- 16-Security Command Reference
ASPF commands
aspf apply policy
Use aspf apply policy to apply an ASPF policy to an interface.
Use undo aspf apply policy to remove an ASPF policy application from an interface.
Syntax
aspf apply policy aspf-policy-number { inbound | outbound }
undo aspf apply policy aspf-policy-number { inbound | outbound }
Default
No ASPF policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
aspf-policy-number: Specifies an ASPF policy number. The value range for this argument is 1 to 256.
inbound: Applies the ASPF policy to incoming packets.
outbound: Applies the ASPF policy to outgoing packets.
Usage guidelines
To inspect the traffic through an interface, you must apply a configured ASPF policy to that interface.
Make sure the connection initiation packet and its response packet pass through the same interface, because ASPF stores and maintains application layer protocol state per interface.
You can apply an ASPF policy to both the inbound and outbound directions of an interface.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply ASPF policy 1 to the outbound direction of VLAN-interface 100.
<Sysname> system-view
[Sysname] interface vlan-interface 100
[Sysname-Vlan-interface100] aspf apply policy 1 outbound
Related commands
aspf policy
display aspf all
display aspf interface
aspf log sending-realtime enable
Use aspf log sending-realtime enable to enable real-time log sending mode.
Use undo aspf log sending-realtime enable to disable real-time log sending mode.
Syntax
aspf log sending-realtime enable
undo aspf log sending-realtime enable
Default
Real-time log sending mode is disabled. Logs are cached before they are sent.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Real-time log sending mode takes effect only on logs sent by the security policy, object policy, and packet filtering features.
The device supports the following log sending modes:
· Cache log sending mode—When the first packet of a flow matches a policy, the device generates a log and caches it and starts a five-minute timer at the same time. If the log matches traffic within five minutes, the device sends the log when the timer expires. If the log does not match any traffic within five minutes, the device deletes the log. The device stops generating logs if the number of cached logs reaches the upper limit.
· Real-time log sending mode—When the first packet of a flow matches a policy, the device sends a log immediately. For a policy that permits specific packets, the device sends only one log for a flow that matches the policy. For a policy that denies specific packets, the device sends a log for each packet of a flow that matches the policy. The number of logs is not limited.
For more information about logging configuration of the security policy, object policy, and packet filtering features, see Security Configuration Guide and ACL and QoS Configuration Guide.
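The two log sending modes above, as an added illustration (not code from this reference or the device): a small Python model that counts how many logs a constructed trace of policy matches produces under each mode. The trace and the cache upper limit value are assumptions.

```python
CACHE_TIMER = 300  # the five-minute cache timer from the usage guidelines, in seconds

def count_logs(events, realtime, cache_limit=1000):
    """Return (logs_sent, logs_deleted) for one trace of policy matches.

    events: constructed list of (time_s, flow_id, action) tuples in time order,
    where action is "permit" or "deny" as decided by the matching policy.
    cache_limit models the upper limit on cached logs (the value is assumed).
    """
    sent = deleted = 0
    if realtime:
        logged_flows = set()
        for _, flow, action in events:
            if action == "deny":
                sent += 1                   # deny policy: one log per matching packet
            elif flow not in logged_flows:
                logged_flows.add(flow)      # permit policy: one log per matching flow
                sent += 1
        return sent, deleted

    cache = {}                              # flow_id -> [timer_start, later_hits]

    def expire(now):
        nonlocal sent, deleted
        for flow, (start, hits) in list(cache.items()):
            if now - start >= CACHE_TIMER:
                if hits:
                    sent += 1               # more traffic matched: send when timer expires
                else:
                    deleted += 1            # nothing else matched: delete the log
                del cache[flow]

    for now, flow, _ in events:
        expire(now)
        if flow in cache:
            cache[flow][1] += 1
        elif len(cache) < cache_limit:
            cache[flow] = [now, 0]          # first packet of the flow: cache a log, start timer
        # at the cache limit the device generates no new log at all
    last = events[-1][0] if events else 0
    expire(last + CACHE_TIMER)              # let every remaining timer run out
    return sent, deleted

# Constructed trace: flow A (permit, 3 packets), flow B (deny, 3 packets),
# flow C (permit, one packet that never recurs).
TRACE = [(0, "A", "permit"), (5, "B", "deny"), (6, "B", "deny"), (7, "B", "deny"),
         (10, "A", "permit"), (20, "A", "permit"), (50, "C", "permit")]
```

Running the trace through both modes shows the difference in log volume that matters when sizing a log collector: the deny flow alone produces three logs in real-time mode but one in cache mode, and the single-packet flow C produces a log only in real-time mode.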
Examples
# Enable real-time log sending mode.
<Sysname> system-view
[Sysname] aspf log sending-realtime enable
aspf policy
Use aspf policy to create an ASPF policy and enter its view, or enter the view of an existing ASPF policy.
Use undo aspf policy to remove an ASPF policy.
Syntax
aspf policy aspf-policy-number
undo aspf policy aspf-policy-number
Default
No ASPF policies exist.
Views
System view
Predefined user roles
network-admin
Parameters
aspf-policy-number: Assigns a number to the ASPF policy. The value range for this argument is 1 to 256.
Examples
# Create ASPF policy 1 and enter its view.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1]
Related commands
display aspf all
display aspf policy
detect
Use detect to configure ASPF inspection for an application layer protocol.
Use undo detect to restore the default.
Syntax
detect { { ftp | h323 | sccp | sip } | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }
undo detect { ftp | gtp | h323 | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | sqlnet | tftp | xdmcp }
Default
By default, ASPF inspects only transport layer protocols and the application layer protocol FTP.
Views
ASPF policy view
Predefined user roles
network-admin
Parameters
ftp: Specifies FTP, an application layer protocol.
gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.
h323: Specifies the H.323 protocol stack, a set of application layer protocols.
ils: Specifies Internet Locator Service (ILS), an application layer protocol.
mgcp: Specifies Media Gateway Control Protocol (MGCP), an application layer protocol.
nbt: Specifies NetBIOS over TCP/IP (NBT), an application layer protocol.
pptp: Specifies Point-to-Point Tunneling Protocol (PPTP), an application layer protocol.
rsh: Specifies Remote Shell (RSH), an application layer protocol.
rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.
sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.
sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.
sqlnet: Specifies SQLNET, an application layer protocol.
tftp: Specifies TFTP, an application layer protocol.
xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.
Usage guidelines
This command configures ASPF inspection for application layer protocols. Repeat the detect command to configure ASPF inspection for multiple application protocols.
The application protocols supported by this command (except TFTP) are multichannel protocols, and this command is required to ensure that their data connections can be established successfully.
ASPF inspection for transport layer protocols is always enabled and is not configurable. The supported transport layer protocols include TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP.
Examples
# Configure ASPF inspection for FTP packets.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect ftp
Related commands
display aspf policy
display aspf all
Use display aspf all to display the configuration of all ASPF policies and their applications.
Syntax
display aspf all
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of all ASPF policies and their applications.
<Sysname> display aspf all
ASPF policy configuration:
Policy default:
ICMP error message check: Disabled
Inspected protocol
FTP
Policy number: 1
ICMP error message check: Disabled
TCP SYN packet check: Disabled
Inspected protocol
FTP
Interface configuration:
GigabitEthernet1/0/1
Inbound policy : 1
Outbound policy: none
Table 1 Command output
Field | Description |
---|---|
Policy default | Predefined ASPF policy. |
ICMP error message check | Whether ICMP error message check is enabled. |
TCP SYN packet check | Whether TCP SYN check is enabled. |
Inspected protocol | Protocols to be inspected by ASPF. |
Interface configuration | Interfaces where ASPF policy is applied. |
Inbound policy | Inbound ASPF policy number. |
Outbound policy | Outbound ASPF policy number. |
Related commands
aspf apply policy
aspf policy
display aspf policy
display aspf interface
Use display aspf interface to display ASPF policy application on interfaces.
Syntax
display aspf interface
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display ASPF policy application on interfaces.
<Sysname> display aspf interface
Interface configuration:
Vlan-interface 100
Inbound policy : 1
Outbound policy: none
Table 2 Command output
Field | Description |
---|---|
Interface configuration | Interfaces where ASPF policy is applied. |
Inbound policy | Inbound ASPF policy number. |
Outbound policy | Outbound ASPF policy number. |
Related commands
aspf apply policy
aspf policy
display aspf policy
Use display aspf policy to display the configuration of an ASPF policy.
Syntax
display aspf policy { aspf-policy-number | default }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
aspf-policy-number: Specifies the number of an ASPF policy. The value range for this argument is 1 to 256.
default: Specifies the predefined ASPF policy.
Examples
# Display the configuration of ASPF policy 1.
<Sysname> display aspf policy 1
ASPF policy configuration:
Policy number: 1
ICMP error message check: Disabled
TCP SYN packet check: Enabled
Table 3 Command output
Field | Description |
---|---|
ICMP error message check | Whether ICMP error message check is enabled. |
TCP SYN packet check | Whether TCP SYN check is enabled. |
Inspected protocol | Protocols to be inspected by ASPF. |
Related commands
aspf policy
display aspf session
Use display aspf session to display ASPF sessions.
Syntax
display aspf session [ ipv4 | ipv6 ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv4: Displays IPv4 ASPF sessions.
ipv6: Displays IPv6 ASPF sessions.
verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays the brief information about ASPF sessions.
Usage guidelines
If you do not specify the ipv4 keyword or the ipv6 keyword, this command displays all ASPF sessions on the device.
Examples
# Display brief information about IPv4 ASPF sessions.
<Sysname> display aspf session ipv4
Slot 0:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: Vlan-interface 100
Initiator:
Source IP/port: 192.168.1.18/1792
Destination IP/port: 192.168.1.55/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Vlan-interface 100
Total sessions found: 2
# Display detailed information about IPv4 ASPF sessions.
<Sysname> display aspf session ipv4 verbose
Slot 0:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: Vlan-interface 100
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.18/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: Vlan-interface 101
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Initiator:
Source IP/port: 192.168.1.18/1792
Destination IP/port: 192.168.1.55/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Vlan-interface 100
Responder:
Source IP/port: 192.168.1.55/1792
Destination IP/port: 192.168.1.18/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: Vlan-interface 101
State: ICMP_REQUEST
Application: OTHER
Start time: 2011-07-29 19:12:33 TTL: 55s
Initiator->Responder: 1 packets 60 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 2
Table 4 Command output
Field | Description |
---|---|
Initiator | Session information from initiator to responder. |
Responder | Session information from responder to initiator. |
Source IP/port | Source IP address and port number. |
Destination IP/port | Destination IP address and port number. |
DS-Lite tunnel peer | IP address of the DS-Lite tunnel peer. If the session is not tunneled by DS-Lite, this field displays a hyphen (-). |
VPN instance/VLAN ID/Inline ID | VPN instance: MPLS L3VPN instance where the session is initiated. VLAN ID: VLAN to which the session belongs during Layer 2 forwarding. Inline ID: Inline to which the session belongs during Layer 2 forwarding. If no MPLS L3VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for each field. |
Protocol | Transport layer protocol, including DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, and UDP-Lite. The number in parentheses is the protocol number. |
State | Protocol status of the session. |
Application | Application layer protocol, including FTP and DNS. If it is an unknown protocol identified by an unknown port, this field displays OTHER. |
Start time | Establishment time of the session. |
TTL | Remaining lifetime of the session, in seconds. |
Initiator->Responder | Number of packets and bytes from initiator to responder. |
Responder->Initiator | Number of packets and bytes from responder to initiator. |
Related commands
reset aspf session
icmp-error drop
Use icmp-error drop to enable ICMP error message dropping.
Use undo icmp-error drop to disable ICMP error message dropping.
Syntax
icmp-error drop
undo icmp-error drop
Default
ICMP error message dropping is disabled.
Views
ASPF policy view
Predefined user roles
network-admin
Usage guidelines
An ICMP error message carries information about the connection it refers to. ICMP error message dropping verifies that information against the connection ASPF is tracking. If the information does not match the connection, ASPF drops the message.
Examples
# Enable ICMP error message dropping for ASPF policy 1.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] icmp-error drop
Related commands
aspf policy
display aspf policy
reset aspf session
Use reset aspf session to clear ASPF session statistics.
Syntax
reset aspf session [ ipv4 | ipv6 ]
Views
User view
Predefined user roles
network-admin
Parameters
ipv4: Clears IPv4 ASPF session statistics.
ipv6: Clears IPv6 ASPF session statistics.
Usage guidelines
If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all ASPF session statistics.
Examples
# Clear all ASPF session statistics.
<Sysname> reset aspf session
Related commands
display aspf session
tcp syn-check
Use tcp syn-check to enable TCP SYN check.
Use undo tcp syn-check to disable TCP SYN check.
Syntax
tcp syn-check
undo tcp syn-check
Default
TCP SYN check is disabled.
Views
ASPF policy view
Predefined user roles
network-admin
Usage guidelines
TCP SYN check examines whether the first packet of a TCP connection is a SYN packet. If the first packet is not a SYN packet, ASPF drops it.
When a router attached to the network starts up, the first packet it receives for an existing TCP connection can be a non-SYN packet. If you do not want to interrupt the existing TCP connection, you can disable TCP SYN check. The router then allows a non-SYN packet to pass as the first packet of a TCP connection. After the network topology becomes stable, you can enable TCP SYN check again.
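The TCP SYN check described here and the ICMP error message check from the icmp-error drop command, as one added Python model (a constructed illustration, not code from this reference or the device). The FiveTuple and AspfPolicy classes, and the 5-tuple values in the comments, are assumptions; the session table is a plain set rather than the device's stateful session structure.

```python
from dataclasses import dataclass

SYN = 0x02  # TCP SYN flag bit

@dataclass(frozen=True)
class FiveTuple:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def reverse(self):
        """5-tuple of the responder-to-initiator direction."""
        return FiveTuple(self.dst, self.dport, self.src, self.sport, self.proto)

class AspfPolicy:
    """Toy model of one ASPF policy's tcp syn-check and icmp-error drop
    behaviour (constructed illustration, not device code)."""

    def __init__(self, syn_check=False, icmp_error_drop=False):
        self.syn_check = syn_check
        self.icmp_error_drop = icmp_error_drop
        self.sessions = set()            # tracked sessions, keyed by initiator 5-tuple

    def known(self, key):
        """True if the packet belongs to a tracked session in either direction."""
        return key in self.sessions or key.reverse() in self.sessions

    def tcp_packet(self, key, flags):
        """Return 'permit' or 'drop' for a TCP packet carrying these flags."""
        if self.known(key):
            return "permit"              # later packet of a tracked connection
        if self.syn_check and not flags & SYN:
            return "drop"                # first packet of a new connection must be a SYN
        self.sessions.add(key)           # with the check off, a non-SYN first packet
        return "permit"                  # (e.g. after a router restart) creates the session

    def icmp_error(self, embedded):
        """Verdict for an ICMP error whose payload quotes the 5-tuple `embedded`."""
        if self.icmp_error_drop and not self.known(embedded):
            return "drop"                # quoted connection info matches no tracked session
        return "permit"
```

With both checks enabled, a mid-stream ACK for an unknown connection and an ICMP error quoting an unknown connection are both dropped, while the same ACK is accepted and creates a session once TCP SYN check is disabled, which is exactly the trade-off the usage guidelines describe for the startup window.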
Examples
# Enable TCP SYN check for ASPF policy 1.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] tcp syn-check
Related commands
aspf policy