-specific RST flood attack detection configuration.

Syntax

rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific RST flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering RST flood attack prevention. The value range is 1 to 1000000 in units of RST packets sent to the specified IP address per second.

action: Specifies the actions when an RST flood attack is detected. If no action is specified, the global actions set by the rst-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent RST packets destined for the protected IP address.

logging: Enables logging for RST flood attack events.

none: Takes no action.

Usage guidelines

With RST flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of RST packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure RST flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect ip 192.168.1.2 threshold 2000

Related commands

rst-flood action

rst-flood detect non-specific

rst-flood threshold

rst-flood detect non-specific

Use rst-flood detect non-specific to enable global RST flood attack detection.

Use undo rst-flood detect non-specific to disable global RST flood attack detection.

Syntax

rst-flood detect non-specific

undo rst-flood detect non-specific

Default

Global RST flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global RST flood attack detection applies to all IP addresses except for those specified by the rst-flood detect command. The global detection uses the global trigger threshold set by the rst-flood threshold command and global actions specified by the rst-flood action command.

Examples

# Enable global RST flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood detect non-specific

Related commands

rst-flood action

rst-flood detect

rst-flood threshold

rst-flood threshold

Use rst-flood threshold to set the global threshold for triggering RST flood attack prevention.

Use undo rst-flood threshold to restore the default.

Syntax

rst-flood threshold threshold-value

undo rst-flood threshold

Default

The global threshold is 1000 for triggering RST flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of RST packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global RST flood attack detection. Adjust the threshold according to the application scenarios. If the number of RST packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global RST flood attack detection configured, the device is in attack detection state. When the sending rate of RST packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Set the global threshold to 100 for triggering RST flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100

Related commands

rst-flood action

rst-flood detect

rst-flood detect non-specific

scan detect

Use scan detect to configure scanning attack detection.

Use undo scan detect to remove the scanning attack detection configuration.

Syntax

scan detect level { { high | low | medium } | user-defined { port-scan-threshold threshold-value | ip-sweep-threshold threshold-value } * [ period period-value ] } action { { block-source [ timeout minutes ] | drop } | logging } *

undo scan detect level { high | low | medium }

Default

Scanning attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

level: Specifies the level of the scanning attack detection.

high: Specifies the high level. This level can detect most of the scanning attacks, but has a high false alarm rate. Some packets from active hosts might be considered attack packets. For high level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 5000 packets in a detection cycle. The threshold for triggering IP sweep attack prevention is 5000 packets in a detection cycle.

low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected. For low level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 100000 packets in a detection cycle. The threshold for triggering IP sweep attack prevention is 100000 packets in a detection cycle.

medium: Specifies the medium level. Compared with the high and low levels, this level has a medium false alarm rate and medium attack detection accuracy. For medium level detection, the detection cycle is 10 seconds. The threshold for triggering port scan attack prevention is 40000 packets in a detection cycle. The threshold for triggering IP sweep attack prevention is 40000 packets in a detection cycle.

user-defined: Specifies the user-defined level. This level allows you to set the thresholds and detection cycle for port scan and IP sweep attacks on demand.

port-scan-threshold threshold-value: Sets the user-defined threshold for triggering port scan attack prevention. The value range is 1 to 1000000000. This threshold defines the maximum number of packets sent from an IP address to different ports within a detection cycle.

ip-sweep-threshold threshold-value: Sets the user-defined threshold for triggering IP sweep attack prevention. The value range is 1 to 1000000000. This threshold defines the maximum number of packets sent from an IP address to different IP addresses within a detection cycle.

period period-value: Sets the scanning attack detection cycle in the range of 1 to 1000000000 seconds. The default value is 10.

action: Specifies the actions against scanning attacks.

block-source: Adds the attackers' IP addresses to the IP blacklist. If the blacklist feature is enabled on the receiving interface, the device drops subsequent packets from the blacklisted IP addresses.

timeout minutes: Specifies the aging timer in minutes for the dynamically added blacklist entries, in the range of 1 to 1000. The default aging timer is 10 minutes.

drop: Drops subsequent packets from detected scanning attack sources.

logging: Enables logging for scanning attack events.

Usage guidelines

To collaborate with the IP blacklist feature, make sure the blacklist feature is enabled on the interface to which the attack defense policy is applied.

The aging timer set by the timeout minutes option must be longer than the statistics collection interval.
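The detection cycle, the two thresholds and the block-source aging timer described above can be modelled as a small per-source counter. The following is an added Python illustration, not the device's implementation: the ScanDetector class, its counting of distinct targets per source, and the flow records it runs over are all constructed for this example.

```python
from collections import defaultdict

# Thresholds and detection cycle of the predefined levels, as documented for
# scan detect: (port-scan threshold, IP-sweep threshold, cycle in seconds).
LEVELS = {
    "high":   (5000, 5000, 10),
    "medium": (40000, 40000, 10),
    "low":    (100000, 100000, 10),
}


class ScanDetector:
    """Per-source scan detection over a fixed detection cycle.

    Simplification (an assumption, not the device's algorithm): a source's
    port-scan count is the number of distinct (destination, port) targets it
    has contacted in the current cycle, and its IP-sweep count the number of
    distinct destination addresses.
    """

    def __init__(self, port_scan_threshold, ip_sweep_threshold,
                 period=10, block_timeout_min=10):
        self.port_scan_threshold = port_scan_threshold
        self.ip_sweep_threshold = ip_sweep_threshold
        self.period = period                          # detection cycle, seconds
        self.block_timeout = block_timeout_min * 60   # blacklist aging timer, seconds
        self.cycle_start = None
        self.targets = defaultdict(set)   # src -> {(dst, dport)}
        self.dests = defaultdict(set)     # src -> {dst}
        self.blacklist = {}               # src -> expiry timestamp (block-source)
        self.events = []                  # (ts, src, kind): the logging action

    @classmethod
    def from_level(cls, level, **kwargs):
        port_scan, ip_sweep, period = LEVELS[level]
        return cls(port_scan, ip_sweep, period, **kwargs)

    def observe(self, ts, src, dst, dport):
        """Feed one packet; return 'blocked', 'port-scan', 'ip-sweep' or None."""
        # Age out expired dynamic blacklist entries, then enforce the rest.
        for s in [s for s, exp in self.blacklist.items() if exp <= ts]:
            del self.blacklist[s]
        if src in self.blacklist:
            return "blocked"

        # Counters are per detection cycle: start a fresh cycle when it elapses.
        if self.cycle_start is None or ts - self.cycle_start >= self.period:
            self.cycle_start = ts
            self.targets.clear()
            self.dests.clear()

        self.targets[src].add((dst, dport))
        self.dests[src].add(dst)

        kind = None
        if len(self.targets[src]) > self.port_scan_threshold:
            kind = "port-scan"
        elif len(self.dests[src]) > self.ip_sweep_threshold:
            kind = "ip-sweep"
        if kind:
            # block-source with timeout: blacklist the source until the timer expires.
            self.blacklist[src] = ts + self.block_timeout
            self.events.append((ts, src, kind))
        return kind


def run_demo():
    """Run the detector over constructed flow records with small user-defined
    thresholds so the behaviour is visible in a handful of packets."""
    det = ScanDetector(port_scan_threshold=5, ip_sweep_threshold=3,
                       period=30, block_timeout_min=1)
    # Constructed records: (timestamp, source, destination, destination port).
    records = [(t, "10.0.0.9", "192.0.2.10", 1000 + t) for t in range(8)]     # one host, 8 ports
    records += [(20, "10.0.0.7", "192.0.2.%d" % i, 80) for i in range(1, 6)]  # 5 hosts, port 80
    records += [(70, "10.0.0.9", "192.0.2.10", 443)]  # first source returns after its entry aged out
    results = [det.observe(*r) for r in records]
    return results, dict(det.blacklist), list(det.events)
```

The sixth packet from 10.0.0.9 exceeds the port-scan threshold and the source is blacklisted; its later packets are dropped until the one-minute aging timer expires, after which it is evaluated afresh in a new cycle. The usage guideline that the aging timer must exceed the statistics collection interval is visible here: a timer shorter than the period would release the source before the cycle that caught it had even ended.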

Examples

# Configure low level scanning attack detection and specify the prevention action as drop in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action drop

# Configure scanning attack detection in the attack defense policy atk-policy-1. Specify the detection level as low and the prevention actions as block-source and logging. Set the aging time for the dynamically added IP blacklist entries to 10 minutes.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging block-source timeout 10

# Configure scanning attack detection in attack defense policy atk-policy-1. Specify the detection level as user-defined and detection cycle as 30 seconds. Set the port scan attack prevention threshold and IP sweep attack prevention threshold to 6000 packets and 80000 packets, respectively. Specify the prevention action as block-source and logging. Set the aging time for the dynamically added IP blacklist entries to 10 minutes.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] scan detect level user-defined port-scan-threshold 6000 ip-sweep-threshold 80000 period 30 action logging block-source timeout 10

Related commands

blacklist enable

blacklist global enable

signature { large-icmp | large-icmpv6 } max-length

Use signature { large-icmp | large-icmpv6 } max-length to set the maximum length of safe ICMP or ICMPv6 packets. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.

Use undo signature { large-icmp | large-icmpv6 } max-length to restore the default.

Syntax

signature { large-icmp | large-icmpv6 } max-length length

undo signature { large-icmp | large-icmpv6 } max-length

Default

The maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

large-icmp: Specifies the large ICMP packet attack signature.

large-icmpv6: Specifies the large ICMPv6 packet attack signature.

length: Specifies the maximum length of safe ICMP or ICMPv6 packets, in bytes. The value range for ICMP packets is 28 to 65534. The value range for ICMPv6 packets is 48 to 65534.

Examples

# Set the maximum length of safe ICMP packets for large ICMP attack to 50000 bytes in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature large-icmp max-length 50000

Related commands

signature detect

signature detect

Use signature detect to enable signature detection for single-packet attacks and specify the prevention actions.

Use undo signature detect to disable signature detection for single-packet attacks.

Syntax

signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]

undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke }

signature detect { ip-option-abnormal | ping-of-death | teardrop } action [ logging ] drop

undo signature detect { ip-option-abnormal | ping-of-death | teardrop }

signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]

undo signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request }

signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]

undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded }

signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]

undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing }

signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]

undo signature detect ipv6-ext-header ext-header-value

Default

Signature detection is disabled for all single-packet attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

fraggle: Specifies the fraggle attack.

fragment: Specifies the IP fragment attack.

icmp-type: Specifies an ICMP packet attack by the packet type. You can specify the packet type by a number or a keyword:

·     icmp-type-value: Specifies the ICMP packet type in the range of 0 to 255.

·     address-mask-reply: Specifies the ICMP address mask reply type.

·     address-mask-request: Specifies the ICMP address mask request type.

·     destination-unreachable: Specifies the ICMP destination unreachable type.

·     echo-reply: Specifies the ICMP echo reply type.

·     echo-request: Specifies the ICMP echo request type.

·     information-reply: Specifies the ICMP information reply type.

·     information-request: Specifies the ICMP information request type.

·     parameter-problem: Specifies the ICMP parameter problem type.

·     redirect: Specifies the ICMP redirect type.

·     source-quench: Specifies the ICMP source quench type.

·     time-exceeded: Specifies the ICMP time exceeded type.

·     timestamp-reply: Specifies the ICMP timestamp reply type.

·     timestamp-request: Specifies the ICMP timestamp request type.

icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword:

·     icmpv6-type-value: Specifies the ICMPv6 packet type in the range of 0 to 255.

·     destination-unreachable: Specifies the ICMPv6 destination unreachable type.

·     echo-reply: Specifies the ICMPv6 echo reply type.

·     echo-request: Specifies the ICMPv6 echo request type.

·     group-query: Specifies the ICMPv6 group query type.

·     group-reduction: Specifies the ICMPv6 group reduction type.

·     group-report: Specifies the ICMPv6 group report type.

·     packet-too-big: Specifies the ICMPv6 packet too big type.

·     parameter-problem: Specifies the ICMPv6 parameter problem type.

·     time-exceeded: Specifies the ICMPv6 time exceeded type.

impossible: Specifies the IP impossible packet attack.

ip-option: Specifies an IP option. You can specify the IP option by a number or a keyword:

·     option-code: Specifies the IP option in the range of 0 to 255.

·     internet-timestamp: Specifies the timestamp option.

·     loose-source-routing: Specifies the loose source routing option.

·     record-route: Specifies the record route option.

·     route-alert: Specifies the route alert option.

·     security: Specifies the security option.

·     stream-id: Specifies the stream identifier option.

·     strict-source-routing: Specifies the strict source route option.

ip-option-abnormal: Specifies the abnormal IP option attack.

ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255.

land: Specifies the Land attack.

large-icmp: Specifies the large ICMP packet attack.

large-icmpv6: Specifies the large ICMPv6 packet attack.

ping-of-death: Specifies the ping-of-death attack.

smurf: Specifies the smurf attack.

snork: Specifies the UDP snork attack.

tcp-all-flags: Specifies the attack where the TCP packet has all flags set.

tcp-fin-only: Specifies the attack where the TCP packet has only the FIN flag set.

tcp-invalid-flags: Specifies the attack that uses TCP packets with invalid flags.

tcp-null-flag: Specifies the attack where the TCP packet has no flags set.

tcp-syn-fin: Specifies the attack where the TCP packet has both SYN and FIN flags set.

teardrop: Specifies the teardrop attack.

tiny-fragment: Specifies the tiny fragment attack.

traceroute: Specifies the traceroute attack.

udp-bomb: Specifies the UDP bomb attack.

winnuke: Specifies the WinNuke attack.

action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.

drop: Drops packets that match the specified signature.

logging: Enables logging for the specified single-packet attack.

none: Takes no action.

Usage guidelines

You can use this command multiple times to enable signature detection for multiple single-packet attack types.

When you specify a packet type by a number, if the packet type has a corresponding keyword, the keyword is displayed in command output. If the packet type does not have a corresponding keyword, the number is displayed.
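The following added Python illustration shows how a few of the single-packet signatures listed above (land, large-icmp against the signature large-icmp max-length value, and the TCP flag signatures) are matched on a packet header, and how the action for a match is resolved: an explicit action on signature detect wins, otherwise the action of the attack's level applies, as stated for the action keyword above and again under signature level action. It is not device code. The Packet class, the level assignments for the TCP flag signatures and land (assumed medium here; only large-icmp, traceroute and WinNuke have documented levels), the policy dictionary and the constructed headers are assumptions made for the example.

```python
from dataclasses import dataclass

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(TCP_FLAGS.values())   # the six classic flags; assumed meaning of tcp-all-flags
SYN_FIN = TCP_FLAGS["SYN"] | TCP_FLAGS["FIN"]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    length: int          # IP packet length in bytes
    tcp_flags: int = 0   # raw TCP flag bits, TCP only


# Level of each signature. large-icmp (info) is documented; the rest are assumed medium.
SIGNATURE_LEVEL = {
    "large-icmp": "info",
    "land": "medium",
    "tcp-all-flags": "medium",
    "tcp-null-flag": "medium",
    "tcp-syn-fin": "medium",
    "tcp-fin-only": "medium",
}

# Documented default actions per level (signature level action).
DEFAULT_LEVEL_ACTION = {
    "info": {"logging"},
    "low": {"logging"},
    "medium": {"logging", "drop"},
    "high": {"logging", "drop"},
}


def match_signatures(pkt, large_icmp_max_length=4000):
    """Return the names of all signatures the packet matches."""
    hits = []
    if pkt.src == pkt.dst:                        # land: source equals destination
        hits.append("land")
    if pkt.proto == "icmp" and pkt.length > large_icmp_max_length:
        hits.append("large-icmp")                 # longer than signature large-icmp max-length
    if pkt.proto == "tcp":
        flags = pkt.tcp_flags & ALL_FLAGS
        if flags == ALL_FLAGS:
            hits.append("tcp-all-flags")
        if flags == 0:
            hits.append("tcp-null-flag")
        if flags & SYN_FIN == SYN_FIN:
            hits.append("tcp-syn-fin")
        if flags == TCP_FLAGS["FIN"]:
            hits.append("tcp-fin-only")
    return hits


def resolve_actions(signature, policy):
    """Actions for one matched signature. policy keys: level_detect (levels
    enabled by signature level detect), level_action (overrides from signature
    level action), signature_detect (per-signature entries from signature
    detect; None means the action keyword was omitted, set() means 'none')."""
    level = SIGNATURE_LEVEL[signature]
    level_action = policy["level_action"].get(level, DEFAULT_LEVEL_ACTION[level])
    if signature in policy["signature_detect"]:
        explicit = policy["signature_detect"][signature]
        return set(explicit) if explicit is not None else set(level_action)
    if level in policy["level_detect"]:
        return set(level_action)
    return set()                                  # detection not enabled for this signature


def classify(packets, policy, large_icmp_max_length=4000):
    """Return (matched signatures, dropped?, logged?) for each packet."""
    verdicts = []
    for pkt in packets:
        hits = match_signatures(pkt, large_icmp_max_length)
        actions = set()
        for h in hits:
            actions |= resolve_actions(h, policy)
        verdicts.append((hits, "drop" in actions, "logging" in actions))
    return verdicts


def run_demo():
    # Policy equivalent to: signature level medium detect; signature level info
    # action drop; signature detect tcp-syn-fin action logging; signature detect
    # large-icmp (no action keyword, so the info-level action applies).
    policy = {
        "level_detect": {"medium"},
        "level_action": {"info": {"drop"}},
        "signature_detect": {"tcp-syn-fin": {"logging"}, "large-icmp": None},
    }
    packets = [  # constructed headers
        Packet("198.51.100.5", "192.0.2.10", "tcp", 60, SYN_FIN),
        Packet("198.51.100.5", "192.0.2.10", "tcp", 60, 0),
        Packet("192.0.2.10", "192.0.2.10", "tcp", 60, TCP_FLAGS["SYN"]),
        Packet("198.51.100.5", "192.0.2.10", "icmp", 65000),
        Packet("198.51.100.5", "192.0.2.10", "tcp", 60, TCP_FLAGS["SYN"]),
    ]
    return classify(packets, policy)
```

The SYN+FIN packet is only logged because its signature detect entry says so, even though its level would drop it; the null-flag and land packets fall back to the medium-level default (logging and drop); the large ICMP packet is dropped without logging because signature level info action drop replaced the info-level default; the plain SYN matches nothing.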

Examples

# Enable signature detection for smurf attack and specify the prevention action as drop in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature detect smurf action drop

Related commands

signature level action

signature level action

Use signature level action to specify the actions against single-packet attacks on a specific level.

Use undo signature level action to restore the default.

Syntax

signature level { high | info | low | medium } action { { drop | logging } * | none }

undo signature level { high | info | low | medium } action

Default

For informational-level and low-level single-packet attacks, the action is logging.

For medium-level and high-level single-packet attacks, the actions are logging and drop.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.

info: Specifies the informational level. For example, the large ICMP packet attack is on this level.

low: Specifies the low level. For example, the traceroute attack is on this level.

medium: Specifies the medium level. For example, the WinNuke attack is on this level.

drop: Drops packets that match the specified level.

logging: Enables logging for single-packet attacks on the specified level.

none: Takes no action.

Usage guidelines

According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high. Enabling signature detection for a specific level enables signature detection for all single-packet attacks on the level.

If you enable signature detection for a single-packet attack also by using the signature detect command, action parameters in the signature detect command take effect.

Examples

# Specify the action against informational-level single-packet attacks as drop in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature level info action drop

Related commands

signature detect

signature level detect

signature level detect

Use signature level detect to enable signature detection for single-packet attacks on a specific level.

Use undo signature level detect to disable signature detection for single-packet attacks on a specific level.

Syntax

signature level { high | info | low | medium } detect

undo signature level { high | info | low | medium } detect

Default

Signature detection is disabled for all levels of single-packet attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

high: Specifies the high level. None of the currently supported single-packet attacks belongs to this level.

info: Specifies the informational level. For example, the large ICMP packet attack is on this level.

low: Specifies the low level. For example, the traceroute attack is on this level.

medium: Specifies the medium level. For example, the WinNuke attack is on this level.

Usage guidelines

According to their severity, single-packet attacks are divided into four levels: info, low, medium, and high. Enabling signature detection for a specific level enables signature detection for all single-packet attacks on the level. Use the signature level action command to specify the actions against single-packet attacks on a specific level. If you enable signature detection for a single-packet attack also by using the signature detect command, action parameters in the signature detect command take effect.

To display the level to which a single-packet attack belongs, use the display attack-defense policy command.

Examples

# Enable signature detection for informational-level single-packet attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] signature level info detect

Related commands

display attack-defense policy

signature detect

signature level action

syn-ack-flood action

Use syn-ack-flood action to specify global actions against SYN-ACK flood attacks.

Use undo syn-ack-flood action to restore the default.

Syntax

syn-ack-flood action { client-verify | drop | logging } *

undo syn-ack-flood action

Default

No global action is specified for SYN-ACK flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent SYN-ACK packets destined for the victim IP addresses.

logging: Enables logging for SYN-ACK flood attack events.

Usage guidelines

For the SYN-ACK flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.

Examples

# Specify drop as the global action against SYN-ACK flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood action drop

Related commands

client-verify tcp enable

syn-ack-flood detect

syn-ack-flood detect non-specific

syn-ack-flood threshold

syn-ack-flood detect

Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection.

Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.

Syntax

syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific SYN-ACK flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering SYN-ACK flood attack prevention. The value range is 1 to 1000000 in units of SYN-ACK packets sent to the specified IP address per second.

action: Specifies the actions when a SYN-ACK flood attack is detected. If no action is specified, the global actions set by the syn-ack-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent SYN-ACK packets destined for the protected IP address.

logging: Enables logging for SYN-ACK flood attack events.

none: Takes no action.

Usage guidelines

With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN-ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure SYN-ACK flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect ip 192.168.1.2 threshold 2000

Related commands

syn-ack-flood action

syn-ack-flood detect non-specific

syn-ack-flood threshold

syn-ack-flood detect non-specific

Use syn-ack-flood detect non-specific to enable global SYN-ACK flood attack detection.

Use undo syn-ack-flood detect non-specific to disable global SYN-ACK flood attack detection.

Syntax

syn-ack-flood detect non-specific

undo syn-ack-flood detect non-specific

Default

Global SYN-ACK flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global SYN-ACK flood attack detection applies to all IP addresses except for those specified by the syn-ack-flood detect command. The global detection uses the global trigger threshold set by the syn-ack-flood threshold command and global actions specified by the syn-ack-flood action command.

Examples

# Enable global SYN-ACK flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect non-specific

Related commands

syn-ack-flood action

syn-ack-flood detect

syn-ack-flood threshold

syn-ack-flood threshold

Use syn-ack-flood threshold to set the global threshold for triggering SYN-ACK flood attack prevention.

Use undo syn-ack-flood threshold to restore the default.

Syntax

syn-ack-flood threshold threshold-value

undo syn-ack-flood threshold

Default

The global threshold is 1000 for triggering SYN-ACK flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of SYN-ACK packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global SYN-ACK flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN-ACK packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global SYN-ACK flood attack detection configured, the device is in attack detection state. When the sending rate of SYN-ACK packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Set the global threshold to 100 for triggering SYN-ACK flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood threshold 100

Related commands

syn-ack-flood action

syn-ack-flood detect

syn-ack-flood detect non-specific

syn-flood action

Use syn-flood action to specify global actions against SYN flood attacks.

Use undo syn-flood action to restore the default.

Syntax

syn-flood action { client-verify | drop | logging } *

undo syn-flood action

Default

No global action is specified for SYN flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent SYN packets destined for the victim IP addresses.

logging: Enables logging for SYN flood attack events.

Usage guidelines

For the SYN flood attack detection to collaborate with the TCP client verification, make sure the client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client verification, use the client-verify tcp enable command.

Examples

# Specify drop as the global action against SYN flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-flood action drop

Related commands

syn-flood detect

syn-flood detect non-specific

syn-flood threshold

syn-flood detect

Use syn-flood detect to configure IP address-specific SYN flood attack detection.

Use undo syn-flood detect to remove the IP address-specific SYN flood attack detection configuration.

Syntax

syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { client-verify | drop | logging } * | none } ]

undo syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific SYN flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering SYN flood attack prevention. The value range is 1 to 1000000 in units of SYN packets sent to the specified IP address per second.

action: Specifies the actions when a SYN flood attack is detected. If no action is specified, the global actions set by the syn-flood action command apply.

client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client verification is enabled, the device provides proxy services for protected servers.

drop: Drops subsequent SYN packets destined for the protected IP address.

logging: Enables logging for SYN flood attack events.

none: Takes no action.

Usage guidelines

With SYN flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure SYN flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-flood detect ip 192.168.1.2 threshold 2000

Related commands

syn-flood action

syn-flood detect non-specific

syn-flood threshold

syn-flood detect non-specific

Use syn-flood detect non-specific to enable global SYN flood attack detection.

Use undo syn-flood detect non-specific to disable global SYN flood attack detection.

Syntax

syn-flood detect non-specific

undo syn-flood detect non-specific

Default

Global SYN flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global SYN flood attack detection applies to all IP addresses except for those specified by the syn-flood detect command. The global detection uses the global trigger threshold set by the syn-flood threshold command and global actions specified by the syn-flood action command.

Examples

# Enable global SYN flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-flood detect non-specific

Related commands

syn-flood action

syn-flood detect

syn-flood threshold

syn-flood threshold

Use syn-flood threshold to set the global threshold for triggering SYN flood attack prevention.

Use undo syn-flood threshold to restore the default.

Syntax

syn-flood threshold threshold-value

undo syn-flood threshold

Default

The global threshold is 1000 for triggering SYN flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 1000000 in units of SYN packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global SYN flood attack detection. Adjust the threshold according to the application scenarios. If the number of SYN packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global SYN flood attack detection configured, the device is in attack detection state. When the sending rate of SYN packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Set the global threshold to 100 for triggering SYN flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] syn-flood threshold 100

Related commands

syn-flood action

syn-flood detect

syn-flood detect non-specific

threshold-learn apply

Use threshold-learn apply to apply the most recent threshold that the device has learned.

Syntax

threshold-learn apply

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

You can execute this command to apply the most recent threshold that the device has learned to a flood attack defense policy that meets the following requirements:

·     The threshold learning feature is enabled for the policy.

·     Auto applying the learned threshold is disabled for the policy.

The learned threshold is set as the global threshold for triggering flood attack prevention. The command does not take effect when auto application of the learned threshold is enabled for the policy. If you execute this command multiple times, the most recent configuration takes effect.

Before you apply the most recently learned threshold to a flood attack defense policy, make sure global attack detection is enabled for all existing flood types in this policy.

Examples

# Apply the most recent threshold that the device has learned to attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] threshold-learn apply

Related commands

threshold-learn enable

threshold-learn auto-apply enable

Use threshold-learn auto-apply enable to enable auto application of the learned threshold.

Use undo threshold-learn auto-apply enable to disable auto application of the learned threshold.

Syntax

threshold-learn auto-apply enable

undo threshold-learn auto-apply enable

Default

Auto application of the learned threshold is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

This command applies only to flood attack defense policies that are enabled with the threshold learning feature (set with the threshold-learn enable command). Each time the device learns a threshold, it uses the learned value to update the global threshold for triggering flood attack prevention. The formula for calculating the new global threshold is learned threshold × (1 + tolerance value), where the tolerance value is a percentage (with the default tolerance value of 50, the new global threshold is 1.5 times the learned threshold). The learned threshold equals the peak packet sending rate that the device has learned within the learning duration.

To set a tolerance value, execute the threshold-learn tolerance-value command. Setting a tolerance value can prevent packet loss when the network experiences a traffic spike without being attacked.

Before you apply the most recently learned threshold to a flood attack defense policy, make sure global attack detection is enabled for all existing flood types in this policy.

Examples

# Enable auto application of the learned threshold for attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] threshold-learn auto-apply enable

Related commands

threshold-learn enable

threshold-learn tolerance-value

threshold-learn duration

Use threshold-learn duration to set the threshold learning duration.

Use undo threshold-learn duration to restore the default.

Syntax

threshold-learn duration duration

undo threshold-learn duration

Default

The threshold learning duration is 1440 minutes.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

duration: Specifies the threshold learning duration in the range of 1 to 1200000 minutes.

Usage guidelines

The device starts threshold learning when you apply an attack defense policy enabled with the threshold learning feature. The learned threshold equals the peak packet sending rate learned within the duration. To ensure that the device learns the peak rate in a whole day, set a learning duration longer than 1440 minutes (24 hours). If you change the learning duration during the learning process, the device will restart threshold learning.

Examples

# Set the threshold learning duration to 2880 minutes (48 hours) for attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] threshold-learn duration 2880

Related commands

threshold-learn enable

threshold-learn loop

threshold-learn enable

Use threshold-learn enable to enable the threshold learning feature for flood attack prevention.

Use undo threshold-learn enable to disable the threshold learning feature for flood attack prevention.

Syntax

threshold-learn enable

undo threshold-learn enable

Default

The threshold learning feature for flood attack prevention is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

An appropriate threshold can effectively prevent attacks. If the global threshold for triggering flood attack prevention is too low, false positives might occur, causing performance degradation or packet loss. If the global threshold is too high, false negatives might occur, making the network defenseless. Therefore, it is a good practice to enable the threshold learning feature. This feature allows the device to automatically learn the global threshold based on the traffic flows in the network.

Examples

# Enable the threshold learning feature for attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] threshold-learn enable

Related commands

threshold-learn auto-apply enable

threshold-learn duration

threshold-learn interval

Use threshold-learn interval to set the threshold learning interval.

Use undo threshold-learn interval to restore the default.

Syntax

threshold-learn interval interval

undo threshold-learn interval

Default

The threshold learning interval is 1440 minutes.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

interval: Specifies a threshold learning interval in the range of 1 to 1200000 minutes.

Usage guidelines

The device performs periodic threshold learning when you apply an attack defense policy that meets the following requirements:

·     The threshold learning feature is enabled for the policy by using the threshold-learn enable command.

·     The periodic learning mode is set by using the threshold-learn mode periodic command.

Examples

# Set the threshold learning interval to 120 minutes for attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] threshold-learn interval 120

Related commands

threshold-learn enable

threshold-learn mode

threshold-learn mode

Use threshold-learn mode to set the threshold learning mode.

Use undo threshold-learn mode to restore the default.

Syntax

threshold-learn mode { once | periodic }

undo threshold-learn mode

Default

The one-time learning mode is set.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

once: Specifies the one-time learning mode.

periodic: Specifies the periodic learning mode.

Usage guidelines

This command allows you to set the following threshold learning modes:

·     One-time learning—The device performs threshold learning only once. This mode is applicable to stable networks.

·     Periodic learning—The device performs threshold learning at intervals. The most recent learned threshold always takes effect. This mode is applicable to unstable networks. To set the threshold learning duration, use the threshold-learn duration command. To set the threshold learning interval, use the threshold-learn interval command.

Examples

# Set the periodic learning mode for attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] threshold-learn mode periodic

Related commands

threshold-learn duration

threshold-learn enable

threshold-learn interval

threshold-learn tolerance-value

Use threshold-learn tolerance-value to set the threshold learning tolerance value.

Use undo threshold-learn tolerance-value to restore the default.

Syntax

threshold-learn tolerance-value tolerance-value

undo threshold-learn tolerance-value

Default

The threshold learning tolerance value is 50.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

tolerance-value: Specifies the threshold learning tolerance value in percentage, in the range of 0 to 4000.

Usage guidelines

When auto application of the learned threshold is enabled, the device uses the learned threshold and tolerance value to calculate the global threshold for triggering flood attack prevention. The formula for calculating the global threshold is learned threshold × (1 + tolerance value), where the tolerance value is a percentage (with the default tolerance value of 50, the global threshold is 1.5 times the learned threshold). Therefore, the calculated global threshold is larger than the learned threshold. This can prevent packet loss when the network experiences a traffic spike without being attacked.

The tolerance value takes effect only when auto application of the learned threshold is enabled.
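The following Python model, added here as an illustration and not part of the H3C reference or its software, works through the threshold learning behaviour described under threshold-learn auto-apply enable, threshold-learn duration, threshold-learn mode, threshold-learn apply and the tolerance formula above. Time is modelled in one-minute steps, and two simplifications are assumptions of this example rather than statements of the reference: in periodic mode a new learning window starts every interval minutes, and duration is taken to be no longer than interval.

```python
"""Model of flood-prevention threshold learning (threshold-learn commands).

Added example, not H3C code.  Each call to feed() supplies the peak packet
rate observed during one minute.  Assumptions of this model (not stated by
the reference): periodic learning windows start every `interval` minutes,
and `duration` must not exceed `interval`.
"""
from typing import List, Optional


def applied_threshold(learned: int, tolerance_pct: int) -> int:
    """Global threshold = learned threshold x (1 + tolerance value).

    The tolerance value is a percentage in the range 0 to 4000, so a
    tolerance of 50 yields 1.5 x the learned threshold.
    """
    if not 0 <= tolerance_pct <= 4000:
        raise ValueError("tolerance value must be 0 to 4000")
    return learned * (100 + tolerance_pct) // 100


class ThresholdLearner:
    def __init__(self, duration: int = 1440, interval: int = 1440,
                 mode: str = "once", auto_apply: bool = False,
                 tolerance_pct: int = 50, global_threshold: int = 1000):
        if mode not in ("once", "periodic"):
            raise ValueError("mode must be once or periodic")
        if mode == "periodic" and duration > interval:
            raise ValueError("assumed by this model: duration <= interval")
        self.duration = duration
        self.interval = interval
        self.mode = mode
        self.auto_apply = auto_apply
        self.tolerance_pct = tolerance_pct
        self.global_threshold = global_threshold
        self.learned: Optional[int] = None   # most recently learned threshold
        self.minute = 0                      # minutes since the policy was applied
        self.window: List[int] = []          # samples of the window in progress
        self.learning = True                 # learning starts when the policy is applied

    def set_duration(self, duration: int) -> None:
        """Changing the duration during learning restarts the current window."""
        self.duration = duration
        if self.learning:
            self.window = []

    def feed(self, peak_rate: int) -> int:
        """Record one minute's peak rate; return the current global threshold."""
        if self.learning:
            self.window.append(peak_rate)
            if len(self.window) >= self.duration:
                # learned threshold = peak rate seen within the learning duration
                self.learned = max(self.window)
                self.window = []
                self.learning = False
                if self.auto_apply:
                    self.global_threshold = applied_threshold(
                        self.learned, self.tolerance_pct)
        self.minute += 1
        if (self.mode == "periodic" and not self.learning
                and self.minute % self.interval == 0):
            self.learning = True         # next periodic window starts
        return self.global_threshold

    def apply(self) -> bool:
        """threshold-learn apply: make the most recently learned threshold the
        global threshold (no tolerance applied).  Has no effect while
        auto-apply is enabled or before anything has been learned."""
        if self.auto_apply or self.learned is None:
            return False
        self.global_threshold = self.learned
        return True


if __name__ == "__main__":
    # Constructed scenario: 3-minute windows every 5 minutes, auto-apply with
    # tolerance 100 (i.e. the global threshold becomes 2 x the learned peak).
    t = ThresholdLearner(duration=3, interval=5, mode="periodic",
                         auto_apply=True, tolerance_pct=100)
    for rate in [400, 900, 600, 5000, 5000, 100, 200, 300]:
        print(rate, t.feed(rate), t.learned)
```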

Examples

# Set the threshold learning tolerance value to 100 for attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] threshold-learn auto-apply enable

[Sysname-attack-defense-policy-atk-policy-1] threshold-learn tolerance-value 100

Related commands

threshold-learn auto-apply enable

threshold-learn enable

udp-flood action

Use udp-flood action to specify global actions against UDP flood attacks.

Use undo udp-flood action to restore the default.

Syntax

udp-flood action { drop | logging } *

undo udp-flood action

Default

No global action is specified for UDP flood attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

drop: Drops subsequent UDP packets destined for the victim IP addresses.

logging: Enables logging for UDP flood attack events.

Examples

# Specify drop as the global action against UDP flood attacks in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] udp-flood action drop

Related commands

udp-flood detect

udp-flood detect non-specific

udp-flood threshold

udp-flood detect

Use udp-flood detect to configure IP address-specific UDP flood attack detection.

Use undo udp-flood detect to remove the IP address-specific UDP flood attack detection configuration.

Syntax

udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific UDP flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ipv4-address argument cannot be 255.255.255.255 or 0.0.0.0.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering UDP flood attack prevention. The value range is 1 to 64000 in units of UDP packets sent to the specified IP address per second.

action: Specifies the actions when a UDP flood attack is detected. If no action is specified, the global actions set by the udp-flood action command apply.

drop: Drops subsequent UDP packets destined for the protected IP address.

logging: Enables logging for UDP flood attack events.

none: Takes no action.

Usage guidelines

With UDP flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of UDP packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

Examples

# Configure UDP flood attack detection for 192.168.1.2 in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect ip 192.168.1.2 threshold 2000

Related commands

udp-flood action

udp-flood detect non-specific

udp-flood threshold

udp-flood detect non-specific

Use udp-flood detect non-specific to enable global UDP flood attack detection.

Use undo udp-flood detect non-specific to disable global UDP flood attack detection.

Syntax

udp-flood detect non-specific

undo udp-flood detect non-specific

Default

Global UDP flood attack detection is disabled.

Views

Attack defense policy view

Predefined user roles

network-admin

Usage guidelines

The global UDP flood attack detection applies to all IP addresses except for those specified by the udp-flood detect command. The global detection uses the global trigger threshold set by the udp-flood threshold command and global actions specified by the udp-flood action command.

Examples

# Enable global UDP flood attack detection in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] udp-flood detect non-specific

Related commands

udp-flood action

udp-flood detect

udp-flood threshold

udp-flood threshold

Use udp-flood threshold to set the global threshold for triggering UDP flood attack prevention.

Use undo udp-flood threshold to restore the default.

Syntax

udp-flood threshold threshold-value

undo udp-flood threshold

Default

The global threshold is 1000 for triggering UDP flood attack prevention.

Views

Attack defense policy view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold value. The value range is 1 to 64000 in units of UDP packets sent to an IP address per second.

Usage guidelines

The global threshold applies to global UDP flood attack detection. Adjust the threshold according to the application scenarios. If the number of UDP packets sent to a protected server, such as an HTTP or FTP server, is normally large, set a large threshold. A small threshold might affect the server services. For a network that is unstable or susceptible to attacks, set a small threshold.

With global UDP flood attack detection configured, the device is in attack detection state. When the sending rate of UDP packets to an IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
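The detection/prevention state machine described above for udp-flood, and identically for syn-flood and syn-ack-flood, as an added Python model that is not part of the H3C reference or its software. It shows the hysteresis between the trigger threshold and the three-fourths silence threshold, the precedence of an IP-specific detect entry over the global threshold and actions, and the none action; the per-second packet counts are constructed sample input.

```python
"""Model of the flood attack detection state machine described under the
syn-flood, syn-ack-flood and udp-flood commands (added example, not H3C code).

A monitored IP address stays in DETECTION state until the per-second packet
rate reaches its trigger threshold; it is then in PREVENTION state, where the
configured actions apply, until the rate drops below the silence threshold
(three-fourths of the trigger threshold).  IP-specific entries take
precedence over the global threshold and actions, which cover every other
address only when non-specific detection is enabled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DETECTION = "detection"
PREVENTION = "prevention"
UNMONITORED = "unmonitored"

Actions = Tuple[str, ...]


@dataclass
class SpecificEntry:
    threshold: Optional[int]    # None: fall back to the global threshold
    actions: Optional[Actions]  # None: fall back to the global actions


@dataclass
class FloodPolicy:
    """One flood type (for example syn-flood) inside an attack defense policy."""
    global_threshold: int = 1000       # reference default
    global_actions: Actions = ()       # reference default: no global action
    non_specific: bool = False         # `<type>-flood detect non-specific`
    max_threshold: int = 1000000       # 1000000 for SYN/SYN-ACK, 64000 for UDP
    specific: Dict[str, SpecificEntry] = field(default_factory=dict)
    state: Dict[str, str] = field(default_factory=dict)

    def detect_ip(self, ip: str, threshold: Optional[int] = None,
                  actions: Optional[Actions] = None) -> None:
        """`<type>-flood detect ip <ip> [threshold N] [action ...]`."""
        if ip in ("0.0.0.0", "255.255.255.255"):
            raise ValueError("this address cannot be protected")
        if threshold is not None and not 1 <= threshold <= self.max_threshold:
            raise ValueError(f"threshold must be 1 to {self.max_threshold}")
        self.specific[ip] = SpecificEntry(threshold, actions)

    def effective(self, ip: str) -> Optional[Tuple[int, Actions]]:
        """Threshold and actions that apply to ip, or None if unmonitored."""
        entry = self.specific.get(ip)
        if entry is not None:
            thr = entry.threshold if entry.threshold is not None else self.global_threshold
            acts = entry.actions if entry.actions is not None else self.global_actions
            return thr, acts
        if self.non_specific:
            return self.global_threshold, self.global_actions
        return None

    def observe(self, ip: str, pps: int) -> Tuple[str, Actions]:
        """Feed one second's packet count for ip; return (state, actions taken)."""
        eff = self.effective(ip)
        if eff is None:
            return UNMONITORED, ()
        threshold, actions = eff
        silence = threshold * 3 / 4
        state = self.state.get(ip, DETECTION)
        if state == DETECTION and pps >= threshold:
            state = PREVENTION           # rate reached the trigger threshold
        elif state == PREVENTION and pps < silence:
            state = DETECTION            # rate fell below the silence threshold
        self.state[ip] = state
        if state != PREVENTION or actions == ("none",):
            return state, ()
        return state, actions


def run_trace(policy: FloodPolicy, ip: str, rates: List[int]) -> List[str]:
    """State after each one-second sample in rates."""
    return [policy.observe(ip, r)[0] for r in rates]


if __name__ == "__main__":
    # Constructed scenario mirroring the reference examples: global threshold
    # 100 with drop, and 192.168.1.2 protected with its own threshold of 2000.
    pol = FloodPolicy(global_threshold=100, global_actions=("drop",),
                      non_specific=True)
    pol.detect_ip("192.168.1.2", threshold=2000)
    for pps in [1500, 2000, 1800, 1499, 1500]:
        print(pps, pol.observe("192.168.1.2", pps))
```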

Examples

# Set the global threshold to 100 for triggering UDP flood attack prevention in the attack defense policy atk-policy-1.

<Sysname> system-view

[Sysname] attack-defense policy atk-policy-1

[Sysname-attack-defense-policy-atk-policy-1] udp-flood threshold 100

Related commands

udp-flood action

udp-flood detect

udp-flood detect non-specific

whitelist enable

Use whitelist enable to enable the whitelist feature on an interface.

Use undo whitelist enable to disable the whitelist feature on an interface.

Syntax

whitelist enable

undo whitelist enable

Default

The whitelist feature is disabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

If the global whitelist feature is enabled, the whitelist feature is enabled on all interfaces. If the global whitelist feature is disabled, you can use this command to enable the whitelist feature on individual interfaces.

Examples

# Enable the whitelist feature on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] whitelist enable

whitelist global enable

Use whitelist global enable to enable the global whitelist feature.

Use undo whitelist global enable to disable the global whitelist feature.

Syntax

whitelist global enable

undo whitelist global enable

Default

The global whitelist feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

If you enable the global whitelist feature, the whitelist feature is enabled on all interfaces.

Examples

# Enable the global whitelist feature.

<Sysname> system-view

[Sysname] whitelist global enable

whitelist object-group

Use whitelist object-group to add an address object group to the whitelist.

Use undo whitelist object-group to restore the default.

Syntax

whitelist object-group object-group-name

undo whitelist object-group

Default

No address object group is added to the whitelist.

Views

System view

Predefined user roles

network-admin

Parameters

object-group-name: Specifies an address object group by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The following matrix shows the command and hardware compatibility:

Hardware                                                                  Command compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

This command must be used together with the address object group feature. For more information about address object groups, see "Configuring object groups."

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Add address object group object-group1 to the whitelist.

<Sysname> system-view

[Sysname] whitelist object-group object-group1

 


IP source guard commands

The following matrix shows the feature and hardware compatibility:

Hardware                                                                  IP source guard compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                        No
MSR2600-6-X1/2600-10-X1                                                   Yes
MSR 2630                                                                  Yes
MSR3600-28/3600-51                                                        Yes
MSR3600-28-SI/3600-51-SI                                                  Yes
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                            Yes
MSR 3610/3620/3620-DP/3640/3660                                           Yes
MSR5620/5660/5680                                                         Yes

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

Static IPv4 SG is supported only on the following ports:

·     Layer 2 Ethernet ports on the following modules:

¡     HMIM-8GSW.

¡     HMIM-8GSWF.

¡     HMIM-24GSW.

¡     HMIM-24GSWP.

¡     SIC-4GSW.

¡     SIC-4GSWF.

¡     SIC-4GSWP.

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

¡     MSR2600-6-X1/2600-10-X1.

¡     MSR3600-28/3600-51.

¡     MSR3600-28-SI/3600-51-SI.

Static IPv6 SG is supported only on the following ports:

·     Layer 2 Ethernet ports on the following modules:

¡     HMIM-8GSW.

¡     HMIM-8GSWF.

¡     HMIM-24GSW.

¡     HMIM-24GSWP.

¡     SIC-4GSW.

¡     SIC-4GSWF.

¡     SIC-4GSWP.

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK.

¡     MSR2600-6-X1/2600-10-X1.

¡     MSR3600-28/3600-51.

Dynamic IPv4 SG is supported only on the following ports:

·     Layer 2 Ethernet ports on the following modules:

¡     HMIM-8GSW.

¡     HMIM-8GSWF.

¡     HMIM-24GSW.

¡     HMIM-24GSWP.

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR2600-6-X1/2600-10-X1.

¡     MSR3600-28/3600-51.

¡     MSR3600-28-SI/3600-51-SI.

Dynamic IPv6 SG is supported only on the following ports:

·     Layer 2 Ethernet ports on the following modules:

¡     HMIM-8GSW.

¡     HMIM-8GSWF.

¡     HMIM-24GSW.

¡     HMIM-24GSWP.

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR2600-6-X1/2600-10-X1.

¡     MSR3600-28/3600-51.

display ip source binding

Use display ip source binding to display IPv4SG bindings.

Syntax

Centralized devices in standalone mode:

display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-snooping | dot1x | wlan-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-snooping | dot1x | wlan-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Distributed devices in IRF mode:

display ip source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcp-snooping | dot1x | wlan-snooping ] ] [ ip-address ip-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

static: Displays static IPv4SG bindings.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The VPN instance name is a case-sensitive string of 1 to 31 characters. To display dynamic IPv4SG bindings for the public network, do not specify a VPN instance.

dhcp-snooping: Specifies the DHCP snooping module.

dot1x: Specifies the 802.1X module.

wlan-snooping: Specifies the WLAN snooping module.

ip-address ip-address: Specifies an IPv4 address.

mac-address mac-address: Specifies a MAC address in H-H-H format.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv4SG bindings for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv4SG bindings for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv4SG bindings for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display all IPSG bindings on the public network.

<Sysname> display ip source binding

Total entries found: 5

IP Address      MAC Address    Interface                VLAN Type

10.1.0.5        040a-0000-4000 GE1/0/1                  1    DHCP snooping

10.1.0.6        040a-0000-3000 GE1/0/1                  1    DHCP snooping

10.1.0.7        040a-0000-2000 GE1/0/1                  1    DHCP snooping

10.1.0.9        040a-0000-2000 GE1/0/2                  N/A  Static

Table 183 Command output

Field

Description

Total entries found

Total number of IPv4SG bindings.

IP Address

IPv4 address in the IPv4SG binding. If no IP address is bound in the binding, this field displays N/A.

MAC Address

MAC address in the IPv4SG binding. If no MAC address is bound in the binding, this field displays N/A.

Interface

Interface of the binding.

VLAN

VLAN information in the IPv4SG binding. If the binding contains no VLAN information, this field displays N/A.

Type

IPSG binding type:

·     Static—Manually configured by using the ip source binding command. Static bindings are for packet filtering in IPSG.

·     802.1X—Dynamically generated based on 802.1X. The binding is used by other modules to provide security services.

·     DHCP snooping—Dynamically generated based on DHCP snooping. The binding is for packet filtering in IPSG.

·     WLAN snooping—Dynamically generated based on WLAN snooping. The binding is used by other modules to provide security services.

 

Related commands

ip source binding

ip verify source

display ipv6 source binding

Use display ipv6 source binding to display IPv6SG bindings.

Syntax

Centralized devices in standalone mode:

display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping | wlan-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping | wlan-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 source binding [ static | [ vpn-instance vpn-instance-name ] [ dhcpv6-snooping | wlan-snooping ] ] [ ip-address ipv6-address ] [ mac-address mac-address ] [ vlan vlan-id ] [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

static: Displays static IPv6SG bindings.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name. The VPN instance name is a case-sensitive string of 1 to 31 characters. To display dynamic IPSG bindings for the public network, do not specify a VPN instance.

dhcpv6-snooping: Specifies the DHCPv6 snooping module.

wlan-snooping: Specifies the WLAN snooping module.

ip-address ipv6-address: Specifies an IPv6 address.

mac-address mac-address: Specifies a MAC address in H-H-H format.

vlan vlan-id: Specifies a VLAN ID in the range of 1 to 4094.

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6SG bindings for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6SG bindings for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6SG bindings for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display all IPv6SG bindings on the public network.

<Sysname> display ipv6 source binding

Total entries found: 2

IPv6 Address         MAC Address    Interface               VLAN Type

2012:1222:2012:1222: 000f-2202-0435 GE1/0/1                 1    DHCPv6 snooping

2012:1222:2012:1222

2012:1222:2012:1222: 000f-2202-0436 GE1/0/1                 N/A  Static

2012:1222:2012:1223

Table 184 Command output

Field

Description

Total entries found

Total number of IPv6SG bindings.

IPv6 Address

IPv6 address in the IPv6SG binding. If no IPv6 address is bound in the binding, this field displays N/A.

MAC Address

MAC address in the IPv6SG binding. If no MAC address is bound in the binding, this field displays N/A.

Interface

Interface of the IPv6SG binding.

VLAN

VLAN information in the IPv6SG binding. If the binding contains no VLAN information, this field displays N/A.

Type

IPv6SG binding type:

·     Static—Manually configured by using the ipv6 source binding command. Static bindings are for packet filtering in IPv6SG or used by other modules to provide security services.

·     DHCPv6 snooping—Dynamically generated based on DHCPv6 snooping. The binding is for packet filtering in IPv6SG.

·     WLAN snooping—Dynamically generated based on WLAN snooping. The binding is used by other modules to provide security services.

 

Related commands

ipv6 source binding

ipv6 verify source

ip source binding (interface view)

Use ip source binding to configure a static IPv4SG binding on an interface.

Use undo ip source binding to delete the static IPv4SG bindings configured on an interface.

Syntax

ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

undo ip source binding { all | ip-address ip-address | ip-address ip-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

Default

No static IPv4SG bindings exist on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

all: Removes all static IPv4SG bindings on the interface.

ip-address ip-address: Specifies an IPv4 address for the static binding. The IPv4 address must be a class A, B, or C address, and cannot be 127.x.x.x, 0.0.0.0, or 255.255.255.255.

mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.

vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094.

Usage guidelines

IMPORTANT:

Static IPv4SG bindings that contain IP addresses or VLANs are not supported on the following routers:

·     MSR810-W.

·     MSR810-W-DB.

·     MSR810-LM.

·     MSR810-W-LM.

·     MSR810-10-PoE.

·     MSR810-LM-HK.

·     MSR810-W-LM-HK.

·     MSR2600-6-X1/2600-10-X1.

 

Static IPv4SG bindings on an interface implement the following functions:

·     Filter incoming IPv4 packets on the interface.

·     Check user validity by cooperating with the ARP attack detection feature.

You cannot configure static IPv4SG bindings on a service loopback interface.

An IPv4SG binding that contains a MAC address does not take effect when the following conditions exist:

·     The interface in the IPv4SG binding belongs to a new VLAN.

·     The new VLAN already has an IPv4SG binding that contains the same MAC address.

Examples

# Configure a static IPv4SG binding on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001

Related commands

display ip source binding

ip verify source

Use ip verify source to enable both static and dynamic IPv4SG on an interface.

Use undo ip verify source to disable IPv4SG on an interface.

Syntax

ip verify source { ip-address | ip-address mac-address | mac-address }

undo ip verify source

Default

The IPv4SG feature is disabled on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

ip-address: Filters incoming packets by source IPv4 addresses.

ip-address mac-address: Filters incoming packets by source IPv4 addresses and source MAC addresses.

mac-address: Filters incoming packets by source MAC addresses.

Usage guidelines

The matching criterion in this command applies only to dynamic IPSG. Static IPv4SG uses static bindings configured by using the ip source binding command.

Dynamic bindings generated from different source modules (802.1X, DHCP snooping, and WLAN snooping) are for different security services. For more information, see Security Configuration Guide.

You cannot enable dynamic IPv4SG on a service loopback interface.
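The filtering behaviour that ip source binding and ip verify source configure, as an added Python example that is not part of the command reference: it parses the display ip source binding output layout and decides whether a packet passes, assuming that a binding's VLAN is compared whenever the binding carries one and that only Static and DHCP snooping bindings filter packets (as the Type field description states).

```python
# Added example (not Comware code): a model of the IPv4SG filtering described
# for ip source binding and ip verify source. Assumption: a binding's VLAN is
# compared whenever the binding carries one; only the IP/MAC comparison of
# dynamic bindings depends on the ip verify source criterion.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Binding:
    ip: Optional[str]        # None when the output shows N/A
    mac: Optional[str]       # None when the output shows N/A
    interface: str
    vlan: Optional[int]      # None when the output shows N/A
    btype: str               # Static, DHCP snooping, 802.1X or WLAN snooping

@dataclass(frozen=True)
class Packet:
    ip: str
    mac: str
    vlan: Optional[int]

# Constructed sample in the layout of 'display ip source binding'.
SAMPLE_OUTPUT = """\
Total entries found: 4
IP Address      MAC Address    Interface                VLAN Type
10.1.0.5        040a-0000-4000 GE1/0/1                  1    DHCP snooping
10.1.0.8        040a-0000-5000 GE1/0/1                  1    802.1X
10.1.0.9        040a-0000-2000 GE1/0/2                  N/A  Static
N/A             00e0-fc00-0001 GE1/0/3                  N/A  Static
"""

# Binding types that IPSG itself uses for packet filtering, per the Type field
# description; 802.1X and WLAN snooping bindings serve other modules.
FILTERING_TYPES = {"Static", "DHCP snooping"}

def _na(value: str) -> Optional[str]:
    return None if value == "N/A" else value

def parse_bindings(output: str) -> List[Binding]:
    """Parse the table rows of 'display ip source binding' output."""
    bindings = []
    for line in output.splitlines():
        fields = line.split(None, 4)       # the Type column may contain a space
        if len(fields) != 5 or fields[0] in ("Total", "IP"):
            continue                       # summary line, header, or blank
        ip, mac, iface, vlan, btype = fields
        vlan_id = None if vlan == "N/A" else int(vlan)
        bindings.append(Binding(_na(ip), _na(mac), iface, vlan_id, btype.strip()))
    return bindings

def _static_match(b: Binding, pkt: Packet) -> bool:
    # A static binding is compared on every attribute it carries.
    return ((b.ip is None or b.ip == pkt.ip)
            and (b.mac is None or b.mac == pkt.mac)
            and (b.vlan is None or b.vlan == pkt.vlan))

def _dynamic_match(b: Binding, pkt: Packet, keys: set) -> bool:
    # Only the attributes named by the ip verify source criterion are compared.
    if "ip-address" in keys and b.ip != pkt.ip:
        return False
    if "mac-address" in keys and b.mac != pkt.mac:
        return False
    return b.vlan is None or b.vlan == pkt.vlan

def ipsg_permit(bindings: List[Binding], interface: str,
                criterion: Optional[str], pkt: Packet) -> bool:
    """Decide whether a packet received on `interface` passes IPv4SG.
    `criterion` is the keyword string given to ip verify source, for example
    "ip-address mac-address"; None means IPv4SG is not enabled there."""
    if criterion is None:
        return True
    keys = set(criterion.split())
    for b in bindings:
        if b.interface != interface or b.btype not in FILTERING_TYPES:
            continue
        if b.btype == "Static":
            if _static_match(b, pkt):
                return True
        elif _dynamic_match(b, pkt, keys):
            return True
    return False    # no binding on this interface allows the packet
```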

Examples

# Enable IPv4SG on Layer 2 Ethernet interface GigabitEthernet 1/0/1 and verify the source IPv4 address and MAC address for dynamic IPSG.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip verify source ip-address mac-address

Related commands

display ip source binding

ipv6 source binding (interface view)

Use ipv6 source binding to configure a static IPv6SG binding.

Use undo ipv6 source binding to delete the static IPv6SG bindings configured on the interface.

Syntax

ipv6 source binding { ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

undo ipv6 source binding { all | ip-address ipv6-address | ip-address ipv6-address mac-address mac-address | mac-address mac-address } [ vlan vlan-id ]

Default

No static IPv6SG bindings exist on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

all: Removes all the static IPv6SG bindings on the interface.

ip-address ipv6-address: Specifies an IPv6 address for the static binding. The IPv6 address cannot be an all-zero address, a multicast address, or a loopback address.

mac-address mac-address: Specifies a MAC address for the static binding. The MAC address must be in H-H-H format, and cannot be all 0s, all Fs (a broadcast MAC address), or a multicast MAC address.

vlan vlan-id: Specifies a VLAN ID for the static binding. The value range is 1 to 4094.

Usage guidelines

IMPORTANT:

Static IPv6SG bindings that contain MAC addresses are not supported on Layer 2 Ethernet ports on the following modules:

·     HMIM-24GSW.

·     HMIM-24GSWP.

Static IPv6SG bindings that contain IP addresses or VLANs are not supported on the following routers:

·     MSR810.

·     MSR810-W.

·     MSR810-W-DB.

·     MSR810-LM.

·     MSR810-W-LM.

·     MSR810-10-PoE.

·     MSR810-LM-HK.

·     MSR810-W-LM-HK.

·     MSR2600-6-X1/2600-10-X1.

 

Static IPv6SG bindings on an interface filter incoming IPv6 packets on the interface.

You cannot configure static IPv6SG bindings on a service loopback interface.

An IPv6SG binding that contains a MAC address does not take effect when the following conditions exist:

·     The interface in the IPv6SG binding belongs to a new VLAN.

·     The new VLAN already has an IPv6SG binding that contains the same MAC address.

Examples

# Configure a static IPv6SG binding on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 source binding ip-address 2001::1 mac-address 0002-0002-0002

Related commands

display ipv6 source binding

ipv6 verify source

Use ipv6 verify source to enable both static and dynamic IPv6SG on an interface.

Use undo ipv6 verify source to disable IPv6SG on an interface.

Syntax

ipv6 verify source { ip-address | ip-address mac-address | mac-address }

undo ipv6 verify source

Default

The IPv6SG feature is disabled on an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

ip-address: Filters incoming packets by source IPv6 addresses.

ip-address mac-address: Filters incoming packets by source IPv6 addresses and source MAC addresses.

mac-address: Filters incoming packets by source MAC addresses.

Usage guidelines

IMPORTANT:

The IPv6SG feature is not supported on Layer 2 Ethernet ports on the following modules if the ip-address mac-address or mac-address keyword is specified:

·     HMIM-24GSW.

·     HMIM-24GSWP.

 

The matching criterion in this command applies only to dynamic IPv6SG. Static IPv6SG uses static bindings configured by using the ipv6 source binding command.

Dynamic bindings generated from different source modules (DHCPv6 snooping and WLAN snooping) are for different security services. For more information, see Security Configuration Guide.

You cannot enable dynamic IPv6SG on a service loopback interface.

Examples

# Enable IPv6SG on Layer 2 Ethernet interface GigabitEthernet 1/0/1 and verify the source IPv6 address and MAC address for dynamic IPv6SG.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 verify source ip-address mac-address

Related commands

display ipv6 source binding


ARP attack protection commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

Unresolvable IP attack protection commands

arp resolving-route enable

Use arp resolving-route enable to enable ARP blackhole routing.

Use undo arp resolving-route enable to disable ARP blackhole routing.

Syntax

arp resolving-route enable

undo arp resolving-route enable

Default

ARP blackhole routing is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this command on the gateways.

Examples

# Enable ARP blackhole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

Related commands

arp resolving-route probe-count

arp resolving-route probe-interval

arp resolving-route probe-count

Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.

Use undo arp resolving-route probe-count to restore the default.

Syntax

arp resolving-route probe-count count

undo arp resolving-route probe-count

Default

The device performs three ARP blackhole route probes for each unresolved IP address.

Views

System view

Predefined user roles

network-admin

Parameters

count: Sets the number of probes, in the range of 1 to 25.

Examples

# Configure the device to perform five ARP blackhole route probes for each unresolved IP address.

<Sysname> system-view

[Sysname] arp resolving-route probe-count 5

Related commands

arp resolving-route enable

arp resolving-route probe-interval

arp resolving-route probe-interval

Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.

Use undo arp resolving-route probe-interval to restore the default.

Syntax

arp resolving-route probe-interval interval

undo arp resolving-route probe-interval

Default

The device probes ARP blackhole routes every 1 second.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the probe interval in the range of 1 to 5 seconds.

Examples

# Configure the device to probe ARP blackhole routes every 3 seconds.

<Sysname> system-view

[Sysname] arp resolving-route probe-interval 3

Related commands

arp resolving-route enable

arp resolving-route probe-count

arp source-suppression enable

Use arp source-suppression enable to enable the ARP source suppression feature.

Use undo arp source-suppression enable to disable the ARP source suppression feature.

Syntax

arp source-suppression enable

undo arp source-suppression enable

Default

The ARP source suppression feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on the gateways.

Examples

# Enable the ARP source suppression feature.

<Sysname> system-view

[Sysname] arp source-suppression enable

Related commands

display arp source-suppression

arp source-suppression limit

Use arp source-suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

Use undo arp source-suppression limit to restore the default.

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

Default

The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

limit-value: Specifies the limit in the range of 2 to 1024.

Usage guidelines

If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.

Examples

# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

Related commands

display arp source-suppression

display arp source-suppression

Use display arp source-suppression to display information about the current ARP source suppression configuration.

Syntax

display arp source-suppression

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

 ARP source suppression is enabled

 Current suppression limit: 100

Table 185 Command output

Field

Description

Current suppression limit

Maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.

 

Source MAC-based ARP attack detection commands

arp source-mac

Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.

Use undo arp source-mac to disable the source MAC-based ARP attack detection feature.

Syntax

arp source-mac { filter | monitor }

undo arp source-mac [ filter | monitor ]

Default

The source MAC-based ARP attack detection feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

filter: Generates log messages and discards subsequent ARP packets from the MAC address.

monitor: Only generates log messages.

Usage guidelines

Configure this feature on the gateways.

This feature checks the number of ARP packets delivered to the CPU. If the number of ARP packets from the same MAC address within 5 seconds exceeds a threshold, the device takes the preconfigured method to handle the attack.

If you specify neither the filter keyword nor the monitor keyword in the undo arp source-mac command, the command disables this feature.

Examples

# Enable the source MAC-based ARP attack detection feature and specify the filter handling method.

<Sysname> system-view

[Sysname] arp source-mac filter

arp source-mac aging-time

Use arp source-mac aging-time to set the aging time for ARP attack entries.

Use undo arp source-mac aging-time to restore the default.

Syntax

arp source-mac aging-time time

undo arp source-mac aging-time

Default

The aging time for ARP attack entries is 300 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.

Examples

# Set the aging time for ARP attack entries to 60 seconds.

<Sysname> system-view

[Sysname] arp source-mac aging-time 60

arp source-mac exclude-mac

Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.

Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection.

Syntax

arp source-mac exclude-mac mac-address&<1-10>

undo arp source-mac exclude-mac [ mac-address&<1-10> ]

Default

No MAC addresses are excluded from source MAC-based ARP attack detection.

Views

System view

Predefined user roles

network-admin

Parameters

mac-address&<1-10>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-10> indicates that you can configure a maximum of 10 excluded MAC addresses.

Usage guidelines

If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.

Examples

# Exclude a MAC address from source MAC-based ARP attack detection.

<Sysname> system-view

[Sysname] arp source-mac exclude-mac 2-2-2

arp source-mac threshold

Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.

Use undo arp source-mac threshold to restore the default.

Syntax

arp source-mac threshold threshold-value

undo arp source-mac threshold

Default

The threshold for source MAC-based ARP attack detection is 30.

Views

System view

Predefined user roles

network-admin

Parameters

threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000.

Examples

# Set the threshold for source MAC-based ARP attack detection to 30.

<Sysname> system-view

[Sysname] arp source-mac threshold 30

display arp source-mac

Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.

Syntax

Centralized devices in standalone mode:

display arp source-mac [ interface interface-type interface-number ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display arp source-mac { slot slot-number | interface interface-type interface-number }

Distributed devices in IRF mode:

display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ARP attack entries for the active MPU. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its ID. If you do not specify a member device, this command displays ARP attack entries for the master device. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays ARP attack entries for the global active MPU. (Distributed devices in IRF mode.)

Examples

# Display the ARP attack entries detected by source MAC-based ARP attack detection.

<Sysname> display arp source-mac

Source-MAC          VLAN ID  Interface                Aging-time

23f3-1122-3344      4094     GE1/0/1                  10

23f3-1122-3355      4094     GE1/0/2                  30

23f3-1122-33ff      4094     GE1/0/3                  25

23f3-1122-33ad      4094     GE1/0/4                  30

23f3-1122-33ce      4094     GE1/0/5                  2
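A model of the detection described by the arp source-mac, arp source-mac threshold, arp source-mac aging-time and arp source-mac exclude-mac commands, as an added Python example that is not Comware code: a 5-second per-MAC counter that creates attack entries and reports them in the layout of display arp source-mac. Fixed counting windows and forwarding the packet that crosses the threshold are assumptions.

```python
# Added example (not Comware code): a model of source MAC-based ARP attack
# detection as described for arp source-mac, arp source-mac threshold,
# arp source-mac aging-time and arp source-mac exclude-mac. Assumptions: packets
# are counted in fixed 5-second windows per MAC, the packet that crosses the
# threshold is still forwarded (only subsequent ones are discarded), and the
# Aging-time column reports the seconds left before the attack entry expires.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

WINDOW = 5  # seconds, the detection interval stated in the command reference

@dataclass
class AttackEntry:
    mac: str
    vlan: int
    interface: str
    expires_at: float

@dataclass
class SourceMacDetector:
    mode: Optional[str] = None        # None = disabled, "filter" or "monitor"
    threshold: int = 30               # default of arp source-mac threshold
    aging_time: int = 300             # default of arp source-mac aging-time
    exclude: Set[str] = field(default_factory=set)   # arp source-mac exclude-mac
    entries: Dict[str, AttackEntry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)
    _counts: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        # Drop attack entries whose aging time has elapsed.
        for mac in [m for m, e in self.entries.items() if e.expires_at <= now]:
            del self.entries[mac]

    def handle(self, now: float, mac: str, vlan: int, interface: str) -> str:
        """Process one ARP packet delivered to the CPU; returns 'forward' or 'drop'."""
        if self.mode is None or mac in self.exclude:
            return "forward"
        self._expire(now)
        if mac in self.entries:
            # An attack entry exists: filter discards, monitor only logged it.
            return "drop" if self.mode == "filter" else "forward"
        start, count = self._counts.get(mac, (now, 0))
        if now - start >= WINDOW:          # start a new counting window
            start, count = now, 0
        count += 1
        self._counts[mac] = (start, count)
        if count > self.threshold:
            self.entries[mac] = AttackEntry(mac, vlan, interface, now + self.aging_time)
            self.log.append(f"ARP attack from {mac} on {interface} (VLAN {vlan}): "
                            f"{count} packets within {WINDOW}s, mode {self.mode}")
        return "forward"

    def display(self, now: float) -> List[Tuple[str, int, str, int]]:
        """Rows in the layout of 'display arp source-mac':
        (Source-MAC, VLAN ID, Interface, remaining Aging-time)."""
        self._expire(now)
        return [(e.mac, e.vlan, e.interface, int(e.expires_at - now))
                for e in self.entries.values()]
```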

ARP packet source MAC consistency check commands

arp valid-check enable

Use arp valid-check enable to enable ARP packet source MAC address consistency check.

Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.

Syntax

arp valid-check enable

undo arp valid-check enable

Default

ARP packet source MAC address consistency check is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp valid-check enable

ARP active acknowledgement commands

arp active-ack enable

Use arp active-ack enable to enable the ARP active acknowledgement feature.

Use undo arp active-ack enable to disable the ARP active acknowledgement feature.

Syntax

arp active-ack [ strict ] enable

undo arp active-ack [ strict ] enable

Default

The ARP active acknowledgement feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

strict: Enables strict mode for ARP active acknowledgement.

Usage guidelines

Configure this feature on gateways to prevent user spoofing.

In strict mode, a gateway learns an entry only when ARP active acknowledgement is successful based on the correct ARP resolution.

Examples

# Enable the ARP active acknowledgement feature.

<Sysname> system-view

[Sysname] arp active-ack enable

Authorized ARP commands

arp authorized enable

Use arp authorized enable to enable authorized ARP on an interface.

Use undo arp authorized enable to disable authorized ARP on an interface.

Syntax

arp authorized enable

undo arp authorized enable

Default

Authorized ARP is disabled on the interface.

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Examples

# Enable authorized ARP on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp authorized enable

ARP attack detection commands

This feature is supported only on the following ports:

·     Layer 2 Ethernet ports on the following modules:

¡     HMIM-8GSW.

¡     HMIM-8GSWF.

¡     HMIM-24GSW.

¡     HMIM-24GSW-PoE.

¡     SIC-4GSW.

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR2600-6-X1/2600-10-X1.

¡     MSR3600-28.

¡     MSR3600-51.

arp detection enable

Use arp detection enable to enable ARP attack detection.

Use undo arp detection enable to disable ARP attack detection.

Syntax

arp detection enable

undo arp detection enable

Default

ARP attack detection is disabled.

Views

VLAN view

Predefined user roles

network-admin

Examples

# Enable ARP attack detection for VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp detection enable

Related commands

arp detection rule

arp detection rule

Use arp detection rule to configure a user validity check rule.

Use undo arp detection rule to delete a user validity check rule.

Syntax

arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ]

undo arp detection rule [ rule-id ]

Default

No user validity check rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-id: Assigns an ID to the user validity check rule. The ID value range is 0 to 511. A smaller value represents a higher priority.

deny: Denies matching ARP packets.

permit: Permits matching ARP packets.

ip { ip-address [ mask ] | any }: Specifies the sender IP address as the match criterion.

·     ip-address: Specifies an IP address in dotted decimal notation.

·     mask: Specifies the address mask in dotted decimal notation. If you do not specify the mask, the ip-address argument specifies a host IP address.

·     any: Matches any IP address.

mac { mac-address [ mask ] | any }: Specifies the sender MAC address as the match criterion.

·     mac-address: Specifies a MAC address in the H-H-H format.

·     mask: Specifies the MAC address mask in the H-H-H format. If you do not specify the mask, the mac-address argument specifies a host MAC address.

·     any: Matches any MAC address.

vlan vlan-id: Specifies the ID of a VLAN to which the specified rule applies. The value range for the vlan-id argument is 1 to 4094. If you do not specify a VLAN, the rule applies to all VLANs.

Usage guidelines

A user validity check rule takes effect only when ARP attack detection is enabled.

If you do not specify a rule ID, the undo arp detection rule command deletes all user validity check rules.

Examples

# Configure a user validity check rule and enable ARP detection for VLAN 2.

<Sysname> system-view

[Sysname] arp detection rule 0 permit ip 10.1.1.1 255.255.0.0 mac 0001-0203-0405 ffff-ffff-0000

[Sysname] vlan 2

[Sysname-vlan2] arp detection enable

Related commands

arp detection enable

arp detection trust

Use arp detection trust to configure an interface as an ARP trusted interface.

Use undo arp detection trust to restore the default.

Syntax

arp detection trust

undo arp detection trust

Default

An interface is an ARP untrusted interface.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Examples

# Configure GigabitEthernet 1/0/1 as an ARP trusted interface.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp detection trust

arp detection validate

Use arp detection validate to enable ARP packet validity check.

Use undo arp detection validate to disable ARP packet validity check.

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

Default

ARP packet validity check is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.

src-mac: Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.

Usage guidelines

You can specify more than one object to be checked in one command line.

If no keyword is specified, the undo arp detection validate command disables ARP packet validity check for all objects.

Examples

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip
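The three checks described above, modelled in Python as an added example (not H3C code) over constructed ARP frames: each frame either passes or is assigned the drop counter it would hit in display arp detection statistics. The frame layout assumes RFC 826 ARP over Ethernet, and the order in which the checks run is the model's own choice, since the reference does not state one.

```python
"""Model of the checks that `arp detection validate` enables (dst-mac, ip,
src-mac).  Added example, not H3C code: frame layout is RFC 826 ARP over
Ethernet, sample frames are constructed, and the check order is this model's
choice.  Verdicts are named after the drop counters shown by
`display arp detection statistics` (IP, Src-MAC, Dst-MAC)."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

ARP_REQUEST, ARP_REPLY, ETHERTYPE_ARP = 1, 2, 0x0806
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6
ALL_CHECKS = {"dst-mac", "ip", "src-mac"}  # keywords of arp detection validate


def mac(text: str) -> bytes:
    """Convert an H3C-style MAC string such as '0001-0203-0405' to 6 bytes."""
    return bytes.fromhex(text.replace("-", ""))


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def build_arp(eth_dst: bytes, eth_src: bytes, opcode: int, sender_mac: bytes,
              sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Serialise a 42-byte Ethernet II + ARP frame (used to construct samples)."""
    return struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP) + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
        sender_mac, ipaddress.IPv4Address(sender_ip).packed,
        target_mac, ipaddress.IPv4Address(target_ip).packed)


def parse_frame(raw: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    (htype, ptype, hlen, plen, opcode, sender_mac, sender_ip,
     target_mac, target_ip) = struct.unpack("!HHBBH6s4s6s4s", raw[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(eth_dst, eth_src, opcode, sender_mac, sender_ip, target_mac, target_ip)


def _ip_invalid(packed: bytes) -> bool:
    """The ip check rejects all-one (255.255.255.255) and multicast addresses."""
    return packed == b"\xff" * 4 or ipaddress.IPv4Address(packed).is_multicast


def validate(frame: ArpFrame, checks: Set[str]) -> Optional[str]:
    """Return the counter the frame would increment ('Dst-MAC', 'IP', 'Src-MAC'),
    or None when it passes every check enabled in `checks`."""
    # dst-mac applies to replies: the target MAC must not be all-zero or
    # all-one and must equal the Ethernet destination address.
    if "dst-mac" in checks and frame.opcode == ARP_REPLY:
        if frame.target_mac in (ZERO_MAC, BROADCAST) or frame.target_mac != frame.eth_dst:
            return "Dst-MAC"
    # ip: sender IP of requests; sender and target IP of replies.
    if "ip" in checks:
        addresses = [frame.sender_ip] + ([frame.target_ip] if frame.opcode == ARP_REPLY else [])
        if any(_ip_invalid(a) for a in addresses):
            return "IP"
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC.
    if "src-mac" in checks and frame.sender_mac != frame.eth_src:
        return "Src-MAC"
    return None


def tally(frames: Dict[str, bytes], checks: Set[str]) -> Dict[str, int]:
    """Count drops per counter the way `display arp detection statistics` reports them."""
    counters = {"IP": 0, "Src-MAC": 0, "Dst-MAC": 0}
    for raw in frames.values():
        verdict = validate(parse_frame(raw), checks)
        if verdict:
            counters[verdict] += 1
    return counters


# Constructed sample frames (not captured traffic).
HOST, GATEWAY, ROGUE = mac("00aa-bbcc-dd01"), mac("0001-0203-0405"), mac("00aa-bbcc-dd99")
SAMPLES: Dict[str, bytes] = {
    "good-reply": build_arp(GATEWAY, HOST, ARP_REPLY, HOST, "10.1.1.1", GATEWAY, "10.1.1.254"),
    # ARP body sender MAC differs from the Ethernet source MAC
    "spoofed-src": build_arp(BROADCAST, HOST, ARP_REQUEST, ROGUE, "10.1.1.1", ZERO_MAC, "10.1.1.254"),
    # reply whose target MAC is all-zero
    "zero-target-mac": build_arp(GATEWAY, HOST, ARP_REPLY, HOST, "10.1.1.1", ZERO_MAC, "10.1.1.254"),
    # request whose sender IP is a multicast address
    "multicast-sender": build_arp(BROADCAST, HOST, ARP_REQUEST, HOST, "224.0.0.1", ZERO_MAC, "10.1.1.254"),
}
```

Running tally(SAMPLES, ALL_CHECKS) gives one drop on each of the three counters; with only the ip keyword enabled, the spoofed-src frame passes, which is why the example configuration enables all three.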

arp restricted-forwarding enable

Use arp restricted-forwarding enable to enable ARP restricted forwarding.

Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.

Syntax

arp restricted-forwarding enable

undo arp restricted-forwarding enable

Default

ARP restricted forwarding is disabled.

Views

VLAN view

Predefined user roles

network-admin

Examples

# Enable ARP restricted forwarding in VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] arp restricted-forwarding enable

display arp detection

Use display arp detection to display the VLANs enabled with ARP attack detection.

Syntax

display arp detection

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the VLANs enabled with ARP attack detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1-2, 4-5

Related commands

arp detection enable

display arp detection statistics

Use display arp detection statistics to display ARP attack detection statistics.

Syntax

display arp detection statistics [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Displays the ARP attack detection statistics of an interface.

Usage guidelines

This command displays the numbers of packets discarded by user validity check and by ARP packet validity check. If you do not specify an interface, the command displays statistics for all interfaces.

Examples

# Display the ARP attack detection statistics for all interfaces.

<Sysname> display arp detection statistics

State: U-Untrusted  T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State)            IP        Src-MAC   Dst-MAC   Inspect

GE1/0/1(U)                  40        0         0         78

GE1/0/2(U)                  0         0         0         0

GE1/0/3(T)                  0         0         0         0

GE1/0/4(U)                  0         0         30        0

Table 186 Command output

Field

Description

State

State of an interface:

·     U—ARP untrusted interface.

·     T—ARP trusted interface.

Interface(State)

Inbound interface of ARP packets. State specifies the port state, trusted or untrusted.

IP

Number of ARP packets discarded due to invalid sender and target IP addresses.

Src-MAC

Number of ARP packets discarded due to invalid source MAC address.

Dst-MAC

Number of ARP packets discarded due to invalid destination MAC address.

Inspect

Number of ARP packets that failed to pass user validity check.
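To feed these counters into a monitoring job, an added example (not H3C code) that parses the output format shown above, constructed here as a sample, and flags the interfaces whose drop totals exceed a threshold together with the counter that dominates:

```python
"""Parse `display arp detection statistics` output and flag interfaces whose
drop counters show ARP attack detection discarding traffic.  Added example,
not H3C code; SAMPLE_OUTPUT is a constructed copy of the output format."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
State: U-Untrusted  T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State)            IP        Src-MAC   Dst-MAC   Inspect
GE1/0/1(U)                  40        0         0         78
GE1/0/2(U)                  0         0         0         0
GE1/0/3(T)                  0         0         0         0
GE1/0/4(U)                  0         0         30        0
"""

# One statistics row: interface name, trust state, then the four drop counters.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\((?P<state>[UT])\)\s+(?P<ip>\d+)\s+(?P<src>\d+)"
    r"\s+(?P<dst>\d+)\s+(?P<inspect>\d+)\s*$")

COUNTERS = ("IP", "Src-MAC", "Dst-MAC", "Inspect")


@dataclass
class ArpDropStats:
    interface: str
    trusted: bool
    counts: Dict[str, int]  # counter name -> number of discarded packets

    @property
    def total(self) -> int:
        return sum(self.counts.values())


def parse_arp_detection_statistics(text: str) -> List[ArpDropStats]:
    """Return one record per interface row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        counts = dict(zip(COUNTERS, map(int, (m["ip"], m["src"], m["dst"], m["inspect"]))))
        rows.append(ArpDropStats(m["iface"], m["state"] == "T", counts))
    return rows


def flag_interfaces(rows: List[ArpDropStats], threshold: int = 0) -> List[Tuple[str, str, int]]:
    """Return (interface, dominant counter, total drops) for every interface whose
    total drops exceed `threshold`, highest total first.  The dominant counter
    tells the operator which check is firing: Inspect means the user validity
    check rules, the other three the packet validity checks."""
    flagged = [(r.interface, max(r.counts, key=r.counts.get), r.total)
               for r in rows if r.total > threshold]
    return sorted(flagged, key=lambda item: item[2], reverse=True)
```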


reset arp detection statistics

Use reset arp detection statistics to clear ARP attack detection statistics.

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Clears the ARP attack detection statistics of an interface.

Usage guidelines

If you do not specify an interface, this command clears the statistics of all interfaces.

Examples

# Clear the ARP attack detection statistics of all interfaces.

<Sysname> reset arp detection statistics

ARP scanning and fixed ARP commands

arp fixup

Use arp fixup to convert existing dynamic ARP entries to static ARP entries.

Syntax

arp fixup

Views

System view

Predefined user roles

network-admin

Usage guidelines

The ARP conversion is a one-time operation. To convert dynamic ARP entries learned later, execute this command again.

The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.

The static ARP entries after conversion can include the following entries:

·     Existing dynamic and static ARP entries before conversion.

·     New dynamic ARP entries learned during the conversion.

Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.

To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Examples

# Enable fixed ARP.

<Sysname> system-view

[Sysname] arp fixup

arp scan

Use arp scan to trigger ARP scanning in an address range.

Syntax

arp scan [ start-ip-address to end-ip-address ]

Views

Layer 3 Ethernet interface/subinterface view

Layer 3 aggregate interface/subinterface view

VLAN interface view

Predefined user roles

network-admin

Parameters

start-ip-address: Specifies the start IP address of the scanning range.

end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Usage guidelines

ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.

If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.

If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.

The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.

ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

Examples

# Configure the device to scan neighbors on the network where the primary IP address of GigabitEthernet 1/0/1 resides.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp scan

# Configure the device to scan neighbors in an address range.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp scan 1.1.1.1 to 1.1.1.20

ARP gateway protection commands

arp filter source

Use arp filter source to enable ARP gateway protection for a gateway.

Use undo arp filter source to disable ARP gateway protection for a gateway.

Syntax

arp filter source ip-address

undo arp filter source ip-address

Default

ARP gateway protection is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IP address of a protected gateway.

Usage guidelines

The following list shows the command and hardware compatibility (hardware: whether the command is supported):

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS: No.

·     MSR2600-6-X1/2600-10-X1: Yes.

·     MSR 2630: Yes.

·     MSR3600-28/3600-51: Yes.

·     MSR3600-28-SI/3600-51-SI: Yes.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: Yes.

·     MSR 3610/3620/3620-DP/3640/3660: Yes.

·     MSR5620/5660/5680: Yes.

You can enable ARP gateway protection for a maximum of eight gateways on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp filter source 1.1.1.1

ARP filtering commands

arp filter binding

Use arp filter binding to enable ARP filtering and configure an ARP permitted entry.

Use undo arp filter binding to remove an ARP permitted entry.

Syntax

arp filter binding ip-address mac-address

undo arp filter binding ip-address

Default

ARP filtering is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies a permitted sender IP address.

mac-address: Specifies a permitted sender MAC address.

Usage guidelines

The following list shows the command and hardware compatibility (hardware: whether the command is supported):

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS: No.

·     MSR2600-6-X1/2600-10-X1: Yes.

·     MSR 2630: Yes.

·     MSR3600-28/3600-51: Yes.

·     MSR3600-28-SI/3600-51-SI: Yes.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: Yes.

·     MSR 3610/3620/3620-DP/3640/3660: Yes.

·     MSR5620/5660/5680: Yes.

If the sender IP and MAC addresses of an ARP packet match an ARP permitted entry, the ARP packet is permitted. If not, it is discarded.

You can configure a maximum of eight ARP permitted entries on an interface.

You cannot configure both the arp filter source and arp filter binding commands on the same interface.

Examples

# Enable ARP filtering and configure an ARP permitted entry.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp filter binding 1.1.1.1 2-2-2


IPv4 uRPF commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display ip urpf

Use display ip urpf to display uRPF configuration.

Syntax

Centralized devices in standalone mode:

display ip urpf [ interface interface-type interface-number ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ip urpf [ interface interface-type interface-number ] [ slot slot-number ]

Distributed devices in IRF mode:

display ip urpf [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays uRPF configuration for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays uRPF configuration for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays uRPF configuration for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display uRPF configuration on GigabitEthernet 1/0/1.

<Sysname> display ip urpf interface gigabitethernet 1/0/1

uRPF configuration information of interface GigabitEthernet1/0/1:

   Check type: strict

   Allow default route

   Link check

   Suppress drop ACL: 3000

# (Distributed devices in IRF mode.) Display uRPF configuration on GigabitEthernet 1/0/1 of the card in slot 1 on IRF member device 1.

<Sysname> display ip urpf interface gigabitethernet 1/0/1 chassis 1 slot 1

uRPF configuration information of interface GigabitEthernet1/0/1:

   Check type: loose

   Allow default route

   Suppress drop ACL: 2000

Table 187 Command output

Field

Description

(failed)

The system failed to deliver the uRPF configuration to the forwarding chip because of insufficient chip resources.

This field is not displayed if the delivery is successful.

Check type

uRPF check mode: loose or strict.

Allow default route

Using the default route is allowed.

Link check

Link layer check is enabled.

Suppress drop ACL

ACL used for drop suppression.


ip urpf

Use ip urpf to enable uRPF.

Use undo ip urpf to disable uRPF.

Syntax

ip urpf { loose [ allow-default-route ] [ acl acl-number ] | strict [ allow-default-route ] [ acl acl-number ] [ link-check ] }

undo ip urpf

Default

uRPF is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

loose: Enables loose uRPF check. To pass loose uRPF check, the source address of a packet must match the destination address of a FIB entry.

strict: Enables strict uRPF check. To pass strict uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of a FIB entry.

allow-default-route: Allows using the default route for uRPF check.

acl acl-number: Specifies an ACL by its number.

·     For a basic ACL, the value range is 2000 to 2999.

·     For an advanced ACL, the value range is 3000 to 3999.

link-check: Enables link layer check (Ethernet link).

Usage guidelines

uRPF can be deployed on a PE connected to a CE or another ISP, or on a CE.

Configure strict uRPF check on a PE interface connected to a CE, and configure loose uRPF check on a PE interface connected to another ISP.

For asymmetrical routing, configure loose uRPF to avoid discarding valid packets. For symmetrical routing, configure strict uRPF. An ISP usually adopts symmetrical routing on a PE device.

Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE that has a default route pointing to the PE, specify the allow-default-route keyword.

You can use an ACL to match specific packets, so they are forwarded even if they fail to pass uRPF check.

If a Layer 3 PE interface connects to a large number of PCs, configure the link-check keyword on the interface to enable link layer check. uRPF checks the validity of the source MAC address.

Examples

# Configure strict uRPF check on interface GigabitEthernet 1/0/2 and allow using the default route and ACL 2999 to match packets.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/2

[Sysname-GigabitEthernet1/0/2] ip urpf strict allow-default-route acl 2999

# Configure loose uRPF check on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ip urpf loose

Related commands

display ip urpf



IPv6 uRPF commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display ipv6 urpf

Use display ipv6 urpf to display IPv6 uRPF configuration.

Syntax

Centralized devices in standalone mode:

display ipv6 urpf [ interface interface-type interface-number ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display ipv6 urpf [ interface interface-type interface-number ] [ slot slot-number ]

Distributed devices in IRF mode:

display ipv6 urpf [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays IPv6 uRPF configuration for all cards. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays IPv6 uRPF configuration for all member devices. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays IPv6 uRPF configuration for all cards. (Distributed devices in IRF mode.)

Examples

# (Centralized devices in standalone mode.) Display IPv6 uRPF configuration on GigabitEthernet 1/0/1.

<Sysname> display ipv6 urpf interface gigabitethernet 1/0/1

IPv6 uRPF configuration information of interface GigabitEthernet1/0/1:

   Check type: loose

   Allow default route

   Suppress drop ACL: 2000

# (Distributed devices in IRF mode.) Display IPv6 uRPF configuration on GigabitEthernet 1/0/1 of the card in slot 1 on IRF member device 1.

<Sysname> display ipv6 urpf interface gigabitethernet 1/0/1 chassis 1 slot 1

IPv6 uRPF configuration information of interface GigabitEthernet1/0/1:

   Check type: loose

   Allow default route

   Suppress drop ACL: 2000

Table 188 Command output

Field

Description

(failed)

The system failed to deliver the IPv6 uRPF configuration to the forwarding chip because of insufficient chip resources. This field is not displayed if the delivery is successful.

Check type

IPv6 uRPF check mode: loose or strict.

Allow default route

Using the default route is allowed.

Suppress drop ACL

IPv6 ACL used for drop suppression.


ipv6 urpf

Use ipv6 urpf to enable IPv6 uRPF.

Use undo ipv6 urpf to disable IPv6 uRPF.

Syntax

ipv6 urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

undo ipv6 urpf

Default

IPv6 uRPF is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

loose: Enables loose IPv6 uRPF check. To pass loose IPv6 uRPF check, the source address of a packet must match the destination address of an IPv6 FIB entry.

strict: Enables strict IPv6 uRPF check. To pass strict IPv6 uRPF check, the source address and receiving interface of a packet must match the destination address and output interface of an IPv6 FIB entry.

allow-default-route: Allows using the default route for IPv6 uRPF check.

acl acl-number: Specifies an IPv6 ACL by its number.

·     For a basic IPv6 ACL, the value range is 2000 to 2999.

·     For an advanced IPv6 ACL, the value range is 3000 to 3999.

Usage guidelines

IPv6 uRPF can be deployed on a CE or on a PE connected to either a CE or another ISP.

Configure strict IPv6 uRPF check on a PE interface connected to a CE, and configure loose IPv6 uRPF check on a PE interface connected to another ISP.

For asymmetrical routing, configure loose IPv6 uRPF to avoid discarding valid packets. For symmetrical routing, configure strict IPv6 uRPF. An ISP usually adopts symmetrical routing on a PE device.

Typically, you do not need to configure the allow-default-route keyword on a PE device, because it has no default route pointing to a CE. If you enable uRPF on a CE that has a default route pointing to the PE, specify the allow-default-route keyword.

You can use an ACL to match specific packets, so they are forwarded even if they fail to pass IPv6 uRPF check.

Examples

# Configure strict IPv6 uRPF check on interface GigabitEthernet 1/0/2 and allow using the default route and IPv6 ACL 2999 to match packets.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/2

[Sysname-GigabitEthernet1/0/2] ipv6 urpf strict allow-default-route acl 2999

# Configure loose IPv6 uRPF check on interface GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ipv6 urpf loose

Related commands

display ipv6 urpf
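The loose and strict checks, the allow-default-route keyword and ACL drop suppression described for both ip urpf and ipv6 urpf, modelled in Python as an added example (not H3C code) over a constructed FIB holding IPv4 and IPv6 prefixes. The ACL is simplified to a list of permitted source prefixes (an assumption; the real command references an ACL by number) and link-check is not modelled.

```python
"""Model of the loose and strict uRPF checks described for `ip urpf` and
`ipv6 urpf`, including allow-default-route and ACL drop suppression.  Added
example, not H3C code.  FIB, interfaces and packets are constructed; the ACL
is simplified to permitted source prefixes (assumption); link-check is not
modelled."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class FibEntry:
    prefix: Network
    out_iface: str


@dataclass
class UrpfConfig:
    mode: str                      # "loose" or "strict"
    allow_default_route: bool = False
    acl_permit: List[Network] = field(default_factory=list)  # simplified ACL


def lookup(fib: List[FibEntry], addr) -> Optional[FibEntry]:
    """Longest-prefix match for `addr` within its own address family."""
    best = None
    for entry in fib:
        if entry.prefix.version == addr.version and addr in entry.prefix:
            if best is None or entry.prefix.prefixlen > best.prefix.prefixlen:
                best = entry
    return best


def urpf_check(fib: List[FibEntry], cfg: UrpfConfig, src: str, in_iface: str) -> Tuple[bool, str]:
    """Decide whether a packet with source `src` received on an interface
    configured with `cfg` is forwarded; returns (forwarded, reason)."""
    addr = ipaddress.ip_address(src)
    entry = lookup(fib, addr)
    # The default route satisfies the check only when allow-default-route is set.
    if entry is not None and entry.prefix.prefixlen == 0 and not cfg.allow_default_route:
        entry = None
    if entry is None:
        ok, reason = False, "no FIB entry matches the source address"
    elif cfg.mode == "strict" and entry.out_iface != in_iface:
        ok, reason = False, (f"strict: FIB entry {entry.prefix} points to "
                             f"{entry.out_iface}, packet arrived on {in_iface}")
    else:
        ok, reason = True, f"{cfg.mode} check passed via {entry.prefix}"
    # Packets matching the ACL are forwarded even when they fail uRPF.
    if not ok and any(n.version == addr.version and addr in n for n in cfg.acl_permit):
        return True, "failed uRPF but forwarded by ACL drop suppression"
    return ok, reason


# Constructed PE FIB: a customer site behind GE1/0/2, everything else reached
# through the upstream ISP on GE1/0/1 via the default route, for IPv4 and IPv6.
FIB = [
    FibEntry(ipaddress.ip_network("10.1.0.0/16"), "GE1/0/2"),
    FibEntry(ipaddress.ip_network("0.0.0.0/0"), "GE1/0/1"),
    FibEntry(ipaddress.ip_network("2001:db8:1::/48"), "GE1/0/2"),
    FibEntry(ipaddress.ip_network("::/0"), "GE1/0/1"),
]

STRICT = UrpfConfig("strict")
LOOSE = UrpfConfig("loose")
LOOSE_DEFAULT = UrpfConfig("loose", allow_default_route=True)
STRICT_DEFAULT = UrpfConfig("strict", allow_default_route=True)
STRICT_ACL = UrpfConfig("strict", acl_permit=[ipaddress.ip_network("192.0.2.0/24")])

if __name__ == "__main__":
    for cfg, src, iface in [(STRICT, "10.1.5.5", "GE1/0/2"),   # CE traffic on CE port
                            (STRICT, "10.1.5.5", "GE1/0/1"),   # asymmetric/spoofed
                            (LOOSE, "10.1.5.5", "GE1/0/1"),    # loose tolerates it
                            (LOOSE, "198.51.100.7", "GE1/0/1"),
                            (LOOSE_DEFAULT, "198.51.100.7", "GE1/0/1"),
                            (STRICT_ACL, "192.0.2.9", "GE1/0/2"),
                            (STRICT, "2001:db8:1::10", "GE1/0/1")]:
        print(cfg.mode, src, iface, urpf_check(FIB, cfg, src, iface))
```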


Crypto engine commands

Commands and descriptions for centralized devices apply to the following routers:

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS.

·     MSR2600-6-X1/2600-10-X1.

·     MSR 2630.

·     MSR3600-28/3600-51.

·     MSR3600-28-SI/3600-51-SI.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.

·     MSR 3610/3620/3620-DP/3640/3660.

Commands and descriptions for distributed devices apply to the following routers:

·     MSR5620.

·     MSR 5660.

·     MSR 5680.

display crypto-engine

Use display crypto-engine to display crypto engine information, including crypto engine names and supported algorithms.

Syntax

display crypto-engine

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

If the device does not have hardware crypto engines, this command displays information only about software crypto engines.

Examples

# Display crypto engine information.

<Sysname> display crypto-engine

  Crypto engine name: cavium crypto driver

  Crypto engine state: Enabled

  Crypto engine type: Hardware

  Slot ID: 0

  CPU ID: 0

  Crypto engine ID: 0

  Symmetric algorithms: des-cbc des-ecb 3des-cbc 3des-ecb aes-cbc aes-ecb aes-ctr md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc-hmac

  Asymmetric algorithms: dh-group1 dh-group2 dh-group5 dh-group14

  Random number generation function: Supported

 

  Crypto engine name: Software crypto engine

  Crypto engine state: Enabled

  Crypto engine type: Software

  Slot ID: 0

  CPU ID:0

  Crypto engine ID: 1

  Symmetric algorithms: des-cbc des-ecb 3des-cbc aes-cbc aes-ecb aes-ctr camellia_cbc md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc aes-xcbc-hmac sm3 sm3-hmac sm4-cbc

  Asymmetric algorithms:

  Random number generation function: Supported

# (Devices without hardware crypto engines.) Display crypto engine information.

<Sysname> display crypto-engine

  Crypto engine name: Software crypto engine

  Crypto engine state: Enabled

  Crypto engine type: Software

  Slot ID: 0

  CPU ID:0

  Crypto engine ID: 0

  Symmetric algorithms: des-cbc des-ecb 3des-cbc aes-cbc aes-ecb aes-ctr camellia_cbc md5 sha1 sha2-256 sha2-384 sha2-512 md5-hmac sha1-hmac sha2-256-hmac sha2-384-hmac sha2-512-hmac aes-xcbc aes-xcbc-hmac sm3 sm3-hmac sm4-cbc

  Asymmetric algorithms:

  Random number generation function: Supported

Table 189 Command output

Field

Description

Crypto engine state

Hardware crypto engine state:

·     Enabled.

·     Disabled.

Software crypto engine state: Enabled.

Crypto engine type

Crypto engine type:

·     Hardware.

·     Software.

Slot ID

ID of the LPU that holds the crypto engine.

CPU ID

ID of the CPU on the card.

This field is not supported in the current software version.

Symmetric algorithms

Supported symmetric algorithms.

Asymmetric algorithms

Supported asymmetric algorithms.

Random number generation function

Whether random number generation function is supported:

·     Supported.

·     Not supported.


display crypto-engine statistics

Use display crypto-engine statistics to display crypto engine statistics, including the number of established sessions and the number of operations performed by crypto engines.

Syntax

Centralized devices in standalone mode:

display crypto-engine statistics [ engine-id engine-id ]

Distributed devices in standalone mode/centralized devices in IRF mode:

display crypto-engine statistics [ engine-id engine-id slot slot-number ]

Distributed devices in IRF mode:

display crypto-engine statistics [ engine-id engine-id chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

engine-id engine-id: Specifies a crypto engine by its ID. The value range is 0 to 4294967295.

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (Distributed devices in IRF mode.)

Usage guidelines

If hardware crypto engines are not enabled or the device does not have hardware crypto engines, this command displays statistics only for software crypto engines.

If you do not specify any parameters, this command displays statistics for all crypto engines. (Centralized devices in standalone mode.)

If you do not specify any parameters, this command displays crypto engine statistics for all cards. (Distributed devices in standalone mode.)

If you do not specify any parameters, this command displays crypto engine statistics for all member devices. (Centralized devices in IRF mode.)

If you do not specify any parameters, this command displays crypto engine statistics for all cards. (Distributed devices in IRF mode.)

Examples

# Display statistics for all crypto engines.

<Sysname> display crypto-engine statistics

  Slot ID: 0

  CPU ID: 0

  Crypto engine ID: 0

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

 

  Slot ID: 2

  CPU ID: 0

  Crypto engine ID: 0

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

# (Distributed devices in standalone mode/centralized devices in IRF mode.) Display statistics for all crypto engines.

<Sysname> display crypto-engine statistics

  Slot ID: 0

  CPU ID: 0

  Crypto engine ID: 0

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

 

  Slot ID: 2

  CPU ID: 0

  Crypto engine ID: 0

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

# (Distributed devices in IRF mode.) Display statistics for all crypto engines.

<Sysname> display crypto-engine statistics

  Chassis ID: 1

  Slot ID: 0

  CPU ID: 0

  Crypto engine ID: 0

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

 

  Chassis ID: 1

  Slot ID: 2

  CPU ID: 0

  Crypto engine ID: 0

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

# (Centralized devices in standalone mode.) Display statistics for crypto engine 1.

<Sysname> display crypto-engine statistics engine-id 1

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

# (Distributed devices in standalone mode.) Display statistics for crypto engine 1 on card 2.

<Sysname> display crypto-engine statistics engine-id 1 slot 2

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

# (Centralized devices in IRF mode.) Display statistics for crypto engine 1 on IRF member device 2.

<Sysname> display crypto-engine statistics engine-id 1 slot 2

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

# (Distributed devices in IRF mode.) Display statistics for crypto engine 1 on card 2 in IRF member device 1.

<Sysname> display crypto-engine statistics engine-id 1 chassis 1 slot 2

  Submitted sessions: 0

  Failed sessions: 0

  Symmetric operations: 0

  Symmetric errors: 0

  Asymmetric operations: 0

  Asymmetric errors: 0

  Get-random operations: 0

  Get-random errors: 0

Table 190 Command output

Field

Description

Submitted sessions

Number of established sessions.

Failed sessions

Number of failed sessions.

Symmetric operations

Number of operations using symmetric algorithms.

Symmetric errors

Number of failed operations using symmetric algorithms.

Asymmetric operations

Number of operations using asymmetric algorithms.

Asymmetric errors

Number of failed operations using asymmetric algorithms.

Get-random operations

Number of operations for obtaining random numbers.

Get-random errors

Number of failed operations for obtaining random numbers.


Related commands

reset crypto-engine statistics

reset crypto-engine statistics

Use reset crypto-engine statistics to clear crypto engine statistics.

Syntax

Centralized devices in standalone mode:

reset crypto-engine statistics [ engine-id engine-id ]

Distributed devices in standalone mode/centralized devices in IRF mode:

reset crypto-engine statistics [ engine-id engine-id slot slot-number ]

Distributed devices in IRF mode:

reset crypto-engine statistics [ engine-id engine-id chassis chassis-number slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

engine-id engine-id: Specifies a crypto engine by its ID. The value range is 0 to 4294967295.

slot slot-number: Specifies a card by its slot number. (Distributed devices in standalone mode.)

slot slot-number: Specifies an IRF member device by its member ID. (Centralized devices in IRF mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (Distributed devices in IRF mode.)

Usage guidelines

If you do not specify any parameters, this command clears statistics for all crypto engines. (Centralized devices in standalone mode.)

If you do not specify any parameters, this command clears crypto engine statistics for all cards. (Distributed devices in standalone mode.)

If you do not specify any parameters, this command clears crypto engine statistics for all member devices. (Centralized devices in IRF mode.)

If you do not specify any parameters, this command clears crypto engine statistics for all cards. (Distributed devices in IRF mode.)

Examples

# Clear statistics for all crypto engines.

<Sysname> reset crypto-engine statistics

Related commands

display crypto-engine statistics


FIPS commands

The following list shows the feature and hardware compatibility (hardware: whether FIPS is supported):

·     MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK: Yes.

·     MSR810-LMS/810-LUS: No.

·     MSR2600-6-X1/2600-10-X1: Yes.

·     MSR 2630: Yes.

·     MSR3600-28/3600-51: Yes.

·     MSR3600-28-SI/3600-51-SI: Yes.

·     MSR 3610/3620/3620-DP/3640/3660: Yes.

·     MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC: Yes.

·     MSR5620/5660/5680: Yes.

display crypto version

Use display crypto version to display the version number of the device algorithm base.

Syntax

display crypto version

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

Each algorithm base version number represents a set of cryptographic algorithms.

Examples

# Display the version number of the current device algorithm base.

<Sysname> display crypto version

7.1.1.1.1.68

Table 191 Command output

Field

Description

7.1.1.1.1.68

Version number in the 7.1.X format.

·     7.1—Comware V700R001.

·     X—Version number of the device algorithm base.

 

display fips status

Use display fips status to display the current FIPS mode state.

Syntax

display fips status

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the current FIPS mode state.

<Sysname> display fips status

FIPS mode is enabled.

Related commands

fips mode enable

fips mode enable

Use fips mode enable to enable FIPS mode.

Use undo fips mode enable to disable FIPS mode.

Syntax

fips mode enable

undo fips mode enable

Default

FIPS mode is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable FIPS mode and reboot the device, the device operates in FIPS mode. The FIPS device has strict security requirements, and performs self-tests on cryptography modules to verify that they are operating correctly.

After you execute the fips mode enable command, the system provides the following methods to enter FIPS mode:

·     Automatic reboot

Select the automatic reboot method. The system automatically performs the following tasks:

a.     Create a default FIPS configuration file named fips-startup.cfg.

b.     Specify the default file as the startup configuration file.

c.     Require you to configure the username and password for next login.

You can press Ctrl+C to exit the configuration process; the fips mode enable command is then not executed.

The system automatically uses the specified startup configuration file to reboot the device after you configure the administrator's username and password.

·     Manual reboot

This method requires that you manually complete the configurations for entering FIPS mode, and then reboot the device.

To use manual reboot to enter FIPS mode:

a.     Enable the password control feature globally.

b.     Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.

c.     Set the minimum length of user passwords to 15 characters.

d.     Add a local user account for device management, including the following items:

-     A username.

-     A password that must comply with the password control policies.

-     A user role of network-admin.

-     A service type of terminal.

e.     Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.

f.     Save the configuration file and specify it as the startup configuration file.

g.     Delete the original startup configuration file in binary format.

h.     Reboot the device.

After the fips mode enable command is executed, the system prompts you to choose a reboot method. If you do not make a choice within 30 seconds, the system uses the manual reboot method by default.
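A pre-flight check for the manual reboot method, as an added example that is not part of the H3C reference: it validates a candidate administrator password against the password length and character-type requirements listed above, and scans a Comware-style configuration for local users that still carry the Telnet, HTTP or FTP service types the procedure removes. The configuration text is constructed for illustration; the keywords it assumes (local-user ... class manage, service-type, authorization-attribute user-role) follow Comware 7 syntax.

```python
"""Pre-flight checks before using the manual method to enter FIPS mode.

Added example (not from the H3C command reference). The configuration
text is constructed; local-user / service-type / authorization-attribute
user-role are assumed to follow Comware 7 configuration syntax.
"""
import re
import string

FIPS_MIN_LEN = 15           # minimum password length required by the procedure
FIPS_MIN_PER_TYPE = 1       # at least one character of each of the 4 types
FIPS_INCOMPLIANT = {"telnet", "http", "ftp"}   # service types to remove

# The four character types the password control policy counts.
CHAR_TYPES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Constructed sample of a running configuration (two local users).
SAMPLE_CONFIG = """\
#
 password-control enable
#
local-user fipsadmin class manage
 service-type terminal
 authorization-attribute user-role network-admin
#
local-user legacy class manage
 service-type telnet ftp terminal
 authorization-attribute user-role network-operator
#
"""


def check_fips_password(password: str) -> list:
    """Return policy violations for a candidate password (empty = compliant)."""
    problems = []
    if len(password) < FIPS_MIN_LEN:
        problems.append("length %d is below %d" % (len(password), FIPS_MIN_LEN))
    for name, chars in CHAR_TYPES.items():
        if sum(1 for c in password if c in chars) < FIPS_MIN_PER_TYPE:
            problems.append("no %s character" % name)
    return problems


def parse_local_users(config_text: str) -> dict:
    """Collect service types and user roles per local-user block.

    A block starts at an unindented 'local-user NAME ...' line; the indented
    lines that follow belong to it, and any unindented line ends it.
    """
    users = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"local-user (\S+)", line)
        if m and not raw.startswith(" "):
            current = m.group(1)
            users[current] = {"services": set(), "roles": set()}
            continue
        if current is None or not raw.startswith(" "):
            current = None
            continue
        if line.startswith("service-type "):
            users[current]["services"].update(line.split()[1:])
        elif line.startswith("authorization-attribute user-role "):
            users[current]["roles"].add(line.split()[-1])
    return users


def fips_preflight(config_text: str) -> list:
    """Return findings that would block the manual method (empty = ready)."""
    findings = []
    users = parse_local_users(config_text)
    for name, attrs in sorted(users.items()):
        bad = sorted(attrs["services"] & FIPS_INCOMPLIANT)
        if bad:
            findings.append("user %s still has service-type %s"
                            % (name, " ".join(bad)))
    # The procedure needs one management account usable after the reboot.
    if not any("network-admin" in u["roles"] and "terminal" in u["services"]
               for u in users.values()):
        findings.append("no local user with user-role network-admin "
                        "and service-type terminal")
    return findings


if __name__ == "__main__":
    for line in fips_preflight(SAMPLE_CONFIG):
        print("FINDING:", line)
    print("password check:", check_fips_password("Fips-Admin-2024!x") or "ok")
```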

After the undo fips mode enable command is executed, the system provides the following methods to exit FIPS mode:

·     Automatic reboot

Select the automatic reboot method. The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file. The system reboots the device by using the default non-FIPS configuration file. After the reboot, you are directly logged into the device.

·     Manual reboot

This method requires that you manually complete the configurations for entering non-FIPS mode, and then reboot the device. After the device reboots, you must enter user information according to the authentication mode to log in to the device.

Examples

# Enable FIPS mode, and choose the automatic reboot method to enter FIPS mode.

<Sysname> system-view

[Sysname] fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

Reboot the device automatically? [Y/N]:y

The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.

Enter username(1-55 characters): root

Enter password(15-63 characters):

Confirm password:

Waiting for reboot... After reboot, the device will enter FIPS mode.

# Enable FIPS mode, and choose the manual reboot method to enter FIPS mode.

<Sysname> system-view

[Sysname] fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

Reboot the device automatically? [Y/N]:n

Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.

# Disable FIPS mode, and choose the automatic reboot method to enter non-FIPS mode.

[Sysname] undo fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

The system will create a new startup configuration file for non-FIPS mode and then reboot automatically. Continue? [Y/N]:y

Waiting for reboot... After reboot, the device will enter non-FIPS mode.

# Disable FIPS mode, and choose the manual reboot method to enter non-FIPS mode.

[Sysname] undo fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

The system will create a new startup configuration file for non-FIPS mode, and then reboot automatically. Continue? [Y/N]:n

Change the configuration to meet non-FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter non-FIPS mode.

Related commands

display fips status

fips self-test

Use fips self-test to trigger a self-test on the cryptographic algorithms.

Syntax

fips self-test

Views

System view

Predefined user roles

network-admin

Usage guidelines

To examine whether the cryptography modules operate correctly, you can use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test.

The self-test succeeds only if every cryptographic algorithm passes its test. If any test fails, the card on which the self-test runs reboots.

Examples

# Trigger a self-test on the cryptographic algorithms.

<Sysname> system-view

[Sysname] fips self-test

Cryptographic algorithms tests are running.

 

Slot 1:

Starting Known-Answer tests in the user space.

Known-answer test for 3DES passed.

Known-answer test for SHA1 passed.

Known-answer test for SHA224 passed.

Known-answer test for SHA256 passed.

Known-answer test for SHA384 passed.

Known-answer test for SHA512 passed.

Known-answer test for HMAC-SHA1 passed.

Known-answer test for HMAC-SHA224 passed.

Known-answer test for HMAC-SHA256 passed.

Known-answer test for HMAC-SHA384 passed.

Known-answer test for HMAC-SHA512 passed.

Known-answer test for AES passed.

Known-answer test for RSA(signature/verification) passed.

Pairwise conditional test for RSA(signature/verification) passed.

Pairwise conditional test for RSA(encrypt/decrypt) passed.

Pairwise conditional test for DSA(signature/verification) passed.

Pairwise conditional test for ECDSA(signature/verification) passed.

Known-answer test for ECDH passed.

Known-answer test for random number generator(x931) passed.

Known-answer test for DRBG passed.

Known-Answer tests in the user space passed.

Starting Known-Answer tests in the kernel.

Known-answer test for 3DES passed.

Known-answer test for AES passed.

Known-answer test for HMAC-SHA1 passed.

Known-answer test for HMAC-SHA256 passed.

Known-answer test for HMAC-SHA384 passed.

Known-answer test for HMAC-SHA512 passed.

Known-answer test for SHA1 passed.

Known-answer test for SHA256 passed.

Known-answer test for SHA384 passed.

Known-answer test for SHA512 passed.

Known-answer test for GCM passed.

Known-answer test for GMAC passed.

Known-Answer tests in the kernel passed.

Starting Known-Answer tests in the engine.

Known-answer test for SHA1 passed.

Known-answer test for HMAC-SHA1 passed.

Known-answer test for HMAC-SHA256 passed.

Known-answer test for HMAC-SHA384 passed.

Known-answer test for HMAC-SHA512 passed.

Known-answer test for 3DES passed.

Known-answer test for AES passed.

Known-answer test for RSA(signature/verification) passed.

Pairwise conditional test for RSA(signature/verification) passed.

Pairwise conditional test for RSA(encrypt/decrypt) passed.

Pairwise conditional test for DSA(signature/verification) passed.

Known-Answer tests in the engine passed.

 

Cryptographic algorithms tests passed.

 


mGRE commands

The following matrix shows the feature and hardware compatibility:

Hardware                                                                     mGRE compatibility
MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/MSR810-W-LM-HK    Yes
MSR810-LMS/810-LUS                                                           No
MSR2600-6-X1/2600-10-X1                                                      Yes
MSR 2630                                                                     Yes
MSR3600-28/3600-51                                                           Yes
MSR3600-28-SI/3600-51-SI                                                     No
MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC                               Yes
MSR 3610/3620/3620-DP/3640/3660                                              Yes
MSR5620/5660/5680                                                            Yes


display mgre session

Use display mgre session to display mGRE session information.

Syntax

display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 10239. If you do not specify this option, the command displays mGRE session information for all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command displays all mGRE session information for the specified mGRE tunnel interface.

verbose: Displays detailed information about IPv4 mGRE sessions. If you do not specify this keyword, the command displays brief information about mGRE sessions.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all mGRE sessions on all tunnel interfaces.

Examples

# Display brief information about all mGRE sessions.

<Sysname> display mgre session

Interface        : Tunnel1

Number of sessions: 2

Peer NBMA address  Peer protocol address    Type   State         State duration

10.0.0.3           192.168.180.136          C-S    Succeeded     00:30:01

10.0.1.4           192.168.180.137          C-C    Establishing  00:30:02

# Display brief information about the mGRE session with the specified peer address.

<Sysname> display mgre session interface tunnel 1 peer 10.0.0.3

Interface         : Tunnel1

Number of sessions: 1

Peer NBMA address  Peer protocol address    Type   State       State duration

10.0.0.3           192.168.180.136          C-S    Succeeded   00:30:01

Table 192 Command output

Field

Description

Interface

Name of the mGRE tunnel interface.

Number of sessions

Total number of mGRE sessions on the tunnel interface.

Peer NBMA address

Public address of the peer.

Peer protocol address

IP address of the peer tunnel interface.

Type

mGRE session type:

·     C-S—The local end is an NHC, and the peer end is the NHS.

·     C-C—The local end is an NHC, and the peer end is an NHC.

·     UNKNOWN—The local end is an NHC, and the peer end type is unknown.

State

mGRE session state:

·     Succeeded.

·     Establishing.

State duration

Duration of the current session state, in the format of hh:mm:ss.

 

# Display detailed information about all IPv4 mGRE sessions.

<Sysname> display mgre session verbose

Interface         : Tunnel1

Link protocol     : GRE

Number of sessions: 2

  Peer NBMA address    : 10.0.1.3

  Peer protocol address: 192.168.180.136

  Session type         : C-S

  State                : Succeeded

  State duration       : 00:30:01

  Input : 2201 packets, 218 data packets, 3 control packets

          2191 multicasts, 0 errors

  Output: 2169 packets, 2168 data packets, 1 control packets

          2163 multicasts, 0 errors

 

  Peer NBMA address    : 10.0.1.4

  Peer protocol address: 192.168.180.137

  Session type         : C-S

  State                : Succeeded

  State duration       : 00:31:01

  Input : 1 packets, 0 data packets, 1 control packets

          0 multicasts, 0 errors

  Output: 16 packets, 0 data packets, 16 control packets

          0 multicasts, 0 errors

 

Interface         : Tunnel2

Link protocol     : IPsec-GRE

Number of sessions: 1

  Peer NBMA address     : 20.0.0.3

  Peer protocol address : 192.168.181.137

  Behind NAT            : No

  Session type          : C-C

  SA's SPI              :

      Inbound : 187199087 (0xb286e6f) [ESP]

      Outbound: 3562274487 (0xd453feb7) [ESP]

  State                 : Establishing

  State duration        : 00:31:01

  Input : 0 packets, 0 data packets, 0 control packets

         0 multicasts, 0 errors

  Output: 1 packets, 0 data packets, 1 control packets

         0 multicasts, 0 errors

Table 193 Command output

Field

Description

Interface

Name of the mGRE tunnel interface.

Link protocol

Encapsulation protocol used by the mGRE tunnel:

·     GRE.

·     IPsec-GRE.

Number of sessions

Total number of mGRE sessions on the tunnel interface.

Peer NBMA address

Public address of the peer.

Peer protocol address

IP address of the peer tunnel interface.

SA's SPI

SPI of the inbound and outbound SAs. This field is available when the mGRE tunnel is carried over IPsec.

Behind NAT

Whether the peer NHC has traversed a NAT device.

Session type

mGRE session type:

·     C-S—The local end is an NHC, and the peer end is the NHS.

·     C-C—The local end is an NHC, and the peer end is an NHC.

State

mGRE session state:

·     Succeeded.

·     Establishing.

State duration

Duration of the current session state, in the format of hh:mm:ss.

Input

Statistics on received packets:

·     packets—Total number of packets.

·     data packets—Number of data packets.

·     control packets—Number of control packets.

·     multicasts—Number of multicast packets.

·     errors—Number of error packets.

Output

Statistics on sent packets:

·     packets—Total number of packets.

·     data packets—Number of data packets.

·     control packets—Number of control packets.

·     multicasts—Number of multicast packets.

·     errors—Number of error packets.

 

display nhrp map

Use display nhrp map to display information about NHRP mapping entries.

Syntax

display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 10239. If you do not specify this option, the command displays NHRP mapping table information for all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command displays NHRP mapping entries for all peers.

verbose: Displays detailed information about NHRP mapping entries. If you do not specify this keyword, the command displays brief information about NHRP mapping entries.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all NHRP mapping entries.

Examples

# Display brief information about all NHRP mapping entries.

<Sysname> display nhrp map

Destination/mask   Next hop       NBMA address    Type     Interface

172.16.1.1/32      172.16.1.1     105.112.100.4   cached   Tunnel0

172.16.1.2/32      172.16.1.2     105.112.100.92  cached   Tunnel0

# Display detailed information about all NHRP mapping entries.

<Sysname> display nhrp map verbose

Interface   : Tunnel0

  Destination/mask    : 172.16.1.1/32

  Next hop            : 172.16.1.1

  Creation time       : 00:38:44

  Expiration time     : 01:21:15

  Type                : cached

  Flags               : unique up used

  NBMA address        : 105.112.100.4

 

Interface   : Tunnel0

  Destination/mask    : 172.16.1.2/32

  Next hop            : 172.16.1.2

  Creation time       : 00:25:53

  Expiration time     : 01:34:06

  Type                : cached

  Flags               : unique up used ipsec

  NBMA address        : 105.112.100.92

Table 194 Command output

Field

Description

Destination/mask

Destination tunnel interface address and mask of the mapping entry.

Next hop

Next hop address to reach the destination network.

Creation time

Time elapsed since the mapping entry was created.

Expiration time

Time remaining until the mapping entry expires.

Type

Mapping entry type:

·     static—The entry is statically configured.

·     cached—The entry is dynamically obtained.

·     Incomplete—The entry is dynamic and incomplete.

Flags

Mapping entry flags:

·     unique—The mapping entry in the registration request cannot be overwritten by a mapping entry that has the same protocol address and different public addresses. A client can register the new entry with the server only after the mapping entry on the server expires.

·     used—This mapping entry is used for packet forwarding.

·     up—Packets can be forwarded.

·     ipsec—IPsec negotiation succeeded. Packets will be protected by IPsec.

·     init—Initialization state.
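A parser and audit for the verbose output format described in Table 194, as an added example that is not part of the H3C reference: it turns each mapping entry into a record and reports cached entries that lack the ipsec flag (traffic to that peer is not IPsec-protected), entries that are not up, and entries close to expiring. The sample output is the page's own display nhrp map verbose example, embedded so the script runs offline; the 300-second expiry threshold is an assumed value.

```python
"""Audit 'display nhrp map verbose' output for unprotected or stale entries.

Added example (not from the H3C command reference). SAMPLE_OUTPUT is the
page's own example output; the expiry threshold is an assumed value.
"""
import re

SAMPLE_OUTPUT = """\
Interface   : Tunnel0
  Destination/mask    : 172.16.1.1/32
  Next hop            : 172.16.1.1
  Creation time       : 00:38:44
  Expiration time     : 01:21:15
  Type                : cached
  Flags               : unique up used
  NBMA address        : 105.112.100.4

Interface   : Tunnel0
  Destination/mask    : 172.16.1.2/32
  Next hop            : 172.16.1.2
  Creation time       : 00:25:53
  Expiration time     : 01:34:06
  Type                : cached
  Flags               : unique up used ipsec
  NBMA address        : 105.112.100.92
"""

# 'Field name : value' with the field name padded to a fixed width.
FIELD_RE = re.compile(r"^\s*([A-Za-z/ ]+?)\s*:\s*(.*)$")


def parse_nhrp_map_verbose(text: str) -> list:
    """Split the output into one dict per mapping entry.

    A new entry starts at each 'Interface' line; every following
    'Field : value' line is attached to that entry. Flags become a set.
    """
    entries = []
    for raw in text.splitlines():
        m = FIELD_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Interface":
            entries.append({"Interface": value})
            continue
        if not entries:
            continue
        entries[-1][key] = set(value.split()) if key == "Flags" else value
    return entries


def hms_to_seconds(hms: str) -> int:
    """Convert the hh:mm:ss durations shown in the output to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def audit_nhrp_entries(entries: list, min_remaining: int = 300) -> list:
    """Return human-readable findings for entries worth an operator's look."""
    findings = []
    for e in entries:
        flags = e.get("Flags", set())
        where = "%s %s" % (e["Interface"], e.get("Destination/mask", "?"))
        # A dynamically learned peer without 'ipsec' is reached in the clear.
        if e.get("Type") == "cached" and "ipsec" not in flags:
            findings.append("%s: cached entry without ipsec flag" % where)
        if "up" not in flags:
            findings.append("%s: entry not up" % where)
        exp = e.get("Expiration time")
        if exp and hms_to_seconds(exp) < min_remaining:
            findings.append("%s: expires in %s" % (where, exp))
    return findings


if __name__ == "__main__":
    for finding in audit_nhrp_entries(parse_nhrp_map_verbose(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```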

 

display nhrp statistics

Use display nhrp statistics to display NHRP packet statistics for a tunnel interface.

Syntax

display nhrp statistics [ interface tunnel interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 10239. If you do not specify this option, the command displays NHRP packet statistics for all tunnel interfaces.

Examples

# Display NHRP packet statistics.

<Sysname> display nhrp statistics

Tunnel0:

  NHRP packets sent       : 815

    Resolution requests   : 15

    Resolution replies    : 1

    Registration requests : 0

    Registration replies  : 797

    Purge requests        : 2

    Purge replies         : 0

    Error indications     : 0

    Traffic indications   : 0

 

  NHRP packets received   : 1453

    Resolution requests   : 15

    Resolution replies    : 1

    Registration requests : 1435

    Registration replies  : 2

    Purge requests        : 0

    Purge replies         : 0

    Error indications     : 0

    Traffic indications   : 0

 

Tunnel1:

  NHRP packets sent       : 3

    Resolution Requests   : 0

    Resolution replies    : 0

    Registration requests : 0

    Registration replies  : 3

    Purge requests        : 0

    Purge replies         : 0

    Error indications     : 0

    Traffic indications   : 0

 

  NHRP packets received   : 3

    Resolution requests   : 0

    Resolution replies    : 0

    Registration requests : 3

    Registration replies  : 0

    Purge requests        : 0

    Purge replies         : 0

    Error indications     : 0

    Traffic indications   : 0

nhrp authentication

Use nhrp authentication to configure an NHRP packet authentication key.

Use undo nhrp authentication to restore the default.

Syntax

nhrp authentication { cipher | simple } string

undo nhrp authentication

Default

No NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets received from each other.

Views

mGRE tunnel interface view

Predefined user roles

network-admin

Parameters

cipher: Specifies an authentication key in encrypted form.

simple: Specifies an authentication key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key string. Its plaintext form is a case-sensitive string of 1 to 8 characters. Its encrypted form is a case-sensitive string of 1 to 41 characters.

Usage guidelines

After an NHRP packet authentication key is configured for a tunnel interface, the tunnel interface adds the key in packets sent to the peer. The tunnel interface also uses the key to authenticate NHRP packets it receives. If a packet fails the authentication, the packet will be dropped.

For mGRE tunnels to be established successfully, configure the same NHRP authentication key for all NHCs and NHSs in the same mGRE network.

Examples

# On interface Tunnel1, set the NHRP packet authentication key to 123456.

<Sysname> system-view

[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp authentication simple 123456

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

nhrp holdtime

Use nhrp holdtime to configure the holdtime for NHRP mapping entries.

Use undo nhrp holdtime to restore the default.

Syntax

nhrp holdtime seconds

undo nhrp holdtime

Default

The holdtime of NHRP mapping entries is 7200 seconds.

Views

mGRE tunnel interface view

Predefined user roles

network-admin

Parameters

seconds: Specifies the holdtime in the range of 1 to 65535 seconds.

Usage guidelines

After the holdtime is configured, the local NHRP holdtime carried in outgoing packets is updated to the configured holdtime.

Examples

# On interface Tunnel1, set the holdtime of NHRP mapping entries to 600 seconds.

<Sysname> system-view

[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp holdtime 600

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

nhrp network-id

Use nhrp network-id to configure an NHRP network ID for an mGRE tunnel.

Use undo nhrp network-id to delete the NHRP network ID of an mGRE tunnel.

Syntax

nhrp network-id number

undo nhrp network-id

Default

An mGRE tunnel does not have an NHRP network ID.

Views

mGRE tunnel interface view

Predefined user roles

network-admin

Parameters

number: Specifies an NHRP network ID in the range of 1 to 4294967295.

Usage guidelines

A network ID is only locally significant. You can configure different NHRP network IDs for different tunnel interfaces on the device. The NHC and NHS can have different NHRP network IDs.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the NHRP network ID to 10 for mGRE tunnel interface Tunnel1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp network-id 10

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

nhrp nhs

Use nhrp nhs to configure an NHS private-to-public address mapping.

Use undo nhrp nhs to delete an NHS private-to-public address mapping.

Syntax

nhrp nhs nhs-address nbma nbma-address

undo nhrp nhs nhs-address nbma nbma-address

Default

No NHS private-to-public address mappings are configured.

Views

mGRE tunnel interface view

Predefined user roles

network-admin

Parameters

nhs-address: Specifies the private address of an NHS.

nbma-address: Specifies the public address (NBMA address) of the NHS.

Usage guidelines

You can configure multiple NHSs for redundancy. If multiple NHSs are configured, NHCs register with all the NHSs.

Examples

# On interface Tunnel1, configure the NHS private address as 1.1.1.1 and public address as 120.1.1.120.

<Sysname> system-view

[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp nhs 1.1.1.1 nbma 120.1.1.120

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

reset mgre session

Use reset mgre session to reset dynamic mGRE sessions.

Syntax

reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 10239. If you do not specify this option, the command resets dynamic mGRE sessions for all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command resets all dynamic mGRE sessions for the specified mGRE tunnel interface.

Usage guidelines

If you do not specify any parameters, this command resets all dynamic mGRE sessions. When an mGRE session is reset, the NHC reregisters with the NHS.

Examples

# Reset the mGRE sessions on interface Tunnel1.

<Sysname> reset mgre session interface tunnel 1

# Reset the mGRE session with peer address 202.12.12.12 on interface Tunnel1.

<Sysname> reset mgre session interface tunnel 1 peer 202.12.12.12

Related commands

display mgre session

reset mgre statistics

Use reset mgre statistics to clear mGRE session statistics.

Syntax

reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 10239. If you do not specify this option, the command clears mGRE session statistics for all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command clears statistics about all mGRE sessions on the specified mGRE tunnel interface.

Examples

# Clear statistics about mGRE sessions on interface Tunnel1.

<Sysname> reset mgre statistics interface tunnel 1

# Clear statistics about the mGRE session with peer public address 192.168.1.200 on interface Tunnel1.

<Sysname> reset mgre statistics interface tunnel 1 peer 192.168.1.200

reset nhrp statistics

Use reset nhrp statistics to clear NHRP packet statistics.

Syntax

reset nhrp statistics [ interface tunnel interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 10239. If you do not specify this option, the command clears NHRP packet statistics for all mGRE tunnel interfaces.

Examples

# Clear NHRP packet statistics for interface Tunnel1.

<Sysname> reset nhrp statistics interface tunnel 1

Related commands

display nhrp statistics


Index

A B C D E F G H I K L M N O P Q R S T U V W


A

aaa authorization,654

aaa authorization,613

aaa device-id,88

aaa domain,796

aaa nas-id profile,1

aaa session-id mode,2

aaa session-limit,2

aaa-fail nobinding enable,245

accelerate,1023

accept-lifetime utc,455

access-limit,55

accounting advpn,3

accounting command,4

accounting default,5

accounting ipoe,6

accounting lan-access,8

accounting login,9

accounting portal,10

accounting ppp,12

accounting quota-out,13

accounting sslvpn,14

accounting start-fail,15

accounting update-fail,16

accounting-on enable,88

accounting-on extended,89

ack-flood action,1041

ack-flood detect,1042

ack-flood detect non-specific,1043

ack-flood threshold,1044

address,655

aging-time,246

ah authentication-algorithm,545

app-group,891

app-id (Facebook authentication server view),247

app-id (QQ authentication server view),247

app-id (WeChat authentication server view),248

app-key (Facebook authentication server view),249

app-key (QQ authentication server view),250

app-key (WeChat authentication server view),251

application statistics enable,892

app-secret,252

apr set detectlen,893

apr signature auto-update,894

apr signature auto-update-now,895

apr signature rollback,896

apr signature update,897

arp active-ack enable,1187

arp authorized enable,1188

arp detection enable,1189

arp detection rule,1189

arp detection trust,1191

arp detection validate,1191

arp filter binding,1197

arp filter source,1196

arp fixup,1194

arp resolving-route enable,1180

arp resolving-route probe-count,1181

arp resolving-route probe-interval,1181

arp restricted-forwarding enable,1192

arp scan,1195

arp source-mac,1184

arp source-mac aging-time,1184

arp source-mac exclude-mac,1185

arp source-mac threshold,1185

arp source-suppression enable,1182

arp source-suppression limit,1182

arp valid-check enable,1187

aspf apply policy (interface view),875

aspf apply policy (zone pair view),876

aspf icmp-error reply,877

aspf policy,877

attack-defense apply policy,1044

attack-defense local apply policy,1045

attack-defense login reauthentication-delay,1046

attack-defense policy,1047

attack-defense signature log non-aggregate,1047

attack-defense top-attack-statistics enable,1048

attribute,484

attribute 15 check-mode,90

attribute 25 car,91

attribute 31 mac-format,91

attribute convert (RADIUS DAS view),92

attribute convert (RADIUS scheme view),93

attribute reject (RADIUS DAS view),94

attribute reject (RADIUS scheme view),95

attribute remanent-volume,96

attribute translate,97

attribute vendor-id 2011 version,98

attribute-map,154

authentication advpn,16

authentication default,17

authentication ike,19

authentication ipoe,20

authentication lan-access,21

authentication login,22

authentication portal,23

authentication ppp,24

authentication sslvpn,25

authentication super,27

authentication use,797

authentication-algorithm,614

authentication-algorithm,456

authentication-method,655

authentication-method,615

authentication-server,154

authentication-timeout,253

authorization advpn,28

authorization command,29

authorization default,30

authorization ike,31

authorization ipoe,32

authorization lan-access,33

authorization login,34

authorization portal,36

authorization ppp,37

authorization sslvpn,38

authorization-attribute (ISP domain view),39

authorization-attribute (local user view/user group view),55

authorization-server,155

auth-url,253

B

bandwidth,798

basic-service-ip-type,42

bind-attribute,58

binding-retry,254

blacklist enable,1049

blacklist global enable,1049

blacklist ip,1050

blacklist ipv6,1051

blacklist logging enable,1052

blacklist object-group,1053

bye,736

C

ca identifier,485

captive-bypass enable,255

cd,736

cdup,737

certificate domain,657

certificate domain,616

certificate request entity,486

certificate request from,487

certificate request mode,487

certificate request polling,489

certificate request url,490

certificate-authentication enable,798

certificate-chain-sending enable,780

ciphersuite,781

client,98

client anti-replay window,696

client registration,697

client rekey encryption,698

client transform-sets,699

client-authentication,617

client-verify,783

client-verify dns enable,1054

client-verify http enable,1054

client-verify protected ip,1055

client-verify protected ipv6,1056

client-verify tcp enable,1057

cloud-binding enable,256

cloud-server url,257

common-name,490

company,60

config-exchange,658

connection-limit,988

connection-limit apply,989

connection-limit apply global,990

content-type,799

copy app-group,899

country,491

crl check,491

crl url,492

D

data-flow-format (HWTACACS scheme view),130

data-flow-format (RADIUS scheme view),100

default,800

default-logon-page,258

default-policy-group,800

delete,737

description,546

description,990

description,1024

description,60

description,618

description,1009

description (application group view),900

description (NBAR rule view),900

description (shortcut view),801

description (SSL VPN AC interface view),802

destination,901

detect,878

dh,619

dh,659

dhcpv6-follow-ipv6cp,42

dir,738

direction,902

disable,903

display app-group,904

display application,906

display application statistics,909

display application statistics top,911

display apr signature information,913

display arp detection,1192

display arp detection statistics,1193

display arp source-mac,1186

display arp source-suppression,1183

display aspf all,879

display aspf interface,881

display aspf policy,881

display aspf session,882

display attack-defense flood statistics ip,1058

display attack-defense flood statistics ipv6,1061

display attack-defense policy,1064

display attack-defense policy ip,1069

display attack-defense policy ipv6,1071

display attack-defense scan attacker ip,1074

display attack-defense scan attacker ipv6,1076

display attack-defense scan victim ip,1078

display attack-defense scan victim ipv6,1081

display attack-defense statistics interface,1083

display attack-defense statistics local,1088

display attack-defense top-attack-statistics,1094

display blacklist ip,1095

display blacklist ipv6,1097

display client-verify protected ip,1099

display client-verify protected ipv6,1104

display client-verify trusted ip,1108

display client-verify trusted ipv6,1112

display connection-limit,991

display connection-limit ipv6-stat-nodes,994

display connection-limit statistics,998

display connection-limit stat-nodes,999

display crypto version,1212

display crypto-engine,1205

display crypto-engine statistics,1207

display domain,43

display dot1x,169

display dot1x connection,174

display fips status,1213

display gdoi gm,699

display gdoi gm acl,704

display gdoi gm anti-replay,705

display gdoi gm ipsec sa,706

display gdoi gm members,707

display gdoi gm pubkey,708

display gdoi gm rekey,709

display hwtacacs scheme,131

display ike proposal,620

display ike sa,621

display ike statistics,624

display ikev2 policy,660

display ikev2 profile,661

display ikev2 proposal,662

display ikev2 sa,663

display ikev2 statistics,667

display interface sslvpn-ac,802

display ip source binding,1171

display ip urpf,1199

display ipsec { ipv6-policy | policy },547

display ipsec { ipv6-policy-template | policy-template },552

display ipsec profile,554

display ipsec sa,556

display ipsec statistics,560

display ipsec transform-set,562

display ipsec tunnel,563

display ipv6 source binding,1173

display ipv6 urpf,1202

display keychain,456

display ldap scheme,156

display local-guest waiting-approval,61

display local-user,62

display mac-authentication,204

display mac-authentication connection,208

display mgre session,1218

display nhrp map,1221

display nhrp statistics,1222

display object-group,1009

display object-policy accelerate,1025

display object-policy ip,1026

display object-policy ipv6,1027

display object-policy statistics zone-pair security,1028

display object-policy zone-pair security,1029

display password-control,435

display password-control blacklist,436

display pki certificate access-control-policy,493

display pki certificate attribute-group,494

display pki certificate domain,495

display pki certificate renew-status,500

display pki certificate request-status,501

display pki crl domain,503

display portal,259

display portal auth-error-record,264

display portal auth-fail-record,267

display portal captive-bypass statistics,270

display portal dns free-rule-host,271

display portal extend-auth-server,272

display portal local-binding mac-address,273

display portal logout-record,274

display portal mac-trigger user,277

display portal mac-trigger-server,278

display portal packet statistics,280

display portal permit-rule statistics,286

display portal redirect statistics,286

display portal rule,287

display portal safe-redirect statistics,298

display portal server,300

display portal user,301

display portal user count,316

display portal web-server,317

display port-mapping pre-defined,914

display port-mapping user-defined,915

display port-security,221

display port-security mac-address block,224

display port-security mac-address security,228

display public-key local public,462

display public-key peer,466

display radius scheme,100

display radius statistics,103

display session aging-time application,930

display session aging-time state,931

display session relation-table,932

display session statistics,935

display session statistics ipv4,940

display session statistics ipv6,942

display session statistics multicast,945

display session table ipv4,946

display session table ipv6,952

display session table multicast ipv4,956

display session table multicast ipv6,962

display sftp client source,738

display ssh client source,739

display ssh server,715

display ssh user-information,717

display ssh2 algorithm,775

display ssl client-policy,784

display ssl server-policy,785

display sslvpn context,805

display sslvpn gateway,807

display sslvpn ip-tunnel statistics,809

display sslvpn policy-group,811

display sslvpn port-forward connection,812

display sslvpn session,813

display user-group,66

display user-profile,429

display web-redirect rule,318

display whitelist object-group,1116

dns-flood action,1117

dns-flood detect,1118

dns-flood detect non-specific,1119

dns-flood port,1120

dns-flood threshold,1120

domain,47

domain default enable,48

domain if-unknown,49

dot1x,179

dot1x authentication-method,179

dot1x auth-fail vlan,180

dot1x critical vlan,181

dot1x domain-delimiter,182

dot1x ead-assistant enable,183

dot1x ead-assistant free-ip,184

dot1x ead-assistant url,185

dot1x guest-vlan,186

dot1x handshake,187

dot1x handshake reply enable,187

dot1x handshake secure,188

dot1x mandatory-domain,189

dot1x max-user,190

dot1x multicast-trigger,190

dot1x port-control,191

dot1x port-method,192

dot1x quiet-period,192

dot1x re-authenticate,193

dot1x re-authenticate server-unreachable keep-online,194

dot1x retry,194

dot1x smarton,195

dot1x smarton password,196

dot1x smarton retry,197

dot1x smarton switchid,197

dot1x smarton timer supp-timeout,198

dot1x timer,199

dot1x unicast-trigger,201

dpd,668

dpd,625

dynamic-password enable,816

E

email,67

emo-server,816

encapsulation-mode,566

encryption,669

encryption-algorithm,626

esn enable,567

esp authentication-algorithm,567

esp encryption-algorithm,569

exchange-mode,628

exclude,817

exclude-attribute (MAC binding server view),321

exclude-attribute (portal authentication server view),323

execution (port forwarding item view),818

execution (shortcut view),818

exempt acl,1121

exit,739

F

file-policy,819

filter ip-tunnel acl,820

filter ip-tunnel uri-acl,821

filter tcp-access acl,822

filter tcp-access uri-acl,823

filter web-access acl,824

filter web-access uri-acl,825

fin-flood action,1122

fin-flood detect,1123

fin-flood detect non-specific,1124

fin-flood threshold,1125

fips mode enable,1213

fips self-test,1215

force-logout,826

force-logout max-onlines enable,827

fqdn,504

free-traffic threshold,324

full-name,68

G

gateway,827

gdoi gm group,710

get,740

group,69

group,711

group-filter,158

H

heading,828

help,740

hostname,670

http-flood action,1126

http-flood detect,1127

http-flood detect non-specific,1128

http-flood port,1128

http-flood threshold,1129

http-redirect,829

hwtacacs nas-ip,136

hwtacacs scheme,138

I

icmp-error drop,888

icmp-flood action,1130

icmp-flood detect ip,1131

icmp-flood detect non-specific,1132

icmp-flood threshold,1132

icmpv6-flood action,1133

icmpv6-flood detect ipv6,1134

icmpv6-flood detect non-specific,1135

icmpv6-flood threshold,1135

identity,671

identity,712

identity local,672

idle-cut traffic-threshold,829

if-match,325

if-match temp-pass,327

ike address-group,629

ike compatible-sm4 enable,630

ike dpd,631

ike identity,632

ike invalid-spi-recovery enable,633

ike keepalive interval,634

ike keepalive timeout,634

ike keychain,635

ike limit,636

ike logging negotiation enable,636

ike nat-keepalive,637

ike profile,638

ike proposal,638

ike signature-identity from-certificate,639

ike-profile,571

ikev2 address-group,673

ikev2 cookie-challenge,673

ikev2 dpd,674

ikev2 ipv6-address-group,675

ikev2 keychain,676

ikev2 nat-keepalive,676

ikev2 policy,677

ikev2 profile,678

ikev2 proposal,679

ikev2-profile,572

include,830

include application,916

inside-vpn,640

inside-vrf,680

integrity,681

interface sslvpn-ac,831

ip,505

ip,158

ip (MAC binding server view),329

ip (portal authentication server view),330

ip address,832

ip source binding (interface view),1175

ip urpf,1200

ip verify source,1176

ip-route-list,832

ipsec { ipv6-policy | policy },573

ipsec { ipv6-policy | policy } isakmp template,574

ipsec { ipv6-policy | policy } local-address,575

ipsec { ipv6-policy-template | policy-template },576

ipsec anti-replay check,577

ipsec anti-replay window,578

ipsec apply,579

ipsec decrypt-check enable,579

ipsec df-bit,580

ipsec fragmentation,581

ipsec global-df-bit,581

ipsec limit max-tunnel,582

ipsec logging negotiation enable,583

ipsec logging packet enable,583

ipsec profile,584

ipsec redundancy enable,585

ipsec sa global-duration,585

ipsec sa global-soft-duration buffer,586

ipsec sa idle-time,587

ipsec transform-set,588

ip-tunnel access-route,833

ip-tunnel address-pool,834

ip-tunnel dns-server,835

ip-tunnel interface,835

ip-tunnel keepalive,836

ip-tunnel log connection-close,837

ip-tunnel wins-server,837

ipv6,159

ipv6 (portal authentication server view),331

ipv6 address,838

ipv6 source binding (interface view),1177

ipv6 urpf,1203

ipv6 verify source,1178

K

key,458

key (HWTACACS scheme view),138

key (RADIUS scheme view),104

keychain,641

keychain,458

keychain,681

key-string,459

L

ldap attribute-map,160

ldap scheme,161

ldap server,161

ldap-server,506

limit,1004

local-address,589

local-binding aging-time,332

local-binding enable,333

local-guest auto-delete enable,69

local-guest email format,70

local-guest email sender,71

local-guest email smtp-server,71

local-guest generate,72

local-guest manager-email,73

local-guest send-email,74

local-guest timer,75

local-identity,641

locality,507

local-port,839

local-user,75

local-user-export class network guest,77

local-user-import class network guest,78

log enable user-log,840

log resource-access enable,841

log user-login enable,842

login-dn,162

login-message,843

login-password,163

logo,843

logon-page bind,333

logout-notify,335

ls,741

M

mac-authentication,212

mac-authentication domain,213

mac-authentication host-mode,214

mac-authentication max-user,215

mac-authentication re-authenticate server-unreachable keep-online,215

mac-authentication timer,216

mac-authentication timer auth-delay,217

mac-authentication user-name-format,218

mail-domain-name,336

mail-protocol,337

map,163

match local (IKEv2 profile view),682

match local address (IKE keychain view),642

match local address (IKE profile view),643

match local address (IKEv2 policy view),683

match remote,644

match remote,684

match vrf (IKEv2 policy view),685

match vrf (IKEv2 profile view),686

max-onlines,844

max-users,844

message-server,845

mkdir,742

move rule,1029

mtu,846

N

nas-id,50

nas-id bind vlan,51

nas-ip (HWTACACS scheme view),139

nas-ip (RADIUS scheme view),105

nas-port-type,337

nat-keepalive,687

nbar application,917

network (IPv4 address object group view),1011

network (IPv6 address object group view),1013

network exclude,1015

new-content,846

nhrp authentication,1224

nhrp holdtime,1224

nhrp network-id,1225

nhrp nhs,1226

O

object-group,1016

object-group rename,1017

object-policy apply ip,1030

object-policy apply ipv6,1031

object-policy ip,1032

object-policy ipv6,1032

old-content,847

organization,507

organization-unit,508

override-current,918

P

password (device management user view),80

password (network access user view),81

password-authentication enable,848

password-control { aging | composition | history | length } enable,437

password-control aging,438

password-control alert-before-expire,440

password-control complexity,440

password-control composition,441

password-control enable,443

password-control expired-user-login,444

password-control history,445

password-control length,446

password-control login idle-time,447

password-control login-attempt,448

password-control super aging,450

password-control super composition,450

password-control super length,451

password-control update-interval,452

peer,688

peer-public-key end,468

pfs,590

phone,81

pkcs7-encryption-algorithm,508

pki abort-certificate-request,510

pki certificate access-control-policy,510

pki certificate attribute-group,511

pki delete-certificate,512

pki domain,513

pki entity,514

pki export,515

pki import,522

pki request-certificate,526

pki retrieve-certificate,527

pki retrieve-crl,529

pki storage,530

pki validate-certificate,530

pki-domain,786

policy-group,848

port,106

port (MAC binding server view),338

port (port object group view),1018

port (portal authentication server view),339

portal { bas-ip | bas-ipv6 },339

portal { ipv4-max-user | ipv6-max-user },341

portal apply mac-trigger-server,342

portal apply web-server,342

portal auth-error-record enable,344

portal auth-error-record export,344

portal auth-error-record max,346

portal auth-fail-record enable,347

portal auth-fail-record export,348

portal auth-fail-record max,349

portal authorization strict-checking,350

portal captive-bypass optimize delay,351

portal client-gateway interface,352

portal client-traffic-report interval,352

portal delete-user,353

portal device-id,355

portal domain,356

portal dual-stack enable,357

portal dual-stack traffic-separate enable,358

portal enable,359

portal extend-auth domain,360

portal extend-auth-server,361

portal fail-permit server,362

portal fail-permit web-server,363

portal forbidden-rule,364

portal free-all except destination,365

portal free-rule,366

portal free-rule description,368

portal free-rule destination,368

portal free-rule source,369

portal host-check enable,371

portal ipv6 free-all except destination,372

portal ipv6 layer3 source,373

portal ipv6 user-detect,374

portal layer3 source,375

portal local-web-server,376

portal logout-record enable,377

portal logout-record export,378

portal logout-record max,380

portal mac-trigger-server,381

portal max-user,381

portal nas-id profile,382

portal nas-port-id format,383

portal nas-port-type,385

portal oauth user-sync interval,387

portal outbound-filter enable,387

portal packet log enable,389

portal pre-auth domain,388

portal pre-auth ip-pool,390

portal redirect log enable,391

portal refresh enable,392

portal roaming enable,392

portal safe-redirect enable,393

portal safe-redirect forbidden-file,394

portal safe-redirect forbidden-url,394

portal safe-redirect method,395

portal safe-redirect user-agent,396

portal server,397

portal temp-pass enable,398

portal traffic-accounting disable,399

portal traffic-backup threshold,399

portal user log enable,403

portal user-detect,400

portal user-dhcp-only,401

portal user-logoff after-client-offline enable,402

portal web-server,404

port-forward,849

port-forward-item,850

port-mapping,919

port-mapping acl,920

port-mapping host,921

port-mapping subnet,922

port-security authorization ignore,229

port-security authorization-fail offline,230

port-security enable,231

port-security intrusion-mode,231

port-security mac-address aging-type inactivity,232

port-security mac-address dynamic,233

port-security mac-address security,234

port-security mac-move permit,235

port-security max-mac-count,236

port-security nas-id-profile,237

port-security ntk-mode,238

port-security oui,238

port-security port-mode,239

port-security timer autolearn aging,242

port-security timer disableport,242

prefer-cipher,787

pre-shared-key,688

pre-shared-key,645

prf,690

primary accounting (HWTACACS scheme view),140

primary accounting (RADIUS scheme view),107

primary authentication (HWTACACS scheme view),142

primary authentication (RADIUS scheme view),109

primary authorization,143

priority (IKE keychain view),647

priority (IKE profile view),647

priority (IKEv2 policy view),691

priority (IKEv2 profile view),692

proposal,648

proposal,692

protocol,591

protocol-version,164

public-key dsa,532

public-key ecdsa,534

public-key local create,469

public-key local destroy,473

public-key local export dsa,475

public-key local export ecdsa,477

public-key local export rsa,478

public-key local export sm2,480

public-key peer,482

public-key peer import sshkey,483

public-key rsa,535

public-key sm2,536

put,742

pwd,743

Q

qos pre-classify,591

quit,743

R

radius attribute extended,110

radius dscp,111

radius dynamic-author server,112

radius nas-ip,113

radius scheme,114

radius session-control client,114

radius session-control enable,116

radius-server test-profile,116

redirect-url,404

redundancy replay-interval,592

remote-address,593

remove,744

rename,744

reset application statistics,924

reset arp detection statistics,1194

reset aspf session,889

reset attack-defense policy flood,1136

reset attack-defense statistics interface,1137

reset attack-defense statistics local,1137

reset attack-defense top-attack-statistics,1138

reset blacklist ip,1138

reset blacklist ipv6,1139

reset blacklist statistics,1139

reset client-verify protected statistics,1140

reset client-verify trusted,1140

reset connection-limit statistics,1007

reset counters interface sslvpn-ac,851

reset crypto-engine statistics,1210

reset dot1x guest-vlan,202

reset dot1x statistics,202

reset gdoi gm,712

reset hwtacacs statistics,145

reset ike sa,649

reset ike statistics,650

reset ikev2 sa,693

reset ikev2 statistics,694

reset ipsec sa,594

reset ipsec statistics,595

reset local-guest waiting-approval,82

reset mac-authentication statistics,219

reset mgre session,1226

reset mgre statistics,1227

reset nhrp statistics,1228

reset object-policy statistics,1033

reset password-control blacklist,453

reset password-control history-record,453

reset portal auth-error-record,405

reset portal auth-fail-record,406

reset portal captive-bypass statistics,408

reset portal local-binding mac-address,408

reset portal logout-record,409

reset portal packet statistics,410

reset portal redirect statistics,411

reset portal safe-redirect statistics,412

reset radius statistics,117

reset session relation-table,969

reset session statistics,970

reset session statistics multicast,970

reset session table,971

reset session table ipv4,972

reset session table ipv6,973

reset session table multicast,974

reset session table multicast ipv4,975

reset session table multicast ipv6,976

reset sslvpn ip-tunnel statistics,851

reset whitelist statistics,1141

resources port-forward,852

resources port-forward-item,853

resources shortcut,854

resources shortcut-list,854

resources url-list,855

retry,117

retry realtime-accounting,118

reverse-route dynamic,596

reverse-route preference,597

reverse-route tag,598

rewrite-rule,856

rmdir,745

root-certificate fingerprint,538

rst-flood action,1141

rst-flood detect,1142

rst-flood detect non-specific,1143

rst-flood threshold,1144

rule,539

rule,856

rule (IPv4 object policy view),1034

rule (IPv6 object policy view),1036

rule append,1038

rule comment,1040

S

sa duration,694

sa duration,650

sa duration,599

sa hex-key authentication,600

sa hex-key encryption,601

sa idle-time,602

sa soft-duration buffer,603

sa soft-duration buffer,651

sa spi,604

sa string-key,605

sa trigger-mode,606

scan detect,1145

scp,745

scp ipv6,748

scp ipv6 suite-b,751

scp server enable,718

scp suite-b,752

search-base-dn,165

search-scope,166

secondary accounting (HWTACACS scheme view),145

secondary accounting (RADIUS scheme view),119

secondary authentication (HWTACACS scheme view),147

secondary authentication (RADIUS scheme view),121

secondary authorization,148

security acl,607

security-zone,1020

send-lifetime utc,460

server address,713

server-detect (portal authentication server view),412

server-detect (portal Web server view),413

server-register,414

server-timeout,166

server-type (MAC binding server view),415

server-type (portal server view/portal Web server view),416

server-verify enable,789

service (service object group view),1020

service enable (SSL VPN context view),858

service enable (SSL VPN gateway view),858

service-port,924

service-type (ISP domain view),51

service-type (local user view),82

session,790

session aging-time application,978

session aging-time state,980

session log { bytes-active | packets-active },981

session log enable,982

session log flow-begin,983

session log flow-end,984

session log time-active,984

session persistent acl,985

session state-machine mode loose,986

session statistics enable,986

session-connections,859

session-time include-idle-time,52

sftp,754

sftp client ipv6 source,757

sftp client source,757

sftp ipv6,758

sftp ipv6 suite-b,761

sftp server enable,719

sftp server idle-timeout,719

sftp suite-b,762

shop-id,417

shortcut,859

shortcut-list,860

shutdown,861

signature,925

signature { large-icmp | large-icmpv6 } max-length,1147

signature detect,1147

signature level action,1150

signature level detect,1151

sms-imc address,861

sms-imc enable,862

snmp-agent trap enable ike,651

snmp-agent trap enable ipsec,608

snmp-agent trap enable port-security,243

snmp-agent trap enable radius,123

source,927

source,540

sponsor-department,84

sponsor-email,84

sponsor-full-name,85

ssh client ipv6 source,764

ssh client source,765

ssh ip alias,720

ssh redirect disconnect,721

ssh redirect enable,722

ssh redirect listen-port,723

ssh redirect timeout,724

ssh server acl,725

ssh server acl-deny-log enable,726

ssh server authentication-retries,726

ssh server authentication-timeout,727

ssh server compatible-ssh1x enable,728

ssh server dscp,728

ssh server enable,729

ssh server ipv6 acl,730

ssh server ipv6 dscp,731

ssh server pki-domain,731

ssh server port,732

ssh server rekey-interval,732

ssh user,733

ssh2,765

ssh2 algorithm cipher,775

ssh2 algorithm key-exchange,777

ssh2 algorithm mac,778

ssh2 algorithm public-key,778

ssh2 ipv6,768

ssh2 ipv6 suite-b,771

ssh2 suite-b,773

ssl client-policy,790

ssl client-policy,863

ssl renegotiation disable,791

ssl server-policy,792

ssl server-policy,863

ssl version disable,792

sslvpn context,864

sslvpn gateway,865

sslvpn ip address-pool,866

sslvpn log enable,866

state,541

state (ISP domain view),53

state (local user view),85

state primary,124

state secondary,125

subject-dn,542

subscribe-required enable,417

syn-ack-flood action,1152

syn-ack-flood detect,1153

syn-ack-flood detect non-specific,1154

syn-ack-flood threshold,1155

syn-flood action,1155

syn-flood detect,1156

syn-flood detect non-specific,1157

syn-flood threshold,1158

T

tcp syn-check,889

tcp-port,418

tfc enable,609

threshold-learn apply,1159

threshold-learn auto-apply enable,1159

threshold-learn duration,1160

threshold-learn enable,1161

threshold-learn interval,1162

threshold-learn mode,1162

threshold-learn tolerance-value,1163

timeout idle,867

timer quiet (HWTACACS scheme view),150

timer quiet (RADIUS scheme view),126

timer realtime-accounting (HWTACACS scheme view),150

timer realtime-accounting (RADIUS scheme view),126

timer response-timeout (HWTACACS scheme view),151

timer response-timeout (RADIUS scheme view),127

title,868

transform-set,610

tunnel protection ipsec,611

U

udp-flood action,1164

udp-flood detect,1165

udp-flood detect non-specific,1166

udp-flood threshold,1166

update schedule,928

uri-acl,868

url,419

url (file policy view),869

url (URL list view),870

url-list,871

url-parameter,420

usage,543

user-address-type,54

user-agent,422

user-group,86

user-name-format (HWTACACS scheme view),152

user-name-format (RADIUS scheme view),128

user-parameters,167

user-password modify enable,423

user-profile,434

user-sync,423

V

validity-datetime,87

verify-code,872

version,793

version,424

version disable,794

vpn-instance,425

vpn-instance,543

vpn-instance (HWTACACS scheme view),153

vpn-instance (RADIUS scheme view),129

vpn-instance (SSL VPN context view),872

vpn-instance (SSL VPN gateway view),873

W

web-redirect track,425

web-redirect url,426

whitelist enable,1167

whitelist global enable,1168

whitelist object-group,1168


 
