Security Command Reference
ASPF commands
aspf apply policy
Use aspf apply policy to apply an ASPF policy to an interface.
Use undo aspf apply policy to remove an ASPF policy application from an interface.
Syntax
aspf apply policy aspf-policy-number { inbound | outbound }
undo aspf apply policy aspf-policy-number { inbound | outbound }
Default
No ASPF policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
aspf-policy-number: Specifies an ASPF policy number. The value range for this argument varies by device model.
inbound: Applies the ASPF policy to incoming packets.
outbound: Applies the ASPF policy to outgoing packets.
Usage guidelines
To inspect the traffic through an interface, you must apply a configured ASPF policy to that interface.
Make sure a connection initiation packet and its response packet pass through the same interface, because ASPF stores and maintains application layer protocol status per interface.
You can apply an ASPF policy to both the inbound and outbound directions of an interface.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply ASPF policy 1 to the outbound direction of GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] aspf apply policy 1 outbound
Related commands
aspf policy
display aspf all
display aspf interface
aspf policy
Use aspf policy to create an ASPF policy and enter its view, or enter the view of an existing ASPF policy.
Use undo aspf policy to remove an ASPF policy.
Syntax
aspf policy aspf-policy-number
undo aspf policy aspf-policy-number
Default
No ASPF policies exist.
Views
System view
Predefined user roles
network-admin
Parameters
aspf-policy-number: Assigns a number to the ASPF policy. The value range for this argument varies by device model.
Examples
# Create ASPF policy 1 and enter its view.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1]
Related commands
display aspf all
display aspf policy
detect
Use detect to configure ASPF inspection for an application layer protocol.
Use undo detect to restore the default.
Syntax
detect { dns [ action { drop | logging } * ] | { ftp | h323 | http | sccp | sip | smtp } [ action drop ] | gtp | ils | mgcp | nbt | pptp | rsh | rtsp | sqlnet | tftp | xdmcp }
undo detect { dns | ftp | gtp | h323 | http | ils | mgcp | nbt | pptp | rsh | rtsp | sccp | sip | smtp | sqlnet | tftp | xdmcp }
Default
By default, ASPF inspects transport layer protocols and the FTP application layer protocol only.
Views
ASPF policy view
Predefined user roles
network-admin
Parameters
dns: Specifies DNS, an application layer protocol.
ftp: Specifies FTP, an application layer protocol.
gtp: Specifies GPRS Tunneling Protocol (GTP), an application layer protocol.
h323: Specifies the H.323 protocol stack, a set of application layer protocols.
http: Specifies HTTP, an application layer protocol.
ils: Specifies Internet Locator Service (ILS), an application layer protocol.
mgcp: Specifies Media Gateway Control Protocol (MGCP), an application layer protocol.
nbt: Specifies NetBIOS over TCP/IP (NBT), an application layer protocol.
pptp: Specifies Point-to-Point Tunneling Protocol (PPTP), an application layer protocol.
rsh: Specifies Remote Shell (RSH), an application layer protocol.
rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol.
sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol.
sip: Specifies Session Initiation Protocol (SIP), an application layer protocol.
smtp: Specifies SMTP, an application layer protocol.
sqlnet: Specifies SQLNET, an application layer protocol.
tftp: Specifies TFTP, an application layer protocol.
xdmcp: Specifies X Display Manager Control Protocol (XDMCP), an application layer protocol.
action: Specifies an action on the packets that do not pass the protocol status validity check. If you do not specify an action, ASPF does not perform the protocol status validity check, and it only maintains connection status information.
drop: Drops the packets that do not pass the protocol status validity check.
logging: Generates log messages for packets that do not pass the protocol status validity check.
Usage guidelines
This command is required to ensure successful data connections for multichannel protocols when either of the following conditions exists:
· The ALG feature is disabled in other service modules (such as NAT).
· Other service modules with the ALG feature (such as DPI) are not configured.
This command is optional for multichannel protocols if ALG is enabled in other service modules (such as NAT) or if other service modules with the ALG feature are configured.
Application protocols supported by this command (except HTTP, SMTP, and TFTP) are multichannel protocols.
Repeat the detect command to configure ASPF inspection for multiple application protocols.
ASPF inspection for transport layer protocols is always enabled and is not configurable. The supported transport layer protocols include TCP, UDP, UDP-Lite, SCTP, Raw IP, ICMP, ICMPv6, and DCCP.
This command configures ASPF inspection for application layer protocols. The protocol status validity check is supported only for DNS, FTP, H.323, HTTP, SCCP, SIP, and SMTP. The device handles packets with an invalid protocol status according to the action you specify. To enable the protocol status validity check for an application protocol, you must specify the action keyword.
Examples
# Configure ASPF inspection for FTP packets.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect ftp
# Configure ASPF inspection for DNS packets, drop the packets that fail the protocol status validity check, and generate log messages for them.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] detect dns action drop logging
Related commands
display aspf policy
display aspf all
Use display aspf all to display the configuration of all ASPF policies and their applications.
Syntax
display aspf all
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display the configuration of all ASPF policies and their applications.
<Sysname> display aspf all
ASPF policy configuration:
Policy default:
ICMP error message check: Disabled
Inspected protocol Action
FTP None
Policy number: 1
ICMP error message check: Disabled
TCP SYN packet check: Disabled
Inspected protocol Action
FTP None
Interface configuration:
GigabitEthernet1/0/1
Inbound policy : 1
Outbound policy: none
Table 1 Command output
Field | Description
---|---
Policy default | Predefined ASPF policy.
ICMP error message check | Whether ICMP error message check is enabled.
TCP SYN packet check | Whether TCP SYN check is enabled.
Inspected protocol | Protocols to be inspected by ASPF.
Action | Actions on the detected illegal packets: · Drop—Drops illegal packets. · Log—Generates log messages for illegal packets. · None—Allows illegal packets to pass. If the protocol does not support the action configuration, this field displays a hyphen (-).
Interface configuration | Interfaces where an ASPF policy is applied.
Inbound policy | Inbound ASPF policy number.
Outbound policy | Outbound ASPF policy number.
Related commands
aspf apply policy
aspf policy
display aspf policy
display aspf interface
Use display aspf interface to display ASPF policy application on interfaces.
Syntax
display aspf interface
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display ASPF policy application on interfaces.
<Sysname> display aspf interface
Interface configuration:
GigabitEthernet1/0/1
Inbound policy : 1
Outbound policy: none
Table 2 Command output
Field | Description
---|---
Interface configuration | Interfaces where an ASPF policy is applied.
Inbound policy | Inbound ASPF policy number.
Outbound policy | Outbound ASPF policy number.
Related commands
aspf apply policy
aspf policy
display aspf policy
Use display aspf policy to display the configuration of an ASPF policy.
Syntax
display aspf policy { aspf-policy-number | default }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
aspf-policy-number: Specifies the number of an ASPF policy. The value range for this argument varies by device model.
default: Specifies the predefined ASPF policy.
Examples
# Display the configuration of ASPF policy 1.
<Sysname> display aspf policy 1
ASPF policy configuration:
Policy number: 1
ICMP error message check: Disabled
TCP SYN packet check: Enabled
Inspected protocol Action
FTP Drop
HTTP None
RSH -
Table 3 Command output
Field | Description
---|---
ICMP error message check | Whether ICMP error message check is enabled.
TCP SYN packet check | Whether TCP SYN check is enabled.
Inspected protocol | Protocols to be inspected by ASPF.
Action | Actions on the detected illegal packets: · Drop—Drops illegal packets. · Log—Generates log messages for illegal packets. · None—Allows illegal packets to pass. If the protocol does not support the action configuration, this field displays a hyphen (-).
Related commands
aspf policy
display aspf session
Use display aspf session to display ASPF sessions.
Syntax
display aspf session [ ipv4 | ipv6 ] [ slot slot-number ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv4: Displays IPv4 ASPF sessions.
ipv6: Displays IPv6 ASPF sessions.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ASPF sessions on all cards.
verbose: Displays detailed information about ASPF sessions. If you do not specify this keyword, the command displays the brief information about ASPF sessions.
Usage guidelines
If you do not specify the ipv4 keyword or the ipv6 keyword, this command displays all ASPF sessions on the device.
Examples
# Display brief information about IPv4 ASPF sessions.
<Sysname> display aspf session ipv4
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: SrcZone
Initiator:
Source IP/port: 192.168.1.18/1792
Destination IP/port: 192.168.1.55/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/1
Source security zone: SrcZone
Total sessions found: 2
# Display detailed information about IPv4 ASPF sessions.
<Sysname> display aspf session ipv4 verbose
Slot 1:
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Source security zone: SrcZone
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.18/1877
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
Source security zone: DestZone
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Initiator:
Source IP/port: 192.168.1.18/1792
Destination IP/port: 192.168.1.55/2048
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/1
Source security zone: SrcZone
Responder:
Source IP/port: 192.168.1.55/1792
Destination IP/port: 192.168.1.18/0
DS-Lite tunnel peer: -
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: ICMP(1)
Inbound interface: GigabitEthernet1/0/2
Source security zone: DestZone
State: ICMP_REQUEST
Application: OTHER
Start time: 2011-07-29 19:12:33 TTL: 55s
Initiator->Responder: 1 packets 6048 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 2
Table 4 Command output
Field | Description
---|---
Initiator | Session information from initiator to responder.
Responder | Session information from responder to initiator.
Source IP/port | Source IP address and port number.
Destination IP/port | Destination IP address and port number.
DS-Lite tunnel peer | IP address of the DS-Lite tunnel peer. If the session is not tunneled by DS-Lite, this field displays a hyphen (-).
VPN-instance/VLAN ID/Inline ID | · VPN-instance—MPLS L3VPN instance where the session is initiated. · VLAN ID—VLAN to which the session belongs during Layer 2 forwarding. · Inline ID—Inline to which the session belongs during Layer 2 forwarding. If no MPLS L3VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for each field.
Protocol | Transport layer protocol: DCCP, ICMP, ICMPv6, Raw IP, SCTP, TCP, UDP, or UDP-Lite. The number in parentheses is the IP protocol number.
Source security zone | Security zone to which the inbound interface belongs. If the inbound interface does not belong to any security zone, this field displays a hyphen (-).
State | Protocol status of the session.
Application | Application layer protocol, such as FTP or DNS. If the protocol cannot be identified from the port, this field displays OTHER.
Start time | Establishment time of the session.
TTL | Remaining lifetime of the session, in seconds.
Initiator->Responder | Number of packets and bytes from initiator to responder.
Responder->Initiator | Number of packets and bytes from responder to initiator.
Related commands
reset aspf session
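The verbose session output above is easy to eyeball but awkward to alert on. The parser below is an added example (not part of this reference or of the device software) that turns that output into records and flags TCP sessions still in TCP_SYN_SENT with no responder packets; the sample text is constructed to match the page's format.

```python
import re
# Constructed sample modelled on the verbose output above; not captured from a device.
SAMPLE = """\
Initiator:
Source IP/port: 192.168.1.18/1877
Destination IP/port: 192.168.1.55/22
Protocol: TCP(6)
Responder:
Source IP/port: 192.168.1.55/22
Destination IP/port: 192.168.1.18/1877
State: TCP_SYN_SENT
Start time: 2011-07-29 19:12:36 TTL: 28s
Initiator->Responder: 1 packets 48 bytes
Responder->Initiator: 0 packets 0 bytes
Initiator:
Source IP/port: 192.168.1.18/1792
Destination IP/port: 192.168.1.55/2048
Protocol: ICMP(1)
Responder:
Source IP/port: 192.168.1.55/1792
Destination IP/port: 192.168.1.18/0
State: ICMP_REQUEST
Start time: 2011-07-29 19:12:33 TTL: 55s
Initiator->Responder: 1 packets 6048 bytes
Responder->Initiator: 0 packets 0 bytes
"""
SIDE_KEYS = {"Source IP/port", "Destination IP/port", "Protocol", "Inbound interface", "Source security zone"}
COUNTER = re.compile(r"^(Initiator->Responder|Responder->Initiator):\s*(\d+) packets\s+(\d+) bytes$")
def parse_sessions(text):
    """Parse 'display aspf session verbose' output into one dict per session."""
    sessions, cur, side = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("Initiator:", "Responder:"):      # side header; Initiator opens a session
            side = line[:-1]
            if side == "Initiator":
                sessions.append(cur := {"Initiator": {}, "Responder": {}})
        elif m := COUNTER.match(line):
            cur[m[1]] = {"packets": int(m[2]), "bytes": int(m[3])}
        elif ":" in line:                             # "Slot"/"Total" lines fall through unused
            key, _, val = line.partition(":")
            if key in SIDE_KEYS:
                cur[side][key] = val.strip()
            elif key in ("State", "Application", "Start time"):
                cur[key] = val.strip()
    return sessions

def half_open(sessions):   # SYN seen, nothing back yet: a scan or SYN-flood indicator
    return [s for s in sessions if s.get("State") == "TCP_SYN_SENT"
            and s["Responder->Initiator"]["packets"] == 0]
```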
icmp-error drop
Use icmp-error drop to enable ICMP error message dropping.
Use undo icmp-error drop to disable ICMP error message dropping.
Syntax
icmp-error drop
undo icmp-error drop
Default
ICMP error message dropping is disabled.
Views
ASPF policy view
Predefined user roles
network-admin
Usage guidelines
An ICMP error message carries information about the connection it refers to. When ICMP error message dropping is enabled, ASPF verifies that information and drops the message if it does not match the connection.
Examples
# Enable ICMP error message dropping for ASPF policy 1.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] icmp-error drop
Related commands
aspf policy
display aspf policy
reset aspf session
Use reset aspf session to clear ASPF session statistics.
Syntax
reset aspf session [ ipv4 | ipv6 ] [ slot slot-number ]
Views
User view
Predefined user roles
network-admin
Parameters
ipv4: Clears IPv4 ASPF session statistics.
ipv6: Clears IPv6 ASPF session statistics.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears ASPF session statistics for all cards.
Usage guidelines
If you do not specify the ipv4 keyword or the ipv6 keyword, this command clears all ASPF session statistics.
Examples
# Clear all ASPF session statistics.
<Sysname> reset aspf session
Related commands
display aspf session
tcp syn-check
Use tcp syn-check to enable TCP SYN check.
Use undo tcp syn-check to disable TCP SYN check.
Syntax
tcp syn-check
undo tcp syn-check
Default
TCP SYN check is disabled.
Views
ASPF policy view
Predefined user roles
network-admin
Usage guidelines
TCP SYN check examines whether the first packet of a TCP connection is a SYN packet. If it is not, ASPF drops the packet.
When a router is started up and attached to the network, the first packet it receives for an existing TCP connection can be a non-SYN packet. If you do not want to interrupt such existing connections, you can disable TCP SYN check so that the router allows a non-SYN packet to be the first packet of a TCP connection. After the network topology becomes stable, enable TCP SYN check again.
Examples
# Enable TCP SYN check for ASPF policy 1.
<Sysname> system-view
[Sysname] aspf policy 1
[Sysname-aspf-policy-1] tcp syn-check
Related commands
aspf policy
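To make the two checks concrete, here is an added model (constructed for this page, not H3C's implementation) of how a stateful inspector applies the tcp syn-check rule and the icmp-error drop rule described above: a non-SYN first packet is dropped only while SYN check is on, and an ICMP error passes only when the connection it quotes is already in the session table. Addresses, ports and the Pkt/Aspf names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Added model of tcp syn-check and icmp-error drop; a constructed illustration,
# not the device software. Addresses and ports below are made up.
Key = Tuple[str, int, str, int, str]        # (src, sport, dst, dport, proto)

@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                              # "TCP" or "ICMP"
    syn: bool = False                       # TCP SYN flag set
    inner: Optional[Key] = None             # ICMP error only: 5-tuple quoted from the offending packet

class Aspf:
    def __init__(self, tcp_syn_check=False, icmp_error_drop=False):
        self.tcp_syn_check, self.icmp_error_drop = tcp_syn_check, icmp_error_drop
        self.sessions = set()               # keys stored in initiator direction

    def _known(self, k):
        rev = (k[2], k[3], k[0], k[1], k[4])
        return k in self.sessions or rev in self.sessions

    def handle(self, p):
        """Return 'pass' or 'drop' for one packet, creating a session when allowed."""
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if p.proto == "ICMP" and p.inner is not None:        # ICMP error message
            # icmp-error drop: the quoted connection must exist in the session table
            return "drop" if self.icmp_error_drop and not self._known(p.inner) else "pass"
        if self._known(key):
            return "pass"
        if p.proto == "TCP" and self.tcp_syn_check and not p.syn:
            return "drop"                                    # first packet of a flow must be a SYN
        self.sessions.add(key)                               # mid-stream pickup when the check is off
        return "pass"

def demo():
    """Replay the cases from the usage guidelines; all values are constructed."""
    strict = Aspf(tcp_syn_check=True, icmp_error_drop=True)
    relaxed = Aspf(tcp_syn_check=False)     # setting suggested right after a router restart
    syn = Pkt("10.0.0.5", 40000, "10.0.0.9", 22, "TCP", syn=True)
    ack = Pkt("10.0.0.5", 40001, "10.0.0.9", 22, "TCP")     # first packet seen is a non-SYN
    err_ok = Pkt("10.0.0.9", 0, "10.0.0.5", 0, "ICMP", inner=("10.0.0.5", 40000, "10.0.0.9", 22, "TCP"))
    err_bad = Pkt("10.0.0.9", 0, "10.0.0.5", 0, "ICMP", inner=("10.0.0.5", 55555, "10.0.0.9", 22, "TCP"))
    return {"syn_first": strict.handle(syn), "nonsyn_strict": strict.handle(ack),
            "nonsyn_relaxed": relaxed.handle(ack), "icmp_err_match": strict.handle(err_ok),
            "icmp_err_mismatch": strict.handle(err_bad)}
```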