HP 5120 SI Series, Command Reference Manual

Page 1: ...HP 5120 SI Switch Series Security Command Reference Part number 5998 1814 Software version Release 1513 Document version 6W100 20130830 ...

Page 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Page 3: ... portal 15 authorization attribute user profile 15 cut connection 16 display connection 17 display domain 20 domain 21 domain default enable 22 idle cut enable 23 nas id bind vlan 24 self service url enable 24 state 25 Local user configuration commands 26 access limit 26 authorization attribute local user view user group view 27 bind attribute 28 display local user 29 display user group 31 expirat...

Page 4: ...9 HWTACACS configuration commands 70 data flow format HWTACACS scheme view 70 display hwtacacs 71 display stop accounting buffer 74 hwtacacs nas ip 74 hwtacacs scheme 75 key HWTACACS scheme view 76 nas ip HWTACACS scheme view 77 primary accounting HWTACACS scheme view 78 primary authentication HWTACACS scheme view 79 primary authorization 80 reset hwtacacs statistics 81 reset stop accounting buffe...

Page 5: ... authentication guest vlan 121 mac authentication max user 122 mac authentication timer 122 mac authentication user name format 123 reset mac authentication statistics 124 Portal configuration commands 126 display portal acl 126 display portal connection statistics 129 display portal free rule 132 display portal interface 134 display portal local server 135 display portal server 136 display portal...

Page 6: ...p 176 User profile configuration commands 178 display user profile 178 user profile enable 179 user profile 179 Password control configuration commands 181 display password control 181 display password control blacklist 182 password 183 password control aging 184 password control alert before expire 185 password control authentication timeout 186 password control complexity 186 password control co...

Page 7: ...te request from 216 certificate request mode 217 certificate request polling 217 certificate request url 218 common name 219 country 219 crl check 220 crl update period 220 crl url 221 display pki certificate 222 display pki certificate access control policy 223 display pki certificate attribute group 224 display pki crl domain 225 fqdn 227 ip PKI entity view 227 ldap server 228 locality 229 organ...

Page 8: ...sh client first time 248 ssh client ipv6 source 249 ssh client source 250 ssh2 250 ssh2 ipv6 252 SFTP configuration commands 254 SFTP server configuration commands 254 sftp server enable 254 sftp server idle timeout 254 SFTP client configuration commands 255 bye 255 cd 255 cdup 256 delete 256 dir 257 display sftp client source 258 exit 258 get 259 help 259 ls 260 mkdir 261 put 261 pwd 262 quit 262...

Page 9: ...ess based ARP attack detection configuration commands 293 arp anti attack source mac 293 arp anti attack source mac aging time 294 arp anti attack source mac exclude mac 295 arp anti attack source mac threshold 295 display arp anti attack source mac 296 ARP packet source MAC address consistency check configuration commands 297 arp anti attack valid check enable 297 ARP active acknowledgement confi...

Page 10: ... fips mode enable 317 display fips status 317 fips self test 318 IPsec configuration commands 319 ah authentication algorithm 319 connection name 319 display ipsec policy 320 display ipsec proposal 323 display ipsec sa 324 display ipsec session 327 display ipsec statistics 328 display ipsec tunnel 330 encapsulation mode 331 esp authentication algorithm 332 esp encryption algorithm 332 ike peer IPs...

Page 11: ...361 ike dpd 362 ike local name 362 ike next payload check disabled 363 ike peer system view 364 ike proposal 364 ike sa keepalive timer interval 365 ike sa keepalive timer timeout 365 ike sa nat keepalive timer interval 366 interval time 367 local address 367 local name 368 nat traversal 369 peer 369 pre shared key 370 proposal IKE peer view 370 remote address 371 remote name 372 reset ike sa 373 ...

Page 12: ...w Default level 2 System level Parameters profile name Name of the NAS ID profile a case insensitive string of 1 to 16 characters Description Use the aaa nas id profile command to create a NAS ID profile and enter its view A NAS ID profile maintains the bindings between NAS IDs and VLANs Use the undo aaa nas id profile command to remove a NAS ID profile Related commands nas id bind vlan Examples C...

Page 13: ...r connections for ISP domain test Sysname system view Sysname domain test Sysname isp test access limit enable 500 accounting command Syntax accounting command hwtacacs scheme hwtacacs scheme name undo accounting command View ISP domain view Default level 2 System level Parameters hwtacacs scheme hwtacacs scheme name Specifies an HWTACACS scheme by its name which is a string of 1 to 32 characters ...

Page 14: ...ult command to configure the default accounting method for an ISP domain Use the undo accounting default command to restore the default By default the default accounting method of an ISP domain is local The specified RADIUS or HWTACACS scheme must have been configured The default accounting method will be used for all users for whom no specific accounting methods are configured Local accounting is...

Page 15: ...efault the default accounting method for the ISP domain is used for LAN users The specified RADIUS scheme must have been configured Related commands local user accounting default and radius scheme Examples Configure ISP domain test to use local accounting for LAN users Sysname system view Sysname domain test Sysname isp test accounting lan access local Configure ISP domain test to use RADIUS accou...

Page 16: ... the default By default the default accounting method for the ISP domain is used for login users The specified RADIUS or HWTACACS scheme must have been configured Accounting is not supported for login users that use FTP Related commands local user accounting default hwtacacs scheme and radius scheme Examples Configure ISP domain test to use local accounting for login users Sysname system view Sysn...

Page 17: ...d in local user view is not effective Examples Enable the accounting optional feature for users in domain test Sysname system view Sysname domain test Sysname isp test accounting optional accounting portal Syntax accounting portal local none radius scheme radius scheme name local undo accounting portal View ISP domain view Default level 2 System level Parameters local Performs local accounting non...

Page 18: ...is a string of 1 to 32 characters local Performs local authentication none Does not perform any authentication radius scheme radius scheme name Specifies a RADIUS scheme by its name which is a string of 1 to 32 characters Description Use the authentication default command to configure the default authentication method for an ISP domain Use the undo authentication default command to restore the def...

Page 19: ...n lan access command to restore the default By default the default authentication method for the ISP domain is used for LAN users The specified RADIUS scheme must have been configured Related commands local user authentication default and radius scheme Examples Configure ISP domain test to use local authentication for LAN users Sysname system view Sysname domain test Sysname isp test authenticatio...

Page 20: ...ntication method for the ISP domain is used for login users The specified RADIUS or HWTACACS scheme must have been configured Related commands local user authentication default hwtacacs scheme and radius scheme Examples Configure ISP domain test to use local authentication for login users Sysname system view Sysname domain test Sysname isp test authentication login local Configure ISP domain test ...

Page 21: ...hentication of portal users and use local authentication as the backup Sysname system view Sysname domain test Sysname isp test authentication portal radius scheme rd local authentication super Syntax authentication super hwtacacs scheme hwtacacs scheme name radius scheme radius scheme name undo authentication super View ISP domain view Default level 2 System level Parameters hwtacacs scheme hwtac...

Page 22: ...e which is a string of 1 to 32 characters local Performs local authorization none Does not perform any authorization exchange In this case an authenticated user can access only commands of Level 0 Description Use the authorization command command to configure the command line authorization method Use the undo authorization command command to restore the default By default the default authorization...

Page 23: ...nly the commands of Level 0 radius scheme radius scheme name Specifies a RADIUS scheme by its name which is a string of 1 to 32 characters Description ion Use the authorization default command to configure the default authorization method for an ISP domain Use the undo authorization default command to restore the default By default the default authorization method for the ISP domain of an ISP doma...

Page 24: ...thod for LAN users Use the undo authorization lan access command to restore the default By default the default authorization method for the ISP domain is used for LAN users The specified RADIUS scheme must have been configured The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme Related command...

Page 25: ...igure the authorization method for login users users logging in through the console port Telnet or FTP Use the undo authorization login command to restore the default By default the default authorization method for the ISP domain is used for login users The specified RADIUS or HWTACACS scheme must have been configured The RADIUS authorization configuration takes effect only when the authentication...

Page 26: ...tion method for the ISP domain is used for portal users The specified RADIUS scheme must have been configured The RADIUS authorization configuration takes effect only when the authentication method and authorization method of the ISP domain use the same RADIUS scheme Related commands local user authorization default and radius scheme Examples Configure ISP domain test to use local authorization fo...

Page 27: ...ile specified by the authorization attribute user profile command as that of the ISP domain If you configure the authorization attribute user profile command repeatedly only the last one takes effect Examples Specify the default authorization user profile for domain test as profile1 Sysname system view Sysname domain test Sysname isp test authorization attribute user profile profile1 cut connectio...

Page 28: ...evice number Description Use the cut connection command to tear down the specified connections forcibly This command applies to only LAN and portal user connections For 802 1X users whose usernames carry the version number or contain spaces you cannot cut the connections by username For 802 1X users whose usernames use a forward slash or backward slash as the domain name delimiter you cannot cut t...

Page 29: ...1 to 4094 slot slot number Specifies the member number of the device in the IRF which you can display with the display irf command The value range for the slot number argument depends on the number of members and numbering conditions in the current IRF If no IRF exists the slot number argument is the current device number Filters command output by specifying a regular expression For more informati...

Page 30: ...1 connection s matched on slot 1 Total 1 connection s matched Display information about AAA user connections using the index of 0 Sysname display connection ucibindex 0 Slot 0 Index 0 Username telnet system IP 10 0 0 1 IPv6 N A Access Admin AuthMethod PAP Port Type Virtual Port Name N A Initial VLAN 999 Authorized VLAN 20 ACL Group Disable User Profile N A CAR Disable Priority Disable Start 2011 0...

Page 31: ...e first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display domain command to display the co...

Page 32: ...n Domain Domain name State Status of the domain active or block Access limit Limit on the number of user connections Accounting method Accounting method either required or optional Default authentication scheme Default authentication method Default authorization scheme Default authorization method Default accounting scheme Default accounting method Lan access authentication scheme Authentication m...

Page 33: ... ISP domain system cannot be deleted you can only modify its configuration Related commands state and display domain Examples Create ISP domain test and enter ISP domain view Sysname system view Sysname domain test Sysname isp test domain default enable Syntax domain default enable isp name undo domain default enable View System view Default level 3 Manage level Parameters isp name Name of the ISP...

Page 34: ...d which is in the range 1 to 10240000 bytes and defaults to 10240 Description Use the idle cut enable command to enable the idle cut function and set the relevant parameters With the idle cut function enabled for a domain the system logs out any user in the domain whose traffic is less than the specified minimum traffic during the idle timeout period Use the undo idle cut enable command to restore...

Page 35: ...S ID profile view you can configure multiple NAS ID VLAN bindings A NAS ID can be bound with more than one VLAN but one VLAN can be bound with only one NAS ID If you bind a VLAN with different NAS IDs only the last binding takes effect Related commands aaa nas id profile Examples Bind NAS ID 222 with VLAN 2 Sysname system view Sysname aaa nas id profile aaa Sysname nas id prof aaa nas id 222 bind ...

Page 36: ...user can change his or her password through the page Only authenticated users can select Service Change Password from the 802 1X client The option is gray and unavailable for unauthenticated users Examples For ISP domain test enable the self service server location function and specify the URL of the self service server for changing user password to http 10 153 89 94 selfservice modPasswd1x jsp us...

Page 37: ...current users of the current local user account in the range 1 to 1024 Description Use the access limit command to limit the number of concurrent users of a local user account Use the undo access limit command to remove the limitation By default there is no limit to the number of users who concurrently use the same local user account This command takes effect only when local accounting is used for...

Page 38: ...t of English letters digits and underlines and must start with an English letter After a user passes authentication and gets online the switch uses the settings in the user profile to restrict the access behavior of the user user role security audit Specifies the role of the local user as security audit Users with different roles can access different levels of commands security audit is used to sp...

Page 39: ...er group abc Sysname ugroup abc authorization attribute vlan 3 bind attribute Syntax bind attribute ip ip address location port slot number subslot number port number mac mac address vlan vlan id undo bind attribute ip location mac vlan View Local user view Default level 3 Manage level Parameters ip ip address Specifies the IP address of the user location Specifies the port binding attribute of th...

Page 40: ...telnet terminal web state active block user name user name vlan vlan id slot slot number begin exclude include regular expression View Any view Default level 1 Monitor level Parameters idle cut disable enable Specifies local users with the idle cut function disabled or enabled service type Specifies the local users that use a specified type of service ftp FTP users lan access Users accessing the n...

Page 41: ...display local user command to display information about local users Related commands local user Examples Display the information of local user bbb on slot 1 Sysname display local user user name bbb slot 1 Slot 1 The contents of local user bbb State Active ServiceType ftp Access limit Enable Current AccessNum 0 Max AccessNum 300 User group system Bind attributes IP address 1 2 3 4 Bind location 1 4...

Page 42: ...al user Password Aging Aging time of the local user password Password Length Minimum length of the local user password Password Composition Password composition policy of the local user display user group Syntax display user group group name begin exclude include regular expression View Any view Default level 2 System level Parameters group name User group name a case insensitive string of 1 to 32...

Page 43: ...anges from 2000 to 2035 MM ranges from 1 to 12 and the range of DD depends on the month Except for the zeros in 00 00 00 leading zeros can be omitted For example 2 2 0 201 1 2 2 equals to 02 02 00 201 1 02 02 Description Use the expiration date command to configure the expiration time of a local user Use the undo expiration date command to remove the configuration By default a local user has no ex...

Page 44: ...r group Use the undo group command to restore the default By default a local user belongs to the system default user group system Examples Assign local user 1 1 1 to user group abc Sysname system view Sysname local user 111 Sysname luser 111 group abc local user Syntax local user user name undo local user user name all service type ftp lan access portal ssh telnet terminal web View System view Def...

Page 45: ... add a local user and enter local user view Use the undo local user command to remove the specified local users By default no local user is configured Related commands display local user and service type Examples Add a local user named user1 Sysname system view Sysname local user user1 Sysname luser user1 password Syntax In non FIPS mode password hash cipher simple password undo password In FIPS m...

Page 46: ...globally by using the password control enable command local user passwords such as the length and complexity are under the restriction of the password control feature and will not be displayed You cannot configure a password by using the password hash cipher password command For security purposes all passwords including passwords configured in plain text are saved in ciphertext Related commands di...

Page 47: ...cify the service types that a user can use Use the undo service type command to delete one or all service types configured for a user By default a user is authorized with no service Examples Authorize user user1 to use the Telnet service Sysname system view Sysname local user user1 Sysname luser user1 service type telnet state local user view Syntax state active block undo state View ISP domain vi...

Page 48: ...oup command to create a user group and enter its view Use the undo user group command to remove a user group A user group consists of a group of local users and has a set of local user attributes You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group Configurable user attributes include password control attri...

Page 49: ...out the online users of the device Use the undo accounting on enable command to disable the accounting on feature By default the accounting on feature is disabled Parameters set with the accounting on enable command take effect immediately NOTE When you execute the accounting on enable command if the accounting on feature is already enabled for another authentication scheme the command takes effec...

Page 50: ...y to interpret RADIUS attribute 25 as CAR parameters Sysname system view Sysname radius scheme radius1 Sysname radius radius1 attribute 25 car data flow format RADIUS scheme view Syntax data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet undo data flow format data packet View RADIUS scheme view Default level 2 System level Parameters data ...

Page 51: ... name RADIUS scheme name slot slot number Specifies the member number of the device in the IRF virtual device which you can display with the display irf command The value range for the slot number argument depends on the number of members and numbering conditions in the current IRF virtual device If no IRF virtual device exists the slot number argument is the current device number Filters command ...

Page 52: ... 2 1 Port 1812 State active Encryption Key N A IP 1 1 3 1 Port 1812 State active Encryption Key N A Probe username test Probe interval 60 min Second Acct Server IP 1 1 2 1 Port 1813 State block Encryption Key N A Probe username test Probe interval 60 min Auth Server Encryption Key Acct Server Encryption Key N A Accounting On packet disable send times 5 interval 3s Interval for timeout second 3 Ret...

Page 53: ...ve or block Auth Server Encryption Key Shared key for secure authentication communication displayed as a series of asterisks If no shared key is configured this field displays N A Acct Server Encryption Key Shared key for secure accounting communication displayed as a series of asterisks If no shared key is configured this field displays N A Accounting On packet disable The accounting on feature i...

Page 54: ...ession For more information about regular expressions see the Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression whic...

Page 55: ...ucc 0 Normal author request Num 0 Err 0 Succ 0 Set policy result Num 0 Err 0 Succ 0 RADIUS sent messages statistic Auth accept Num 10 Auth reject Num 14 EAP auth replying Num 0 Account success Num 4 Account failure Num 3 Server ctrl req Num 0 RecError_MSG_sum 0 SndMSG_Fail_sum 0 Timer_Err 0 Alloc_Mem_Err 0 State Mismatch 0 Other_Error 0 No response acct stop packet 1 Discarded No response acct sto...

Page 56: ... messages statistic Number of messages received by RADIUS Normal auth request Number of normal authentication requests EAP auth request Number of EAP authentication requests Account request Number of accounting requests Account off request Number of stop accounting requests PKT auth timeout Number of authentication timeout messages PKT acct_timeout Number of accounting timeout messages Realtime Ac...

Page 57: ...me name Specifies a RADIUS scheme by its name which is a string of 1 to 32 characters session id session id Specifies a session by its ID The ID is a string of 1 to 50 characters time range start time stop time Specifies a time range by its start time and end time in the format HH MM SS MM DD YYYY or HH MM SS YYYY MM DD user name user name Specifies a user by the username which is a case sensitive...

Page 58: ...p accounting buffer enable user name format retry and retry stop accounting Examples Display information about the buffered stop accounting requests from 0 0 0 to 23 59 59 on March 31 201 1 Sysname display stop accounting buffer time range 0 0 0 03 31 2011 23 59 59 03 31 2011 Slot 1 Total 0 record s Matched key RADIUS scheme view Syntax key accounting authentication cipher simple key undo key acco...

Page 59: ...hello for RADIUS scheme radius1 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 key authentication simple hello Set the plaintext shared key for accounting packets to ok for RADIUS scheme radius1 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 key accounting simple ok nas ip RADIUS scheme view Syntax nas ip ip address ipv6 ipv6 address undo nas ip ...

Page 60: ...ommands radius nas ip Examples Set the IP address for the device to use as the source address of the RADIUS packets to 10 1 1 1 Sysname system view Sysname radius scheme test1 Sysname radius test1 nas ip 10 1 1 1 primary accounting RADIUS scheme view Syntax primary accounting ipv4 address ipv6 ipv6 address port number key cipher simple key undo primary accounting View RADIUS scheme view Default le...

Page 61: ...the primary accounting server when the device is already sending a start accounting request to the server the communication with the original primary server will time out and then the device will look for a server in active state from scratch the new primary server is evaluated at first and then the secondary servers according to the order in which they are configured If you remove an accounting s...

Page 62: ...to 60 in minutes Description Use the primary authentication command to specify the primary RADIUS authentication authorization server Use the undo primary authentication command to remove the configuration By default no primary RADIUS authentication authorization server is specified After creating a RADIUS scheme you are supposed to configure the IP address and UDP port of each RADIUS server prima...

Page 63: ... 1X authentication if the status of every server is block the device will assign the port connected to an authentication user to the specified 802 1X critical VLAN For more information about the 802 1X critical VLAN see Security Configuration Guide To ensure that the device can set the server to its actual status set a longer quiet timer for the primary server with the timer quiet command If you s...

Page 64: ...ounting scheme are configured The buffered accounting packets cannot be sent out and will be deleted from the buffer when the configured maximum number of attempts is reached Examples Enable the listening port of the RADIUS client Sysname system view Sysname radius client enable radius nas ip Syntax radius nas ip ip address ipv6 ipv6 address undo radius nas ip ip address ipv6 ipv6 address View Sys...

Page 65: ...ource address of the RADIUS packets to 129 10 10 1 Sysname system view Sysname radius nas ip 129 10 10 1 radius scheme Syntax radius scheme radius scheme name undo radius scheme radius scheme name View System view Default level 3 Manage level Parameters radius scheme name RADIUS scheme name a case insensitive string of 1 to 32 characters Description Use the radius scheme command to create a RADIUS...

Page 66: ...tion Use the radius trap command to enable the RADIUS trap function Use the undo radius trap command to disable the specified function By default the RADIUS trap function is disabled With the trap function for RADIUS a NAS sends a trap message in the following cases The status of a RADIUS server changes If a NAS sends a request but receives no response before the maximum number of attempts is exce...

Page 67: ... buffer Syntax reset stop accounting buffer radius scheme radius scheme name session id session id time range start time stop time user name user name slot slot number View User view Default level 2 System level Parameters radius scheme radius scheme name Specifies a RADIUS scheme by its name a string of 1 to 32 characters session id session id Specifies a session by its ID a string of 1 to 50 cha...

Page 68: ...9 59 03 31 2011 retry Syntax retry retry times undo retry View RADIUS scheme view Default level 2 System level Parameters retry times Maximum number of transmission attempts in the range 1 to 20 Description Use the retry command to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server Use the undo retry command to restore the default By default the maximum n...

Page 69: ...some other parameters enables the NAS to disconnect the user in time NOTE The maximum number of accounting attempts together with some other parameters controls how the NAS sends accounting request packets Suppose that the RADIUS server response timeout period is three seconds set with the timer response timeout command the maximum number of RADIUS packet transmission attempts is three set with th...

Page 70: ...aximum number of transmission attempts is five set with the retry command and the maximum number of stop accounting attempts is 20 set with the retry stop accounting command For each stop accounting request if the device receives no response within three seconds it retransmits the request If it receives no responses after retransmitting the request five times it considers the stop accounting attem...

Page 71: ...ion By default no secondary RADIUS accounting server is specified To configure multiple secondary RADIUS accounting servers execute this command repeatedly After the configuration if the primary server fails the device looks for a secondary server in active state a secondary RADIUS accounting server configured earlier has a higher priority and tries to communicate with it A RADIUS scheme supports ...

Page 72: ...name system view Sysname radius scheme radius2 Sysname radius radius2 secondary accounting 10 110 1 1 1813 Sysname radius radius2 secondary accounting 10 110 1 2 1813 secondary authentication RADIUS scheme view Syntax secondary authentication ipv4 address ipv6 ipv6 address port number key cipher simple key probe username name interval interval undo secondary authentication ipv4 address ipv6 ipv6 a...

Page 73: ...ry or secondary must use IP addresses of the same IP version The IP addresses of the primary and secondary authentication authorization servers must be different from each other Otherwise the configuration fails The RADIUS service port configured on the device and that of the RADIUS server must be consistent The shared keys configured on the device for authentication authorization packets and that...

Page 74: ... radius1 Sysname system view Sysname radius scheme radius1 Sysname radius radius1 secondary authentication 10 110 1 2 1812 Specify two secondary authentication authorization servers for RADIUS scheme radius2 with the server IP addresses of 10 1 10 1 1 and 10 1 10 1 2 and the UDP port number of 1813 Sysname system view Sysname radius scheme radius2 Sysname radius radius2 secondary authentication 10...

Page 75: ...fault level 2 System level Parameters extended Specifies the extended RADIUS server typically IMC which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol standard Specifies the standard RADIUS server which requires the RADIUS client end and RADIUS server to interact according to the regulation and ...

Page 76: ... the primary server to blocked starts a quiet timer for the server and then tries to communicate with a secondary server in the active state a secondary RADIUS server configured earlier has a higher priority When the quiet timer of the primary server times out the status of the server changes to active automatically If you set the status of the server to blocked before the quiet timer times out th...

Page 77: ...nges the status of the secondary server to blocked starts a quiet timer for the server and continues to try to communicate with the next secondary server in the active state a secondary RADIUS server configured earlier has a higher priority When the quiet timer of a server times out the status of the server changes to active automatically If you set the status of the server to blocked before the q...

Page 78: ...p accounting buffer Examples In RADIUS scheme radius1 enable the device to buffer the stop accounting requests getting no responses Sysname system view Sysname radius scheme radius1 Sysname radius radius1 stop accounting buffer enable timer quiet RADIUS scheme view Syntax timer quiet minutes undo timer quiet View RADIUS scheme view Default level 2 System level Parameters minutes Server quiet perio...

Page 79: ...he undo timer realtime accounting command to restore the default By default the real time accounting interval is 12 minutes For real time accounting a NAS must transmit the accounting information of online users to the RADIUS accounting server periodically This command sets the interval When the real time accounting interval on the device is zero the device will send online user accounting informa...

Page 80: ... response from the RADIUS server in a period of time after sending a RADIUS request authentication authorization or accounting request it has to resend the request so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval A proper value for the RADIUS server response timeout timer can help improve t...

Page 81: ...S server If a RADIUS scheme defines that the username is sent without the ISP domain name do not apply the RADIUS scheme to more than one ISP domain avoiding the confused situation where the RADIUS server regards two users in different ISP domains but with the same userid as one user For 802 1X users using EAP authentication the user name format command configured for a RADIUS scheme does not take...

Page 82: ...ame hwtacacs scheme hwt1 Sysname hwtacacs hwt1 data flow format data kilo byte packet kilo packet display hwtacacs Syntax display hwtacacs hwtacacs scheme name statistics slot slot number begin exclude include regular expression View Any view Default level 2 System level Parameters hwtacacs scheme name HWTACACS scheme name statistics Displays detailed statistics about the HWTACACS server slot slot...

Page 83: ...mes on all members of an IRF virtual device Related commands hwtacacs scheme Examples Display configuration information about HWTACACS scheme gy Sysname display hwtacacs gy HWTACACS scheme name gy Primary Authen Server IP 10 1 1 2 Port 49 State Active Encryption Key Secondary Authen Server IP 20 1 1 2 Port 49 State Active Encryption Key Primary Author Server IP 10 1 1 3 Port 49 State Active Encryp...

Page 84: ...ization or accounting server NAS IP address IP address of the NAS If no NAS is specified this field displays Not configured Authentication key Authentication key which is applicable to all authentication servers The key is displayed as a string of asterisks If no key is configured this field displays Not configured Authorization key Authorization key which is applicable to all authorization server...

Page 85: ...rmation about regular expressions see the Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitiv...

Page 86: ...e IP address of the packet is the IP address of any managed NAS If yes the server processes the packet If not the server drops the packet You can specify up to 16 source IP addresses NOTE The setting by the nas ip command in HWTACACS scheme view is only for the HWTACACS scheme whereas the setting by the hwtacacs nas ip command in system view is for all HWTACACS schemes The setting in HWTACACS sche...

Page 87: ...e Sets a plaintext shared key key Specifies the shared key string This argument is case sensitive In non FIPS mode a ciphertext key is a string of 1 to 1 17 characters and a plaintext key is a string of 1 to 64 characters In FIPS mode a ciphertext key is a string of 8 to 1 17 characters and a plaintext key is a string of 8 to 64 characters that must include uppercase letters lowercase letters numb...

Page 88: ...TACACS packets that a NAS sends must match the IP address of the NAS that is configured on the HWTACACS server An HWTACACS server identifies a NAS by IP address Upon receiving an HWTACACS packet an HWTACACS server checks whether the source IP address of the packet is the IP address of any managed NAS If yes the server processes the packet If not the server drops the packet If you configure the com...

Page 89: ...e key argument is case sensitive If you specify neither this keyword nor the cipher keyword the shared key is set in plain text In non FIPS mode the key is a string of 1 to 255 characters In FIPS mode the key is a string of 8 to 255 characters and must contain digits uppercase letters lowercase letters and special characters Description Use the primary accounting command to specify the primary HWT...

Page 90: ...hared key The key argument is case sensitive If you specify neither this keyword nor the simple keyword the shared key is set in plain text In non FIPS mode the key is a string of 1 to 373 characters In FIPS mode the key is a string of 8 to 373 characters simple key Sets a plaintext shared key The key argument is case sensitive If you specify neither this keyword nor the cipher keyword the shared ...

Page 91: ...notation The default is 0 0 0 0 port number Port number of the primary HWTACACS authorization server It ranges from 1 to 65535 and defaults to 49 key cipher simple key Sets the shared key for secure communication with the primary HWTACACS authorization server Make sure the shared key configured on the device is the same as the one configured on the server cipher key Sets a ciphertext shared key Th...

Page 92: ...of the primary authorization server for HWTACACS scheme hwt1 as 10 163 155 13 and 49 Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 primary authorization 10 163 155 13 49 reset hwtacacs statistics Syntax reset hwtacacs statistics accounting all authentication authorization slot slot number View User view Default level 1 Monitor level Parameters accounting Clears HWTACACS ac...

Page 93: ... numbering conditions in the current IRF virtual device If no IRF virtual device exists the slot number argument is the current device number Description Use the reset stop accounting buffer command to clear the buffered stop accounting requests that get no responses Related commands stop accounting buffer enable retry stop accounting and display stop accounting buffer Examples Clear the buffered ...

Page 94: ...he default is 0 0 0 0 port number Port number of the secondary HWTACACS accounting server It ranges from 1 to 65535 and defaults to 49 key cipher simple key Sets the shared key for secure communication with the secondary HWTACACS accounting server Make sure the shared key configured on the device is the same as the one configured on the server cipher key Sets a ciphertext shared key The key argume...

Page 95: ... scheme Examples Specify the IP address and port number of the secondary accounting server for HWTACACS scheme hwt1 as 10 163 155 12 with TCP port number 49 Sysname system view Sysname hwtacacs scheme hwt1 Sysname hwtacacs hwt1 secondary accounting 10 163 155 12 49 secondary authentication HWTACACS scheme view Syntax secondary authentication ip address port number key cipher simple key undo second...

Page 96: ...P addresses of the primary and secondary authentication servers cannot be the same Otherwise the configuration fails The shared key configured by using the secondary authentication command takes precedence over the one configured by using the key authentication cipher simple key command The HWTACACS service port configured on the device and that of the HWTACACS server must be consistent If you con...

Page 97: ...Description Use the secondary authorization command to specify a secondary HWTACACS authorization server Use the undo secondary authorization command to remove secondary HWTACACS authorization servers If you specify an IP address this command removes the secondary HWTACACS authorization server using that IP address If you do not specify an IP address this command removes all secondary HWTACACS aut...

Page 98: ... best effort to send every stop accounting request to the HWTACACS accounting servers For each stop accounting request getting no response in the specified period of time the NAS buffers and resends the packet until it receives a response or the number of transmission attempts reaches the configured limit In the latter case the NAS discards the packet Related commands reset stop accounting buffer ...

Page 99: ... in minutes zero or a multiple of 3 in the range 3 to 60 A value of zero means Do not send online user accounting information to the HWTACACS server Description Use the timer realtime accounting command to set the real time accounting interval Use the undo timer realtime accounting command to restore the default By default the real time accounting interval is 12 minutes For real time accounting a ...

Page 100: ...Description Use the timer response timeout command to set the HWTACACS server response timeout timer Use the undo timer command to restore the default By default the HWTACACS server response timeout time is 5 seconds HWTACACS is based on TCP If the server response timeout timer or the TCP timeout timer times out the device will be disconnected from the HWTACACS server Related commands display hwta...

Page 101: ...e sending a username including a domain name to such an HWTACACS server the device must remove the domain name This command allows you to specify whether to include a domain name in a username to be sent to an HWTACACS server If an HWTACACS scheme defines that the username is sent without the ISP domain name do not apply the HWTACACS scheme to more than one ISP domain avoiding the confused situati...

Page 102: ...g a regular expression For more information about regular expressions see the Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular...

Page 103: ...n NOT configured Guest VLAN 4 Auth fail VLAN NOT configured Critical VLAN 3 Critical recovery action reinitialize Max number of on line users is 256 EAPOL Packet Tx 1087 Rx 986 Sent EAP Request Identity Packets 943 EAP Request Challenge Packets 60 EAP Success Packets 29 Fail Packets 55 Received EAPOL Start Packets 60 EAPOL LogOff Packets 24 EAP Response Identity Packets 724 EAP Response Challenge ...

Page 104: ...isabled Specifies whether 802 1X is enabled on the port Handshake is disabled Specifies whether handshake is enabled on the port Handshake secure is disabled Specifies whether handshake security is enabled on the port 802 1X unicast trigger is disabled Specifies whether unicast trigger is enabled on the port Periodic reauthentication is disabled Specifies whether periodic online user re authentica...

Page 105: ...dentity Packets Number of received EAP Response Identity packets EAP Response Challenge Packets Number of received EAP Response Challenge packets Error Packets Number of received error packets Authenticated user User that has passed 802 1X authentication Controlled User s amount Number of authenticated users on the port dot1x Syntax In system view dot1x interface interface list undo dot1x interfac...

Page 106: ...ters either before or after enabling 802 1X Related commands display dot1x Examples Enable 802 1X for ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 5 to GigabitEthernet 1 0 7 Sysname system view Sysname dot1x interface gigabitethernet 1 0 1 gigabitethernet 1 0 5 to gigabitethernet 1 0 7 Or Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x Sysname ...

Page 107: ...s that do not require high security To use PAP the client must be an HP iNode 802 1X client CHAP transports username and encrypted password over the network It is more secure than PAP In this mode the RADIUS server supports only MD5 Challenge 2 In EAP relay mode the access device relays EAP messages between the client and the RADIUS server The EAP relay mode supports multiple EAP authentication me...

Page 108: ...ss control method from MAC based to port based on a port that carries an Auth Fail VLAN the mappings between MAC addresses and the 802 1X Auth Fail VLAN are removed You can use the display mac vlan command to display MAC to VLAN mappings You must enable 802 1X multicast trigger function for an Auth Fail VLAN to take effect on a port that performs port based access control When you change the acces...

Page 109: ... VLAN the port is removed from the critical VLAN To delete a VLAN that has been configured as an 802 1X critical VLAN you must perform the undo dot1x critical vlan command first Related commands dot1x dot1x port method and dot1x critical recovery action Examples Specify VLAN 3 as the 802 1X critical VLAN on GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname G...

Page 110: ...e dot1x domain delimiter Syntax dot1x domain delimiter string undo dot1x domain delimiter View System view Default level 2 System level Parameters string Specifies a set of 1 to 16 domain name delimiters for 802 1X users No space is required between delimiters Available delimiters include the at sign back slash forward slash and dot Description Use dot1x domain delimiter to specify a set of domain...

Page 111: ...The interface list argument is in the format of interface list interface type interface number to interface type interface number 1 10 where interface type represents the port type interface number represents the port number and 1 10 means that you can provide up to 10 ports or port ranges The start port number must be smaller than the end number and the two ports must be of the same type If no in...

Page 112: ...uest vlan 999 interface gigabitethernet 1 0 1 Specify VLAN 10 as the 802 1X guest VLAN for ports GigabitEthernet 1 0 2 to GigabitEthernet 1 0 5 Sysname system view Sysname dot1x guest vlan 10 interface gigabitethernet 1 0 2 to gigabitethernet 1 0 5 Specify VLAN 7 as the 802 1X guest VLAN for all ports Sysname system view Sysname dot1x guest vlan 7 Specify VLAN 3 as the 802 1X guest VLAN for port G...

Page 113: ...event users from using illegal client software Use the undo dot1x handshake secure command to disable the function By default the function is disabled The online user handshake security function is implemented based on the online user handshake function To bring the security function into effect ensure the online user handshake function is enabled HP recommends you use the iNode client software an...

Page 114: ...mand The output of the display connection command without any parameters displays domain names input by users at login For more information about the display connection command or the cut connection command see the chapter AAA configuration commands Related commands display dot1x Examples Configure the mandatory authentication domain my domain for 802 1X users on GigabitEthernet 1 0 1 Sysname syst...

Page 115: ...user command to set the maximum number of concurrent 802 1X users on a port Use the undo dot1x max user command to restore the default By default the maximum number of concurrent 802 1X users on a port is 256 In system view If you do not specify the interface list argument the command applies to all ports If you specify the interface list argument the command applies to the specified ports In Laye...

Page 116: ... default the multicast trigger function is enabled Related commands display dot1x Examples Enable the multicast trigger function on interface GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 dot1x multicast trigger dot1x port control Syntax In system view dot1x port control authorized force auto unauthorized force interface interface li...

Page 117: ...ller than the end number and the two ports must be of the same type Description Use the dot1x port control command to set the authorization state for the specified or all ports Use the undo dot1x port control command to restore the default The default port authorization state is auto In system view if no interface list argument is specified the command applies to all ports Related commands display...

Page 118: ...ents the port number and 1 10 means that you can provide up to 10 ports or port ranges for this argument The start port number must be smaller than the end number and the two ports must be the same type Description Use the dot1x port method command to specify an access control method for the specified or all ports Use the undo dot1x port method command to restore the default By default MAC based a...

Page 119: ...ndo dot1x re authenticate View Layer 2 Ethernet interface view Default level 2 System level Parameters None Description Use the dot1x re authenticate command to enable the periodic online user re authentication function Use the undo dot1x re authenticate command to disable the function By default the periodic online user re authentication function is disabled Periodic re authentication enables the...

Page 120: ...uest to a client Use the undo dot1x retry command to restore the default By default the device sends an authentication request to a client twice at most After the network access device sends an authentication request to a client if the device receives no response from the client within the username request timeout timer by the dot1x timer tx period tx period value command or the client timeout tim...

Page 121: ...r is 100 seconds the client timeout timer is 30 seconds and the username request timeout timer is 30 seconds You can set the client timeout timer to a high value in a low performance network set the quiet timer to a high value in a vulnerable network or a low value for quicker authentication response or adjust the server timeout timer to adapt to the performance of different authentication servers...

Page 122: ...Set the server timeout timer to 150 seconds Sysname system view Sysname dot1x timer server timeout 150 dot1x unicast trigger Syntax dot1x unicast trigger undo dot1x unicast trigger View Layer 2 Ethernet interface view Default level 2 System level Parameters None Description Use the dot1x unicast trigger command to enable the 802 1X unicast trigger function Use the undo dot1x unicast trigger comman...

Page 123: ...type interface number represents the port number and 1 10 means that you can provide up to 10 ports or port ranges The start port number must be smaller than the end number and the two ports must be of the same type Description Use the reset dot1x statistics command to clear 802 1X statistics If a list of ports is specified the command clears 802 1X statistics for all the specified ports If no por...

Page 124: ...ption Use the dot1x free ip command to configure a free IP Users can access the segment before passing 802 1X authentication Use the undo dot1x free ip command to remove the specified or all free IP addresses By default no free IP is configured When global MAC authentication Layer 2 portal authentication or port security is enabled the free IP does not take effect Related commands display dot1x Ex...

Page 125: ...the network to access the free IP To prevent ACL rule resources from being used up you can shorten the timer when the amount of EAD users is large Related commands display dot1x Examples Set the EAD rule timer to 5 minutes Sysname system view Sysname dot1x timer ead timeout 5 dot1x url Syntax dot1x url url string undo dot1x url View System view Default level 2 System level Parameters url string Sp...

Page 126: ...115 Related commands display dot1x and dot1x free ip Examples Configure the redirect URL as http 192 168 0 1 Sysname system view Sysname dot1x url http 192 168 0 1 ...

Page 127: ...lar expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display mac authentication command to display MAC authentication settings and statis...

Page 128: ...ames and passwords For example MAC addresses without hyphens in lower case If a shared account is used this field displays User name format is fixed account Fixed username Username of the shared account for MAC authentication users If MAC based accounts are used this field displays mac Fixed password Password of the shared account for MAC authentication users If MAC based accounts are used or if a...

Page 129: ...rs allowed on the port If MAC authentication is not enabled on the port the field displays 0 Current online user number Number of online users on the port MAC Addr MAC address of the online user Authenticate state User status Possible values including the following CONNECTING The user is logging in SUCCESS The user has passed the authentication FAILURE The user failed the authentication LOGOFF The...

Page 130: ... any port To use MAC authentication on a port you must enable the function both globally and on the port Examples Enable MAC authentication globally Sysname system view Sysname mac authentication Mac auth is enabled globally Enable MAC authentication on port GigabitEthernet 1 0 1 Sysname system view Sysname mac authentication interface gigabitethernet 1 0 1 Mac auth is enabled on port GigabitEther...

Page 131: ...ated commands mac authentication mac vlan enable Layer 2 LAN Switching Command Reference Examples Specify VLAN 5 as the MAC authentication critical VLAN for port GigabitEthernet 1 0 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 mac authentication critical vlan 5 mac authentication domain Syntax mac authentication domain domain name undo mac authenticati...

Page 132: ...tem level Parameters guest vlan id Specifies a VLAN as the MAC authentication guest VLAN The value range is from 1 to 4094 Ensure that the VLAN has been created Description Use the mac authentication guest vlan command to specify a MAC authentication guest VLAN on a port Any users that have failed MAC authentication on the port is assigned to this VLAN so they can access a limited set of network r...

Page 133: ... mac authentication max user command to set the maximum number of concurrent MAC authentication users on a port Use the undo mac authentication max user command to restore the default The default maximum number of concurrent MAC authentication users allowed on a port is 256 Examples Configure port GigabitEthernet 1 0 1 to allow up to 32 concurrent MAC authentication users Sysname system view Sysna...

Page 134: ...timer expires during MAC authentication the user cannot access the network Description Use the mac authentication timer command to set the MAC authentication timers Use the undo mac authentication timer command to restore the defaults By default the offline detect timer is 300 seconds the quiet timer is 60 seconds and the server timeout timer is 100 seconds Related commands display mac authenticat...

Page 135: ...ername and password for MAC authentication and the MAC address must be in lowercase and hyphenated MAC authentication supports the following types of user account One MAC based user account for each user A user can pass MAC authentication only when its MAC address matches a MAC based user account This approach is suitable for an insecure environment One shared user account for all users Any user c...

Page 136: ...ut the to interface type interface number portion comprises only one port Description Use the reset mac authentication statistics command to clear MAC authentication statistics If no port list is specified the command clears all global and port specific MAC authentication statistics If a port list is specified the command clears the MAC authentication statistics on the specified ports Related comm...

Page 137: ...ters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular ex...

Page 138: ...rface any VLAN 2 Protocol 0 Destination IP 0 0 0 0 Mask 0 0 0 0 Author ACL Number 3001 Rule 2 Inbound interface all Type static Action redirect Source IP 0 0 0 0 Mask 0 0 0 0 MAC 0000 0000 0000 Interface any VLAN 2 Protocol 6 Destination IP 0 0 0 0 Mask 0 0 0 0 Rule 3 Inbound interface all Type static Action deny Source IP 0 0 0 0 Mask 0 0 0 0 MAC 0000 0000 0000 Interface any VLAN 2 ...

Page 139: ...nterface any VLAN 8 Protocol 0 Destination IP 2 2 Prefix length 128 Port any Rule 1 Inbound interface all Type static Action redirect Source IP Prefix length 0 MAC 0000 0000 0000 Interface any VLAN 8 Protocol 6 Destination IP Prefix length 0 Port 80 Rule 2 Inbound interface GigabitEthernet1 0 1 Type static Action deny Source IP Prefix length 0 MAC 0000 0000 0000 Interface GigabitEthernet1 0 1 ...

Page 140: ...ce MAC address in the portal ACL Interface Source interface in the portal ACL VLAN Source VLAN in the portal ACL Protocol Protocol type in the portal ACL Destination Destination information in the portal ACL IP Destination IP address in the portal ACL Port Destination transport layer port number in the portal ACL Mask Subnet mask of the destination IP address in the portal ACL Prefix length Destin...

Page 141: ...ring of 1 to 256 characters Description Use the display portal connection statistics command to display portal connection statistics on a specific interface or all interfaces Examples Display portal connection statistics on interface GigabitEthernet1 0 1 Sysname display portal connection statistics interface gigabitethernet1 0 1 Interface GigabitEthernet1 0 1 User state statistics State Name User ...

Page 142: ...tatistics on messages Msg Name Message type Total Total number of messages of a specific type Err Number of erroneous messages of a specific type Discard Number of discarded messages of a specific type MSG_AUTHEN_ACK Authentication acknowledgment message MSG_AUTHOR_ACK Authorization acknowledgment message MSG_LOGIN_ACK Accounting acknowledgment message MSG_LOGOUT_ACK Accounting stop acknowledgment...

Page 143: ...ification message MSG_SETPOLICY Set policy message for assigning security ACL MSG_SETPOLICY_RESULT Set policy response message display portal free rule Syntax display portal free rule rule number begin exclude include regular expression View Any view Default level 1 Monitor level Parameters rule number Specifies the number of a portal free rule The value range is from 0 to 255 Filters command outp...

Page 144: ...eld Description Rule Number Number of the portal free rule Source Source information in the portal free rule IP Source IP address in the portal free rule Mask Subnet mask of the source IP address in the portal free rule MAC Source MAC address in the portal free rule Interface Source interface in the portal free rule Vlan Source VLAN in the portal free rule Destination Destination information in th...

Page 145: ...s that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Description Use the display portal interface command to display the portal configuration of an interface Examples Display the portal configuration for interface VLAN interface 2 Sysname display portal interface vlan interface 2 Portal configuration of Vlan ...

Page 146: ...h Prefix length of the IPv6 address of the portal authentication subnet display portal local server Syntax display portal local server begin exclude include regular expression View Any view Default level 1 Monitor level Parameters Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first li...

Page 147: ...ers Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression reg...

Page 148: ...ferenced on an interface and the portal server detection function is enabled but the portal server is unreachable This field is not displayed for IPv6 portal servers because IPv6 portal servers do not support the portal server detection function display portal server statistics Syntax display portal server statistics all interface interface type interface number begin exclude include regular expre...

Page 149: ...EQ_LOGOUT 1 0 0 ACK_LOGOUT 1 0 0 AFF_ACK_AUTH 3 0 0 NTF_LOGOUT 1 0 0 REQ_INFO 6 0 0 ACK_INFO 6 0 0 NTF_USERDISCOVER 0 0 0 NTF_USERIPCHANGE 0 0 0 AFF_NTF_USERIPCHANGE 0 0 0 ACK_NTF_LOGOUT 1 0 0 NTF_USERSYNC 2 0 0 ACK_NTF_USERSYNC 0 0 0 NTF_CHALLENGE 0 0 0 NTF_USER_NOTIFY 0 0 0 AFF_NTF_USER_NOTIFY 0 0 0 Table 17 Output description Field Description Interface Interface referencing the portal server I...

Page 150: ...GOUT Forced logout acknowledgment message from the portal server NTF_USERSYNC User synchronization packet the access device received from the portal server ACK_NTF_USERSYNC User synchronization acknowledgment packet the access device sent to the portal server NTF_CHALLENGE Challenge request the access device sent to the portal server NTF_USER_NOTIFY User information notification message the access...

Page 151: ...n TCP Cheat Statistic TCP spoofing statistics Total Opens Total number of opened connections Resets Connections Number of connections reset through RST packets Current Opens Number of connections being set up Packets Received Number of received packets Packets Sent Number of sent packets Packets Retransmitted Number of retransmitted packets Packets Dropped Number of dropped packets HTTP Packets Se...

Page 152: ...ude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Description Use the display portal user command to display information about portal users on a specific interface or all interfaces Examples Display informati...

Page 153: ...l VLAN ID After an Auth Fail VLAN is specified a client failing portal authentication is added to the Auth Fail VLAN Description Use the portal auth fail vlan command to specify an Auth Fail VLAN for portal authentication on the current port Use the undo portal auth fail vlan command to restore the default setting By default no Auth Fail VLAN is specified for portal authentication on a port The sp...

Page 154: ... on an interface You can use this command to configure multiple portal authentication source subnets on an interface Then only HTTP packets from the subnets can trigger portal authentication on the interface If an unauthenticated user is not on any authentication source subnet the access device discards all the user s HTTP packets that do not match any portal free rule Use the undo portal auth net...

Page 155: ...v6 address Logs off the portal user with the specified IPv6 address Description Use the portal delete user command to log off portal users Related commands display portal user Examples Log out the portal user whose IP address is 1 1 1 1 Sysname system view Sysname portal delete user 1 1 1 1 portal domain Syntax portal domain ipv6 domain name undo portal domain ipv6 View Interface view Default leve...

Page 156: ...pv6 address prefix length any mac mac address vlan vlan id undo portal free rule rule number all View System view Default level 2 System level Parameters rule number Number for the portal free rule in the range 0 to 255 any Imposes no limitation on the previous keyword ip ip address Specifies an IP address for the portal free rule mask mask length mask Specifies a mask or mask length for the IP ad...

Page 157: ...n Sysname system view Sysname portal free rule 15 source ip 10 10 10 1 mask 24 destination ip any portal local server Syntax portal local server http https server policy policy name undo portal local server http https View System view Default level 2 System level Parameters http Specifies that the local portal server use HTTP to exchange authentication packets with clients https Specifies that the...

Page 158: ...ed by HTTPS service you must cancel the HTTPS configuration using the undo portal local server https command and then specify the desired SSL server policy Related commands display portal local server and ssl server policy Examples Configure the local portal server to support HTTP Sysname system view Sysname portal local server http Configure the local portal server to support HTTPS and reference ...

Page 159: ...at of a Layer 3 interface on the access device and is routable to from the portal client Description Use the portal local server ip command to specify the listening IP address of the local portal server for Layer 2 portal authentication With a listening IP address specified the device redirects Web requests from portal clients to the authentication page at the listening IP address Use the undo por...

Page 160: ...ber of portal users specified in the command is less than that of the current online portal users the command can be executed successfully and does not impact the online portal users but the system does not allow new portal users to log in until the number drops down below the limit Examples Set the maximum number of portal users allowed in the system to 100 Sysname system view Sysname portal max ...

Page 161: ... hubs Layer 2 switches or APs exist between users and the access devices Examples Enable support for portal user moving Sysname system view Sysname portal move mode auto portal nas id profile Syntax portal nas id profile profile name undo portal nas id profile View Interface view Default level 2 System level Parameters profile name Name of the profile that defines the binding relationship between ...

Page 162: ... IPv6 address must be a local IPv6 address but cannot be a multicast address an all 0 address or a link local address Description Use the portal nas ip command to configure an interface to use a specific source IP address for outgoing portal packets Use the undo portal nas ip command to restore the delete the specified source IP address If you do not specify the ipv6 keyword this command delete th...

Page 163: ...ype value of VLAN interface 2 as IEEE 802 1 1 standard wireless interface Sysname system view Sysname interface vlan interface 2 Sysname Vlan interface2 portal nas port type wireless portal offline detect interval Syntax portal offline detect interval offline detect interval undo portal offline detect interval View Layer 2 Ethernet interface view Default level 2 System level Parameters offline det...

Page 164: ...econds Description Use the portal redirect url command to specify the auto redirection URL for authenticated portal users Use the undo portal redirect url command to restore the default By default a user authenticated is redirected to the URL the user typed in the address bar before portal authentication With Layer 3 portal authentication this feature requires the cooperation of the iMC server and...

Page 165: ...d message to the portal server in the range of 1 to 65534 The default is 50100 url url string Specifies the uniform resource locator URL to which HTTP packets are to be redirected The default URL is in the http ip address format where ip address is the IP address of the portal server You can also specify the domain name of the portal server in which case you must use the portal free rule command t...

Page 166: ...er for the Web page a case sensitive string of 1 to 50 characters It cannot contain the less than sign or the and sign If multiple continuous spaces exist in the string the browser recognizes them as one Description Use the portal server banner command to configure the welcome banner of the default Web page provided by the local portal server Use the undo portal server banner command to restore th...

Page 167: ...ist You can enable both an IPv4 portal server and an IPv6 portal server for Layer 3 portal authentication on an interface but you cannot enable two IPv4 or two IPv6 portal servers on the interface If you do not specify a portal server in the undo portal command the command removes all Layer 3 portal authentication configurations on the interface Related commands display portal server Examples Enab...

Page 168: ... to the probe interval configured on the device action log permit all trap Specifies the actions to be taken when the status of a portal server changes The following actions are available log Specifies the action as sending a log message When the status reachable unreachable of a portal server changes the access device sends a log message The log message contains the portal server name and the cur...

Page 169: ...portal server such as logon requests and logoff requests have the same effect as the portal heartbeat packets for the portal server detection function Related command display portal server Examples Configure the device to detect portal server pts Specifying both the HTTP probe and portal heartbeat probe methods Setting the probe interval to 600 seconds Specifying the device to send a server unreac...

Page 170: ...tion function you also need to configure the user heartbeat function on the portal server and make sure that the user heartbeat interval configured on the portal server is shorter than or equal to the synchronization probe interval configured on the device Deleting a portal server on the device will delete the portal user synchronization configuration with the portal server If you configure the us...

Page 171: ...hentication You must add the port numbers of the Web proxy servers on the device and make sure that their browsers that use a Web proxy server do not use the proxy server for the listening IP address of the local portal server Thus HTTP packets that the portal user sends to the local portal server are not sent to the Web proxy server Examples Add Web proxy server port number 8080 on the device so ...

Page 172: ...istics command to clear portal server statistics on a specific interface or all interfaces Examples Clear portal server statistics on interface VLAN interface 1 Sysname reset portal server statistics interface vlan interface 1 reset portal tcp cheat statistics Syntax reset portal tcp cheat statistics View User view Default level 1 Monitor level Parameters None Description Use the reset portal tcp ...

Page 173: ... expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display port security command to display port security configuration information operation information and statistics about one or more ports If the interface interface list parameter is not ...

Page 174: ... information after it detects illegal packets Dot1x logon trap Whether trapping for 802 1X logon is enabled or not If it is enabled the port sends trap information after a user passes 802 1X authentication Dot1x logoff trap Whether trapping for 802 1X logoff is enabled or not If it is enabled the port sends trap information after an 802 1X user logs off Dot1x logfailure Whether trapping for 802 1X...

Page 175: ...trusion protection action mode which can be one of the following modes BlockMacAddress Adds the source MAC address of the illegal packet to the blocked MAC address list DisablePort Shuts down the port that receives illegal packets permanently DisablePortTemporarily Shuts down the port that receives illegal packets for some time NoAction Performs no intrusion protection Max MAC address number Maxim...

Page 176: ...ensitive string of 1 to 256 characters Description Use the display port security mac address block command to display information about blocked MAC addresses With no keyword or argument specified the command displays information about all blocked MAC addresses Related commands port security intrusion mode Examples Display information about all blocked MAC addresses Sysname display port security ma...

Page 177: ...d Description MAC ADDR Blocked MAC address From Port Port having received frames with the blocked MAC address being the source address VLAN ID ID of the VLAN to which the port belongs x mac address es found Number of blocked MAC addresses display port security mac address security Syntax display port security mac address security interface interface type interface number vlan vlan id count begin e...

Page 178: ... s 0002 0002 0002 1 Security GigabitEthernet1 0 1 NOAGED 000d 88f8 0577 1 Security GigabitEthernet1 0 1 NOAGED 2 mac address es found Display only the count of the secure MAC addresses Sysname display port security mac address security count 2 mac address es found Display information about secure MAC addresses in VLAN 1 Sysname display port security mac address security vlan 1 MAC ADDR VLAN ID STA...

Page 179: ...re undo port security authorization ignore View Layer 2 Ethernet interface view Default level 2 System level Parameters None Description Use the port security authorization ignore command to configure a port to ignore the authorization information from the RADIUS server Use the undo port security authorization ignore command to restore the default By default a port uses the authorization informati...

Page 180: ...ed port access control method macbased and port authorization mode auto MAC authentication disabled 3 Disabling port security resets the following configurations on a port to the defaults bracketed Port security mode noRestrictions 802 1X disabled port access control method macbased and port authorization mode auto MAC authentication disabled 4 Port security cannot be disabled when a user is prese...

Page 181: ...ction is triggered on the port Use the undo port security intrusion mode command to restore the default By default intrusion protection is disabled To restore the connection of the port use the undo shutdown command Related commands display port security display port security mac address block and port security timer disableport Examples Configure port GigabitEthernet 1 0 1 to block the source MAC...

Page 182: ...urity set the port security mode of port GigabitEthernet 1 0 1 to autoLearn and add a secure MAC address of 0001 0001 0002 belonging to VLAN 10 for port GigabitEthernet 1 0 1 in system view Sysname system view Sysname port security enable Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 port security max mac count 100 Sysname GigabitEthernet1 0 1 port security port mode autolea...

Page 183: ... ntk mode View Layer 2 Ethernet interface view Default level 2 System level Parameters ntk withbroadcasts Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses ntk withmulticasts Forwards only broadcast frames multicast frames and unicast frames with authenticated destination MAC addresses ntkonly Forwards only unicast frames with authenticated destination ...

Page 184: ... index By default no OUI value is configured An OUI the first 24 binary bits of a MAC address is assigned by IEEE to uniquely identify a device vendor Use this command when you configure a device to allow packets from certain wired devices to pass authentication or to allow packets from certain wireless devices to initiate authentication For example when a company allows only IP phones of vendor A...

Page 185: ...priority Upon receiving a non 802 1X frame a port in this mode performs only MAC authentication Upon receiving an 802 1X frame the port performs MAC authentication and then if MAC authentication fails 802 1X authentication mac else userlogin secur e ext macAddressElseUserL oginSecureExt Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802 1X and M...

Page 186: ...ort Use the undo port security port mode command to restore the default By default a port operates in noRestrictions mode where port security does not take effect Configuration of port security mode on a port is mutually exclusive with the configuration of 802 1X authentication port access control method port authorization mode and MAC authentication on the port You can change the port security mo...

Page 187: ...the port temporarily whenever it receives an illegal frame use this command to set the silence period Related commands display port security Examples Configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame and set the silence period to 30 seconds Sysname system view Sysname port security timer disableport 30 Sysname interface gigabitetherne...

Page 188: ...cation failure traps The port security module sends traps when a MAC authentication fails ralmlogoff Enables MAC authentication user logoff traps The port security module sends traps when a MAC authentication user is logged off ralmlogon Enables MAC authentication success traps The port security module sends traps when a MAC authentication is passed NOTE RALM RADIUS Authenticated Login using MAC a...

Page 189: ...at do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display user profile command to display information of all the user profiles that have been created Examples Display information of all the user profiles ...

Page 190: ...e string of 1 to 31 characters It can only contain English letters digits and underlines and it must start with an English letter Description Use the user profile enable command to enable a user profile that has been created If the user profile does not exist the command fails Only enabled user profiles can be applied to authenticated users Use the undo user profile enable command to disable the s...

Page 191: ...er profile and enter the user profile view If the specified user profile has been created you enter the user profile view Use the undo user profile command to remove an existing disabled user profile You cannot remove a user profile that is enabled By default no user profiles exist on the device Related commands user profile enable Examples Create a user profile a123 Sysname system view Sysname us...

Page 192: ...he specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display password control command to display password control config...

Page 193: ...abled and if enabled the setting Early notice on password expiration Number of days during which the user is warned of the pending password expiration User authentication timeout Password authentication timeout time Maximum failed login attempts Allowed maximum number of consecutive failed login attempts for FTP and VTY users Login attempt failed action Action to be taken after a user fails to log...

Page 194: ...sensitive string of 1 to 256 characters Description Use the display password control blacklist command to display information about users blacklisted due to authentication failure With no arguments provided this command displays information about all users in the blacklist Examples Display information about users blacklisted due to authentication failure Sysname display password control blacklist ...

Page 195: ...Set a password for local user test in interactive mode Sysname system view Sysname local user test Sysname luser test password Password Confirm Updating user s information please wait password control aging Syntax password control aging aging time undo password control aging View System view user group view local user view Default level 2 System level Parameters aging time Password aging time in d...

Page 196: ...er abc to 100 days Sysname local user abc Sysname luser abc password control aging 100 password control alert before expire Syntax password control alert before expire alert time undo password control alert before expire View System view Default level 2 System level Parameters alert time Number of days before a user s password expires during which the user is warned of the pending password expirat...

Page 197: ...thentication timeout 40 password control complexity Syntax password control complexity same character user name check undo password control complexity same character user name check View System view Default level 2 System level Parameters same character Refuses a password that contains any character repeated consecutively three or more times user name Refuses a password that contains the username ...

Page 198: ...default In non FIPS mode by default the global password composition policy is as follows A password must contain at least one type of characters from uppercase letters lowercase letters digits or special characters see password and each type contains at least one character In FIPS mode by default the global password composition policy is as follows A password must contain four types of characters ...

Page 199: ...ory length enable undo password control aging composition history length enable View System view Default level 2 System level Parameters aging Enables the password aging function composition Enables the password composition restriction function history Enables the password history control function length Enables the minimum password length restriction function Description Use the password control ...

Page 200: ...me password control length enable Enable the password history function Sysname password control history enable password control enable Syntax password control enable undo password control enable View System view Default level 2 System level Parameters None Description Use the password control enable command to enable the password control feature globally Use the undo password control enable comman...

Page 201: ... password expires Use the undo password control expired user login command to restore the defaults By default a user can log in three times within 30 days after the password expires Related commands display password control Examples Specify that a user can log in five times within 60 days after the password expires Sysname system view Sysname password control expired user login delay 60 times 5 pa...

Page 202: ...roup to which the local user belongs The setting in system view has global significance and applies to all user groups the setting in user group view applies to all local users in the user group and the setting in local user view applies to only the local user A minimum password length setting with a smaller application range has higher priority The priority in descending order is setting for a lo...

Page 203: ...word control login idle time command to set the maximum account idle time If a user account is idle for this period of time it becomes invalid Use the undo password control login idle time command to restore the default By default the maximum account idle time is 90 days Related commands display password control Examples Set the maximum account idle time to 30 days Sysname system view Sysname pass...

Page 204: ... again after the lock time elapses or an administrator removes the user from the blacklist If not prohibited to log in a user is removed from the blacklist as long as the user logs in successfully or after the blacklist aging time one minute elapses Related commands display password control display password control blacklist reset password control blacklist Examples Set the maximum number of login...

Page 205: ...nimum interval at which users can change their passwords Use the undo password control password update interval command to restore the default By default the minimum password update interval is 24 hours This function is not effective in the case that a user is prompted to change the password when the user logs in for the first time or after the password is aged out Related commands display passwor...

Page 206: ...on View System view Default level 2 System level Parameters type number type number Specifies the minimum number of character types for super passwords The value range for the type number argument is 1 to 4 in non FIPS mode and fixed at 4 in FIPS mode type length type length Specifies the minimum number of characters that are from each character type The value range for the type length argument is...

Page 207: ...per length command to set the minimum length for super passwords Use the undo password control super length command to restore the default By default the minimum super password length is the same as the global minimum password length If you do not specify the minimum length of super passwords the system applies the global minimum password length to super passwords If you have specified the minimum...

Page 208: ...level Parameters user name name Specifies the username of the user whose password records are to be deleted name is a case sensitive string of 1 to 80 characters super Deletes the history records of the super password specified by the level level combination or the history records of all super passwords level level Specifies a user level in the range 1 to 3 Description Use the reset password contr...

Page 209: ...Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display habp command to display HABP configuration information If the HABP function is not enabled on the device this command does not display the HABP configuration but only the running status of the HABP function Examples Display HABP configuration information Sysname display habp Global HA...

Page 210: ...ve string of 1 to 256 characters Description Use the display habp table command to display HABP MAC address table entries This command is only applicable on an HABP server to display the MAC address entries collected by the HABP server Examples On the HABP server display HABP MAC address table entries Sysname display habp table MAC Holdtime Receive Port 001f 3c00 0030 53 GigabitEthernet1 0 1 Table...

Page 211: ...nd to display HABP packet statistics Examples Display HABP packet statistics Sysname display habp traffic HABP counters Packets output 0 Input 0 ID error 0 Type error 0 Version error 0 Sent failed 0 Table 28 Output description Field Description Packets output Number of HABP packets sent Input Number of HABP packets received ID error Number of packets with an incorrect ID Type error Number of packe...

Page 212: ...ient to belong to VLAN 2 Sysname system view Sysname habp client vlan 2 habp enable Syntax habp enable undo habp enable View System view Default level 2 System level Parameters None Description Use the habp enable command to enable HABP Use the undo habp enable command to disable HABP By default HABP is enabled Examples Enable HABP Sysname system view Sysname habp enable habp server vlan Syntax ha...

Page 213: ...ached to this member device For information about the cluster function see the Network Management and Monitoring Configuration Guide Examples Configure HABP to work in server mode and specify the VLAN for HABP packets as VLAN 2 Sysname system view Sysname habp server vlan 2 habp timer Syntax habp timer interval undo habp timer View System view Default level 2 System level Parameters interval Inter...

Page 214: ...st line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display public key local public command to di...

Page 215: ...421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76EEBC1D128D97F067 8D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C737EC8EE993B4F2DED30 F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF931 33E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC 717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F...

Page 216: ...Description Use the display public key peer command to display information about the specified or all locally saved public keys of remote hosts With neither the brief keyword nor the name publickey name combination specified the command displays detailed information about all locally saved public keys of remote hosts You can use the public key peer command or the public key peer import sshkey comm...

Page 217: ...peer key1 Sysname pkey public key peer public key end Sysname public key code begin Syntax public key code begin View Public key view Default level 2 System level Parameters None Description Use the public key code begin command to enter public key code view Then input the key data in the correct format to specify the remote host s host or server public key Spaces and carriage returns are allowed ...

Page 218: ...1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1 DDE675AC30CB020301 Sysname pkey key code 0001 public key code end Syntax public key code end View Public key code view Default level 2 System level Parameters None Description Use the public key code end command to return from public key code view to public key view and to save the configured public key The system verifies the key befo...

Page 219: ... will be prompted to provide the length of the key modulus If the specified type of key pair already exists the system will ask you whether you want to overwrite it The ranges and default values of DSA and RSA key modulus lengths differ in FIPS mode and non FIPS mode In non FIPS mode the DSA and RSA key modulus lengths are in the range of 512 to 2048 bits and default to 1024 bits In FIPS mode the ...

Page 220: ...iew Default level 2 System level Parameters dsa DSA key pair rsa RSA key pair Description Use the public key local destroy command to destroy the local key pairs Related commands public key local create Examples Destroy the local RSA key pairs Sysname system view Sysname public key local destroy rsa Warning Confirm to destroy these keys Y N y Destroy the local DSA key pair Sysname system view Sysn...

Page 221: ...ANdXJixFhMRMIR8YvZbl8GHE8KQj9 5ra4WzTO9yzhSg06UiL CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh kiuoRCHyLDyJy5sG WD AZQd3Xf axKJPadu68HRKNl BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEK...

Page 222: ...ile and saves the file Otherwise the command displays the local RSA host public key on the screen SSH1 SSH2 0 and OpenSSH are three different public key formats for different requirements Related commands public key local create and public key local destroy Examples Export the local RSA host public key in OpenSSH format to a file named key pub Sysname system view Sysname public key local export rs...

Page 223: ... a remote host s public key on the local host obtain the public key in hexadecimal from the remote host beforehand and perform the following configurations 1 Execute the public key peer command and then the public key code begin command to enter public key code view 2 Type the public key of the remote host 3 Execute the public key code end command to save the public key and return to public key vi...

Page 224: ...the public key file Use the undo public key peer command to remove the specified host public key of a remote host After execution of this command the system automatically transforms the host public key in SSH1 SSH2 0 or OpenSSH format to PKCS format and imports the key This operation requires that you get a copy of the public key file from the remote host through FTP or TFTP in advance Related com...

Page 225: ...ty ip Specifies the IP address of the entity issuer name Specifies the name of the certificate issuer subject name Specifies the name of the certificate subject dn Specifies the distinguished name of the entity ctn Specifies the contain operation equ Specifies the equal operation nctn Specifies the not contain operation nequ Specifies the not equal operation attribute value Specifies the value of ...

Page 226: ...address in the alternative subject name cannot be 10 0 0 1 Sysname pki cert attribute group mygroup attribute 3 alt subject name ip nequ 10 0 0 1 ca identifier Syntax ca identifier name undo ca identifier View PKI domain view Default level 2 System level Parameters name Specifies a trusted CA name a case insensitive string of 1 to 63 characters Description Use the ca identifier command to specify ...

Page 227: ...me pki domain 1 certificate request entity entity1 certificate request from Syntax certificate request from ca ra undo certificate request from View PKI domain view Default level 2 System level Parameters ca Indicates that the entity requests a certificate from a CA ra Indicates that the entity requests a certificate from an RA Description Use the certificate request from command to specify the au...

Page 228: ...ficate in manual mode Description Use the certificate request mode command to set the certificate request mode Use the undo certificate request mode command to restore the default By default manual mode is used In auto mode an entity automatically requests a certificate from an RA or CA when it has no certificate However if the certificate will expire or has expired the entity does not initiate a ...

Page 229: ...cate as soon as possible after the certificate is signed Related commands display pki certificate Examples Specify the polling interval as 15 minutes and the maximum number of attempts as 40 Sysname system view Sysname pki domain 1 Sysname pki domain 1 certificate request polling interval 15 Sysname pki domain 1 certificate request polling count 40 certificate request url Syntax certificate reques...

Page 230: ...el 2 System level Parameters name Specifies a common name for the entity a case insensitive string of 1 to 31 characters No comma can be included Description Use the common name command to configure the common name of an entity which can be for example the user name Use the undo common name command to remove the configuration By default no common name is specified Examples Configure the common nam...

Page 231: ... crl check disable enable View PKI domain view Default level 2 System level Parameters disable Disables CRL checking enable Enables CRL checking Description Use the crl check command to enable or disable CRL checking By default CRL checking is enabled CRLs are files issued by the CA to publish all certificates that have been revoked Revocation of a certificate might occur before the certificate ex...

Page 232: ...url string undo crl url View PKI domain view Default level 2 System level Parameters url string Specifies the URL of the CRL distribution point a case insensitive string of 1 to 127 characters in the format of ldap server_location or http server_location where server_location must be an IP address and does not support domain name resolution Description Use the crl url command to specify the URL of...

Page 233: ... first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display pki certificate command to displa...

Page 234: ...able 30 Output description Field Description Version Version of the certificate Serial Number Serial number of the certificate Signature Algorithm Signature algorithm Issuer Issuer of the certificate Validity Validity period of the certificate Subject Entity holding the certificate Subject Public Key Info Public key information of the entity X509v3 extensions Extensions of the X 509 version 3 cert...

Page 235: ...ters Description Use the display pki certificate access control policy command to display information about one or all certificate attribute based access control policies Examples Display information about the certificate attribute based access control policy named mypolicy Sysname display pki certificate access control policy mypolicy access control policy name mypolicy rule 1 deny mygroup1 rule ...

Page 236: ...nformation about certificate attribute group mygroup Sysname display pki certificate attribute group mygroup attribute group name mygroup attribute 1 subject name dn ctn abc attribute 2 issuer name fqdn nctn app Table 32 Output description Field Description attribute group name Name of the certificate attribute group attribute number Number of the attribute rule subject name Name of the certificat...

Page 237: ... saved CRLs Sysname display pki crl domain 1 Certificate Revocation List CRL Version 2 0x1 Signature Algorithm sha1WithRSAEncryption Issuer C CN O abc OU soft CN A Test Root Last Update Jan 5 08 44 19 2004 GMT Next Update Jan 5 21 42 13 2004 GMT CRL extensions X509v3 Authority Key Identifier keyid 0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC Revoked Certificates Serial Number 05a234448E Revocation...

Page 238: ... qualified domain name FQDN of an entity a case insensitive string of 1 to 127 characters Description Use the fqdn command to configure the FQDN of an entity Use the undo fqdn command to remove the configuration By default no FQDN is specified for an entity An FQDN is the unique identifier of an entity on a network It consists of a host name and a domain name and can be resolved into an IP address...

Page 239: ...r undo ldap server View PKI domain view Default level 2 System level Parameters ip address Specifies the IP address of the LDAP server in dotted decimal format port number Specifies the port number of the LDAP server in the range 1 to 65535 The default is 389 version number Specifies the LDAP version number The value can be 2 or 3 and the default is 2 Description Use the ldap server command to spe...

Page 240: ...default no geographical locality is specified for an entity Examples Configure the locality of an entity as city Sysname system view Sysname pki entity 1 Sysname pki entity 1 locality city organization Syntax organization org name undo organization View PKI entity view Default level 2 System level Parameters org name Specifies an organization name a case insensitive string of 1 to 31 characters No...

Page 241: ...Use the undo organization unit command to remove the configuration By default no organization unit name is specified for an entity Examples Configure the name of the organization unit to which an entity belongs as group1 Sysname system view Sysname pki entity 1 Sysname pki entity 1 organization unit group1 pki certificate access control policy Syntax pki certificate access control policy policy na...

Page 242: ...te group group name all View System view Default level 2 System level Parameters group name Specifies a name for the certificate attribute group a case insensitive string of 1 to 16 characters It cannot be a al or all all Specifies all certificate attribute groups Description Use the pki certificate attribute group command to create a certificate attribute group and enter its view Use the undo pki...

Page 243: ...local domain cer pki domain Syntax pki domain domain name undo pki domain domain name View System view Default level 2 System level Parameters domain name Specifies a name for the PKI domain a case insensitive string of 1 to 15 characters Description Use the pki domain command to create a PKI domain and enter PKI domain view or enter the view of an existing PKI domain Use the undo pki domain comma...

Page 244: ...rtificate Syntax pki import certificate ca local domain domain name der p12 pem filename filename View System view Default level 2 System level Parameters ca Specifies the CA certificate local Specifies the local certificate domain name Specifies a PKI domain by its name a string of 1 to 15 characters der Specifies the certificate format of DER p12 Specifies the certificate format of P12 pem Speci...

Page 245: ...rtificate domain command to request a local certificate from a CA through SCEP If SCEP fails you can use the pkcs10 keyword to save the local certificate request in BASE64 format and send it to the CA by an out of band means like phone disk or email This operation will not be saved in the configuration file Related commands pki domain Examples Display the PKCS 10 certificate request information Sy...

Page 246: ...d commands pki domain Examples Retrieve the CA certificate from the certificate issuing server Sysname system view Sysname pki retrieval certificate ca domain 1 pki retrieval crl domain Syntax pki retrieval crl domain domain name View System view Default level 2 System level Parameters domain name Specifies a PKI domain by its name a string of 1 to 15 characters Description Use the pki retrieval c...

Page 247: ...cate has neither expired nor been revoked Related commands pki domain Examples Verify the validity of the local certificate Sysname system view Sysname pki validate certificate local domain 1 root certificate fingerprint Syntax root certificate fingerprint md5 sha1 string undo root certificate fingerprint View PKI domain view Default level 2 System level Parameters md5 Uses an MD5 fingerprint sha1...

Page 248: ... to 16 The default is the smallest unused number in this range deny Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered invalid and denied permit Indicates that a certificate whose attributes match an attribute rule in the specified attribute group is considered valid and permitted group name Specifies a certificate attribute group b...

Page 249: ...e a case insensitive string of 1 to 31 characters No comma can be included Description Use the state command to specify the name of the state or province where an entity resides Use the undo state command to remove the configuration By default no state or province is specified Examples Specify the state where an entity resides Sysname system view Sysname pki entity 1 Sysname pki entity 1 state cou...

Page 250: ...ar expressions see the Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 25...

Page 251: ...tempts for SSH users SFTP Server Whether the SFTP server function is enabled SFTP Server Idle Timeout SFTP connection idle timeout period Display the SSH server session information Sysname display ssh server session Conn Ver Encry State Retry SerType Username VTY 0 2 0 DES Established 0 SFTP client001 Table 35 Output description Field Description Conn Connected VTY channel Ver SSH server protocol ...

Page 252: ...splay information about one or all SSH users This command displays only information about SSH users configured through the ssh user command on the SSH server Without the username argument the command displays information about all SSH users Related commands ssh user NOTE This command is also available on an SFTP server Examples Display information about all SSH users Sysname display ssh user infor...

Page 253: ...ntication retries command If the authentication method of SSH users is password publickey the server first uses publickey authentication and then uses password authentication to authenticate SSH users The process is regarded as one authentication attempt Related commands display ssh server Examples Set the maximum number of connection authentication attempts for SSH users to 4 Sysname system view ...

Page 254: ... specified the command can also enable the SSH server to support SSH1 clients Description Use the ssh server compatible ssh1x command to enable the SSH server to support SSH1 clients Use the undo ssh server compatible ssh1x command to disable the SSH server from supporting SSH1 clients By default the SSH server supports SSH1 clients This configuration takes effect only for users logging in after t...

Page 255: ...rs Server key pair update interval in hours in the range 1 to 24 Description Use the ssh server rekey interval command to set the interval for updating the RSA server key Use the undo ssh server rekey interval command to restore the default By default the update interval of the RSA server key is 0 That is the RSA server key is not updated This command is only available to SSH users using SSH1 clie...

Page 256: ...cifies Stelnet SFTP and SCP scp Specifies the service type as secure copy sftp Specifies the service type as secure FTP stelnet Specifies the service type of secure Telnet authentication type Specifies the authentication method of an SSH user which can be one the following values password Performs password authentication any Performs either password authentication or publickey authentication passw...

Page 257: ...blickey authentication and password authentication the working folder is the one set by using the ssh user command Related commands display ssh user information Examples Create an SSH user named user1 setting the service type as sftp the authentication method as publickey the working directory of the SFTP server as flash and assigning a public key named key1 to the user Sysname system view Sysname...

Page 258: ...splays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display ssh server info command...

Page 259: ...termine whether the server is trustworthy Use the undo ssh client authentication server command to remove the configuration By default the host public key of the server is not configured and when logging into the server the client uses the IP address or host name used for login as the public key name If the client does not support first time authentication it will reject unauthenticated servers In...

Page 260: ...client will use the saved server host public key to authenticate the server Without first time authentication a client not configured with the server host public key will deny to access the server To access the server a user must configure in advance the server host public key locally and specify the public key name for authentication Because the server might update its key pairs periodically clie...

Page 261: ...ce interface type interface number undo ssh client source View System view Default level 3 Manage level Parameters ip ip address Specifies a source IPv4 address interface interface type interface number Specifies a source interface by its type and number Description Use the ssh client source command to specify the source IPv4 address or source interface of the SSH client Use the undo ssh client so...

Page 262: ...des Encryption algorithm des cbc prefer ctos hmac Preferred HMAC algorithm from client to server defaulted to sha1 96 md5 HMAC algorithm hmac md5 md5 96 HMAC algorithm hmac md5 96 sha1 HMAC algorithm hmac sha1 sha1 96 HMAC algorithm hmac sha1 96 prefer kex Preferred key exchange algorithm defaulted to dh group exchange in non FIPS mode and dh group14 in FIPS mode dh group exchange Key exchange alg...

Page 263: ...c md5 md5 96 sha1 sha1 96 In FIPS mode ssh2 ipv6 server port number identity key rsa prefer ctos cipher aes128 aes256 prefer ctos hmac sha1 sha1 96 prefer kex dh group14 prefer stoc cipher aes128 aes256 prefer stoc hmac sha1 sha1 96 View User view Default level 0 Visit level Parameters server IPv6 address or host name of the server a case insensitive string of 1 to 46 characters port number Port n...

Page 264: ...gorithm and the preferred encryption algorithm and preferred HMAC algorithm between the client and server When the client s authentication method is publickey the client needs to get the local private key for validation As the publickey authentication includes RSA and DSA algorithms you must specify an algorithm by using the identity key keyword to get the correct data for the local private key By...

Page 265: ...ax sftp server enable undo sftp server enable View System view Default level 3 Manage level Parameters None Description Use the sftp server enable command to enable SFTP server Use the undo sftp server enable command to disable SFTP server By default SFTP server is disabled Related commands display ssh server Examples Enable SFTP server Sysname system view Sysname sftp server enable sftp server id...

Page 266: ...et the idle timeout period for SFTP user connections to 500 minutes Sysname system view Sysname sftp server idle timeout 500 SFTP client configuration commands bye Syntax bye View SFTP client view Default level 3 Manage level Parameters None Description Use the bye command to terminate the connection with a remote SFTP server and return to user view This command functions as the exit and quit comm...

Page 267: ...directory You can use the cd command to return to the root directory of the system Examples Change the working path to new1 sftp client cd new1 Current Directory is new1 cdup Syntax cdup View SFTP client view Default level 3 Manage level Parameters None Description Use the cdup command to return to the upper level directory Examples From the current working directory new1 return to the upper level...

Page 268: ...Default level 3 Manage level Parameters a Displays the names of the files and sub directories under the specified directory l Displays the detailed information of the files and sub directories under the specified directory in the form of a list remote path Name of the directory to be queried Description Use the dir command to display information about the files and sub directories under a specifie...

Page 269: ...expressions see the Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 c...

Page 270: ...le View SFTP client view Default level 3 Manage level Parameters remote file Name of a file on the remote SFTP server local file Name for the local file Description Use the get command to download a file from a remote SFTP server and save it locally If you do not specify the local file argument the file will be saved locally with the same name as that on the remote SFTP server Examples Download fi...

Page 271: ... a Displays the filenames and the folder names of the specified directory l Displays in a list form detailed information of the files and folders of the specified directory remote path Name of the directory to be queried Description Use the ls command to display file and folder information under a specified directory With the a and l keyword not specified the command displays detailed information ...

Page 272: ...escription Use the mkdir command to create a directory on a remote SFTP server Examples Create a directory named test on the remote SFTP server sftp client mkdir test New directory created put Syntax put local file remote file View SFTP client view Default level 3 Manage level Parameters local file Name of a local file remote file Name for the file on a remote SFTP server Description Use the put c...

Page 273: ... a remote SFTP server Examples Display the current working directory of the remote SFTP server sftp client pwd quit Syntax quit View SFTP client view Default level 3 Manage level Parameters None Description Use the quit command to terminate the connection with a remote SFTP server and return to user view This command functions as the bye and exit commands Examples Terminate the connection with the...

Page 274: ...lient remove temp c The following files will be deleted temp c Are you sure to delete it Y N y This operation might take a long time Please wait File successfully Removed rename Syntax rename oldname newname View SFTP client view Default level 3 Manage level Parameters oldname Name of an existing file or directory newname New name for the file or directory Description Use the rename command to cha...

Page 275: ...5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 In FIPS mode sftp server port number identity key rsa prefer ctos cipher aes128 aes256 prefer ctos hmac sha1 sha1 96 prefer kex dh group14 prefer stoc cipher aes128 aes256 prefer stoc hmac sha1 sha1 96 View User view Default level 3 Manage level Parameters...

Page 276: ...se the sftp command to establish a connection to a remote IPv4 SFTP server and enter SFTP client view When the client s authentication method is publickey the client needs to get the local private key for validation As the publickey authentication includes RSA and DSA algorithms you must specify an algorithm by using the identity key keyword to get the correct data for the local private key By def...

Page 277: ...ient ipv6 source ipv6 2 2 2 2 sftp client source Syntax sftp client source ip ip address interface interface type interface number undo sftp client source View System view Default level 3 Manage level Parameters ip ip address Specifies a source IPv4 address interface interface type interface number Specifies a source interface by its type and number Description Use the sftp client source command t...

Page 278: ...r Preferred encryption algorithm from client to server defaulted to aes128 3des Encryption algorithm 3des cbc aes128 Encryption algorithm aes128 cbc aes256 Encryption algorithm aes256 cbc des Encryption algorithm des cbc prefer ctos hmac Preferred HMAC algorithm from client to server defaulted to sha1 96 md5 HMAC algorithm hmac md5 md5 96 HMAC algorithm hmac md5 96 sha1 HMAC algorithm hmac sha1 sh...

Page 279: ... the local private key By default the public key algorithm is DSA Examples Connect to server 2 5 8 9 using the following algorithms Preferred key exchange algorithm dh group1 Preferred encryption algorithm from server to client aes128 Preferred HMAC algorithm from client to server md5 Preferred HMAC algorithm from server to client sha1 96 Sysname sftp ipv6 2 5 8 9 prefer kex dh group1 prefer stoc ...

Page 280: ...4 prefer stoc cipher aes128 aes256 prefer stoc hmac sha1 sha1 96 View User view Default level 3 Manage level Parameters ipv6 Specifies the type of the server as IPv6 If this keyword is not specified the server is an IPv4 server server Specifies an IPv4 or IPv6 server by its address or host name For an IPv4 server it is a case insensitive string of 1 to 20 characters For an IPv6 server it is a case...

Page 281: ... algorithm diffie hellman group14 sha1 prefer stoc cipher Specifies the preferred encryption algorithm from server to client defaulted to aes128 prefer stoc hmac Specifies the preferred HMAC algorithm from server to client defaulted to sha1 96 Description Use the scp command to transfer files with an SCP server When the client s authentication method is publickey the client needs to get the local ...

Page 282: ...128 bit AES_CBC and the MAC algorithm of SHA rsa_des_cbc_sha Specifies the key exchange algorithm of RSA the data encryption algorithm of DES_CBC and the MAC algorithm of SHA rsa_rc4_128_md5 Specifies the key exchange algorithm of RSA the data encryption algorithm of 128 bit RC4 and the MAC algorithm of MD5 rsa_rc4_128_sha Specifies the key exchange algorithm of RSA the data encryption algorithm o...

Page 283: ...ore the default By default certificate based SSL client authentication is disabled Related commands display ssl server policy Examples Enable certificate based SSL client authentication Sysname system view Sysname ssl server policy policy1 Sysname ssl server policy policy1 client verify enable close mode wait Syntax close mode wait undo close mode wait View SSL server policy view Default level 2 S...

Page 284: ...nformation about all SSL client policies Filters command output by specifying a regular expression For more information about regular expressions see the Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that m...

Page 285: ...licies Filters command output by specifying a regular expression For more information about regular expressions see the Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular express...

Page 286: ...a close notify alert message to the client and then closes the connection immediately without waiting for the close notify alert message of the client wait enabled In this mode the server sends a close notify alert message to the client and then waits for the close notify alert message of the client Only after receiving the expected message does the server close the connection Session Timeout Sess...

Page 287: ... Syntax pki domain domain name undo pki domain View SSL server policy view SSL client policy view Default level 2 System level Parameters domain name Name of a PKI domain a case insensitive string of 1 to 15 characters Description Use the pki domain command to specify a PKI domain for an SSL server policy or SSL client policy Use the undo pki domain command to restore the default By default no PKI...

Page 288: ...f DES_CBC and the MAC algorithm of SHA rsa_rc4_128_md5 Specifies the key exchange algorithm of RSA the data encryption algorithm of 128 bit RC4 and the MAC algorithm of MD5 rsa_rc4_128_sha Specifies the key exchange algorithm of RSA the data encryption algorithm of 128 bit RC4 and the MAC algorithm of SHA Description Use the prefer cipher command to specify the preferred cipher suite for an SSL cl...

Page 289: ... session Syntax session cachesize size timeout time undo session cachesize timeout View SSL server policy view Default level 2 System level Parameters cachesize size Specifies the maximum number of cached sessions in the range 100 to 1000 timeout time Specifies the caching timeout time in seconds in the range 1800 to 72000 Description Use the session command to set the maximum number of cached ses...

Page 290: ...e undo ssl client policy policy name all View System view Default level 2 System level Parameters policy name SSL client policy name a case insensitive string of 1 to 16 characters which cannot be a al or all all Specifies all SSL client policies Description Use the ssl client policy command to create an SSL policy and enter its view Use the undo ssl client policy command to delete a specified SSL...

Page 291: ...r protocols Related commands display ssl server policy Examples Create SSL server policy policy1 and enter its view Sysname system view Sysname ssl server policy policy1 Sysname ssl server policy policy1 version Syntax In non FIPS mode version ssl3 0 tls1 0 undo version In FIPS mode version tls1 0 undo version View SSL client policy view Default level 2 System level Parameters ssl3 0 Specifies SSL...

Page 292: ...281 Examples Specify the SSL protocol version for SSL client policy policy1 as SSL 3 0 Sysname system view Sysname ssl client policy policy1 Sysname ssl client policy policy1 version ssl3 0 ...

Page 293: ... regular expression Specifies a regular expression which is a case sensitive string of 1 to 256 characters Description Use the display tcp status command to display status of all TCP connections for monitoring TCP connections Examples Display status of all TCP connections Sysname display tcp status TCP MD5 Connection TCPCB Local Add port Foreign Add port State 03e37dc4 0 0 0 0 4001 0 0 0 0 0 Liste...

Page 294: ...mmands will be removed after the protection against Naptha attack is disabled Examples Enable the protection against Naptha attack Sysname system view Sysname tcp anti naptha enable tcp state Syntax tcp state closing established fin wait 1 fin wait 2 last ack syn received connection number number undo tcp state closing established fin wait 1 fin wait 2 last ack syn received connection number View ...

Page 295: ...er of TCP connections in each state If the maximum number of TCP connections in a state is 0 the aging of TCP connections in this state will not be accelerated Related commands tcp anti naptha enable Examples Set the maximum number of TCP connections in the ESTABLISHED state to 100 Sysname system view Sysname tcp anti naptha enable Sysname tcp state established connection number 100 tcp syn cookie...

Page 296: ...fault the TCP connection state check interval is 30 seconds The device periodically checks the number of TCP connections in each state If it detects that the number of TCP connections in a state exceeds the maximum number it will accelerate the aging of TCP connections in such a state Note that you need to enable the protection against Naptha attack before executing this command Otherwise an error...

Page 297: ... a regular expression For more information about regular expressions see the Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular ...

Page 298: ...VLAN information exists in the entry Interface Interface of the IP source guard entry Type Type of the IP source guard entry including Static Static IPv4 binding entry Static IPv6 Static IPv6 binding entry DHCP SNP DHCP snooping entry DHCP RLY DHCP relay entry DHCPv6 SNP DHCPv6 snooping entry ND SNP ND snooping entry display user bind Syntax display user bind ipv6 interface interface type interfac...

Page 299: ...ples Display all static IPv4 source guard entries Sysname display user bind Total entries found 4 MAC Address IP Address VLAN Interface Type N A 1 1 1 1 N A GE1 0 1 Static 0001 0001 0001 2 2 2 2 200 GE1 0 1 Static 0003 0003 0003 N A N A GE1 0 1 Static 0004 0004 0004 4 4 4 4 N A GE1 0 1 Static Display all static IPv6 source guard entries Sysname display user bind ipv6 Total entries found 3 MAC Addr...

Page 300: ...P source guard function on a port in an aggregation group Related commands display ip check source Examples Configure dynamic IPv4 binding of packet source IP address and MAC address on Layer 2 Ethernet port GigabitEthernet 1 0 1 to filter packets based on the dynamically generated DHCP snooping entries Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 ip che...

Page 301: ...Pv6 snooping entries or ND snooping entries Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 ip check source ipv6 ip address mac address ip check source max entries Syntax ip check source ipv6 max entries number undo ip check source ipv6 max entries View Layer 2 Ethernet interface view Default level 2 System level Parameters ipv6 Limits the number of IPv6 so...

Page 302: ...address mac address mac address vlan vlan id View Layer 2 Ethernet interface view Default level 2 System level Parameters ip address ip address Specifies the IPv4 address for the static binding The IPv4 address can only be a Class A Class B or Class C address and can be neither 127 x x x nor 0 0 0 0 mac address mac address Specifies the MAC address for the static binding in the format H H H The MA...

Page 303: ...all 0s all Fs a broadcast address or a multicast address vlan vlan id Specifies the VLAN for the static binding The vlan id argument is the ID of the VLAN to be bound in the range 1 to 4094 Description Use the user bind ipv6 command to configure an IPv6 static binding Use the undo user bind ipv6 command to delete an IPv6 static binding By default no static binding exists on a port You can configur...

Page 304: ...on Use the arp rate limit command to configure or disable ARP packet rate limit on an interface Use the undo arp rate limit command to restore the default By default ARP packet rate limit is disabled Examples Specify the ARP packet rate on GigabitEthernet 1 0 1 as 50 pps and exceeded packets will be discarded Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 ...

Page 305: ...switch displays a log message and filters out the ARP packets from the MAC address In monitor detection mode the switch only displays a log message If no detection mode is specified in the undo arp anti attack source mac command both detection modes are disabled Examples Enable filter mode source MAC address based ARP attack detection Sysname system view Sysname arp anti attack source mac filter a...

Page 306: ...ted MAC addresses that you can configure Description Use the arp anti attack source mac exclude mac command to configure protected MAC addresses which will be excluded from ARP packet detection Use the undo arp anti attack source mac exclude mac command to remove the configured protected MAC addresses By default no protected MAC address is configured If no MAC address is specified in the undo arp ...

Page 307: ...s attacking MAC addresses detected on the interface slot slot number Displays attacking MAC addresses detected on the specified device If the device is in an IRF the slot number argument represents the member ID of the device if the device is not in any IRF the slot number argument represents the device ID Filters command output by specifying a regular expression For more information about regular...

Page 308: ...MAC address consistency check on the gateway After you execute this command the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message Use the undo arp anti attack valid check enable command to restore the default By default ARP packet source MAC address consistency check is disabled Examples Enable ARP ...

Page 309: ...Examples Enable the ARP active acknowledgement function Sysname system view Sysname arp anti attack active ack enable ARP detection configuration commands arp detection enable Syntax arp detection enable undo arp detection enable View VLAN view Default level 2 System level Parameters None Description Use the arp detection enable command to enable ARP detection for the VLAN Use the undo arp detecti...

Page 310: ...etection validate dst mac ip src mac View System view Default level 2 System level Parameters dst mac Checks the target MAC address of ARP responses If the target MAC address is all zero all one or inconsistent with the destination MAC address in the Ethernet header the packet is considered invalid and discarded ip Checks the source and destination IP addresses of ARP packets The all zero all one ...

Page 311: ... dst mac src mac ip arp restricted forwarding enable Syntax arp restricted forwarding enable undo arp restricted forwarding enable View VLAN view Default level 2 System level Parameters None Description Use the arp restricted forwarding enable command to enable ARP restricted forwarding Use the undo arp restricted forwarding enable command to disable ARP restricted forwarding By default ARP restri...

Page 312: ...lowing VLANs 1 2 4 5 Table 43 Output description Field Description ARP detection is enabled in the following VLANs VLANs that are enabled with ARP detection display arp detection statistics Syntax display arp detection statistics interface interface type interface number begin exclude include regular expression View Any view Default level 1 Monitor level Parameters interface interface type interfa...

Page 313: ...valid source and destination IP addresses Src MAC Number of ARP packets discarded due to invalid source MAC address Dst MAC Number of ARP packets discarded due to invalid destination MAC address Inspect Number of ARP packets that failed to pass ARP detection based on static IP Source Guard binding entries DHCP snooping entries 802 1X security entries OUI MAC addresses reset arp detection statistic...

Page 314: ...RP gateway protection for a specified gateway By default ARP gateway protection is disabled Note You can enable ARP gateway protection for up to eight gateways on a port You cannot configure both arp filter source and arp filter binding commands on a port Examples Enable ARP gateway protection for the gateway with IP address 1 1 1 1 Sysname system view Sysname interface gigabitethernet 1 0 1 Sysna...

Page 315: ...arded Use the undo arp filter binding command to remove an ARP filtering entry By default no ARP filtering entry is configured Note You can configure up to eight ARP filtering entries on a port You cannot configure both arp filter source and arp filter binding commands on a port Examples Configure an ARP filtering entry with permitted sender IP address 1 1 1 1 and MAC address 2 2 2 Sysname system ...

Page 316: ...heck for ND packets By default source MAC consistency check is disabled for ND packets In a typical forged ND packet the Ethernet frame header conveys a source MAC address different than the source link layer address option To filter out these invalid ND packets use the source MAC consistency check function to check ND packets for MAC address inconsistency Examples Enable source MAC consistency ch...

Page 317: ...etection enable and ipv6 nd detection trust Examples Display ND detection configuration Sysname display ipv6 nd detection ND detection is enabled on the following VLANs 1 2 4 5 ND detection trust is configured on the following interfaces GigabitEthernet1 0 1 GigabitEthernet1 0 2 Table 45 Output description Field Description ND detection is enabled on the following VLANs List of VLANs enabled with ...

Page 318: ...s Description Use the display ipv6 nd detection statistics command to display ND detection statistics The statistics count only ND packets discarded for validity check failure If an interface is specified the command displays only the statistic for the interface If no interface is specified the command displays statistics for all interfaces Examples Display the statistics for discarded ND packets ...

Page 319: ... two roles ND trusted and ND untrusted On an ND trusted port the ND detection function does not check ND packets for address spoofing On an ND untrusted port RA and RR messages are considered illegal and discarded directly all other ND packets in the VLAN are checked for source spoofing Examples Configure Layer 2 interface GigabitEthernet1 0 1 as an ND trusted port Sysname system view Sysname inte...

Page 320: ...ace type interface number arguments represent the interface type and number Description Use the reset ipv6 nd detection statistics command to clear the ND detection statistics of an interface If no interface is specified the ND detection statistics of all interfaces are cleared Examples Clear the ND detection statistics of all interfaces Sysname reset ipv6 nd detection statistics ...

Page 321: ...Use the undo ipv6 savi dad delay command to restore the default By default the time to wait for a DAD NA is 100 centiseconds 1 second Examples Set the time to wait for a DAD NA to 100 seconds Sysname system view Sysname ipv6 savi dad delay 10000 ipv6 savi dad preparedelay Syntax ipv6 savi dad preparedelay value undo ipv6 savi dad preparedelay View System view Default level 2 System level Parameter...

Page 322: ...for a DAD NS from a DHCPv6 client to 100 seconds Sysname system view Sysname ipv6 savi dad preparedelay 10000 ipv6 savi down delay Syntax ipv6 savi down delay time undo ipv6 savi down delay View System view Default level 2 System level Parameters time Specifies the delay time in the range of 0 to 86400 seconds Description Use ipv6 savi down delay to set the deletion delay time for SAVI Use undo ip...

Page 323: ...one Description Use the ipv6 savi strict command to enable the SAVI function Use the undo ipv6 savi strict command to disable the SAVI function By default the SAVI function is disabled Examples Enable the SAVI function Sysname system view Sysname ipv6 savi strict ...

Page 324: ... regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Description Use the display system guard command to display system guard configuration Examples Display system guard configuration Sysname display system guard system guard detect threshold 300pps system guard aging time 60s system guard rate limit queue0 360 queue1 360 queue2 360 q...

Page 325: ...system guard aging time command to restore the default By default the aging time is 60 seconds Examples Set the system guard aging time to 100 seconds Sysname system view Sysname system guard aging time 100 system guard control Syntax system guard control undo system guard control View Layer 2 Ethernet port view Default level 2 System level Parameters None Description Use the system guard control ...

Page 326: ...he range of 50 to 1000 in pps packets per seconds Description Use the system guard detect threshold command to set a rate threshold for system guard If the number of packets a port submits to the CPU in a second exceeds the specified threshold system guard determines that the port is under an attack Use the undo system guard detect threshold command to restore the default By default the rate thres...

Page 327: ...limit queue queue number 1 8 View System view Default level 2 System level Parameters queue queue number rate Set a rate limit for the specified queues The queue number argument is in the range of 0 to 7 1 8 indicates that you can specify up to 8 queues The rate argument is the rate limit you want to set for the queue in the range of 5 to 1000 in pps Description Use the system guard rate limit com...

Page 328: ... to make your configuration effective After the switch starts up the switch works in FIPS mode The FIPS mode complies with the FIPS 140 2 standard Related commands display fips status Examples Enable the FIPS mode Sysname system view Sysname fips mode enable FIPS mode change requires a device reboot Continue Y N y Change the configuration to meet FIPS mode requirements save the configuration to th...

Page 329: ...Parameters None Description Use fips self test to trigger a self test on the password algorithms To examine whether the cryptography modules operate normally you can use a command to trigger a self test on the cryptographic algorithms The triggered self test is the same as the power up self test If the self test fails the device automatically reboots Examples Trigger a self test on the cryptograph...

Page 330: ...on algorithm for the authentication header AH protocol Use the undo ah authentication algorithm command to restore the default By default SHA 1 is used Before specifying the authentication algorithm for AH be sure to use the transform command to specify the security protocol as AH or both AH and ESP Related commands ipsec proposal and transform Examples Configure IPsec proposal prop1 to use AH and...

Page 331: ...on about all IPsec policies name Displays detailed information about a specified IPsec policy or IPsec policy group policy name Name of the IPsec policy a string of 1 to 15 characters seq number Sequence number of the IPsec policy in the range 1 to 65535 Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide beg...

Page 332: ...able 47 Output description Field Description IPsec Policy Name Name and sequence number of the IPsec policy separated by hyphen Mode Negotiation mode of the IPsec policy manual Manual mode isakmp IKE negotiation mode acl Access control list ACL referenced by the IPsec policy ike peer name IKE peer name Local Address IP address of the local end Remote Address IP address of the remote end Display de...

Page 333: ...mode standard tunnel remote address perfect forward secrecy proposal name IPsec sa local duration time based 3600 seconds IPsec sa local duration traffic based 1843200 kilobytes policy enable True Table 48 Output description Field Description security data flow ACL referenced by the IPsec policy Interface Interface to which the IPsec policy is applied sequence number Sequence number of the IPsec p...

Page 334: ...gular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expressio...

Page 335: ...acters seq number Sequence number of the IPsec policy in the range 1 to 65535 remote ip address Displays detailed information about the IPsec SA with a specified remote address Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and a...

Page 336: ...cified Display detailed information about all IPsec SAs Sysname display ipsec sa Interface Vlan interface 1 path MTU 1500 IPsec policy name r2 sequence number 1 mode isakmp connection id 3 encapsulation mode tunnel perfect forward secrecy tunnel local address 2 2 2 2 remote address 1 1 1 2 flow sour addr 192 168 2 0 255 255 255 0 port 0 protocol IP dest addr 192 168 1 0 255 255 255 0 port 0 protoc...

Page 337: ...rward secrecy feature is enabled tunnel IPsec tunnel local address Local IP address of the IPsec tunnel remote address Remote IP address of the IPsec tunnel flow Data flow sour addr Source IP address of the data flow dest addr Destination IP address of the data flow port Port number protocol Protocol type inbound Information of the inbound SA spi Security parameter index proposal Security protocol...

Page 338: ...ll lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Description Use the display ipsec session command to display information about IPsec sessions If you do not specify any parameters the command displays information about all IPsec sessions IPsec can find matched tunnels directly by session reducing t...

Page 339: ...nnel id IPsec tunnel ID same as the connection id of the IPsec SA session idle time Idle duration of the IPsec session in seconds total duration Lifetime of the IPsec session in seconds defaulted to 300 seconds session flow Flow information of the IPsec session times matched Total number of packets matching the IPsec session Sour Addr Source IP address of the IPsec session Dest Addr Destination IP...

Page 340: ...s on all IPsec packets Sysname display ipsec statistics the security packet statistics input output security packets 47 62 input output security bytes 3948 5208 input output dropped security packets 0 45 dropped security packet detail not enough memory 0 can t find SA 45 queue is full 0 authentication has failed 0 wrong length 0 replay packet 0 packet too long 0 wrong SA 0 Table 53 Output descript...

Page 341: ...lays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regular expression regular expression Specifies a regular expression a case sensitive string of 1 to 256 characters Description Use the display ipsec tunnel command to display in...

Page 342: ... IP address destination IP address source port destination port and protocol as defined in acl 3001 The IPsec tunnel protects all data flows defined by ACL 3001 current Encrypt card Encryption card interface used by the current tunnel encapsulation mode Syntax encapsulation mode transport tunnel undo encapsulation mode View IPsec proposal view Default level 2 System level Parameters transport Uses...

Page 343: ...SP not to perform authentication on packets By default SHA 1 is used You must use both ESP authentication and encryption For ESP you must specify an encryption algorithm an authentication algorithm or both The undo esp authentication algorithm command takes effect only if one encryption algorithm is specified for ESP Related commands ipsec proposal esp encryption algorithm proposal and transform E...

Page 344: ...p encryption algorithm command takes effect only if one authentication algorithm is specified for ESP Related commands ipsec proposal esp authentication algorithm proposal and transform Examples Configure IPsec proposal prop1 to use ESP and specify AES as the encryption algorithm for ESP Sysname system view Sysname ipsec proposal prop1 Sysname ipsec proposal prop1 transform esp Sysname ipsec propo...

Page 345: ...ng Use the undo ipsec anti replay check command to disable IPsec anti replay checking By default IPsec anti replay checking is enabled Examples Enable IPsec anti replay checking Sysname system view Sysname ipsec anti replay check ipsec anti replay window Syntax ipsec anti replay window width undo ipsec anti replay window View System view Default level 2 System level Parameters width Size of the an...

Page 346: ...ommand to enable ACL checking of de encapsulated IPsec packets Use the undo ipsec decrypt check command to disable ACL checking of de encapsulated IPsec packets By default ACL checking of de encapsulated IPsec packets is enabled Examples Enable ACL checking of de encapsulated IPsec packets Sysname system view Sysname ipsec decrypt check ipsec policy interface view Syntax ipsec policy policy name u...

Page 347: ...c policies matches the packet it does not provide IPsec protection for the packet and sends the packet out directly Related commands ipsec policy system view Examples Apply IPsec policy group pg1 to interface VLAN interface 1 Sysname system view Sysname interface vlan interface 1 Sysname Vlan interface1 ipsec policy pg1 ipsec policy system view Syntax ipsec policy policy name seq number isakmp man...

Page 348: ...icy isakmp policy1 100 Create an IPsec policy with the name policy1 and specify the manual mode for it Sysname system view Sysname ipsec policy policy1 101 manual Sysname ipsec policy manual policy1 101 ipsec proposal Syntax ipsec proposal proposal name undo ipsec proposal proposal name View System view Default level 2 System level Parameters proposal name Name for the proposal a case insensitive ...

Page 349: ...the IPsec policy is not configured with its own lifetime IKE uses the global SA lifetime When negotiating to set up an SA IKE prefers the shorter one of the local lifetime and that proposed by the remote You can configure both a time based lifetime and a traffic based lifetime An SA expires when either lifetime expires The SA lifetime applies to only IKE negotiated SAs It is not effective for manu...

Page 350: ... dh group5 Uses 1536 bit Diffie Hellman group dh group14 Uses 2048 bit Diffie Hellman group Description Use the pfs command to enable and configure the perfect forward secrecy PFS feature so that the system uses the feature when employing the IPsec policy to initiate a negotiation Use the undo pfs command to remove the configuration By default the PFS feature is not used for negotiation In terms o...

Page 351: ... enable command to enable the IPsec policy Use the undo policy enable command to disable the IPsec policy By default the IPsec policy is enabled If the IPsec policy is not enabled for the IKE peer the peer cannot take part in the IKE negotiation Related commands ipsec policy system view Examples Enable the IPsec policy with the name policy1 and sequence number 100 Sysname system view Sysname ipsec...

Page 352: ...to remove the original proposal binding and then use the proposal command to reconfigure one An IKE negotiated IPsec policy can reference up to six IPsec proposals The IKE negotiation process will search for and use the exactly matched proposal Related commands ipsec proposal ipsec policy system view Examples Configure IPsec policy policy1 to reference IPsec proposal prop1 Sysname system view Sysn...

Page 353: ...e insensitive spi Security parameter index in the range 256 to 4294967295 policy Specifies IPsec SAs that use an IPsec policy policy name Name of the IPsec policy a case insensitive string of 1 to 15 characters including letters and digits seq number Sequence number of the IPsec policy in the range 1 to 65535 If no seq number is specified all the policies in the IPsec policy group named policy nam...

Page 354: ...ers 10 1 1 2 ah 10000 reset ipsec session Syntax reset ipsec session tunnel id integer View User view Default level 2 System level Parameters integer ID of the IPsec tunnel in the range 1 to 2000000000 Description Use the reset ipsec session command to clear the sessions of a specified IPsec tunnel or all IPsec tunnels Related commands display ipsec session Examples Clear all IPsec sessions Sysnam...

Page 355: ...sitive plaintext hexadecimal string when the simple keyword is specified The plaintext string must be a 20 byte hexadecimal string for SHA1 If neither cipher nor simple is specified you set a plaintext authentication key string Description Use the sa authentication hex command to configure an authentication key for an SA Use the undo sa authentication hex command to remove the configuration When c...

Page 356: ...SA lifetime is 1843200 kilobytes When negotiating to set up an SA IKE prefers the lifetime settings of the IPsec policy that it uses If the IPsec policy or IPsec proposal is not configured with its own lifetime settings IKE uses the global SA lifetime settings which are configured with the ipsec sa global duration command When negotiating to set up an SA IKE prefers the shorter ones of the local l...

Page 357: ...ecimal string for AES256 CBC If neither cipher nor simple is specified you set a plaintext encryption key string Description Use the sa encryption hex command to configure an encryption key for an SA Use the undo sa encryption hex command to remove the configuration When configuring a manual IPsec policy you must set the parameters of both the inbound and outbound SAs The encryption key for the in...

Page 358: ... When configuring a manual IPsec policy you must configure parameters for both inbound and outbound SAs and make sure that you specify different SPIs for different SAs The local inbound SA must use the same SPI and keys as the remote outbound SA The same is true of the local outbound SA and remote inbound SA Related commands ipsec policy system view Examples Set the SPI for the inbound SA to 10000...

Page 359: ...an aggregate interface or a tunnel interface You cannot specify multiple ACLs for one IPsec policy or one ACL for multiple IPsec policies To configure ACL rules you want to deploy for an IPsec policy you must configure all of them in one ACL and specify the ACL for the IPsec policy You can specify only one ACL for an IPsec policy To deploy multiple ACL rules configure the ACL rules in one ACL and ...

Page 360: ...l must use the same security protocol Related commands ipsec proposal Examples Configure IPsec proposal prop1 to use AH Sysname system view Sysname ipsec proposal prop1 Sysname ipsec proposal prop1 transform ah tunnel local Syntax tunnel local ip address undo tunnel local View IPsec policy view Default level 2 System level Parameters ip address Local address for the IPsec tunnel Description Use th...

Page 361: ...and to configure the remote address of an IPsec tunnel Use the undo tunnel remote command to remove the configuration By default no remote address is configured for the IPsec tunnel If you configure the remote address repeatedly the last one takes effect An IPsec tunnel is established between the local and remote ends The remote IP address of the local end must be the same as that of the local IP ...

Page 362: ...fy an authentication algorithm for an IKE proposal Use the undo authentication algorithm command to restore the default By default an IKE proposal uses the SHA1 authentication algorithm Related commands ike proposal and display ike proposal Examples Set SHA1 as the authentication algorithm for IKE proposal 10 Sysname system view Sysname ike proposal 10 Sysname ike proposal 10 authentication algori...

Page 363: ...authentication method pre share certificate domain Syntax certificate domain domain name undo certificate domain View IKE peer view Default level 2 System level Parameters domain name Name of the PKI domain a string of 1 to 15 characters Description Use the certificate domain command to configure the PKI domain of the certificate when IKE uses digital signature as the authentication mode Use the u...

Page 364: ...al 10 dh group5 display ike dpd Syntax display ike dpd dpd name begin exclude include regular expression View Any view Default level 1 Monitor level Parameters dpd name DPD name a string of 1 to 32 characters Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the sp...

Page 365: ...of 1 to 32 characters Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression and all lines that follow exclude Displays all lines that do not match the specified regular expression include Displays all lines that match the specified regu...

Page 366: ...led dpd Name of the peer DPD detector display ike proposal Syntax display ike proposal begin exclude include regular expression View Any view Default level 1 Monitor level Parameters Filters command output by specifying a regular expression For more information about regular expressions see Fundamentals Configuration Guide begin Displays the first line that matches the specified regular expression...

Page 367: ...algorithm used by the IKE proposal Diffie Hellman group DH group used in IKE negotiation phase 1 duration seconds ISAKMP SA lifetime of the IKE proposal in seconds display ike sa Syntax display ike sa verbose connection id connection id remote address remote address begin exclude include regular expression View Any view Default level 1 Monitor level Parameters verbose Displays detailed information...

Page 368: ...r of the ISAKMP SA peer Remote IP address of the SA flag Status of the SA RD READY The SA has been established ST STAYALIVE This end is the initiator of the tunnel negotiation RL REPLACED The tunnel has been replaced by a new one and will be deleted later FD FADING The soft lifetime is over but the tunnel is still in use The tunnel will be deleted when the hard lifetime is over TO TIMEOUT The SA h...

Page 369: ...ection id 2 connection id 2 transmitting entity initiator local ip 4 4 4 4 local id type IPV4_ADDR local id 4 4 4 4 remote ip 4 4 4 5 remote id type IPV4_ADDR remote id 4 4 4 5 authentication method PRE SHARED KEY authentication algorithm HASH SHA1 encryption algorithm AES CBC life duration sec 86400 remaining key duration sec 82480 exchange mode MAIN diffie hellman group GROUP14 nat traversal NO ...

Page 370: ...ntifier of the local gateway remote ip IP address of the remote gateway remote id type Identifier type of the remote gateway remote id Identifier of the remote security gateway authentication method Authentication method used by the IKE proposal authentication algorithm Authentication algorithm used by the IKE proposal encryption algorithm Encryption algorithm used by the IKE proposal life duratio...

Page 371: ...evel Parameters aes cbc Uses the AES algorithm in CBC mode as the encryption algorithm The AES algorithm uses 128 bit 192 bit or 256 bit keys for encryption key length Key length for the AES algorithm which can be 128 192 or 256 bits and is defaulted to 128 bits Description Use the encryption algorithm command to specify an encryption algorithm for an IKE proposal Use the undo encryption algorithm...

Page 372: ...works in main mode Sysname system view Sysname ike peer peer1 Sysname ike peer peer1 exchange mode main id type Syntax id type ip name user fqdn undo id type View IKE peer view Default level 2 System level Parameters ip Uses an IP address as the ID during IKE negotiation name Uses a FQDN name as the ID during IKE negotiation user fqdn Uses a user FQDN name as the ID during IKE negotiation Descript...

Page 373: ... name undo ike dpd dpd name View System view Default level 2 System level Parameters dpd name Name for the dead peer detection DPD detector a string of 1 to 32 characters Description Use the ike dpd command to create a DPD detector and enter IKE DPD view Use the undo ike dpd command to remove a DPD detector Related commands display ike dpd interval time and time out Examples Create a DPD detector ...

Page 374: ...y gateway name as its ID to the peer and the peer uses the security gateway name configured with the remote name command to authenticate the initiator Make sure the local gateway name matches the remote gateway name configured on the peer Related commands remote name and id type Examples Configure the local security gateway name as app Sysname system view Sysname ike local name app ike next payloa...

Page 375: ...1 Sysname ike peer peer1 ike proposal Syntax ike proposal proposal number undo ike proposal proposal number View System view Default level 2 System level Parameters proposal number IKE proposal number in the range 1 to 65535 The lower the number the higher the priority of the IKE proposal During IKE negotiation a high priority IKE proposal is matched before a low priority IKE proposal Description ...

Page 376: ...P SA keepalives in seconds in the range 20 to 28 800 Description Use the ike sa keepalive timer interval command to set the ISAKMP SA keepalive interval Use the undo ike sa keepalive timer interval command to disable the ISAKMP SA keepalive transmission function By default no keepalive packet is sent The keepalive interval configured at the local end must be shorter than the keepalive timeout conf...

Page 377: ...be three times of the keepalive interval Related commands ike sa keepalive timer interval Examples Set the keepalive timeout to 20 seconds Sysname system view Sysname ike sa keepalive timer timeout 20 ike sa nat keepalive timer interval Syntax ike sa nat keepalive timer interval seconds undo ike sa nat keepalive timer interval View System view Default level 2 System level Parameters seconds NAT ke...

Page 378: ...ry triggering interval for a DPD detector Use the undo interval time command to restore the default The default DPD interval is 10 seconds Examples Set the DPD interval to 1 second for dpd2 Sysname system view Sysname ike dpd dpd2 Sysname ike dpd dpd2 interval time 1 local address Syntax local address ip address undo local address View IKE peer view Default level 2 System level Parameters ip addre...

Page 379: ...he device name is used as the name of the local security gateway view If you configure the id type name or id type user fqdn command on the initiator the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation and you must configure the ike local name command in system view or the local name command in IKE peer view on the local device If you configure both the ik...

Page 380: ...versal function for IKE peer peer1 Sysname system view Sysname ike peer peer1 Sysname ike peer peer1 nat traversal peer Syntax peer multi subnet single subnet undo peer View IKE peer view Default level 2 System level Parameters multi subnet Sets the subnet type to multiple single subnet Sets the subnet type to single Description Use the peer command to set the subnet type of the peer security gate...

Page 381: ...rs simple key Specifies the plaintext pre shared key to be displayed in plain text a case sensitive string of 8 to 128 characters which must contain digits upper case letters lower case letters and special characters Description Use the pre shared key command to configure the pre shared key to be used in IKE negotiation Use the undo pre shared key command to remove the configuration Related comman...

Page 382: ... Configure IKE peer peer1 to reference IKE proposal 10 Sysname system view Sysname ike peer peer1 Sysname ike peer peer1 proposal 10 remote address Syntax remote address hostname dynamic low ip address high ip address undo remote address View IKE peer view Default level 2 System level Parameters hostname Host name of the IPsec remote security gateway a case insensitive string of 1 to 255 character...

Page 383: ...ure the IP address of the remote security gateway as 10 0 0 1 Sysname system view Sysname ike peer peer1 Sysname ike peer peer1 remote address 10 0 0 1 Configure the host name of the remote gateway as test com and specify the local peer to dynamically update the remote IP address Sysname system view Sysname ike peer peer2 Sysname ike peer peer2 remote address test com dynamic remote name Syntax re...

Page 384: ... ISAKMP SA can transmit the Delete message to notify the remote end to delete the paired IPsec SA If the ISAKMP SA has been cleared the local end cannot notify the remote end to clear the paired IPsec SA and you must manually clear the remote IPsec SA Related commands display ike sa Examples Clear an IPsec tunnel to 202 38 0 2 Sysname display ike sa total phase 1 SAs 1 connection id peer flag phas...

Page 385: ... set up and the old one will be cleared automatically when it expires Related commands ike proposal and display ike proposal Examples Specify the ISAKMP SA lifetime for IKE proposal 10 as 600 seconds 10 minutes Sysname system view Sysname ike proposal 10 Sysname ike proposal 10 sa duration 600 time out Syntax time out time out undo time out View IKE DPD view Default level 2 System level Parameters...

Page 386: ...375 Examples Set the DPD packet retransmission interval to 1 second for dpd2 Sysname system view Sysname ike dpd dpd2 Sysname ike dpd dpd2 time out 1 ...

Page 387: ...ing you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking category For a complete list ...

Page 388: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Page 389: ... 2 features Represents an access controller a unified wired WLAN module or the switching engine on a unified wired WLAN switch Represents an access point Represents a security product such as a firewall a UTM or a load balancing or security card that is installed in a device Represents a security card such as a firewall card a load balancing card or a NetStream card Port numbering in examples The ...

Page 390: ... authentication login 8 authentication portal 9 authentication super 10 authentication algorithm 351 authentication method 351 authorization command 1 1 authorization default 12 authorization lan access 13 authorization login 14 authorization portal 15 authorization attribute local user view user group view 27 authorization attribute user profile 15 B bind attribute 28 bye 255 C ca identifier 215 ...

Page 391: ... port security mac address block 164 display port security mac address security 166 display public key local public 203 display public key peer 205 display radius scheme 40 display radius statistics 43 display sftp client source 258 display ssh client source 246 display ssh server 239 display ssh server info 247 display ssh user information 240 display ssl client policy 273 display ssl server poli...

Page 392: ...m view 336 ipsec proposal 337 ipsec sa global duration 338 ipsec session idle time 338 ipv6 nd detection enable 307 ipv6 nd detection trust 308 ipv6 nd mac check enable 305 ipv6 savi dad delay 310 ipv6 savi dad preparedelay 310 ipv6 savi down delay 31 1 ipv6 savi strict 31 1 K key HWTACACS scheme view 76 key RADIUS scheme view 47 L ldap server 228 local address 367 locality 229 local name 368 loca...

Page 393: ...l nas ip 151 portal nas port type 151 portal offline detect interval 152 portal redirect url 153 portal server 154 portal server banner 155 portal server method 155 portal server server detect 156 portal server user sync 158 portal web proxy port 159 port security authorization ignore 168 port security enable 169 port security intrusion mode 169 port security mac address security 170 port security...

Page 394: ...ry authorization 85 security acl 347 security policy server 63 self service url enable 24 server type 64 server verify enable 277 service type 35 session 278 sftp 264 sftp client ipv6 source 265 sftp client source 266 sftp ipv6 267 sftp server enable 254 sftp server idle timeout 254 ssh client authentication server 248 ssh client first time 248 ssh client ipv6 source 249 ssh client source 250 ssh ...

Page 395: ...se timeout RADIUS scheme view 69 transform 348 tunnel local 349 tunnel remote 350 U user bind 291 user bind ipv6 292 user group 37 user name format HWTACACS scheme view 89 user name format RADIUS scheme view 69 user profile 179 user profile enable 179 V version 280 ...