HP 6125 Blade Switch Series Security Command Reference
Part number: 5998-3171
Software version: Release 2103
Document version: 6W100-20120907...
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
AAA configuration commands
General AAA configuration commands
aaa nas-id profile
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
View
System view
Default level
2: System level
Parameters
profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters.
Description
Use aaa nas-id profile to create a NAS ID profile and enter its view.
Parameters
max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646.
Description
Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted.
Use undo access-limit enable to restore the default.
undo accounting lan-access
View
ISP domain view
Default level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use accounting lan-access to configure the accounting method for LAN users.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use accounting login to configure the accounting method for login users through the console port or through Telnet.
communication with the current accounting server fails. However, the switch no longer sends real-time accounting updates for the user. The accounting optional feature applies to scenarios where accounting is not important. After you configure the accounting optional command, the setting configured by the access-limit command in local user view is not effective.
Default level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Description
Use authentication super to configure the authentication method for user privilege level switching.
Use undo authentication super to restore the default.
By default, the default authentication method for the ISP domain is used for user privilege level switching authentication.
Related commands: local-user, authorization default, and hwtacacs scheme.
Examples
# Configure ISP domain test to use local command line authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use local authorization as the backup.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
authorization lan-access
Syntax
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access
View
ISP domain view...
authorization-attribute user-profile
Syntax
authorization-attribute user-profile profile-name
undo authorization-attribute user-profile
View
ISP domain view
Default level
3: Manage level
Parameters
profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide.
Description
Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain.
• mac-authentication: Indicates MAC address authentication.
all: Specifies all user connections.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface.
View
Any view
Default level
1: Monitor level
Parameters
access-type: Specifies the user connections of the specified access type.
• dot1x: Indicates 802.1X authentication.
• mac-authentication: Indicates MAC address authentication.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain.
How the switch displays the username of a user on an interface configured with a mandatory authentication domain depends on the format of the username entered by the user at login:
• If the username does not contain the character @, the switch displays the username in the format ...
Field | Description
MAC | MAC address of the user.
IPv4 | IPv4 address of the user.
IPv6 | IPv6 address of the user.
Access | User access type.
ACL Group | Authorization ACL group. If no authorization ACL group is assigned, this field displays Disable.
User Profile | Authorization user profile.
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes :
Domain : test
State : Active
Access-limit : Disabled
Accounting method : Required...
Field | Description
Lan-access authorization scheme | Authorization method for LAN users.
Lan-access accounting scheme | Accounting method for LAN users.
Domain User Template | Indicates some functions and attributes set for users in the domain.
Idle-cut | Indicates whether the idle cut function is enabled. With the idle cut function enabled for a domain, the system logs out any user in the domain whose traffic is less than the specified minimum traffic...
[Sysname] domain test
[Sysname-isp-test]
domain default enable
Syntax
domain default enable isp-name
undo domain default enable
View
System view
Default level
3: Manage level
Parameters
isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters.
Description
Use domain default enable to specify the default ISP domain.
Parameters
minute: Idle timeout period, in the range of 1 to 600 minutes.
flow: Minimum traffic during the idle timeout period, which is in the range of 1 to 10240000 bytes and defaults to 10240.
Description
Use idle-cut enable to enable the idle cut function and set the relevant parameters. With the idle cut function enabled for a domain, the switch checks the traffic of each online user in the domain at the idle timeout interval, and logs out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic.
A NAS ID can be bound with more than one VLAN, but one VLAN can be bound with only one NAS ID. If you bind a VLAN with different NAS IDs, only the last binding takes effect.
Related commands: aaa nas-id profile.
Examples
# Bind NAS ID 222 with VLAN 2.
View
ISP domain view
Default level
2: System level
Parameters
active: Places the ISP domain in active state to allow the users in the ISP domain to request network services.
block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
This command takes effect only when local accounting is used for the user account. This limit is not effective for FTP users because accounting is not available for FTP users.
Related commands: display local-user.
Examples
# Limit the maximum number of concurrent users of local user account abc to 5.
<Sysname>...
• security-audit: After passing authentication, a security log administrator can manage security log files, for example, save security log files. For more information about the commands that a security log administrator can use, see Network Management and Monitoring Command Reference.
vlan vlan-id: Specifies the authorized VLAN.
View
Local user view
Default level
3: Manage level
Parameters
ip ip-address: Specifies the IP address of the user. This option applies only to 802.1X users.
location port slot-number subslot-number port-number: Specifies the port to which the user is bound, where slot-number is in the range of 0 to 255, subslot-number is in the range of 0 to 15, and port-number is in the range of 0 to 255.
Parameters
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users who use a specific type of service.
• ftp: FTP users.
• lan-access: Users accessing the network through Ethernet, such as 802.1X users.
...
Authorization attributes:
Idle TimeOut: 10(min)
Work Directory: flash:/
User Privilege:
Acl ID: 2000
Vlan ID:
User Profile: prof1
Expiration date: 12:12:12-2018/09/16
Password aging: Enabled (30 days)
Password length: Enabled (4 characters)
Password composition: Enabled (4 types, 2 characters per type)
Total 1 local user(s) matched.
Default level
2: System level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
expiration-date (local user view)
Syntax
expiration-date time
undo expiration-date
View
Local user view
Default level
3: Manage level
Parameters
time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month.
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Description
Use group to assign a local user to a user group.
Use undo group to restore the default.
By default, a local user belongs to the system default user group system.
Examples
# Assign local user 111 to user group abc.
undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal | web } ] }
View
System view
Default level
3: Manage level
Parameters
user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters.
Description
Use password to configure a password for a local user.
terminal: Authorizes the user to use the terminal service, allowing the user to log in through the console port.
web: Authorizes the user to use the Web service.
Description
Use service-type to specify the service types that a user can use.
Use undo service-type to delete service types configured for a user.
user-group
Syntax
user-group group-name
undo user-group group-name
View
System view
Default level
3: Manage level
Parameters
group-name: User group name, a case-insensitive string of 1 to 32 characters.
Description
Use user-group to create a user group and enter its view.
Use undo user-group to remove a user group.
or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2011/2/2 equals 02:02:00-2011/02/02.
Description
Use validity-date to set the validity time of a local user.
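As an added illustration (not from the HP manual), the following Python parser accepts the four time syntaxes given for expiration-date and validity-date, including the optional leading zeros, and enforces the stated ranges; the month-dependent day range is checked with the standard calendar module. The sample strings in the test are constructed values.

```python
"""Added example, not HP code: parse and validate the expiration-date /
validity-date time argument of local user view."""
import calendar
import re
from datetime import datetime

YEAR_MIN, YEAR_MAX = 2000, 2035            # YYYY range stated for the argument

_TIME = r"(\d{1,2}):(\d{1,2}):(\d{1,2})"   # HH:MM:SS, leading zeros optional
_MDY = r"(\d{1,2})/(\d{1,2})/(\d{4})"       # MM/DD/YYYY
_YMD = r"(\d{4})/(\d{1,2})/(\d{1,2})"       # YYYY/MM/DD

# (compiled pattern, capture-group index of hh, mm, ss, year, month, day)
_FORMATS = [
    (re.compile(rf"^{_TIME}-{_MDY}$"), (1, 2, 3, 6, 4, 5)),  # HH:MM:SS-MM/DD/YYYY
    (re.compile(rf"^{_TIME}-{_YMD}$"), (1, 2, 3, 4, 5, 6)),  # HH:MM:SS-YYYY/MM/DD
    (re.compile(rf"^{_MDY}-{_TIME}$"), (4, 5, 6, 3, 1, 2)),  # MM/DD/YYYY-HH:MM:SS
    (re.compile(rf"^{_YMD}-{_TIME}$"), (4, 5, 6, 1, 2, 3)),  # YYYY/MM/DD-HH:MM:SS
]


def parse_validity_time(text: str) -> datetime:
    """Return the datetime encoded by `text`, or raise ValueError.

    The four syntaxes never collide: the time part is the one containing ':'
    and the 4-digit year is either the first or the last date component.
    """
    for pattern, order in _FORMATS:
        match = pattern.match(text.strip())
        if match:
            hh, mi, ss, year, month, day = (int(match.group(i)) for i in order)
            break
    else:
        raise ValueError(f"unrecognised time format: {text!r}")

    if not (0 <= hh <= 23 and 0 <= mi <= 59 and 0 <= ss <= 59):
        raise ValueError(f"time of day out of range: {text!r}")
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError(f"year must be {YEAR_MIN}..{YEAR_MAX}: {text!r}")
    if not 1 <= month <= 12:
        raise ValueError(f"month out of range: {text!r}")
    # The valid day range depends on the month (and on leap years for February).
    if not 1 <= day <= calendar.monthrange(year, month)[1]:
        raise ValueError(f"day out of range for {year}/{month}: {text!r}")
    return datetime(year, month, day, hh, mi, ss)


def is_valid_time_string(text: str) -> bool:
    """True when `text` would be accepted as an expiration/validity time."""
    try:
        parse_validity_time(text)
        return True
    except ValueError:
        return False


def account_expired(expiration: str, now: datetime) -> bool:
    """True when `now` is past the configured expiration time."""
    return now > parse_validity_time(expiration)


if __name__ == "__main__":
    # The manual's own example: these two spellings denote the same instant.
    print(parse_validity_time("2:2:0-2011/2/2") == parse_validity_time("02:02:00-2011/02/02"))
```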
Use undo accounting-on enable to disable the accounting-on feature.
By default, the accounting-on feature is disabled.
Parameters set with the accounting-on enable command take effect immediately. After executing the accounting-on enable command, issue the save command to make sure that the command takes effect after the switch reboots.
undo data-flow-format { data | packet }
View
RADIUS scheme view
Default level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display radius scheme to display the configuration of RADIUS schemes.
Retransmission times for timeout
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet
Retransmission times of stop-accounting packet : 500
Quiet-interval(min)
Username format : without-domain
Data flow unit : Byte
Packet unit : one
NAS-IP address : 1.1.1.1
Attribute 25 : car
------------------------------------------------------------------...
Field | Description
interval | Interval at which the switch retransmits accounting-on packets.
Interval for timeout(second) | RADIUS server response timeout period, in seconds.
Retransmission times for timeout | Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server.
Interval for realtime | Interval for real-time accounting, in minutes.
Examples
# Display statistics about RADIUS packets.
<Sysname> display radius statistics
Slot 1:state statistic(total=4096):
DEAD = 4096 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
Received and Sent packets statistic:
Sent PKT total = 1547...
Table 6 Command output
Field | Description
state statistic | User statistics, by state
DEAD | Number of idle users
AuthProc | Number of users waiting for authentication
AuthSucc | Number of users who have passed authentication
AcctStart | Number of users for whom accounting has been started
RLTSend | Number of users for whom the system sends real-time accounting packets...
Field | Description
Normal author request | Number of normal authorization requests
Set policy result | Number of responses to the Set policy packets
RADIUS sent messages statistic | Statistics for sent RADIUS messages
Auth accept | Number of accepted authentication packets
Auth reject | Number of rejected authentication packets
EAP auth replying | Number of replying packets of EAP authentication
Account success...
user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting configured by the user-name-format command for the RADIUS scheme.
slot slot-number: Specifies the stop-accounting requests buffered for an IRF member device.
authentication: Sets the shared key for secure RADIUS authentication/authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 64 characters.
Parameters
ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be an address of the switch and must be a unicast address that is neither a loopback address nor a link-local address.
ipv6 ipv6-address: Specifies the IPv6 address of the primary accounting server.
port-number: Specifies the service port number of the primary RADIUS accounting server, which is a UDP port number in the range of 1 to 65535 and defaults to 1813.
key [ cipher | simple ] key: Sets the shared key for secure communication with the primary RADIUS accounting server.
The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
View
System view
Default level
2: System level
Parameters
None
Description
Use radius client enable to enable the RADIUS listening port of a RADIUS client.
Use undo radius client to disable the RADIUS listening port of a RADIUS client.
By default, the RADIUS listening port is enabled.
When the listening port of the RADIUS client is disabled:
• Stop-accounting requests of online users can no longer be sent out or buffered, and the RADIUS ...
Examples
# Set the DSCP value to 6 for IPv4 RADIUS protocol packets.
<Sysname> system-view
[Sysname] radius dscp 6
radius ipv6 dscp
Syntax
radius ipv6 dscp dscp-value
undo radius ipv6 dscp
View
System view
Default level
2: System level
Parameters
dscp-value: DSCP value in the protocol packets, which ranges from 0 to 63.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IPv4 address. With no VPN specified, the command specifies a public-network source IPv4 address.
A RADIUS scheme can be referenced by more than one ISP domain at the same time. A RADIUS scheme referenced by ISP domains cannot be removed.
Related commands: display radius scheme.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname>...
reset radius statistics
Syntax
reset radius statistics [ slot slot-number ]
View
User view
Default level
2: System level
Parameters
slot slot-number: Clears the RADIUS statistics for an IRF member device. The slot-number argument represents the ID of the IRF member device. The value range for the argument depends on the number of member devices and their member IDs in the IRF fabric.
slot slot-number: Clears the stop-accounting requests buffered for an IRF member device. The slot-number argument represents the ID of the IRF member device. The value range for the argument depends on the number of member devices and their member IDs in the IRF fabric.
Description
Use reset stop-accounting-buffer to clear the buffered stop-accounting requests for which no responses have been received.
[Sysname-radius-radius1] retry 5
retry realtime-accounting
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of accounting attempts, in the range of 1 to 255.
Description
Use retry realtime-accounting to set the maximum number of accounting attempts.
Use undo retry realtime-accounting to restore the default.
retry stop-accounting (RADIUS scheme view)
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
RADIUS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of stop-accounting attempts, in the range of 10 to 65535.
Description
Use retry stop-accounting to set the maximum number of stop-accounting attempts.
Use undo retry stop-accounting to restore the default.
Default level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary accounting server, in dotted decimal notation.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary accounting server.
port-number: Specifies the service port number of the secondary RADIUS accounting server, which is a UDP port number in the range of 1 to 65535 and defaults to 1813.
Related commands: key, state, and vpn-instance (RADIUS scheme view).
Examples
# For RADIUS scheme radius1, set the IP address of the secondary accounting server to 10.110.1.1, the UDP port to 1813, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text.
<Sysname>...
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary authentication to specify secondary RADIUS authentication/authorization servers for a RADIUS scheme.
Examples
# For RADIUS scheme radius1, set the IP address of the secondary authentication/authorization server to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
# Specify two secondary authentication/authorization servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1813.
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
server-type
Syntax
server-type { extended | standard }
undo server-type
View
RADIUS scheme view
Default level
2: System level
Parameters
extended: Specifies the extended RADIUS server (generally running on IMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol.
block: Specifies the blocked state, the out-of-service state.
Description
Use state primary to set the status of a primary RADIUS server.
By default, the primary RADIUS server specified for a RADIUS scheme is in active state.
During an authentication or accounting process, the switch first tries to communicate with the primary server if the primary server is in active state.
If the switch finds that a secondary server in active state is unreachable, the switch changes the status of the secondary server to blocked, starts a quiet timer for the server, and continues to try to communicate with the next secondary server in active state (a secondary RADIUS server configured earlier has a higher priority).
timer quiet (RADIUS scheme view)
Syntax
timer quiet minutes
undo timer quiet
View
RADIUS scheme view
Default level
2: System level
Parameters
minutes: Server quiet period in minutes, in the range of 0 to 255. If you set this argument to 0, when the switch attempts to send an authentication or accounting request but the current server is unreachable, the switch sends the request to the next server in active state, without changing the current server's status.
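The server selection, active/blocked status and quiet timer behaviour described for state primary, state secondary and timer quiet, modelled in Python as an added example (not HP code). Server addresses and the quiet period are constructed values, and reachability is supplied by a callback so the model runs offline.

```python
"""Added example, not HP code: how a RADIUS scheme walks its servers.

Order of preference: primary first, then secondaries in configuration order.
An unreachable active server is set to blocked and its quiet timer started,
unless timer quiet is 0, in which case its status is left unchanged.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class RadiusServer:
    address: str
    port: int
    state: str = "active"        # "active" or "block" (out-of-service)
    quiet_until: float = 0.0     # time (in minutes) at which the quiet timer ends; 0 = no timer


@dataclass
class RadiusScheme:
    name: str
    primary: Optional[RadiusServer]
    secondaries: List[RadiusServer] = field(default_factory=list)  # config order = priority
    quiet_minutes: int = 5       # timer quiet; constructed default for this example


def _servers(scheme: RadiusScheme) -> List[RadiusServer]:
    """Servers in the order the switch tries them."""
    return [s for s in [scheme.primary, *scheme.secondaries] if s is not None]


def set_state(server: RadiusServer, state: str) -> None:
    """Model the state primary / state secondary command: an administrative
    change that carries no quiet timer, so a blocked server stays blocked."""
    if state not in ("active", "block"):
        raise ValueError(f"unknown state {state!r}")
    server.state, server.quiet_until = state, 0.0


def refresh_states(scheme: RadiusScheme, now: float) -> None:
    """Return servers to active once their quiet timer has expired."""
    for srv in _servers(scheme):
        if srv.state == "block" and srv.quiet_until and now >= srv.quiet_until:
            srv.state, srv.quiet_until = "active", 0.0


def send_request(scheme: RadiusScheme, now: float,
                 reachable: Callable[[RadiusServer], bool]) -> Optional[RadiusServer]:
    """Return the server that accepted the request, or None if none did."""
    refresh_states(scheme, now)
    for srv in _servers(scheme):
        if srv.state != "active":
            continue                                  # blocked servers are skipped
        if reachable(srv):
            return srv
        if scheme.quiet_minutes > 0:                  # quiet 0: move on, status unchanged
            srv.state = "block"
            srv.quiet_until = now + scheme.quiet_minutes
    return None


def server_states(scheme: RadiusScheme) -> Dict[str, str]:
    """Address -> state snapshot, as display radius scheme would report it."""
    return {s.address: s.state for s in _servers(scheme)}


if __name__ == "__main__":
    # Constructed scenario: the primary is down for the first few minutes.
    scheme = RadiusScheme("radius1", RadiusServer("10.110.1.1", 1812),
                          [RadiusServer("10.110.1.2", 1812), RadiusServer("10.110.1.3", 1812)])
    up = {"10.110.1.2", "10.110.1.3"}
    for minute in (0.0, 1.0, 5.0):
        if minute == 5.0:
            up.add("10.110.1.1")
        chosen = send_request(scheme, minute, lambda s: s.address in up)
        print(minute, chosen.address if chosen else None, server_states(scheme))
```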
Default level
2: System level
Parameters
minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range of 3 to 60.
Description
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
By default, the real-time accounting interval is 12 minutes.
Parameters
seconds: RADIUS server response timeout period in seconds, in the range of 1 to 10.
Description
Use timer response-timeout to set the RADIUS server response timeout timer.
Use undo timer response-timeout to restore the default.
By default, the RADIUS server response timeout period is 3 seconds.
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service.
If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server may regard two users in different ISP domains but with the same userid as one user.
For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect, and the switch does not change the usernames from clients before forwarding them to the RADIUS server.
Parameters
hwtacacs-scheme-name: HWTACACS scheme name.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme.
slot slot-number: Specifies the configuration or statistics for an IRF member device. The slot-number argument represents the ID of the IRF member device.
Quiet-interval(min)
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec)
Acct-stop-PKT retransmit times : 100
Username format : with-domain
Data traffic-unit
Packet traffic-unit : one-packet
--------------------------------------------------------------------
Table 8 Command output
Field | Description
HWTACACS-server template name | Name of the HWTACACS scheme.
Primary-authentication-server | IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays 0.0.0.0:0.
Default level
2: System level
Parameters
ip-address: IP address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
Description
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.
Use undo hwtacacs scheme to delete an HWTACACS scheme.
By default, no HWTACACS scheme exists.
An HWTACACS scheme can be referenced by more than one ISP domain at the same time. An HWTACACS scheme referenced by ISP domains cannot be removed.
Examples
# Set the shared key for secure HWTACACS accounting communication to hello in plain text.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting simple hello
# Set the shared key for secure HWTACACS accounting communication to hello in plain text.
<Sysname>...
Related commands: stop-accounting-buffer enable and display stop-accounting-buffer.
Examples
# Clear the stop-accounting requests buffered for HWTACACS scheme hwt1.
<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1
retry stop-accounting (HWTACACS scheme view)
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
View
HWTACACS scheme view
Default level
2: System level
Parameters
retry-times: Maximum number of stop-accounting request transmission attempts, in the range of 1 to 300.
port-number: Service port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
Description
Use secondary authentication to specify the secondary HWTACACS authentication server.
Use undo secondary authentication to remove the configuration.
Description
Use secondary authorization to specify the secondary HWTACACS authorization server.
Use undo secondary authorization to remove the configuration.
By default, no secondary HWTACACS authorization server is specified.
The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
Parameters
minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range of 3 to 60. A value of zero means "Do not send online user accounting information to the HWTACACS server."
Description
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
By default, the HWTACACS server response timeout time is 5 seconds.
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the switch is disconnected from the HWTACACS server.
Related commands: display hwtacacs.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
vpn-instance (HWTACACS scheme view)
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
View
HWTACACS scheme view
Default level
2: System level
Parameters
vpn-instance-name: Name of the MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters.
Description
Use vpn-instance to specify a VPN for the HWTACACS scheme.
Use undo vpn-instance to remove the configuration.
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times
EAD quick deploy configuration:
URL: http://192.168.19.23
Free IP: 192.168.19.0 255.255.255.0
EAD timeout:
The maximum 802.1X user resource number is 2048 per slot...
Table 10 Command output
Field | Description
Equipment 802.1X protocol is enabled | Specifies whether 802.1X is enabled globally
CHAP authentication is enabled | Specifies whether CHAP authentication is enabled
EAD quick deploy is enabled | Specifies whether EAD fast deployment is enabled
Transmit Period | Username request timeout timer in seconds
Handshake Period | Handshake timer in seconds...
Field | Description
Auth-fail VLAN | Auth-Fail VLAN configured on the port. NOT configured is displayed if no Auth-Fail VLAN is configured.
Critical VLAN | 802.1X critical VLAN configured on the port. NOT configured is displayed if no 802.1X critical VLAN is configured on the port.
Parameters
interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &...
undo dot1x authentication-method
View
System view
Default level
2: System level
Parameters
chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.
eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.
[Sysname] dot1x authentication-method pap
dot1x auth-fail vlan
Syntax
dot1x auth-fail vlan authfail-vlan-id
undo dot1x auth-fail vlan
View
Ethernet interface view
Default level
2: System level
Parameters
authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created.
undo dot1x critical vlan View Layer 2 Ethernet interface view Default level 2: System level Parameters vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. Make sure the VLAN has been created. Description Use dot1x critical vlan to configure an 802.1X critical VLAN on a port for 802.1X users that have failed authentication because all the RADIUS authentication servers in their ISP domain are unreachable.
dot1x critical recovery-action Syntax dot1x critical recovery-action reinitialize undo dot1x critical recovery-action View Layer 2 Ethernet interface view Default level 2: System level Parameters reinitialize: Enables the port to trigger 802.1X re-authentication on detection of a reachable RADIUS authentication server for users in the critical VLAN. Description Use dot1x critical recovery-action to configure the action that a port takes when an active (reachable) RADIUS authentication server is detected for users in the critical VLAN.
Default level 2: System level Parameters string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), backslash (\), and forward slash (/). Description Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the access device.
interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges.
dot1x handshake Syntax dot1x handshake undo dot1x handshake View Ethernet Interface view Default level 2: System level Parameters None Description Use dot1x handshake to enable the online user handshake function. The function enables the device to periodically send handshake messages to the client to check whether a user is online. Use undo dot1x handshake to disable the function.
By default, the function is disabled. The online user handshake security function is implemented based on the online user handshake function. To bring the security function into effect, make sure the online user handshake function is enabled. HP recommends you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.
[Sysname-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain
# After 802.1X user usera passes the authentication, execute the display connection command to display the user connection information on GigabitEthernet 1/0/1. For more information about the display connection command, see "AAA configuration commands."
[Sysname-GigabitEthernet1/0/1] display connection interface gigabitethernet 1/0/1
Slot: Index=68 ,Username=usera@my-domian...
If you specify the interface-list argument, the command applies to the specified ports. • In Ethernet interface view, the interface-list argument is not available and the command applies to only the Ethernet port. Related commands: display dot1x. Examples # Set the maximum number of concurrent 802.1X users on port GigabitEthernet 1/0/1 to 32. <Sysname>...
View Ethernet interface view Default level 2: System level Parameters None Description Use dot1x re-authenticate to enable the periodic online user re-authentication function. Use undo dot1x re-authenticate to disable the function. By default, the periodic online user re-authentication function is disabled. Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port.
After the network access device sends an authentication request to a client, if the device receives no response from the client within the username request timeout timer (set with the dot1x timer tx-period tx-period-value command) or the client timeout timer (set with the dot1x timer supp-timeout supp-timeout-value command), the device retransmits the authentication request.
The network device uses the following 802.1X timers: • Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.
The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast Identity EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time (set with the dot1x timer tx-period command).
Parameters ead-timeout-value: Specifies the EAD rule timer in minutes, in the range of 1 to 1440. Description Use dot1x timer ead-timeout to set the EAD rule timer. Use undo dot1x timer ead-timeout to restore the default. By default, the timer is 30 minutes. EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network.
Examples # Configure the redirect URL as http://192.168.0.1. <Sysname> system-view [Sysname] dot1x url http://192.168.0.1...
MAC authentication configuration commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
Current user number amounts to 0
Current domain: not configured, use default domain
Silent Mac User info:
MAC Addr From Port Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 0, failed: 0
Max number of on-line users is 2048
Current online user number is 0
MAC Addr Authenticate state...
Field | Description
MAC address authentication is enabled | Whether MAC authentication is enabled on port GigabitEthernet1/0/1.
Authenticate success: 0, failed: 0 | MAC authentication statistics, including the number of successful and unsuccessful authentication attempts
Maximum number of concurrent online users allowed on the port.
Use mac-authentication interface interface-list in system view to enable MAC authentication on a list of ports, or mac-authentication in interface view to enable MAC authentication on a port. Use undo mac-authentication in system view to disable MAC authentication globally. Use undo mac-authentication interface interface-list in system view to disable MAC authentication on a list of ports, or undo mac-authentication in interface view to disable MAC authentication on a port.
The global authentication domain is applicable to all MAC authentication enabled ports. A port specific authentication domain is applicable only to the port. You can specify different authentication domains on different ports. A port chooses an authentication domain for MAC authentication users in this order: port specific domain, global domain, and the default authentication domain.
mac-authentication timer Syntax mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } undo mac-authentication timer { offline-detect | quiet | server-timeout } View System view Default level 2: System level Parameters offline-detect offline-detect-value: Sets the offline detect timer, in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user as idle.
Default level 2: System level Parameters fixed: Uses a shared account for all MAC authentication users. account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies. password: Specifies the password for the shared user account.
# Configure a shared account for MAC authentication users: set the username as abc and the password as the ciphertext string $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password cipher $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg
# Use MAC-based user accounts for MAC authentication users, with each MAC address hyphenated and in uppercase.
Port security configuration commands display port-security Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies Ethernet ports by an Ethernet port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
RALM logoff trap is enabled
RALM logfailure trap is enabled
AutoLearn aging time is 1 minutes
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 000d1a
Index is 2, OUI value is 003c12
GigabitEthernet1/0/1 is link-down
Port mode is userLoginWithOUI
NeedToKnow mode is NeedToKnowOnly
Intrusion Portection mode is DisablePort
Max MAC address number is 50...
Field | Description
RALM logfailure trap | Whether trapping for MAC authentication failure is enabled or not. If it is enabled, the port sends trap information when a user fails MAC address authentication.
AutoLearn aging time | Secure MAC aging timer. The timer applies to sticky or dynamic secure MAC addresses.
--- On slot 1, 1 mac address(es) found ---
--- 1 mac address(es) found ---
# Display information about all blocked MAC addresses in VLAN 30.
<Sysname> display port-security mac-address block vlan 30
MAC ADDR From Port VLAN ID
000f-3d80-0d2d GigabitEthernet1/0/1
--- On slot 1, 1 mac address(es) found ---
--- 1 mac address(es) found ---...
View Any view Default level 2: System level Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094. count: Displays only the count of the secure MAC addresses. |: Filters command output by specifying a regular expression.
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000d-88f8-0577 Security GigabitEthernet1/0/1 NOAGED
1 mac address(es) found
# Display information about secure MAC addresses of port GigabitEthernet 1/0/1 in VLAN 1.
<Sysname> display port-security mac-address security interface gigabitethernet 1/0/1 vlan
MAC ADDR VLAN ID STATE...
View Layer 2 Ethernet interface view Default level 2: System level Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed.
Description Use port-security mac-address aging-type inactivity to enable inactivity aging for secure MAC addresses (sticky or dynamic). Use undo port-security mac-address aging-type inactivity to restore the default. By default, the inactivity aging function is disabled. If only an aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address.
You can display dynamic secure MAC addresses by using the display port-security mac-address security command. Related commands: display port-security mac-address security, mac-address dynamic. Examples # Enable the dynamic secure MAC function on interface GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet1/0/1
[Sysname-GigabitEthernet1/0/1] port-security mac-address dynamic

port-security mac-address security
Syntax...
When a port is operating in autoLearn mode, you can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure. Static secure MAC addresses never age out unless you remove them by using the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
Default level 2: System level Parameters count-value: Specifies the maximum number of MAC addresses that port security allows on the port. The value is in the range of 1 to 1024. Description Use port-security max-mac-count to set the maximum number of MAC addresses that port security allows on a port.
Description Use port-security ntk-mode to configure the NTK feature. Use undo port-security ntk-mode to restore the default. By default, NTK is disabled on a port and all frames are allowed to be sent. The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic.
Keyword | Security mode | Description
userlogin | userLogin | In this mode, a port performs 802.1X authentication and implements port-based access control. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.
userlogin-secure | userLoginSecure | In this mode, a port performs 802.1X authentication and implements MAC-based access control.
Description Use port-security timer disableport to set the silence period during which the port remains disabled. Use undo port-security timer disableport to restore the default. By default, the silence period is 20 seconds. If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, use this command to set the silence period.
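As an added illustration (not HP's code or the switch implementation), the Python model below applies the port security rules this reference states: a secure-MAC limit per port (port-security max-mac-count), the blockmac intrusion action that discards frames from an offending source for a fixed three minutes, and the temporary port disable with its silence period (20 seconds by default). The class and function names, the mode labels "blockmac" and "disableport-temporarily", the constructed MAC addresses and the caller-supplied timestamps in seconds are this example's own assumptions.

```python
"""Model of the port security behaviour described above: a per-port secure-MAC
limit (port-security max-mac-count), the blockmac intrusion action with its fixed
three-minute block, and the disableport silence period (20 seconds by default).
Added example; class, method and mode names are this model's own, not the switch's."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

BLOCKMAC_SECONDS = 180            # a blocked MAC is restored to normal after a fixed three minutes
DEFAULT_DISABLEPORT_SECONDS = 20  # default silence period of port-security timer disableport


@dataclass
class SecurePort:
    max_mac_count: int                    # port-security max-mac-count count-value
    intrusion_mode: str                   # "blockmac" or "disableport-temporarily" (this model's labels)
    disableport_timeout: int = DEFAULT_DISABLEPORT_SECONDS
    secure_macs: Set[str] = field(default_factory=set)            # learned secure MAC addresses
    blocked_until: Dict[str, float] = field(default_factory=dict)  # blocked MAC -> expiry time
    disabled_until: float = 0.0                                    # end of the current silence period
    events: List[Tuple[float, str, str]] = field(default_factory=list)  # (time, mac, disposition)

    def receive(self, src_mac: str, now: float) -> str:
        """Classify one inbound frame by its source MAC at time `now` (seconds) and record it."""
        disposition = self._classify(src_mac, now)
        self.events.append((now, src_mac, disposition))
        return disposition

    def _classify(self, src_mac: str, now: float) -> str:
        if now < self.disabled_until:
            return "drop-port-disabled"       # silence period still running: every frame is dropped
        if src_mac in self.secure_macs:
            return "forward"
        until = self.blocked_until.get(src_mac)
        if until is not None:
            if now < until:
                return "drop-blocked"         # source is still on the blocked MAC list
            del self.blocked_until[src_mac]   # block expired: the address is normal again
        if len(self.secure_macs) < self.max_mac_count:
            self.secure_macs.add(src_mac)     # room left: learn it as a secure MAC
            return "learned"
        # Limit reached and the source is unknown: the frame is illegal, apply intrusion protection
        if self.intrusion_mode == "blockmac":
            self.blocked_until[src_mac] = now + BLOCKMAC_SECONDS
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disableport_timeout
        return "intrusion"


def collateral_drops(port: SecurePort) -> int:
    """Frames from already-secure MACs that were dropped only because the port was disabled."""
    return sum(1 for _, mac, d in port.events
               if d == "drop-port-disabled" and mac in port.secure_macs)


if __name__ == "__main__":
    # Constructed scenario: two authorized hosts, then a third (unknown) host appears.
    port = SecurePort(max_mac_count=2, intrusion_mode="disableport-temporarily")
    for t, mac in [(0, "0011-2233-0001"), (1, "0011-2233-0002"), (2, "0011-2233-0003"), (3, "0011-2233-0001")]:
        print(t, mac, port.receive(mac, t))
    print("collateral drops:", collateral_drops(port))
```

Running the two actions side by side shows the trade-off a defender weighs when choosing between them: blockmac isolates only the offending address, whereas disabling the port also silences every MAC that had already been learned for the whole silence period, which collateral_drops() counts.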
ralmlogon: Enables MAC authentication success traps. The port security module sends traps when a MAC authentication is passed. NOTE: RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC address. Description Use port-security trap to enable port security traps. Use undo port-security trap to disable port security traps.
User profile configuration commands display user-profile Syntax display user-profile [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
user-profile enable Syntax user-profile profile-name enable undo user-profile profile-name enable View System view Default level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underscores, and it must start with an English letter. The user profile must already exist.
Use undo user-profile to remove an existing disabled user profile. You cannot remove a user profile that is enabled. By default, no user profiles exist on the device. Related commands: user-profile enable. Examples # Create user profile a123. <Sysname> system-view [Sysname] user-profile a123 [Sysname-user-profile-a123] # Enter the user profile view of a123.
Password control configuration commands display password-control Syntax display password-control [ super ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters super: Displays the password control information of the super passwords. Without this keyword, the command displays the password control information for all passwords.
# Display the password control configuration information for super passwords.
<Sysname> display password-control super
Super password control configurations:
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Table 16 Command output
Field | Description
Password control...
Default level 2: System level Parameters user-name name: Specifies a user by the name, a string of 1 to 80 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
View Local user view Default level 2: System level Parameters None Description Use password to set a password for a local user in interactive mode. Use undo password to remove the password for a local user. Valid characters for a local user password include uppercase letters A to Z; lowercase letters a to z; numbers 0 to 9;...
Use undo password-control aging to restore the default. By default, the global password aging time is 90 days, the password aging time of a user group equals the global setting, and the password aging time of a local user equals that of the user group to which the local user belongs.
<Sysname> system-view
[Sysname] password-control alert-before-expire 10

password-control authentication-timeout
Syntax password-control authentication-timeout authentication-timeout undo password-control authentication-timeout View System view Default level 2: System level Parameters authentication-timeout: Specifies the user authentication timeout time in seconds, in the range of 30 to 120. Description Use password-control authentication-timeout to set the user authentication timeout time.
Use undo password-control complexity check to remove a password complexity checking item. By default, no user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively. Related commands: display password-control.
[Sysname] password-control composition type-number 3 type-length 5
# Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control composition type-number 3 type-length 5
[Sysname-ugroup-test] quit
# Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for local user abc.
View System view Default level 2: System level Parameters delay delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90. times times: Specifies the maximum number of times a user can log in after the password expires, in the range of 0 to 10.
Examples # Set the maximum number of history password records for each user to 10.
<Sysname> system-view
[Sysname] password-control history 10

password-control length
Syntax password-control length length undo password-control length View System view, user group view, local user view Default level 2: System level Parameters length: Specifies the minimum password length in characters, in the range of 4 to 32.
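The three password content rules above (password-control complexity, password-control composition type-number / type-length, and password-control length) can be checked offline before a password is pushed to a device. The Python below is an added example, not HP's code and not the switch's implementation: the function and rule names are this example's own, the four composition types (uppercase, lowercase, digits, other characters) are an assumption since the reference does not enumerate them here, and the username check is a plain case-sensitive substring match as the text states it.

```python
"""Model of the password-control content rules described above: password-control
length, password-control composition type-number / type-length, and the
password-control complexity checks (username, reversed username, and a character
repeated three or more times consecutively). Added example, not HP code."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PasswordPolicy:
    min_length: int = 10          # password-control length (the page's range is 4 to 32)
    type_number: int = 1          # password-control composition type-number
    type_length: int = 1          # password-control composition type-length
    username_check: bool = False  # complexity check: no username or reversed username in the password
    same_char_check: bool = False # complexity check: no character repeated three or more times in a row


def composition_counts(password: str) -> Dict[str, int]:
    """Count characters per composition type. The four types (uppercase, lowercase,
    digits, other) are an assumption of this model; the page does not enumerate them."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def has_triple_repeat(password: str) -> bool:
    """True when any character occurs three or more times consecutively."""
    return any(password[i] == password[i + 1] == password[i + 2]
               for i in range(len(password) - 2))


def check_password(password: str, username: str, policy: PasswordPolicy) -> List[str]:
    """Return the names of the violated rules; an empty list means the password is acceptable."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("length")
    # A type counts only if it contributes at least type_length characters;
    # at least type_number such types are required.
    qualifying_types = sum(1 for n in composition_counts(password).values()
                           if n >= policy.type_length)
    if qualifying_types < policy.type_number:
        violations.append("composition")
    if policy.username_check and username:
        if username in password or username[::-1] in password:
            violations.append("username")
    if policy.same_char_check and has_triple_repeat(password):
        violations.append("same-char")
    return violations


if __name__ == "__main__":
    # Constructed policy mirroring the page's example: 3 types, 5 characters per type, 10-character minimum.
    strict = PasswordPolicy(min_length=10, type_number=3, type_length=5,
                            username_check=True, same_char_check=True)
    for candidate in ["AbCdE12345FgHiJ!@#$%", "abcdefghij", "nimdaAAA12345!!!!!"]:
        print(candidate, "->", check_password(candidate, "admin", strict) or "ok")
```

The composition rule is the one people most often misread: a password with many character types still fails when one of the required types is short of type_length characters, which is why the check counts qualifying types rather than distinct types.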
password-control login idle-time Syntax password-control login idle-time idle-time undo password-control login idle-time View System view Default level 2: System level Parameters idle-time: Specifies the maximum account idle time, in the range of 0 to 365, in days. 0 means no restriction for account idle time.
unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log in. Description Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Use undo password-control login-attempt to restore the default.
password-control password update interval Syntax password-control password update interval interval undo password-control password update interval View System view Default level 2: System level Parameters interval: Specifies the minimum password update interval, in the range of 0 to 168, in hours. 0 means no requirements for password update interval.
By default, the aging time for super passwords is the same as the global password aging time. The setting for super passwords, if present, overrides that for all passwords. Related commands: password-control aging. Examples # Set the aging time for super passwords to 10 days. <Sysname>...
View System view Default level 2: System level Parameters length: Specifies the minimum length for super passwords in characters, in the range of 4 to 16. Description Use password-control super length to set the minimum length for super passwords. Use undo password-control super length to restore the default. By default, the minimum super password length is the same as the global minimum password length.
View User view Default level 3: Manage level Parameters user-name name: Specifies the username of the user whose password records are to be deleted. name is a case-sensitive string of 1 to 80 characters. super: Deletes the history records of the super password specified by the level level combination or the history records of all super passwords.
Public key configuration commands display public-key local public Syntax display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair.
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
# Display the public key information of the local DSA key pair.
<Sysname> display public-key local dsa public
=====================================================
Time of Key pair created: 20:00:16 2012/03/07
Key name: HOST_KEY
Key type: DSA Encryption Key
=====================================================...
Default level 1: Monitor level Parameters brief: Displays brief information about all peer public keys saved on the local device. name publickey-name: Displays information about a peer public key saved on the local device. The publickey-name argument represents a public key by its name, a case-sensitive string of 1 to 64 characters.
# Display brief information about all locally saved peer public keys.
<Sysname> display public-key peer brief
Type Module Name
---------------------------
1024 idrsa
1024 10.1.1.1
Table 20 Command output
Field | Description
Type | Key type, RSA or DSA.
Module | Key modulus length in bits
Name | Name of the public key
peer-public-key end...
Parameters None Description Use public-key-code begin to enter public key code view. Then input the key data in the correct format to specify the peer public key. Spaces and carriage returns are allowed between characters, but are not saved. If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant.
+++++++
+++++++++
# Create a local DSA key pair.
<Sysname> system-view
[Sysname] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
public-key local export dsa Syntax public-key local export dsa { openssh | ssh2 } [ filename ] View System view Default level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh2: Uses the format of SSH2.0. filename: Specifies the name of the file for storing the local public key. For more information about file name, see Fundamentals Configuration Guide.
B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz
WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU
XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH
bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatp
RjxsSrhXFVIdRjxw59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k/uRuuHN0bJfBkOL
o2/RyGqDJIqB4FQwmrkwJuauYGqQy+mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0bvxMdNKR22 dsa-key

public-key local export rsa
Syntax public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ] View System view Default level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh1: Uses the format of SSH1.5.
[Sysname] public-key local export rsa openssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u
t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j
+o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key

public-key peer
Syntax public-key peer keyname undo public-key peer keyname View System view Default level 2: System level Parameters keyname: Specifies a name for the peer public key on the local device, a case-sensitive string of 1 to 64 characters.
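Before a key exported with public-key local export rsa openssh is imported as a peer key elsewhere (or a peer's key is accepted on this switch), it is worth confirming what the line actually encodes: the algorithm and the modulus size that display public-key peer brief later reports in its Module column. The Python below is an added example, not HP's code or the switch's implementation; it parses the RFC 4251 string/mpint layout of an OpenSSH-format public key line, uses the ssh-rsa line printed above (with the output's line wraps removed) as its sample input, and the function names and the minimum-size policy value passed by the caller are this example's own.

```python
"""Parse an OpenSSH-format public key line (what public-key local export rsa openssh
prints) and report its algorithm and modulus size. Added example; not HP code."""
import base64
import struct
from typing import Dict, Tuple

# The ssh-rsa line from the export example above, with the line wraps of the
# printed output removed (the wraps are not part of the key).
PAGE_RSA_OPENSSH_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u"
    "t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j"
    "+o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key"
)


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 'string': 4-byte big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a non-negative integer as an RFC 4251 mpint (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def build_openssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an ssh-rsa public key line from its components (used for a round-trip check)."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_openssh_public_key(line: str) -> Dict[str, object]:
    """Return type, size in bits, exponent (RSA only) and comment of an OpenSSH public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    name, off = _read_string(blob, 0)
    if name.decode("ascii") != key_type:
        raise ValueError("key type inside the blob does not match the line's type field")
    comment = " ".join(fields[2:])
    if key_type == "ssh-rsa":
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        return {"type": key_type, "bits": int.from_bytes(n, "big").bit_length(),
                "exponent": int.from_bytes(e, "big"), "comment": comment}
    if key_type == "ssh-dss":
        p, off = _read_string(blob, off)   # p, q, g, y follow; the size of p is the key size
        return {"type": key_type, "bits": int.from_bytes(p, "big").bit_length(), "comment": comment}
    raise ValueError(f"unsupported key type {key_type}")


def meets_minimum_size(line: str, minimum_bits: int) -> bool:
    """Policy check: reject keys whose modulus (RSA) or prime p (DSA) is below minimum_bits."""
    return parse_openssh_public_key(line)["bits"] >= minimum_bits


if __name__ == "__main__":
    print(parse_openssh_public_key(PAGE_RSA_OPENSSH_KEY))
```

Run against the page's line, the parser reports a 1024-bit ssh-rsa key with exponent 65537 and the comment rsa-key, so a policy requiring 2048-bit peer keys would reject it while a 1024-bit floor would accept it; the base64 is decoded with validate=True so that a key mangled in transit fails loudly instead of yielding a wrong size.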
View System view Default level 2: System level Parameters keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file that saves the peer host public key. For more information about file name, see Fundamentals Configuration Guide.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.
Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Description Use certificate request entity to specify the entity for certificate request. Use undo certificate request entity to remove the configuration. By default, no entity is specified for certificate request. Related commands: pki entity.
undo certificate request mode View PKI domain view Default level 2: System level Parameters auto: Requests certificates in auto mode. key-length: Length of the RSA keys in bits, in the range of 512 to 2048. It is 1024 bits by default. cipher: Sets a ciphertext password for certificate revocation.
Parameters count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range of 1 to 100. interval minutes: Specifies the polling interval in minutes, in the range of 5 to 168. Description Use certificate request polling to specify the certificate request polling interval and attempt limit.
[Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

common-name
Syntax common-name name undo common-name View PKI entity view Default level 2: System level Parameters name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use common-name to configure the common name of an entity, which can be, for example, the user name.
By default, no country code is specified. Examples # Set the country code of an entity to CN.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] country CN

crl check
Syntax crl check { disable | enable } View PKI domain view Default level 2: System level Parameters...
Description Use crl update-period to set the CRL update period, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server. Use undo crl update-period to restore the default. By default, the CRL update period depends on the next update field in the CRL file. Examples # Set the CRL update period to 20 hours.
View Any view Default level 1: Monitor level Parameters ca: Displays the CA certificate. local: Displays the local certificate. domain-name: Name of the PKI domain, a string of 1 to 15 characters. request-status: Displays the status of a certificate request. |: Filters command output by specifying a regular expression.
begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use display pki certificate access-control-policy to display information about certificate attribute-based access control policies.
Examples # Display information about certificate attribute group mygroup.
<Sysname> display pki certificate attribute-group mygroup
attribute group name: mygroup
attribute 1 subject-name
attribute 2 issuer-name fqdn nctn
Table 23 Command output
Field | Description
attribute group name | Name of the certificate attribute group
attribute number | Number of the attribute rule
subject-name...
undo fqdn View PKI entity view Default level 2: System level Parameters name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters. Description Use fqdn to configure the FQDN of an entity. Use undo fqdn to remove the configuration. By default, no FQDN is specified for an entity.
ldap-server Syntax ldap-server ip ip-address [ port port-number ] [ version version-number ] undo ldap-server View PKI domain view Default level 2: System level Parameters ip-address: IP address of the LDAP server, in dotted decimal format. port-number: Port number of the LDAP server, in the range of 1 to 65535. The default is 389. version-number: LDAP version number, either 2 or 3.
Examples # Configure the locality of an entity as city.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] locality city

organization
Syntax organization org-name undo organization View PKI entity view Default level 2: System level Parameters org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description Use organization-unit to specify the name of the organization unit to which this entity belongs. Use undo organization-unit to remove the configuration. By default, no organization unit name is specified for an entity. Examples # Configure the name of the organization unit to which an entity belongs as group1. <Sysname>...
View System view Default level 2: System level Parameters group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all. all: Specifies all certificate attribute groups. Description Use pki certificate attribute-group to create a certificate attribute group and enter its view. Use undo pki certificate attribute-group to delete certificate attribute groups.
pki domain Syntax pki domain domain-name undo pki domain domain-name View System view Default level 2: System level Parameters domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters. Description Use pki domain to create a PKI domain and enter PKI domain view. Use undo pki domain to remove a PKI domain.
Examples # Create a PKI entity named en and enter its view.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]

pki import-certificate
Syntax pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] View System view Default level...
Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters. pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by out-of-band means, such as phone, disk, or email.
The retrieved certificates are stored in the root directory of the switch, with the file name domain-name_ca.cer or domain-name_local.cer according to the certificate type.
Related commands: pki domain.
Examples
# Retrieve the CA certificate from the certificate issuing server.
<Sysname>...
Description
Use pki validate-certificate to examine the validity of a certificate. Certificate validity verification checks that the certificate is signed by the CA and that it has neither expired nor been revoked.
Related commands: pki domain.
Examples
# Verify the validity of the local certificate.
<Sysname>...
rule (PKI CERT ACP view)
Syntax
rule [ id ] { deny | permit } group-name
undo rule { id | all }
View
PKI certificate access control policy view
Default level
2: System level
Parameters
id: Number of the certificate attribute access control rule, in the range of 1 to 16. The default is the smallest unused number in this range.
Parameters
state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included.
Description
Use state to specify the name of the state or province where an entity resides.
Use undo state to remove the configuration.
By default, no state or province is specified.
SSH2.0 configuration commands
SSH2.0 server configuration commands
display ssh server
Syntax
display ssh server { session | status } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
session: Displays the session information of the SSH server.
status: Displays the status information of the SSH server.
Table 25 Command output
Field: Description
SSH Server: Whether the SSH server function is enabled.
SSH version: SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.0.
SSH authentication-timeout: Authentication timeout period.
SSH server key generating interval: SSH server key pair update interval.
Default level
1: Monitor level
Parameters
username: Specifies an SSH username, a string of 1 to 80 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Default level
3: Manage level
Parameters
times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5.
Description
Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users.
Use undo ssh server authentication-retries to restore the default.
Related commands: display ssh server.
Examples
# Set the SSH user authentication timeout period to 10 seconds.
<Sysname> system-view
[Sysname] ssh server authentication-timeout 10

ssh server compatible-ssh1x
Syntax
ssh server compatible-ssh1x [ enable ]
undo ssh server compatible-ssh1x
View
System view
Default level
3: Manage level
Parameters...
Parameters
dscp-value: Specifies the DSCP value in the IPv4 packets sent by the SSH server, which ranges from 0 to
Description
Use ssh server dscp to set the DSCP value for IPv4 packets sent by the SSH server.
Use undo ssh server dscp to restore the default.
By default, the DSCP value in IPv4 packets sent by the SSH server is 16.
View
System view
Default level
2: System level
Parameters
dscp-value: Specifies the DSCP value in the IPv6 packets sent by the SSH server, which ranges from 0 to
Description
Use ssh server ipv6 dscp to set the DSCP value for IPv6 packets sent by the SSH server.
Use undo ssh server ipv6 dscp to restore the default.
For a publickey authentication user, you must configure the username and the public key on the switch. For a password authentication user, you can configure the account information on either the switch or the remote authentication server, such as a RADIUS server. If you use the ssh user command to configure a public key for a user who already has a public key, the new one overwrites the old one.
If neither source IP address nor source interface is specified for the SSH client, the system displays the message "Neither source IP address nor source interface was specified for the Stelnet client."
Related commands: ssh client source.
Examples
# Display the source IP address or source interface of the SSH client.
<Sysname>...
Table 28 Command output
Field: Description
Server Name(IP): Name or IP address of the server
Server public key name: Name of the host public key of the server

ssh client authentication server
Syntax
ssh client authentication server server assign publickey keyname
undo ssh client authentication server server assign publickey
View
System view...
View
System view
Default level
2: System level
Parameters
dscp-value: Specifies the DSCP value in the IPv4 packets sent by the SSH client, which ranges from 0 to
Description
Use ssh client dscp to set the DSCP value for IPv4 packets sent by the SSH client.
Use undo ssh client dscp to restore the default.
Because the server might update its key pairs periodically, clients must obtain the most recent public keys of the server for successful authentication of the server.
Examples
# Enable the first-time authentication function.
<Sysname> system-view
[Sysname] ssh client first-time enable

ssh client ipv6 dscp
Syntax
ssh client ipv6 dscp dscp-value...
Description Use ssh client ipv6 source to specify the source IPv6 address or source interface for the SSH client. Use undo ssh client ipv6 source to remove the configuration. By default, an SSH client uses the IPv6 address of the interface specified by the route of the device to access the SSH server.
When the server uses publickey authentication to authenticate a client, the client needs its local private key to produce the digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify the algorithm for the client (by using the identity-key keyword) so that the correct local private key is used.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
• prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, which defaults to aes128.
• prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, which defaults to sha1-96.
Description
Use ssh2 ipv6 to establish a connection to an IPv6 SSH server and specify the publickey algorithm, the preferred key exchange algorithm, and the preferred encryption and HMAC algorithms between the client and server.
SFTP configuration commands
SFTP server configuration commands
sftp server enable
Syntax
sftp server enable
undo sftp server enable
View
System view
Default level
3: Manage level
Parameters
None
Description
Use sftp server enable to enable the SFTP server function.
Use undo sftp server enable to disable the SFTP server function.
By default, the SFTP server function is disabled.
Description
Use sftp server idle-timeout to set the idle timeout period for SFTP user connections.
Use undo sftp server idle-timeout to restore the default.
By default, the idle timeout period is 10 minutes.
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection.
View
SFTP client view
Default level
3: Manage level
Parameters
remote-path: Specifies the name of a path on the server.
Description
Use cd to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path. You can use the cd ..
View
SFTP client view
Default level
3: Manage level
Parameters
remote-file&<1-10>: Specifies the names of files on the server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
Description
Use delete to delete files from a server. This command functions the same as the remove command.
Examples
# Display detailed information about the files and sub-directories under the current working directory in the form of a list.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup...
View
SFTP client view
Default level
3: Manage level
Parameters
None
Description
Use exit to terminate the connection with a remote SFTP server and return to user view. This command functions the same as the bye and quit commands.
Examples
# Terminate the connection with the remote SFTP server.
sftp-client>...
View
SFTP client view
Default level
3: Manage level
Parameters
all: Displays a list of all commands.
command-name: Specifies the name of a command.
Description
Use help to display a list of all commands or the help information of an SFTP client command. With neither the argument nor the keyword specified, the command displays a list of all commands.
Local file:temp.c ---> Remote file: /temp1.c
Uploading file successfully ended

pwd
Syntax
pwd
View
SFTP client view
Default level
3: Manage level
Parameters
None
Description
Use pwd to display the current working directory of a remote SFTP server.
Examples
# Display the current working directory of the remote SFTP server.
sftp-client>...
remove
Syntax
remove remote-file&<1-10>
View
SFTP client view
Default level
3: Manage level
Parameters
remote-file&<1-10>: Specifies names of files on an SFTP server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
Description
Use remove to delete files from a remote server.
rmdir
Syntax
rmdir remote-path&<1-10>
View
SFTP client view
Default level
3: Manage level
Parameters
remote-path&<1-10>: Specifies the names of directories on the remote SFTP server. &<1-10> means that you can provide up to 10 directory names, separated by spaces.
Description
Use rmdir to delete the specified directories from an SFTP server.
Description
Use sftp client dscp to set the DSCP value for IPv4 packets sent by the SFTP client.
Use undo sftp client dscp to restore the default.
By default, the DSCP value in IPv4 packets sent by the SFTP client is 16.
Examples
# Set the DSCP value to 30 for IPv4 packets sent by the SFTP client.
Parameters
ipv6 ipv6-address: Specifies a source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number.
Description
Use sftp client ipv6 source to specify the source IPv6 address or source interface for an SFTP client.
Use undo sftp client ipv6 source to remove the configuration.
By default, an SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
Examples
# Connect to server 2:5::8:9, using the following connection scheme:
• Preferred key exchange algorithm: dh-group1.
• Preferred encryption algorithm from server to client: aes128.
• Preferred HMAC algorithm from client to server: md5.
• Preferred HMAC algorithm from server to client: sha1-96.
• ...
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
• prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, which defaults to aes128.
• prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, which defaults to sha1-96.
Description
Use scp to transfer files with an SCP server. When the server uses publickey authentication to authenticate a client, the client needs its local private key to produce the digital signature.
SSL configuration commands
ciphersuite
Syntax
ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
View
SSL server policy view
Default level
2: System level
Parameters
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.
client-verify enable
Syntax
client-verify enable
undo client-verify enable
View
SSL server policy view
Default level
2: System level
Parameters
None
Description
Use client-verify enable to configure the SSL server to require the client to pass certificate-based authentication.
Use undo client-verify enable to restore the default.
By default, the SSL server does not require certificate-based SSL client authentication.
Description
Use client-verify weaken to enable SSL client weak authentication.
Use undo client-verify weaken to restore the default.
By default, SSL client weak authentication is disabled.
If the SSL server requires certificate-based client authentication and the SSL client weak authentication function is enabled, whether the client must be authenticated is up to the client.
Field: Description
Server-verify: Whether server authentication is enabled for the SSL client policy

display ssl server-policy
Syntax
display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.
Table 30 Command output
Field: Description
SSL Server Policy: SSL server policy name.
PKI Domain: PKI domain used by the SSL server policy. If no PKI domain is specified for the SSL server policy, nothing is displayed for this field, and the SSL server generates a certificate for itself and does not obtain a certificate from a CA server.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] handshake timeout 3000

pki-domain
Syntax
pki-domain domain-name
undo pki-domain
View
SSL server policy view, SSL client policy view
Default level
2: System level
Parameters
domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters.
Description
Use pki-domain to specify a PKI domain for an SSL server policy or SSL client policy.
Default level
2: System level
Parameters
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
Use undo server-verify enable to disable certificate-based SSL server authentication.
When certificate-based SSL server authentication is disabled, it is assumed that the SSL server is valid.
By default, certificate-based SSL server authentication is enabled.
Related commands: display ssl client-policy.
Examples
# Enable certificate-based SSL server authentication.
ssl client-policy
Syntax
ssl client-policy policy-name
undo ssl client-policy { policy-name | all }
View
System view
Default level
2: System level
Parameters
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all.
You cannot delete an SSL server policy that has been associated with one or more application layer protocols.
Related commands: display ssl server-policy.
Examples
# Create SSL server policy policy1 and enter its view.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1]

version
Syntax...
TCP attack protection configuration commands
display tcp status
Syntax
display tcp status [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
tcp syn-cookie enable
Syntax
tcp syn-cookie enable
undo tcp syn-cookie enable
View
System view
Default level
2: System level
Parameters
None
Description
Use tcp syn-cookie enable to enable the SYN Cookie feature to protect the device against SYN Flood attacks.
Use undo tcp syn-cookie enable to disable the SYN Cookie feature.
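To show what the SYN Cookie feature does once tcp syn-cookie enable is in effect, here is a simplified Python model of the mechanism, added as an illustration and not taken from HP's implementation (the switch's actual cookie layout is not documented on this page). The server encodes a keyed hash of the connection 4-tuple, a coarse timestamp and an MSS bucket into the sequence number of its SYN-ACK instead of allocating a half-open connection; the final ACK is accepted only if that cookie verifies. The MSS table, secret, 64-second time bucket and 2-bucket acceptance window are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

# Constructed MSS buckets: the cookie has only a few bits to remember the
# client's MSS, so it stores the index of the largest bucket <= client MSS.
MSS_TABLE = (536, 1220, 1440, 1460)
COOKIE_BUCKET_SECONDS = 64   # assumption: time granularity of the cookie counter
MAX_AGE_BUCKETS = 2          # assumption: accept cookies up to 2 buckets old


def _digest(secret: bytes, saddr: str, daddr: str, sport: int, dport: int, count: int) -> int:
    """Keyed hash over the 4-tuple and the time counter, truncated to 24 bits."""
    msg = struct.pack("!4s4sHHQ", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, count)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, client_mss, now):
    """Build the ISN the server sends in its SYN-ACK instead of keeping state."""
    count = now // COOKIE_BUCKET_SECONDS
    # Largest MSS bucket not above what the client offered (bucket 0 if smaller).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    low24 = (_digest(secret, saddr, daddr, sport, dport, count) + mss_idx) & 0xFFFFFF
    # Layout (mod 2^32): client ISN + [8-bit time counter][24-bit hash + mss index]
    return (client_isn + (count << 24) + low24) & 0xFFFFFFFF


def check_syn_cookie(secret, saddr, daddr, sport, dport, client_seq, ack_num, now):
    """Validate the handshake's final ACK.

    Returns the MSS recovered from the cookie, or None if the cookie is forged,
    replayed from a different 4-tuple, or older than the acceptance window.
    """
    client_isn = (client_seq - 1) & 0xFFFFFFFF   # the ACK carries ISN+1
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the ACK acknowledges our ISN+1
    diff = (cookie - client_isn) & 0xFFFFFFFF    # strips the client ISN back off
    count_now = now // COOKIE_BUCKET_SECONDS
    for age in range(MAX_AGE_BUCKETS + 1):
        count = count_now - age
        if (count & 0xFF) != (diff >> 24):
            continue                              # timestamp byte does not match this bucket
        h = _digest(secret, saddr, daddr, sport, dport, count)
        mss_idx = ((diff & 0xFFFFFF) - h) & 0xFFFFFF
        if mss_idx < len(MSS_TABLE):
            return MSS_TABLE[mss_idx]            # hash matched: genuine cookie
    return None
```

A SYN flood then costs the server only a hash per SYN and no memory per half-open connection; the trade-off, visible in the code, is that only the MSS survives the round trip, so TCP options the client sent in its SYN are lost.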
vlan vlan-id: Specifies the VLAN for the static binding. vlan-id is the ID of the VLAN to be bound, in the range of 1 to 4094.
Description
Use ip source binding to configure a static IPv4 source guard entry on a port.
Use undo ip source binding to delete a static IPv4 source guard entry from a port.
By default, the IPv4 source guard function is disabled on a port. After you configure the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard entries based on the DHCP snooping entries (on a Layer 2 Ethernet port) or the DHCP-relay entries (on a VLAN interface), and all static IPv4 source guard entries on the port become effective.
Examples
# Set the maximum number of IPv4 source guard entries to 100 on port GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ip verify source max-entries 100...
Description
Use arp source-suppression enable to enable the ARP source suppression function.
Use undo arp source-suppression enable to disable the function.
By default, the ARP source suppression function is disabled.
Related commands: display arp source-suppression.
Examples
# Enable the ARP source suppression function.
<Sysname>...
View
Any view
Default level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
Parameters
disable: Disables ARP packet rate limit.
rate pps: Specifies the ARP packet rate in pps, in the range of 50 to 500.
drop: Discards the packets that exceed the rate.
Description
Use arp rate-limit to configure or disable ARP packet rate limit on an interface.
Use undo arp rate-limit to restore the default.
• In filter detection mode, the device generates a log message and filters out the ARP packets from the MAC address.
• In monitor detection mode, the device only generates a log message.
If no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled.
Parameters
mac-address&<1-10>: Specifies a MAC address list. The mac-address argument indicates a protected MAC address in the format H-H-H. &<1-10> indicates that you can configure up to 10 protected MAC addresses.
Description
Use arp anti-attack source-mac exclude-mac to configure protected MAC addresses that are excluded from ARP packet detection.
Parameters
None
Description
Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function.
Use undo arp anti-attack active-ack enable to restore the default.
By default, the ARP active acknowledgement function is disabled.
This feature is configured on gateway devices to identify invalid ARP packets.
Examples
# Enable the ARP active acknowledgement function.
vlan vlan-id: Specifies the VLAN where the rule applies. The vlan-id argument is in the range of 1 to 4094.
Description
Use arp detection to set a rule for user validity check.
Use undo arp detection to restore the default.
By default, no rule is set for user validity check.
Description Use arp detection validate to configure ARP detection based on specified objects. You can specify one or more objects in one command line. Use undo arp detection validate to remove detected objects. If no keyword is specified, all the detected objects are removed.
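The IPv4 source guard entries described under ip source binding above and the ARP detection user validity and validity checks described here both reduce to the same operation: compare the addresses a frame carries against a per-port binding table. The following Python model, added here as an illustration and not HP's code, shows that comparison over a constructed binding table and constructed sample ARP frames; the check that the ARP sender MAC equals the Ethernet source MAC is an assumption standing in for one of the arp detection validate objects, and the discard counter mirrors what display arp detection statistics reports (numbers of discarded packets only).

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One binding entry: the IP/MAC pair allowed on a given VLAN and port."""
    ip: str
    mac: str
    vlan: int
    port: str


def norm_mac(mac: str) -> str:
    """Normalize the switch's H-H-H notation (e.g. 2-2-2) or aa:bb:cc:dd:ee:ff to 12 hex digits."""
    if "-" in mac:
        parts = [p.zfill(4) for p in mac.split("-")]
    else:
        parts = [p.zfill(2) for p in mac.split(":")]
    digits = "".join(parts).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac}")
    return digits


# Constructed binding table: what static ip source binding entries plus
# DHCP snooping would populate on an access switch.
BINDINGS = (
    Binding("10.1.1.10", "2-2-2", 10, "GigabitEthernet1/0/1"),
    Binding("10.1.1.11", "00e0-fc12-3456", 10, "GigabitEthernet1/0/2"),
)


def find_binding(bindings, port, vlan, ip):
    """Return the binding for (port, VLAN, IP), or None if the IP is not bound there."""
    for b in bindings:
        if b.port == port and b.vlan == vlan and b.ip == ip:
            return b
    return None


def ip_source_guard_permits(bindings, port, vlan, src_ip, src_mac) -> bool:
    """Model of the IPv4 source guard check: forward only if port/VLAN/IP/MAC all match an entry."""
    b = find_binding(bindings, port, vlan, src_ip)
    return b is not None and norm_mac(b.mac) == norm_mac(src_mac)


def arp_detection_verdict(bindings, port, vlan, eth_src_mac, sender_mac, sender_ip) -> str:
    """Model of ARP detection on a user port: 'permit' or a discard reason."""
    # Validity check (assumption: models the src-mac object of arp detection validate):
    # the sender MAC inside the ARP body must equal the Ethernet source MAC.
    if norm_mac(eth_src_mac) != norm_mac(sender_mac):
        return "discard: sender MAC differs from Ethernet source MAC"
    # User validity check: the sender IP/MAC must match a binding on this port and VLAN.
    b = find_binding(bindings, port, vlan, sender_ip)
    if b is None or norm_mac(b.mac) != norm_mac(sender_mac):
        return "discard: no matching binding"
    return "permit"


def discarded_per_interface(bindings, frames) -> dict:
    """Count discarded ARP frames per port, as display arp detection statistics reports."""
    counts = Counter()
    for port, vlan, eth_src, snd_mac, snd_ip in frames:
        if arp_detection_verdict(bindings, port, vlan, eth_src, snd_mac, snd_ip) != "permit":
            counts[port] += 1
    return dict(counts)


# Constructed sample ARP frames: (port, VLAN, Ethernet source MAC, ARP sender MAC, ARP sender IP)
SAMPLE_ARPS = (
    ("GigabitEthernet1/0/1", 10, "2-2-2", "2-2-2", "10.1.1.10"),                       # legitimate
    ("GigabitEthernet1/0/1", 10, "2-2-2", "2-2-2", "10.1.1.1"),                        # claims the gateway IP
    ("GigabitEthernet1/0/2", 10, "00e0-fc12-3456", "0000-0000-0001", "10.1.1.11"),     # inconsistent MACs
    ("GigabitEthernet1/0/2", 10, "00e0-fc12-3456", "00e0-fc12-3456", "10.1.1.11"),     # legitimate
)
```

The model makes the dependency explicit: both features are only as good as the binding table, which is why the switch reports static entries becoming effective only after ip verify source is enabled on the port and why DHCP snooping must be in place for dynamic entries.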
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
Description
Use display arp detection statistics to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces are displayed.
Examples
# Display the ARP detection statistics of all the interfaces.
<Sysname>...
ARP automatic scanning and fixed ARP configuration commands
arp fixup
Syntax
arp fixup
View
System view
Default level
2: System level
Parameters
None
Description
Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries.
Default level
2: System level
Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
Description
Use arp scan to enable ARP automatic scanning in the specified address range for neighbors.
Default level
2: System level
Parameters
ip-address: Specifies the IP address of a protected gateway.
Description
Use arp filter source to enable ARP gateway protection for a specified gateway.
Use undo arp filter source to disable ARP gateway protection for a specified gateway.
By default, ARP gateway protection is disabled.
Examples
# Configure an ARP filtering entry with permitted sender IP address 1.1.1.1 and MAC address 2-2-2.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp filter binding 1.1.1.1 2-2-2...
URPF configuration commands
ip urpf strict
Syntax
ip urpf strict
undo ip urpf
View
System view
Default level
2: System level
Parameters
None
Description
Use ip urpf strict to enable URPF check to prevent source address spoofing attacks.
Use undo ip urpf to disable URPF check.
By default, URPF check is disabled.
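The check that ip urpf strict turns on is a reverse lookup of the packet's source address in the forwarding table. The Python model below is added here to illustrate that decision and is not HP's implementation: the routing table, interface names and packets are constructed, and the handling of the default route (excluded from strict matching unless allow_default is set) and the loose mode function are generalizations of URPF not described on this page.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, outgoing interface), as a FIB lookup would see it.
ROUTES = (
    ("10.0.0.0/8", "GigabitEthernet1/0/1"),
    ("192.0.2.0/24", "GigabitEthernet1/0/2"),
    ("0.0.0.0/0", "GigabitEthernet1/0/3"),   # default route via the uplink
)


def best_route(routes, ip):
    """Longest-prefix match for ip; returns (network, interface) or None."""
    addr = ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_strict(routes, ingress, src_ip, allow_default=False):
    """Strict URPF: the best route back to the source must point out the ingress interface."""
    match = best_route(routes, src_ip)
    if match is None:
        return False                      # no route back to the source at all
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # source reachable only via the default route
    return iface == ingress


def urpf_loose(routes, src_ip, allow_default=False):
    """Loose URPF (generalization, not on this page): any route to the source suffices."""
    match = best_route(routes, src_ip)
    if match is None:
        return False
    return allow_default or match[0].prefixlen > 0


def dropped_by_strict_urpf(routes, packets):
    """Run strict URPF over (ingress interface, source IP) pairs; return the pairs that fail."""
    return [(ingress, src) for ingress, src in packets
            if not urpf_strict(routes, ingress, src)]
```

The strict check rejects a 10.0.0.0/8 source arriving on the 192.0.2.0/24 port, which is the spoofing case the command description targets; the same check also drops legitimate traffic on asymmetric paths, which is why a practitioner verifies the routing table for each ingress interface before enabling it.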
MFF configuration commands
display mac-forced-forwarding interface
Syntax
display mac-forced-forwarding interface [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
View
Any view
Default level
1: Monitor level
Parameters
vlan-id: Specifies a VLAN by its number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
mac-forced-forwarding
Syntax
mac-forced-forwarding { auto | default-gateway gateway-ip }
undo mac-forced-forwarding
View
VLAN view
Default level
2: System level
Parameters
auto: Specifies the automatic mode.
default-gateway gateway-ip: Specifies the IP address of the default gateway in the manual mode.
Description
Use mac-forced-forwarding to enable MFF and specify an MFF operating mode.
Parameters
None
Description
Use mac-forced-forwarding gateway probe to enable periodic gateway MAC address probe. The probe interval is 30 seconds, and the probe mode can be manual or automatic.
Use undo mac-forced-forwarding gateway probe to restore the default.
By default, periodic gateway MAC address probe is disabled.
Make sure you have enabled MFF before enabling periodic gateway MAC address probe.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] mac-forced-forwarding network-port

mac-forced-forwarding server
Syntax
mac-forced-forwarding server server-ip&<1-10>
undo mac-forced-forwarding server [ server-ip&<1-10> ]
View
VLAN view
Default level
2: System level
Parameters
server-ip&<1-10>: Specifies the IP address of a server in the network. &<1-10> means you can specify up to ten server IP addresses in one command line.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• ...
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which ...
Network topology icons
[Generic device icon] Represents a generic network device, such as a router, switch, or firewall.
[Router icon] Represents a routing-capable device, such as a router or Layer 3 switch.
[Switch icon] Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.