12-Security Command Reference
Trust level commands
bind ssl-server-policy
Use bind ssl-server-policy to bind an SSL policy for a server.
Use undo bind ssl-server-policy to unbind an SSL policy for a server.
Syntax
bind ssl-server-policy ssl-server-policy-name
undo bind ssl-server-policy
Default
No SSL policies for a server are bound.
Views
Trust-level-server view
Predefined user roles
network-admin
Parameters
ssl-server-policy-name: Specifies an SSL server policy by its name, a string of 1 to 31 case-insensitive characters.
Usage guidelines
With this command configured, when the trust level client initiates a connection request, the trust level server uses the SSL parameters specified by an SSL server policy to establish a connection, so as to enhance the connection security. For more information about SSL, see "Configuring SSL."
Before configuring this command, create an SSL server policy. Otherwise, the configuration fails.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Bind SSL server policy ssl-p1 to the trust level server.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server] bind ssl-server-policy ssl-p1
Related commands
ssl server-policy
boundary
Use boundary to specify boundary points to extract the packet security levels.
Use undo boundary to restore the default.
Syntax
boundary origin-point k0 level-point k1 k2 k3 k4 k5 k6 k7
undo boundary
Default
No boundary points for extracting the packet security levels are configured.
Views
Trust-level view
Predefined user roles
network-admin
Parameters
origin-point k0: Specifies the origin boundary point.
level-point k1 k2 k3 k4 k5 k6 k7: Specifies boundary points 1 through 7. You must enter all seven boundary points in one command, separated by spaces. The seven points can be entered in any order.
Usage guidelines
This command can be configured only on a trust level server and takes effect on the clients: after you configure it on the server, the server deploys the boundary points to the clients.
The boundary points are used to determine the security level of a packet. The security level is an attribute carried in a packet that identifies the security status of the packet. Packets are classified into eight security levels, 0 through 7, in ascending order. The larger the value, the better the security status.
· When a terminal generates a packet, it uses 3 bits in the last 64 bits of the source IPv6 address to carry the security level of the packet. The terminal converts the source IPv6 address with a conversion algorithm before sending the packet to the edge device.
· After receiving the packet, the edge device compares the source IPv6 address with the configured boundary points and assigns the security level indicated by the comparison result. The edge device then maps the security level to a trust level, and the routing module selects a path according to the trust level to forward the packet.
The boundary points use the IPv6 address format. For how the boundary points are generated, see the configuration guide.
Examples
# Specify boundary points for extracting the security levels of packets. (Because the conversion algorithm on the client is not known, the values shown for k0 and for k1 through k7 are only an example.)
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server] quit
[Sysname-trust-level] boundary origin-point ::8000:0:0:0 level-point ::2000:0:0:0 ::4000:0:0:0 ::6000:0:0:0 :: ::A000:0:0:0 ::C000:0:0:0 ::E000:0:0:0
Related commands
server enable
trust-level
client enable
Use client enable to enable the trust level client feature and enter trust-level-client view.
Use undo client enable to disable the trust level client feature.
Syntax
client enable
undo client enable
Default
The trust level client feature is disabled.
Views
Trust-level view
Predefined user roles
network-admin
Usage guidelines
With this command configured, a device acts as a trust level client and applies the configurations deployed by a trust level server.
Examples
# Enable the trust level client feature and enter trust-level-client view.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] client enable
[Sysname-trust-level-client]
flex-algo
Use flex-algo to bind a flexible algorithm to a security level.
Use undo flex-algo to restore the default.
Syntax
flex-algo algorithm-id
undo flex-algo
Default
No flexible algorithm is bound to a security level.
Views
Packet security level view
Predefined user roles
network-admin
Parameters
algorithm-id: Specifies a flexible algorithm identifier, in the range of 128 to 255.
Usage guidelines
With this command configured, after receiving the packets with specified security levels, a device uses the routing topologies calculated by the flexible algorithms bound to the security levels for packet forwarding.
The flexible algorithms configured by this command must be contained in the flexible algorithms configured in IS-IS view. Otherwise, the trust level function cannot forward the packets according to the expected paths. For more information about flexible algorithms, see IS-IS configuration in Layer 3—IP Routing Configuration Guide.
Examples
# Bind flexible algorithm 128 to security level 5.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server] quit
[Sysname-trust-level] security-level 5
[Sysname-trust-level-sec-5] flex-algo 128
Related commands
trust-level
isis-system-id
Use isis-system-id to specify an IS-IS System ID contained in a trust level policy.
Use undo isis-system-id to restore the default.
Syntax
isis-system-id system-id
undo isis-system-id
Default
No IS-IS System ID is specified in a trust level policy.
Views
Trust-level-policy view
Predefined user roles
network-admin
Parameters
system-id: Specifies the IS-IS System ID of a device participating in trusted forwarding in a trust network, in the format xxxx.xxxx.xxxx (for example, 1680.1000.1001).
Usage guidelines
An IS-IS System ID uniquely identifies a device in IS-IS. The System ID is the 6-byte field of the network entity title (NET) that you configure with the network-entity command. For more information, see IS-IS commands in Layer 3—IP Routing Command Reference.
If you execute this command multiple times in the same view, the most recent configuration takes effect.
Examples
# Specify IS-IS System ID 1680.1000.1001 contained in trust level policy a.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server] quit
[Sysname-trust-level] policy a
[Sysname-trust-level-policy-a] isis-system-id 1680.1000.1001
Related commands
network-entity (Layer 3—IP Routing Command Reference)
policy
Use policy to create a trust level policy and enter trust-level-policy view, or enter trust-level-policy view if a trust level policy exists.
Use undo policy to delete a trust level policy.
Syntax
policy policy-name
undo policy policy-name
Default
No trust level policies exist.
Views
Trust-level view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a trust level policy by its name, a string of 1 to 31 case-insensitive characters.
Usage guidelines
This command can only be configured on a server.
A trust level policy binds a network transmission device (identified by its IS-IS System ID) to its trust level. On the server, configure one trust level policy for each network transmission device that participates in forwarding in the trust network; you can create multiple policies. The server deploys all configured trust level policies to all clients, so every device participating in trusted forwarding holds a table of the IS-IS System IDs and trust levels of all network transmission devices. This table is used to calculate the forwarding topologies.
Examples
# Create trust level policy A and enter trust-level-policy view.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server] quit
[Sysname-trust-level] policy A
[Sysname-trust-level-policy-a]
Related commands
isis-system-id
trust level
port trust-level enable
Use port trust-level enable to enable the trust level feature on an interface.
Use undo port trust-level enable to disable the trust level feature on an interface.
Syntax
port trust-level enable
undo port trust-level enable
Default
The trust level feature on an interface is disabled.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
Predefined user roles
network-admin
Usage guidelines
To enable this command on a Layer 3 Ethernet or aggregate subinterface, make sure common Dot1q termination or common QinQ termination is enabled on the subinterface (by using the vlan-type dot1q vid or vlan-type dot1q vid second-dot1q command). For more information about VLAN termination commands, see Layer 2—LAN Switching Command Reference.
This command can only be configured on the interfaces of an edge device connected to the trusted terminals.
With the trust level feature on the interfaces enabled, the edge device can extract the security levels of the received packets according to the boundary point configuration for trusted forwarding.
Do not configure this feature on non-edge devices. The packets received by non-edge devices can be forwarded normally according to the routes.
Examples
# Enable the trust level feature on Ten-GigabitEthernet3/0/1.
<Sysname> system-view
[Sysname] interface ten-gigabitethernet 3/0/1
[Sysname-Ten-GigabitEthernet3/0/1] port trust-level enable
security-level
Use security-level to create a packet security level view and enter it, or enter the view if it already exists.
Use undo security-level to delete a packet security level view and all configurations in the view.
Syntax
security-level sec-level
undo security-level sec-level
Views
Trust-level view
Predefined user roles
network-admin
Parameters
sec-level: Specifies a packet security level, in the range of 0 to 7. The larger the value, the higher the security level and the trustworthiness.
Usage guidelines
The packet security level view can be used to configure the following parameters for forwarding packets with specified security levels:
· Flexible algorithm—A flexible algorithm determines the routing topology for trusted forwarding of the packets with a specific security level.
· Service class—A service class determines an SRv6 TE policy for trusted forwarding of the packets with a specific security level.
For the security-level command to take effect, you must first use the server enable command to enable the trust level server feature.
Examples
# Enter packet security level view 7.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server] quit
[Sysname-trust-level] security-level 7
[Sysname-trust-level-sec-7]
Related commands
flex-algo
server enable
service-class
server enable
Use server enable to enable the trust level server feature and enter trust-level-server view.
Use undo server enable to disable the trust level server feature.
Syntax
server enable
undo server enable
Default
The trust level server feature is disabled.
Views
Trust-level view
Predefined user roles
network-admin
Usage guidelines
A trust level server and its clients work as follows:
1. The user configures the trust level parameters on the server.
2. A client automatically establishes an SSL connection to the server after the server address is specified on the client (see the server ipv6-address command).
3. The server automatically deploys the trust level configuration to the client over the SSL connection.
Examples
# Enable the trust level server feature and enter trust-level-server view.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server]
Related commands
bind ssl-server-policy
server ipv6-address
Use server ipv6-address to configure the parameters of a trust level server.
Use undo server ipv6-address to restore the default.
Syntax
server ipv6-address ipv6-address ssl-client-policy policy-name
undo server ipv6-address
Default
No parameters of a trust level server are configured.
Views
Trust-level-client view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies the IPv6 address of a trust level server.
ssl-client-policy policy-name: Specifies an SSL client policy by its name, a string of 1 to 31 case-insensitive characters.
Usage guidelines
Use this command to configure the parameters of a trust level server on a trust level client, so as to establish SSL connection to the server.
Examples
# Specify IPv6 address 2000::1 and SSL client policy test of a trust level server on a client.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] client enable
[Sysname-trust-level-client] server ipv6-address 2000::1 ssl-client-policy test
Related commands
ssl client-policy
service-class
Use service-class to bind a service class for an SRv6 TE policy to a security level.
Use undo service-class to restore the default.
Syntax
service-class service-class-value
undo service-class
Default
No service class for an SRv6 TE policy is bound to a security level.
Views
Packet security level view
Predefined user roles
network-admin
Parameters
service-class-value: Specifies a service class value. The value range for this argument is 1 to 15. The smaller the service class value, the lower the SRv6 TE policy priority. An SRv6 TE policy that is not assigned a service class value has the lowest priority.
Usage guidelines
With this command configured, when a device receives the packets with specified security levels, it selects a matching SRv6 TE policy tunnel according to the bound service classes for packet forwarding. For more information about SRv6 TE Policy, see Segment Routing Configuration Guide.
Examples
# Bind service class 5 for an SRv6 TE policy to security level 7.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server] quit
[Sysname-trust-level] security-level 7
[Sysname-trust-level-sec-7] service-class 5
trust level
Use trust level to specify the trust level of a device.
Use undo trust level to restore the default.
Syntax
trust level trust-level
undo trust level
Default
The trust level of a device is not configured.
Views
Trust-level-policy view
Predefined user roles
network-admin
Parameters
trust-level: Specifies the trust level of a network transmission device. The value range for this argument is 0 to 7. The larger the value, the higher the trustworthiness and the reliability.
Usage guidelines
An IS-IS System ID uniquely identifies a device participating in trusted forwarding. The trust level command specifies the trust level of the device to which the IS-IS System ID belongs. The IS-IS System ID and the trust level configuration are both contained in a trust level policy.
Trust level is an attribute of the network transmission devices in a trust network to identify device trustworthiness. Network transmission devices are classified into eight trust levels from 0 through 7 in ascending order, corresponding to eight packet security levels. The larger the value, the higher the security level and the trustworthiness.
A network transmission device forwards packets with a security level that is lower than or equal to its trust level. For example, a network transmission device with a trust level of 5 forwards packets with security levels of 0 to 5, but not packets with security levels of 6 and 7.
If you execute this command multiple times in the same view, the most recent configuration takes effect.
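The following Python model is an added example, not code from this reference or from H3C. It ties together the boundary command (extraction of a packet security level from the source IPv6 address and the boundary points), the flex-algo binding per security level, and the rule above that a network transmission device forwards only packets whose security level is less than or equal to its trust level. What the page does not specify is an assumption and is marked as such in the code: the 3-bit level field is taken to be the top 3 bits of the interface identifier, and a packet is taken to match boundary point k_i when those 3 bits equal those of k_i, with k0 (the origin point) as level 0; the terminal's conversion algorithm is not modeled. The boundary line is the one from the boundary command example; the policy table, flex-algo bindings, System IDs and packet addresses are constructed sample data.

```python
"""Model of trust-level classification and forwarding (added example; see lead-in)."""
import ipaddress

LEVELS = range(8)                   # packet security levels and device trust levels: 0..7
FLEX_ALGO_RANGE = range(128, 256)   # algorithm-id range of the flex-algo command


def iid_top3(addr: str) -> int:
    """Top 3 bits of the low 64 bits (interface ID) of an IPv6 address.
    ASSUMPTION: this is where the terminal carries the 3-bit level field."""
    value = int(ipaddress.IPv6Address(addr))
    return (value >> 61) & 0x7


def parse_boundary(cmd: str) -> dict:
    """Parse 'boundary origin-point k0 level-point k1 ... k7' into a lookup
    {3-bit field value: security level}; k0 is level 0, k1..k7 are levels 1..7
    (ASSUMPTION: a packet matches k_i when its field equals that of k_i).
    Rejects a wrong point count and two points sharing a field value, which
    would make the extracted level ambiguous."""
    tok = cmd.split()
    if len(tok) != 11 or tok[0:2] != ["boundary", "origin-point"] or tok[3] != "level-point":
        raise ValueError("expected: boundary origin-point k0 level-point k1 k2 k3 k4 k5 k6 k7")
    points = [tok[2]] + tok[4:]
    table = {}
    for level, point in enumerate(points):
        field = iid_top3(point)
        if field in table:
            raise ValueError(f"points for levels {table[field]} and {level} share field {field:03b}")
        table[field] = level
    return table


def security_level(src_ipv6: str, table: dict) -> int:
    """Security level an edge interface with port trust-level enable extracts
    from the source address of a received packet."""
    return table[iid_top3(src_ipv6)]


def can_forward(device_trust_level: int, sec_level: int) -> bool:
    """Page rule: a device forwards a packet only if its trust level is
    greater than or equal to the packet's security level."""
    return sec_level in LEVELS and device_trust_level in LEVELS and device_trust_level >= sec_level


def path_allowed(path: list, trust_table: dict, sec_level: int) -> bool:
    """True if every hop (IS-IS System ID) on the path may forward the packet.
    trust_table mirrors the table the server deploys: {system-id: trust level}."""
    return all(can_forward(trust_table[sid], sec_level) for sid in path)


def topology_for(sec_level: int, flex_bindings: dict, isis_flex_algos: set):
    """Flexible algorithm bound to the level with the flex-algo command, or None
    when nothing is bound. Enforces the page's constraints: algorithm-id must be
    in 128..255 and must also be configured in IS-IS view."""
    algo = flex_bindings.get(sec_level)
    if algo is None:
        return None
    if algo not in FLEX_ALGO_RANGE:
        raise ValueError(f"flex-algo {algo} is outside 128-255")
    if algo not in isis_flex_algos:
        raise ValueError(f"flex-algo {algo} is not configured in IS-IS view")
    return algo


# Constructed sample data (not from the page, except the boundary line, which is
# the reference's own example): server-side policy table and flex-algo bindings.
BOUNDARY_CMD = ("boundary origin-point ::8000:0:0:0 level-point ::2000:0:0:0 "
                "::4000:0:0:0 ::6000:0:0:0 :: ::A000:0:0:0 ::C000:0:0:0 ::E000:0:0:0")
TRUST_TABLE = {"1680.1000.1001": 7, "1680.1000.1002": 5, "1680.1000.1003": 3}
FLEX_BINDINGS = {5: 128, 7: 129}
ISIS_FLEX_ALGOS = {128, 129}


def classify_and_route(src_ipv6: str, path: list) -> dict:
    """Run the whole pipeline for one packet and one candidate path."""
    table = parse_boundary(BOUNDARY_CMD)
    level = security_level(src_ipv6, table)
    return {
        "level": level,
        "flex_algo": topology_for(level, FLEX_BINDINGS, ISIS_FLEX_ALGOS),
        "path_allowed": path_allowed(path, TRUST_TABLE, level),
    }


if __name__ == "__main__":
    hops = ["1680.1000.1001", "1680.1000.1002"]
    print(classify_and_route("2001:db8::a000:1:2:3", hops))  # level 5: both hops may forward
    print(classify_and_route("2001:db8::e000:1:2:3", hops))  # level 7: hop with trust 5 blocks it
```

The duplicate-field check in parse_boundary is the check worth keeping in operations: the boundary command accepts any eight IPv6 addresses, and two points that agree in the level field would leave the edge device unable to tell two levels apart. A packet whose level exceeds the trust level of any hop fails path_allowed, which is the condition the trust level policy table exists to enforce.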
Examples
# Specify trust level 7 in trust level policy a.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level] server enable
[Sysname-trust-level-server] quit
[Sysname-trust-level] policy a
[Sysname-trust-level-policy-a] trust level 7
trust-level
Use trust-level to enable the trust level feature and enter trust-level view, or enter trust-level view if the trust level feature is enabled.
Use undo trust-level to disable the trust level feature.
Syntax
trust-level
undo trust-level
Default
The trust level feature is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
CAUTION: If you disable the trust level feature, all configurations in trust-level view are restored to the default.
The trust level feature provides differential forwarding for packets with different security levels. In this way, packets with a specified security level can only be forwarded through the devices with trust levels greater than or equal to the specified security level.
Examples
# Enable the trust level feature and enter trust-level view.
<Sysname> system-view
[Sysname] trust-level
[Sysname-trust-level]
# Disable the trust level feature.
<Sysname> system-view
[Sysname] undo trust-level
Disabling trust level will restore the default settings in trust-level view. Continue? [Y/N]: Y
[Sysname]