HP 6125G Command Reference Manual

Security command reference
HP 6125 Blade Switch Series
Security

Command Reference

Part number: 5998-3171
Software version: Release 2103
Document version: 6W100-20120907

Summary of Contents for HP 6125G

  • Page 1: Command Reference

    HP 6125 Blade Switch Series Security Command Reference Part number: 5998-3171 Software version: Release 2103 Document version: 6W100-20120907...
  • Page 2 HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
  • Page 3: Table Of Contents

    Contents: AAA configuration commands (p. 1); General AAA configuration commands (p. 1); aaa nas-id profile (p. 1); access-limit enable (p. 1); accounting command (p. 2); accounting default (p. 3); accounting lan-access (p. 3); accounting login ...
  • Page 4 key (RADIUS scheme view) (p. 45); nas-ip (RADIUS scheme view) (p. 46); primary accounting (RADIUS scheme view) (p. 47); primary authentication (RADIUS scheme view) (p. 49); radius client (p. 50); radius dscp (p. 51); radius ipv6 dscp (p. 52) ...
  • Page 5 dot1x auth-fail vlan (p. 96); dot1x critical vlan (p. 96); dot1x critical recovery-action (p. 98); dot1x domain-delimiter (p. 98); dot1x guest-vlan (p. 99); dot1x handshake (p. 101); dot1x handshake secure (p. 101); dot1x mandatory-domain (p. 102) ...
  • Page 6 Password control configuration commands (p. 145); display password-control (p. 145); display password-control blacklist (p. 146); password (p. 147); password-control { aging | composition | history | length } enable (p. 148); password-control aging (p. 149) ...
  • Page 7 ldap-server (p. 187); locality (p. 187); organization (p. 188); organization-unit (p. 188); pki certificate access-control-policy (p. 189); pki certificate attribute-group (p. 189); pki delete-certificate (p. 190); pki domain (p. 191); pki entity (p. 191) ...
  • Page 8 help (p. 220); ls (p. 221); mkdir (p. 222); put (p. 222); pwd (p. 223); quit (p. 223); remove (p. 224); rename (p. 224); rmdir (p. 225); sftp (p. 225); sftp client dscp (p. 226) ...
  • Page 9 arp anti-attack source-mac exclude-mac (p. 255); arp anti-attack source-mac threshold (p. 256); display arp anti-attack source-mac (p. 257); ARP packet source mac address consistency check configuration commands (p. 258); arp anti-attack valid-check enable (p. 258); ARP active acknowledgement configuration commands ...
  • Page 10: Aaa Configuration Commands

    AAA configuration commands General AAA configuration commands aaa nas-id profile Syntax aaa nas-id profile profile-name undo aaa nas-id profile profile-name View System view Default level 2: System level Parameters profile-name: Name of the NAS ID profile, a case-insensitive string of 1 to 16 characters. Description Use aaa nas-id profile to create a NAS ID profile and enter its view.
  • Page 11: Accounting Command

    Parameters max-user-number: Maximum number of online users that the ISP domain can accommodate, in the range of 1 to 2147483646. Description Use access-limit enable to set the maximum number of online users in an ISP domain. After the number of online users reaches the allowed maximum number, no more users are accepted. Use undo access-limit enable to restore the default.
  • Page 12: Accounting Default

    [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac accounting default Syntax accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo accounting default View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 13: Accounting Login

    undo accounting lan-access View ISP domain view Default level 2: System level Parameters local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use accounting lan-access to configure the accounting method for LAN users.
  • Page 14: Accounting Optional

    local: Performs local accounting. none: Does not perform any accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use accounting login to configure the accounting method for login users through the console port or through Telnet.
  • Page 15: Authentication Default

    communication with the current accounting server fails. However, the switch no longer sends real-time accounting updates for the user. The accounting optional feature applies to scenarios where accounting is not important. After you configure the accounting optional command, the setting configured by the access-limit command in local user view is not effective.
  • Page 16: Authentication Lan-Access

    [Sysname-isp-test] authentication default radius-scheme rd local authentication lan-access Syntax authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } undo authentication lan-access View ISP domain view Default level 2: System level Parameters local: Performs local authentication. none: Does not perform any authentication.
  • Page 17: Authentication Super

    Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform any authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 18: Authorization Command

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Description Use authentication super to configure the authentication method for user privilege level switching. Use undo authentication super to restore the default. By default, the default authentication method for the ISP domain is used for user privilege level switching authentication.
  • Page 19: Authorization Default

    Related commands: local-user, authorization default, and hwtacacs scheme. Examples # Configure ISP domain test to use local command line authorization. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization command local # Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use local authorization as the backup.
  • Page 20: Authorization Lan-Access

    Examples # Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd and use local authorization as the backup. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization default radius-scheme rd local authorization lan-access Syntax authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] } undo authorization lan-access View ISP domain view...
  • Page 21: Authorization Login

    authorization login Syntax authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] } undo authorization login View ISP domain view Default level 2: System level Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 22: Authorization-Attribute User-Profile

    authorization-attribute user-profile Syntax authorization-attribute user-profile profile-name undo authorization-attribute user-profile View ISP domain view Default level 3: Manage level Parameters profile-name: Name of the user profile, a case-sensitive string of 1 to 31 characters. For more information about user profile configuration, see Security Configuration Guide. Description Use authorization-attribute user-profile to specify the default authorization user profile for an ISP domain.
  • Page 23: Display Connection

    mac-authentication: Indicates MAC address authentication. all: Specifies all user connections. domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a string of 1 to 24 characters. interface interface-type interface-number: Specifies the user connections on an interface.
  • Page 24 View Any view Default level 1: Monitor level Parameters access-type: Specifies the user connections of the specified access type. dot1x: Indicates 802.1X authentication. mac-authentication: Indicates MAC address authentication. domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument refers to the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
  • Page 25 access type. To display connections of such users, use the display connection domain isp-name command and specify the mandatory authentication domain. How the switch displays the username of a user on an interface configured with a mandatory authentication domain depends on the format of the username entered by the user at login: If the username does not contain the character @, the switch displays the username in the format •...
  • Page 26: Display Domain

    Field Description MAC: MAC address of the user. IPv4: IPv4 address of the user. IPv6: IPv6 address of the user. Access: User access type. ACL Group: Authorization ACL group. If no authorization ACL group is assigned, this field displays Disable. User Profile: Authorization user profile.
  • Page 27 State : Active Access-limit : Disabled Accounting method : Required Default authentication scheme : local Default authorization scheme : local Default accounting scheme : local Domain User Template: Idle-cut : Disabled Self-service : Disabled Authorization attributes : Domain : test State : Active Access-limit : Disabled Accounting method : Required...
  • Page 28: Domain

    Field Description Lan-access authorization scheme: Authorization method for LAN users. Lan-access accounting scheme: Accounting method for LAN users. Domain User Template: Indicates some functions and attributes set for users in the domain. Idle-cut: Indicates whether the idle cut function is enabled. With the idle cut function enabled for a domain, the system logs out any user in the domain whose traffic is less than the specified minimum traffic...
  • Page 29: Domain Default Enable

    [Sysname] domain test [Sysname-isp-test] domain default enable Syntax domain default enable isp-name undo domain default enable View System view Default level 3: Manage level Parameters isp-name: Name of the ISP domain, a case-insensitive string of 1 to 24 characters. Description Use domain default enable to specify the default ISP domain.
  • Page 30: Nas-Id Bind Vlan

    Parameters minute: Idle timeout period, in the range of 1 to 600 minutes. flow: Minimum traffic during the idle timeout period, which is in the range of 1 to 10240000 bytes and defaults to 10240. Description Use idle-cut enable to enable the idle cut function and set the relevant parameters. With the idle cut function enabled for a domain, the switch checks the traffic of each online user in the domain at the idle timeout interval, and logs out any user in the domain whose traffic during the idle timeout period is less than the specified minimum traffic.
  • Page 31: Self-Service-Url Enable

    A NAS ID can be bound with more than one VLAN, but one VLAN can be bound with only one NAS ID. If you bind a VLAN with different NAS IDs, only the last binding takes effect. Related commands: aaa nas-id profile. Examples # Bind NAS ID 222 with VLAN 2.
  • Page 32: Local User Configuration Commands

    View ISP domain view Default level 2: System level Parameters active: Places the ISP domain in active state to allow the users in the ISP domain to request network services. block: Places the ISP domain in blocked state to prevent users in the ISP domain from requesting network services.
  • Page 33: Authorization-Attribute (Local User View/User Group View)

    This command takes effect only when local accounting is used for the user account. This limit is not effective for FTP users because accounting is not available for FTP users. Related commands: display local-user. Examples # Limit the maximum number of concurrent users of local user account abc to 5. <Sysname>...
  • Page 34: Bind-Attribute

    security-audit: After passing authentication, a security log administrator can manage security log files, for example, save security log files. For more information about the commands that a security log administrator can use, see Network Management and Monitoring Command Reference. vlan vlan-id: Specifies the authorized VLAN.
  • Page 35: Display Local-User

    View Local user view Default level 3: Manage level Parameters ip ip-address: Specifies the IP address of the user. This option applies only to 802.1X users. location port slot-number subslot-number port-number: Specifies the port to which the user is bound, where slot-number is in the range of 0 to 255, subslot-number is in the range of 0 to 15, and port-number is in the range of 0 to 255.
  • Page 36 Parameters idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled. service-type: Specifies the local users who use a specific type of service. ftp: FTP users. lan-access: Users accessing the network through Ethernet, such as 802.1X users. ...
  • Page 37: Display User-Group

    Authorization attributes: Idle TimeOut: 10(min) Work Directory: flash:/ User Privilege: Acl ID: 2000 Vlan ID: User Profile: prof1 Expiration date: 12:12:12-2018/09/16 Password aging: Enabled (30 days) Password length: Enabled (4 characters) Password composition: Enabled (4 types, 2 characters per type) Total 1 local user(s) matched.
  • Page 38 Default level 2: System level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 39: Expiration-Date (Local User View)

    expiration-date (local user view) Syntax expiration-date time undo expiration-date View Local user view Default level 3: Manage level Parameters time: Expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS indicates the time, where HH ranges from 0 to 23, and MM and SS range from 0 to 59. MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month.
  • Page 40: Group-Attribute Allow-Guest

    Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use group to assign a local user to a user group. Use undo group to restore the default. By default, a local user belongs to the system default user group system. Examples # Assign local user 111 to user group abc.
  • Page 41: Password (Local User View)

    undo local-user { user-name | all [ service-type { ftp | lan-access | ssh | telnet | terminal | web } ] } View System view Default level 3: Manage level Parameters user-name: Name for the local user, a case-sensitive string of 1 to 55 characters that does not contain the domain name.
  • Page 42: Service-Type

    password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 63 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters. Description Use password to configure a password for a local user.
  • Page 43: State (Local User View)

    terminal: Authorizes the user to use the terminal service, allowing the user to log in through the console port. web: Authorizes the user to use the Web service. Description Use service-type to specify the service types that a user can use. Use undo service-type to delete service types configured for a user.
  • Page 44: User-Group

    user-group Syntax user-group group-name undo user-group group-name View System view Default level 3: Manage level Parameters group-name: User group name, a case-insensitive string of 1 to 32 characters. Description Use user-group to create a user group and enter its view. Use undo user-group to remove a user group.
  • Page 45: Radius Configuration Commands

    or YYYY/MM/DD indicates the date, where YYYY ranges from 2000 to 2035, MM ranges from 1 to 12, and the range of DD depends on the month. Except for the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2011/2/2 equals 02:02:00-2011/02/02. Description Use validity-date to set the validity time of a local user.
  • Page 46: Attribute 25 Car

    Use undo accounting-on enable to disable the accounting-on feature. By default, the accounting-on feature is disabled. Parameters set with the accounting-on enable command take effect immediately. After executing the accounting-on enable command, issue the save command to make sure that the command takes effect after the switch reboots.
  • Page 47: Display Radius Scheme

    undo data-flow-format { data | packet } View RADIUS scheme view Default level 2: System level Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 48 begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use display radius scheme to display the configuration of RADIUS schemes.
  • Page 49 Retransmission times for timeout Interval for realtime accounting(minute) : 12 Retransmission times of realtime-accounting packet Retransmission times of stop-accounting packet : 500 Quiet-interval(min) Username format : without-domain Data flow unit : Byte Packet unit : one NAS-IP address : 1.1.1.1 Attribute 25 : car ------------------------------------------------------------------...
  • Page 50: Display Radius Statistics

    Field Description interval: Interval at which the switch retransmits accounting-on packets. Interval for timeout(second): RADIUS server response timeout period, in seconds. Retransmission times for timeout: Maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Interval for realtime: Interval for real-time accounting, in minutes.
  • Page 51 Examples # Display statistics about RADIUS packets. <Sysname> display radius statistics Slot 1:state statistic(total=4096): DEAD = 4096 AuthProc = 0 AuthSucc = 0 AcctStart = 0 RLTSend = 0 RLTWait = 0 AcctStop = 0 OnLine = 0 Stop = 0 Received and Sent packets statistic: Sent PKT total = 1547...
  • Page 52 Table 6 Command output Field Description state statistic: User statistics, by state. DEAD: Number of idle users. AuthProc: Number of users waiting for authentication. AuthSucc: Number of users who have passed authentication. AcctStart: Number of users for whom accounting has been started. RLTSend: Number of users for whom the system sends real-time accounting packets...
  • Page 53: Display Stop-Accounting-Buffer (For Radius)

    Field Description Normal author request: Number of normal authorization requests. Set policy result: Number of responses to the Set policy packets. RADIUS sent messages statistic: Statistics for sent RADIUS messages. Auth accept: Number of accepted authentication packets. Auth reject: Number of rejected authentication packets. EAP auth replying: Number of replying packets of EAP authentication. Account success...
  • Page 54: Key (Radius Scheme View)

    user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain name depends on the setting configured by the user-name-format command for the RADIUS scheme. slot slot-number: Specifies the stop-accounting requests buffered for an IRF member device.
  • Page 55: Nas-Ip (Radius Scheme View)

    authentication: Sets the shared key for secure RADIUS authentication/authorization communication. cipher: Sets a ciphertext shared key. simple: Sets a plaintext shared key. key: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a string of 1 to 64 characters.
  • Page 56: Primary Accounting (Radius Scheme View)

    Parameters ipv4-address: IPv4 address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. ipv6 ipv6-address: Specifies an IPv6 address. It must be an address of the switch and must be a unicast address that is neither a loopback address nor a link-local address.
  • Page 57 ipv6 ipv6-address: Specifies the IPv6 address of the primary accounting server. port-number: Specifies the service port number of the primary RADIUS accounting server, which is a UDP port number in the range of 1 to 65535 and defaults to 1813. key [ cipher | simple ] key: Sets the shared key for secure communication with the primary RADIUS accounting server.
  • Page 58: Primary Authentication (Radius Scheme View)

    primary authentication (RADIUS scheme view) Syntax primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key | probe username name [ interval interval ] | vpn-instance vpn-instance-name ] * undo primary authentication View RADIUS scheme view Default level...
  • Page 59: Radius Client

    The shared key configured by this command takes precedence over that configured by using the key authentication [ cipher | simple ] key command. If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance vpn-instance-name option.
  • Page 60: Radius Dscp

    View System view Default level 2: System level Parameters None Description Use radius client enable to enable the RADIUS listening port of a RADIUS client. Use undo radius client to disable the RADIUS listening port of a RADIUS client. By default, the RADIUS listening port is enabled. When the listening port of the RADIUS client is disabled: No more stop-accounting requests of online users can be sent out or buffered, and the RADIUS ...
  • Page 61: Radius Ipv6 Dscp

    Examples # Set the DSCP value to 6 for IPv4 RADIUS protocol packets. <Sysname> system-view [Sysname] radius dscp 6 radius ipv6 dscp Syntax radius ipv6 dscp dscp-value undo radius ipv6 dscp View System view Default level 2: System level Parameters dscp-value: DSCP value in the protocol packets, which ranges from 0 to 63.
  • Page 62: Radius Scheme

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. With a VPN specified, the command specifies a private-network source IPv4 address. With no VPN specified, the command specifies a public-network source IPv4 address.
  • Page 63: Radius Trap

    A RADIUS scheme can be referenced by more than one ISP domain at the same time. A RADIUS scheme referenced by ISP domains cannot be removed. Related commands: display radius scheme. Examples # Create a RADIUS scheme named radius1 and enter RADIUS scheme view. <Sysname>...
  • Page 64: Reset Radius Statistics

    reset radius statistics Syntax reset radius statistics [ slot slot-number ] View User view Default level 2: System level Parameters slot slot-number: Clears the RADIUS statistics for an IRF member device. The slot-number argument represents the ID of the IRF member device. The value range for the argument depends on the number of member devices and their member IDs in the IRF fabric.
  • Page 65: Retry

    slot slot-number: Clears the stop-accounting requests buffered for an IRF member device. The slot-number argument represents the ID of the IRF member device. The value range for the argument depends on the number of member devices and their member IDs in the IRF fabric. Description Use reset stop-accounting-buffer to clear the buffered stop-accounting requests for which no responses have been received.
  • Page 66: Retry Realtime-Accounting

    [Sysname-radius-radius1] retry 5 retry realtime-accounting Syntax retry realtime-accounting retry-times undo retry realtime-accounting View RADIUS scheme view Default level 2: System level Parameters retry-times: Maximum number of accounting attempts, in the range of 1 to 255. Description Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default.
  • Page 67: Retry Stop-Accounting (Radius Scheme View)

    retry stop-accounting (RADIUS scheme view) Syntax retry stop-accounting retry-times undo retry stop-accounting View RADIUS scheme view Default level 2: System level Parameters retry-times: Maximum number of stop-accounting attempts, in the range of 10 to 65535. Description Use retry stop-accounting to set the maximum number of stop-accounting attempts. Use undo retry stop-accounting to restore the default.
  • Page 68 Default level 2: System level Parameters ipv4-address: Specifies the IPv4 address of the secondary accounting server, in dotted decimal notation. ipv6 ipv6-address: Specifies the IPv6 address of the secondary accounting server. port-number: Specifies the service port number of the secondary RADIUS accounting server, which is a UDP port number in the range of 1 to 65535 and defaults to 1813.
  • Page 69: Secondary Authentication (Radius Scheme View)

    Related commands: key, state, and vpn-instance (RADIUS scheme view). Examples # For RADIUS scheme radius1, set the IP address of the secondary accounting server to 10.110.1.1, the UDP port to 1813, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text. <Sysname>...
  • Page 70 vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS authentication/authorization server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Description Use secondary authentication to specify secondary RADIUS authentication/authorization servers for a RADIUS scheme.
  • Page 71: Security-Policy-Server

    Examples # For RADIUS scheme radius1, set the IP address of the secondary authentication/authorization server to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in cipher text. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B # Specify two secondary authentication/authorization servers for RADIUS scheme radius2, with the server IP addresses of 10.110.1.1 and 10.110.1.2, and the UDP port number of 1813.
  • Page 72: Server-Type

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] security-policy-server 10.110.1.2 server-type Syntax server-type { extended | standard } undo server-type View RADIUS scheme view Default level 2: System level Parameters extended: Specifies the extended RADIUS server (generally running on IMC), which requires the RADIUS client and RADIUS server to interact according to the procedures and packet formats provisioned by the proprietary RADIUS protocol.
  • Page 73: State Secondary

    block: Specifies the blocked state, the out-of-service state. Description Use state primary to set the status of a primary RADIUS server. By default, the primary RADIUS server specified for a RADIUS scheme is in active state. During an authentication or accounting process, the switch first tries to communicate with the primary server if the primary server is in active state.
  • Page 74: Stop-Accounting-Buffer Enable (Radius Scheme View)

    If the switch finds that a secondary server in active state is unreachable, the switch changes the status of the secondary server to blocked, starts a quiet timer for the server, and continues to try to communicate with the next secondary server in active state (a secondary RADIUS server configured earlier has a higher priority).
  • Page 75: Timer Quiet (Radius Scheme View)

    timer quiet (RADIUS scheme view) Syntax timer quiet minutes undo timer quiet View RADIUS scheme view Default level 2: System level Parameters minutes: Server quiet period in minutes, in the range of 0 to 255. If you set this argument to 0, when the switch attempts to send an authentication or accounting request but the current server is unreachable, the switch sends the request to the next server in active state, without changing the current server’s status.
  • Page 76: Timer Response-Timeout (Radius Scheme View)

    Default level 2: System level Parameters minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range of 3 to 60. Description Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default. By default, the real-time accounting interval is 12 minutes.
  • Page 77: User-Name-Format (Radius Scheme View)

    Parameters seconds: RADIUS server response timeout period in seconds, in the range of 1 to 10. Description Use timer response-timeout to set the RADIUS server response timeout timer. Use undo timer response-timeout to restore the default. By default, the RADIUS server response timeout period is 3 seconds. If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request (authentication/authorization or accounting request), it resends the request so that the user has more opportunity to obtain the RADIUS service.
  • Page 78: Vpn-Instance (Radius Scheme View)

    If a RADIUS scheme defines that the username is sent without the ISP domain name, do not apply the RADIUS scheme to more than one ISP domain; otherwise the RADIUS server may treat two users in different ISP domains but with the same userid as one user. For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS scheme does not take effect, and the switch does not change the usernames from clients before forwarding them to the RADIUS server.
  • Page 79: Hwtacacs Configuration Commands

    HWTACACS configuration commands data-flow-format (HWTACACS scheme view) Syntax data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } * undo data-flow-format { data | packet } View HWTACACS scheme view Default level...
  • Page 80 Parameters hwtacacs-scheme-name: HWTACACS scheme name. statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme. Without this keyword, the command displays the configuration of the HWTACACS scheme. slot slot-number: Specifies the configuration or statistics for an IRF member device. The slot-number argument represents the ID of the IRF member device.
  • Page 81 Quiet-interval(min) Realtime-accounting-interval(min) : 12 Response-timeout-interval(sec) Acct-stop-PKT retransmit times : 100 Username format : with-domain Data traffic-unit Packet traffic-unit : one-packet -------------------------------------------------------------------- Table 8 Command output Field Description HWTACACS-server template name Name of the HWTACACS scheme. IP address and port number of the primary authentication server. If no primary authentication server is specified, this field displays Primary-authentication-server 0.0.0.0:0.
  • Page 82 HWTACACS server close number: 10 HWTACACS authen client access request packet number: 10 HWTACACS authen client access response packet number: 6 HWTACACS authen client unknown type number: 0 HWTACACS authen client timeout number: 4 HWTACACS authen client packet dropped number: 4 HWTACACS authen client access request change password number: 0 HWTACACS authen client access request login number: 5 HWTACACS authen client access request send authentication number: 0...
  • Page 83: Display Stop-Accounting-Buffer (For Hwtacacs)

    HWTACACS account client response error number: 0 HWTACACS account client round trip time(s): 0 display stop-accounting-buffer (for HWTACACS) Syntax display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters...
  • Page 84: Hwtacacs Scheme

    Default level 2: System level Parameters ip-address: IP address in dotted decimal notation. It must be an address of the switch and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.
  • Page 85: Key (Hwtacacs Scheme View)

    Description Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view. Use undo hwtacacs scheme to delete an HWTACACS scheme. By default, no HWTACACS scheme exists. An HWTACACS scheme can be referenced by more than one ISP domain at the same time. An HWTACACS scheme referenced by ISP domains cannot be removed.
  • Page 86: Nas-Ip (Hwtacacs Scheme View)

    Examples # Set the shared key for secure HWTACACS accounting communication to hello in plain text. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key accounting simple hello # Set the shared key for secure HWTACACS accounting communication to hello in plain text. <Sysname>...
  • Page 87: Primary Accounting (Hwtacacs Scheme View)

    Examples # Set the source address for outgoing HWTACACS packets to 10.1.1.1. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1 primary accounting (HWTACACS scheme view) Syntax primary accounting ip-address [ port-number | vpn-instance vpn-instance-name ] * undo primary accounting View HWTACACS scheme view Default level...
  • Page 88: Primary Authentication (Hwtacacs Scheme View)

    <Sysname> system-view [Sysname] hwtacacs scheme test1 [Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 primary authentication (HWTACACS scheme view) Syntax primary authentication ip-address [ port-number | vpn-instance vpn-instance-name ] * undo primary authentication View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address of the primary HWTACACS authentication server, in dotted decimal notation.
  • Page 89: Primary Authorization

    primary authorization Syntax primary authorization ip-address [ port-number | vpn-instance vpn-instance-name ] * undo primary authorization View HWTACACS scheme view Default level 2: System level Parameters ip-address: IP address of the primary HWTACACS authorization server, in dotted decimal notation. The default setting is 0.0.0.0.
  • Page 90: Reset Hwtacacs Statistics

    reset hwtacacs statistics Syntax reset hwtacacs statistics { accounting | all | authentication | authorization } [ slot slot-number ] View User view Default level 1: Monitor level Parameters accounting: Clears HWTACACS accounting statistics. all: Clears all HWTACACS statistics. authentication: Clears HWTACACS authentication statistics. authorization: Clears HWTACACS authorization statistics.
  • Page 91: Retry Stop-Accounting (Hwtacacs Scheme View)

    Related commands: stop-accounting-buffer enable and display stop-accounting-buffer. Examples # Clear the stop-accounting requests buffered for HWTACACS scheme hwt1. <Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1 retry stop-accounting (HWTACACS scheme view) Syntax retry stop-accounting retry-times undo retry stop-accounting View HWTACACS scheme view Default level 2: System level Parameters retry-times: Maximum number of stop-accounting request transmission attempts, in the range of 1 to 300.
  • Page 92: Secondary Authentication (Hwtacacs Scheme View)

    port-number: Service port number of the secondary HWTACACS accounting server. It ranges from 1 to 65535 and defaults to 49. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS accounting server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.
  • Page 93: Secondary Authorization

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS authentication server belongs, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Description Use secondary authentication to specify the secondary HWTACACS authentication server. Use undo secondary authentication to remove the configuration.
  • Page 94: Stop-Accounting-Buffer Enable (Hwtacacs Scheme View)

    Description Use secondary authorization to specify the secondary HWTACACS authorization server. Use undo secondary authorization to remove the configuration. By default, no secondary HWTACACS authorization server is specified. The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the configuration fails.
  • Page 95: Timer Quiet (Hwtacacs Scheme View)

    Related commands: reset stop-accounting-buffer and display stop-accounting-buffer. Examples # In HWTACACS scheme hwt1, enable the switch to buffer the stop-accounting requests getting no responses. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] stop-accounting-buffer enable timer quiet (HWTACACS scheme view) Syntax timer quiet minutes undo timer quiet View HWTACACS scheme view...
  • Page 96: Timer Response-Timeout (Hwtacacs Scheme View)

    Parameters minutes: Real-time accounting interval in minutes, zero or a multiple of 3 in the range of 3 to 60. A value of zero means "Do not send online user accounting information to the HWTACACS server." Description Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default.
  • Page 97: User-Name-Format (Hwtacacs Scheme View)

    By default, the HWTACACS server response timeout time is 5 seconds. HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out, the switch is disconnected from the HWTACACS server. Related commands: display hwtacacs. Examples # Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
  • Page 98: Vpn-Instance (Hwtacacs Scheme View)

    vpn-instance (HWTACACS scheme view) Syntax vpn-instance vpn-instance-name undo vpn-instance View HWTACACS scheme view Default level 2: System level Parameters vpn-instance-name: Name of MPLS L3VPN instance, a case-sensitive string of 1 to 31 characters. Description Use vpn-instance to specify a VPN for the HWTACACS scheme. Use undo vpn-instance to remove the configuration.
  • Page 99: 802.1X Configuration Commands

    802.1X configuration commands display dot1x Syntax display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics.
  • Page 100 Configuration: Transmit Period 30 s, Handshake Period 15 s Quiet Period 60 s, Quiet Period Timer is disabled Supp Timeout 30 s, Server Timeout 100 s Reauth Period 3600 s The maximal retransmitting times EAD quick deploy configuration: URL: http://192.168.19.23 Free IP: 192.168.19.0 255.255.255.0 EAD timeout: The maximum 802.1X user resource number is 2048 per slot...
  • Page 101 Table 10 Command output Field Description Equipment 802.1X protocol is enabled Specifies whether 802.1X is enabled globally CHAP authentication is enabled Specifies whether CHAP authentication is enabled EAD quick deploy is enabled Specifies whether EAD fast deployment is enabled Transmit Period Username request timeout timer in seconds Handshake Period Handshake timer in seconds...
  • Page 102: Dot1X

    Field Description Auth-Fail VLAN configured on the port. NOT configured is Auth-fail VLAN displayed if no Auth-Fail VLAN is configured. 802.1X critical VLAN configured on the port. NOT configured Critical VLAN is displayed if no 802.1X critical VLAN is configured on the port.
  • Page 103: Dot1X Authentication-Method

    Parameters interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &...
  • Page 104 undo dot1x authentication-method View System view Default level 2: System level Parameters chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server. eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server.
  • Page 105: Dot1X Auth-Fail Vlan

    [Sysname] dot1x authentication-method pap dot1x auth-fail vlan Syntax dot1x auth-fail vlan authfail-vlan-id undo dot1x auth-fail vlan View Ethernet interface view Default level 2: System level Parameters authfail-vlan-id: Specifies the ID of the Auth-Fail VLAN for the port, in the range of 1 to 4094. Make sure that the VLAN has been created.
  • Page 106 undo dot1x critical vlan View Layer 2 Ethernet interface view Default level 2: System level Parameters vlan-id: Specifies a VLAN ID, in the range of 1 to 4094. Make sure the VLAN has been created. Description Use dot1x critical vlan to configure an 802.1X critical VLAN on a port for 802.1X users that have failed authentication because all the RADIUS authentication servers in their ISP domain are unreachable.
  • Page 107: Dot1X Critical Recovery-Action

    dot1x critical recovery-action Syntax dot1x critical recovery-action reinitialize undo dot1x critical recovery-action View Layer 2 Ethernet interface view Default level 2: System level Parameters reinitialize: Enables the port to trigger 802.1X re-authentication on detection of a reachable RADIUS authentication server for users in the critical VLAN. Description Use dot1x critical recovery-action to configure the action that a port takes when an active (reachable) RADIUS authentication server is detected for users in the critical VLAN.
  • Page 108: Dot1X Guest-Vlan

    Default level 2: System level Parameters string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between delimiters. Available delimiters include the at sign (@), forward slash (/), and backslash (\). Description Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the access device.
  • Page 109 interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] } &<1-10>, where interface-type represents the port type, interface-number represents the port number, and &<1-10> means that you can provide up to 10 ports or port ranges.
  • Page 110: Dot1X Handshake

    dot1x handshake Syntax dot1x handshake undo dot1x handshake View Ethernet Interface view Default level 2: System level Parameters None Description Use dot1x handshake to enable the online user handshake function. The function enables the device to periodically send handshake messages to the client to check whether a user is online. Use undo dot1x handshake to disable the function.
  • Page 111: Dot1X Mandatory-Domain

    By default, the function is disabled. The online user handshake security function is implemented based on the online user handshake function. To bring the security function into effect, make sure the online user handshake function is enabled. HP recommends you use the iNode client software and IMC server to guarantee the normal operation of the online user handshake security function.
  • Page 112: Dot1X Max-User

    [Sysname-GigabitEthernet1/0/1] dot1x mandatory-domain my-domain # After 802.1X user usera passes the authentication, execute the display connection command to display the user connection information on GigabitEthernet 1/0/1. For more information about the display connection command, see "AAA configuration commands." [Sysname-GigabitEthernet1/0/1] display connection interface gigabitethernet 1/0/1 Slot: Index=68 ,Username=usera@my-domian...
  • Page 113: Dot1X Multicast-Trigger

    If you specify the interface-list argument, the command applies to the specified ports. • In Ethernet interface view, the interface-list argument is not available and the command applies to only the Ethernet port. Related commands: display dot1x. Examples # Set the maximum number of concurrent 802.1X users on port GigabitEthernet 1/0/1 to 32. <Sysname>...
  • Page 114: Dot1X Port-Control

    [Sysname-GigabitEthernet1/0/1] dot1x multicast-trigger dot1x port-control Syntax In system view: dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ] undo dot1x port-control [ interface interface-list ] In Ethernet interface view: dot1x port-control { authorized-force | auto | unauthorized-force } undo dot1x port-control View System view, Ethernet interface view...
  • Page 115: Dot1X Port-Method

    [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x port-control unauthorized-force # Set the authorization state of ports GigabitEthernet 1/0/2 through GigabitEthernet 1/0/5 to unauthorized-force. <Sysname> system-view [Sysname] dot1x port-control unauthorized-force interface gigabitethernet 1/0/2 to gigabitethernet 1/0/5 dot1x port-method Syntax In system view: dot1x port-method { macbased | portbased } [ interface interface-list ] undo dot1x port-method [ interface interface-list ] In Ethernet interface view:...
  • Page 116: Dot1X Quiet-Period

    Examples # Configure port GigabitEthernet 1/0/1 to implement port-based access control. <Sysname> system-view [Sysname] dot1x port-method portbased interface gigabitethernet 1/0/1 <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x port-method portbased # Configure ports GigabitEthernet 1/0/2 through GigabitEthernet 1/0/5 to implement port-based access control.
  • Page 117: Dot1X Retry

    View Ethernet interface view Default level 2: System level Parameters None Description Use dot1x re-authenticate to enable the periodic online user re-authentication function. Use undo dot1x re-authenticate to disable the function. By default, the periodic online user re-authentication function is disabled. Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on a port.
  • Page 118: Dot1X Timer

    After the network access device sends an authentication request to a client, if the device receives no response from the client within the username request timeout timer (set with the dot1x timer tx-period tx-period-value command) or the client timeout timer (set with the dot1x timer supp-timeout supp-timeout-value command), the device retransmits the authentication request.
  • Page 119: Dot1X Unicast-Trigger

    The network device uses the following 802.1X timers: • Handshake timer (handshake-period)—Sets the interval at which the access device sends client handshake requests to check the online status of a client that has passed authentication. If the device receives no response after sending the maximum number of handshake requests, it considers that the client has logged off.
  • Page 120: Reset Dot1X Statistics

    The unicast trigger function enables the network access device to initiate 802.1X authentication when it receives a data frame from an unknown source MAC address. The device sends a unicast Identity EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has received no response within a period of time (set with the dot1x timer tx-period command).
  • Page 121: Ead Fast Deployment Configuration Commands

    EAD fast deployment configuration commands dot1x free-ip Syntax dot1x free-ip ip-address { mask-address | mask-length } undo dot1x free-ip { ip-address { mask | mask-length } | all } View System view Default level 2: System level Parameters ip-address: Specifies a freely accessible IP address segment, also called "a free IP." mask: Specifies an IP address mask.
  • Page 122: Dot1X Url

    Parameters ead-timeout-value: Specifies the EAD rule timer in minutes, in the range of 1 to 1440. Description Use dot1x timer ead-timeout to set the EAD rule timer. Use undo dot1x timer ead-timeout to restore the default. By default, the timer is 30 minutes. EAD fast deployment automatically creates an ACL rule, or EAD rule, to open access to the redirect URL for each redirected user seeking to access the network.
  • Page 123 Examples # Configure the redirect URL as http://192.168.0.1. <Sysname> system-view [Sysname] dot1x url http://192.168.0.1...
  • Page 124: Mac Authentication Configuration Commands

    MAC authentication configuration commands display mac-authentication Syntax display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 125 Current user number amounts to 0 Current domain: not configured, use default domain Silent Mac User info: MAC Addr From Port Port Index GigabitEthernet1/0/1 is link-up MAC address authentication is enabled Authenticate success: 0, failed: 0 Max number of on-line users is 2048 Current online user number is 0 MAC Addr Authenticate state...
  • Page 126: Mac-Authentication

    Field Description Whether MAC authentication is enabled on port MAC address authentication is enabled GigabitEthernet1/0/1. MAC authentication statistics, including the number of successful Authenticate success: 0, failed: 0 and unsuccessful authentication attempts Maximum number of concurrent online users allowed on the port.
  • Page 127: Mac-Authentication Domain

    Use mac-authentication interface interface-list in system view to enable MAC authentication on a list of ports, or mac-authentication in interface view to enable MAC authentication on a port. Use undo mac-authentication in system view to disable MAC authentication globally. Use undo mac-authentication interface interface-list in system view to disable MAC authentication on a list of ports, or undo mac-authentication in interface view to disable MAC authentication on a port.
  • Page 128: Mac-Authentication Max-User

    The global authentication domain applies to all MAC authentication enabled ports. A port-specific authentication domain applies only to that port. You can specify different authentication domains on different ports. A port chooses an authentication domain for MAC authentication users in this order: the port-specific domain, then the global domain, and finally the default authentication domain.
  • Page 129: Mac-Authentication Timer

    mac-authentication timer Syntax mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } undo mac-authentication timer { offline-detect | quiet | server-timeout } View System view Default level 2: System level Parameters offline-detect offline-detect-value: Sets the offline detect timer, in the range of 60 to 65535 seconds. This timer sets the interval that the device waits for traffic from a user before it regards the user as idle.
  • Page 130 Default level 2: System level Parameters fixed: Uses a shared account for all MAC authentication users. account name: Specifies the username for the shared account. The name takes a case-insensitive string of 1 to 55 characters. If no username is specified, the default name mac applies. password: Specifies the password for the shared user account.
  • Page 131: Reset Mac-Authentication Statistics

    # Configure a shared account for MAC authentication users: set the username to abc and the password to the ciphertext string $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg. <Sysname> system-view [Sysname] mac-authentication user-name-format fixed account abc password cipher $c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg # Use MAC-based user accounts for MAC authentication users, with each MAC address hyphenated and in upper case.
  • Page 132: Port Security Configuration Commands

    Port security configuration commands display port-security Syntax display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters interface interface-list: Specifies Ethernet ports by an Ethernet port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10>...
  • Page 133 RALM logoff trap is enabled RALM logfailure trap is enabled AutoLearn aging time is 1 minutes Disableport Timeout: 20s OUI value: Index is 1, OUI value is 000d1a Index is 2, OUI value is 003c12 GigabitEthernet1/0/1 is link-down Port mode is userLoginWithOUI NeedToKnow mode is NeedToKnowOnly Intrusion Portection mode is DisablePort Max MAC address number is 50...
  • Page 134 Field Description Whether trapping for MAC authentication failure is enabled or not. If it is RALM logfailure trap enabled, the port sends trap information when a user fails MAC address authentication. Secure MAC aging timer. The timer applies to sticky or dynamic secure MAC AutoLearn aging time addresses.
  • Page 135: Display Port-Security Mac-Address Block

    Field Description Secure MAC address aging type: Security MAC address • absolute—Timer aging aging type • inactivity—Inactivity aging display port-security mac-address block Syntax display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ] View Any view Default level...
  • Page 136: Display Port-Security Mac-Address Security

    --- On slot 1, 1 mac address(es) found --- --- 1 mac address(es) found --- # Display information about all blocked MAC addresses in VLAN 30. <Sysname> display port-security mac-address block vlan 30 MAC ADDR From Port VLAN ID 000f-3d80-0d2d GigabitEthernet1/0/1 --- On slot 1, 1 mac address(es) found --- --- 1 mac address(es) found ---...
  • Page 137 View Any view Default level 2: System level Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094. count: Displays only the count of the secure MAC addresses. |: Filters command output by specifying a regular expression.
  • Page 138: Port-Security Authorization Ignore

    MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 000d-88f8-0577 Security GigabitEthernet1/0/1 NOAGED 1 mac address(es) found # Display information about secure MAC addresses of port GigabitEthernet 1/0/1 in VLAN 1. <Sysname> display port-security mac-address security interface gigabitethernet 1/0/1 vlan MAC ADDR VLAN ID STATE...
  • Page 139: Port-Security Enable

    Related commands: display port-security. Examples # Configure port GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port-security authorization ignore port-security enable Syntax port-security enable undo port-security enable View System view Default level 2: System level Parameters...
  • Page 140: Port-Security Mac-Address Aging-Type Inactivity

    View Layer 2 Ethernet interface view Default level 2: System level Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed.
  • Page 141: Port-Security Mac-Address Dynamic

    Description Use port-security mac-address aging-type inactivity to enable inactivity aging for secure MAC addresses (sticky or dynamic). Use undo port-security mac-address aging-type inactivity to restore the default. By default, the inactivity aging function is disabled. If only an aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address.
  • Page 142: Port-Security Mac-Address Security

    You can display dynamic secure MAC addresses by using the display port-security mac-address security command. Related commands: display port-security mac-address security, mac-address dynamic. Examples # Enable the dynamic secure MAC function on interface GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet1/0/1 [Sysname-GigabitEthernet1/0/1] port-security mac-address dynamic port-security mac-address security Syntax...
  • Page 143: Port-Security Max-Mac-Count

    When a port is operating in autoLearn mode, you can add important or frequently used MAC addresses as sticky or static secure MAC addresses so that the secure MAC address limit does not cause authentication failure. Static secure MAC addresses never age out unless you remove them by using the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
  • Page 144: Port-Security Ntk-Mode

    Default level 2: System level Parameters count-value: Specifies the maximum number of MAC addresses that port security allows on the port. The value is in the range of 1 to 1024. Description Use port-security max-mac-count to set the maximum number of MAC addresses that port security allows on a port.
  • Page 145: Port-Security Oui

    Description Use port-security ntk-mode to configure the NTK feature. Use undo port-security ntk-mode to restore the default. By default, NTK is disabled on a port and all frames are allowed to be sent. The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic.
  • Page 146: Port-Security Port-Mode

    <Sysname> system-view [Sysname] port-security oui 000d-2a10-0033 index 4 port-security port-mode Syntax port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } undo port-security port-mode View Layer 2 Ethernet interface view Default level 2: System level...
  • Page 147 Keyword Security mode Description In this mode, a port performs 802.1X authentication and implements port-based access control. userlogin userLogin If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication. In this mode, a port performs 802.1X authentication and userlogin-secure userLoginSecure implements MAC-based access control.
  • Page 148: Port-Security Timer Autolearn Aging

    [Sysname-GigabitEthernet1/0/1] port-security port-mode secure # Change the port security mode of port GigabitEthernet 1/0/1 to userLogin. [Sysname-GigabitEthernet1/0/1] undo port-security port-mode [Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin port-security timer autolearn aging Syntax port-security timer autolearn aging time-value undo port-security timer autolearn aging View System view Default level 2: System level...
  • Page 149: Port-Security Trap

    Description Use port-security timer disableport to set the silence period during which the port remains disabled. Use undo port-security timer disableport to restore the default. By default, the silence period is 20 seconds. If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, use this command to set the silence period.
  • Page 150 ralmlogon: Enables MAC authentication success traps. The port security module sends traps when a MAC authentication is passed. NOTE: RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC address. Description Use port-security trap to enable port security traps. Use undo port-security trap to disable port security traps.
  • Page 151: User Profile Configuration Commands

    User profile configuration commands display user-profile Syntax display user-profile [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 152: User-Profile Enable

    user-profile enable Syntax user-profile profile-name enable undo user-profile profile-name enable View System view Default level 2: System level Parameters profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only contain English letters, digits, and underscores, and it must start with an English letter. The user profile must already exist.
  • Page 153 Use undo user-profile to remove an existing disabled user profile. You cannot remove a user profile that is enabled. By default, no user profiles exist on the device. Related commands: user-profile enable. Examples # Create user profile a123. <Sysname> system-view [Sysname] user-profile a123 [Sysname-user-profile-a123] # Enter the user profile view of a123.
  • Page 154: Password Control Configuration Commands

    Password control configuration commands display password-control Syntax display password-control [ super ] [ | { begin | exclude | include } regular-expression ] View Any view Default level 2: System level Parameters super: Displays the password control information of the super passwords. Without this keyword, the command displays the password control information for all passwords.
  • Page 155: Display Password-Control Blacklist

    # Display the password control configuration information for super passwords. <Sysname> display password-control super Super password control configurations: Password aging: Enabled (90 days) Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 16 Command output Field Description Password control...
  • Page 156: Password

    Default level 2: System level Parameters user-name name: Specifies a user by the name, a string of 1 to 80 characters. ip ipv4-address: Specifies the IPv4 address of a user. ipv6 ipv6-address: Specifies the IPv6 address of a user. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 157: Password-Control { Aging | Composition | History | Length } Enable

    View Local user view Default level 2: System level Parameters None Description Use password to set a password for a local user in interactive mode. Use undo password to remove the password for a local user. Valid characters for a local user password include uppercase letters A to Z; lowercase letters a to z; numbers 0 to 9;...
  • Page 158: Password-Control Aging

    length: Enables the minimum password length restriction function. Description Use password-control { aging | composition | history | length } enable to enable the password aging, composition restriction, history, or minimum password length restriction function. Use undo password-control { aging | composition | history | length } enable to disable the specified function.
  • Page 159: Password-Control Alert-Before-Expire

    Use undo password-control aging to restore the default. By default, the global password aging time is 90 days, the password aging time of a user group equals the global setting, and the password aging time of a local user equals that of the user group to which the local user belongs.
  • Page 160: Password-Control Authentication-Timeout

    <Sysname> system-view [Sysname] password-control alert-before-expire 10 password-control authentication-timeout Syntax password-control authentication-timeout authentication-timeout undo password-control authentication-timeout View System view Default level 2: System level Parameters authentication-timeout: Specifies the user authentication timeout time in seconds, in the range of 30 to 120. Description Use password-control authentication-timeout to set the user authentication timeout time.
  • Page 161: Password-Control Composition

    Use undo password-control complexity check to remove a password complexity checking item. By default, no user password complexity checking is performed, and a password can contain the username, the reverse of the username, or a character repeated three or more times consecutively. Related commands: display password-control.
  • Page 162: Password-Control Enable

    [Sysname] password-control composition type-number 3 type-length 5 # Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for user group test. [Sysname] user-group test [Sysname-ugroup-test] password-control composition type-number 3 type-length 5 [Sysname-ugroup-test] quit # Set the minimum number of password composition types to 3 and the minimum number of characters of each password composition type to 5 for local user abc.
  • Page 163: Password-Control History

    View System view Default level 2: System level Parameters delay delay: Specifies the maximum number of days during which a user can log in using an expired password. It must be in the range of 1 to 90. times times: Specifies the maximum number of times a user can log in after the password expires, in the range of 0 to 10.
  • Page 164: Password-Control Length

    Examples # Set the maximum number of history password records for each user to 10. <Sysname> system-view [Sysname] password-control history 10 password-control length Syntax password-control length length undo password-control length View System view, user group view, local user view Default level 2: System level Parameters length: Specifies the minimum password length in characters, in the range of 4 to 32.
  • Page 165: Password-Control Login Idle-Time

    password-control login idle-time Syntax password-control login idle-time idle-time undo password-control login idle-time View System view Default level 2: System level Parameters idle-time: Specifies the maximum account idle time, in the range of 0 to 365, in days. 0 means no restriction for account idle time.
  • Page 166 unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log in. Description Use password-control login-attempt to specify the maximum number of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Use undo password-control login-attempt to restore the default.
  • Page 167: Password-Control Password Update Interval

    password-control password update interval Syntax password-control password update interval interval undo password-control password update interval View System view Default level 2: System level Parameters interval: Specifies the minimum password update interval, in the range of 0 to 168, in hours. 0 means no requirements for password update interval.
  • Page 168: Password-Control Super Composition

    By default, the aging time for super passwords is the same as the global password aging time. The setting for super passwords, if present, overrides that for all passwords. Related commands: password-control aging. Examples # Set the aging time for super passwords to 10 days. <Sysname>...
  • Page 169: Reset Password-Control Blacklist

    View System view Default level 2: System level Parameters length: Specifies the minimum length for super passwords in characters, in the range of 4 to 16. Description Use password-control super length to set the minimum length for super passwords. Use undo password-control super length to restore the default. By default, the minimum super password length is the same as the global minimum password length.
  • Page 170 View User view Default level 3: Manage level Parameters user-name name: Specifies the username of the user whose password records are to be deleted. name is a case-sensitive string of 1 to 80 characters. super: Deletes the history records of the super password specified by the level level combination or the history records of all super passwords.
  • Page 171: Public Key Configuration Commands

    Public key configuration commands display public-key local public Syntax display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters dsa: Specifies a DSA key pair. rsa: Specifies an RSA key pair.
  • Page 172: Display Public-Key Peer

    Key name: SERVER_KEY Key type: RSA Encryption Key ===================================================== Key code: 307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12 B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75 1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001 # Display the public key information of the local DSA key pair. <Sysname> display public-key local dsa public ===================================================== Time of Key pair created: 20:00:16 2012/03/07 Key name: HOST_KEY Key type: DSA Encryption Key =====================================================...
  • Page 173 Default level 1: Monitor level Parameters brief: Displays brief information about all peer public keys saved on the local device. name publickey-name: Displays information about a peer public key saved on the local device. The publickey-name argument represents a public key by its name, a case-sensitive string of 1 to 64 characters.
  • Page 174: Peer-Public-Key End

    # Display brief information about all locally saved peer public keys. <Sysname> display public-key peer brief Type Module Name --------------------------- 1024 idrsa 1024 10.1.1.1 Table 20 Command output Field Description Type Key type, RSA or DSA. Module Key modulus length in bits Name Name of the public key peer-public-key end...
  • Page 175: Public-Key-Code End

    Parameters None Description Use public-key-code begin to enter public key code view. Then input the key data in the correct format to specify the peer public key. Spaces and carriage returns are allowed between characters, but are not saved. If the peer device is an HP device, input the key data displayed by the display public-key local public command so that the key is format compliant.
  • Page 176: Public-Key Local Create

    [Sysname] public-key peer key1 [Sysname-pkey-public-key] public-key-code begin [Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC 8014F82515F6335A0A [Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D164 3135877E13B1C531B4 [Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6 B80EB5F52698FCF3D6 [Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1 DDE675AC30CB020301 [Sysname-pkey-key-code]0001 [Sysname-pkey-key-code] public-key-code end [Sysname-pkey-public-key] public-key local create Syntax public-key local create { dsa | rsa } View System view Default level 2: System level Parameters dsa: Specifies a DSA key pair.
  • Page 177: Public-Key Local Destroy

    +++++++ +++++++++ # Create a local DSA key pair. <Sysname> system-view [Sysname] public-key local create dsa The range of public key size is (512 ~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Press CTRL+C to abort.
  • Page 178: Public-Key Local Export Dsa

    public-key local export dsa Syntax public-key local export dsa { openssh | ssh2 } [ filename ] View System view Default level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh2: Uses the format of SSH2.0. filename: Specifies the name of the file for storing the local public key. For more information about file name, see Fundamentals Configuration Guide.
  • Page 179: Public-Key Local Export Rsa

    B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACBANVcLNEKdDt6xcatp RjxsSrhXFVIdRjxw59qZnKhl87GsbgP4ccUp3KmcRzuqpz1qNtfgoZOLzHnG1YGxPp7Q2k/uRuuHN0bJfBkOL o2/RyGqDJIqB4FQwmrkwJuauYGqQy+mgE6dmHn0VG4gAkx9MQxDIBjzbZRX0bvxMdNKR22 dsa-key public-key local export rsa Syntax public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ] View System view Default level 2: System level Parameters openssh: Uses the format of OpenSSH. ssh1: Uses the format of SSH1.5.
  • Page 180: Public-Key Peer

    [Sysname] public-key local export rsa openssh ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j +o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key public-key peer Syntax public-key peer keyname undo public-key peer keyname View System view Default level 2: System level Parameters keyname: Specifies a name for the peer public key on the local device, a case-sensitive string of 1 to 64 characters.
  • Page 181 View System view Default level 2: System level Parameters keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters. filename: Specifies the name of the file that saves the peer host public key. For more information about file name, see Fundamentals Configuration Guide.
  • Page 182: Pki Configuration Commands

    PKI configuration commands attribute Syntax attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn | equ | nctn | nequ } attribute-value undo attribute { id | all } View Certificate attribute group view Default level...
  • Page 183: Ca Identifier

    <Sysname> system-view [Sysname] pki certificate attribute-group mygroup [Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc # Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string abc. [Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc # Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot be 10.0.0.1.
  • Page 184: Certificate Request From

    Parameters entity-name: Name of the entity for certificate request, a case-insensitive string of 1 to 15 characters. Description Use certificate request entity to specify the entity for certificate request. Use undo certificate request entity to remove the configuration. By default, no entity is specified for certificate request. Related commands: pki entity.
  • Page 185: Certificate Request Polling

    undo certificate request mode View PKI domain view Default level 2: System level Parameters auto: Requests certificates in auto mode. key-length: Length of the RSA keys in bits, in the range of 512 to 2048. It is 1024 bits by default. cipher: Sets a ciphertext password for certificate revocation.
  • Page 186: Certificate Request Url

    Parameters count count: Specifies the maximum number of attempts to poll the status of the certificate request, in the range of 1 to 100. interval minutes: Specifies the polling interval in minutes, in the range of 5 to 168. Description Use certificate request polling to specify the certificate request polling interval and attempt limit.
  • Page 187: Common-Name

    [Sysname-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll common-name Syntax common-name name undo common-name View PKI entity view Default level 2: System level Parameters name: Common name of an entity, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use common-name to configure the common name of an entity, which can be, for example, the user name.
  • Page 188: Crl Check

    By default, no country code is specified. Examples # Set the country code of an entity to CN. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] country CN crl check Syntax crl check { disable | enable } View PKI domain view Default level 2: System level Parameters...
  • Page 189: Crl Url

    Description Use crl update-period to set the CRL update period, the interval at which a PKI entity with a certificate downloads the latest CRL from the LDAP server. Use undo crl update-period to restore the default. By default, the CRL update period depends on the next update field in the CRL file. Examples # Set the CRL update period to 20 hours.
  • Page 190 View Any view Default level 1: Monitor level Parameters ca: Displays the CA certificate. local: Displays the local certificate. domain-name: Name of the PKI domain, a string of 1 to 15 characters. request-status: Displays the status of a certificate request. |: Filters command output by specifying a regular expression.
  • Page 191: Display Pki Certificate Access-Control-Policy

    CN=pki test Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00D41D1F … Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS: hyf.xxyyzz.net X509v3 CRL Distribution Points: URI:http://1.1.1.1:447/myca.crl … … Signature Algorithm: md5WithRSAEncryption A3A5A447 4D08387D …...
  • Page 192: Display Pki Certificate Attribute-Group

    begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression. regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters. Description Use display pki certificate access-control-policy to display information about certificate attribute-based access control policies.
  • Page 193: Display Pki Crl Domain

    Examples # Display information about certificate attribute group mygroup. <Sysname> display pki certificate attribute-group mygroup attribute group name: mygroup attribute 1 subject-name attribute 2 issuer-name fqdn nctn Table 23 Command output Field Description attribute group name Name of the certificate attribute group attribute number Number of the attribute rule subject-name...
  • Page 194: Fqdn

    Examples # Display the locally saved CRLs. <Sysname> display pki crl domain 1 Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: C=CN O=abc OU=soft CN=A Test Root Last Update: Jan 5 08:44:19 2012 GMT Next Update: Jan 5 21:42:13 2012 GMT CRL extensions: X509v3 Authority Key Identifier:...
  • Page 195: Ip (Pki Entity View)

    undo fqdn View PKI entity view Default level 2: System level Parameters name-str: Fully qualified domain name (FQDN) of an entity, a case-insensitive string of 1 to 127 characters. Description Use fqdn to configure the FQDN of an entity. Use undo fqdn to remove the configuration. By default, no FQDN is specified for an entity.
  • Page 196: Ldap-Server

    ldap-server Syntax ldap-server ip ip-address [ port port-number ] [ version version-number ] undo ldap-server View PKI domain view Default level 2: System level Parameters ip-address: IP address of the LDAP server, in dotted decimal format. port-number: Port number of the LDAP server, in the range of 1 to 65535. The default is 389. version-number: LDAP version number, either 2 or 3.
  • Page 197: Organization

    Examples # Configure the locality of an entity as city. <Sysname> system-view [Sysname] pki entity 1 [Sysname-pki-entity-1] locality city organization Syntax organization org-name undo organization View PKI entity view Default level 2: System level Parameters org-name: Organization name, a case-insensitive string of 1 to 31 characters. No comma can be included.
  • Page 198: Pki Certificate Access-Control-Policy

    Description Use organization-unit to specify the name of the organization unit to which this entity belongs. Use undo organization-unit to remove the configuration. By default, no organization unit name is specified for an entity. Examples # Configure the name of the organization unit to which an entity belongs as group1. <Sysname>...
  • Page 199: Pki Delete-Certificate

    View System view Default level 2: System level Parameters group-name: Name for the certificate attribute group, a case-insensitive string of 1 to 16 characters. It cannot be a, al, or all. all: Specifies all certificate attribute groups. Description Use pki certificate attribute-group to create a certificate attribute group and enter its view. Use undo pki certificate attribute-group to delete certificate attribute groups.
  • Page 200: Pki Domain

    pki domain Syntax pki domain domain-name undo pki domain domain-name View System view Default level 2: System level Parameters domain-name: PKI domain name, a case-insensitive string of 1 to 15 characters. Description Use pki domain to create a PKI domain and enter PKI domain view. Use undo pki domain to remove a PKI domain.
  • Page 201: Pki Import-Certificate

    Examples # Create a PKI entity named en and enter its view. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] pki import-certificate Syntax pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ] View System view Default level...
  • Page 202: Pki Retrieval-Certificate

    Parameters domain-name: Name of the PKI domain, a string of 1 to 15 characters. password: Password for certificate revocation, a case-sensitive string of 1 to 31 characters. pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to request a certificate by an out-of-band means, such as phone, disk, or email.
  • Page 203: Pki Retrieval-Crl Domain

    The retrieved certificates are stored in the root directory of the switch, with the file name as domain-name_ca.cer or domain-name_local.cer according to the certificate type. Related commands: pki domain. Examples # Retrieve the CA certificate from the certificate issuing server. <Sysname>...
  • Page 204: Root-Certificate Fingerprint

    Description Use pki validate-certificate to examine the validity of a certificate. Certificate validity verification examines whether the certificate is signed by the CA and whether the certificate has neither expired nor been revoked. Related commands: pki domain. Examples # Verify the validity of the local certificate. <Sysname>...
  • Page 205: Rule (Pki Cert Acp View)

    rule (PKI CERT ACP view) Syntax rule [ id ] { deny | permit } group-name undo rule { id | all } View PKI certificate access control policy view Default level 2: System level Parameters id: Number of the certificate attribute access control rule, in the range of 1 to 16. The default is the smallest unused number in this range.
  • Page 206 Parameters state-name: State or province name, a case-insensitive string of 1 to 31 characters. No comma can be included. Description Use state to specify the name of the state or province where an entity resides. Use undo state to remove the configuration. By default, no state or province is specified.
  • Page 207: Ssh2.0 Configuration Commands

    SSH2.0 configuration commands SSH2.0 server configuration commands display ssh server Syntax display ssh server { session | status } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters session: Displays the session information of the SSH server. status: Displays the status information of the SSH server.
  • Page 208: Display Ssh User-Information

    Table 25 Command output Field Description SSH Server Whether the SSH server function is enabled. SSH version SSH protocol version. When the SSH server supports SSH1, the protocol version is 1.99. Otherwise, the protocol version is 2.0. SSH authentication-timeout Authentication timeout period. SSH server key generating interval SSH server key pair update interval.
  • Page 209: Ssh Server Authentication-Retries

    Default level 1: Monitor level Parameters username: Specifies an SSH username, a string of 1 to 80 characters. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 210: Ssh Server Authentication-Timeout

    Default level 3: Manage level Parameters times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5. Description Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default.
  • Page 211: Ssh Server Compatible-Ssh1X

    Related commands: display ssh server. Examples # Set the SSH user authentication timeout period to 10 seconds. <Sysname> system-view [Sysname] ssh server authentication-timeout 10 ssh server compatible-ssh1x Syntax ssh server compatible-ssh1x [ enable ] undo ssh server compatible-ssh1x View System view Default level 3: Manage level Parameters...
  • Page 212: Ssh Server Enable

    Parameters dscp-value: Specifies the DSCP value in the IPv4 packets sent by the SSH server, which ranges from 0 to Description Use ssh server dscp to set the DSCP value for IPv4 packets sent by the SSH server. Use undo ssh server dscp to restore the default. By default, the DSCP value in IPv4 packets sent by the SSH server is 16.
  • Page 213: Ssh Server Rekey-Interval

    View System view Default level 2: System level Parameters dscp-value: Specifies the DSCP value in the IPv6 packets sent by the SSH server, which ranges from 0 to Description Use ssh server ipv6 dscp to set the DSCP value for IPv6 packets sent by the SSH server. Use undo ssh server ipv6 dscp to restore the default.
  • Page 214: Ssh User

    [Sysname] ssh server rekey-interval 3 ssh user Syntax ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname } ssh user username service-type { all | scp | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name } undo ssh user username View...
  • Page 215: Ssh2.0 Client Configuration Commands

    For a publickey authentication user, you must configure the username and the public key on the switch. For a password authentication user, you can configure the account information on either the switch or the remote authentication server, such as a RADIUS server. If you use the ssh user command to configure a public key for a user who has already had a public key, the new one overwrites the old one.
  • Page 216: Display Ssh Server-Info

    If neither source IP address nor source interface is specified for the SSH client, the system displays the message "Neither source IP address nor source interface was specified for the Stelnet client." Related commands: ssh client source. Examples # Display the source IP address or source interface of the SSH client. <Sysname>...
  • Page 217: Ssh Client Authentication Server

    Table 28 Command output
    Field Description
    Server Name(IP): Name or IP address of the server
    Server public key name: Name of the host public key of the server
    ssh client authentication server
    Syntax ssh client authentication server server assign publickey keyname
    undo ssh client authentication server server assign publickey
    View System view...
  • Page 218: Ssh Client First-Time

    View System view Default level 2: System level Parameters dscp-value: Specifies the DSCP value in the IPv4 packets sent by the SSH client, which ranges from 0 to Description Use ssh client dscp to set the DSCP value for IPv4 packets sent by the SSH client. Use undo ssh client dscp to restore the default.
  • Page 219: Ssh Client Ipv6 Dscp

    Because the server might update its key pairs periodically, clients must obtain the most recent public keys of the server for successful authentication of the server.
    Examples # Enable the first-time authentication function.
    <Sysname> system-view
    [Sysname] ssh client first-time enable
    ssh client ipv6 dscp
    Syntax ssh client ipv6 dscp dscp-value...
  • Page 220: Ssh Client Source

    Description Use ssh client ipv6 source to specify the source IPv6 address or source interface for the SSH client. Use undo ssh client ipv6 source to remove the configuration. By default, an SSH client uses the IPv6 address of the interface specified by the route of the device to access the SSH server.
  • Page 221: Ssh2

    ssh2 Syntax ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * View User view...
  • Page 222: Ssh2 Ipv6

    When the server uses publickey authentication to authenticate a client, the client needs its local private key to produce the digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify the algorithm for the client (with the identity-key keyword) so that the client selects the correct local private key.
  • Page 223

    • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
    prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to aes128.
    prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96.
    Description Use ssh2 ipv6 to establish a connection to an IPv6 SSH server and specify the publickey algorithm, the preferred key exchange algorithm, and the preferred encryption and HMAC algorithms between the client and server.
  • Page 224: Sftp Configuration Commands

    SFTP configuration commands
    SFTP server configuration commands
    sftp server enable
    Syntax sftp server enable
    undo sftp server enable
    View System view
    Default level 3: Manage level
    Parameters None
    Description Use sftp server enable to enable the SFTP server function. Use undo sftp server enable to disable the SFTP server function. By default, the SFTP server function is disabled.
  • Page 225: Sftp Client Configuration Commands

    Description Use sftp server idle-timeout to set the idle timeout period for SFTP user connections. Use undo sftp server idle-timeout to restore the default. By default, the idle timeout period is 10 minutes. If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection.
  • Page 226: Cdup

    View SFTP client view Default level 3: Manage level Parameters remote-path: Specifies the name of a path on the server. Description Use cd to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path. You can use the cd ..
  • Page 227: Dir

    View SFTP client view
    Default level 3: Manage level
    Parameters remote-file&<1-10>: Specifies the names of files on the server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
    Description Use delete to delete files from a server. This command is equivalent to the remove command.
  • Page 228: Display Sftp Client Source

    Examples # Display detailed information about the files and sub-directories under the current working directory in the form of a list.
    sftp-client> dir
    -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
    -rwxrwxrwx 1 noone nogroup...
  • Page 229: Get

    View SFTP client view
    Default level 3: Manage level
    Parameters None
    Description Use exit to terminate the connection with a remote SFTP server and return to user view. This command is equivalent to the bye and quit commands.
    Examples # Terminate the connection with the remote SFTP server.
    sftp-client>...
  • Page 230 View SFTP client view Default level 3: Manage level Parameters all: Displays a list of all commands. command-name: Specifies the name of a command. Description Use help to display a list of all commands or the help information of an SFTP client command. With neither the argument nor the keyword specified, the command displays a list of all commands.
  • Page 231: Mkdir

    -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
    -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
    drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
    drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
    -rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
    mkdir
    Syntax...
  • Page 232: Pwd

    Local file:temp.c ---> Remote file: /temp1.c
    Uploading file successfully ended
    pwd
    Syntax pwd
    View SFTP client view
    Default level 3: Manage level
    Parameters None
    Description Use pwd to display the current working directory of a remote SFTP server.
    Examples # Display the current working directory of the remote SFTP server.
    sftp-client>...
  • Page 233: Remove

    remove
    Syntax remove remote-file&<1-10>
    View SFTP client view
    Default level 3: Manage level
    Parameters remote-file&<1-10>: Specifies names of files on an SFTP server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.
    Description Use remove to delete files from a remote server.
  • Page 234: Rmdir

    rmdir
    Syntax rmdir remote-path&<1-10>
    View SFTP client view
    Default level 3: Manage level
    Parameters remote-path&<1-10>: Specifies the names of directories on the remote SFTP server. &<1-10> means that you can provide up to 10 directory names, separated by spaces.
    Description Use rmdir to delete the specified directories from an SFTP server.
  • Page 235: Sftp Client Dscp

    prefer-ctos-hmac: Specifies the preferred HMAC algorithm from client to server, defaulted to sha1-96.
    • md5: Specifies the HMAC algorithm hmac-md5.
    • md5-96: Specifies the HMAC algorithm hmac-md5-96.
    • sha1: Specifies the HMAC algorithm hmac-sha1.
    • sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
    prefer-kex: Specifies the preferred key exchange algorithm, defaulted to dh-group-exchange.
  • Page 236: Sftp Client Ipv6 Dscp

    Description Use sftp client dscp to set the DSCP value for IPv4 packets sent by the SFTP client. Use undo sftp client dscp to restore the default. By default, the DSCP value in IPv4 packets sent by the SFTP client is 16. Examples # Set the DSCP value to 30 for IPv4 packets sent by the SFTP client.
  • Page 237: Sftp Client Source

    Parameters ipv6 ipv6-address: Specifies a source IPv6 address. interface interface-type interface-number: Specifies a source interface by its type and number. Description Use sftp client ipv6 source to specify the source IPv6 address or source interface for an SFTP client. Use undo sftp client ipv6 source to remove the configuration. By default, an SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
  • Page 238: Sftp Ipv6

    <Sysname> system-view
    [Sysname] sftp client source ip 192.168.0.1
    sftp ipv6
    Syntax sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
    View...
  • Page 239

    Examples # Connect to server 2:5::8:9, using the following connection scheme:
    • Preferred key exchange algorithm: dh-group1.
    • Preferred encryption algorithm from server to client: aes128.
    • Preferred HMAC algorithm from client to server: md5.
    • Preferred HMAC algorithm from server to client: sha1-96.
    ...
  • Page 240: Scp Configuration Commands

    SCP configuration commands SCP client configuration commands Command scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * View...
  • Page 241

    • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
    prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to aes128.
    prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96.
    Description Use scp to transfer files with an SCP server. When the server uses publickey authentication to authenticate a client, the client needs its local private key to produce the digital signature.
  • Page 242: Ssl Configuration Commands

    SSL configuration commands
    ciphersuite
    Syntax ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
    View SSL server policy view
    Default level 2: System level
    Parameters rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA.
  • Page 243: Client-Verify Enable

    client-verify enable
    Syntax client-verify enable
    undo client-verify enable
    View SSL server policy view
    Default level 2: System level
    Parameters None
    Description Use client-verify enable to configure the SSL server to require the client to pass certificate-based authentication. Use undo client-verify enable to restore the default. By default, the SSL server does not require certificate-based SSL client authentication.
  • Page 244: Close-Mode Wait

    Description Use client-verify weaken to enable SSL client weak authentication. Use undo client-verify weaken to restore the default. By default, SSL client weak authentication is disabled. If the SSL server requires certificate-based client authentication and the SSL client weak authentication function is enabled, whether the client must be authenticated is up to the client.
  • Page 245: Display Ssl Client-Policy

    Examples # Set the SSL connection close mode to wait.
    <Sysname> system-view
    [Sysname] ssl server-policy policy1
    [Sysname-ssl-server-policy-policy1] close-mode wait
    display ssl client-policy
    Syntax display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
    View Any view
    Default level...
  • Page 246: Display Ssl Server-Policy

    Field Description
    Server-verify: Whether server authentication is enabled for the SSL client policy
    display ssl server-policy
    Syntax display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
    View Any view
    Default level 1: Monitor level
    Parameters policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters.
  • Page 247: Handshake Timeout

    Table 30 Command output
    Field Description
    SSL Server Policy: SSL server policy name.
    PKI Domain: PKI domain used by the SSL server policy. If no PKI domain is specified for the SSL server policy, nothing is displayed for this field, and the SSL server generates a certificate for itself and does not obtain a certificate from a CA server.
  • Page 248: Pki-Domain

    <Sysname> system-view
    [Sysname] ssl server-policy policy1
    [Sysname-ssl-server-policy-policy1] handshake timeout 3000
    pki-domain
    Syntax pki-domain domain-name
    undo pki-domain
    View SSL server policy view, SSL client policy view
    Default level 2: System level
    Parameters domain-name: Name of a PKI domain, a case-insensitive string of 1 to 15 characters.
    Description Use pki-domain to specify a PKI domain for an SSL server policy or SSL client policy.
  • Page 249: Server-Verify Enable

    Default level 2: System level Parameters rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 3DES_EDE_CBC, and the MAC algorithm of SHA. rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA. rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
  • Page 250: Session

    Use undo server-verify enable to disable certificate-based SSL server authentication. When certificate-based SSL server authentication is disabled, it is assumed that the SSL server is valid. By default, certificate-based SSL server authentication is enabled. Related commands: display ssl client-policy. Examples # Enable certificate-based SSL server authentication.
  • Page 251: Ssl Client-Policy

    ssl client-policy
    Syntax ssl client-policy policy-name
    undo ssl client-policy { policy-name | all }
    View System view
    Default level 2: System level
    Parameters policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be a, al, or all.
  • Page 252: Version

    You cannot delete an SSL server policy that has been associated with one or more application layer protocols.
    Related commands: display ssl server-policy.
    Examples # Create SSL server policy policy1 and enter its view.
    <Sysname> system-view
    [Sysname] ssl server-policy policy1
    [Sysname-ssl-server-policy-policy1]
    version
    Syntax...
  • Page 253: Tcp Attack Protection Configuration Commands

    TCP attack protection configuration commands display tcp status Syntax display tcp status [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 254: Tcp Syn-Cookie Enable

    tcp syn-cookie enable
    Syntax tcp syn-cookie enable
    undo tcp syn-cookie enable
    View System view
    Default level 2: System level
    Parameters None
    Description Use tcp syn-cookie enable to enable the SYN Cookie feature to protect the device against SYN Flood attacks. Use undo tcp syn-cookie enable to disable the SYN Cookie feature.
  • Page 255: Ip Source Guard Configuration Commands

    IP source guard configuration commands display ip source binding Syntax display ip source binding [ static ] [ interface interface-type interface-number | ip-address ip-address | mac-address mac-address ] [ slot slot-number ] [ | { begin | exclude | include } regular-expression ] View Any view Default level...
  • Page 256: Ip Source Binding

    MAC Address      IP Address   VLAN   Interface   Type
    040a-0000-4000   10.1.0.9            GE1/0/1     Static
    040a-0000-3000   10.1.0.8            GE1/0/2     DHCP-SNP
    040a-0000-2000   10.1.0.7            GE1/0/2     DHCP-SNP
    # Display all static IPv4 source guard entries.
    <Sysname> display ip source binding static
    Total entries found: 2
    MAC Address      IP Address   VLAN   Interface   Type...
  • Page 257: Ip Verify Source

    vlan vlan-id: Specifies the VLAN for the static binding. vlan-id is the ID of the VLAN to be bound, in the range of 1 to 4094. Description Use ip source binding to configure a static IPv4 source guard entry on a port. Use undo ip source binding to delete a static IPv4 source guard entry from a port.
  • Page 258: Ip Verify Source Max-Entries

    By default, the IPv4 source guard function is disabled on a port. After you configure the IPv4 source guard function on a port, IPv4 source guard dynamically generates IPv4 source guard entries based on the DHCP snooping entries (on a Layer 2 Ethernet port) or the DHCP-relay entries (on a VLAN interface), and all static IPv4 source guard entries on the port become effective.
  • Page 259

    Examples # Set the maximum number of IPv4 source guard entries to 100 on port GigabitEthernet 1/0/1.
    <Sysname> system-view
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] ip verify source max-entries 100
    ...
  • Page 260: Arp Attack Protection Configuration Commands

    ARP attack protection configuration commands ARP defense against IP packet attacks configuration commands arp resolving-route enable Syntax arp resolving-route enable undo arp resolving-route enable View System view Default level 2: System level Parameters None Description Use arp resolving-route enable to enable ARP black hole routing. Use undo arp resolving-route enable to disable the function.
  • Page 261: Arp Source-Suppression Limit

    Description Use arp source-suppression enable to enable the ARP source suppression function. Use undo arp source-suppression enable to disable the function. By default, the ARP source suppression function is disabled. Related commands: display arp source-suppression. Examples # Enable the ARP source suppression function. <Sysname>...
  • Page 262: Arp Packet Rate Limit Configuration Commands

    View Any view Default level 2: System level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 263: Source Mac Address Based Arp Attack Detection Configuration Commands

    Parameters disable: Disables ARP packet rate limit. rate pps: Specifies the ARP packet rate in pps, in the range of 50 to 500. drop: Discards the exceeded packets. Description Use arp rate-limit to configure or disable ARP packet rate limit on an interface. Use undo arp rate-limit to restore the default.
  • Page 264: Arp Anti-Attack Source-Mac Aging-Time

    • In filter detection mode, the device generates a log message and filters out the ARP packets from the MAC address.
    • In monitor detection mode, the device only generates a log message.
    If no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled.
  • Page 265: Arp Anti-Attack Source-Mac Threshold

    Parameters mac-address&<1-10>: Specifies a MAC address list. The mac-address argument indicates a protected MAC address in the format H-H-H. &<1-10> indicates the number of protected MAC addresses that you can configure.
    Description Use arp anti-attack source-mac exclude-mac to configure protected MAC addresses that are excluded from ARP packet detection.
  • Page 266: Display Arp Anti-Attack Source-Mac

    display arp anti-attack source-mac Syntax display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters interface interface-type interface-number: Displays attacking MAC addresses detected on the interface. slot slot-number: Displays attacking MAC addresses detected on a specified IRF member switch.
  • Page 267: Arp Packet Source Mac Address Consistency Check Configuration Commands

    ARP packet source mac address consistency check configuration commands arp anti-attack valid-check enable Syntax arp anti-attack valid-check enable undo arp anti-attack valid-check enable View System view Default level 2: System level Parameters None Description Use arp anti-attack valid-check enable to enable ARP packet source MAC address consistency check on the gateway.
  • Page 268: Arp Detection Configuration Commands

    Parameters None Description Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function. Use undo arp anti-attack active-ack enable to restore the default. By default, the ARP active acknowledgement function is disabled. This feature is configured on gateway devices to identify invalid ARP packets. Examples # Enable the ARP active acknowledgement function.
  • Page 269: Arp Detection Enable

    vlan vlan-id: Specifies the VLAN where the rule applies. The vlan-id argument is in the range of 1 to 4094. Description Use arp detection to set a rule for user validity check. Use undo arp detection to restore the default. By default, no rule is set for user validity check.
  • Page 270: Arp Detection Trust

    arp detection trust
    Syntax arp detection trust
    undo arp detection trust
    View Layer 2 Ethernet interface view, Layer 2 aggregate interface view
    Default level 2: System level
    Parameters None
    Description Use arp detection trust to configure the port as an ARP trusted port. Use undo arp detection trust to restore the default.
  • Page 271: Arp Restricted-Forwarding Enable

    Description Use arp detection validate to configure ARP detection based on specified objects. You can specify one or more objects in one command line. Use undo arp detection validate to remove detected objects. If no keyword is specified, all the detected objects are removed.
  • Page 272: Display Arp Detection Statistics

    Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression. include: Displays all lines that match the specified regular expression.
  • Page 273: Reset Arp Detection Statistics

    Description Use display arp detection statistics to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed. Examples # Display the ARP detection statistics of all the interfaces. <Sysname>...
  • Page 274: Arp Automatic Scanning And Fixed Arp Configuration Commands

    ARP automatic scanning and fixed ARP configuration commands arp fixup Syntax arp fixup View System view Default level 2: System level Parameters None Description Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this command again to change the dynamic ARP entries learned later into static ARP entries.
  • Page 275: Arp Gateway Protection Configuration Commands

    Default level 2: System level Parameters start-ip-address: Specifies the start IP address of the scanning range. end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address. Description Use arp scan to enable ARP automatic scanning in the specified address range for neighbors.
  • Page 276: Arp Filtering Configuration Commands

    Default level 2: System level Parameters ip-address: Specifies the IP address of a protected gateway. Description Use arp filter source to enable ARP gateway protection for a specified gateway. Use undo arp filter source to disable ARP gateway protection for a specified gateway. By default, ARP gateway protection is disabled.
  • Page 277

    Examples # Configure an ARP filtering entry with permitted sender IP address 1.1.1.1 and MAC address 2-2-2.
    <Sysname> system-view
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] arp filter binding 1.1.1.1 2-2-2
    ...
  • Page 278: Nd Attack Defense Configuration Commands

    ND attack defense configuration commands
    ipv6 nd mac-check enable
    Syntax ipv6 nd mac-check enable
    undo ipv6 nd mac-check enable
    View System view
    Default level 2: System level
    Parameters None
    Description Use ipv6 nd mac-check enable to enable source MAC consistency check for ND packets. Use undo ipv6 nd mac-check enable to disable source MAC consistency check for ND packets.
  • Page 279: Urpf Configuration Commands

    URPF configuration commands
    ip urpf strict
    Syntax ip urpf strict
    undo ip urpf
    View System view
    Default level 2: System level
    Parameters None
    Description Use ip urpf strict to enable URPF check to prevent source address spoofing attacks. Use undo ip urpf to disable URPF check. By default, URPF check is disabled.
  • Page 280: Mff Configuration Commands

    MFF configuration commands display mac-forced-forwarding interface Syntax display mac-forced-forwarding interface [ | { begin | exclude | include } regular-expression ] View Any view Default level 1: Monitor level Parameters |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
  • Page 281 View Any view Default level 1: Monitor level Parameters vlan-id: Specifies a VLAN by its number. |: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide. begin: Displays the first line that matches the specified regular expression and all lines that follow. exclude: Displays all lines that do not match the specified regular expression.
  • Page 282: Mac-Forced-Forwarding

    mac-forced-forwarding
    Syntax mac-forced-forwarding { auto | default-gateway gateway-ip }
    undo mac-forced-forwarding
    View VLAN view
    Default level 2: System level
    Parameters auto: Specifies the automatic mode.
    default-gateway gateway-ip: Specifies the IP address of the default gateway in the manual mode.
    Description Use mac-forced-forwarding to enable MFF and specify an MFF operating mode.
  • Page 283: Mac-Forced-Forwarding Network-Port

    Parameters None Description Use mac-forced-forwarding gateway probe to enable periodic gateway MAC address probe. The probe interval is 30 seconds, and the probe mode can be manual or automatic. Use undo mac-forced-forwarding gateway probe to restore the default. By default, periodic gateway MAC address probe is disabled. Make sure you have enabled MFF before enabling periodic gateway MAC address probe.
  • Page 284: Mac-Forced-Forwarding Server

    <Sysname> system-view
    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] mac-forced-forwarding network-port
    mac-forced-forwarding server
    Syntax mac-forced-forwarding server server-ip&<1-10>
    undo mac-forced-forwarding server [ server-ip&<1-10> ]
    View VLAN view
    Default level 2: System level
    Parameters server-ip&<1-10>: Specifies the IP address of a server in the network. &<1-10> means you can specify up to ten server IP addresses in one command line.
  • Page 285: Support And Other Resources

    Support and other resources
    Contacting HP
    For worldwide technical support information, see the HP support website: http://www.hp.com/support
    Before contacting HP, collect the following information:
    • Product model names and numbers
    • Technical support registration number (if applicable)
    • Product serial numbers
    ...
  • Page 286: Conventions

    Conventions
    This section describes the conventions used in this documentation set.
    Command conventions
    Convention Description
    Boldface: Bold text represents commands and keywords that you enter literally as shown.
    Italic: Italic text represents arguments that you replace with actual values.
    [ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
    { x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which...
  • Page 287 Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
  • Page 288: Index

    Index A B C D E F G H I K L M N O P Q R S T U V
    authorization login,12
    authorization-attribute (local user view/user group view),24
    aaa nas-id profile,1
    access-limit,23
    authorization-attribute user-profile,13
    access-limit enable,1
    accounting command,2
    bind-attribute,25
    accounting default,3
    ...
  • Page 289

    display dot1x,90
    dot1x max-user,103
    display hwtacacs,70
    dot1x multicast-trigger,104
    display ip source binding,246
    dot1x port-control,105
    display local-user,26
    dot1x port-method,106
    display mac-authentication,115
    dot1x quiet-period,107
    display mac-forced-forwarding interface,271
    dot1x re-authenticate,107
    display mac-forced-forwarding vlan,271
    dot1x retry,108
    display password-control,145
    dot1x timer,109
    display password-control blacklist,146
    dot1x timer ead-timeout,112
    display pki...
  • Page 290

    entity,191
    import-certificate,192
    mac-authentication,117
    pki request-certificate domain,192
    mac-authentication domain,118
    retrieval-certificate,193
    mac-authentication max-user,119
    pki retrieval-crl domain,194
    mac-authentication timer,120
    validate-certificate,194
    mac-authentication user-name-format,120
    pki-domain,239
    mac-forced-forwarding,273
    port-security authorization ignore,129
    mac-forced-forwarding gateway probe,273
    port-security enable,130
    mac-forced-forwarding network-port,274
    port-security intrusion-mode,130
    mac-forced-forwarding server,275
    port-security mac-address aging-type inactivity,131
    mkdir,222
    port-security mac-address...
  • Page 291

    radius trap,54
    ssh client ipv6 dscp,210
    remove,224
    ssh client ipv6 source,210
    rename,224
    ssh client source,211
    reset arp detection statistics,264
    ssh server authentication-retries,200
    reset dot1x statistics,111
    ssh server authentication-timeout,201
    reset hwtacacs statistics,81
    ssh server compatible-ssh1x,202
    reset mac-authentication statistics,122
    ssh server dscp,202
    reset password-control...
