1 CloudSec commands
1.1.1 cloudsec peer
Use cloudsec peer to create a CloudSec peer and enter its view, or enter the view of an existing CloudSec peer.
Use undo cloudsec peer to delete a CloudSec peer.
Syntax
cloudsec peer { ipv4-address | ipv6-address }
undo cloudsec peer { ipv4-address | ipv6-address }
Default
No CloudSec peers exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies the IPv4 address of a CloudSec peer.
ipv6-address: Specifies the IPv6 address of a CloudSec peer.
Usage guidelines
After you create a CloudSec peer, you can specify the CloudSec parameters used for protection of communication with that peer. These parameters include a keychain and CloudSec policy binding, as well as the transmit and receive SCIs. The CloudSec policy contains settings such as the cipher suite and SAK rekey interval.
Examples
# Specify the node at 11.1.1.1 as a CloudSec peer and enter CloudSec peer view.
<Sysname> system-view
[Sysname] cloudsec peer 11.1.1.1
[Sysname-cloudsec-peer-11.1.1.1]
Related commands
cloudsec policy
1.1.2 cloudsec policy
Use cloudsec policy to create a CloudSec policy and enter its view, or enter the view of an existing CloudSec policy.
Use undo cloudsec policy to delete a CloudSec policy.
Syntax
cloudsec policy policy-name
undo cloudsec policy policy-name
Default
The device has a default CloudSec policy named default-policy.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
policy-name: Specifies a CloudSec policy by its name, a case-sensitive string of 1 to 16 characters.
Usage guidelines
To configure CloudSec, you must first create a CloudSec policy, and then configure CloudSec settings such as cipher suites and the SAK update interval in the policy.
To create multiple CloudSec policies, repeat this command.
The default CloudSec policy is named default-policy. You cannot delete or modify it.
Examples
# Create a CloudSec policy named abcd and enter its view.
<Sysname> system-view
[Sysname] cloudsec policy abcd
[Sysname-cloudsec-policy-abcd]
Related commands
cipher-suite
1.1.3 cloudsec source-interface
Use cloudsec source-interface to associate a VXLAN tunnel source interface with CloudSec.
Use undo cloudsec source-interface to disassociate a tunnel source interface from CloudSec.
Syntax
cloudsec source-interface interface-type interface-number
undo cloudsec source-interface interface-type interface-number
Default
No tunnel source interfaces are associated with CloudSec.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interface-type interface-number: Specifies a tunnel source interface by its type and number.
Usage guidelines
Operating mechanism
To protect the packets transmitted in an EVPN VXLAN tunnel with CloudSec, you must associate its tunnel source interface with CloudSec.
Restrictions and guidelines
To associate multiple tunnel source interfaces with CloudSec, repeat this command. CloudSec is automatically enabled when you execute this command, the cloudsec peer command, or the cloudsec policy command for the first time.
Examples
# Associate a tunnel source interface with CloudSec.
<Sysname> system-view
[Sysname] cloudsec source-interface loopback 0
Related commands
cloudsec peer
cloudsec policy
1.1.4 cipher-suite
Use cipher-suite to specify a cipher suite for CloudSec to encrypt data.
Use undo cipher-suite to restore the default.
Syntax
cipher-suite { gcm-aes-128 | gcm-aes-256 | gcm-aes-xpn-128 | gcm-aes-xpn-256 }
undo cipher-suite
Default
CloudSec uses the GCM-AES-128 cipher suite.
Views
CloudSec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
gcm-aes-128: Specifies the GCM-AES-128 cipher suite.
gcm-aes-256: Specifies the GCM-AES-256 cipher suite.
gcm-aes-xpn-128: Specifies the GCM-AES-XPN-128 cipher suite.
gcm-aes-xpn-256: Specifies the GCM-AES-XPN-256 cipher suite.
Usage guidelines
You must configure the local end and its peer end with the same cipher suite to successfully establish a CloudSec session. If you change the cipher suite at one end, you must ensure that the same change is made at the other end.
When you use the GCM-AES-XPN-128 or GCM-AES-XPN-256 cipher suite for a VXLAN tunnel, make sure its transport-facing physical interfaces are in the same port group on the same module. If they are in different port groups or on different modules, encryption or decryption will fail. To identify port group memberships, execute the display hardware internal port mapping command in probe view. Ports with the same LchipId value belong to the same group.
Examples
# In CloudSec policy abcd, set the cipher suite to GCM-AES-256.
<Sysname> system-view
[Sysname] cloudsec policy abcd
[Sysname-cloudsec-policy-abcd] cipher-suite gcm-aes-256
Related commands
cloudsec policy
1.1.5 display cloudsec local
Use display cloudsec local to display local CloudSec information.
Syntax
display cloudsec local [ ipv4-address | ipv6-address ]
Views
Any view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies an IPv4 address.
ipv6-address: Specifies an IPv6 address.
Usage guidelines
If you do not specify an IPv4 or IPv6 address, this command displays all local CloudSec information.
Examples
# Display local CloudSec information.
<Sysname> display cloudsec local
Local address 1.1.1.1
Current SA : AN 1
Previous SA : AN N/A
Local address 3.3.3.3
Current SA : AN 1
Previous SA : AN N/A
# Display CloudSec information for the address at 1.1.1.1 at the local end.
<Sysname> display cloudsec local 1.1.1.1
Local address 1.1.1.1
Current SA : AN 1
Previous SA : AN N/A
Table 1-1 Command output
Field | Description |
---|---|
Local address | Local address. |
Current SA | The current SA in use for the secure channel. If this information is unavailable, the AN field displays N/A. |
Previous SA | The previous SA used for the secure channel. If this information is unavailable, the AN field displays N/A. |
AN | SA number. |
Related commands
cloudsec source-interface
1.1.6 display cloudsec peer
Use display cloudsec peer to display peer CloudSec information.
Syntax
display cloudsec peer [ ipv4-address | ipv6-address ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv4-address: Specifies a peer by its IPv4 address.
ipv6-address: Specifies a peer by its IPv6 address.
verbose: Displays detailed information about CloudSec peers. If you do not specify this keyword, the command displays brief information about CloudSec peers.
Usage guidelines
If you do not specify an IPv4 or IPv6 address, this command displays all peer CloudSec information.
Examples
# Display brief information about the CloudSec peer at 2.2.2.2.
<Sysname> display cloudsec peer 2.2.2.2
Peer address 2.2.2.2
Active policy : PL01
TunnelNo : 1
# Display detailed information about the CloudSec peer at 2.2.2.2.
<Sysname> display cloudsec peer 2.2.2.2 verbose
Peer address 2.2.2.2
Active policy : PL01
TunnelNo : 1
Included SCI : No
Cipher suite : GCM-AES-128
SAK rekey interval : 1800s
Tx secure channel:
SCI : 000C292179BC0004
Current SA : AN 1
Table 1-2 Command output
Field | Description |
---|---|
Peer address | Address of the peer. |
Active policy | The CloudSec policy that has been applied to the peer and is in effect. The command does not display this field if the peer does not have an effective CloudSec policy. |
TunnelNo | Number of the VXLAN tunnel protected by the CloudSec peer. |
Included SCI | Whether the device sends CloudSec protected packets with the transmit SCI value included in the SecTAG field. |
Cipher suite | Cipher suite for packet encryption: GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, or GCM-AES-XPN-256. |
SAK rekey interval | SAK rekey interval. |
Tx secure channel | Secure channel information for sending packets. |
SCI | SCI information. |
Current SA | The current SA in use for the secure channel. If this information is unavailable, the AN field displays N/A. |
AN | SA number. |
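The output of display cloudsec local and display cloudsec peer verbose shown above is easy to audit once it is parsed into records. The parser below is an added example and is not part of this H3C reference; it assumes the line layout of the sample output on this page (a `Peer address` or `Local address` header line starts a record, the lines that follow are `key : value` pairs, and a line ending in `secure channel:` opens a nested block). The embedded sample text is constructed from this page's examples, with a second peer added for which no policy is in effect, so the device prints no `Active policy` line for it.

```python
"""Parse 'display cloudsec local' / 'display cloudsec peer [verbose]' output.

Added example (not part of the H3C CloudSec command reference). It assumes the
line layout of the sample output on this page: a header line such as
'Peer address 2.2.2.2' or 'Local address 1.1.1.1' starts a record, the lines
that follow are 'key : value' pairs, and a line ending in 'secure channel:'
opens a nested block (for example 'Tx secure channel:').
"""
import re

# Constructed sample: the verbose peer output from this page, plus a second
# peer (constructed) for which no CloudSec policy is in effect, so the device
# prints no 'Active policy' line for it.
SAMPLE_PEER_OUTPUT = """\
Peer address 2.2.2.2
Active policy : PL01
TunnelNo : 1
Included SCI : No
Cipher suite : GCM-AES-128
SAK rekey interval : 1800s
Tx secure channel:
SCI : 000C292179BC0004
Current SA : AN 1
Peer address 3.3.3.3
TunnelNo : 2
"""

# The 'display cloudsec local' sample output from this page.
SAMPLE_LOCAL_OUTPUT = """\
Local address 1.1.1.1
Current SA : AN 1
Previous SA : AN N/A
Local address 3.3.3.3
Current SA : AN 1
Previous SA : AN N/A
"""


def parse_cloudsec_output(text, header):
    """Split the output into one dict per record.

    header is the label that starts a record ('Peer address' or 'Local address').
    Each dict gets an 'address' key; other fields keep the display name as key
    and the value as a string. A nested 'Xx secure channel:' block is stored
    as a dict under the key 'xx_channel'.
    """
    pattern = re.compile(rf"^{re.escape(header)}\s+(\S+)$")
    records = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = pattern.match(line)
        if m:
            current = {"address": m.group(1)}
            records.append(current)
            section = None
            continue
        if current is None:
            continue  # ignore anything printed before the first record
        if line.endswith("secure channel:"):
            section = line[: -len(" secure channel:")].lower() + "_channel"
            current[section] = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a key/value line; leave it out rather than guess
        target = current[section] if section else current
        target[key.strip()] = value.strip()
    return records


def association_number(record, field="Current SA"):
    """Return the AN of 'AN 1' as an int, or None for 'AN N/A' or a missing field."""
    m = re.match(r"^AN\s+(\d+)$", record.get(field, ""))
    return int(m.group(1)) if m else None


def rekey_interval_seconds(record):
    """Turn the '1800s' string into an int; None when the field is absent."""
    value = record.get("SAK rekey interval")
    return int(value.rstrip("s")) if value else None


def peers_without_policy(records):
    """Addresses of peers for which no 'Active policy' line was printed,
    meaning no CloudSec policy is in effect for them."""
    return [r["address"] for r in records if "Active policy" not in r]


if __name__ == "__main__":
    peers = parse_cloudsec_output(SAMPLE_PEER_OUTPUT, "Peer address")
    print("peers with no effective policy:", peers_without_policy(peers))
```

Values are kept as the strings the device printed; the two helpers show the conversions a report would need (the association number from `AN 1`, the interval from `1800s`). A peer that is listed but has no `Active policy` field is the case to look for first when a tunnel is not being protected.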
Related commands
cloudsec peer
1.1.7 display cloudsec policy
Use display cloudsec policy to display CloudSec policies.
Syntax
display cloudsec policy [ name policy-name ]
Views
Any view
Predefined user roles
network-admin
mdc-admin
Parameters
name policy-name: Specifies a CloudSec policy by its name. The policy-name argument represents the policy name, a case-sensitive string of 1 to 16 characters. If you do not specify a policy, the command displays all CloudSec policies.
Examples
# Display all CloudSec policies.
<Sysname> display cloudsec policy
PolicyName : Policy-1
Included SCI : No
Cipher suite : GCM-AES-128
SAK rekey interval : 1800s
PolicyName : Policy-2
Included SCI : No
Cipher suite : GCM-AES-128
SAK rekey interval : 1800s
# Display the CloudSec policy named Policy-1.
<Sysname> display cloudsec policy name Policy-1
PolicyName : Policy-1
Included SCI : No
Cipher suite : GCM-AES-128
SAK rekey interval : 1800s
Table 1-3 Command output
Field | Description |
---|---|
PolicyName | CloudSec policy name. |
Included SCI | Inclusion of the transmit SCI value in the encrypted packet: No (SCI is not included) or Yes (SCI is included). |
Cipher suite | Cipher suite: GCM-AES-128, GCM-AES-256, GCM-AES-XPN-128, or GCM-AES-XPN-256. |
SAK rekey interval | SAK rekey interval. |
Related commands
cloudsec policy
1.1.8 include sci
Use include sci to enable the device to send CloudSec protected packets with the transmit SCI value included in the SecTAG field.
Use undo include sci to restore the default.
Syntax
include sci
undo include sci
Default
The device does not send CloudSec protected data packets with the transmit SCI value included in the SecTAG field.
Views
CloudSec policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
A transmit secure channel identifier (SCI) identifies the source of a packet and is manually configured.
For correct traffic forwarding through a CloudSec protected tunnel, enable or disable inclusion of the transmit SCI value in the SecTAG field on both ends of the tunnel. Do not enable the feature at one end and disable it at the other end.
Examples
# In CloudSec policy abcd, configure the device to include the SCI value in the SecTAG field of encrypted packets sent to peers.
<Sysname> system-view
[Sysname] cloudsec policy abcd
[Sysname-cloudsec-policy-abcd] include sci
Related commands
cloudsec policy
1.1.9 interface-peer/peer advertise-cloudsec
Use peer advertise-cloudsec or interface-peer advertise-cloudsec to configure the device to advertise CloudSec encryption information to a peer or peer group.
Use undo peer advertise-cloudsec or undo interface-peer advertise-cloudsec to remove a peer or peer group from the list of CloudSec encryption information recipients.
Syntax
In BGP IPv4 unicast address family view:
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } advertise-cloudsec
undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } advertise-cloudsec
In BGP IPv6 unicast address family view:
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | link-local-address interface interface-type interface-number } advertise-cloudsec
undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] | link-local-address interface interface-type interface-number } advertise-cloudsec
In BGP IPv4 unicast address family view or BGP IPv6 unicast address family view:
interface-peer interface-type interface-number advertise-cloudsec
undo interface-peer interface-type interface-number advertise-cloudsec
Default
The device does not advertise CloudSec encryption information to peers or peer groups.
Views
BGP IPv4 unicast address family view
BGP IPv6 unicast address family view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies a BGP peer group by its name, a case-sensitive string of 1 to 47 characters. The specified BGP peer group must already exist.
ipv4-address: Specifies a peer by its IPv4 address. The specified peer must already exist.
mask-length: Specifies a subnet mask length in the range of 0 to 32. If you specify a subnet, this command applies to all dynamic peers in the subnet.
ipv6-address: Specifies a peer by its IPv6 address. The specified peer must already exist.
prefix-length: Specifies a prefix length in the range of 0 to 128. If you specify a subnet, this command applies to all dynamic peers in the subnet.
link-local-address: Specifies the link-local address of the peer.
interface-type interface-number: Specifies the peer-connected interface by its type and number.
interface-peer interface-type interface-number: Indicates that the link-local address of the peer belongs to the ND entry learned for the peer on the interface specified by its type and number.
Usage guidelines
Application scenarios
CloudSec uses BGP to transmit encryption information between peers for data packet encryption during communication.
Operating mechanism
BGP conveys CloudSec encryption information in a BGP path attribute called the Tunnel Encapsulation attribute. This attribute has a type value of 23 and contains one or more type-length-value (TLV) fields. The tunnel type value for CloudSec in the Tunnel Encapsulation attribute is 18, the tunnel encapsulation type assigned by IANA for cloud security.
This feature uses BGP to advertise the source addresses of VXLAN tunnels as BGP unicast route prefixes to the specified peers. When BGP advertises this unicast route information, it also advertises the encryption information generated by the device to the specified peers. The peers will encrypt the packets transmitted in the CloudSec protected VXLAN tunnels to the device based on the received encryption information.
Restrictions and guidelines
The Tunnel Encapsulation attribute is optional transitive. You must make sure the specified peers can identify the Tunnel Encapsulation attribute and the encryption information it contains. A peer that cannot identify the Tunnel Encapsulation attribute or the CloudSec encryption information will be unable to encrypt VXLAN tunneled packets with this information.
Examples
# In BGP IPv4 unicast address family view, configure the device to advertise CloudSec encryption information to peer group test.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] address-family ipv4 unicast
[Sysname-bgp-default-ipv4] peer test advertise-cloudsec
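The attribute layout described under Operating mechanism and Restrictions and guidelines (type code 23, optional transitive flags, tunnel-type TLVs with CloudSec using tunnel type 18) can be checked on captured BGP UPDATE data. The decoder below is an added example, not part of this reference or of the device software. It assumes the standard BGP path-attribute header (flags, type code, then a 1-byte length or a 2-byte length when the Extended Length flag is set) and the Tunnel Encapsulation TLV layout from RFC 9012 (2-byte tunnel type, 2-byte length, value). The sub-TLVs inside a CloudSec TLV are kept as raw bytes because this page does not describe their contents, and the attribute bytes used for the demonstration are constructed by the `build_tunnel_encap` helper rather than captured from a device.

```python
"""Decode a BGP Tunnel Encapsulation path attribute and report its tunnel TLVs.

Added example; not H3C code. Assumptions: RFC 4271 path-attribute header
(flags, type code, 1- or 2-byte length) and RFC 9012 Tunnel Encapsulation TLVs
(2-byte tunnel type, 2-byte length, value). Sub-TLV contents are not decoded.
"""
import struct

TUNNEL_ENCAP_TYPE_CODE = 23   # attribute type code stated on this page
CLOUDSEC_TUNNEL_TYPE = 18     # tunnel type for CloudSec stated on this page

FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40
FLAG_PARTIAL = 0x20           # set by a router that forwarded the attribute unrecognised
FLAG_EXT_LENGTH = 0x10        # length field is 2 bytes instead of 1


def parse_path_attribute(data):
    """Return (flags, type_code, value, bytes_consumed) for one path attribute."""
    if len(data) < 3:
        raise ValueError("attribute header truncated")
    flags, type_code = data[0], data[1]
    if flags & FLAG_EXT_LENGTH:
        if len(data) < 4:
            raise ValueError("attribute header truncated")
        length = struct.unpack("!H", data[2:4])[0]
        offset = 4
    else:
        length = data[2]
        offset = 3
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("attribute value truncated")
    return flags, type_code, value, offset + length


def parse_tunnel_encap_tlvs(value):
    """Return a list of (tunnel_type, raw_sub_tlv_bytes) from the attribute value."""
    tlvs = []
    pos = 0
    while pos < len(value):
        if pos + 4 > len(value):
            raise ValueError("tunnel TLV header truncated")
        tunnel_type, length = struct.unpack("!HH", value[pos:pos + 4])
        body = value[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("tunnel TLV body truncated")
        tlvs.append((tunnel_type, body))
        pos += 4 + length
    return tlvs


def describe_tunnel_encap(data):
    """Summarise a Tunnel Encapsulation attribute; raise ValueError if it is not one."""
    flags, type_code, value, _ = parse_path_attribute(data)
    if type_code != TUNNEL_ENCAP_TYPE_CODE:
        raise ValueError(f"not a Tunnel Encapsulation attribute (type {type_code})")
    both = FLAG_OPTIONAL | FLAG_TRANSITIVE
    tlvs = parse_tunnel_encap_tlvs(value)
    return {
        "optional_transitive": (flags & both) == both,
        # Partial set means some router on the path did not understand the attribute,
        # which is the situation the restrictions above warn about.
        "partial": bool(flags & FLAG_PARTIAL),
        "tunnel_types": [t for t, _ in tlvs],
        "carries_cloudsec": any(t == CLOUDSEC_TUNNEL_TYPE for t, _ in tlvs),
    }


def build_tunnel_encap(tlvs, set_partial=False):
    """Encode (tunnel_type, body) pairs as an optional transitive attribute.

    Used here only to construct test input; a real attribute comes from a
    BGP UPDATE capture.
    """
    value = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in tlvs)
    flags = FLAG_OPTIONAL | FLAG_TRANSITIVE
    if set_partial:
        flags |= FLAG_PARTIAL
    if len(value) > 255:
        header = bytes([flags | FLAG_EXT_LENGTH, TUNNEL_ENCAP_TYPE_CODE])
        return header + struct.pack("!H", len(value)) + value
    return bytes([flags, TUNNEL_ENCAP_TYPE_CODE, len(value)]) + value


if __name__ == "__main__":
    # Constructed: one CloudSec TLV with opaque sub-TLV bytes, one other tunnel type.
    sample = build_tunnel_encap([(CLOUDSEC_TUNNEL_TYPE, b"\x01\x02\x03"), (8, b"")])
    print(describe_tunnel_encap(sample))
```

When a peer is not encrypting despite the advertisement, the `partial` flag in the summary is the first thing to check: an intermediate router that did not recognise the attribute forwards it with that bit set, which is exactly the case in which the encryption information may not reach the peer intact.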
1.1.10 keychain
Use keychain to specify a pair of keychain and CloudSec policy for a CloudSec peer.
Use undo keychain to restore the default.
Syntax
keychain keychain-name policy policy-name
undo keychain
Default
No keychain and CloudSec policy pairs apply to CloudSec peers.
Views
CloudSec peer view
Predefined user roles
network-admin
mdc-admin
Parameters
keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters.
policy policy-name: Specifies a CloudSec policy by its name. The policy-name argument represents the policy name, a case-sensitive string of 1 to 16 characters.
Usage guidelines
If the CloudSec policy specified in a keychain and CloudSec policy pair has not been created, the device uses the default CloudSec policy named default-policy for the peer. The specified CloudSec policy applies after it is created.
You can specify only one pair of keychain and CloudSec policy for a peer.
CloudSec uses only the keys of a keychain; it does not use the authentication algorithms configured for those keys. However, a key can be activated only after you configure an authentication algorithm for it. You must configure the same key in the keychains at both ends of the CloudSec protected tunnel and specify an authentication algorithm for each key; the authentication algorithms at the two ends can be different. To configure a key for a keychain, use the key-string command. To specify an authentication algorithm for a key, use the authentication-algorithm command.
Examples
# Apply keychain abcd and CloudSec policy aa to a CloudSec peer.
<Sysname> system-view
[Sysname] cloudsec peer 11.1.1.1
[Sysname-cloudsec-peer-11.1.1.1] keychain abcd policy aa
Related commands
authentication-algorithm (Security Command Reference)
cloudsec policy
key-string (Security Command Reference)
1.1.11 sak-rekey-interval
Use sak-rekey-interval to set the SAK rekey interval.
Use undo sak-rekey-interval to restore the default.
Syntax
sak-rekey-interval interval
undo sak-rekey-interval
Default
SAKs do not rekey.
Views
CloudSec policy view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Specifies the SAK rekey interval, in seconds. The value range is 1800 to 2592000.
Usage guidelines
A security association (SA) is an agreement negotiated by CA participants. The agreement includes a cipher suite and keys for integrity check.
A secure channel can contain multiple SAs, each with a unique key called a secure association key (SAK). An SAK is derived from the CAK to encrypt data transmitted in the secure channel. To regularly update the SAKs for enhanced key security, use this command to set a SAK rekey interval.
Examples
# Set the SAK rekey interval to 2000 seconds in CloudSec policy abcd.
<Sysname> system-view
[Sysname] cloudsec policy abcd
[Sysname-cloudsec-policy-abcd] sak-rekey-interval 2000
Related commands
cloudsec policy
1.1.12 sci rx
Use sci rx to set a receive SCI value for CloudSec protected packets.
Use undo sci rx to restore the default.
Syntax
sci rx sci-value
undo sci rx
Default
No receive SCI value is set for CloudSec protected packets.
Views
CloudSec peer view
Predefined user roles
network-admin
mdc-admin
Parameters
sci-value: Specifies a receive SCI value for CloudSec protected packets. The value range is 1 to 4294967295.
Usage guidelines
A secure channel identifier (SCI) uniquely identifies a secure channel. It ensures that every pair of communicating nodes correctly identifies and verifies their secure channel, preventing unauthorized nodes from inserting or tampering with data. By using SCIs to identify secure channels, CloudSec provides enhanced data protection and security to ensure secrecy and integrity of data.
The sender inserts the SCI value in a packet based on its configuration and policy. The receiver verifies this SCI value and compares it with the preconfigured policy to determine if the packet comes from the expected secure channel.
When the device receives a CloudSec protected packet from the peer, it compares the SCI value in the packet with the local receive SCI value. If the two SCI values match, the device processes the CloudSec packet.
Examples
# In CloudSec peer view, set the receive SCI value to 10000.
<Sysname> system-view
[Sysname] cloudsec peer 2.2.2.2
[Sysname-cloudsec-peer-2.2.2.2] sci rx 10000
Related commands
cloudsec peer
1.1.13 sci tx
Use sci tx to set a transmit SCI value for CloudSec protected packets.
Use undo sci tx to restore the default.
Syntax
sci tx sci-value
undo sci tx
Default
No transmit SCI value is set for CloudSec protected packets.
Views
CloudSec peer view
Predefined user roles
network-admin
mdc-admin
Parameters
sci-value: Specifies a transmit SCI value for CloudSec protected packets. The value range is 1 to 4294967295.
Usage guidelines
A secure channel identifier (SCI) uniquely identifies a secure channel. It ensures that every pair of communicating nodes correctly identifies and verifies their secure channel, preventing unauthorized nodes from inserting or tampering with data. By using SCIs to identify secure channels, CloudSec provides enhanced data protection and security to ensure secrecy and integrity of data.
The sender inserts the SCI value in a packet based on its configuration and policy. The receiver verifies this SCI value and compares it with the preconfigured policy to determine if the packet comes from the expected secure channel.
With SCI inclusion enabled, the device sends the specified transmit SCI value in the CloudSec protected packets sent to the peer device. Upon receipt of the packets, the peer device compares the transmit SCI value in the packets with its local receive SCI value. The peer device processes the packets only if the two SCI values match.
Examples
# In CloudSec peer view, set the transmit SCI value to 10000.
<Sysname> system-view
[Sysname] cloudsec peer 2.2.2.2
[Sysname-cloudsec-peer-2.2.2.2] sci tx 10000
Related commands
cloudsec peer
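Several commands in this reference carry a rule that spans both ends of a tunnel: cipher-suite must be identical at both ends, include sci must be enabled or disabled at both ends, the value set with sci tx at one end must equal the value set with sci rx at the other, and sak-rekey-interval, policy names, keychain names and SCI values each have a stated range. The checker below is an added example, not H3C code and not a device export format; it represents each end as a plain dict whose keys (`policy`, `cipher_suite`, `include_sci`, `sak_rekey_interval`, `keychain`, `sci_tx`, `sci_rx`) are this example's own names for the corresponding commands, and the two configurations it checks are constructed. The key material in the keychains is out of scope for this check.

```python
"""Cross-check CloudSec peer settings at both ends of a tunnel.

Added example (not H3C code). Each end is a dict with the keys policy,
cipher_suite, include_sci, sak_rekey_interval, keychain, sci_tx and sci_rx,
which are this example's own names for the commands cloudsec policy,
cipher-suite, include sci, sak-rekey-interval, keychain, sci tx and sci rx.
Ranges and defaults are the ones stated in the command reference.
"""

CIPHER_SUITES = {"gcm-aes-128", "gcm-aes-256", "gcm-aes-xpn-128", "gcm-aes-xpn-256"}
DEFAULT_SUITE = "gcm-aes-128"            # default of the cipher-suite command
SCI_MIN, SCI_MAX = 1, 4294967295         # sci tx / sci rx value range
REKEY_MIN, REKEY_MAX = 1800, 2592000     # sak-rekey-interval range, seconds
POLICY_NAME_MAX = 16
KEYCHAIN_NAME_MAX = 63


def check_end(name, end):
    """Validate one end's settings against the value ranges the reference states."""
    problems = []
    policy = end.get("policy", "default-policy")  # default-policy applies until a named policy exists
    if not 1 <= len(policy) <= POLICY_NAME_MAX:
        problems.append(f"{name}: policy name {policy!r} must be 1 to {POLICY_NAME_MAX} characters")
    suite = end.get("cipher_suite", DEFAULT_SUITE)
    if suite not in CIPHER_SUITES:
        problems.append(f"{name}: unknown cipher suite {suite!r}")
    rekey = end.get("sak_rekey_interval")          # None means SAKs never rekey (the default)
    if rekey is not None and not REKEY_MIN <= rekey <= REKEY_MAX:
        problems.append(f"{name}: SAK rekey interval {rekey} outside {REKEY_MIN}-{REKEY_MAX} seconds")
    keychain = end.get("keychain")
    if keychain is None:
        problems.append(f"{name}: no keychain bound to the peer")
    elif not 1 <= len(keychain) <= KEYCHAIN_NAME_MAX:
        problems.append(f"{name}: keychain name {keychain!r} must be 1 to {KEYCHAIN_NAME_MAX} characters")
    for key in ("sci_tx", "sci_rx"):
        sci = end.get(key)
        label = key.replace("_", " ")
        if sci is None:
            problems.append(f"{name}: {label} value not set")
        elif not SCI_MIN <= sci <= SCI_MAX:
            problems.append(f"{name}: {label} value {sci} outside {SCI_MIN}-{SCI_MAX}")
    return problems


def check_pair(a_name, a, b_name, b):
    """Return a list of problems for the pair; an empty list means consistent."""
    problems = check_end(a_name, a) + check_end(b_name, b)
    # Both ends must use the same cipher suite (cipher-suite usage guidelines).
    a_suite = a.get("cipher_suite", DEFAULT_SUITE)
    b_suite = b.get("cipher_suite", DEFAULT_SUITE)
    if a_suite != b_suite:
        problems.append(f"cipher suite mismatch: {a_name}={a_suite}, {b_name}={b_suite}")
    # include sci must be enabled on both ends or disabled on both ends.
    a_inc = bool(a.get("include_sci", False))
    b_inc = bool(b.get("include_sci", False))
    if a_inc != b_inc:
        problems.append(f"include sci enabled on one end only: {a_name}={a_inc}, {b_name}={b_inc}")
    # The SCI one end transmits must be the SCI the other end expects to receive.
    for tx_name, tx, rx_name, rx in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if tx.get("sci_tx") is not None and rx.get("sci_rx") is not None \
                and tx["sci_tx"] != rx["sci_rx"]:
            problems.append(f"SCI mismatch: {tx_name} sci tx {tx['sci_tx']} != {rx_name} sci rx {rx['sci_rx']}")
    return problems


# Constructed configurations for two ends of one tunnel.
END_A = {"policy": "aa", "cipher_suite": "gcm-aes-256", "include_sci": True,
         "sak_rekey_interval": 2000, "keychain": "abcd", "sci_tx": 10000, "sci_rx": 20000}
END_B_GOOD = {"policy": "aa", "cipher_suite": "gcm-aes-256", "include_sci": True,
              "sak_rekey_interval": 2000, "keychain": "abcd", "sci_tx": 20000, "sci_rx": 10000}
END_B_BAD = {"policy": "aa", "cipher_suite": "gcm-aes-128", "include_sci": False,
             "sak_rekey_interval": 600, "keychain": "abcd", "sci_tx": 20000, "sci_rx": 30000}

if __name__ == "__main__":
    for line in check_pair("A", END_A, "B", END_B_BAD):
        print(line)
```

Run the pair check before bringing a tunnel up or after any cipher-suite change at one end; each reported line names the command whose setting needs attention, and the direction of an SCI mismatch tells you which end's sci tx or sci rx value to compare.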