H3C MSR Series Command Reference Manual

Comware 7 security
H3C MSR Router Series
Comware 7 Security Command Reference
New H3C Technologies Co., Ltd.
http://www.h3c.com.hk
Software version: MSR-CMW710-R0605
Document version: 6W200-20170608

Summary of Contents for H3C MSR Series

  • Page 2 H3CS, H3CIE, H3CNE, Aolynk, Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of New H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners. Notice: The information in this document is subject to change without notice.
  • Page 3 This documentation is intended for: • Network planners. • Field technical support and servicing engineers. • Network administrators working with the H3C MSR Router series. Conventions: The following information describes the conventions used in the documentation.
    Command conventions (Convention: Description)
    Boldface: Bold text represents commands and keywords that you enter literally as shown.
  • Page 4 Command conventions, continued (Convention: Description)
    >: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
    Symbols (Convention: Description)
    WARNING!: An alert that calls attention to important information that if not understood or followed can result in personal injury.
    CAUTION: An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
  • Page 5: Obtaining Documentation

    Obtaining documentation: To access the most up-to-date H3C product documentation, go to the H3C website at http://www.h3c.com.hk. To obtain information about installation, configuration, and maintenance, click http://www.h3c.com.hk/Technical_Documents...
  • Page 6: Table Of Contents

    Contents (entry: page): AAA commands (1); General AAA commands (1); aaa nas-id profile (1); aaa session-limit (2); accounting advpn (2); accounting command (4); accounting default (4); accounting ipoe (5); accounting lan-access (7); accounting login (8); accounting portal ...
  • Page 7 email (66); full-name (67); group (67); local-guest auto-delete enable (68); local-guest email format (68); local-guest email sender (69); local-guest email smtp-server (70); local-guest generate (71); local-guest manager-email (72); local-guest send-email (73); local-guest timer ...
  • Page 8 display hwtacacs scheme (121); hwtacacs nas-ip (123); hwtacacs scheme (124); key (HWTACACS scheme view) (125); nas-ip (HWTACACS scheme view) (126); primary accounting (HWTACACS scheme view) (127); primary authentication (HWTACACS scheme view) (128); primary authorization (130); reset hwtacacs statistics ...
  • Page 9 dot1x smarton retry (182); dot1x smarton switchid (183); dot1x smarton timer supp-timeout (183); dot1x timer (184); dot1x unicast-trigger (186); reset dot1x guest-vlan (187); reset dot1x statistics (187); MAC authentication commands (189); display mac-authentication (189); display mac-authentication connection ...
  • Page 10 display portal packet statistics (260); display portal redirect statistics (265); display portal rule (266); display portal safe-redirect statistics (277); display portal server (279); display portal user (280); display portal user count (294); display portal web-server (295); display web-redirect rule ...
  • Page 11 portal logout-record export (354); portal logout-record max (356); portal mac-trigger-server (357); portal max-user (357); portal nas-id profile (358); portal nas-port-id format (359); portal nas-port-type (361); portal outbound-filter enable (363); portal pre-auth domain (363); portal packet log enable ...
  • Page 12 password-control enable (414); password-control expired-user-login (415); password-control history (416); password-control length (417); password-control login idle-time (418); password-control login-attempt (419); password-control super aging (421); password-control super composition (421); password-control super length (422); password-control update-interval ...
  • Page 13 pki domain (479); pki entity (480); pki export (481); pki import (488); pki request-certificate (492); pki retrieve-certificate (493); pki retrieve-crl (494); pki storage (495); pki validate-certificate (496); public-key dsa (498); public-key ecdsa ...
  • Page 14 reset ipsec statistics (557); reverse-route dynamic (557); reverse-route preference (559); reverse-route tag (559); sa duration (560); sa hex-key authentication (561); sa hex-key encryption (562); sa idle-time (564); sa spi (565); sa string-key (566); security acl ...
  • Page 15 certificate domain (614); config-exchange (615); display ikev2 policy (616); display ikev2 profile (617); display ikev2 proposal (618); display ikev2 sa (619); display ikev2 statistics (623); dh (624); dpd (625); encryption (626); hostname ...
  • Page 16 display ssh user-information (674); scp server enable (675); sftp server enable (676); sftp server idle-timeout (676); ssh ip alias (677); ssh redirect disconnect (678); ssh redirect enable (679); ssh redirect listen-port (680); ssh redirect timeout ...
  • Page 17 pki-domain (727); prefer-cipher (728); server-verify enable (729); session (730); ssl client-policy (731); ssl renegotiation disable (731); ssl server-policy (732); ssl version ssl3.0 disable (733); version (733); SSL VPN commands (735); aaa domain ...
  • Page 18 message-server (780); mtu (781); new-content (781); old-content (782); policy-group (783); port-forward (783); port-forward-item (784); reset counters interface sslvpn-ac (785); resources port-forward (786); resources port-forward-item (786); resources shortcut (787); resources shortcut-list (788); resources url-list ...
  • Page 19 description (NBAR rule view) (833); destination (834); direction (835); disable (836); display app-group (837); display application (839); display application statistics (842); display application statistics top (845); display apr signature information (847); display port-mapping pre-defined ...
  • Page 20 display connection-limit ipv6-stat-nodes (925); display connection-limit statistics (929); display connection-limit stat-nodes (930); limit (935); reset connection-limit statistics (938); Object group commands (940); description (940); display object-group (941); network (IPv4 address object group view) (942); network (IPv6 address object group view) ...
  • Page 21 display attack-defense policy ipv6 (1002); display attack-defense scan attacker ip (1005); display attack-defense scan attacker ipv6 (1007); display attack-defense scan victim ip (1009); display attack-defense scan victim ipv6 (1011); display attack-defense statistics interface (1013); display attack-defense statistics local ...
  • Page 22 syn-flood threshold (1087); udp-flood action (1087); udp-flood detect (1088); udp-flood detect non-specific (1089); udp-flood threshold (1090); whitelist enable (1091); whitelist global enable (1091); whitelist object-group (1092); IP source guard commands (1094); display ip source binding ...
  • Page 23 Crypto engine commands (1129); display crypto-engine (1129); display crypto-engine statistics (1131); reset crypto-engine statistics (1134); FIPS commands (1136); display fips status (1136); fips mode enable (1136); fips self-test (1138); mGRE commands (1142); display mgre session ...
  • Page 24: Aaa Commands

    AAA commands. The device supports FIPS mode, which complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ between FIPS mode and non-FIPS mode. For more information about FIPS mode, see the Security Configuration Guide. IPv6-related parameters are not supported on the following routers: •...
  • Page 25: Aaa Session-Limit

    aaa session-limit
    Use aaa session-limit to set the maximum number of concurrent users that can log on to the device through the specified method. Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified login method.
    Syntax (non-FIPS mode): aaa session-limit { ftp | http | https | ssh | telnet } max-sessions...
  • Page 26 Syntax (non-FIPS mode): accounting advpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }; undo accounting advpn
    Syntax (FIPS mode): accounting advpn { local | radius-scheme radius-scheme-name [ local ] }; undo accounting advpn
    Default: The default accounting methods of the ISP domain are used for ADVPN users.
  • Page 27: Accounting Command

    accounting command
    Use accounting command to specify the command line accounting method. Use undo accounting command to restore the default.
    Syntax: accounting command hwtacacs-scheme hwtacacs-scheme-name; undo accounting command
    Default: The default accounting methods of the ISP domain are used for command line accounting.
    Views: ISP domain view
    Predefined user roles...
  • Page 28: Accounting Ipoe

    accounting default hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] }; undo accounting default
    Default: The default accounting method of an ISP domain is local.
    Views: ISP domain view
    Predefined user roles: network-admin
    Parameters...
  • Page 29 Syntax (non-FIPS mode): accounting ipoe broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }; undo accounting ipoe
    Syntax (FIPS mode): accounting ipoe broadcast...
  • Page 30: Accounting Lan-Access

    [Sysname] domain test
    [Sysname-isp-test] accounting ipoe local
    # In ISP domain test, perform RADIUS accounting for IPoE users based on scheme rd and use local accounting as the backup.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting ipoe radius-scheme rd local
    # In ISP domain test, broadcast accounting requests of IPoE users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
  • Page 31: Accounting Login

    local: Performs local accounting. none: Does not perform accounting. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
    Usage guidelines: You can specify one primary accounting method and multiple backup accounting methods. When the primary method is invalid, the device attempts to use the backup methods in sequence.
  • Page 32 Syntax (non-FIPS mode): accounting login hwtacacs-scheme hwtacacs-scheme-name radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] }; undo accounting login
    Syntax (FIPS mode): accounting login...
  • Page 33: Accounting Portal

    Related commands: accounting default; hwtacacs scheme; local-user; radius scheme
    accounting portal
    Use accounting portal to specify accounting methods for portal users. Use undo accounting portal to restore the default.
    Syntax (non-FIPS mode): accounting portal broadcast radius-scheme radius-scheme-name1 radius-scheme radius-scheme-name2 [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }; undo accounting portal
    Syntax (FIPS mode):...
  • Page 34: Accounting Ppp

    accounting when the RADIUS server is invalid. The device does not perform accounting when both of the previous methods are invalid. The following guidelines apply to broadcast accounting: • The device sends accounting requests to the primary accounting servers in the specified broadcast RADIUS schemes at the same time.
  • Page 35 undo accounting ppp
    Default: The default accounting methods of the ISP domain are used for PPP users.
    Views: ISP domain view
    Predefined user roles: network-admin
    Parameters: broadcast: Broadcasts accounting requests to servers in RADIUS schemes. radius-scheme radius-scheme-name1: Specifies the primary broadcast RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
  • Page 36: Accounting Quota-Out

    # In ISP domain test, broadcast accounting requests of PPP users to RADIUS servers in schemes rd1 and rd2, and use local accounting as the backup.
    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting ppp broadcast radius-scheme rd1 radius-scheme rd2 local
    Related commands: accounting default; hwtacacs scheme...
  • Page 37: Accounting Start-Fail

    undo accounting sslvpn
    Syntax (FIPS mode): accounting sslvpn { local | radius-scheme radius-scheme-name [ local ] }; undo accounting sslvpn
    Default: The default accounting methods of the ISP domain are used for SSL VPN users.
    Views: ISP domain view
    Predefined user roles: network-admin
    Parameters: local: Performs local accounting.
  • Page 38: Accounting Update-Fail

    Syntax: accounting start-fail { offline | online }; undo accounting start-fail
    Default: The device does not perform actions on users that encounter accounting-start failures.
    Views: ISP domain view
    Predefined user roles: network-admin
    Parameters: offline: Logs off users that encounter accounting-start failures. online: Does not perform actions on users that encounter accounting-start failures.
  • Page 39: Authentication Advpn

    <Sysname> system-view
    [Sysname] domain test
    [Sysname-isp-test] accounting update-fail online
    authentication advpn
    Use authentication advpn to specify authentication methods for ADVPN users. Use undo authentication advpn to restore the default.
    Syntax (non-FIPS mode): authentication advpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }; undo authentication advpn
    Syntax (FIPS mode):...
  • Page 40: Authentication Default

    [Sysname-isp-test] authentication advpn radius-scheme rd local Related commands authentication default local-user radius scheme authentication default Use authentication default to specify default authentication methods for an ISP domain. Use undo authentication default to restore the default. Syntax In non-FIPS mode: authentication default hwtacacs-scheme hwtacacs-scheme-name...
  • Page 41: Authentication Ike

    When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid.
  • Page 42: Authentication Ipoe

    When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ike radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication). The device performs RADIUS authentication by default and performs local authentication when the RADIUS server is invalid.
  • Page 43: Authentication Lan-Access

    radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication ipoe radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication).
  • Page 44: Authentication Login

    Parameters ldap-scheme ldap-scheme-name: Specifies an LDAP scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authentication. none: Does not perform authentication. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines You can specify one primary authentication method and multiple backup authentication methods.
  • Page 45 authentication login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] | ldap-scheme ldap-scheme-name [ local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] } undo authentication login Default The default authentication methods of the ISP domain are used for login users. Views ISP domain view Predefined user roles...
  • Page 46: Authentication Portal

    authentication portal Use authentication portal to specify authentication methods for portal users. Use undo authentication portal to restore the default. Syntax In non-FIPS mode: authentication portal { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } undo authentication portal In FIPS mode:...
  • Page 47: Authentication Ppp

    [Sysname-isp-test] authentication portal radius-scheme rd local Related commands authentication default ldap scheme local-user radius scheme authentication ppp Use authentication ppp to specify authentication methods for PPP users. Use undo authentication ppp to restore the default. Syntax In non-FIPS mode: authentication hwtacacs-scheme hwtacacs-scheme-name radius-scheme...
  • Page 48: Authentication Sslvpn

    Examples # In ISP domain test, perform local authentication for PPP users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authentication ppp local # In ISP domain test, perform RADIUS authentication for PPP users based on scheme rd and use local authentication as the backup. <Sysname>...
  • Page 49: Authentication Super

    Usage guidelines You can specify one primary authentication method and multiple backup authentication methods. When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authentication sslvpn radius-scheme radius-scheme-name local none command specifies a primary RADIUS authentication method and two backup methods (local authentication and no authentication).
  • Page 50: Authorization Advpn

    Usage guidelines You can specify one authentication method and one backup authentication method to use in case that the previous authentication method is invalid. If you specify a scheme to provide the method for user role authentication, the following rules apply: •...
  • Page 51: Authorization Command

    Parameters local: Performs local authorization. none: Does not perform authorization. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The RADIUS authorization configuration takes effect only when authentication and authorization methods of the ISP domain use the same RADIUS scheme.
  • Page 52 Views ISP domain view Predefined user roles network-admin Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The authorization server does not verify whether the entered commands are permitted by the user role.
  • Page 53: Authorization Default

    authorization default Use authorization default to specify default authorization methods for an ISP domain. Use undo authorization default to restore the default. Syntax In non-FIPS mode: authorization default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization default In FIPS mode:...
  • Page 54: Authorization Ike

    authorization by default and performs local authorization when the RADIUS server is invalid. The device does not perform authorization when both of the previous methods are invalid. Examples # In ISP domain test, use RADIUS scheme rd as the primary default authorization method and use local authorization as the backup.
  • Page 55: Authorization Ipoe

    Examples # In ISP domain test, perform local authorization for IKE extended authentication. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization ike local Related commands authorization default local-user authorization ipoe Use authorization ipoe to specify authorization methods for IPoE users. Use undo authorization ipoe to restore the default. Syntax In non-FIPS mode: authorization ipoe { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }...
  • Page 56: Authorization Lan-Access

    Examples # In ISP domain test, perform local authorization for IPoE users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization ipoe local # In ISP domain test, perform RADIUS authorization for IPoE users based on scheme rd and use local authorization as the backup. <Sysname>...
  • Page 57: Authorization Login

    When the primary method is invalid, the device attempts to use the backup methods in sequence. For example, the authorization lan-access radius-scheme radius-scheme-name local none command specifies a primary RADIUS authorization method and two backup methods (local authorization and no authorization). The device performs RADIUS authorization by default and performs local authorization when the RADIUS server is invalid.
  • Page 58: Authorization Portal

    Parameters hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a case-insensitive string of 1 to 32 characters. local: Performs local authorization. none: Does not perform authorization. The following default authorization information applies after users pass authentication: • Login users obtain the level-0 user role. For more information about the level-0 user role, see RBAC configuration in Fundamentals Configuration Guide.
  • Page 59 authorization portal { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] } undo authorization portal In FIPS mode: authorization portal { local | radius-scheme radius-scheme-name [ local ] } undo authorization portal Default The default authorization methods of the ISP domain are used for portal users.
  • Page 60: Authorization Ppp

    authorization ppp Use authorization ppp to specify authorization methods for PPP users. Use undo authorization ppp to restore the default. Syntax In non-FIPS mode: authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ] [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ] [ local ] [ none ] } undo authorization ppp In FIPS mode:...
  • Page 61: Authorization Sslvpn

    [Sysname] domain test [Sysname-isp-test] authorization ppp radius-scheme rd local Related commands authorization default hwtacacs scheme local-user radius scheme authorization sslvpn Use authorization sslvpn to specify authorization methods for SSL VPN users. Use undo authorization sslvpn to restore the default. Syntax In non-FIPS mode: authorization sslvpn { ldap-scheme ldap-scheme-name [ local ] [ none ] | local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }...
  • Page 62: Authorization-Attribute (Isp Domain View)

    Examples # In ISP domain test, perform local authorization for SSL VPN users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] authorization sslvpn local # In ISP domain test, perform LDAP authorization for SSL VPN users based on scheme ldp and use local authorization as the backup.
  • Page 63 inbound: Specifies the upload rate of users. outbound: Specifies the download rate of users. cir committed-information-rate: Specifies the committed information rate in kbps, in the range of 1 to 4194303. pir peak-information-rate: Specifies the peak information rate in kbps, in the range of 1 to 4194303. If you do not specify this option, the CAR action does not restrict users by peak information rate.
  • Page 64: Basic-Service-Ip-Type

    you configure the attribute in a portal preauthentication domain, the user profile applies before portal authentication. This option is applicable only to IPoE, LAN, portal, and PPP users. vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the users belong. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.
  • Page 65: Dhcpv6-Follow-Ipv6Cp

    Usage guidelines This command takes effect only when the device acts as a PPPoE server or L2TP LNS. A PPPoE or L2TP user might request multiple services of different IP address types. By default, the device logs off the user if the user does not obtain an IPv4 address. This command enables the device to allow the user to come online if the user has obtained IP addresses of all the specified types for the basic services.
  • Page 66: Display Domain

    Examples # In ISP domain test, set the DHCPv6 request timeout timer to 90 seconds for PPPoE and L2TP users. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] dhcpv6-follow-ipv6cp timeout 90 Related commands basic-service-ip-type display domain Use display domain to display ISP domain configuration. Syntax display domain [ isp-name ] Views...
  • Page 67 Login authentication scheme: RADIUS=rad Login authorization scheme: HWTACACS=hw Super authentication scheme: RADIUS=rad Command authorization scheme: HWTACACS=hw LAN access authentication scheme: RADIUS=r4 accounting scheme: RADIUS=r1, (RADIUS=r2), HWTACACS=tc, Local Portal authentication scheme: LDAP=ldp IPoE authentication scheme: RADIUS=rad, Local, None SSL VPN authentication scheme: LDAP=ldp, Local, None SSL VPN authorization scheme:...
  • Page 68 Field Description Default authentication scheme Default authentication method. Default authorization scheme Default authorization method. Default accounting scheme Default accounting method. Access control for users that encounter accounting-start failures: • Accounting start failure action Online—Does not perform actions on the users. •...
  • Page 69 Field Description User profile Name of the authorization user profile. Authorized inbound CAR: • Inbound CAR CIR—Committed information rate in bps. • PIR—Peak information rate in bps. Authorized outbound CAR: • Outbound CAR CIR—Committed information rate in bps. • PIR—Peak information rate in bps. ACL number Authorization ACL for users.
  • Page 70: Domain

    Field Description IKE authentication scheme IKE extended authentication methods. IKE authorization scheme Authorization methods for IKE extended authentication. IPoE authentication scheme Authentication methods for IPoE users. IPoE authorization scheme Authorization methods for IPoE users. IPoE accounting scheme Accounting methods for IPoE users. SSL VPN authentication scheme Authentication methods for SSL VPN users.
  • Page 71: Domain Default Enable

    Use short domain names to ensure that user names containing a domain name do not exceed the maximum name length required by different types of users. Examples # Create an ISP domain named test and enter ISP domain view. <Sysname> system-view [Sysname] domain test [Sysname-isp-test] Related commands...
  • Page 72: Domain If-Unknown

    domain domain if-unknown Use domain if-unknown to specify an ISP domain that accommodates users that are assigned to nonexistent domains. Use undo domain if-unknown to restore the default. Syntax domain if-unknown isp-domain-name undo domain if-unknown Default No ISP domain is specified to accommodate users that are assigned to nonexistent domains. Views System view Predefined user roles...
  • Page 73: Nas-Id Bind Vlan

    nas-id bind vlan Use nas-id bind vlan to bind a NAS-ID with a VLAN. Use undo nas-id bind vlan to remove a NAS-ID and VLAN binding. Syntax nas-id nas-identifier bind vlan vlan-id undo nas-id nas-identifier bind vlan vlan-id Default No NAS-ID and VLAN bindings exist. Views NAS-ID profile view Predefined user roles...
  • Page 74: Session-Time Include-Idle-Time

    Predefined user roles network-admin Parameters hsi: Specifies the High-Speed Internet (HSI) service. This service is applicable to PPP, 802.1X, and IPoE leased line users. stb: Specifies the Set Top Box (STB) service. This service is applicable to STB users. voip: Specifies the Voice over IP (VoIP) service. This service is applicable to IP phone users. Usage guidelines You can configure only one service type for one ISP domain.
  • Page 75: State (Isp Domain View)

    • If the session-time include-idle-time command is configured, the device adds the idle cut period or user online detection interval to the actual online duration. The user online detection period is supported only by portal authentication. The online duration sent to the server is longer than the actual online duration of the user.
  • Page 76: User-Address-Type

    user-address-type Use user-address-type to specify the user address type in the ISP domain. Use undo user-address-type to restore the default. Syntax user-address-type { ds-lite | ipv6 | nat64 | private-ds | private-ipv4 | public-ds | public-ipv4 } undo user-address-type Default No user address type is specified for the ISP domain.
  • Page 77: Authorization-Attribute (Local User View/User Group View)

    Default The number of concurrent logins using the local user name is not limited. Views Local user view Predefined user roles network-admin Parameters max-user-number: Specifies the maximum number of concurrent logins, in the range of 1 to 1024. Usage guidelines This command takes effect only when local accounting is configured for the local user.
  • Page 78 Predefined user roles network-admin Parameters acl acl-number: Specifies an authorization ACL. The value range for the acl-number argument is 2000 to 5999. After passing authentication, a local user can access the network resources specified by this ACL. callback-number callback-number: Specifies an authorized PPP callback number. The callback-number argument is a case-sensitive string of 1 to 64 characters.
  • Page 79 work-directory directory-name: Specifies an FTP, SFTP, or SCP working directory. The directory-name argument is a case-insensitive string of 1 to 255 characters. The directory must already exist. Usage guidelines Configure authorization attributes according to the application environments and purposes. Support for authorization attributes depends on the service types of users.
  • Page 80: Bind-Attribute

    [Sysname] local-user abc class network [Sysname-luser-network-abc] authorization-attribute vlan 2 # Configure the authorized VLAN of user group abc as VLAN 3. <Sysname> system-view [Sysname] user-group abc [Sysname-ugroup-abc] authorization-attribute vlan 3 # Assign the security-audit user role to device management user xyz as the authorized user role. <Sysname>...
  • Page 81: Company

    Usage guidelines To perform local authentication of a user, the device matches the actual user attributes with the configured binding attributes. If the user has a non-matching attribute or lacks a required attribute, the user will fail authentication. Binding attribute check takes effect on all access services. Configure the binding attributes for a user based on the access services and make sure the device can obtain all attributes to be checked from the user's packet.
  • Page 82: Description

    [Sysname] local-user abc class network guest [Sysname-luser-network(guest)-abc] company yyy Related commands display local-user description Use description to configure a description for a network access user. Use undo description to restore the default. Syntax description text undo description Default No description is configured for a network access user. Views Network access user view Predefined user roles...
  • Page 83: Display Local-User

    Parameters user-name user-name: Specifies a local guest by the user name, a case-sensitive string of 1 to 55 characters. The name cannot contain a domain name. If you do not specify a guest, this command displays pending registration requests for all local guests. Usage guidelines On the Web registration page, users submit local guest registration requests for approval.
  • Page 84 network-operator Parameters class: Specifies the local user type. manage: Device management user. network: Network access user. guest: Guest user account. idle-cut { disable | enable }: Specifies local users with the idle cut feature disabled or enabled. service-type: Specifies the local users that use a specific type of service. •...
  • Page 85 Password control configurations: Password aging: Enabled (3 days) Network access user jj: State: Active Service type: Lan-access User group: system Bind attributes: IP address: 2.2.2.2 Location bound: GigabitEthernet1/0/1 MAC address: 0001-0001-0001 VLAN ID: Calling number: Authorization attributes: Idle timeout: 33 minutes Work directory: flash: ACL number:...
  • Page 86 Field Description IP address IP address of the local user. Location bound Binding port of the local user. MAC address MAC address of the local user. VLAN ID Binding VLAN of the local user. Calling number Calling number of the ISDN user. Authorization attributes Authorization attributes of the local user.
  • Page 87: Display User-Group

    Field Description This field appears only when password complexity checking is enabled. The field also displays the following information in parentheses: • Password complexity Whether the password can contain the username or the reverse of the username. • Whether the password can contain any character repeated consecutively three or more times.
  • Page 88 User group: system Authorization attributes: Work directory: flash: User group: jj Authorization attributes: Idle timeout: 2 minutes Callback number: Work directory: flash:/ ACL number: 2000 VLAN ID: User profile: SSL VPN policy group: policygroup1 Password control configurations: Password aging: Enabled (2 days) Table 4 Command output Field Description...
  • Page 89: Email

    Field Description This field appears only when password composition checking is enabled. The field also displays the following information in parentheses: Password composition • Minimum number of character types that the password must contain. • Minimum number of characters from each type in the password. This field appears only when password complexity checking is enabled.
  • Page 90: Full-Name

    full-name Use full-name to configure the name of a local guest. Use undo full-name to restore the default. Syntax full-name name-string undo full-name Default No name is configured for a local guest. Views Local guest view Predefined user roles network-admin Parameters name-string: Specifies the local guest name, a case-sensitive string of 1 to 255 characters.
  • Page 91: Local-Guest Auto-Delete Enable

    <Sysname> system-view [Sysname] local-user 111 class manage [Sysname-luser-manage-111] group abc Related commands display local-user local-guest auto-delete enable Use local-guest auto-delete enable to enable the guest auto-delete feature. Use undo local-guest auto-delete enable to restore the default. Syntax local-guest auto-delete enable undo local-guest auto-delete enable Default The guest auto-delete feature is disabled.
  • Page 92: Local-Guest Email Sender

    Predefined user roles network-admin Parameters to: Specifies the email recipient. guest: Specifies the local guest. manager: Specifies the guest manager. sponsor: Specifies the guest sponsor. body body-string: Configures the body content. The body-string argument is a case-sensitive string of 1 to 255 characters. subject sub-string: Configures the email subject.
  • Page 93: Local-Guest Email Smtp-Server

    Predefined user roles network-admin Parameters email-address: Specifies the email sender address, a case-sensitive string of 1 to 255 characters. Usage guidelines If you do not specify the email sender address, the device cannot send email notifications. The device supports only one email sender address. If you execute this command multiple times, the most recent configuration takes effect.
  • Page 94: Local-Guest Generate

    Related commands local-guest email format local-guest email sender local-guest manager-email local-guest send-email local-guest generate Use local-guest generate to create local guests in batch. Syntax local-guest generate username-prefix name-prefix [ password-prefix password-prefix ] suffix suffix-number [ group group-name ] count user-count validity-datetime start-date start-time to expiration-date expiration-time Views System view...
  • Page 95: Local-Guest Manager-Email

    expiration-time: Specifies the expiration time in the format of hh:mm:ss. The value range for the hh argument is 0 to 23. The value range for the mm and ss arguments is 0 to 59. The mm and ss arguments are optional. For example, enter 1 to indicate 1:00:00. A value of 0 indicates 00:00:00. Usage guidelines Account names of batch created local guests start with the same string specified by the name prefix, and end with a different number as the suffix.
  • Page 96: Local-Guest Send-Email

    Examples # Configure the email address of the guest manager as xyz@yyy.com. <Sysname> system-view [Sysname] local-guest manager-email xyz@yyy.com Related commands local-guest email format local-guest email sender local-guest email smtp-server local-guest send-email local-guest send-email Use local-guest send-email to send emails to a local guest or guest sponsor. Syntax local-guest send-email user-name user-name to { guest | sponsor } Views...
  • Page 97: Local-User

    Default The setting is 24 hours. Views System view Predefined user roles network-admin Parameters time-value: Sets the waiting-approval timeout timer in the range of 1 to 720, in hours. Usage guidelines The waiting-approval timeout timer starts when the registration request of a local guest is sent for approval.
  • Page 98: Local-User-Export Class Network Guest

    all: Specifies all users. service-type: Specifies the local users that use a specific type of service. • advpn: ADVPN tunnel users. • ftp: FTP users. • http: HTTP users. • https: HTTPS users. • ike: IKE users that access the network through IKE extended authentication. •...
  • Page 99: Local-User-Import Class Network Guest

    Views System view Predefined user roles network-admin Parameters url url-string: Specifies the URL of the destination file, a case-insensitive string of 1 to 255 characters. Usage guidelines You can import the user account information back to the device or to other devices that support the local-user-import class network guest command.
  • Page 100 Parameters url url-string: Specifies the source file path. The url-string argument is a case-insensitive string of 1 to 255 characters. validity-datetime: Specifies the guest validity period of the local guests. The expiration date and time must be later than the start date and time. start-date: Specifies the start date of the validity period, in the format of MM/DD/YYYY or YYYY/MM/DD.
  • Page 101: Password

    Jack,abc,visit,Jack Chen,ETP,jack@etp.com,1399899,"The manager of ETP, come from TP.",Sam Wang,Ministry of personnel,Sam@yy.com The device supports TFTP and FTP file transfer modes. Table 6 describes the valid URL formats of the .csv file. Table 6 URL formats Protocol URL format Description TFTP tftp://server/path/filename Specify a TFTP server by IP address or hostname.
  • Page 102: Phone

    Predefined user roles network-admin Parameters cipher: Specifies a password in encrypted form. hash: Specifies a password encrypted by the hash algorithm. simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form. string: Specifies the password string.
  • Page 103: Reset Local-Guest Waiting-Approval

    Syntax phone phone-number undo phone Default No phone number is specified for a local guest. Views Local guest view Predefined user roles network-admin Parameters phone-number: Specifies the phone number, a string of 1 to 32 characters that can contain only digits and hyphens (-).
  • Page 104 Use undo service-type to delete service types configured for a local user. Syntax In non-FIPS mode: service-type { advpn | ftp | ike | ipoe | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp | sslvpn } undo service-type { advpn | ftp | ike | ipoe | lan-access | { http | https | pad | ssh | telnet | terminal } * | portal | ppp | sslvpn }...
  • Page 105: Sponsor-Department

    [Sysname] local-user user1 class manage [Sysname-luser-manage-user1] service-type telnet [Sysname-luser-manage-user1] service-type ftp Related commands display local-user sponsor-department Use sponsor-department to specify the department of the guest sponsor for a local guest. Use undo sponsor-department to restore the default. Syntax sponsor-department department-string undo sponsor-department Default No department is specified for the guest sponsor.
  • Page 106: Sponsor-Full-Name

    Predefined user roles network-admin Parameters email-string: Specifies the email address, a case-sensitive string of 1 to 255 characters. The address must comply with RFC 822. Examples # Specify the email address as Sam@a.com for the guest sponsor of local guest abc. <Sysname>...
  • Page 107: User-Group

    undo state Default A local user is in active state. Views Local user view Predefined user roles network-admin Parameters active: Places the local user in active state to allow the local user to request network services. block: Places the local user in blocked state to prevent the local user from requesting network services.
  • Page 108: Validity-Datetime

    You can modify settings for the system-defined user group system, but you cannot delete the user group. Examples # Create a user group named abc and enter user group view. <Sysname> system-view [Sysname] user-group abc [Sysname-ugroup-abc] Related commands display user-group validity-datetime Use validity-datetime to specify the validity period for a network access user.
  • Page 109: Radius Commands

    <Sysname> system-view [Sysname] local-user abc class network [Sysname-luser-network-abc] validity-datetime 2014/10/01 00:00:00 to 2015/10/02 12:00:00 Related commands display local-user RADIUS commands aaa device-id Use aaa device-id to configure the device ID. Use undo aaa device-id to restore the default. Syntax aaa device-id device-id undo aaa device-id Default The device ID is 0.
  • Page 110: Accounting-On Extended

    Default The accounting-on feature is disabled. Views RADIUS scheme view Predefined user roles network-admin Parameters interval interval: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value range for the interval argument is 1 to 15, and the default setting is 3 seconds. send send-times: Specifies the maximum number of accounting-on packet transmission attempts.
  • Page 111: Attribute 15 Check-Mode

    Usage guidelines The extended accounting-on feature enhances the accounting-on feature by applying to the scenario that an SPU reboots but the device does not reboot. For the extended accounting-on feature to take effect, you must enable the accounting-on feature. The extended accounting-on feature enables the device to automatically send an accounting-on packet to the RADIUS server after an SPU reboot.
  • Page 112: Attribute 25 Car

    Usage guidelines Use the loose check method only when the server does not issue Login-Service attribute values 50, 51, and 52 for SSH, FTP, and terminal users. Examples # Configure the Login-Service attribute check method as loose for SSH, FTP, and terminal users in RADIUS scheme radius1.
  • Page 113: Client

    Syntax attribute remanent-volume unit { byte | giga-byte | kilo-byte | mega-byte } undo attribute remanent-volume unit Default The data measurement unit is kilobyte for the Remanent_Volume attribute. Views RADIUS scheme view Predefined user roles network-admin network-operator Parameters byte: Specifies the unit as byte. giga-byte: Specifies the unit as gigabyte.
  • Page 114: Data-Flow-Format (Radius Scheme View)

    Parameters ip ipv4-address: Specifies a DAC by its IPv4 address. ipv6 ipv6-address: Specifies a DAC by its IPv6 address. key: Specifies the shared key for secure communication between the RADIUS DAC and DAS. Make sure the shared key is the same as the key configured on the RADIUS DAC. If the RADIUS DAC does not have any shared key, do not specify this option.
  • Page 115: Display Radius Scheme

    Predefined user roles network-admin Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 116 State: Active Test profile: 132 Probe username: test Probe interval: 60 minutes Primary accounting server: IP : 1.1.1.1 Port: 1813 VPN : Not configured State: Active Second authentication server: IP : 3.3.3.3 Port: 1812 VPN : Not configured State: Block Test profile: Not configured Second accounting server: IP : 3.3.3.3...
  • Page 117 Field Description Service port number of the server. If no port number is specified, this field Port displays the default port number. MPLS L3VPN instance to which the server belongs. If no VPN instance is specified for the server, this field displays Not configured. Status of the server: •...
  • Page 118: Display Radius Statistics

    Field Description Attribute Remanent-Volume Data measurement unit for the RADIUS Remanent_Volume attribute. unit display radius statistics Use display radius statistics to display RADIUS packet statistics. Syntax display radius statistics Views Any view Predefined user roles network-admin network-operator Examples # Display RADIUS packet statistics. <Sysname>...
  • Page 119: Key (Radius Scheme View)

    Field Description Account Start Number of start-accounting packets. Account Update Number of accounting update packets. Account Stop Number of stop-accounting packets. Terminate Request Number of packets for logging off users forcibly. Set Policy Number of packets for updating user authorization information. Packet With Response Number of packets for which responses were received.
  • Page 120: Nas-Ip (Radius Scheme View)

    Usage guidelines The shared keys configured by using this command apply to all servers in the scheme. Make sure the settings match the shared keys configured on the RADIUS servers. The shared keys specified for specific RADIUS servers take precedence over the shared key specified with this command.
  • Page 121: Port

    As a best practice to avoid RADIUS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing RADIUS packets. If you use both the nas-ip command and radius nas-ip command, the following guidelines apply: •...
  • Page 122: Primary Accounting (Radius Scheme View)

    [Sysname] radius dynamic-author server [Sysname-radius-da-server] port 3790 Related commands client radius dynamic-author server primary accounting (RADIUS scheme view) Use primary accounting to specify the primary RADIUS accounting server. Use undo primary accounting to restore the default. Syntax primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary accounting Default...
  • Page 123: Primary Authentication (Radius Scheme View)

    The shared key configured by using this command takes precedence over the shared key configured with the key accounting command. If the specified server resides on an MPLS L3VPN, specify the VPN instance by using the vpn-instance vpn-instance-name option. The VPN instance specified by this command takes precedence over the VPN instance specified for the RADIUS scheme.
  • Page 124 key: Specifies the shared key for secure communication with the primary RADIUS authentication server. cipher: Specifies the key in encrypted form. simple: Specifies the key in plaintext form. For security purposes, a key specified in plaintext form is stored in encrypted form. string: Specifies the key.
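The key, primary authentication and secondary authentication commands above all turn on one thing: the RADIUS shared key. The following added example (not H3C code, and not part of the manual) shows what that key protects in RFC 2865 so that a mismatch is easier to recognise: it hides the User-Password attribute in an Access-Request and it keys the Response Authenticator that the device checks on every Access-Accept or Access-Reject. The Request Authenticator bytes, the key 12345 and the password are constructed values for the example.

```python
import hashlib
import hmac
import struct

# Constructed example values, not taken from the manual: a 16-byte Request
# Authenticator as the NAS would generate it, and the shared key. The key has
# to be identical on the device and on the RADIUS server, otherwise both
# routines below fail.
REQUEST_AUTHENTICATOR = bytes(range(16))
SHARED_KEY = b"12345"


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a User-Password value as RFC 2865 section 5.2 specifies.

    The password is zero-padded to a multiple of 16 octets; each block is
    XORed with MD5(secret + previous block), where the first "previous block"
    is the Request Authenticator.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16  # RFC 2865 requires at least one block
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_stream))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(ciphertext: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side inverse of encode_user_password; strips the zero padding."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = request_auth
    for i in range(0, len(ciphertext), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key_stream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def build_response(code: int, identifier: int, attributes: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: assemble an Access-Accept (2) or Access-Reject (3) with its authenticator."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Device (NAS) side: accept the reply only if its authenticator matches.

    A reply computed with a different shared key, or for a different request,
    fails here and is silently dropped; the device then retries (retry) and,
    after the response timeout, moves the server to the blocked state.
    """
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    hidden = encode_user_password(b"s3cret-pw", SHARED_KEY, REQUEST_AUTHENTICATOR)
    print("User-Password on the wire:", hidden.hex())
    print("decoded with correct key:", decode_user_password(hidden, SHARED_KEY, REQUEST_AUTHENTICATOR))
    print("decoded with wrong key:  ", decode_user_password(hidden, b"wrong", REQUEST_AUTHENTICATOR))
    reply_message = bytes([18, 2 + len(b"ok")]) + b"ok"  # Reply-Message (type 18)
    accept = build_response(2, 7, reply_message, REQUEST_AUTHENTICATOR, SHARED_KEY)
    print("Accept verifies with correct key:", verify_response(accept, REQUEST_AUTHENTICATOR, SHARED_KEY))
    print("Accept verifies with wrong key:  ", verify_response(accept, REQUEST_AUTHENTICATOR, b"wrong"))
```

Two practical consequences follow from the code. First, a wrong key does not produce an error message from the server: the server decodes garbage, rejects the user, and the device may in turn discard the reply because the Response Authenticator does not verify, so the only symptoms are Access-Rejects, rising "Packet Without Response" counts in display radius statistics, and servers flipping to Block. Second, the whole scheme is keyed MD5, so the shared key should be long and random, and the precedence rules on the page (per-server key over scheme key) matter because a stale per-server key silently overrides a corrected scheme key.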
  • Page 125: Radius Dscp

    radius dscp Use radius dscp to change the DSCP priority of RADIUS packets. Use undo radius dscp to restore the default. Syntax radius [ ipv6 ] dscp dscp-value undo radius [ ipv6 ] dscp Default The DSCP priority of RADIUS packets is 0. Views System view Predefined user roles...
  • Page 126: Radius Nas-Ip

    Usage guidelines When you enable the RADIUS DAS feature, the device listens to UDP port 3799 to receive DAE packets from specified DACs. Examples # Enable the RADIUS DAS feature and enter RADIUS DAS view. <Sysname> system-view [Sysname] radius dynamic-author server [Sysname-radius-da-server] Related commands client...
  • Page 127: Radius Scheme

    If you use both the nas-ip command and radius nas-ip command, the following guidelines apply: • The setting configured by the nas-ip command in RADIUS scheme view applies only to the RADIUS scheme. • The setting configured by the radius nas-ip command in system view applies to all RADIUS schemes.
  • Page 128: Radius Session-Control Client

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] Related commands display radius scheme radius session-control client Use radius session-control client to specify a RADIUS session-control client. Use undo radius session-control client to remove the specified RADIUS session-control clients. Syntax radius session-control client { ip ipv4-address | ipv6 ipv6-address } [ key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo radius session-control client { all | { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }...
  • Page 129: Radius Session-Control Enable

    The IP, VPN instance, and shared key settings of the session-control client must be the same as the settings of the RADIUS server. The system supports multiple RADIUS session-control clients. Examples # Specify a session-control client with IP address 10.110.1.2 and shared key 12345 in plaintext form. <Sysname>...
  • Page 130: Reset Radius Statistics

    Predefined user roles network-admin Parameters profile-name: Specifies the name of the test profile, which is a case-sensitive string of 1 to 31 characters. username name: Specifies the username in the detection packets. The name argument is a case-sensitive string of 1 to 253 characters. interval interval: Specifies the interval for sending a detection packet, in minutes.
  • Page 131: Retry

    retry Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default. Syntax retry retries undo retry Default The maximum number of RADIUS packet transmission attempts is 3. Views RADIUS scheme view Predefined user roles...
  • Page 132: Retry Realtime-Accounting

    retry realtime-accounting Use retry realtime-accounting to set the maximum number of accounting attempts. Use undo retry realtime-accounting to restore the default. Syntax retry realtime-accounting retries undo retry realtime-accounting Default The maximum number of accounting attempts is 5. Views RADIUS scheme view Predefined user roles network-admin Parameters...
  • Page 133 Use undo secondary accounting to remove a secondary RADIUS accounting server. Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] Default No secondary RADIUS accounting servers are specified.
  • Page 134: Secondary Authentication (Radius Scheme View)

    If you use the secondary accounting command to modify or delete a secondary accounting server to which the device is sending a start-accounting request, communication with the secondary server times out. The device tries to communicate with an active server that has the highest priority for accounting.
  • Page 135 port-number: Sets the service port number of the secondary RADIUS authentication server. The value range for the UDP port number is 1 to 65535. The default setting is 1812. key: Specifies the shared key for secure communication with the secondary RADIUS authentication server.
  • Page 136: Snmp-Agent Trap Enable Radius

    [Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 Related commands display radius scheme key (RADIUS scheme view) primary authentication (RADIUS scheme view) radius-server test-profile vpn-instance (RADIUS scheme view) snmp-agent trap enable radius Use snmp-agent trap enable radius to enable SNMP notifications for RADIUS. Use undo snmp-agent trap enable radius to disable SNMP notifications for RADIUS.
  • Page 137: State Primary

    • RADIUS server reachable notification—The RADIUS server can be reached. RADIUS generates this notification for a previously blocked RADIUS server after the quiet timer expires. • Excessive authentication failures notification—RADIUS generates this notification when the ratio of authentication failures to the total number of authentication attempts exceeds the specified threshold.
  • Page 138: State Secondary

    Examples # In RADIUS scheme radius1, set the primary authentication server to the blocked state. <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] state primary authentication block Related commands display radius scheme radius-server test-profile state secondary state secondary Use state secondary to set the status of a secondary RADIUS server. Syntax state secondary { accounting | authentication } [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ] { active | block }...
  • Page 139: Timer Quiet (Radius Scheme View)

    When the quiet timer of a server times out, the status of the server automatically changes to active. If you set the server status to blocked before the quiet timer times out, the server status cannot change back to active unless you manually set the status to active. If all configured secondary servers are unreachable, the device considers the authentication or accounting attempt a failure.
  • Page 140: Timer Realtime-Accounting (Radius Scheme View)

    [Sysname] radius scheme radius1 [Sysname-radius-radius1] timer quiet 10 Related commands display radius scheme timer realtime-accounting (RADIUS scheme view) Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default. Syntax timer realtime-accounting interval [ second ] undo timer realtime-accounting Default The real-time accounting interval is 12 minutes.
  • Page 141: Timer Response-Timeout (Radius Scheme View)

    Related commands retry realtime-accounting timer response-timeout (RADIUS scheme view) Use timer response-timeout to set the RADIUS server response timeout timer. Use undo timer response-timeout to restore the default. Syntax timer response-timeout seconds undo timer response-timeout Default The RADIUS server response timeout period is 3 seconds. Views RADIUS scheme view Predefined user roles...
  • Page 142: User-Name-Format (Radius Scheme View)

    user-name-format (RADIUS scheme view) Use user-name-format to specify the format of the username to be sent to a RADIUS server. Use undo user-name-format to restore the default. Syntax user-name-format { keep-original | with-domain | without-domain } undo user-name-format Default The ISP domain name is included in the usernames sent to the RADIUS servers. Views RADIUS scheme view Predefined user roles...
  • Page 143: Hwtacacs Commands

    Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The RADIUS scheme belongs to the public network. Views RADIUS scheme view Predefined user roles network-admin Parameters vpn-instance-name: Specifies an MPLS L3VPN instance by the name, a case-sensitive string of 1 to 31 characters.
  • Page 144: Display Hwtacacs Scheme

    Parameters data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte, kilobyte, megabyte, or gigabyte. packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets, which can be one-packet, kilo-packet, mega-packet, or giga-packet.
  • Page 145 Single-connection: Enabled Primary Author Server: : 2.2.2.2 Port: 49 State: Active VPN Instance: 2 Single-connection: Disabled Primary Acct Server: : Not Configured Port: 49 State: Block VPN Instance: Not configured Single-connection: Disabled VPN Instance NAS IP Address : 2.2.2.3 Server Quiet Period(minutes) Realtime Accounting Interval(minutes) : 12 Response Timeout Interval(seconds) Username Format...
  • Page 146: Hwtacacs Nas-Ip

    Field Description Response Timeout Interval(seconds) HWTACACS server response timeout period, in seconds. Format for the usernames sent to the HWTACACS server. Possible values include: • with-domain—Includes the domain name. Username Format • without-domain—Excludes the domain name. • keep-original—Forwards the username as the username is entered.
  • Page 147: Hwtacacs Scheme

    As a best practice to avoid HWTACACS packet loss caused by physical port errors, specify a loopback interface address as the source IP address for outgoing HWTACACS packets. If you use both the nas-ip command and hwtacacs nas-ip command, the following guidelines apply: •...
  • Page 148: Key (Hwtacacs Scheme View)

    Examples # Create an HWTACACS scheme named hwt1 and enter HWTACACS scheme view. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] Related commands display hwtacacs scheme key (HWTACACS scheme view) Use key to set the shared key for secure HWTACACS authentication, authorization, or accounting communication.
  • Page 149: Nas-Ip (Hwtacacs Scheme View)

    [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] key authentication simple 123456TESTauth&! # Set the shared key to 123456TESTautr&! in plaintext form for secure HWTACACS authorization communication. [Sysname-hwtacacs-hwt1] key authorization simple 123456TESTautr&! # Set the shared key to 123456TESTacct&! in plaintext form for secure HWTACACS accounting communication.
  • Page 150: Primary Accounting (Hwtacacs Scheme View)

    • The setting configured by using the nas-ip command in HWTACACS scheme view applies only to the HWTACACS scheme. • The setting configured by using the hwtacacs nas-ip command in system view applies to all HWTACACS schemes. • The setting in HWTACACS scheme view takes precedence over the setting in system view. You can specify only one source IPv4 address and one source IPv6 address for an HWTACACS scheme.
  • Page 151: Primary Authentication (Hwtacacs Scheme View)

    • In non-FIPS mode, the encrypted form of the key is a string of 1 to 373 characters. The plaintext form of the key is a string of 1 to 255 characters. • In FIPS mode, the encrypted form of the key is a string of 15 to 373 characters. The plaintext form of the key is a string of 15 to 255 characters.
  • Page 152 Views HWTACACS scheme view Predefined user roles network-admin Parameters ipv4-address: Specifies the IPv4 address of the primary HWTACACS authentication server. ipv6 ipv6-address: Specifies the IPv6 address of the primary HWTACACS authentication server. port-number: Specifies the service port number of the primary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535.
  • Page 153: Primary Authorization

    Related commands display hwtacacs scheme key (HWTACACS scheme view) secondary authentication (HWTACACS scheme view) vpn-instance (HWTACACS scheme view) primary authorization Use primary authorization to specify the primary HWTACACS authorization server. Use undo primary authorization to restore the default. Syntax primary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo primary authorization Default...
  • Page 154: Reset Hwtacacs Statistics

    vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the primary HWTACACS authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option. Usage guidelines Make sure that the port number and shared key settings of the primary HWTACACS authorization server are the same as those configured on the server.
  • Page 155: Secondary Accounting (Hwtacacs Scheme View)

    Related commands display hwtacacs scheme secondary accounting (HWTACACS scheme view) Use secondary accounting to specify a secondary HWTACACS accounting server. Use undo secondary accounting to remove a secondary HWTACACS accounting server. Syntax secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo secondary accounting [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]...
  • Page 156: Secondary Authentication (Hwtacacs Scheme View)

    Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS accounting server are the same as those configured on the server. An HWTACACS scheme supports a maximum of 16 secondary HWTACACS accounting servers. If the primary server fails, the device tries to communicate with a secondary server in active state.
  • Page 157 ipv6 ipv6-address: Specifies the IPv6 address of the secondary HWTACACS authentication server. port-number: Specifies the service port number of the secondary HWTACACS authentication server. The value range for the TCP port number is 1 to 65535. The default setting is 49. key: Specifies the shared key for secure communication with the secondary HWTACACS authentication server.
  • Page 158: Secondary Authorization

    key (HWTACACS scheme view) primary authentication (HWTACACS scheme view) vpn-instance (HWTACACS scheme view) secondary authorization Use secondary authorization to specify a secondary HWTACACS authorization server. Use undo secondary authorization to remove a secondary HWTACACS authorization server. Syntax secondary authorization { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | single-connection | vpn-instance vpn-instance-name ] * undo secondary authorization [ { ipv4-address | ipv6 ipv6-address } [ port-number | vpn-instance vpn-instance-name ] * ]...
  • Page 159: Timer Quiet (Hwtacacs Scheme View)

    Usage guidelines Make sure that the port number and shared key settings of the secondary HWTACACS authorization server are the same as those configured on the server. An HWTACACS scheme supports a maximum of 16 secondary HWTACACS authorization servers. If the primary server fails, the device tries to communicate with a secondary server in active state.
  • Page 160: Timer Realtime-Accounting (Hwtacacs Scheme View)

    Examples # In HWTACACS scheme hwt1, set the server quiet timer to 10 minutes. <Sysname> system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] timer quiet 10 Related commands display hwtacacs scheme timer realtime-accounting (HWTACACS scheme view) Use timer realtime-accounting to set the real-time accounting interval. Use undo timer realtime-accounting to restore the default.
  • Page 161: Timer Response-Timeout (Hwtacacs Scheme View)

    Related commands display hwtacacs scheme timer response-timeout (HWTACACS scheme view) Use timer response-timeout to set the HWTACACS server response timeout timer. Use undo timer response-timeout to restore the default. Syntax timer response-timeout seconds undo timer response-timeout Default The HWTACACS server response timeout time is 5 seconds. Views HWTACACS scheme view Predefined user roles...
  • Page 162: Vpn-Instance (Hwtacacs Scheme View)

    Views HWTACACS scheme view Predefined user roles network-admin Parameters keep-original: Sends the username to the HWTACACS server as the username is entered. with-domain: Includes the ISP domain name in the username sent to the HWTACACS server. without-domain: Excludes the ISP domain name from the username sent to the HWTACACS server.
  • Page 163: Ldap Commands

    Parameters vpn-instance-name: Specifies an MPLS L3VPN instance by the name, a case-sensitive string of 1 to 31 characters. Usage guidelines The VPN instance specified for an HWTACACS scheme applies to all servers in that scheme. If a VPN instance is also configured for an individual HWTACACS server, the VPN instance specified for the HWTACACS scheme does not take effect on that server.
  • Page 164: Authentication-Server

    <Sysname> system-view [Sysname] ldap scheme test [Sysname-ldap-test] attribute-map map1 Related commands display ldap-scheme ldap attribute-map authentication-server Use authentication-server to specify the LDAP authentication server for an LDAP scheme. Use undo authentication-server to restore the default. Syntax authentication-server server-name undo authentication-server Default No LDAP authentication server is specified.
  • Page 165: Display Ldap Scheme

    Default No LDAP authorization server is specified. Views LDAP scheme view Predefined user roles network-admin Parameters server-name: Specifies the name of an existing LDAP server, a case-insensitive string of 1 to 64 characters. Usage guidelines You can specify only one LDAP authorization server in an LDAP scheme. If you execute this command multiple times, the most recent configuration takes effect.
  • Page 166 : 1.1.1.1 Port : 111 VPN instance : Not configured LDAP protocol version : LDAPv3 Server timeout interval : 10 seconds Login account DN : Not configured Base DN : Not configured Search scope : all-level User searching parameters: User object class : Not configured Username attribute : cn...
  • Page 167 Field Description User DN search scope, including: • all-level—All subdirectories. Search scope • single-level—Next lower level of subdirectories under the base DN. User searching parameters User search parameters. User object class for user DN search. If no user object class is User object class configured, this field displays Not configured.
  • Page 168: Ipv6

    Related commands ldap server ipv6 Use ipv6 to configure the IPv6 address and port number of the LDAP server. Use undo ipv6 to restore the default. Syntax ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ipv6 Default An LDAP server does not have an IPv6 address or port number.
  • Page 169: Ldap Scheme

    undo ldap attribute-map map-name Default No LDAP attribute maps exist. Views System view Predefined user roles network-admin Parameters map-name: Specifies the name of the LDAP attribute map, a case-insensitive string of 1 to 31 characters. Usage guidelines Execute this command multiple times to create multiple LDAP attribute maps. You can add multiple mapping entries to an LDAP attribute map.
  • Page 170: Ldap Server

    Usage guidelines An LDAP scheme can be used by more than one ISP domain at the same time. You can configure a maximum of 16 LDAP schemes. Examples # Create an LDAP scheme named ldap1 and enter LDAP scheme view. <Sysname>...
  • Page 171: Login-Password

    Default No administrator DN is specified. Views LDAP server view Predefined user roles network-admin Parameters dn-string: Specifies the administrator DN for binding with the server, a case-insensitive string of 1 to 255 characters. Usage guidelines The administrator DN specified on the device must be consistent with the administrator DN configured on the LDAP server.
  • Page 172: Map

    Usage guidelines This command is effective only after the login-dn command is configured. Examples # Specify the administrator password as abcdefg in plaintext form for LDAP server ccc. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] login-password simple abcdefg Related commands display ldap scheme login-dn Use map to configure mapping entries in an LDAP attribute map.
  • Page 173: Protocol-Version

    Examples # In LDAP attribute map map1, map a partial value string of the LDAP attribute named memberof to the AAA attribute named user-group. <Sysname> system-view [Sysname] ldap attribute-map map1 [Sysname-ldap-map-map1] map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group Related commands ldap attribute-map user-group user-profile...
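The map command's prefix and delimiter options are easiest to understand on real directory values. The following added example (not H3C code, and not part of the manual) models the map1 entry above in Python: for each memberOf value it takes the text after the prefix cn= up to the next comma and hands it to the AAA attribute user-group. The directory entry is constructed, the field names of the map entry are this example's own, and the case-insensitive prefix match is an assumption made here because attribute type names in a DN are case-insensitive; the page does not say how the device compares them.

```python
from typing import Dict, List, Optional

# Constructed directory entry, not from the manual. memberOf is multi-valued,
# and group DNs in Active Directory are usually returned with upper-case
# attribute types.
ENTRY: Dict[str, List[str]] = {
    "memberOf": [
        "CN=netadmin,OU=Groups,DC=example,DC=com",
        "cn=helpdesk,ou=groups,dc=example,dc=com",
        "ou=orphan,dc=example,dc=com",  # no cn= component: contributes nothing
    ],
    "cn": ["alice"],
}

# Attribute map map1 from the page, one entry:
#   map ldap-attribute memberof prefix cn= delimiter , aaa-attribute user-group
# The dictionary keys are this example's own names, not device syntax.
MAP1 = [
    {"ldap_attribute": "memberof", "prefix": "cn=", "delimiter": ",",
     "aaa_attribute": "user-group"},
]


def extract_partial(value: str, prefix: Optional[str], delimiter: Optional[str]) -> Optional[str]:
    """Return the substring after `prefix` up to the next `delimiter`.

    Assumption (ours, not stated on the page): the prefix is matched
    case-insensitively. Without a prefix the value is taken from its start;
    without a delimiter it runs to the end. A value that lacks the prefix,
    or whose extracted part is empty, yields None and is skipped.
    """
    start = 0
    if prefix:
        idx = value.lower().find(prefix.lower())
        if idx < 0:
            return None
        start = idx + len(prefix)
    rest = value[start:]
    if delimiter:
        end = rest.find(delimiter)
        if end >= 0:
            rest = rest[:end]
    return rest or None


def apply_attribute_map(entry: Dict[str, List[str]], attribute_map) -> Dict[str, List[str]]:
    """Translate an LDAP entry into AAA attributes using every map entry.

    LDAP attribute names are compared case-insensitively; each LDAP value
    may contribute one AAA value, so a user in two groups gets two
    user-group values.
    """
    lowered = {k.lower(): v for k, v in entry.items()}
    result: Dict[str, List[str]] = {}
    for m in attribute_map:
        for raw in lowered.get(m["ldap_attribute"].lower(), []):
            got = extract_partial(raw, m.get("prefix"), m.get("delimiter"))
            if got is not None:
                result.setdefault(m["aaa_attribute"], []).append(got)
    return result


if __name__ == "__main__":
    print(apply_attribute_map(ENTRY, MAP1))  # user-group: netadmin, helpdesk
```

Two caveats a reviewer should keep in mind when relying on this kind of mapping for authorization. The extracted string is only the group's relative name, so two groups named netadmin in different OUs collapse into the same user-group value; and a comma escaped inside a group name (RFC 4514 writes it as `\,`) is treated as the delimiter by a naive split like this one, which truncates the group name. Pick group names that are unique across the tree and free of delimiter characters before keying user-group or user-profile assignments on them.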
  • Page 174: Search-Base-Dn

    search-base-dn Use search-base-dn to specify the base DN for user search. Use undo search-base-dn to restore the default. Syntax search-base-dn base-dn undo search-base-dn Default No base DN is specified for user search. Views LDAP server view Predefined user roles network-admin Parameters base-dn: Specifies the base DN for user search, a case-insensitive string of 1 to 255 characters.
  • Page 175: Server-Timeout

    single-level: Specifies that the search goes through only the next lower level of subdirectories under the base DN. Examples # Specify the search scope for the LDAP authentication as all subdirectories of the base DN for LDAP server ccc. <Sysname> system-view [Sysname] ldap server ccc [Sysname-ldap-server-ccc] search-scope all-level Related commands...
  • Page 176 Use undo user-parameters to restore the default of an LDAP user attribute. Syntax user-parameters { user-name-attribute { name-attribute | cn | uid } | user-name-format { with-domain | without-domain } | user-object-class object-class-name } undo user-parameters { user-name-attribute | user-name-format | user-object-class } Default The LDAP username attribute is cn and the username format is without-domain.
  • Page 177: 802.1X Commands

    802.1X commands This feature is supported only on the following ports: • Layer 2 Ethernet ports on Ethernet switching modules. • Fixed Layer 2 Ethernet ports of the following routers: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-LM-HK/810-W-LM-HK/810-10-PoE/810-LMS/810-LUS; MSR2600-10-X1; MSR3600-28/3600-51; MSR3600-28-SI/3600-51-SI. Commands and descriptions for centralized devices apply to the following routers: •...
  • Page 178 Predefined user roles network-admin network-operator Parameters sessions: Displays 802.1X session information. statistics: Displays 802.1X statistics. ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).
  • Page 179 Handshake : Enabled Handshake reply : Disabled Handshake security : Disabled Unicast trigger : Disabled Periodic reauth : Disabled Port role : Authenticator Authorization mode : Auto Port access control : Port-based Multicast trigger : Enabled Mandatory auth domain : Not configured Guest VLAN Auth-Fail VLAN : Not configured...
  • Page 180 Error packets: 0 Online 802.1X users: 1 MAC address Auth state 0001-0000-0002 Authenticated Table 13 Command output Field Description Global 802.1X parameters Global 802.1X configuration. 802.1X authentication Whether 802.1X is enabled globally. Performs EAP termination and uses CHAP to communicate with the RADIUS server.
  • Page 181 Field Description 802.1X authentication Whether 802.1X is enabled on the port. Handshake Whether the online user handshake feature is enabled on the port. Whether the online user handshake reply feature is enabled on the Handshake reply port. Whether the online user handshake security feature is enabled on the Handshake security port.
  • Page 182: Display Dot1X Connection

    Field Description MAC address MAC addresses of the online 802.1X users. Auth state Authentication status of the online 802.1X users. AP name Name of the AP with which users are associated. Radio ID ID of the radio with which users are associated. SSID SSID with which users are associated.
  • Page 183 # (Centralized devices in standalone mode.) Display information about all online 802.1X users. <Sysname> display dot1x connection Total connections: 1 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1 Username: ias Authentication domain: h3c IPv4 address: 192.168.1.1 IPv6 address: 2000:0:0:0:1:2345:6789:abcd Authentication method: CHAP Initial VLAN: 1 Authorization untagged VLAN: 6...
  • Page 184 <Sysname> display dot1x connection Total connections: 1 Slot ID: 0 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1 Username: ias Authentication domain: h3c IPv4 address: 192.168.1.1 IPv6 address: 2000:0:0:0:1:2345:6789:abcd Authentication method: CHAP Initial VLAN: 1 Authorization untagged VLAN: 6 Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33...
  • Page 185 Total connections: 1 Chassis ID: 1 Slot ID: 0 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1 Username: ias Authentication domain: h3c IPv4 address: 192.168.1.1 IPv6 address: 2000:0:0:0:1:2345:6789:abcd Authentication method: CHAP Initial VLAN: 1 Authorization untagged VLAN: 6 Authorization tagged VLAN list: 1 to 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 29 31 33...
  • Page 186 Field Description Access interface Interface through which the user accesses the device. AP name Name of the AP with which the user is associated. Radio ID ID of the radio with which the user is associated. SSID SSID with which the user is associated. BSSID ID of the BSS with which the user is associated.
  • Page 187: Dot1X

    dot1x Use dot1x to enable 802.1X globally or on a port. Use undo dot1x to disable 802.1X globally or on a port. Syntax dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view Ethernet interface view Predefined user roles network-admin...
  • Page 188: Dot1X Auth-Fail Vlan

    • PAP transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security. To use PAP, the client can be an H3C iNode 802.1X client. • CHAP transports the username in plaintext and the password only in hashed (challenge-response) form over the network. CHAP is ...
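The difference between the two EAP-termination methods is visible on the wire. The following added example (not H3C code, and not part of the manual) builds a PAP Authenticate-Request (RFC 1334) and a CHAP Response (RFC 1994, MD5 algorithm) for the same constructed credentials, then checks from a passive sniffer's viewpoint whether the password appears verbatim in either packet, and shows that a captured CHAP response does not verify against a fresh challenge. The username alice, the password and the challenge bytes are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example credentials, not from the manual.
USERNAME = b"alice"
PASSWORD = b"s3cret-pw"


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request (RFC 1334 section 2.2.1): Code 1, Identifier,
    Length, Peer-ID-Length, Peer-ID, Passwd-Length, Passwd. Nothing is hidden."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994 section 4.1): Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_response_packet(identifier: int, name: bytes, value: bytes) -> bytes:
    """CHAP Response (RFC 1994 section 4.1): Code 2, Identifier, Length,
    Value-Size, Value, Name. The password itself never leaves the client."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def chap_verify(identifier: int, secret: bytes, challenge: bytes, value: bytes) -> bool:
    """Authenticator side: recompute from the stored secret and compare in
    constant time. The verifier must hold the cleartext (or reversibly
    stored) password, which is CHAP's main operational drawback."""
    return hmac.compare_digest(chap_response_value(identifier, secret, challenge), value)


def wire_leaks_password(packet: bytes, password: bytes) -> bool:
    """Passive-sniffer view: does the password appear verbatim in the packet?"""
    return password in packet


if __name__ == "__main__":
    pap = pap_authenticate_request(1, USERNAME, PASSWORD)
    print("PAP leaks password:", wire_leaks_password(pap, PASSWORD))
    challenge = os.urandom(16)
    value = chap_response_value(1, PASSWORD, challenge)
    chap = chap_response_packet(1, USERNAME, value)
    print("CHAP leaks password:", wire_leaks_password(chap, PASSWORD))
    print("CHAP verifies:", chap_verify(1, PASSWORD, challenge, value))
    # A replayed response is useless against a fresh challenge.
    print("Replay accepted:", chap_verify(1, PASSWORD, os.urandom(16), value))
```

The example also shows the limit of the CHAP method: MD5 over a short, guessable password and a sniffed challenge can be brute-forced offline, so CHAP protects against casual eavesdropping and replay but not against a dictionary attack by anyone who can capture the 802.1X exchange between the client and the device. Where that matters, the page's EAP relay mode with a TLS-based EAP method on the RADIUS server is the stronger choice.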
  • Page 189: Dot1X Critical Vlan

    Default No 802.1X Auth-Fail VLAN exists. Views Ethernet interface view Predefined user roles network-admin Parameters authfail-vlan-id: Specifies the ID of the 802.1X Auth-Fail VLAN on the port. The value range for the VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
  • Page 190: Dot1X Domain-Delimiter

    Usage guidelines An 802.1X critical VLAN accommodates users that have failed 802.1X authentication because all the RADIUS servers in their ISP domains are unreachable. To delete a VLAN that has been configured as an 802.1X critical VLAN, you must first use the undo dot1x critical vlan command.
  • Page 191: Dot1X Ead-Assistant Enable

    Examples # Specify the at sign (@) and forward slash (/) as domain name delimiters. <Sysname> system-view [Sysname] dot1x domain-delimiter @/ Related commands display dot1x dot1x ead-assistant enable Use dot1x ead-assistant enable to enable the EAD assistant feature. Use undo dot1x ead-assistant enable to disable the EAD assistant feature. Syntax dot1x ead-assistant enable undo dot1x ead-assistant enable...
  • Page 192: Dot1X Ead-Assistant Free-Ip

    Examples # Enable the EAD assistant feature. <Sysname> system-view [Sysname] dot1x ead-assistant enable Related commands display dot1x dot1x ead-assistant free-ip dot1x ead-assistant url dot1x ead-assistant free-ip Use dot1x ead-assistant free-ip to configure a free IP. Use undo dot1x ead-assistant free-ip to remove the specified or all free IP addresses. Syntax dot1x ead-assistant free-ip ip-address { mask-address | mask-length } undo dot1x ead-assistant free-ip { ip-address { mask-address | mask-length } | all }...
  • Page 193: Dot1X Ead-Assistant Url

    Execute this command multiple times to configure multiple free IPs. With EAD assistant enabled on the device, unauthenticated 802.1X users can access the network resources in the free IP segments before they pass 802.1X authentication. Examples # Configure 192.168.1.1/16 as a free IP. <Sysname>...
  • Page 194: Dot1X Guest-Vlan

    When an unauthenticated user uses a Web browser to access networks other than the free IP, the device redirects the user to the redirect URL. The redirect URL must be on the free IP subnet. If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure the redirect URL as http://test.com.
  • Page 195: Dot1X Handshake

    Related commands display dot1x dot1x handshake Use dot1x handshake to enable the online user handshake feature. Use undo dot1x handshake to disable the online user handshake feature. Syntax dot1x handshake undo dot1x handshake Default The online user handshake feature is enabled. Views Ethernet interface view Predefined user roles...
  • Page 196: Dot1X Handshake Secure

    Views Ethernet interface view Predefined user roles network-admin Usage guidelines This command enables the device to reply to 802.1X clients' EAP-Response/Identity packets with EAP-Success packets during the online handshake process. As a best practice, use this command only if 802.1X clients will go offline without receiving EAP-Success packets from the device.
  • Page 197: Dot1X Mandatory-Domain

    Related commands display dot1x dot1x handshake dot1x mandatory-domain Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port. Use undo dot1x mandatory-domain to restore the default. Syntax dot1x mandatory-domain domain-name undo dot1x mandatory-domain Default No mandatory 802.1X authentication domain is specified on a port. Views Ethernet interface view Predefined user roles...
  • Page 198: Dot1X Multicast-Trigger

    Default The device allows a maximum of 4294967295 concurrent 802.1X users on a port. Views Ethernet interface view Predefined user roles network-admin Parameters max-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1 to 4294967295. Usage guidelines Set the maximum number of concurrent 802.1X users on a port to prevent the system resources from being overused.
  • Page 199: Dot1X Port-Control

    Examples # Enable the multicast trigger feature on GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x multicast-trigger Related commands display dot1x dot1x timer tx-period dot1x unicast-trigger dot1x port-control Use dot1x port-control to set the authorization state for the port. Use undo dot1x port-control to restore the default.
  • Page 200: Dot1X Port-Method

    dot1x port-method Use dot1x port-method to specify an access control method for the port. Use undo dot1x port-method to restore the default. Syntax dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies. Views Ethernet interface view Predefined user roles network-admin Parameters...
  • Page 201: Dot1X Re-Authenticate

    Syntax dot1x quiet-period undo dot1x quiet-period Default The quiet timer is disabled. Views System view Predefined user roles network-admin Usage guidelines When a client fails 802.1X authentication, the device must wait a period of time before it can process authentication requests from the client. You can use the dot1x timer quiet-period command to set the quiet timer.
  • Page 202: Dot1X Re-Authenticate Server-Unreachable Keep-Online

    Examples # Enable the 802.1X periodic online user reauthentication feature on GigabitEthernet 1/0/1, and set the periodic reauthentication interval to 1800 seconds. <Sysname> system-view [Sysname] dot1x timer reauth-period 1800 [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x re-authenticate Related commands display dot1x dot1x timer dot1x re-authenticate server-unreachable keep-online Use dot1x re-authenticate server-unreachable keep-online to enable the keep-online feature on...
  • Page 203: Dot1X Smarton

    Syntax dot1x retry retries undo dot1x retry Default A maximum of two attempts are made to send an authentication request to a client. Views System view Predefined user roles network-admin Parameters retries: Specifies the maximum number of attempts for sending an authentication request to a client. The value range is 1 to 10.
  • Page 204: Dot1X Smarton Password

    Predefined user roles network-admin Usage guidelines The SmartOn feature and the online user handshake feature are mutually exclusive. When a SmartOn-enabled port receives an EAPOL-Start packet from an 802.1X client, it sends a unicast EAP-Request/Notification packet to the client. The client will respond with an EAP-Response/Notification packet, which contains the SmartOn switch ID and the MD5 digest of the SmartOn password.
  • Page 205: Dot1X Smarton Retry

    If you execute this command multiple times, the most recent configuration takes effect. Examples # Set the SmartOn password to abc in plaintext form. <Sysname> system-view [Sysname] dot1x smarton password simple abc Related commands display dot1x dot1x smarton dot1x smarton switched dot1x smarton retry Use dot1x smarton retry to set the maximum number of attempts for retransmitting an EAP-Request/Notification packet to a client.
  • Page 206: Dot1X Smarton Switchid

    dot1x smarton switchid Use dot1x smarton switchid to set a SmartOn switch ID. Use undo dot1x smarton switchid to restore the default. Syntax dot1x smarton switchid switch-string undo dot1x smarton switchid Default No SmartOn switch ID exists. Views System view Predefined user roles network-admin Parameters...
  • Page 207: Dot1X Timer

    Parameters supp-timeout-value: Specifies the SmartOn client timeout timer in seconds. The value range is 10 to 120. Usage guidelines The SmartOn client timeout timer starts when the device sends an EAP-Request/Notification packet to the client. If the device does not receive any EAP-Response/Notification packets from the client within the timer interval, it retransmits the EAP-Request/Notification packet.
  • Page 208 Parameters ead-timeout ead-timeout-value: Specifies the EAD rule timer in minutes. The value range for the ead-timeout-value argument is 1 to 1440. The following matrix shows the ead-timeout ead-timeout-value option and hardware compatibility: Hardware Option compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC...
  • Page 209: Dot1X Unicast-Trigger

    • Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait the time period before it can process the authentication attempts from the client. • Periodic reauthentication timer (reauth-period)—Sets the interval at which the network device periodically reauthenticates online 802.1X users. To enable periodic online user reauthentication on a port, use the dot1x re-authenticate command.
  • Page 210: Reset Dot1X Guest-Vlan

    Examples # Enable the unicast trigger feature on GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] dot1x unicast-trigger Related commands display dot1x dot1x multicast-trigger dot1x retry dot1x timer reset dot1x guest-vlan Use reset dot1x guest-vlan to remove users from the 802.1X guest VLAN on a port. Syntax reset dot1x guest-vlan interface interface-type interface-number [ mac-address mac-address ] Views...
  • Page 211 Predefined user roles network-admin Parameters ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-). If you do not specify an AP, this command clears statistics of 802.1X users for all APs. radio radio-id: Specifies a radio by its ID.
  • Page 212: Mac Authentication Commands

    MAC authentication commands MAC authentication commands are supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW, HMIM-24GSW, HMIM-24GSWP, and SIC-4GSW. • Fixed Layer 2 Ethernet ports on the following routers: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-LM-HK/810-W-LM-HK/810-10-PoE/81 ...
  • Page 213 Wired devices: display mac-authentication [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin network-operator Parameters ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. The string can contain letters, digits, underscores (_), left brackets ([), right brackets (]), forward slashes (/), and hyphens (-).
  • Page 214 Authentication attempts : successful 2, failed 3 Current online users MAC address Auth state 0001-0000-0000 Authenticated 0001-0000-0001 Unauthenticated AP name: AP1 Radio ID: 1 SSID: wlan_maca_ssid BSSID : 1111-1111-1111 MAC authentication : Enabled Authentication domain : Not configured Max online users : 256 Authentication attempts : successful 1, failed 0...
  • Page 215 Field Description Number of wireless online MAC authentication users, including Online MAC-auth wireless users users that have passed MAC authentication and users that are performing MAC authentication. Silent MAC users Information about silent MAC addresses. MAC address Silent MAC address. VLAN ID ID of the VLAN to which the silent MAC address belongs.
  • Page 216: Display Mac-Authentication Connection

    display mac-authentication connection Use display mac-authentication connection to display information about online MAC authentication users. Syntax Wireless devices: Centralized devices in standalone mode: display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | user-mac mac-address | user-name user-name ] Centralized devices in IRF mode: display mac-authentication connection [ ap ap-name [ radio radio-id ] | interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name user-name ]...
  • Page 217 <Sysname> display mac-authentication connection Total connections: 1 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1 Username: ias Authentication domain: h3c Initial VLAN: 1 Authorization untagged VLAN: 100 Authorization tagged VLAN: N/A Authorization ACL ID: 3001 Authorization user profile: N/A Termination action: Radius-request...
  • Page 218 <Sysname> display mac-authentication connection Total connections: 1 Slot ID: 0 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1 Username: ias Authentication domain: h3c Initial VLAN: 1 Authorization untagged VLAN: 100 Authorization tagged VLAN: N/A Authorization ACL ID: 3001 Authorization user profile: N/A...
  • Page 219 Total connections: 1 Chassis ID: 1 Slot ID: 0 User MAC address: 0015-e9a6-7cfe Access interface: GigabitEthernet1/0/1 Username: ias Authentication domain: h3c Initial VLAN: 1 Authorization untagged VLAN: 100 Authorization tagged VLAN : N/A Authorization ACL ID: 3001 Authorization user profile: N/A...
  • Page 220: Mac-Authentication

    Field Description Authorization ACL ID/number ACL authorized to the user. Authorization user profile User profile authorized to the user. Action attribute assigned by the server when the session timeout timer expires. The following server-assigned action attributes are available: • Default—Logs off the online authenticated user when the session Termination action timeout timer expires.
  • Page 221: Mac-Authentication Domain

    mac-authentication domain Use mac-authentication domain to specify a global or port-specific authentication domain. Use undo mac-authentication domain to restore the default. Syntax mac-authentication domain domain-name undo mac-authentication domain Default The system default authentication domain is used. For more information about the default authentication domain, see the domain default enable command in "AAA commands."...
  • Page 222: Mac-Authentication Max-User

    Syntax mac-authentication host-mode multi-vlan undo mac-authentication host-mode Default MAC authentication multi-VLAN mode is disabled on a port. When the port receives a packet sourced from an authenticated MAC address in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user. Views Ethernet interface view Predefined user roles...
  • Page 223: Mac-Authentication Re-Authenticate Server-Unreachable Keep-Online

    Parameters max-number: Specifies the maximum number of concurrent MAC authentication users on the port. The value range for this argument is 1 to 4294967295. Usage guidelines Set the maximum number of concurrent MAC authentication users on a port to prevent the system resources from being overused.
  • Page 224: Mac-Authentication Timer

    [Sysname-GigabitEthernet1/0/1] mac-authentication re-authenticate server-unreachable keep-online Related commands display mac-authentication mac-authentication timer Use mac-authentication timer to set the MAC authentication timers. Use undo mac-authentication timer to restore the defaults. Syntax mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } undo mac-authentication timer { offline-detect | quiet | server-timeout } Default The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is...
  • Page 225: Mac-Authentication Timer Auth-Delay

    mac-authentication timer auth-delay Use mac-authentication timer auth-delay to enable MAC authentication delay and set the delay time. Use undo mac-authentication timer auth-delay to restore the default. Syntax mac-authentication timer auth-delay time undo mac-authentication timer auth-delay Default MAC authentication delay is disabled. MAC authentication starts immediately after it is triggered by a user packet.
  • Page 226 undo mac-authentication user-name-format Default Each user's MAC address is used as the username and password for MAC authentication. A MAC address is in the hexadecimal notation without hyphens, and letters are in lower case. Views System view Predefined user roles network-admin Parameters fixed: Uses a shared account for all MAC authentication users.
  • Page 227: Reset Mac-Authentication Statistics

    reset mac-authentication statistics Use reset mac-authentication statistics to clear MAC authentication statistics. Syntax Wireless devices: reset mac-authentication statistics [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ] Wired devices: reset mac-authentication statistics [ interface interface-type interface-number ] Views User view Predefined user roles...
  • Page 228: Port Security Commands

    Port security commands This feature is supported only on the following ports: • Layer 2 Ethernet ports on Ethernet switching modules. • Fixed Layer 2 Ethernet ports of the following routers: MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-LM-HK/810-W-LM-HK/810-10-PoE/810-LMS/810-LUS, MSR2600-10-X1, MSR3600-28/3600-51, and MSR3600-28-SI/3600-51-SI. Commands and descriptions for centralized devices apply to the following routers: •...
  • Page 229 Port security : Enabled AutoLearn aging time : 0 min Disableport timeout : 20 s MAC move : Denied Authorization fail : Online NAS-ID profile : Not configured Dot1x-failure trap : Disabled Dot1x-logon trap : Disabled Dot1x-logoff trap : Enabled Intrusion trap : Disabled Address-learned trap...
  • Page 230 Field Description Whether SNMP notifications for intrusion protection are enabled. If Intrusion trap they are enabled, the device sends SNMP notifications after illegal packets are detected. Whether SNMP notifications for MAC address learning are Address-learned trap enabled. If they are enabled, the device sends SNMP notifications after it learns a new MAC address.
  • Page 231: Display Port-Security Mac-Address Block

    Field Description Secure MAC address aging type: • Periodical—Timer aging only. Aging type • Inactivity—Inactivity aging feature together with the aging timer. Maximum number of secure MAC addresses (or online users) that Max secure MAC addresses port security allows on the port. Current secure MAC addresses Number of secure MAC addresses stored.
  • Page 232 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all blocked MAC addresses. <Sysname> display port-security mac-address block MAC ADDR Port VLAN ID --- On slot 0, no MAC address found --- MAC ADDR Port VLAN ID 000f-3d80-0d2d GE1/0/1 --- On slot 1, 1 MAC address(es) found ---...
  • Page 233 0002-0002-0002 GE1/0/1 000d-88f8-0577 GE1/0/1 2 mac address(es) found # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about all blocked MAC addresses in VLAN 30. <Sysname> display port-security mac-address block vlan 30 MAC ADDR Port VLAN ID --- On slot 0, no MAC address found --- MAC ADDR Port...
  • Page 234 000f-3d80-0d2d GE1/0/1 --- On slot 1 in chassis 1, 1 MAC address(es) found --- --- 1 mac address(es) found --- # (Centralized devices in standalone mode.) Display information about all blocked MAC addresses of GigabitEthernet 1/0/1 in VLAN 1. <Sysname> display port-security mac-address block interface gigabitethernet 1/0/1 vlan MAC ADDR Port VLAN ID...
  • Page 235: Display Port-Security Mac-Address Security

    Related commands port-security intrusion-mode display port-security mac-address security Use display port-security mac-address security to display information about secure MAC addresses. Syntax display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] Views Any view Predefined user roles network-admin network-operator...
  • Page 236: Port-Security Authorization Ignore

    <Sysname> display port-security mac-address security interface gigabitethernet 1/0/1 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME 000d-88f8-0577 Security GE1/0/1 NOAGED 1 mac address(es) found # Display information about secure MAC addresses of GigabitEthernet 1/0/1 in VLAN 1. <Sysname> display port-security mac-address security interface gigabitethernet 1/0/1 vlan MAC ADDR VLAN ID STATE...
  • Page 237: Port-Security Authorization-Fail Offline

    Usage guidelines After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the port to use such authorization attributes for users, use this command to ignore the authorization information from the server.
  • Page 238: Port-Security Enable

    port-security enable Use port-security enable to enable port security. Use undo port-security enable to disable port security. Syntax port-security enable undo port-security enable Default Port security is disabled. Views System view Predefined user roles network-admin Usage guidelines You must disable global 802.1X and MAC authentication before you enable port security on a port. Enabling or disabling port security resets the following security settings to the default: •...
  • Page 239: Port-Security Mac-Address Aging-Type Inactivity

    Views Layer 2 Ethernet interface view Predefined user roles network-admin Parameters blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port.
  • Page 240: Port-Security Mac-Address Dynamic

    Syntax port-security mac-address aging-type inactivity undo port-security mac-address aging-type inactivity Default The inactivity aging feature is disabled for secure MAC addresses. Views Layer 2 Ethernet interface view Predefined user roles network-admin Usage guidelines If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC addresses.
  • Page 241: Port-Security Mac-Address Security

    After you execute this command, you cannot manually configure sticky MAC addresses, and secure MAC addresses learned by a port in autoLearn mode are dynamic. All dynamic MAC addresses are lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot.
  • Page 242: Port-Security Mac-Move Permit

    Usage guidelines Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN. You can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure.
  • Page 243: Port-Security Max-Mac-Count

    Syntax port-security mac-move permit undo port-security mac-move permit Default MAC move is disabled on the device. Views System view Predefined user roles network-admin Usage guidelines This command takes effect on both 802.1X and MAC authentication users. MAC move allows 802.1X or MAC authenticated users to move between ports on a device. For example, if an 802.1X-authenticated user moves to another 802.1X-enabled port on the device, the authentication session is deleted from the first port.
  • Page 244: Port-Security Nas-Id-Profile

    Usage guidelines For autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port. In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals the smaller of the following values: •...
  • Page 245: Port-Security Ntk-Mode

    The NAS-ID profile applied globally. If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID. Examples # Apply the NAS-ID profile aaa to GigabitEthernet 1/0/1 for port security. <Sysname>...
  • Page 246: Port-Security Oui

    MSR2600-10-X1. MSR3600-28/3600-51. MSR3600-28-SI/3600-51-SI. The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices passing authentication, preventing illegal devices from intercepting network traffic. Examples # Set the NTK mode of GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward received packets only to devices passing authentication.
  • Page 247: Port-Security Port-Mode

    <Sysname> system-view [Sysname] port-security oui index 4 mac-address 000d-2a10-0033 Related commands display port-security port-security port-mode Use port-security port-mode to set the port security mode of a port. Use undo port-security port-mode to restore the default. Syntax port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } undo port-security port-mode...
  • Page 248 Keyword Security mode Description This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in. mac-else-userlogin-se macAddressElseUse •...
  • Page 249: Port-Security Timer Autolearn Aging

    Usage guidelines The userLogin mode is supported on any Layer Ethernet ports. Other port security modes are supported only on the following ports: • Layer 2 Ethernet ports on the following modules: HMIM-8GSW, HMIM-24GSW, HMIM-24GSWP, and SIC-4GSW. •...
  • Page 250: Port-Security Timer Disableport

    Syntax port-security timer autolearn aging time-value undo port-security timer autolearn aging Default Secure MAC addresses do not age out. Views System view Predefined user roles network-admin Parameters time-value: Specifies the aging timer in minutes for secure MAC addresses. The value is in the range of 0 to 129600.
  • Page 251: Snmp-Agent Trap Enable Port-Security

    Parameters time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300. Usage guidelines If you configure the intrusion protection action as disabling the port temporarily, use this command to set the silence period.
  • Page 252 Usage guidelines To report critical port security events to an NMS, enable SNMP notifications for port security. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.
  • Page 253: Portal Commands

    Portal commands WLAN is not supported on the following routers: • MSR810-LMS/810-LUS. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC. • MSR5620/5560/5680. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI.
  • Page 254: Aging-Time

    Usage guidelines If a portal user fails AAA in MAC-trigger authentication, the user cannot trigger authentication before the MAC-trigger entry of the user ages out. After the MAC-trigger entry ages out, the user triggers MAC-trigger authentication when it accesses the network. After this feature is enabled, the device sets the MAC-trigger entry state for a user to unbound immediately after the user fails AAA in MAC-trigger authentication.
  • Page 255: App-Id

    <Sysname> system-view [Sysname] portal mac-trigger-server mts [Sysname-portal-mac-trigger-server-mts] aging-time 300 Related commands display portal mac-trigger-server app-id Use app-id to specify the APP ID for QQ authentication. Use undo app-id to restore the default. Syntax app-id app-id undo app-id Default An APP ID for QQ authentication exists. Views QQ authentication server view Predefined user roles...
  • Page 256: App-Key

    app-key Use app-key to specify the APP key for QQ authentication. Use undo app-key to restore the default. Syntax app-key { cipher | simple } app-key undo app-key Default An APP key for QQ authentication exists. Views QQ authentication server view Predefined user roles network-admin Parameters...
  • Page 257: Authentication-Timeout

    authentication-timeout Use authentication-timeout to specify the authentication timeout, which is the maximum amount of time the device waits for portal authentication to complete after receiving the MAC binding query response. Use undo authentication-timeout to restore the default. Syntax authentication-timeout minutes undo authentication-timeout Default The authentication timeout time is 3 minutes.
  • Page 258: Binding-Retry

    Predefined user roles network-admin Parameters url-string: Specifies the URL of the QQ authentication server, a case-sensitive string of 1 to 256 characters. Make sure that you specify the actual URL of the QQ authentication server. Examples # Specify http://oauth.qq.com as the URL of the QQ authentication server. <Sysname>...
  • Page 259: Captive-Bypass Enable

    Related commands display portal mac-trigger-server captive-bypass enable Use captive-bypass enable to enable the captive-bypass feature. Use undo captive-bypass enable to disable the captive-bypass feature. Syntax captive-bypass [ android | ios [ optimize ] ] enable undo captive-bypass [ android | ios [ optimize ] ] enable Default The captive-bypass feature is disabled.
  • Page 260: Cloud-Binding Enable

    [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] captive-bypass android enable Related commands display portal web-server display portal captive-bypass statistics cloud-binding enable Use cloud-binding enable to enable cloud MAC-trigger authentication. Use undo cloud-binding enable to disable cloud MAC-trigger authentication. Syntax cloud-binding enable undo cloud-binding enable Default Cloud MAC-trigger authentication is disabled.
  • Page 261: Cloud-Server Url

    URL by using this command, and specify a different URL for the portal Web server. In this way, you can use a different portal Web server to provide customized authentication pages to users. Examples # In the view of MAC binding server mts, specify http://lvzhou.h3c.com as the URL of the cloud portal authentication server. <Sysname> system-view...
  • Page 262: Default-Logon-Page

    [Sysname] portal mac-trigger-server mts [Sysname-portal-mac-trigger-server-mts] cloud-server url http://lvzhou.h3c.com Related commands display portal mac-trigger-server default-logon-page Use default-logon-page to specify the default authentication page file for the local portal Web server. Use undo default-logon-page to restore the default. Syntax default-logon-page file-name undo default-logon-page Default No default authentication page file is specified for the local portal Web server.
  • Page 263 Syntax display portal { ap ap-name [ radio radio-id ] | interface interface-type interface-number } Views Any view Predefined user roles network-admin network-operator Parameters ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).
  • Page 264 Authentication type: Layer3 Portal VSRP status: M_Delay Portal Web server: wbs(active) Secondary portal Web server: wbs sec Portal mac-trigger-server: mts Authentication domain: my-domain Pre-auth domain: abc Extend-auth domain: abc User-dhcp-only: Enabled Pre-auth IP pool: ab Max portal users: Not configured Bas-ip: Not configured User detection: Type: ICMP Interval: 300s...
  • Page 265 Destination authentication subnet: IP address Prefix length # Display portal configuration and portal running state on AP ap1. (Wireless application.) <Sysname> display portal ap ap1 Portal information of ap1 Radio ID: 1 SSID: portal Authorization : Strict checking : Disable User profile : Disable Dual stack...
  • Page 266 # Display portal configuration and portal running state on VLAN-interface 30. <Sysname> display portal Vlan-interface 30 Portal information of Vlan-interface30 NAS-ID profile: Not configured Authorization : Strict checking : Disable User profile : Disable Dual stack : Disabled Dual traffic-separate: Disabled IPv4: Portal status: Enabled Authentication type: Direct...
  • Page 267 Layer3 source network: IP address Prefix length Destination authentication subnet: IP address Prefix length Table 20 Command output Field Description Portal information of interface Portal configuration on the interface. Radio ID ID of the radio. SSID Service set identifier. NAS-ID profile NAS-ID profile on the interface.
  • Page 268 Field Description Status of the portal VSRP on the interface: • M_Initial—The master device is in initial state. • M_Delay—The master device is in delayed state. (The device will switch to the master state after the delay time.) • M_Alone—The master device is in standalone state. This state occurs when the master device and the backup device cannot communicate with each other.
  • Page 269: Display Portal Auth-Error-Record

    Field Description Status of the user-dhcp-only feature: • Enabled: Only users with IP addresses obtained through DHCP can User-dhcp-only perform portal authentication. • Disabled: Both users with IP addresses obtained through DHCP and users with static IP addresses can pass authentication to get online. Name of the IP address pool specified for portal users before Pre-auth ip-pool authentication.
  • Page 270 network-operator Parameters all: Specifies all portal authentication error records. ipv4 ipv4-address: Specifies the IPv4 address of a portal user. ipv6 ipv6-address: Specifies the IPv6 address of a portal user. start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD.
  • Page 271 <Sysname> display portal auth-error-record ip 192.168.0.188 User MAC : 0016-ecb7-a879 Interface : WLAN-BSS1/0/1 User IP address : 192.168.0.188 : ap1 SSID : byod Auth error time : 2016-03-04 16:49:07 Auth error reason : The maximum number of users already reached. # Display portal authentication error records for the portal user whose IPv6 address is 2000::2.
  • Page 272: Display Portal Auth-Fail-Record

    Field Description Reason for the authentication error: • The maximum number of users already reached. • Failed to obtain user physical information. • Failed to receive the packet because packet length is 0. • Packet source unknown. Server IP:X.X.X.X, VRF index:0. •...
  • Page 273 Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/ 810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Examples # Display all portal authentication failure records. <Sysname> display portal auth-fail-record all Total authentication fail records: 2 User name : test@abc User MAC...
  • Page 274 <Sysname> display portal auth-fail-record ipv6 2000::2
    User name           : test@abc
    User MAC            : 0016-ecb7-a879
    Interface           : WLAN-BSS1/0/1
    User IP address     : 2000::2
                        : ap1
    SSID                : byod
    Auth failure time   : 2016-03-04 16:49:07
    Auth failure reason : Authorization information does not exist.
    # Display portal authentication failure records for the portal user whose username is chap1.
  • Page 275: Display Portal Captive-Bypass Statistics

    Related commands portal auth-fail-record enable reset portal auth-fail-record display portal captive-bypass statistics Use display portal captive-bypass statistics to display packet statistics for portal captive-bypass. Syntax Centralized devices in standalone mode: display portal captive-bypass statistics Distributed devices in standalone mode/centralized devices in IRF mode: display portal captive-bypass statistics [ slot slot-number ] Distributed devices in IRF mode: display portal captive-bypass statistics [ chassis chassis-number slot slot-number ]...
  • Page 276: Display Portal Extend-Auth-Server

    Table 23 Command output
    Field       Description
    User type   Type of users:
                • iOS.
                • Android.
    Packets     Number of portal captive-bypass packets sent to the users.
    Related commands captive-bypass enable
    display portal extend-auth-server
    Use display portal extend-auth-server to display information about third-party authentication servers.
  • Page 277: Display Portal Local-Binding Mac-Address

    Field              Description
    Redirect URL       Redirection URL for QQ authentication success.
    Mail protocol      Protocols supported by the email authentication service.
    Mail domain name   Email domain names supported by the email authentication service.
    Related commands portal extend-auth-server
    display portal local-binding mac-address
    Use display portal local-binding mac-address to display information about local MAC-account binding entries.
  • Page 278: Display Portal Logout-Record

    Related commands local-binding enable display portal logout-record Use display portal logout-record to display portal user offline records. Syntax display portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username } Views Any view Predefined user roles...
  • Page 279 Total logout records: 2
    User name        : test@abc
    User MAC         : 0016-ecb7-a879
    Interface        : WLAN-BSS1/0/1
    User IP address  : 192.168.0.8
                     : ap1
    SSID             : byod
    User login time  : 2016-03-04 14:20:19
    User logout time : 2016-03-04 14:22:05
    Logout reason    : Admin Reset
    User name        : coco
    User MAC...
  • Page 280: Display Portal Mac-Trigger-Server

    User IP address  : 192.168.0.8
                     : ap1
    SSID             : byod
    User login time  : 2016-03-04 14:20:19
    User logout time : 2016-03-04 14:22:05
    Logout reason    : Admin Reset
    Table 26 Command output
    Field                  Description
    Total logout records   Total number of portal user offline records.
    User name              Username of the portal user.
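    The authentication failure records and the logout records above use the same one-`Field : Value`-per-line layout, so one parser serves both commands. The following Python is an added example, not part of the H3C manual: it parses constructed sample output modelled on the records shown for display portal auth-fail-record and display portal logout-record (trimmed to the fields the checks need), flags any MAC address that fails authentication repeatedly within a short window, and computes each user's online time from the logout records. The ten-minute window and the threshold of three failures are arbitrary tuning values, not values from the manual.

```python
"""Parse `display portal auth-fail-record` / `display portal logout-record`
output and run two checks over it.  Added example, not from the H3C manual.
Records are one `Field : Value` per line and start at `User name`; the
sample text is constructed after the page's output and trimmed to the
fields the checks need."""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

AUTH_FAIL_OUTPUT = """\
Total authentication fail records: 4
User name           : test@abc
User MAC            : 0016-ecb7-a879
User IP address     : 2000::2
Auth failure time   : 2016-03-04 16:49:07
Auth failure reason : Authorization information does not exist.
User name           : coco
User MAC            : 000d-88f8-0eab
User IP address     : 192.168.0.9
Auth failure time   : 2016-03-04 16:49:30
Auth failure reason : Authorization information does not exist.
User name           : test@abc
User MAC            : 0016-ecb7-a879
User IP address     : 2000::2
Auth failure time   : 2016-03-04 16:52:10
Auth failure reason : Authorization information does not exist.
User name           : test@abc
User MAC            : 0016-ecb7-a879
User IP address     : 2000::2
Auth failure time   : 2016-03-04 16:53:00
Auth failure reason : Authorization information does not exist.
"""

LOGOUT_OUTPUT = """\
Total logout records: 2
User name        : test@abc
User MAC         : 0016-ecb7-a879
User IP address  : 192.168.0.8
User login time  : 2016-03-04 14:20:19
User logout time : 2016-03-04 14:22:05
Logout reason    : Admin Reset
User name        : coco
User MAC         : 000d-88f8-0eab
User IP address  : 192.168.0.9
User login time  : 2016-03-04 14:00:00
User logout time : 2016-03-04 14:30:00
Logout reason    : User Request
"""


def parse_records(text):
    """Split display output into dicts; a record starts at `User name`.
    Splitting on the first ':' keeps IPv6 addresses and timestamps intact."""
    records, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.startswith("Total "):      # summary line, not a record field
            continue
        if key == "User name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def repeated_failures(records, threshold=3, window=timedelta(minutes=10)):
    """MAC addresses with at least `threshold` failures inside any `window`."""
    by_mac = defaultdict(list)
    for rec in records:
        by_mac[rec["User MAC"]].append(
            datetime.strptime(rec["Auth failure time"], TIME_FMT))
    flagged = []
    for mac, times in by_mac.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(mac)
    return sorted(flagged)


def session_seconds(records):
    """Username -> online seconds, from the login and logout timestamps."""
    out = {}
    for rec in records:
        login = datetime.strptime(rec["User login time"], TIME_FMT)
        logout = datetime.strptime(rec["User logout time"], TIME_FMT)
        out[rec["User name"]] = int((logout - login).total_seconds())
    return out


if __name__ == "__main__":
    fails = parse_records(AUTH_FAIL_OUTPUT)
    print(len(fails), "failure records; repeated:", repeated_failures(fails))
    print(session_seconds(parse_records(LOGOUT_OUTPUT)))
```

    The same parser works on the auth-error records, which follow the same layout; only the field names passed to the checks change.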
  • Page 281 Views Any view Predefined user roles network-admin network-operator Parameters all: Specifies all MAC binding servers. name server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters. Examples # Display information about all MAC binding servers. <Sysname>...
  • Page 282
    Field         Description
    Server type   Type of the MAC binding server:
                  • CMCC—CMCC server.
                  • IMC—H3C IMC server or H3C CAMS server.
                  IP address of the MAC binding server.
    Port          UDP port number on which the MAC binding server listens for MAC binding query packets.
  • Page 283: Display Portal Packet Statistics

    Field                     Description
    Authentication timeout    Maximum amount of time that the device waits for portal authentication to complete after receiving the MAC binding query response.
    Excluded attribute list   Numbers of attributes excluded from portal protocol packets.
                              Status of local MAC-trigger authentication: •...
  • Page 284 Hardware Option compatibility MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620 /3620-DP/3640/3660 MSR5620/5660/5680 mac-trigger-server server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters. server server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
  • Page 285 ACK_MACBIND NTF_MTUSER_LOGON NTF_MTUSER_LOGOUT REQ_MTUSER_OFFLINE # Display packet statistics for the lvzhou cloud authentication server. <Sysname> display portal packet statistics extend-auth-server cloud Extend-auth server: cloud Update interval: Pkt-Type Success Error Timeout Conn-failure REQ_ACCESSTOKEN REQ_USERINFO RESP_ACCESSTOKEN RESP_USERINFO POST_ONLINEDATA RESP_ONLINEDATA POST_OFFLINEUSER REPORT_ONLINEUSER REQ_CLOUDBIND RESP_CLOUDBIND REQ_BINDUSERINFO RESP_BINDUSERINFO...
  • Page 286
    Field              Description
    NTF_LOGOUT         Forced logout notification packet the access device sent to the portal authentication server.
    REQ_INFO           Information request packet.
    ACK_INFO           Information acknowledgment packet.
    NTF_USERDISCOVER   User discovery notification packet the portal authentication server sent to the access device.
    NTF_USERIPCHANGE   User IP change notification packet the access device sent to the portal authentication server.
  • Page 287
    Field          Description
    Timeout        Number of packets for which the connection to the third-party authentication server timed out.
    Conn-failure   Number of packets that failed to establish a connection to the third-party authentication server.
                   Number of packets denied access to the third-party authentication server.
  • Page 288: Display Portal Redirect Statistics

    Field              Description
    POST_OFFLINEUSER   Cloud user offline packet the access device sent to the third-party authentication server. This field is displayed only if the third-party authentication server is the lvzhou cloud or WeChat authentication server.
                       Cloud user online packet the access device sent to the third-party authentication server.
  • Page 289: Display Portal Rule

    Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays portal redirect packet statistics for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays portal redirect packet statistics for all member devices.
  • Page 290 Distributed devices in IRF mode: display portal rule { all | dynamic | static } { ap ap-name [ radio radio-id ] | interface interface-type interface-number [ chassis chassis-number slot slot-number ] } Views Any view Predefined user roles network-admin network-operator Parameters all: Displays all portal filtering rules, including dynamic and static portal filtering rules.
  • Page 291 Examples # (Centralized devices in standalone mode.) Display all portal filtering rules on GigabitEthernet 1/0/1. (Wired application). <Sysname> display portal rule all interface gigabitethernet 1/0/1 IPv4 portal rules on GigabitEthernet1/0/1: Rule 1 Type : Static Action : Permit Protocol : Any Status : Active Source:...
  • Page 292 Rule 4: Type : Static Action : Deny Status : Active Source: : 0.0.0.0 Mask : 0.0.0.0 Interface : GigabitEthernet1/0/1 VLAN : Any Destination: : 0.0.0.0 Mask : 0.0.0.0 IPv6 portal rules on GigabitEthernet1/0/1: Rule 1 Type : Static Action : Permit Protocol : Any...
  • Page 293 Source: : :: Prefix length Interface : GigabitEthernet1/0/1 VLAN : Any Protocol : TCP Destination: : :: Prefix length Port : 80 Rule 4: Type : Static Action : Deny Status : Active Source: : :: Prefix length Interface : GigabitEthernet1/0/1 VLAN : Any Destination:...
  • Page 294 : 0000-0000-0000 Interface : WLAN-BSS1/0/1 VLAN : any Destination: : 192.168.0.111 Mask : 255.255.255.255 Port : Any Rule 2 Type : Dynamic Action : Permit Status : Active Source: : 2.2.2.2 : 000d-88f8-0eab Interface : WLAN-BSS1/0/1 VLAN Author ACL: Number : N/A Rule 3 Type...
  • Page 295 # (Distributed devices in standalone mode/centralized in IRF mode.) Display all portal filtering rules on GigabitEthernet 1/0/1 for the specified slot. (Wired application.) <Sysname> display portal rule all interface gigabitethernet 1/0/1 slot 1 Slot 1: IPv4 portal rules on GigabitEthernet1/0/1: Rule 1 Type : Static...
  • Page 296 Rule 4: Type : Static Action : Deny Status : Active Source: : 0.0.0.0 Mask : 0.0.0.0 Interface : GigabitEthernet1/0/1 VLAN : Any Destination: : 0.0.0.0 Mask : 0.0.0.0 IPv6 portal rules on GigabitEthernet1/0/1: Rule 1 Type : Static Action : Permit Protocol : Any...
  • Page 297 : :: Prefix length Interface : GigabitEthernet1/0/1 VLAN : Any Protocol : TCP Destination: : :: Prefix length Port : 80 Rule 4: Type : Static Action : Deny Status : Active Source: : :: Prefix length Interface : GigabitEthernet1/0/1 VLAN : Any Destination:...
  • Page 298 Interface : WLAN-BSS1/0/1 VLAN : any Destination: : 192.168.0.111 Mask : 255.255.255.255 Port : Any Rule 2 Type : Dynamic Action : Permit Status : Active Source: : 2.2.2.2 Mask : 255.255.255.255 : 000d-88f8-0eab Interface : WLAN-BSS1/0/1 VLAN Author ACL: Number : N/A Rule 3...
  • Page 299 Table 30 Command output
    Field      Description
    Radio ID   ID of the radio.
    SSID       Service set identifier.
    Rule       Number of the portal rule. IPv4 portal filtering rules and IPv6 portal filtering rules are numbered separately.
    Type       Type of the portal rule:
               • Static—Static portal rule.
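    The rule listings above are what decides what an unauthenticated client can reach, so they are worth modelling offline. The Python below is an added example, not H3C code. Its rule set is constructed after the output shown on this page: a static permit to the portal server 192.168.0.111, a TCP port 80 rule, a dynamic rule for the authenticated user 2.2.2.2 bound to MAC address 000d-88f8-0eab, and a final static deny. Two assumptions are made: rules are matched in numerical order with the first match winning, and the action of the TCP/80 rule, which is truncated in the listing above, is Redirect. The model shows why a dynamic rule carries the user's MAC address: a host that only spoofs the authenticated user's IP address still falls through to the redirect and deny rules.

```python
"""Offline model of the portal filtering rules listed by `display portal rule`.
Added example, not H3C code.  Assumptions: rules apply in numerical order
and the first match wins; the TCP/80 rule's action (truncated on the page)
is Redirect; a flow matching no rule is denied.  The rule set is constructed
after the output shown on the page."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortalRule:
    number: int
    kind: str                      # "Static" or "Dynamic"
    action: str                    # "Permit", "Deny" or "Redirect"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "Any"             # "Any", "TCP" or "UDP"
    port: Optional[int] = None     # destination port; None means Any
    src_mac: Optional[str] = None  # dynamic rules bind the user's MAC


def net(cidr):
    return ipaddress.ip_network(cidr)


ANY4 = net("0.0.0.0/0")

RULES = [
    PortalRule(1, "Static", "Permit", ANY4, net("192.168.0.111/32")),  # portal server
    PortalRule(2, "Dynamic", "Permit", net("2.2.2.2/32"), ANY4,
               src_mac="000d-88f8-0eab"),                              # authenticated user
    PortalRule(3, "Static", "Redirect", ANY4, ANY4, proto="TCP", port=80),
    PortalRule(4, "Static", "Deny", ANY4, ANY4),
]


def matches(rule, src, dst, proto, dport, src_mac):
    if ipaddress.ip_address(src) not in rule.src:
        return False
    if ipaddress.ip_address(dst) not in rule.dst:
        return False
    if rule.proto != "Any" and rule.proto != proto:
        return False
    if rule.port is not None and rule.port != dport:
        return False
    if rule.src_mac is not None and rule.src_mac != src_mac:
        return False
    return True


def evaluate(rules, src, dst, proto="TCP", dport=None, src_mac=None):
    """Action the device applies to one flow: first matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, src, dst, proto, dport, src_mac):
            return rule.action
    return "Deny"


def broad_static_permits(rules):
    """Static Permit rules whose destination is wider than one host: the
    pre-authentication paths that deserve a review."""
    return [r.number for r in rules
            if r.kind == "Static" and r.action == "Permit" and r.dst.prefixlen < 32]


if __name__ == "__main__":
    for flow in (("10.0.0.5", "192.168.0.111", "TCP", 443, None),
                 ("10.0.0.5", "93.184.216.34", "TCP", 80, None),
                 ("10.0.0.5", "93.184.216.34", "TCP", 443, None),
                 ("2.2.2.2", "93.184.216.34", "TCP", 443, "000d-88f8-0eab"),
                 ("2.2.2.2", "93.184.216.34", "TCP", 443, "aaaa-bbbb-cccc")):
        print(flow, "->", evaluate(RULES, *flow))
    print("broad static permits:", broad_static_permits(RULES))
```

    broad_static_permits is the check to run after adding portal free rules: every static Permit whose destination is not a single host widens what unauthenticated clients can reach.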
  • Page 300: Display Portal Safe-Redirect Statistics

    display portal safe-redirect statistics Use display portal safe-redirect statistics to display portal safe-redirect packet statistics. Syntax Centralized devices in standalone mode: display portal safe-redirect statistics Distributed devices in standalone mode/centralized devices in IRF mode: display portal safe-redirect statistics [ slot slot-number ] Distributed devices in IRF mode: display portal safe-redirect statistics [ chassis chassis-number slot slot-number ] Views...
  • Page 301 Forbidden filename extension statistics: .jpg: 0 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display portal safe-redirect packet statistics on the specified slot. <Sysname> display portal safe-redirect statistics slot 1 Slot 1: Redirect statistics: Success: 7 Failure: 8 Total : 15 Method statistics:...
  • Page 302: Display Portal Server

    Table 31 Command output
    Field               Description
    Success             Number of packets redirected successfully.
    Failure             Number of packets that failed redirection.
    Total               Total number of packets.
    Method statistics   Statistics of HTTP request methods.
    Get                 Number of packets with the GET request method.
    Post                Number of packets with the POST request method.
    Other               Number of packets with other request methods.
  • Page 303: Display Portal User

    Server detection     : Timeout 60s  Action: log
    User synchronization : Timeout 200s
    Status               : Up
    Exclude-attribute    : Not configured
    Logout notification  : Retry 3 interval 5s
    Table 32 Command output
    Field   Description
    Type    Portal authentication server type:
            • CMCC—CMCC server.
            •...
  • Page 304 Views Any view Predefined user roles network-admin network-operator Parameters all: Displays information about all portal users. ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).
  • Page 305 Hardware Option compatibility MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 interface interface-type interface-number: Displays information about portal users on the specified interface. ip ipv4-address: Specifies the IPv4 address of a portal user. ipv6 ipv6-address: Specifies the IPv6 address of a portal user. mac mac-address: Specifies the MAC address of a portal user, in the format of H-H-H.
  • Page 306 authentication. If you do not specify the pre-auth keyword, this command displays information about authenticated portal users. brief: Displays brief information about portal users. verbose: Displays detailed information about portal users. Usage guidelines If you specify neither the brief nor the verbose keyword, this command displays portal authentication-related information for portal users.
  • Page 307 User profile: abc (active) Session group profile: cd (inactive) ACL number: N/A Inbound CAR: N/A Outbound CAR: N/A # Display information about the portal user whose MAC address is 000d-88f8-0eab. (Wired application.) <Sysname> display portal user mac 000d-88f8-0eab Username: abc Portal server: pts State: Online VPN instance: N/A...
  • Page 308
    Field                Description
    Total QQ users       Total number of portal users whose authentication type is QQ authentication.
    Total WeChat users   Total number of portal users whose authentication type is WeChat authentication.
    Username             Name of the user.
    Portal server        Name of the portal authentication server.
    State                Current state of the portal user: •...
  • Page 309 Current IP address: 50.50.50.3 Original IP address: 30.30.30.2 Username: user1@hrss User ID: 0x28000002 Access interface: eth3/2/2 Service-VLAN/Customer-VLAN: -/- MAC address: 0000-0000-0001 Authentication type: Normal Domain: hrss VPN instance: 123 Status: Online Portal server: test Vendor: Apple Authentication type: Direct AAA: Realtime accounting interval: 60s, retry times: 3 Idle-cut: 180 sec, 10240 bytes Session duration: 500 sec, remaining: 300 sec...
  • Page 310
    Field                        Description
    Service-VLAN/Customer-VLAN   Public VLAN/Private VLAN to which the portal user belongs. If no VLAN is configured for the portal user, this field displays -/-.
    MAC address                  MAC address of the portal user.
    Authentication type          Type of portal authentication:
                                 • Normal—Normal authentication.
                                 •...
  • Page 311
    Field          Description
    Outbound CAR   Authorized outbound CAR:
                   • CIR—Committed information rate in bps.
                   • PIR—Peak information rate in bps.
                   If no outbound CAR is authorized, this field displays N/A.
    ACL number     Authorized ACL:
                   • N/A—The AAA server authorizes no ACL.
                   • ACL number active—The AAA server has authorized the ACL successfully.
  • Page 312 Radio ID: 1 SSID: portal Portal server: pts State: Online VPN instance: vpn1 VLAN Interface 000d-88f8-0eac 4.4.4.4 Bss1/2 Authorization information: DHCP IP pool: N/A User profile: N/A ACL number: 3000 Inbound CAR: CIR 3072 bps 3072 bps Outbound CAR: CIR 3072 bps 3072 bps # Display information about portal users that perform normal authentication.
  • Page 313 Portal server: pts State: Online VPN instance: N/A VLAN Interface 000d-88f8-0eab 2.2.2.2 WLAN-BSS1/0/1 Authorization information: DHCP IP pool: N/A User profile: abc (active) Session group profile: cd (inactive) ACL number: N/A Inbound CAR: N/A Outbound CAR: N/A Table 36 Command output Field Description Total portal users...
  • Page 314
    Field          Description
    DHCP IP pool   Name of the authorized IP address pool. If no IP address pool is authorized for the portal user, this field displays N/A.
    User profile   Authorized user profile:
                   • N/A—The AAA server authorizes no user profile.
                   • User profile active—The AAA server has authorized the user profile successfully.
  • Page 315 Login time: 2014-12-25 10:47:53 UTC DHCP IP pool: N/A ACL&QoS&Multicast: Inbound CAR: N/A Outbound CAR: N/A ACL number: N/A User profile: N/A Max multicast addresses: 4 Traffic statistic: Uplink packets/bytes: 6/412 Downlink packets/bytes: 0/0 Dual-stack traffic statistics: IPv4 address: 18.18.0.20 Uplink packets/bytes: 3/200 Downlink packets/bytes: 0/0...
  • Page 316 Field Description Status of the portal user: • Authenticating—The user is being authenticated. • Authorizing—The user is being authorized. • Waiting SetRule—Deploying portal rules to the user. Status • Online—The user is online. • Waiting Traffic—Waiting for traffic from the user. •...
  • Page 317: Display Portal User Count

    Field                     Description
    User profile              Authorized user profile:
                              • N/A—The AAA server authorizes no user profile.
                              • User profile active—The AAA server has authorized the user profile successfully.
                              • inactive—The AAA server failed to authorize the user profile or the user profile does not exist on the device.
    Max multicast addresses   Maximum number of multicast groups the portal user can join.
  • Page 318: Display Portal Web-Server

    Examples # Display the number of portal users. <Sysname> display portal user count Total number of users: 1 Related commands portal enable portal delete-user display portal web-server Use display portal web-server to display information about portal Web servers. Syntax display portal web-server [ server-name ] Views Any view Predefined user roles...
  • Page 319: Display Web-Redirect Rule

    Table 39 Command output
    Field               Description
    Type                Portal Web server type:
                        • CMCC—CMCC server.
                        • IMC—IMC server.
    Portal Web server   Name of the portal Web server.
    URL                 URL of the portal Web server.
    URL parameters      URL parameters for the portal Web server.
    VPN instance        Name of the MPLS L3VPN where the portal Web server resides.
  • Page 320 Views Any view Predefined user roles network-admin network-operator Parameters ap ap-name: Specifies an AP by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, underscores (_), left brackets ([), right brackets (]), slashes (/), and minus signs (-).
  • Page 321 VLAN : Any Rule 2: Type : Static Action : Redirect Status : Active Source: VLAN : Any Protocol : TCP Destination: Port : 80 IPv6 web-redirect rules on GigabitEthernet1/0/1: Rule 1: Type : Static Action : Redirect Status : Active Source: VLAN : Any...
  • Page 322: Exclude-Attribute (Mac Binding Server View)

    Field    Description
    Type     Type of the Web redirect rule:
             • Static—Static Web redirect rule, generated when the Web redirect feature takes effect.
             • Dynamic—Dynamic Web redirect rule, generated when a user visits a redirect webpage.
    Action   Action in the Web redirect rule: •...
  • Page 323 To address this issue, you can configure this command to exclude the unsupported attributes from portal protocol packets sent to the portal authentication server. You can specify multiple excluded attributes. Table 41 describes all attributes of the portal protocol. Table 41 Portal attributes Name Number Description...
  • Page 324: Exclude-Attribute (Portal Authentication Server View)

    [Sysname-portal-mac-trigger-server-123] exclude-attribute 10
    exclude-attribute (portal authentication server view)
    Use exclude-attribute to exclude an attribute from portal protocol packets. Use undo exclude-attribute to stop excluding an attribute from portal protocol packets.
    Syntax exclude-attribute number { ack-auth | ack-logout | ntf-logout } undo exclude-attribute number { ack-auth | ack-logout | ntf-logout }
    Default No attributes are excluded from portal protocol packets.
  • Page 325: Free-Traffic Threshold

    Name Number Description UpLinkFlux Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB. DownLinkFlux Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB. Port A string excluding the end character '\0'. This attribute has different meanings in different types of packets. •...
  • Page 326: If-Match

    Views MAC binding server view Predefined user roles network-admin Parameters value: Specifies the free-traffic threshold in the range of 0 to 10240000 bytes. If the free-traffic threshold is set to 0, the device immediately triggers MAC-based quick portal authentication for a user once the user's traffic is detected.
  • Page 327 Predefined user roles network-admin Parameters original-url url-string: Specifies a URL string to match the URL in HTTP or HTTPS requests of a portal user. The specified URL must be a complete URL starting with http:// or https://, a case-sensitive string of 1 to 256 characters. redirect-url url-string: Specifies the URL to which the user is redirected.
  • Page 328: If-Match Temp-Pass

    <Sysname> system-view
    [Sysname] portal web-server wbs
    [Sysname-portal-websvr-wbs] if-match original-url http://www.abc.com.cn redirect-url http://192.168.0.1
    # Configure a match rule to redirect HTTP requests that carry the user agent string 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 to the URL http://192.168.0.1.
    <Sysname> system-view
    [Sysname] portal web-server wbs
    [Sysname-portal-websvr-wbs] if-match user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 redirect-url http://192.168.0.1
    Related commands...
  • Page 329 Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/ 810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 A match rule for temporary pass matches Web requests by URL or User-Agent information. Only the matching Web requests are temporarily permitted to pass.
  • Page 330: Ip (Mac Binding Server View)

    <Sysname> system-view
    [Sysname] portal web-server wbs
    [Sysname-portal-websvr-wbs] if-match original-url http://www.123.com.cn user-agent 5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)Chrome/36.0.1985.125Safari/537.36 temp-pass redirect-url http://192.168.0.1
    Related commands display portal web-server portal free-rule portal temp-pass enable url-parameter
    ip (MAC binding server view)
    Use ip to specify the IP address of a MAC binding server. Use undo ip to restore the default.
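    The if-match and if-match temp-pass rules above, together with the safe-redirect filtering whose statistics appear earlier in this section, decide what the access device does with a pre-authentication HTTP request. The Python below is an added example that models that decision offline; it is not H3C code and the requests it processes are constructed. Its rules are taken from the manual's examples (the original-url rule for http://www.abc.com.cn, the user-agent rule, and the combined temp-pass rule for http://www.123.com.cn). The manual does not spell out the matching details, so the model assumes: if-match rules are evaluated in order with the first match winning; only GET requests are redirected unless more methods are allowed; a URL with and without its trailing slash are the same URL; and a User-Agent string configured on the CLI (which carries no spaces in the manual's examples) matches when it occurs in the request's User-Agent after whitespace is removed. The .jpg extension comes from the safe-redirect statistics on this page; the allowed-method default is an assumption.

```python
"""Offline model of a portal Web server's handling of a pre-authentication
HTTP request: the safe-redirect filter (method, forbidden filename extension)
followed by the `if-match` rules.  Added example, not H3C code.  Assumptions:
if-match rules apply in order, first match wins; only GET is redirected unless
more methods are allowed; a trailing '/' does not change a URL; a CLI User-Agent
string matches when it occurs in the request's User-Agent with whitespace
removed.  All requests below are constructed."""
import os
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# User-Agent string exactly as written in the manual's if-match example.
CHROME_UA_CLI = ("5.0(WindowsNT6.1)AppleWebKit/537.36(KHTML,likeGecko)"
                 "Chrome/36.0.1985.125Safari/537.36")
# The same browser as it appears on the wire (constructed).
CHROME_UA_WIRE = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36")


@dataclass
class IfMatch:
    original_url: Optional[str] = None   # complete URL, case-sensitive
    user_agent: Optional[str] = None
    temp_pass: bool = False
    redirect_url: Optional[str] = None


@dataclass
class WebServer:
    url: str                                   # portal Web server URL
    rules: list = field(default_factory=list)  # if-match rules, in order
    allowed_methods: tuple = ("GET",)          # assumption: safe-redirect default
    forbidden_ext: tuple = (".jpg",)           # extension from the page's statistics
    stats: dict = field(default_factory=lambda: {"Get": 0, "Post": 0, "Other": 0, "Forbidden": {}})


def parse_request(raw: bytes):
    """(method, absolute URL, lower-cased headers) of an HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not target.startswith(("http://", "https://")):
        target = "http://" + headers.get("host", "") + target
    return method, target, headers


def norm_url(url: str) -> str:
    return url[:-1] if url.endswith("/") and urlsplit(url).path == "/" else url


def ua_matches(configured: str, wire_ua: str) -> bool:
    return configured in "".join(wire_ua.split())


def handle(server: WebServer, raw: bytes):
    """('no-redirect', None), ('redirect', url) or ('temp-pass', url)."""
    method, url, headers = parse_request(raw)
    server.stats[{"GET": "Get", "POST": "Post"}.get(method, "Other")] += 1
    ext = os.path.splitext(urlsplit(url).path)[1].lower()
    if ext in server.forbidden_ext:
        server.stats["Forbidden"][ext] = server.stats["Forbidden"].get(ext, 0) + 1
        return ("no-redirect", None)
    if method not in server.allowed_methods:
        return ("no-redirect", None)
    ua = headers.get("user-agent", "")
    for rule in server.rules:
        if rule.original_url is not None and norm_url(rule.original_url) != norm_url(url):
            continue
        if rule.user_agent is not None and not ua_matches(rule.user_agent, ua):
            continue
        return ("temp-pass" if rule.temp_pass else "redirect", rule.redirect_url)
    return ("redirect", server.url)      # no rule matched: send to the login page


def request(method, url, ua):
    """Constructed HTTP/1.1 request bytes for the samples in demo()."""
    parts = urlsplit(url)
    return (f"{method} {parts.path or '/'} HTTP/1.1\r\nHost: {parts.netloc}\r\n"
            f"User-Agent: {ua}\r\n\r\n").encode("latin-1")


def demo():
    """Rules from the manual's examples applied to six constructed requests."""
    server = WebServer(url="http://192.168.0.1/portal", rules=[
        IfMatch(original_url="http://www.abc.com.cn", redirect_url="http://192.168.0.1"),
        IfMatch(original_url="http://www.123.com.cn", user_agent=CHROME_UA_CLI,
                temp_pass=True, redirect_url="http://192.168.0.1"),
        IfMatch(user_agent=CHROME_UA_CLI, redirect_url="http://192.168.0.1"),
    ])
    samples = (("GET", "http://www.abc.com.cn/", "curl/7.64.0"),
               ("GET", "http://www.123.com.cn/", CHROME_UA_WIRE),
               ("GET", "http://example.com/logo.jpg", CHROME_UA_WIRE),
               ("POST", "http://example.com/api", CHROME_UA_WIRE),
               ("GET", "http://example.com/news", CHROME_UA_WIRE),
               ("GET", "http://example.com/news", "curl/7.64.0"))
    return server, [handle(server, request(*s)) for s in samples]


if __name__ == "__main__":
    srv, decisions = demo()
    print(decisions, srv.stats)
```

    The order of the rules matters: the combined URL-plus-User-Agent temp-pass rule must precede the User-Agent-only rule, otherwise the broader rule captures the request first and the temporary pass is never granted.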
  • Page 331: Ip (Portal Authentication Server View)

    Examples # Specify the IP address of the MAC binding server as 192.168.0.111 and the plaintext key as portal. <Sysname> system-view [Sysname] portal mac-trigger-server mts [Sysname-portal-mac-trigger-server-mts] ip 192.168.0.111 key simple portal Related commands display portal mac-trigger-server ip (portal authentication server view) Use ip to specify the IP address of an IPv4 portal authentication server.
  • Page 332: Ipv6

    <Sysname> system-view
    [Sysname] portal server pts
    [Sysname-portal-server-pts] ip 192.168.0.111 key simple portal
    Related commands display portal server portal server
    ipv6
    Use ipv6 to specify the IP address of an IPv6 portal authentication server. Use undo ipv6 to restore the default.
    Syntax ipv6 ipv6-address [ vpn-instance ipv6-vpn-instance-name ] [ key { cipher | simple } string ] undo ipv6...
  • Page 333: Local-Binding Aging-Time

    [Sysname] portal server pts
    [Sysname-portal-server-pts] ipv6 2000::1 key simple portal
    Related commands display portal server portal server
    local-binding aging-time
    Use local-binding aging-time to set the aging time for local MAC-account binding entries. Use undo local-binding aging-time to restore the default.
    Syntax local-binding aging-time hours undo local-binding aging-time...
  • Page 334: Logon-Page Bind

    undo local-binding enable Default Local MAC-trigger authentication is disabled. Views MAC binding server view Predefined user roles network-admin Usage guidelines This feature enables the device to act as a local MAC binding server to provide local MAC-trigger authentication for local portal users. After a user passes portal authentication for the first time, the access device (local MAC binding server) generates a local MAC binding entry for the user.
  • Page 335 device-type: Specifies an endpoint type. computer: Specifies the endpoint type as computer. pad: Specifies the endpoint type as tablet. phone: Specifies the endpoint type as mobile phone. device-name device-name: Specifies an endpoint by its name, a case-sensitive string of 1 to 127 characters.
  • Page 336: Logout-Notify

    Related commands default-logon-page portal local-web-server logout-notify Use logout-notify to set the maximum number of times and the interval for retransmitting a logout notification packet. Use undo logout-notify to restore the default. Syntax logout-notify retry retries interval interval undo logout-notify Default The device does not retransmit a logout notification packet.
  • Page 337: Mail-Domain-Name

    Examples
    # Set the maximum number of times for retransmitting a logout notification packet to 3 and the retry interval to 5 seconds.
    <Sysname> system-view
    [Sysname] portal server pt
    [Sysname-portal-server-pt] logout-notify retry 3 interval 5
    Related commands display portal server
    mail-domain-name
    Use mail-domain-name to specify an email domain name for email authentication.
  • Page 338: Nas-Port-Type

    Syntax mail-protocol { imap | pop3 } * undo mail-protocol Default No protocols are specified for email authentication. Views Email authentication server view Predefined user roles network-admin Parameters imap: Specifies the Internet Message Access Protocol (IMAP). pop3: Specifies the Post Office Protocol 3 (POP3). Usage guidelines This command specifies the email protocols that the device uses to interact with the email authentication server to perform authentication and authorization on portal users who use email authentication.
  • Page 339: Port (Mac Binding Server View)

    Usage guidelines Some MAC binding servers identify MAC-based quick portal authentication by a specific NAS-Port-Type value in received RADIUS requests. To communicate with such a MAC binding server, you must configure the device to use the NAS-Port-Type value required by the MAC binding server.
  • Page 340: Port (Portal Authentication Server View)

    port (portal authentication server view) Use port to set the destination UDP port number used by the device to send unsolicited portal packets to the portal authentication server. Use undo port to restore the default. Syntax port port-number undo port Default The device uses 50100 as the destination UDP port number for unsolicited portal packets.
  • Page 341: Portal { Ipv4-Max-User | Ipv6-Max-User

    You must configure the BAS-IP or BAS-IPv6 attribute on a portal authentication-enabled interface or service template if the following conditions are met: • The portal authentication server is an H3C IMC server or the portal authentication mode is re-DHCP. •...
  • Page 342: Portal Apply Mac-Trigger-Server

    Use undo portal { ipv4-max-user | ipv6-max-user } to restore the default. Syntax portal { ipv4-max-user | ipv6-max-user } max-number undo portal { ipv4-max-user | ipv6-max-user } Default The maximum number of portal users allowed on an interface or a service template is not limited. Views Interface view Service template view...
  • Page 343: Portal Apply Web-Server

    Default No MAC binding server is specified. Views Interface view Service template view Predefined user roles network-admin Parameters server-name: Specifies a MAC binding server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines Only direct portal authentication supports MAC-based quick portal authentication. For MAC-based quick portal authentication to take effect, perform the following tasks: •...
  • Page 344: Portal Auth-Error-Record Enable

    Parameters ipv6: Specifies an IPv6 portal Web server. If the server is an IPv4 portal Web server, do not specify this keyword. secondary: Specifies the backup portal Web server. If you do not specify this keyword, the specified server is the primary portal Web server. server-name: Specifies the portal Web server to apply on the interface by its name, a case-sensitive string of 1 to 32 characters.
  • Page 345: Portal Auth-Error-Record Export

    Views System view Predefined user roles network-admin Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/ 810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 This feature enables the device to save all portal authentication error records and to periodically send the records to the lvzhou cloud server or other servers.
  • Page 346 2100. The start time and end time must be in the format of hh:mm. The value range for the start time and end time is 00:00 to 23:59. Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/ 810-LM-HK/810-W-LM-HK/810-LMS/810-LUS...
  • Page 347: Portal Auth-Error-Record Max

    portal auth-error-record enable reset portal auth-error-record portal auth-error-record max Use portal auth-error-record max to set the maximum number of portal authentication error records. Use undo portal auth-error-record max to restore the default. Syntax portal auth-error-record max number undo portal auth-error-record max Default The maximum number of portal authentication error records is 32000.
  • Page 348: Portal Auth-Fail-Record Enable

    portal auth-fail-record enable Use portal auth-fail-record enable to enable portal authentication failure recording. Use undo portal auth-fail-record enable to disable portal authentication failure recording. Syntax portal auth-fail-record enable undo portal auth-fail-record enable Default Portal authentication failure recording is disabled. Views System view Predefined user roles network-admin...
  • Page 349 Views System view Predefined user roles network-admin Parameters url url-string: Specifies the URL to which portal authentication failure records are exported. The URL is a case-insensitive string of 1 to 255 characters. start-time start-date start-time end-time end-date end-time: Specifies a time range. The start date and end date must be in the format of MM/DD/YYYY or YYYY/MM/DD.
  • Page 350: Portal Auth-Fail-Record Max

    Examples
    # Export all portal authentication failure records to path tftp://1.1.1.1/record/authfail/.
    <Sysname> system-view
    [Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/
    # Export portal authentication failure records in the time range from 2016/3/4 14:20 to 2016/3/4 15:00 to path tftp://1.1.1.1/record/authfail/.
    <Sysname> system-view
    [Sysname] portal auth-fail-record export url tftp://1.1.1.1/record/authfail/ start-time 2016/3/4 14:20 end-time 2016/3/4 15:00
    Related commands...
  • Page 351: Portal Authorization Strict-Checking

    Hardware Command compatibility MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680
    When the maximum number of portal authentication failure records is reached, the new record overwrites the oldest one.
    Examples
    # Set the maximum number of portal authentication failure records to 50.
    <Sysname> system-view
    [Sysname] portal auth-fail-record max 50
    Related commands display portal auth-fail-record
    portal authorization strict-checking...
  • Page 352: Portal Captive-Bypass Optimize Delay

    [Sysname-GigabitEthernet1/0/1] portal authorization acl strict-checking
    # Enable strict checking on authorized ACLs on service template service1. (Wireless application.)
    <Sysname> system-view
    [Sysname] wlan service-template service1
    [Sysname-wlan-st-service1] portal authorization acl strict-checking
    Related commands display portal
    portal captive-bypass optimize delay
    Use portal captive-bypass optimize delay to set the captive-bypass detection timeout time. Use undo portal captive-bypass optimize delay to restore the default.
  • Page 353: Portal Client-Gateway Interface

    portal client-gateway interface Use portal client-gateway interface to specify the AC's interface for portal clients to access during third-party authentication. Use undo portal client-gateway interface to restore the default. Syntax portal client-gateway interface interface-type interface-number undo portal client-gateway interface Default No AC's interface is specified for portal clients to access during third-party authentication.
  • Page 354: Portal Delete-User

    Usage guidelines
    Before you execute this command, make sure the client traffic forwarding location is at APs.
    Examples
    # Set the interval at which an AP reports traffic statistics to the device to 120 seconds.
    <Sysname> system-view
    [Sysname] portal client-traffic-report interval 120
    Related commands client forwarding-location (WLAN Command Reference)
    portal delete-user...
  • Page 355 Hardware Option compatibility MSR5620/5660/5680 interface interface-type interface-number: Specifies an interface by its type and number. If you specify this option, this command logs out all IPv4 and IPv6 online portal users on the interface. ipv6 ipv6-address: Specifies the IP address of an IPv6 online portal user. mac mac-address: Specifies the MAC address of an online portal user, in the format of H-H-H.
  • Page 356: Portal Device-Id

    <Sysname> system-view [Sysname] portal delete-user auth-type email # Log out the portal user whose username is abc. <Sysname> system-view [Sysname] portal delete-user username abc Related commands display portal user portal device-id Use portal device-id to specify the device ID. Use undo portal device-id to restore the default. Syntax portal device-id device-id undo portal device-id...
  • Page 357: Portal Dual-Stack Enable

    Default No portal authentication domain is configured on an interface or a service template. Views Interface view Service template view Predefined user roles network-admin Parameters ipv6: Specifies an authentication domain for IPv6 portal users. Do not specify this keyword for IPv4 portal users.
  • Page 358: Portal Dual-Stack Traffic-Separate Enable

    Predefined user roles network-admin Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/ 810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 The portal dual-stack feature enables portal users to access both IPv4 and IPv6 networks after passing one type (IPv4 or IPv6) of portal authentication.
  • Page 359: Portal Enable

    Views Interface view Service template view Predefined user roles network-admin Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/ 810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 This feature enables the device to separately collect IPv4 traffic statistics and IPv6 traffic statistics for a dual-stack portal user.
  • Page 360 Syntax Interface view: portal enable method { direct | layer3 | redhcp } portal ipv6 enable method { direct | layer3 } undo portal [ ipv6 ] enable Service template: portal [ ipv6 ] enable method direct undo portal [ ipv6 ] enable Default Portal authentication is disabled.
  • Page 361: Portal Extend-Auth Domain

    Related commands display portal portal extend-auth domain Use portal extend-auth domain to specify the authentication domain for third-party authentication. Use undo portal extend-auth domain to remove the authentication domain for third-party authentication. Syntax portal extend-auth domain domain-name undo portal extend-auth domain Default No authentication domain is specified for third-party authentication.
  • Page 362: Portal Fail-Permit Server

    undo portal extend-auth-server { qq | mail } Default No third-party authentication servers exist. Views System view Predefined user roles network-admin Parameters qq: Specifies the QQ authentication server. mail: Specifies the email authentication server. Usage guidelines The device supports using the QQ or email authentication server as a third-party portal authentication server for portal authentication.
  • Page 363: Portal Fail-Permit Web-Server

    Views Interface view Predefined user roles network-admin Parameters ipv6: Specifies an IPv6 portal authentication server. Do not specify this keyword for an IPv4 portal authentication server. server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters.
  • Page 364: Portal Free-All Except Destination

    Predefined user roles network-admin Parameters ipv6: Specifies IPv6 portal Web servers. To specify IPv4 portal Web servers, do not specify this keyword. Usage guidelines The following matrix shows the support of the MSR routers for this command in different views: Hardware Interface view Service template view...
  • Page 365: Portal Free-Rule

    Use undo portal free-all except destination to delete the IPv4 portal authentication destination subnets on the interface. Syntax portal free-all except destination ipv4-network-address { mask-length | mask } undo portal free-all except destination [ ipv4-network-address ] Default No IPv4 portal authentication destination subnet is configured on the interface. Portal users must pass portal authentication to access any subnet.
  • Page 366 Syntax portal free-rule rule-number { destination ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] | source ip { ip-address { mask-length | mask } | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ] portal free-rule rule-number { destination ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] | source ipv6 { ipv6-address prefix-length | any } [ tcp tcp-port-number | udp udp-port-number ] } * [ interface interface-type interface-number ]...
  • Page 367: Portal Free-Rule Description

    • Specify the source IP address as 10.10.10.1/24, the destination IP address as 20.20.20.1, and the destination TCP port number as 23. • Specify the interface where the rule is applied as GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] portal free-rule 1 destination ip 20.20.20.1 32 tcp 23 source ip 10.10.10.1 24 interface gigabitethernet 1/0/1 With this rule, users in subnet 10.10.10.1/24 do not need to pass portal authentication through GigabitEthernet 1/0/1 when they access services provided on TCP port 23 of host 20.20.20.1.
  • Page 368: Portal Free-Rule Destination

    # Configure a destination-based portal-free rule: specify the rule number as 4 and host name as www.h3c.com.hk. This rule allows the portal user who sends the HTTP/HTTPS request that carries the host name www.h3c.com.hk to access network resources without authentication.
  • Page 369: Portal Free-Rule Source

    portal free-rule source Use portal free-rule source to configure a source-based portal-free rule. The filtering criteria include source MAC address, source interface, and source VLAN. Use undo portal free-rule to delete a specific or all portal-free rules. Syntax portal free-rule rule-number source { ap ap-name | { interface interface-type interface-number | mac mac-address | object-group object-group-name | vlan vlan-id } * } undo portal free-rule { rule-number | all } Default...
  • Page 370: Portal Host-Check Enable

    all: Specifies all portal-free rules. Usage guidelines If you specify both the source VLAN and the source Layer 2 interface, the interface must be in the VLAN. When you specify an object group in a source-based portal-free rule, make sure the specified object rule already exists.
  • Page 371: Portal Ipv6 Free-All Except Destination

    Hardware Command compatibility MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 By default, the device checks wireless portal client validity according to ARP entries only. In wireless networks where the AP forwards client traffic, the AC does not have ARP entries for clients. Therefore, the AC cannot check the validity of portal clients by using ARP entries.
  • Page 372: Portal Ipv6 Layer3 Source

    Usage guidelines Portal users on the interface are authenticated when accessing the specified authentication destination subnet (except IP addresses and subnets specified in portal-free rules). The users can access other subnets without portal authentication. You can configure multiple authentication destination subnets. If you do not specify the ipv6-network-address argument in the undo portal ipv6 free-all except destination command, this command deletes all IPv6 portal authentication destination subnets on the interface.
  • Page 373: Portal Ipv6 User-Detect

    If you do not specify the ipv6-network-address argument in the undo portal ipv6 layer3 source command, this command deletes all IPv6 portal authentication source subnets on the interface. Only cross-subnet authentication supports authentication source subnets. If you configure both an authentication source subnet and an authentication destination subnet on an interface, only the authentication destination subnet takes effect.
  • Page 374: Portal Layer3 Source

    If the device receives a reply within the maximum number of detection attempts, it considers that the user is online and stops sending detection packets. Then the device resets the idle timer and repeats the detection process when the timer expires. If the device receives no reply after the maximum number of detection attempts, the device ...
  • Page 375: Portal Local-Web-Server

    mask: Specifies the subnet mask in dotted decimal format. Usage guidelines With IPv4 authentication source subnets configured, only packets from IPv4 users on the authentication source subnets can trigger portal authentication. If an unauthenticated IPv4 user is not on any authentication source subnet, the access device discards all the user's packets that do not match any portal-free rule.
  • Page 376: Portal Logout-Record Enable

    Usage guidelines After a local portal Web server is configured on the access device, the access device also acts as the portal Web server and the portal authentication server. No external portal Web server and portal authentication server are needed. For an interface to use the local portal Web server, the URL of the portal Web server specified for the interface must meet the following requirements: •...
  • Page 377: Portal Logout-Record Export

    Predefined user roles network-admin Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/ 810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 This feature enables the device to save all portal user offline records and to periodically send the records to the lvzhou cloud server or other servers.
  • Page 378 Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/ 810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 The device supports FTP, TFTP, and HTTP file transfer methods. Table 45 describes the valid URL format for each method.
  • Page 379: Portal Logout-Record Max

    reset portal logout-record portal logout-record max Use portal logout-record max to set the maximum number of portal user offline records. Use undo portal logout-record max to restore the default. Syntax portal logout-record max number undo portal logout-record max Default The maximum number of portal user offline records is 32000. Views System view Predefined user roles...
  • Page 380: Portal Mac-Trigger-Server

    portal mac-trigger-server Use portal mac-trigger-server to create a MAC binding server and enter its view, or enter the view of an existing MAC binding server. Use undo portal mac-trigger-server to delete the MAC binding server. Syntax portal mac-trigger-server server-name undo portal mac-trigger-server server-name Default No MAC binding servers exist.
  • Page 381: Portal Nas-Id Profile

    Parameters max-number: Specifies the maximum number of total portal users in the system. The value range for this argument is 1 to 4294967295. Usage guidelines If you configure the maximum total number smaller than the number of current online portal users on the device, this command still takes effect.
  • Page 382: Portal Nas-Port-Id Format

    Examples # Specify the NAS-ID profile aaa for GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] portal nas-id-profile aaa Related commands aaa nas-id profile portal nas-port-id format Use portal nas-port-id format to specify the NAS-Port-Id attribute format. Use undo portal nas-port-id format to restore the default. Syntax portal nas-port-id format { 1 | 2 | 3 | 4 } undo portal nas-port-id format...
  • Page 383 Field Description NAS_subslot Subslot number of the BRAS, in the range of 0 to 31. NAS_Port Port number of the BRAS, in the range of 0 to 63. For ATM interfaces: • XPI is VPI in the range of 0 to 255. •...
  • Page 384: Portal Nas-Port-Type

    NAS-Port-Id Description atm 31/31/7:255.65535 0/0/0/0/0/0 The subscriber interface type is an ATM interface. The slot number is 31, the BRAS subslot number is 31, the BRAS port number is 7, the VPI is 255, and the VCI is 65535. eth 31/31/7:1234.2345 0/0/0/0/0/0 The subscriber interface type is an Ethernet interface. The slot number is 31, the subslot number is 31, the port number is 7, the PVLAN is 1234, and the CVLAN is 2345.
  • Page 385 Default The NAS-Port-Type value carried in RADIUS requests is the user's access interface type value obtained by the access device. Views Interface view Service template view Predefined user roles network-admin Parameters ethernet: Specifies the NAS-Port-Type attribute value as Ethernet (number 15). wireless: Specifies the NAS-Port-Type attribute value as WLAN-IEEE 802.11 (number 19).
  • Page 386: Portal Outbound-Filter Enable

    Related commands display portal interface portal outbound-filter enable Use portal [ ipv6 ] outbound-filter enable to enable outgoing packets filtering on a portal-enabled interface. Use undo portal [ ipv6 ] outbound-filter enable to disable outgoing packets filtering on a portal-enabled interface. Syntax portal [ ipv6 ] outbound-filter enable undo portal [ ipv6 ] outbound-filter enable...
  • Page 387 Views Interface view Predefined user roles network-admin Parameters ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users. domain-name: Specifies an existing ISP domain by its name, a case-insensitive string of 1 to 255 characters. The string cannot contain the following characters: slashes (/), backslashes (\), vertical bars (|), quotation marks ("), colons (:), asterisks (*), question marks (?), left angle brackets (<), right angle brackets (>), and at signs (@).
  • Page 388: Portal Packet Log Enable

    <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] portal pre-auth domain abc Related commands display portal portal packet log enable Use portal packet log enable to enable logging for portal protocol packets. Use undo portal packet log enable to disable logging for portal protocol packets. Syntax portal packet log enable undo portal packet log enable...
  • Page 389: Portal Redirect Log Enable

    Views Interface view Predefined user roles network-admin Parameters ipv6: Specifies IPv6 portal users. Do not specify this keyword for IPv4 portal users. pool-name: Specifies an IP address pool by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines You must use this command to specify a preauthentication IP address pool on a portal-enabled interface in the following situation: •...
  • Page 390: Portal Refresh Enable

    Usage guidelines This feature logs information about portal redirect packets, including the user IP address, MAC address, SSID, BAS IP, and Web server IP address. For portal log messages to be sent correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.
  • Page 391: Portal Roaming Enable

    [Sysname] undo portal refresh arp enable portal roaming enable Use portal roaming enable to enable portal roaming. Use undo portal roaming enable to disable portal roaming. Syntax portal roaming enable undo portal roaming enable Default Portal roaming is disabled. An online portal user cannot roam in its VLAN. Views System view Predefined user roles...
  • Page 392: Portal Safe-Redirect Forbidden-File

    Usage guidelines Portal redirects all HTTP requests except HTTP requests that match portal-free rules to the portal Web server, which might overload the server. Portal safe-redirect filters HTTP requests by HTTP request method, browser type (in HTTP User Agent), and destination URL, and redirects only the permitted HTTP requests. As a best practice to avoid server overload and improve security, enable portal safe-redirect on the device.
  • Page 393: Portal Safe-Redirect Forbidden-Url

    Related commands display portal safe-redirect statistics portal safe-redirect enable portal safe-redirect forbidden-url Use portal safe-redirect forbidden-url to configure a URL forbidden by portal safe-redirect. Use undo portal safe-redirect forbidden-url to delete a portal safe-redirect forbidden URL. Syntax portal safe-redirect forbidden-url user-url-string undo portal safe-redirect forbidden-url user-url-string Default No forbidden URLs are configured.
  • Page 394: Portal Safe-Redirect User-Agent

    Default After portal safe-redirect is enabled, the device redirects only HTTP requests with the GET method. Views System view Predefined user roles network-admin Parameters get: Specifies the GET request method. post: Specifies the POST request method. Usage guidelines After you specify HTTP request methods for portal safe-redirect, the device redirects only the HTTP requests with the specified methods to the portal Web server.
  • Page 395: Portal Server

    Table 46 Browser types supported by portal safe-redirect Browser type Description Safari Apple browser Chrome Google browser Firefox Firefox browser UC browser QQBrowser QQ browser LBBROWSER Cheetah browser TaoBrowser Taobao browser Maxthon Maxthon browser BIDUBrowser Baidu browser MSIE 10.0 Microsoft IE 10.0 browser MSIE 9.0 Microsoft IE 9.0 browser MSIE 8.0...
  • Page 396: Portal Temp-Pass Enable

    Views System view Predefined user roles network-admin Parameters server-name: Specifies a portal authentication server by its name, a case-sensitive string of 1 to 32 characters. Usage guidelines In portal authentication server view, you can configure the following parameters and features for the portal authentication server: •...
  • Page 397: Portal Traffic-Accounting Disable

    Usage guidelines Typically, a portal user cannot access the network before passing portal authentication. This feature allows a user to access the Internet temporarily if the user uses a WeChat account to perform portal authentication. During the temporary pass period, the user provides WeChat authentication information to the WeChat server for the server to interact with the access device to finish portal authentication.
  • Page 398: Portal User-Detect

    portal user-detect Use portal user-detect to enable online detection of IPv4 portal users. Use undo portal user-detect to disable online detection of IPv4 portal users. Syntax portal user-detect type { arp | icmp } [ retry retries ] [ interval interval ] [ idle time ] undo portal user-detect Default Online detection of IPv4 portal users is disabled.
  • Page 399: Portal User-Dhcp-Only

    Examples # Enable online detection of IPv4 portal users on GigabitEthernet 1/0/1. Configure the detection type as ICMP, the maximum number of detection attempts as 5, the detection interval as 10 seconds, and the user idle timeout as 300 seconds. <Sysname>...
  • Page 400: Portal User-Logoff After-Client-Offline Enable

    [Sysname-wlan-st-service1] portal user-dhcp-only Related commands display portal portal user-logoff after-client-offline enable Use portal user-logoff after-client-offline enable to enable automatic logout for wireless portal users. Use undo portal user-logoff after-client-offline enable to disable automatic logout for wireless portal users. Syntax portal user-logoff after-client-offline enable undo portal user-logoff after-client-offline enable Default Automatic logout is disabled for wireless portal users.
  • Page 401: Portal User Log Enable

    portal user log enable Use portal user log enable to enable logging for portal user logins and logouts. Use undo portal user log enable to disable logging for portal user logins and logouts. Syntax portal user log enable undo portal user log enable Default Portal user login and logout logging is disabled.
  • Page 402: Redirect-Url

    Use redirect-url to specify the redirection URL for QQ authentication success. Use undo redirect-url to restore the default. Syntax redirect-url url-string undo redirect-url Default The redirection URL for QQ authentication success is http://lvzhou.h3c.com/portal/qqlogin.html. Views QQ authentication server view Predefined user roles network-admin Parameters url-string: Specifies the redirection URL for QQ authentication success, a case-sensitive string of 1 to 256 characters.
  • Page 403: Reset Portal Auth-Error-Record

    [Sysname-portal-extend-auth-server-qq] redirect-url http://www.abc.com/portal/qqlogin.html Related commands display portal extend-auth-server reset portal auth-error-record Use reset portal auth-error-record to clear portal authentication error records. Syntax reset portal auth-error-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time } Views User view Predefined user roles...
  • Page 404: Reset Portal Auth-Fail-Record

    # Clear portal authentication error records for the portal user whose IPv6 address is 2000::2. <Sysname> reset portal auth-error-record ipv6 2000::2 # Clear portal authentication error records with the error time in the range of 2016/3/4 14:20 to 2016/3/4 16:23. <Sysname>...
  • Page 405: Reset Portal Captive-Bypass Statistics

    Examples # Clear all portal authentication failure records. <Sysname> reset portal auth-fail-record all # Clear portal authentication failure records for the portal user whose IPv4 address is 11.1.0.1. <Sysname> reset portal auth-fail-record ipv4 11.1.0.1 # Clear portal authentication failure records for the portal user whose IPv6 address is 2000::2. <Sysname>...
  • Page 406: Reset Portal Logout-Record

    # (Distributed devices in standalone mode/Centralized devices in IRF mode.) Clear portal captive-bypass packet statistics on the specified slot. <Sysname> reset portal captive-bypass statistics slot 0 Related commands display portal captive-bypass statistics reset portal logout-record Use reset portal logout-record to clear portal user offline records. Syntax reset portal logout-record { all | ipv4 ipv4-address | ipv6 ipv6-address | start-time start-date start-time end-time end-date end-time | username username }...
  • Page 407: Reset Portal Packet Statistics

    # Clear offline records for the portal user whose IPv4 address is 11.1.0.1. <Sysname> reset portal logout-record ipv4 11.1.0.1 # Clear offline records for the portal user whose IPv6 address is 2000::2. <Sysname> reset portal logout-record ipv6 2000::2 # Clear offline records for the portal user whose username is abc. <Sysname>...
  • Page 408: Reset Portal Redirect Statistics

    Related commands display portal packet statistics reset portal redirect statistics Use reset portal redirect statistics to reset portal redirect packet statistics. Syntax Centralized devices in standalone mode: reset portal redirect statistics Distributed devices in standalone mode/centralized in IRF mode: reset portal redirect statistics [ slot slot-number ] Distributed devices in IRF mode: reset portal redirect statistics [ chassis chassis-number slot slot-number ] Views...
  • Page 409: Server-Detect (Portal Authentication Server View)

    reset portal safe-redirect statistics [ slot slot-number ] Distributed devices in IRF mode: reset portal safe-redirect statistics [ chassis chassis-number slot slot-number ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears statistics for all cards.
  • Page 410: Server-Detect (Portal Web Server View)

    log: Enables the device to send a log message when it detects a reachability status change of the portal authentication server. The log message contains the name, the original state, and the current state of the portal authentication server. Usage guidelines The portal authentication server detection feature takes effect only when the device has a portal-enabled interface.
  • Page 411: Server-Register

    log: Enables the device to send a log message when it detects a reachability status change of the portal Web server. The log message contains the name, the original state, and the current state of the portal Web server. Usage guidelines The access device performs server detection independently.
  • Page 412: Server-Type (Mac Binding Server View)

    receives the register packet, it records register information for the access device, including the device name, and the IP address and port number after NAT. The register information is used for subsequent authentication information exchanges between the server and the access device. The access device updates its register information on the server by sending register packets at regular intervals.
  • Page 413: Tcp-Port

    undo server-type Default The type of the portal authentication server and portal Web server is IMC. Views Portal authentication server view Portal Web server view Predefined user roles network-admin Parameters cmcc: Specifies the portal server type as CMCC. imc: Specifies the portal server type as IMC. oauth: Specifies the portal server type as Lvzhou.
  • Page 414: Url

    Parameters port-number: Specifies the listening TCP port number in the range of 1 to 65535. Usage guidelines To use the local portal Web server, make sure the port number in the portal Web server URL and the port number configured in this command are the same. For successful local portal authentication, follow these guidelines: •...
  • Page 415: Url-Parameter

    <Sysname> system-view [Sysname] portal web-server wbs [Sysname-portal-websvr-wbs] url http://www.test.com/portal Related commands display portal web-server url-parameter Use url-parameter to configure the parameters carried in the URL of a portal Web server. The access device redirects a portal user by sending the URL with the parameters to the user. Use undo url-parameter to delete the parameters carried in the URL of the portal Web server.
  • Page 416 Hardware Option compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 encryption: Specifies the encryption algorithm to encrypt the MAC address of the AP or user. aes: Specifies the AES algorithm. des: Specifies the DES algorithm. key: Specifies a key for encryption. cipher: Specifies a key in encrypted form.
  • Page 417: User-Password Modify Enable

    If you specify the encryption algorithm for a parameter, the redirection URL carries the encrypted value for the parameter. Execute the url-parameter usermac source-mac encryption des key simple 12345678 command. Then the access device sends to the user with MAC address 1111-1111-1111 the URL http://www.test.com/portal?usermac=xxxxxxxxx&userip=1.1.1.1&userurl=http://www.test.com/welcome, where xxxxxxxxx represents the encrypted user MAC address.
  • Page 418: User-Sync

    Examples # In local portal Web server view, enable local portal user password modification. <Sysname> system-view [Sysname] portal local-web-server http [Sysname-portal-local-websvr-http] user-password modify enable Related commands portal local-web-server user-sync Use user-sync to enable portal user synchronization for a portal authentication server. After this feature is enabled, the device replies to and periodically detects the synchronization packets from the portal authentication server.
  • Page 419: Version

    Examples # Enable portal user synchronization for the portal authentication server pts and set the detection timeout to 600 seconds. If a user has not appeared in the synchronization packets sent by the portal authentication server for 600 seconds, the access device logs out the user. <Sysname>...
  • Page 420: Web-Redirect Track

    Syntax vpn-instance vpn-instance-name undo vpn-instance Default A portal Web server belongs to the public network. Views Portal Web server view Predefined user roles network-admin Parameters vpn-instance-name: Specifies the MPLS L3VPN instance to which the portal Web server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
  • Page 421: Web-Redirect Url

    • The tracked interface receives 2G signal or no signal. In the current software version, this feature can track signal information only for Etherchannel interfaces. This feature applies only to IPv4 users. This feature requires that the webpage to which the redirect URL points must be configured on the device.
  • Page 422 • userip=%c—IP address of the user. • usermac=%m—MAC address of the user. • nasid=%n—NAS identifier of the device. • ssid=%E—SSID with which the user associates. • originalurl=%o—Original URL that the user enters in the browser. Make sure the parameters are arranged in the format http://XXXX/index.html?userip=%c&usermac=%m&nasid=%n&ssid=%E&originalurl=%o.
  • Page 423: User Profile Commands

    User profile commands The following matrix shows the feature and hardware compatibility: Hardware User profile compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS/810-LMS/810-LUS.
  • Page 424 Views Any view Predefined user roles network-admin network-operator Parameters name profile-name: Specifies a user profile by its name, a case-sensitive string of 1 to 31 characters. Valid characters include English letters, digits, and underscores (_). The name must start with an English letter and must be unique.
  • Page 425 # (Distributed device in standalone mode.) Display configuration and online user information for all user profiles in slot 2. <Sysname> display user-profile slot 2 User-Profile: aaa Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) Policy: p1 Outbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) Policy: p2...
  • Page 426 User user_1: Authentication type: 802.1X Network attributes: Interface : GigabitEthernet1/2/0/1 MAC address : 0000-1111-2222 Failed action list: Inbound: Policy p1 Inbound: CIR 32 (kbps), CBS 2048 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) User user_2: Authentication type: Portal Network attributes: Interface : GigabitEthernet1/2/0/3 IP address...
  • Page 427 Chassis 1 Slot 2: User user_1: Authentication type: 802.1X Network attributes: Interface : GigabitEthernet1/2/0/1 MAC address : 0000-1111-2222 Failed action list: Inbound: Policy p1 Chassis 1 Slot 5: User user_6: Authentication type: PPP Network attributes: Interface : GigabitEthernet1/2/0/3 User-Profile: bbb Inbound: CIR 512 (kbps), CBS 1024 (Bytes), EBS 0 (Bytes), PIR 888 (kbps) Policy: p3...
  • Page 428: User-Profile

    Field Description Authentication type: • 802.1X—802.1X authentication. • Portal—Portal authentication. • PPP—PPP authentication. • MACA—MAC authentication. Network attributes Online user information. Failed action list Actions that failed to be applied to the user. user-profile Use user-profile to create a user profile and enter its view, or enter the view of an existing user profile.
  • Page 429: Password Control Commands

    Password control commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. IPv6-related parameters are not supported on the following routers: •...
  • Page 430: Display Password-Control Blacklist

    Password length: Enabled (10 characters) Password composition: Enabled (1 types, 1 characters per type) Table 48 Command output Field Description Password control Whether the password control feature is enabled. Password aging Whether password expiration is enabled and, if enabled, the expiration time.
  • Page 431: Password-Control { Aging | Composition | History | Length } Enable

    ipv6 ipv6-address: Specifies the IPv6 address of a user. Usage guidelines If you do not specify any parameters, this command displays information about all users in the password control blacklist. The users' IP addresses and user accounts are added to the password control blacklist when the users fail authentication.
  • Page 432: Password-Control Aging

    Predefined user roles network-admin Parameters aging: Enables the password expiration feature. composition: Enables the password composition restriction feature. history: Enables the password history feature. length: Enables the minimum password length restriction feature. Usage guidelines For a specific password control feature to take effect, make sure the global password control and the specific password control feature are both enabled.
  • Page 433 Default A password expires after 90 days. The password expiration time for a user group equals the global setting. The password expiration time for a local user equals that of the user group to which the local user belongs. Views System view User group view Local user view...
  • Page 434: Password-Control Alert-Before-Expire

    password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of the pending password expiration. Use undo password-control alert-before-expire to restore the default. Syntax password-control alert-before-expire alert-time undo password-control alert-before-expire Default The default is 7 days.
  • Page 435: Password-Control Composition

    User group view Local user view Predefined user roles network-admin Parameters same-character: Refuses a password that contains any character appearing consecutively three or more times. For example, the password aaabc is not complex enough. user-name: Refuses a password that contains the username or the reverse of the username. For example, if the username is 123, a password such as abc123 or 321df is not complex enough.
  • Page 436 In FIPS mode: The password using the global composition policy must contain a minimum of four character types and a minimum of one character for each type. In both non-FIPS and FIPS modes: The password composition policy for a user group is the same as the global policy. The password composition policy for a local user is the same as that of the user group to which the local user belongs.
  • Page 437: Password-Control Enable

    type-length type-length: Specifies the minimum number of characters that are from each type in the password. The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode. Usage guidelines The password composition policy depends on the view: •...
  • Page 438: Password-Control Expired-User-Login

    The password control feature is disabled globally. In FIPS mode: The password control feature is enabled globally and cannot be disabled. Views System view Predefined user roles network-admin Usage guidelines A specific password control feature takes effect only after the global password control feature is enabled.
  • Page 439: Password-Control History

    Usage guidelines This command is effective only on non-FTP login users. An FTP user cannot continue to log in after its password expires. Examples # Allow a user to log in five times within 60 days after the password expires. <Sysname>...
  • Page 440: Password-Control Length

    password-control history enable reset password-control blacklist password-control length Use password-control length to set the minimum password length. Use undo password-control length to restore the default. Syntax password-control length length undo password-control length Default In non-FIPS mode: The global minimum password length is 10 characters. In FIPS mode: The global minimum password length is 15 characters.
  • Page 441: Password-Control Login Idle-Time

    # Set the minimum password length to 16 characters for the user group test. [Sysname] user-group test [Sysname-ugroup-test] password-control length 16 [Sysname-ugroup-test] quit # Set the minimum password length to 16 characters for the device management user abc. [Sysname] local-user abc class manage [Sysname-luser-manage-abc] password-control length 16 Related commands display local-user...
  • Page 442: Password-Control Login-Attempt

    password-control login-attempt Use password-control login-attempt to configure the login attempt limit. The settings include the maximum number of consecutive login failures and the action to be taken when the maximum number is reached. Use undo password-control login-attempt to restore the default. Syntax password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] undo password-control login-attempt...
  • Page 443 Whether a blacklisted user and user account are locked depends on the locking setting: • If a user account is permanently locked for a user, the user cannot use this account unless this account is removed from the password control blacklist. To remove the user account, use the reset password-control blacklist command.
  • Page 444: Password-Control Super Aging

    Related commands display local-user display password-control display password-control blacklist display user-group reset password-control blacklist password-control super aging Use password-control super aging to set the expiration time for super passwords. Use undo password-control super aging to restore the default. Syntax password-control super aging aging-time undo password-control super aging Default A super password expires after 90 days.
  • Page 445: Password-Control Super Length

    A super password must contain a minimum of one character type and a minimum of one character for each type. In FIPS mode: A super password must contain a minimum of four character types and a minimum of one character for each type.
  • Page 446: Password-Control Update-Interval

    Predefined user roles network-admin Parameters length: Specifies the minimum length of super passwords in characters. The value range for this argument is 4 to 63 in non-FIPS mode, and 15 to 63 in FIPS mode. Examples # Set the minimum length of super passwords to 16 characters. <Sysname>...
  • Page 447: Reset Password-Control Blacklist

    reset password-control blacklist Use reset password-control blacklist to remove blacklisted users. Syntax reset password-control blacklist [ user-name user-name ] Views User view Predefined user roles network-admin Parameters user-name user-name: Specifies the username of a user account to be removed from the password control blacklist.
  • Page 448 <Sysname> reset password-control history-record Are you sure to delete all local user's history records? [Y/N]:y Related commands password-control history...
  • Page 449: Keychain Commands

    Keychain commands accept-lifetime utc Use accept-lifetime utc to set the receiving lifetime for a key of a keychain in absolute time mode. Use undo accept-lifetime to restore the default. Syntax accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date } undo accept-lifetime Default...
  • Page 450: Authentication-Algorithm

    [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21 authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for a key. Use undo authentication-algorithm to restore the default. Syntax authentication-algorithm { hmac-md5 | md5 } undo authentication-algorithm Default No authentication algorithm is specified for a key.
  • Page 451 Parameters name keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63 characters. If you do not specify a keychain, this command displays information about all keychains. key key-id: Specifies a key by its ID in the range of 0 to 281474976710655. If you do not specify a key, this command displays information about all keys in a keychain.
  • Page 452: Key

    Field Description Algorithm Authentication algorithm for the key: hmac-md5 or md5. Send lifetime Sending lifetime for the key. Send status Status of the send key: Active or Inactive. Accept lifetime Receiving lifetime for the key. Accept status Status of the accept key: Active or Inactive. Use key to create a key for a keychain and enter its view, or enter the view of an existing key.
  • Page 453: Key-String

    Views System view Predefined user roles network-admin Parameters keychain-name: Specifies a keychain name, a case-sensitive string of 1 to 63 characters. mode: Specifies a time mode. absolute: Specifies the absolute time mode. In this mode, each time point during a key's lifetime is the UTC time and is not affected by the system's time zone or daylight saving time.
  • Page 454: Send-Lifetime Utc

    Examples # Set the key to 123456 in plaintext form for key 1. <Sysname> system-view [Sysname] keychain abc mode absolute [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] key-string plain 123456 send-lifetime utc Use send-lifetime utc to set the sending lifetime for a key of a keychain in absolute time mode. Use undo send-lifetime to restore the default.
  • Page 455 [Sysname-keychain-abc] key 1 [Sysname-keychain-abc-key-1] send-lifetime utc 12:30 2015/1/21 to 18:30 2015/1/21...
  • Page 456: Public Key Management Commands

    Public key management commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display public-key local public Use display public-key local public to display local public keys.
  • Page 457 Key code: 307C300D06092A864886F70D0101010500036B003068026100CAB4CACCA16442AD5F453442 762F03897E0D494FEDE69224F5C051A441D290976733A278C9F0C0F5A198E66143EAB54A64 DB608269CAE844B1E7CC64AD7E808972E7CF887F3B657F056E7930FC84FBF1AD83A01CC47E 9D85C13413996ECD093B0203010001 ============================================= Key name: rsa1 Key type: RSA Time when key pair created: 15:42:26 2011/05/12 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DEBC46F217DDF11D 426E7095AA45CD6BF1F87343D952569AC223A01365E0D8C91D49D347C143C5D8FAADA896AA 1A827E580F2502F1926F52197230E1DE391A64015C43DD79DC4E9E171BAEA1DEB4C71DAED7 9A6EDFD460D8945D27D39B7C9822D56AEA5B7C2CCFF1B6BC524AD498C3B87D4BD6EB36AF03 92D8C6D940890BF4290203010001 # Display all local DSA public keys. <Sysname> display public-key local dsa public ============================================= Key name: dsakey (default) Key type: DSA...
  • Page 458 585DA7F42519718CC9B09EEF0381850002818100A1E456C8DA2AD1BB83B1BDF2A1A6B5A6E8 3642B460402445DA7E4036715F468F76655E114D460B7112F57143EE020AEF4A5BFAD07B74 0FBCB1C64DA8A2BCE619283421445EEC77D3CF0D11866E9656AD6511F4926F8376967B0AB7 15F9FB7B514BC1174155DD6E073B1FCB3A2749E6C5FEA81003E16729497D0EAD9105E3E76A # Display all local ECDSA public keys. <Sysname> display public-key local ecdsa public ============================================= Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF 68F5DC877835A43009DB6135558A7FB8316C361B0690B4FD84A14C0779C76DD6145BF9362B ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code:...
  • Page 459: Display Public-Key Peer

    # Display the public key of local ECDSA key pair ecdsa1. <Sysname> display public-key local ecdsa public name ecdsa1 ============================================= Key name: ecdsa1 Key type: ECDSA Time when key pair created: 15:43:33 2011/05/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004A1FB84D92315B8DB72D1 AE672C7CFA5135D5F5B02377F2F092F182EC83B5819795BC94CCBD3EBA7D4F0F2B2EB20C58...
  • Page 460 Predefined user roles network-admin network-operator Parameters brief: Displays brief information about all peer host public keys. The brief information includes only the key type, key modulus, and key name. name publickey-name: Displays detailed information about a peer host public key, including its key code.
  • Page 461: Peer-Public-Key End

    Field Description Modulus Key modulus length in bits. Name Name of the peer host public key. Related commands public-key peer public-key peer import sshkey peer-public-key end Use peer-public-key end to exit public key view to system view and save the configured peer host public key.
  • Page 462: Public-Key Local Create

    public-key local create Use public-key local create to create local key pairs. Syntax In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ] In FIPS mode: public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 ] | rsa } [ name key-name ] Default No local key pairs exist.
  • Page 463 If you do not assign the key pair a name, the system assigns the default name to the key pair and marks the key pair as default. You can also assign the default name to another key pair, but the system does not mark the key pair as default.
  • Page 464 Generating Keys..++++++++++++++++++++++++++++++++++++++++++++++++++* ..+..+..+........+..+.......+..+....+.....+...+..+....+..+..+....+..+...+..+..+..+....+..+......+..+..+....+..+...+......+..+..+...+..+..+.......+++++++++++++++++++++++++++++++++++++++++++++++++++* Create the key pair successfully. # Create a local ECDSA key pair with the default name. <Sysname> system-view [Sysname] public-key local create ecdsa Generating Keys... Create the key pair successfully. # Create a local RSA key pair named rsa1. <Sysname>...
  • Page 465: Public-Key Local Destroy

    <Sysname> system-view [Sysname] public-key local create rsa The range of public key modulus is (2048 ~ 2048). It will take a few minutes.Press CTRL+C to abort. Input the modulus length [default = 2048]: Generating Keys..++++++ .++++++ ..++++++++ ..++++++++ Create the key pair successfully. # In FIPS mode, create a local DSA key pair with the default name.
  • Page 466: Public-Key Local Export Dsa

    name key-name: Specifies a local key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command destroys all key pairs of the specified type. Usage guidelines To avoid key compromise, destroy the local key pair and generate a new pair after any of the following conditions occurs:...
  • Page 467 Predefined user roles network-admin Parameters name key-name: Specifies a local DSA key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command exports the host public key of the local DSA key pair with the default name.
  • Page 468: Public-Key Local Export Ecdsa

    <Sysname> system-view [Sysname] public-key local export dsa openssh ssh-dss AAAAB3NzaC1kc3MAAACBANdXJixFhMRMIR8YvZbl8GHE8KQj9/5ra4WzTO9yzhSg06UiL+CM7OZb5sJlhUiJ3 B7b0T7IsnTan3W6Jsy5h3I2Anh+kiuoRCHyLDyJy5sG/WD+AZQd3Xf+axKJPadu68HRKNl/BnjXcitTQchQbz WCFLFqL6xLNolQOHgRx9ozAAAAFQDHcyGMc37I7pk7Ty3tMPSO2s6RXwAAAIEAgiaQCeFOxHS68pMuadOx8YU XrZWUGEzN/OrpbsTV75MTPoS0cJPFKyDNNdAkkrOVnsZJliW8T6UILiLFs3ThbdABMs5xsCAhcJGscXthI5HH bB+y6IMXwb2BcdQey4PiEMA8ybMugQVhwhYhxz1tqsAo9LFYXaf0JRlxjMmwnu8AAACAQZEs400SvNIVfnqxw vA7PvOVEA89tKni/f6GDBvWY9Z2Q499pAqUBtYcqQea8T4zBInxx2eF3lLaZJrIvAS205zXxSzQoU9190kakd MdasIjQLWYGyepFc3sTwmIflQeweUwLVAPaOesKaCERjxg+e4maYWlAvySGT4c9NJlxLo= dsa-key # Export the host public key of local DSA key pair dsa1 in OpenSSH format to a file named dsa1.pub. <Sysname> system-view [Sysname] public-key local export dsa name dsa1 openssh dsa1.pub # Display the host public key of local DSA key pair dsa1 in SSH2.0 format.
  • Page 469 Predefined user roles network-admin Parameters name key-name: Specifies a local ECDSA key pair by its name, a case-insensitive string of 1 to 64 characters. Valid characters are letters, digits, and hyphens (-). If you do not specify a key pair, this command exports the host public key of the local ECDSA key pair with the default name.
  • Page 470: Public-Key Local Export Rsa

    [Sysname] public-key local export ecdsa openssh ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBREw5tkARpbV+sYArt/xcW+UJEAevx7O ckTtTLPBiLP5bWkSdKbvo+3oHRuIyZqmNTIcxuBjuBap+pHc919C58= ecdsa-key Related commands public-key local create public-key peer import sshkey public-key local export rsa Use public-key local export rsa to export a local RSA host public key. Syntax In non-FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh1 | ssh2 } [ filename ] In FIPS mode: public-key local export rsa [ name key-name ] { openssh | ssh2 } [ filename ]...
  • Page 471 On the peer device, use the public-key peer import sshkey command to import the host public key from the file. SSH1.5, SSH2.0, and OpenSSH are different public key formats. Choose the correct public key format that is supported on the device where you import the host public key. In FIPS mode, the device only supports SSH2.0 and OpenSSH.
  • Page 472: Public-Key Peer

    Execute the peer-public-key end command to save the public key and return to system view. The public key you type in the public key view must be in a correct format. If the peer device is an H3C device, use the display public-key local public command to display and record its public key. Examples # Assign name key1 to the peer host public key and enter public key view.
  • Page 473 Syntax public-key peer keyname import sshkey filename undo public-key peer keyname Default No peer host public keys exist. Views System view Predefined user roles network-admin Parameters keyname: Specifies a name for a peer host public key, a case-sensitive string of 1 to 64 characters. filename: Specifies a public key file by its name, a case-insensitive string of 1 to 128 characters.
  • Page 474: Pki Commands

    PKI commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. IPv6-related parameters are not supported on the following routers: •...
  • Page 475: Ca Identifier

    • The subject name field and the issuer name field can contain a single DN, multiple FQDNs, and multiple IP addresses. • The alternative subject name field can contain multiple FQDNs and IP addresses but zero DNs. An attribute rule is a combination of an attribute-value pair with an operation keyword, as listed in Table 57. Table 57 Combinations of attribute-value pairs and operation keywords Operation...
  • Page 476: Certificate Request Entity

    Default No trusted CA is specified. Views PKI domain view Predefined user roles network-admin Parameters name: Specifies the trusted CA by its name, a case-sensitive string of 1 to 63 characters. Usage guidelines To obtain a CA certificate in a PKI domain, you must specify the trusted CA name. The trusted CA name uniquely identifies the CA to be used if multiple CAs exist on the CA server specified for the PKI domain.
  • Page 477: Certificate Request From

    • State and country where the entity resides. • FQDN. • IP address. You can specify only one PKI entity for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect. Examples # Specify PKI entity en1 for certificate request in PKI domain aaa. <Sysname>...
  • Page 478 Syntax certificate request mode { auto [ password { cipher | simple } string | renew-before-expire days [ reuse-public-key ] [ automatic-append common-name ] ] * | manual } undo certificate request mode Default The certificate request mode is manual. Views PKI domain view Predefined user roles...
  • Page 479: Certificate Request Polling

    Examples # Set the certificate request mode to auto. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request mode auto # Set the certificate request mode to auto, and set the certificate revocation password in plain text to 123456. <Sysname> system-view [Sysname] pki domain aaa [Sysname-pki-domain-aaa] certificate request mode auto password simple 123456 # Set the certificate request mode to auto, and set the certificate revocation password in plain text to...
  • Page 480: Certificate Request Url

    If the CA server automatically approves certificate requests, the PKI entity can obtain the certificate immediately after it submits a certificate request. In this case, the PKI entity does not send queries to the CA server. Examples # Set the polling interval to 15 minutes, and the maximum number of query attempts to 40. <Sysname>...
  • Page 481: Common-Name

    common-name Use common-name to set the common name for a PKI entity. Use undo common-name to restore the default. Syntax common-name common-name-string undo common-name Default No common name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters common-name-string: Specifies a common name, a case-sensitive string of 1 to 63 characters.
  • Page 482: Crl Check

    [Sysname] pki entity en [Sysname-pki-entity-en] country CN crl check Use crl check enable to enable CRL checking. Use undo crl check enable to disable CRL checking. Syntax crl check enable undo crl check enable Default CRL checking is enabled. Views PKI domain view Predefined user roles network-admin...
  • Page 483: Display Pki Certificate Access-Control-Policy

    Predefined user roles network-admin Parameters url-string: Specifies the URL of the CRL repository, a case-sensitive string of 1 to 511 characters. The URL format is ldap://server_location or http://server_location. The URL length is restricted by the CLI string limitation or the url-string parameter, whichever is smaller. Usage guidelines To use CRL checking, a CRL must be obtained from a CRL repository.
  • Page 484: Display Pki Certificate Attribute-Group

    Usage guidelines If you do not specify a policy name, this command displays information about all certificate-based access control policies. Examples # Display information about certificate-based access control policy mypolicy. <Sysname> display pki certificate access-control-policy mypolicy Access control policy name: mypolicy Rule 1 deny mygroup1...
  • Page 485: Display Pki Certificate Domain

    Usage guidelines If you do not specify a certificate attribute group, this command displays information about all certificate attribute groups. Examples # Display information about certificate attribute group mygroup. <Sysname> display pki certificate attribute-group mygroup Attribute group name: mygroup Attribute 1 subject-name Attribute 2 issuer-name...
  • Page 486 Syntax display pki certificate domain domain-name { ca | local | peer [ serial serial-num ] } Views Any view Predefined user roles network-admin network-operator Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table Table 60 Special characters...
  • Page 487 Subject: C=cn, O=ccc, OU=ppp, CN=rootca Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c4:fd:97:2c:51:36:df:4c:ea:e8:c8:70:66:f0: 28:98:ec:5a:ee:d7:35:af:86:c4:49:76:6e:dd:40: 4a:9e:8d:c0:cb:d9:10:9b:61:eb:0c:e0:22:ce:f6: 57:7c:bb:bb:1b:1d:b6:81:ad:90:77:3d:25:21:e6: 7e:11:0a:d8:1d:3c:8e:a4:17:1e:8c:38:da:97:f6: 6d:be:09:e3:5f:21:c5:a0:6f:27:4b:e3:fb:9f:cd: c1:91:18:ff:16:ee:d8:cf:8c:e3:4c:a3:1b:08:5d: 84:7e:11:32:5f:1a:f8:35:25:c0:7e:10:bd:aa:0f: 52:db:7b:cd:5d:2b:66:5a:fb Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 6d:b1:4e:d7:ef:bb:1d:67:53:67:d0:8f:7c:96:1d:2a:03:98: 3b:48:41:08:a4:8f:a9:c1:98:e3:ac:7d:05:54:7c:34:d5:ee: 09:5a:11:e3:c8:7a:ab:3b:27:d7:62:a7:bb:bc:7e:12:5e:9e: 4c:1c:4a:9f:d7:89:ca:20:46:de:c5:b3:ce:36:ca:5e:6e:dc: e7:c6:fe:3f:c5:38:dd:d5:a3:36:ad:f4:3d:e6:32:7f:48:df: 07:f0:a2:32:89:86:72:22:cd:ed:e5:0f:95:df:9c:75:71:e7: fe:34:c5:a0:64:1c:f0:5c:e4:8f:d3:00:bd:fa:90:b6:64:d8: 88:a6 # Display information about local certificates in PKI domain aaa.
  • Page 488 bd:5c:ce:b6:17:2f:e0:fc:c0:3e:b7:c4:99:31:5b: 8a:f0:ea:02:fd:2d:44:7a:67 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, E-mail Protection, Microsoft Smartcardlogin Netscape Comment: User Certificate of OpenCA Labs X509v3 Subject Key Identifier: 91:95:51:DD:BF:4F:55:FA:E4:C4:D0:10:C2:A1:C2:99:AF:A5:CB:30...
  • Page 489 de:18:9d:c1 # Display brief information about all peer certificates in PKI domain aaa. <Sysname> display pki certificate domain aaa peer Total peer certificates: 1 Serial Number: 9a0337eb2156ba1f5476e4d754a5a9f7 Subject Name: CN=sldsslserver # Display detailed information about a peer certificate in PKI domain aaa. <Sysname>...
  • Page 490: Display Pki Certificate Renew-Status

    X509v3 CRL Distribution Points: Full Name: URI:http://s03130.ccc.sec.com:447/ssl.crl Signature Algorithm: sha1WithRSAEncryption 61:2d:79:c7:49:16:e3:be:25:bb:8b:70:37:31:32:e5:d3:e3: 31:2c:2d:c1:f9:bf:50:ad:35:4b:c1:90:8c:65:79:b6:5f:59: 36:24:c7:14:63:44:17:1e:e4:cf:10:69:fc:93:e9:70:53:3c: 85:aa:40:7e:b5:47:75:0f:f0:b2:da:b4:a5:50:dd:06:4a:d5: 17:a5:ca:20:19:2c:e9:78:02:bd:19:77:da:07:1a:42:df:72: ad:07:7d:e5:16:d6:75:eb:6e:06:58:ee:76:31:63:db:96:a2: ad:83:b6:bb:ba:4b:79:59:9d:59:6c:77:59:5b:d9:07:33:a8: f0:a5 Related commands pki domain pki retrieve-certificate display pki certificate renew-status Use display pki certificate renew-status to display the certificate renewal status for a PKI domain. Syntax display pki certificate renew-status [ domain domain-name ] Views...
  • Page 491: Display Pki Certificate Request-Status

    Domain Name: domain1 Renew Time : 03:12:05 2016-06-13 Renew public key: Key type: RSA Time when key pair created: 15:40:48 2016/06/13 Key code: 30819F300D06092A864886F70D010101050003818D0030818902818100DAA4AAFEFE04C2C9 667269BB8226E26331E30F41A8FF922C7338208097E84332610632B49F75DABF6D871B80CE C1BA2B75020077C74745C933E2F390DC0B39D35B88283D700A163BB309B19F8F87216A44AB FBF6A3D64DEB33E5CEBF2BCF26296778A26A84F4F4C5DBF8B656ACFA62CD96863474899BC1 2DA4C04EF5AE0835090203010001 The command output indicates that the reuse-public-key keyword was not configured for PKI domain domain1 and a new key pair was created for the new certificate.
  • Page 492 Views Any view Predefined user roles network-admin network-operator Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table Table 63 Special characters Character name Symbol Character name...
  • Page 493: Display Pki Crl Domain

    Table 64 Command output Field Description Certificate Request Transaction number Certificate request transaction number, starting from 1. Status Certificate request status, including only the pending status. Key usage Certificate purposes: • General—Signature and encryption. • Signature—Signature only. • Encryption—Encryption only. Remain polling attempts Remaining number of attempts to query certificate request status.
  • Page 494 Usage guidelines Use this command to identify whether a certificate has been revoked. Examples # Display information about the CRL saved at the local for PKI domain aaa. <Sysname> display pki crl domain aaa Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=cn/O=docm/OU=sec/CN=therootca Last Update: Apr 28 01:42:13 2011 GMT...
  • Page 495: Fqdn

    Field Description keyid Key ID. This field identifies the key pair used to sign the CRL. Signature Algorithm: Signature algorithm and signature data. Related commands pki retrieve-crl fqdn Use fqdn to set the FQDN of an entity. Use undo fqdn to restore the default. Syntax fqdn fqdn-name-string undo fqdn...
  • Page 496: Ldap-Server

    Views PKI entity view Predefined user roles network-admin Parameters ip-address: Specifies an IPv4 address. interface interface-type interface-number: Specifies an interface by its type and number. The primary IPv4 address of the interface will be used as the IP address of the PKI entity. Usage guidelines Use this command to assign an IP address to a PKI entity or specify an interface for the entity.
  • Page 497: Locality

    • The CRL repository uses LDAP for CRL distribution. However, the CRL repository URL configured for the PKI domain does not contain the IP address or host name of the LDAP server. You can specify only one LDAP server for a PKI domain. If you execute this command multiple times, the most recent configuration takes effect.
  • Page 498: Organization-Unit

    Use undo organization to restore the default. Syntax organization org-name undo organization Default No organization name is set for a PKI entity. Views PKI entity view Predefined user roles network-admin Parameters org-name: Specifies an organization name, a case-sensitive string of 1 to 63 characters. No comma can be included.
  • Page 499: Pki Abort-Certificate-Request

    pki abort-certificate-request Use pki abort-certificate-request to abort the certificate request for a PKI domain. Syntax pki abort-certificate-request domain domain-name Views System view Predefined user roles network-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 67. Table 67 Special characters...
  • Page 500: Pki Certificate Attribute-Group

    undo pki certificate access-control-policy policy-name Default No certificate-based access control policies exist. Views System view Predefined user roles network-admin Parameters policy-name: Specifies a policy name, a case-insensitive string of 1 to 31 characters. Usage guidelines A certificate-based access control policy contains a set of access control rules that permit or deny access to the device based on the attributes in the requesting client's certificate.
  • Page 501: Pki Delete-Certificate

    A certificate attribute group must be associated with an access control rule (a permit or deny statement configured by using the rule command). If a certificate attribute group does not have any attribute rules, the system determines that all certificates match the associated access control rule.
  • Page 502: Pki Domain

    To delete a specific peer certificate in a PKI domain, perform the following steps: Execute the display pki certificate command to determine the serial number of the peer certificate. Execute the pki delete-certificate domain domain-name peer serial serial-num command. Examples # Remove the CA certificate in PKI domain aaa.
  • Page 503: Pki Entity

    Predefined user roles network-admin Parameters domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 69. Table 69 Special characters Character name Symbol Character name Symbol Tilde Asterisk Left angle bracket...
  • Page 504: Pki Export

    Examples # Create a PKI entity named en and enter its view. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] Related commands pki domain pki export Use pki export to export the CA certificate and the local certificates in a PKI domain. Syntax pki export domain domain-name der { all | ca | local } filename filename pki export domain domain-name p12 { all | local } passphrase p12-key filename filename...
  • Page 505 aes-192-cbc: Specifies 192-bit AES_CBC for encrypting the private key of a local certificate. aes-256-cbc: Specifies 256-bit AES_CBC for encrypting the private key of a local certificate. des-cbc: Specifies DES_CBC for encrypting the private key of a local certificate. pem-key: Specifies a password for encrypting the private key of a local certificate in PEM format. filename filename: Specifies the name of the file for storing the certificate.
  • Page 506 The specified file name can contain an absolute path. If the specified path does not exist, the export operation fails. Examples # Export the CA certificate in the PKI domain to a file named cert-ca.der in DER format. <Sysname> system-view [Sysname] pki export domain domain1 der ca filename cert-ca.der # Export the local certificates in the PKI domain to a file named cert-lo.der in DER format.
  • Page 510 [Sysname]pki export domain domain1 pem ca
  • Page 511: Pki Import

    Related commands pki domain pki import Use pki import to import the CA certificate, local certificates, or peer certificates for a PKI domain. Syntax pki import domain domain-name { der { ca | local | peer } filename filename | p12 local filename filename | pem { ca | local | peer } [ filename filename ] } Views System view...
  • Page 512 • For the local certificates or peer certificates to be imported, the correct CA certificate chain must exist. The CA certificate chain can be stored on the device, or carried in the local certificates or peer certificates. If the PKI domain, the local certificates, or the peer certificates do not have the CA certificate chain, you must import the CA certificate first.
  • Page 513 [Sysname] pki import domain aaa pem ca filename rootca_pem.cer The trusted CA's finger print is: fingerprint:FFFF 3EFF FFFF 37FF FFFF 137B FFFF 7535 SHA1 fingerprint:FFFF FF7F FF2B FFFF 7618 FF4C FFFF 0A7D FFFF FF69 Is the finger print correct?(Y/N):y [Sysname] # Import CA certificate file aca_pem.cer in PEM format to PKI domain bbb.
  • Page 514 Bag Attributes localKeyID: 01 00 00 00 subject=/CN=sldsslserver issuer=/C=cn/O=ccc/OU=sec/CN=ssl
  • Page 515: Pki Request-Certificate

    Please enter the key pair name: import-key Related commands display pki certificate public-key dsa public-key ecdsa public-key rsa pki request-certificate Use pki request-certificate to submit a local certificate request or generate a certificate request in PKCS#10 format. Syntax pki request-certificate domain domain-name [ password password ] [ pkcs10 [ filename filename ] ] Views System view...
  • Page 516: Pki Retrieve-Certificate

    This command is not saved in the configuration file. Examples # Display information about the certificate request in PKCS#10 format. <Sysname> system-view [Sysname] pki request-certificate domain aaa pkcs10 *** Request for general certificate *** -----BEGIN NEW CERTIFICATE REQUEST-----
  • Page 517: Pki Retrieve-Crl

    ca: Specifies the CA certificate. local: Specifies the local certificates. peer entity-name: Specifies a peer entity by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines In online mode: • You can obtain the CA certificate through the SCEP protocol. If a CA certificate already exists locally, do not obtain the CA certificate again.
  • Page 518: Pki Storage

    Predefined user roles network-admin Parameters domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters. The domain name cannot contain the special characters listed in Table 74. Table 74 Special characters Character name Symbol Character name Symbol Tilde Asterisk...
  • Page 519: Pki Validate-Certificate

    undo pki storage { certificates | crls } Default Certificates and CRLs are stored in the PKI directory on the storage media of the device. The PKI directory is automatically created when a certificate is successfully requested, obtained, or imported for the first time.
  • Page 520 Table 75 Special characters Character name Symbol Character name Symbol Tilde Asterisk Left angle bracket < Backslash Right angle bracket > Vertical bar Quotation marks " Colon Apostrophe ca: Specifies the CA certificate. local: Specifies the local certificates. Usage guidelines Generally, certificates are automatically verified when you request, obtain, or import them, or when an application uses PKI.
  • Page 521: Public-Key Dsa

    Issuer: C=cn O=ccc OU=ppp CN=rootca Subject: C=cn O=ccc OU=ppp CN=rootca Verify result: OK # Verify the local certificates in PKI domain aaa. <Sysname> system-view [Sysname] pki validate-certificate domain aaa local Verifying certificates..Serial Number: bc:05:70:1f:0e:da:0d:10:16:1e Issuer: C=CN O=sec OU=software CN=bca Subject: O=OpenCA Labs OU=Users...
  • Page 522: Public-Key Ecdsa

    Predefined user roles network-admin Parameters name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-). length key-length: Specifies the key length, in bits. In non-FIPS mode, the value range is 512 to 2048, and the default is 1024.
  • Page 523 public-key ecdsa name key-name [ secp256r1 | secp384r1 ] undo public-key Default No key pair is specified for certificate request. Views PKI domain view Predefined user roles network-admin Parameters name key-name: Specifies a key pair by its name, a case-insensitive string of 1 to 64 characters. The key pair name can contain only letters, digits, and hyphens (-).
  • Page 524: Public-Key Rsa

    public-key rsa Use public-key rsa to specify an RSA key pair for certificate request. Use undo public-key to restore the default. Syntax public-key rsa { { encryption name encryption-key-name [ length key-length ] | signature name signature-key-name [ length key-length ] } * | general name key-name [ length key-length ] } undo public-key Default No key pair is specified for certificate request.
  • Page 525: Root-Certificate Fingerprint

    The length key-length option takes effect only if you specify a nonexistent key pair. The device will automatically create the key pair by using the specified name and length before submitting a certificate request. The length key-length option is ignored if the specified key pair already exists or is already contained in an imported certificate.
  • Page 526: Rule

    Usage guidelines If you set the certificate request mode to auto for a PKI domain that does not have a CA certificate, you must configure the fingerprint for CA certificate verification. When an application, like IKE, triggers the device to request local certificates, the device automatically performs the following operations: Obtains the CA certificate from the CA server.
  • Page 527: Source

    Predefined user roles network-admin Parameters id: Assigns an ID to the access control rule, in the range of 1 to 16. The default setting is the smallest unused ID in this range. deny: Denies the certificates that match the associated attribute group. permit: Permits the certificates that match the associated attribute group.
  • Page 528: State

    Predefined user roles network-admin Parameters ip: Specifies a source IPv4 address. ipv6: Specifies a source IPv6 address. ip-address: Specifies the IPv4 or IPv6 address. interface interface-type interface-number: Specifies an interface by its type and number. The interface's primary IP address will be used as the source IP address for PKI protocol packets. Usage guidelines Use this command to specify the source IP address for PKI protocol packets.
  • Page 529: Subject-Dn

    Predefined user roles network-admin Parameters state-name: Specifies a state or province by its name, a case-sensitive string of 1 to 63 characters. No comma can be included. Examples # Set the state name to countryA for PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] state countryA subject-dn...
  • Page 530: Usage

    If you configure this command multiple times, the most recent configuration takes effect. Examples # Configure the DN for PKI entity en. <Sysname> system-view [Sysname] pki entity en [Sysname-pki-entity-en] subject-dn CN=test,C=CN,O=abc,OU=rdtest,OU=rstest,ST=countryA,L=pukras Related commands common-name country locality organization organization-unit state usage Use usage to specify the extensions for certificates.
  • Page 531: Vpn-Instance

    [Sysname-pki-domain-aaa] usage ike vpn-instance Use vpn-instance to specify the VPN instance where the certificate request reception authority and the CRL repository belong. Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The certificate request reception authority and the CRL repository belong to the public network. Views PKI domain view Predefined user roles...
  • Page 532: Ipsec Commands

    IPsec commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The GDOI IPsec policy negotiation mode is not supported on the following routers: •...
  • Page 533: Description

    Hardware Keyword compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE /810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Usage guidelines In non-FIPS mode, you can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority. For a manual or IKEv1-based IPsec policy, the first specified AH authentication algorithm takes effect.
  • Page 534: Display Ipsec { Ipv6-Policy | Policy

    Usage guidelines You can configure different descriptions for IPsec policies, IPsec policy templates, or IPsec profiles to distinguish them. Examples # Configure the description for IPsec policy 1 as CenterToA. <Sysname> system-view [Sysname] ipsec policy policy1 1 isakmp [Sysname-ipsec-policy-isakmp-policy1-1] description CenterToA display ipsec { ipv6-policy | policy } Use display ipsec { ipv6-policy | policy } to display information about IPsec policies.
  • Page 535 Security data flow: Remote address: 2.5.2.1 Transform set: transform Inbound AH setting: AH SPI: 1200 (0x000004b0) AH string-key: ****** AH authentication hex key: Inbound ESP setting: ESP SPI: 1400 (0x00000578) ESP string-key: ESP encryption hex key: ESP authentication hex key: Outbound AH setting: AH SPI: 1300 (0x00000514) AH string-key: ******...
  • Page 536 Interface: LoopBack2 ------------------------------------------- ----------------------------- Sequence number: 1 Mode: Manual ----------------------------- Description: This is my complete policy Security data flow: 3100 Remote address: 2.2.2.2 Transform set: completetransform Inbound AH setting: AH SPI: 5000 (0x00001388) AH string-key: ****** AH authentication hex key: Inbound ESP setting: ESP SPI: 7000 (0x00001b58) ESP string-key: ******...
  • Page 537 SA duration(traffic based): 1843200 kilobytes SA idle time: # Display information about all IPv6 IPsec policies. <Sysname> display ipsec ipv6-policy ------------------------------------------- IPsec Policy: mypolicy ------------------------------------------- ----------------------------- Sequence number: 1 Mode: Manual ----------------------------- Description: This is my first IPv6 policy Security data flow: 3600 Remote address: 1000::2 Transform set: mytransform Inbound AH setting:...
  • Page 538 Field Description Mode Negotiation mode of the IPsec policy: • Manual—Manual mode. • ISAKMP—IKE negotiation mode. • Template—IPsec policy template mode. • GDOI—GDOI mode. IPsec policy configuration incomplete. Possible causes include: • The ACL is not configured. • The IPsec transform set is not configured. •...
  • Page 539: Display Ipsec { Ipv6-Policy-Template | Policy-Template

    display ipsec { ipv6-policy-template | policy-template } Use display ipsec { ipv6-policy-template | policy-template } to display information about IPsec policy templates. Syntax display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ] Views Any view Predefined user roles network-admin network-operator Parameters...
  • Page 540 IPsec SA local duration(traffic based): 1843200 kilobytes SA idle time: # Display information about all IPv6 IPsec policy templates. <Sysname> display ipsec ipv6-policy-template ----------------------------------------------- IPsec Policy Template: template6 ----------------------------------------------- --------------------------------- Sequence number: 1 --------------------------------- Description: This is policy template Traffic Flow Confidentiality: Disabled Security data flow : Selector mode: standard Local address:...
  • Page 541: Display Ipsec Profile

    Related commands ipsec { ipv6-policy | policy } isakmp template display ipsec profile Use display ipsec profile to display information about IPsec profiles. Syntax display ipsec profile [ profile-name ] Views Any view Predefined user roles network-admin network-operator Parameters profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If you do not specify any parameters, this command displays information about all IPsec profiles.
  • Page 542: Display Ipsec Sa

    Table 78 Command output Field Description IPsec profile IPsec profile name. Mode Negotiation mode used by the IPsec profile, manual or IKE. Description Description of the IPsec profile. Transform set IPsec transform set used by the IPsec profile. Related commands ipsec profile display ipsec sa Use display ipsec sa to display information about IPsec SAs.
  • Page 543 <Sysname> display ipsec sa brief ----------------------------------------------------------------------- Interface/Global Dst Address Protocol Status ----------------------------------------------------------------------- GE1/0/1 10.1.1.1 Active GE1/0/1 255.255.255.255 4294967295 Active GE1/0/1 100::1/64 Active Global Active Table 79 Command output Field Description Interface/Global Interface that the IPsec SA belongs to, or global IPsec SA (created by using an IPsec profile).
  • Page 544 dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: ip [Inbound ESP SAs] SPI: 3564837569 (0xd47b1ac1) Connection ID: 1 Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 4294967295/604800 SA remaining duration (kilobytes/sec): 1843200/2686 Max received sequence-number: 5 Anti-replay check enable: Y Anti-replay window size: 32 UDP encapsulation used for NAT traversal: N Status: Active [Outbound ESP SAs]...
  • Page 545 Field Description Sequence number Sequence number of the IPsec policy entry. Mode Negotiation mode used by the IPsec policy: • Manual • ISAKMP • Template • GDOI Tunnel id IPsec tunnel ID. Encapsulation mode Encapsulation mode, transport or tunnel. Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation: •...
  • Page 546: Display Ipsec Statistics

    Field Description Max sent sequence-number Max sequence number in the sent packets. Anti-replay check enable Whether anti-replay checking is enabled. UDP encapsulation used for NAT traversal Whether NAT traversal is used by the IPsec SA. Status Status of the IPsec SA: Active or Standby. In a VSRP scenario, this field displays either Active or Standby.
  • Page 547 Encapsulation failure: 0 Decapsulation failure: 0 Replayed packets: 0 ACL check failure: 45 MTU check failure: 0 Loopback limit exceeded: 0 Crypto speed limit exceeded: 0 # Display statistics for the packets of IPsec tunnel 1. <Sysname> display ipsec statistics tunnel-id 1 IPsec packet statistics: Received/sent packets: 5124/8231 Received/sent bytes: 52348/64356...
  • Page 548: Display Ipsec Transform-Set

    Related commands reset ipsec statistics display ipsec transform-set Use display ipsec transform-set to display information about IPsec transform sets. Syntax display ipsec transform-set [ transform-set-name ] Views Any view Predefined user roles network-admin network-operator Parameters transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.
  • Page 549: Display Ipsec Tunnel

    Field Description State Whether the IPsec transform set is complete. Encapsulation mode Encapsulation mode used by the IPsec transform set: transport or tunnel. Whether Extended Sequence Number (ESN) is enabled. Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation: •...
  • Page 550 ---------------------------------------------------------------------------- Tunn-id Src Address Dst Address Inbound SPI Outbound SPI Status ---------------------------------------------------------------------------- 1000 2000 Active 3000 4000 1.2.3.1 2.2.2.2 5000 6000 Active 7000 8000 Table 83 Command output Field Description Src Address Source IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).
  • Page 551 Inside vpn-instance: SA's SPI: outbound: 6000 (0x00001770) [AH] inbound: 5000 (0x00001388) [AH] outbound: 8000 (0x00001f40) [ESP] inbound: 7000 (0x00001b58) [ESP] Tunnel: local address: 1.2.3.1 remote address: 2.2.2.2 Flow: as defined in ACL 3100 # Display detailed information about IPsec tunnel 1. <Sysname>...
  • Page 552: Encapsulation-Mode

    Field Description Flow Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol. as defined in ACL 3001 Range of data flow protected by the IPsec tunnel that is established manually.
  • Page 553: Esn Enable

    <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] encapsulation-mode transport Related commands ipsec transform-set esn enable Use esn enable to enable the Extended Sequence Number (ESN) feature. Use undo esn enable to disable the ESN feature. Syntax esn enable [ both ] undo esn enable Default ESN is disabled.
  • Page 554 undo esp authentication-algorithm In FIPS mode: esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } * undo esp authentication-algorithm Default ESP does not use any authentication algorithms. Views IPsec transform set view Predefined user roles network-admin Parameters aes-xcbc-mac: Uses the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.
  • Page 555: Esp Encryption-Algorithm

    <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1 Related commands ipsec transform-set esp encryption-algorithm Use esp encryption-algorithm to specify encryption algorithms for ESP. Use undo esp encryption-algorithm to restore the default. Syntax In non-FIPS mode: esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *...
  • Page 556 camellia-cbc-256: Uses the Camellia algorithm in CBC mode, which uses a 256-bit key. This keyword is available only for IKEv2. des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key. gmac-128: Uses the GMAC algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.
  • Page 557: Ike-Profile

    Hardware Keyword compatibility MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Usage guidelines You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority. For a manual or IKEv1-based IPsec policy, the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.
  • Page 558: Ikev2-Profile

    Parameters profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines The IKE profile specified for an IPsec policy, IPsec policy template, or IPsec profile defines the parameters used for IKE negotiation. You can specify only one IKE profile for an IPsec policy, IPsec policy template, or IPsec profile.
  • Page 559: Ipsec Anti-Replay Check

    Related commands display ipsec ipv6-policy display ipsec policy ikev2 profile ipsec anti-replay check Use ipsec anti-replay check to enable IPsec anti-replay checking. Use undo ipsec anti-replay check to disable IPsec anti-replay checking. Syntax ipsec anti-replay check undo ipsec anti-replay check Default IPsec anti-replay checking is enabled.
  • Page 560: Ipsec Apply

    Default The anti-replay window size is 64. Views System view Predefined user roles network-admin Parameters width: Specifies the size for the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets. Usage guidelines Changing the anti-replay window size affects only the IPsec SAs negotiated later. Service data packets might be received in a very different order than their original order, and the IPsec anti-replay feature might drop them as replayed packets, affecting normal communications.
  • Page 561: Ipsec Decrypt-Check Enable

    An IKE-based IPsec policy can be applied to multiple interfaces. A manual IPsec policy can be applied to only one interface. Examples # Apply the IPsec policy policy1 to interface GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] ipsec apply policy policy1 Related commands display ipsec { ipv6-policy | policy } ipsec { ipv6-policy | policy }...
  • Page 562: Ipsec Fragmentation

    Default The DF bit is not configured for the outer IP header of IPsec packets on an interface. The global DF bit setting is used. Views Interface view Predefined user roles network-admin Parameters clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented. copy: Copies the DF bit setting of the original IP header to the outer IP header.
  • Page 563: Ipsec Global-Df-Bit

    Parameters after-encryption: Fragments packets after IPsec encapsulation. before-encryption: Fragments packets before IPsec encapsulation. Usage guidelines If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface, the device fragments the packets before encapsulation.
  • Page 564: Ipsec Limit Max-Tunnel

    Examples # Set the DF bit in the outer IP header of IPsec packets on all interfaces. <Sysname> system-view [Sysname] ipsec global-df-bit set Related commands ipsec df-bit ipsec limit max-tunnel Use ipsec limit max-tunnel to set the maximum number of IPsec tunnels. Use undo ipsec limit max-tunnel to restore the default.
  • Page 565: Ipsec Logging Packet Enable

    Predefined user roles network-admin Usage guidelines This command enables the device to output logs for the IPsec negotiation process. This command is available only in non-FIPS mode. Examples # Enable logging for IPsec negotiation. <Sysname> system-view [Sysname] ipsec logging negotiation enable ipsec logging packet enable Use ipsec logging packet enable to enable logging for IPsec packets.
  • Page 566 Default No IPsec policies exist. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: Specifies an IPv4 IPsec policy. policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters. seq-number: Specifies a sequence number for the IPsec policy entry, in the range of 1 to 65535.
  • Page 567: Ipsec { Ipv6-Policy | Policy } Isakmp Template

    ipsec apply ipsec { ipv6-policy | policy } isakmp template Use ipsec { ipv6-policy | policy } isakmp template to create an IKE-based IPsec policy entry by using an IPsec policy template. Use undo ipsec { ipv6-policy | policy } to delete the specified IPsec policy. Syntax ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]...
  • Page 568: Ipsec { Ipv6-Policy-Template | Policy-Template

    Use undo ipsec { ipv6-policy | policy } local-address to remove the binding between an IPsec policy and a source interface. Syntax ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number undo ipsec { ipv6-policy | policy } policy-name local-address Default No IPsec policy is bound to a source interface.
  • Page 569: Ipsec Profile

    Use undo ipsec { ipv6-policy-template | policy-template } to delete the specified IPsec policy template. Syntax ipsec { ipv6-policy-template | policy-template } template-name seq-number undo ipsec { ipv6-policy-template | policy-template } template-name [ seq-number ] Default No IPsec policy templates exist. Views System view Predefined user roles...
  • Page 570: Ipsec Redundancy Enable

    Syntax ipsec profile profile-name [ manual | isakmp ] undo ipsec profile profile-name Default No IPsec profiles exist. Views System view Predefined user roles network-admin Parameters profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters. manual: Specifies the IPsec SA setup mode as manual.
  • Page 571: Ipsec Sa Global-Duration

    Default IPsec redundancy is disabled. Views System view Predefined user roles network-admin Usage guidelines With IPsec redundancy enabled, the system synchronizes the following information from the active device to the standby device at configurable intervals: • Lower bound values of the IPsec anti-replay window for inbound packets. •...
  • Page 572: Ipsec Sa Idle-Time

    Usage guidelines You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view. The device prefers the IPsec SA lifetimes configured in IPsec policy view or IPsec policy template view over the global IPsec SA lifetimes. When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.
  • Page 573: Ipsec Transform-Set

    Related commands display ipsec sa sa idle-time ipsec transform-set Use ipsec transform-set to create an IPsec transform set and enter its view, or enter the view of an existing IPsec transform set. Use undo ipsec transform-set to delete an IPsec transform set. Syntax ipsec transform-set transform-set-name undo ipsec transform-set transform-set-name...
  • Page 574: Pfs

    Default The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address. The first IPv6 address of the interface to which the IPsec policy is applied is used as the local IPv6 address. Views IPsec policy view IPsec policy template view...
  • Page 575: Protocol

    Predefined user roles network-admin Parameters dh-group1: Uses the 768-bit Diffie-Hellman group. dh-group2: Uses the 1024-bit Diffie-Hellman group. dh-group5: Uses the 1536-bit Diffie-Hellman group. dh-group14: Uses the 2048-bit Diffie-Hellman group. dh-group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup. dh-group19: Uses the 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2. dh-group20: Uses the 384-bit ECP Diffie-Hellman group.
  • Page 576: Qos Pre-Classify

    ah: Specifies the AH protocol. Usage guidelines The two tunnel ends must use the same security protocol in the IPsec transform set. Examples # Specify the AH protocol for the IPsec transform set. <Sysname> system-view [Sysname] ipsec transform-set tran1 [Sysname-ipsec-transform-set-tran1] protocol ah qos pre-classify Use qos pre-classify to enable the QoS pre-classify feature.
  • Page 577: Remote-Address

    Default The active device synchronizes the anti-replay window lower bound value every time it receives 1000 packets and synchronizes the sequence number every time it sends 100000 packets. Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters inbound inbound-interval: Specifies the interval at which the active device synchronizes the lower bound value of the IPsec anti-replay window to the standby device.
  • Page 578 Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters ipv6: Specifies the remote address or host name of an IPv6 IPsec tunnel. To specify the remote address or host name of an IPv4 IPsec tunnel, do not specify this keyword. hostname: Specifies the remote host name, a case-insensitive string of 1 to 253 characters.
  • Page 579: Reset Ipsec Sa

    local-address reset ipsec sa Use reset ipsec sa to clear IPsec SAs. Syntax reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile policy-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ] Views User view Predefined user roles...
  • Page 580: Reset Ipsec Statistics

    After a manual IPsec SA is cleared, the system automatically creates a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system creates new SAs only when IKE negotiation is triggered by packets. Examples # Clear all IPsec SAs.
  • Page 581 undo reverse-route dynamic Default IPsec RRI is disabled. Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters next-hop: Specifies a next hop IP address for the IPsec RRI-created static route. If you do not specify a next hop IP address, the static route uses the remote IP address of the IPsec tunnel as the next hop IP address.
  • Page 582: Reverse-Route Preference

    # Display the routing table. You can see a created static route. (Other information is not shown.) [Sysname] display ip routing-table Destination/Mask Proto Cost NextHop Interface 4.0.0.0/24 Static 60 2.2.2.3 GE1/0/1 Related commands display ip routing-table (Layer 3—IP Routing Command Reference) ipsec policy ipsec policy-template reverse-route preference...
  • Page 583: Sa Duration

    Use undo reverse-route tag to restore the default. Syntax reverse-route tag tag-value undo reverse-route tag Default The route tag value is 0 for the static routes created by IPsec RRI. Views IPsec policy view IPsec policy template view Predefined user roles network-admin Parameters tag-value: Specifies a tag value.
  • Page 584: Sa Hex-Key Authentication

    Predefined user roles network-admin Parameters time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds. traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes. Usage guidelines IKE prefers the SA lifetime of the IPsec policy, IPsec policy template, or IPsec profile over the global SA lifetime configured by the ipsec sa global-duration command.
  • Page 585: Sa Hex-Key Encryption

    Parameters inbound: Specifies a hexadecimal authentication key for inbound SAs. outbound: Specifies a hexadecimal authentication key for outbound SAs. ah: Uses AH. esp: Uses ESP. cipher: Specifies a key in encrypted form. simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
  • Page 586 Views IPsec policy view IPsec profile view Predefined user roles network-admin Parameters inbound: Specifies a hexadecimal encryption key for inbound SAs. outbound: Specifies a hexadecimal encryption key for outbound SAs. esp: Uses ESP. cipher: Specifies a key in encrypted form. simple: Specifies a key in plaintext form.
  • Page 587: Sa Idle-Time

    [Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef [Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234 Related commands display ipsec sa sa string-key sa idle-time Use sa idle-time to set the IPsec SA idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
  • Page 588: Sa Spi

    sa spi Use sa spi to configure an SPI for IPsec SAs. Use undo sa spi to remove the SPI. Syntax sa spi { inbound | outbound } { ah | esp } spi-number undo sa spi { inbound | outbound } { ah | esp } Default No SPI is configured for IPsec SAs.
  • Page 589: Sa String-Key

    Related commands display ipsec sa sa string-key Use sa string-key to set a key string (a key in character format) for manual IPsec SAs. Use undo sa string-key to remove the key string. Syntax sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string undo sa string-key { inbound | outbound } { ah | esp } Default No key string is configured for manual IPsec SAs.
  • Page 590: Security Acl

    Examples # Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively. <Sysname> system-view [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef [Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab # In an IPv6 IPsec policy, configure the inbound and outbound SAs that use AH to use the plaintext key abcdef.
  • Page 591: Snmp-Agent Trap Enable Ipsec

    • Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices. • Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it.
  • Page 592: Tfc Enable

    Views System view Predefined user roles network-admin Parameters auth-failure: Specifies notifications about authentication failures. decrypt-failure: Specifies notifications about decryption failures. encrypt-failure: Specifies notifications about encryption failures. global: Specifies notifications globally. invalid-sa-failure: Specifies notifications about invalid-SA failures. no-sa-failure: Specifies notifications about SA-not-found failures. policy-add: Specifies notifications about events of adding IPsec policies.
  • Page 593: Transform-Set

    Views IPsec policy view IPsec policy template view Predefined user roles network-admin Usage guidelines The TFC padding feature can hide the length of the original packet, and might affect the packet encapsulation and de-encapsulation performance. This feature takes effect on UDP packets encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode.
  • Page 594: Tunnel Protection Ipsec

    You can specify a maximum of six IPsec transform sets for an IKE-based IPsec policy. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped. If you do not specify the transform-set-name argument, the undo transform-set command removes all IPsec transform sets specified for the IPsec policy, IPsec policy template, or IPsec profile.
  • Page 595 Related commands interface tunnel (Layer 3—IP Services Command Reference) display interface tunnel (Layer 3—IP Services Command Reference) ipsec profile...
  • Page 596: Ike Commands

    IKE commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. aaa authorization Use aaa authorization to enable IKE AAA authorization.
  • Page 597: Authentication-Algorithm

    Examples # Create the IKE profile profile1. <Sysname> system-view [Sysname] ike profile profile1 # Enable AAA authorization. Specify the ISP domain abc and the username test. [Sysname-ike-profile-profile1] aaa authorization domain abc username test authentication-algorithm Use authentication-algorithm to specify an authentication algorithm for an IKE proposal. Use undo authentication-algorithm to restore the default.
  • Page 598: Authentication-Method

    Hardware Keyword compatibility MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Examples # Specify HMAC-SHA1 as the authentication algorithm for IKE proposal 1. <Sysname> system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] authentication-algorithm sha Related commands display ike proposal authentication-method Use authentication-method to specify an authentication method to be used in an IKE proposal. Use undo authentication-method to restore the default.
  • Page 599: Certificate Domain

    Examples # Specify pre-shared key authentication to be used in IKE proposal 1. <Sysname> system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] authentication-method pre-share Related commands display ike proposal ike keychain pre-shared-key certificate domain Use certificate domain to specify a PKI domain for signature authentication. Use undo certificate domain to remove a PKI domain for signature authentication.
  • Page 600: Client-Authentication

    − The automatic certificate request mode is configured for the PKI domain. If the conditions are not met, you must manually obtain the CA certificate. IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA certificate already exists locally, IKE automatically requests a local certificate.
  • Page 601: Description

    Related commands local-user description Use description to configure a description for an IKE proposal. Use undo description to restore the default. Syntax description text undo description Default An IKE proposal does not have a description. Views IKE proposal view Predefined user roles network-admin Parameters text: Specifies the description, a case-sensitive string of 1 to 80 characters.
  • Page 602: Display Ike Proposal

    Views IKE proposal view Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group. group2: Uses the 1024-bit Diffie-Hellman group. group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup. group5: Uses the 1536-bit Diffie-Hellman group. Usage guidelines A DH group with a higher group number provides higher security but needs more time for processing.
  • Page 603: Display Ike Sa

    RSA-SIG SHA1 DES-CBC Group 1 5000 PRE-SHARED-KEY SHA1 DES-CBC Group 1 50000 default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400 Table 85 Command output Field Description Priority Priority of the IKE proposal Authentication method Authentication method used by the IKE proposal. Authentication algorithm used in the IKE proposal: •...
  • Page 604 remote-address: Displays detailed information about IKE SAs with the specified remote address. ipv6: Specifies an IPv6 address. remote-address: Remote IP address. vpn-instance vpn-instance-name: Displays detailed information about IKE SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
  • Page 605 Remote IP: 4.4.4.5 Remote ID type: IPV4_ADDR Remote ID: 4.4.4.5 Authentication-method: PRE-SHARED-KEY Authentication-algorithm: SHA1 Encryption-algorithm: AES-CBC-128 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 1 NAT traversal: Not detected Extend authentication: Enabled Assigned IP address: 192.168.2.1 # Display detailed information about the IKE SA with the remote address of 4.4.4.5.
  • Page 606 Table 87 Command output Field Description Connection ID Identifier of the IKE SA. VPN instance name of the MPLS L3VPN to which the receiving Outside VPN interface belongs. VPN instance name of the MPLS L3VPN to which the protected data Inside VPN belongs.
  • Page 607: Display Ike Statistics

    display ike statistics Use display ike statistics to display IKE statistics. Syntax display ike statistics Views Any view Predefined user roles network-admin network-operator Examples # Display IKE statistics. <Sysname> display ike statistics IKE statistics: No matching proposal: 0 Invalid ID information: 0 Unavailable certificate: 0 Unsupported DOI: 0 Unsupported situation: 0...
  • Page 608: Dpd

    Use dpd to configure IKE DPD. Use undo dpd to disable IKE DPD. Syntax dpd interval interval [ retry seconds ] { on-demand | periodic } undo dpd interval Default IKE DPD is disabled. Views IKE profile view Predefined user roles network-admin Parameters interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds.
  • Page 609 encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc} undo encryption-algorithm In FIPS mode: encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } undo encryption-algorithm Default In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode. In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.
  • Page 610: Exchange-Mode

    Hardware Keyword compatibility MSR5620/5660/5680 sm4-cbc: Uses the SM4 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1. The following matrix shows the sm4-cbc keyword and hardware compatibility: Hardware Keyword compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI...
  • Page 611: Ike Address-Group

    Predefined user roles network-admin Parameters aggressive: Specifies the aggressive mode. main: Specifies the main mode. Usage guidelines As a best practice, specify the aggressive mode at the local end if the following conditions are met: • The local end, for example, a dialup user, obtains an IP address automatically. •...
  • Page 612: Ike Dpd

    To modify or delete an address pool, you must delete all IKE SAs and IPsec SAs. Otherwise, the assigned IPv4 addresses might not be reclaimed. Examples # Configure an IKE IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask 255.255.255.0.
  • Page 613: Ike Identity

    Examples # Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond. <Sysname> system-view [Sysname] ike dpd interval 10 retry 5 on-demand Related commands ike identity Use ike identity to specify the global identity used by the local end during IKE negotiations. Use undo ike identity to restore the default.
  • Page 614: Ike Invalid-Spi-Recovery Enable

    <Sysname> system-view [Sysname] ike identity address 2.2.2.2 Related commands local-identity ike signature-identity from-certificate ike invalid-spi-recovery enable Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery. Use undo ike invalid-spi-recovery enable to disable invalid SPI recovery. Syntax ike invalid-spi-recovery enable undo ike invalid-spi-recovery enable Default Invalid SPI recovery is disabled.
  • Page 615: Ike Keepalive Timeout

    Default No IKE keepalives are sent. Views System view Predefined user roles network-admin Parameters interval: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800. Usage guidelines To detect the status of the peer, configure IKE DPD instead of the IKE keepalive feature, unless IKE DPD is not supported on the peer.
  • Page 616: Ike Keychain

    The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times as long as the keepalive interval. Examples # Set the keepalive timeout time to 20 seconds.
  • Page 617: Ike Limit

    ike limit Use ike limit to set the maximum number of half-open or established IKE SAs. Use undo ike limit to restore the default. Syntax ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit } undo ike limit { max-negotiating-sa | max-sa } Default There is no limit to the maximum number of half-open or established IKE SAs.
  • Page 618: Ike Nat-Keepalive

    Views System view Predefined user roles network-admin Usage guidelines This command enables the device to output logs for the IKE negotiation process. This command is available only in non-FIPS mode. Examples # Enable logging for IKE negotiation. <Sysname> system-view [Sysname] ike logging negotiation enable ike nat-keepalive Use ike nat-keepalive to set the NAT keepalive interval.
  • Page 619: Ike Proposal

    Syntax ike profile profile-name undo ike profile profile-name Default No IKE profiles exist. Views System view Predefined user roles network-admin Parameters profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters. Examples # Create IKE profile 1 and enter its view. <Sysname>...
  • Page 620: Ike Signature-Identity From-Certificate

    Usage guidelines During IKE negotiation: • The initiator sends its IKE proposals to the peer. If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals specified for the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
  • Page 621: Inside-Vpn

    Examples # Configure the local device to always obtain the identity information from the local certificate for signature authentication. <Sysname> system-view [Sysname] ike signature-identity from-certificate Related commands local-identity ike identity inside-vpn Use inside-vpn to specify an inside VPN instance. Use undo inside-vpn to restore the default. Syntax inside-vpn vpn-instance vpn-instance-name undo inside-vpn...
  • Page 622: Local-Identity

    undo keychain keychain-name Default No IKE keychain is specified for pre-shared key authentication. Views IKE profile view Predefined user roles network-admin Parameters keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters. Usage guidelines You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority.
  • Page 623: Match Local Address (Ike Keychain View)

    fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN. user-fqdn user-fqdn-name: Uses a user FQDN as the local ID.
  • Page 624: Match Local Address (Ike Profile View)

    vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option.
  • Page 625: Match Remote

    Usage guidelines Use this command to specify which address or interface can use the IKE profile for IKE negotiation. Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
  • Page 626: Pre-Shared-Key

    • address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address. • address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKE profile matching.
  • Page 627 In FIPS mode: pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher string ] undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } Default No pre-shared key is configured.
  • Page 628: Priority (Ike Keychain View)

    [Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456TESTplat&! Related commands authentication-method keychain priority (IKE keychain view) Use priority to specify a priority for an IKE keychain. Use undo priority to restore the default. Syntax priority priority undo priority Default The priority of an IKE keychain is 100. Views IKE keychain view Predefined user roles...
  • Page 629: Proposal

    Views IKE profile view Predefined user roles network-admin Parameters priority priority: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority. Usage guidelines To determine the priority of an IKE profile, the device examines the existence of the match local address command before examining the priority number.
  • Page 630: Reset Ike Sa

    [Sysname-ike-profile-prof1] proposal 10 Related commands ike proposal reset ike sa Use reset ike sa to delete IKE SAs. Syntax reset ike sa [ connection-id connection-id ] Views User view Predefined user roles network-admin Parameters connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.
  • Page 631: Sa Duration

    Views User view Predefined user roles network-admin Examples # Clear IKE MIB statistics. <Sysname> reset ike statistics Related commands snmp-agent trap enable ike sa duration Use sa duration to set the IKE SA lifetime for an IKE proposal. Use undo sa duration to restore the default. Syntax sa duration seconds undo sa duration...
  • Page 632 Syntax snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] * undo snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add |...
  • Page 633 Examples # Enable SNMP notifications for IKE globally. <Sysname> system-view [Sysname] snmp-agent trap enable ike global # Enable SNMP notifications for events of creating IKE tunnels. [Sysname] snmp-agent trap enable ike tunnel-start...
  • Page 634: Ikev2 Commands

    IKEv2 commands aaa authorization Use aaa authorization to enable IKEv2 AAA authorization. Use undo aaa authorization to disable IKEv2 AAA authorization. Syntax aaa authorization domain domain-name username user-name undo aaa authorization Default IKEv2 AAA authorization is disabled. Views IKEv2 profile view Predefined user roles network-admin Parameters...
  • Page 635: Address

    [Sysname-ikev2-profile-profile1] aaa authorization domain abc username test Related commands display ikev2 profile address Use address to specify the IP address or IP address range of an IKEv2 peer. Use undo address to restore the default. Syntax address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } undo address Default The IKEv2 peer's IP address or IP address range is not specified.
  • Page 636 Use undo authentication-method to remove the local or remote identity authentication method. Syntax authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature } undo authentication-method local undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature } Default No local or remote identity authentication method is specified.
  • Page 637: Certificate Domain

    [Sysname-ikev2-profile-profile1] keychain keychain1 Related commands display ikev2 profile certificate domain (ikev2 profile view) keychain (ikev2 profile view) certificate domain Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation. Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.
  • Page 638: Config-Exchange

    pki domain config-exchange Use config-exchange to enable configuration exchange. Use undo config-exchange to disable configuration exchange. Syntax config-exchange { request | set { accept | send } } undo config-exchange { request | set { accept | send } } Default Configuration exchange is disabled.
  • Page 639: Display Ikev2 Policy

    display ikev2 profile display ikev2 policy Use display ikev2 policy to display the IKEv2 policy configuration. Syntax display ikev2 policy [ policy-name | default ] Views Any view Predefined user roles network-admin network-operator Parameters policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters. default: Specifies the default IKEv2 policy.
  • Page 640: Display Ikev2 Profile

    display ikev2 profile Use display ikev2 profile to display the IKEv2 profile configuration. Syntax display ikev2 profile [ profile-name ] Views Any view Predefined user roles network-admin network-operator Parameters profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.
  • Page 641: Display Ikev2 Proposal

    Field Description Match criteria Criteria for looking up the IKEv2 profile. Local identity ID of the local end. Local authentication method Method that the local end uses for authentication. Remote authentication methods Methods that the remote end uses for authentication. Keychain IKEv2 keychain that the IKEv2 profile uses.
  • Page 642: Display Ikev2 Sa

    Usage guidelines This command displays IKEv2 proposals in descending order of priorities. If you do not specify any parameters, this command displays the configuration of all IKEv2 proposals. Examples # Display the configuration of all IKEv2 proposals. <Sysname> display ikev2 proposal IKEv2 proposal : 1 Encryption: 3DES-CBC AES-CBC-128 AES-CTR-192 CAMELLIA-CBC-128 Integrity: MD5 SHA256 AES-XCBC-MAC...
  • Page 643 ipv4-address: Specifies a local or remote IPv4 address. ipv6 ipv6-address: Specifies a local or remote IPv6 address. vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in a VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
  • Page 644 Inside VRF: - Local SPI: 8f8af3dbf5023a00 Remote SPI: 0131565b9b3155fa Local ID type: FQDN Local ID: device_a Remote ID type: FQDN Remote ID: device_b Auth sign method: Pre-shared key Auth verify method: Pre-shared key Integrity algorithm: HMAC_MD5 PRF algorithm: HMAC_MD5 Encryption algorithm: AES-CBC-192 Life duration: 86400 secs Remaining key duration: 85604 secs Diffie-Hellman group: MODP1024/Group2...
  • Page 645 Auth verify method: Pre-shared key Integrity algorithm: HMAC_MD5 PRF algorithm: HMAC_MD5 Encryption algorithm: AES-CBC-192 Life duration: 86400 secs Remaining key duration: 85604 secs Diffie-Hellman group: MODP1024/Group2 NAT traversal: Not detected DPD: Interval 30 secs, retry interval 10 secs Transmitting entity: Initiator Local window: 1 Remote window: 1 Local request message ID: 2...
  • Page 646: Display Ikev2 Statistics

    Field Description PRF algorithm PRF algorithms that the IKEv2 proposal uses. Encryption algorithm Encryption algorithms that the IKEv2 proposal uses. Life duration Lifetime of the IKEv2 SA, in seconds. Remaining key duration Remaining lifetime of the IKEv2 SA, in seconds. Diffie-Hellman group DH groups used in IKEv2 key negotiation.
  • Page 647 Unsupported critical payload: 0 Invalid IKE SPI: 0 Invalid major version: 0 Invalid syntax: 0 Invalid message ID: 0 Invalid SPI: 0 No proposal chosen: 0 Invalid KE payload: 0 Authentication failed: 0 Single pair required: 0 TS unacceptable: 0 Invalid selectors: 0 Tempture failure: 0 No child SA: 0...
  • Page 648: Dpd

    Predefined user roles network-admin Parameters group1: Uses the 768-bit Diffie-Hellman group. group2: Uses the 1024-bit Diffie-Hellman group. group5: Uses the 1536-bit Diffie-Hellman group. group14: Uses the 2048-bit Diffie-Hellman group. group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup. group19: Uses 256-bit ECP Diffie-Hellman group.
  • Page 649: Encryption

    retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds. on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval. periodic: Triggers DPD at regular intervals.
  • Page 650: Hostname

    aes-cbc-256: Uses the AES algorithm in CBC mode, which uses a 256-bit key. aes-ctr-128: Uses the AES algorithm in CTR mode, which uses a 128-bit key. aes-ctr-192: Uses the AES algorithm in CTR mode, which uses a 192-bit key. aes-ctr-256: Uses the AES algorithm in CTR mode, which uses a 256-bit key. camellia-cbc-128: Uses the Camellia algorithm in CBC mode, which uses a 128-bit key.
  • Page 651: Identity

    [Sysname] ikev2 keychain key1 # Create an IKEv2 peer named peer1. [Sysname-ikev2-keychain-key1] peer peer1 # Specify the host name test of the IKEv2 peer. [Sysname-ikev2-keychain-key1-peer-peer1] hostname test Related commands ikev2 keychain peer identity Use identity to specify the ID of an IKEv2 peer. Use undo identity to restore the default.
  • Page 652: Identity Local

    # Specify the peer IPv4 address 1.1.1.2 as the ID of the IKEv2 peer. [Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2 Related commands ikev2 keychain peer identity local Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation.
  • Page 653: Ikev2 Address-Group

    ikev2 address-group Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to remote peers. Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool. Syntax ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ] undo ikev2 address-group group-name Default No IKEv2 IPv4 address pools exist.
  • Page 654: Ikev2 Dpd

    undo ikev2 cookie-challenge Default The cookie challenging feature is disabled. Views System view Predefined user roles network-admin Parameters number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 1 to 1000 half-open IKE SAs. Usage guidelines When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism.
  • Page 655: Ikev2 Ipv6-Address-Group

    periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval. Usage guidelines DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
  • Page 656: Ikev2 Keychain

    Usage guidelines Unlike an IKEv2 IPv4 address pool, an IKEv2 IPv6 address pool assigns an IPv6 subnet (not a single address) to a peer. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to other devices. IKEv2 IPv6 address pools cannot overlap with each other. Examples # Configure an IKEv2 IPv6 address pool with the name ipv6group, prefix 1:1::/64, and the assigned prefix length 80.
  • Page 657: Ikev2 Policy

    Use undo ikev2 nat-keepalive to restore the default. Syntax ikev2 nat-keepalive seconds undo ikev2 nat-keepalive Default The NAT keepalive interval is 10 seconds. Views System view Predefined user roles network-admin Parameters seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600. Usage guidelines This command takes effect when the device resides in the private network behind a NAT device.
  • Page 658: Ikev2 Profile

    Usage guidelines Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs.
  • Page 659: Ikev2 Proposal

    <Sysname> system-view [Sysname] ikev2 profile profile1 [Sysname-ikev2-profile-profile1] Related commands display ikev2 profile ikev2 proposal Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing IKEv2 proposal. Use undo ikev2 proposal to delete an IKEv2 proposal. Syntax ikev2 proposal proposal-name undo ikev2 proposal proposal-name...
  • Page 660: Inside-Vrf

    Examples # Create an IKEv2 proposal named prop1. Specify the encryption algorithm AES-CBC-128, integrity protection algorithm SHA1, PRF algorithm SHA1, and DH group 2. <Sysname> system-view [Sysname] ikev2 proposal prop1 [Sysname-ikev2-proposal-prop1] encryption aes-cbc-128 [Sysname-ikev2-proposal-prop1] integrity sha1 [Sysname-ikev2-proposal-prop1] prf sha1 [Sysname-ikev2-proposal-prop1] dh group2 Related commands encryption-algorithm integrity...
  • Page 661: Integrity

    integrity Use integrity to specify integrity protection algorithms for an IKEv2 proposal. Use undo integrity to restore the default. Syntax In non-FIPS mode: integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } * undo integrity In FIPS mode: integrity { sha1 | sha256 | sha384 | sha512 } * undo integrity...
  • Page 662: Match Local (Ikev2 Profile View)

    Use undo keychain to restore the default. Syntax keychain keychain-name undo keychain Default No IKEv2 keychain is specified for an IKEv2 profile. Views IKEv2 profile view Predefined user roles network-admin Parameters keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).
  • Page 663: Match Local Address (Ikev2 Policy View)

    Predefined user roles network-admin Parameters address: Specifies a local interface or IP address to which an IKEv2 profile can be applied. interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
  • Page 664: Match Remote

    Predefined user roles network-admin Parameters interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface. ipv4-address: Specifies the IPv4 address of a local interface. ipv6 ipv6-address: Specifies the IPv6 address of a local interface. Usage guidelines IKEv2 policies with this command configured are looked up before those that do not have this command configured.
  • Page 665: Match Vrf (Ikev2 Policy View)

    • address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32. • address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching.
  • Page 666: Match Vrf (Ikev2 Profile View)

    undo match vrf Default No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network. Views IKEv2 policy view Predefined user roles network-admin Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances.
  • Page 667: Nat-Keepalive

    Parameters name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters. any: Specifies the public network and all VPN instances. Usage guidelines If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation.
  • Page 668: Peer

    [Sysname-ikev2-profile-profile1] nat-keepalive 1200 Related commands display ikev2 profile ikev2 nat-keepalive peer Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer. Use undo peer to delete an IKEv2 peer. Syntax peer name undo peer name Default No IKEv2 peers exist.
  • Page 669 Syntax pre-shared-key [ local | remote ] { ciphertext | plaintext } string undo pre-shared-key [ local | remote ] Default No pre-shared key exists. Views IKEv2 peer view Predefined user roles network-admin Parameters local: Specifies a pre-shared key for certificate signing. remote: Specifies a pre-shared key for certificate authentication.
  • Page 670: Prf

    <Sysname> system-view [Sysname] ikev2 keychain telecom # Create an IKEv2 peer named peer1. [Sysname-ikev2-keychain-telecom] peer peer1 # Configure the symmetric plaintext pre-shared key 111-key. [Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key [Sysname-ikev2-keychain-telecom-peer-peer1] quit # Create an IKEv2 peer named peer2. [Sysname-ikev2-keychain-telecom] peer peer2 # Configure asymmetric plaintext pre-shared keys.
  • Page 671: Priority (Ikev2 Policy View)

    sha512: Uses the HMAC-SHA512 algorithm. Usage guidelines You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority. Examples # Create an IKEv2 proposal named prop1. <Sysname> system-view [Sysname] ikev2 proposal prop1 # Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred. [Sysname-ikev2-proposal-prop1] prf sha1 md5 Related commands ikev2 proposal...
  • Page 672: Priority (Ikev2 Profile View)

    priority (IKEv2 profile view) Use priority to set a priority for an IKEv2 profile. Use undo priority to restore the default. Syntax priority priority undo priority Default The priority of an IKEv2 profile is 100. Views IKEv2 profile view Predefined user roles network-admin Parameters priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535.
  • Page 673: Reset Ikev2 Sa

    Usage guidelines You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority. Examples # Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1. <Sysname> system-view [Sysname] ikev2 policy policy1 [Sysname-ikev2-policy-policy1] proposal proposal1 Related commands display ikev2 policy ikev2 proposal...
  • Page 674: Reset Ikev2 Statistics

    -------------------------------------------------------------------- 1.1.1.1/500 1.1.1.2/500 2.2.2.1/500 2.2.2.2/500 Status: IN-NEGO: Negotiating, EST: Established, DEL: Deleting # Delete the IKEv2 SA whose remote IP address is 1.1.1.2. <Sysname> reset ikev2 sa remote 1.1.1.2 <Sysname> display ikev2 sa Tunnel ID Local Remote Status -------------------------------------------------------------------- 2.2.2.1/500 2.2.2.2/500 Status: IN-NEGO: Negotiating, EST: Established, DEL: Deleting...
  • Page 675 Predefined user roles network-admin Parameters seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400. Usage guidelines An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot of negotiation time. However, the longer the lifetime, the higher the possibility that attackers collect enough information and initiate attacks.
  • Page 676: Group Domain Vpn Commands

    Group domain VPN commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The following matrix shows the feature and hardware compatibility: Hardware Group domain VPN compatibility...
  • Page 677: Client Registration

    Examples # Set the anti-replay window size to 50 seconds for GDOI GM group group1. <Sysname> system-view [Sysname] gdoi gm group group1 [Sysname-gdoi-gm-group-group1] client anti-replay window sec 50 Related commands display gdoi gm anti-replay client registration Use client registration to specify a registration interface for a GM in a GDOI GM group. The GM uses the registration interface to send packets to the KS.
  • Page 678: Client Rekey Encryption

    client rekey encryption Use client rekey encryption to specify KEK encryption algorithms supported by a GM. Use undo client rekey encryption to restore the default. Syntax In non-FIPS mode: client rekey encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } * undo client rekey encryption In FIPS mode: client rekey encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *...
  • Page 679: Client Transform-Sets

    client transform-sets Use client transform-sets to specify IPsec transform sets supported by a GM. Use undo client transform-sets to restore the default. Syntax client transform-sets transform-set-name&<1-6> undo client transform-sets Default A GM supports the IPsec transform set configured with the following security parameters: •...
  • Page 680 Syntax display gdoi gm [ group group-name ] Views Any view Predefined user roles network-admin network-operator Parameters group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays information about all GDOI GM groups.
  • Page 681 rule 1 deny ospf rule 2 permit icmp KEK: Rekey transport type : Multicast Remaining key lifetime : 159 sec Encryption algorithm : AES-CBC Key size : 128 Signature algorithm : RSA Signature hash algorithm : SHA1 Signature key length : 1024 bits TEK: : 0x9AE5951E(2598737182)
  • Page 682 Rekeys cumulative: Total received : 52 Rekeys after latest registration: 3 Total rekey ACKs sent : 23 ACL downloaded from KS 90.1.1.2: rule 0 deny udp source-port eq 848 destination-port eq 848 rule 1 deny ospf rule 2 permit icmp KEK: Rekey transport type : Unicast...
  • Page 683 Field Description Re-register in Period of time after which the GM re-registers with a KS. N/A indicates that the GM does not re-register with a KS. Succeeded registrations Number of successful registrations. Attempted registrations Number of registration attempts. Last rekey from KS from which the GM received the last rekey message. N/A indicates that the GM has not received any rekey messages.
  • Page 684: Display Gdoi Gm Acl

    Field Description TEK information. SPI of the IPsec SA. Transform Transform set list. Remaining key lifetime IPsec SA remaining lifetime in seconds. display gdoi gm acl Use display gdoi gm acl to display ACL information for the GM. Syntax display gdoi gm acl [ download | local ] [ group group-name ] Views Any view Predefined user roles...
  • Page 685: Display Gdoi Gm Anti-Replay

    Group name: ipv6 ACL configured locally: IPsec policy name: gdoi-group1 IPv6 ACL identifier: 3001 rule 0 permit ipv6 source 1::/64 destination 2::/64 # Display information about ACLs that the GM downloaded from the KS. <Sysname> display gdoi gm acl download Group name: abc ACL downloaded from KS 12.1.1.100: rule 0 permit ip...
  • Page 686: Display Gdoi Gm Ipsec Sa

    Examples # Display anti-replay information for all GDOI GM groups. <Sysname> display gdoi gm anti-replay Group name: abc Anti-replay timestamp type : POSIX-TIME Anti-replay window : 200.16 ms Related commands client anti-replay window display gdoi gm ipsec sa Use display gdoi gm ipsec sa to display IPsec SA information obtained by the GM. Syntax display gdoi gm ipsec sa [ group group-name ] Views...
  • Page 687: Display Gdoi Gm Members

    Field Description Transform Transform set. Remaining key lifetime Remaining lifetime of the IPsec SA, in seconds. display gdoi gm members Use display gdoi gm members to display brief information about the GM. Syntax display gdoi gm members [ group group-name ] Views Any view Predefined user roles...
  • Page 688: Display Gdoi Gm Pubkey

    Field Description Registered with IP address or host name of the KS with which the GM registers. If the host name is displayed, this field also displays the IP address of the host in brackets. Re-register in Period of time after which the GM re-registers with a KS. Succeeded registrations Number of successful registrations.
  • Page 689: Display Gdoi Gm Rekey

    D3721818 B66201F0 BD1987BE DD28D533 C38E7D42 939D2B71 3FAAA17A 128DF862 E45C531D A0C8593E D7D602E9 7A7E675A 94AF6B25 2972CF85 94E601BD 19020301 0001 Table 97 Command output Field Description Group name GDOI GM group name. KS address IPv4 or IPv6 address of the KS. Conn-ID ID of the rekey SA. My cookie Local cookie of the rekey SA.
  • Page 690: Gdoi Gm Group

    Group name: GDOI-GROUP1 (Multicast) Number of rekeys received (cumulative) : 1904 Number of rekeys received after registration : 889 Multicast destination address : 239.192.1.190 Rekey (KEK) SA information: Destination Source Conn-ID My cookie His cookie : 239.192.1.190 90.1.1.1 9646 14406D26 8C58E504 Current : 239.192.1.190...
  • Page 691: Group

    Parameters ipv6: Specifies an IPv6 GDOI GM group. If you do not specify this keyword, the command creates an IPv4 GDOI GM group. group-name: Specifies a name for the GDOI GM group, a case-insensitive string of 1 to 63 characters. Usage guidelines IPv4 GDOI GM groups and IPv6 GDOI GM groups share the same namespace.
  • Page 692: Identity

    [Sysname-ipsec-policy-gdoi-map-1] group abc Related commands gdoi gm group ipsec { ipv6-policy | policy } identity Use identity to configure an ID for a GDOI GM group. Use undo identity to restore the default. Syntax identity { address ip-address | number number } undo identity Default No ID is configured for a GDOI GM group.
  • Page 693: Server Address

    Views User view Predefined user roles network-admin Parameters group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command clears GDOI information for all GM groups.
  • Page 694 [Sysname-gdoi-gm-group-abc] server address 3.3.3.4...
  • Page 695: Ssh Commands

    SSH commands Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC. • MSR 3610/3620/3620-DP/3640/3660. Commands and descriptions for distributed devices apply to the following routers: •...
  • Page 696 Parameters session: Displays SSH server session information. status: Displays the SSH server status. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays SSH server session information for the active MPU. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID.
  • Page 697: Display Ssh User-Information

    Table 100 Command output Field Description UserPid User process ID. SessID Session ID. Ver Protocol version of the SSH server. Encrypt Encryption algorithm used on the SSH server. State Session state: • Init—Initialization. • Ver-exchange—Version negotiation. • Keys-exchange—Key exchange. • Auth-request—Authentication request. •...
  • Page 698: Scp Server Enable

    Total ssh users:2 Username Authentication-type User-public-key-name Service-type yemx password Stelnet|SFTP test publickey pubkey SFTP Table 101 Command output Field Description Total ssh users Total number of SSH users. Authentication-type Authentication methods: • Password authentication. • Publickey authentication. • Password-publickey authentication. •...
  • Page 699: Sftp Server Enable

    Related commands display ssh server sftp server enable Use sftp server enable to enable the SFTP server. Use undo sftp server enable to disable the SFTP server. Syntax sftp server enable undo sftp server enable Default The SFTP server is disabled. Views System view Predefined user roles...
  • Page 700: Ssh Ip Alias

    Usage guidelines If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. To promptly release connection resources, set the idle timeout timer to a small value when many SFTP connections concurrently exist. Examples # Set the idle timeout timer to 500 minutes for SFTP connections.
  • Page 701: Ssh Redirect Disconnect

    The SSH redirect server can provide the SSH redirect service after SSH redirect is enabled and an SSH redirect listening port is configured. The SSH client can use the ssh2 ip address port number command to access the destination device. The ip address argument and the port number argument specify the IP address of the SSH redirect server and the SSH redirect listening port, respectively.
  • Page 702: Ssh Redirect Enable

    <Sysname> system-view [Sysname] line tty 1 [Sysname-line-tty1] ssh redirect disconnect Related commands ssh redirect enable ssh redirect enable Use ssh redirect enable to enable SSH redirect for a user line. Use undo ssh redirect enable to disable SSH redirect for a user line. Syntax ssh redirect enable undo ssh redirect enable...
  • Page 703: Ssh Redirect Listen-Port

    Examples # Enable SSH redirect on TTY line 7. <Sysname> system-view [Sysname] line tty 7 [Sysname-line-tty7] ssh redirect enable Related commands ssh redirect listen-port ssh redirect disconnect ssh redirect listen-port Use ssh redirect listen-port to set a listening port of SSH redirect. Use undo ssh redirect listen-port to restore the default.
  • Page 704: Ssh Redirect Timeout

    Examples # Set the SSH redirect listening port number to 5000 on TTY line 1. <Sysname> system-view [Sysname] line tty 1 [Sysname-line-tty1] ssh redirect listen-port 5000 Related commands ssh redirect enable ssh redirect timeout Use ssh redirect timeout to set the idle-timeout timer for the redirected SSH connection. Use undo ssh redirect timeout to restore the default.
  • Page 705: Ssh Server Acl

    Examples # Set the idle-timeout timer to 200 seconds for the redirected SSH connection. <Sysname> system-view [Sysname] line tty 1 [Sysname-line-tty1] ssh redirect timeout 200 Related commands ssh redirect enable ssh server acl Use ssh server acl to specify an ACL to control IPv4 SSH connections. Use undo ssh server acl to restore the default.
  • Page 706: Ssh Server Authentication-Retries

    Related commands display ssh server ssh server authentication-retries Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users. Use undo ssh server authentication-retries to restore the default. Syntax ssh server authentication-retries retries undo ssh server authentication-retries Default The maximum number of authentication attempts is 3 for SSH users.
  • Page 707: Ssh Server Compatible-Ssh1X Enable

    Syntax ssh server authentication-timeout time-out-value undo ssh server authentication-timeout Default The SSH user authentication timeout timer is 60 seconds. Views System view Predefined user roles network-admin Parameters time-out-value: Specifies an authentication timeout timer in the range of 1 to 120 seconds. Usage guidelines If a user does not finish the authentication when the timeout timer expires, the connection cannot be established.
  • Page 708: Ssh Server Dscp

    Examples # Enable the SSH server to support SSH1 clients. <Sysname> system-view [Sysname] ssh server compatible-ssh1x enable Related commands display ssh server ssh server dscp Use ssh server dscp to set the DSCP value in the IPv4 SSH packets that the SSH server sends to SSH clients.
  • Page 709: Ssh Server Ipv6 Acl

    Views System view Predefined user roles network-admin Examples # Enable the Stelnet server. <Sysname> system-view [Sysname] ssh server enable Related commands display ssh server ssh server ipv6 acl Use ssh server ipv6 acl to specify an ACL to control IPv6 SSH connections to the server. Use undo ssh server ipv6 acl to restore the default.
  • Page 710: Ssh Server Ipv6 Dscp

    <Sysname> system-view [Sysname] acl ipv6 basic 2001 [Sysname-acl6-ipv6-basic-2001] rule permit source 1::1 64 [Sysname-acl6-ipv6-basic-2001] quit [Sysname] ssh server ipv6 acl ipv6 2001 Related commands display ssh server ssh server ipv6 dscp Use ssh server ipv6 dscp to set the DSCP value in the IPv6 SSH packets that the SSH server sends to SSH clients.
  • Page 711: Ssh Server Rekey-Interval

    Views System view Predefined user roles network-admin Parameters port-number: Specifies a port number in the range of 1 to 65535. Usage guidelines If you modify the SSH port number when the SSH service is enabled, the SSH service is restarted and all SSH connections are terminated after the modification.
  • Page 712: Ssh User

    Usage guidelines Periodically updating the RSA server key pair limits the damage an attacker can do by compromising the key pair and so enhances the security of the SSH connections. This command takes effect only on SSH1 clients. The system starts to count down the configured minimum update interval after the first SSH1 user logs in to the server.
  • Page 713 service-type: Specifies a service type for the SSH user. • all: Specifies service types Stelnet, SFTP, SCP, and NETCONF. • scp: Specifies the service type SCP. • sftp: Specifies the service type SFTP. • stelnet: Specifies the service type Stelnet. •...
  • Page 714 You do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
  • Page 715: Ssh Client Commands

    SSH client commands bye Use bye to terminate the connection with the SFTP server and return to user view. Syntax bye Views SFTP client view Predefined user roles network-admin Usage guidelines This command has the same function as the exit and quit commands. Examples # Terminate the connection with the SFTP server.
  • Page 716: Cdup

    cdup Use cdup to return to the upper-level directory. Syntax cdup Views SFTP client view Predefined user roles network-admin Example # Return to the upper-level directory from the current working directory /test1. sftp> cd test1 Current Directory is:/test1 sftp> pwd Remote working directory: /test1 sftp>...
  • Page 717: Display Sftp Client Source

    Syntax dir [ -a | -l ] [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters -a: Displays detailed information about files and subdirectories under a directory in a list, including the files and subdirectories with names starting with dots (.). -l: Displays detailed information about the files and subdirectories under a directory in a list, excluding the files and subdirectories with names starting with dots (.).
  • Page 718: Display Ssh Client Source

    Predefined user roles network-admin network-operator Examples # Display the source IP address configured for the SFTP client. <Sysname> display sftp client source The source IP address of the SFTP client is 192.168.0.1 The source IPv6 address of the SFTP client is 2:2::2:2. Related commands sftp client ipv6 source sftp client source...
  • Page 719: Get

    Usage guidelines This command has the same function as the bye and quit commands. Examples # Terminate the SFTP connection. sftp> exit <Sysname> get Use get to download a file from the SFTP server and save it locally. Syntax get remote-file [ local-file ] Views SFTP client view Predefined user roles...
  • Page 720 cd [path] Change remote directory to 'path' cdup Change remote directory to the parent directory delete path Delete remote file dir [-a|-l][path] Display remote directory listing List all filenames List filename including the specific information of the file exit Quit sftp get remote-path [local-path] Download file help Display this help text...
  • Page 721: Mkdir

    Examples # Display detailed information about the files and subdirectories under the current directory, including the files and subdirectories with names starting with dots (.). sftp> ls -a drwxrwxrwx 512 Dec 18 14:12 . drwxrwxrwx 512 Dec 18 14:12 .. -rwxrwxrwx 301 Dec 18 14:11 010.pub -rwxrwxrwx...
  • Page 722: Pwd

    Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server. If you do not specify this argument, the file will be remotely saved with the same name as the local file. Examples # Upload the local file startup.bak to the SFTP server and save it as startup01.bak.
  • Page 723: Remove

    remove Use remove to delete a file from the SFTP server. Syntax remove remote-file Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies a file by its name. Usage guidelines This command has the same function as the delete command. Examples # Delete the file temp.c from the SFTP server.
  • Page 724: Scp

    Syntax rmdir remote-path Views SFTP client view Predefined user roles network-admin Parameters remote-path: Specifies a directory. Examples # Delete the subdirectory temp1 under the current directory on the SFTP server. sftp> rmdir temp1 scp Use scp to establish a connection to an IPv4 SCP server and transfer files with the server. Syntax In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name...
  • Page 725 destination-file-name: Specifies the name of the target file. If you do not specify this argument, the target file uses the same file name as the source file. identity-key: Specifies a public key algorithm for the client. The default is dsa in non-FIPS mode and is rsa in FIPS mode.
  • Page 726: Scp Ipv6

    interface interface-type interface-number: Specifies a source interface by its type and number. The IPv4 address of this interface is the source IPv4 address of the SCP packets. ip ip-address: Specifies a source IPv4 address. Examples # Connect the SCP client to the SCP server 200.1.1.1. Specify the public key of the server as svkey, and download the file abc.txt from the server.
  • Page 727 -i interface-type interface-number: Specifies an output interface by its type and number for SCP packets. This option is used only when the server uses a link-local address to provide the SCP service for the client. The specified output interface on the SCP client must have a link-local address. get: Downloads the file.
  • Page 728: Sftp

    publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the device automatically selects a source IPv6 address for IPv6 SCP packets in compliance with RFC 3484.
  • Page 729 port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. identity-key: Specifies a public key algorithm for the client.
  • Page 730: Sftp Client Ipv6 Source

    source: Specifies a source IPv4 address or source interface for the SFTP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source IPv4 address of SFTP packets. As a best practice to ensure successful IPv4 SFTP connections, specify a loopback interface or dialer interface as the source interface or specify that interface's IPv4 address as the source IPv4 address.
  • Page 731: Sftp Client Source

    Examples # Specify 2:2::2:2 as the source IPv6 address for SFTP packets. <Sysname> system-view [Sysname] sftp client ipv6 source ipv6 2:2::2:2 Related commands display sftp client source sftp client source Use sftp client source to configure the source IPv4 address for SFTP packets. Use undo sftp client source to restore the default.
  • Page 732 Syntax In non-FIPS mode: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | public-key keyname | source { interface...
  • Page 733 prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithms sha1 and sha1-96 provide stronger security but cost more computation time than algorithms md5 and md5-96. • md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. •...
  • Page 734: Ssh Client Ipv6 Source

    ssh client ipv6 source Use ssh client ipv6 source to configure the source IPv6 address for SSH packets that are sent by the Stelnet client. Use undo ssh client ipv6 source to restore the default. Syntax ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address } undo ssh client ipv6 source Default The source IPv6 address for SSH packets is not configured.
  • Page 735: Ssh2

    Default The source IPv4 address for SSH packets is not configured. The Stelnet client uses the primary IPv4 address of the output interface in the routing entry as the source address of the SSH packets. Views System view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies a source interface by its type and number.
  • Page 736 Predefined user roles network-admin Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
  • Page 737: Ssh2 Ipv6

    dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet. escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).
  • Page 738 md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | escape character | public-key keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * In FIPS mode: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14-sha1 | prefer-stoc-cipher { aes128-cbc | aes256-cbc } | prefer-stoc-hmac { sha1 | sha1-96 } ] *...
  • Page 739 • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange-sha1 in non-FIPS mode and dh-group14-sha1 in FIPS mode. • dh-group-exchange-sha1: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. • dh-group1-sha1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. • dh-group14-sha1: Specifies the key exchange algorithm diffie-hellman-group14-sha1. The algorithm dh-group14-sha1 provides stronger security but costs more computation time than the algorithm dh-group1-sha1.
  • Page 740: Ssh2 Commands

    <Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey escape $ SSH2 commands display ssh2 algorithm Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation stage. Syntax display ssh2 algorithm Views Any view Predefined user roles...
  • Page 741: Ssh2 Algorithm Key-Exchange

    Syntax In non-FIPS mode: ssh2 algorithm cipher { aes128-cbc | aes256-cbc | 3des-cbc | des-cbc } * undo ssh2 algorithm cipher In FIPS mode: ssh2 algorithm cipher { aes128-cbc | aes256-cbc } * undo ssh2 algorithm cipher Default In non-FIPS mode: SSH2 uses the encryption algorithms aes128-cbc, aes256-cbc, 3des-cbc, and des-cbc in descending order of priority for algorithm negotiation.
  • Page 742: Ssh2 Algorithm Mac

    Syntax In non-FIPS mode: ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group14-sha1 | dh-group1-sha1 } * undo ssh2 algorithm key-exchange In FIPS mode: ssh2 algorithm key-exchange dh-group14-sha1 undo ssh2 algorithm key-exchange Default In non-FIPS mode: SSH2 uses the key exchange algorithms dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority for algorithm negotiation.
  • Page 743: Ssh2 Algorithm Public-Key

    Syntax In non-FIPS mode: ssh2 algorithm mac { sha1 | sha1-96 | md5 | md5-96 } * undo ssh2 algorithm mac In FIPS mode: ssh2 algorithm mac { sha1 | sha1-96 } * undo ssh2 algorithm mac Default In non-FIPS mode: SSH2 uses the MAC algorithms sha1, sha1-96, md5, and md5-96 in descending order of priority for algorithm negotiation.
  • Page 744 Syntax In non-FIPS mode: ssh2 algorithm public-key { ecdsa | dsa | rsa } * undo ssh2 algorithm public-key In FIPS mode: ssh2 algorithm public-key { ecdsa | rsa } * undo ssh2 algorithm public-key Default In non-FIPS mode: SSH2 uses the public key algorithms ecdsa, dsa, and rsa in descending order of priority for algorithm negotiation.
  • Page 745: Ssl Commands

    SSL commands The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. The following matrix shows the feature and hardware compatibility: Hardware SSL compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/8...
  • Page 746: Ciphersuite

    ciphersuite Use ciphersuite to specify the cipher suites supported by an SSL server policy. Use undo ciphersuite to restore the default. Syntax In non-FIPS mode: ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } * undo ciphersuite In FIPS mode:...
  • Page 747: Client-Verify

    Usage guidelines SSL employs the following algorithms: • Data encryption algorithms—Encrypt data to ensure privacy. Commonly used data encryption algorithms are usually symmetric key algorithms, such as DES_CBC, 3DES_EDE_CBC, AES_CBC, and RC4. When using a symmetric key algorithm, the SSL server and the SSL client must use the same key.
  • Page 748: Display Ssl Client-Policy

    optional: Enables optional SSL client authentication. Usage guidelines SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide. Mandatory SSL client authentication—The SSL server requires an SSL client to submit its digital certificate for identity authentication.
  • Page 749: Display Ssl Server-Policy

    Predefined user roles network-admin network-operator Parameters policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. If you do not specify a policy name, this command displays information about all SSL client policies. Examples # Display information about SSL client policy policy1.
  • Page 750: Pki-Domain

    Session cache size: 600 Caching timeout: 3600 seconds Client-verify: Enabled Table 105 Command output Field Description Caching timeout Session cache timeout time in seconds. Client-verify SSL client authentication mode, including: • Disabled—SSL client authentication is disabled. • Enabled—SSL client authentication is mandatory. •...
  • Page 751: Prefer-Cipher

    Related commands display ssl client-policy display ssl server-policy pki domain prefer-cipher Use prefer-cipher to specify a preferred cipher suite for an SSL client policy. Use undo prefer-cipher to restore the default. Syntax In non-FIPS mode: prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } undo prefer-cipher...
  • Page 752: Server-Verify Enable

    rsa_aes_256_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 256-bit AES_CBC, and MAC algorithm SHA. rsa_des_cbc_sha: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm DES_CBC, and MAC algorithm SHA. rsa_rc4_128_md5: Specifies the cipher suite that uses key exchange algorithm RSA, data encryption algorithm 128-bit RC4, and MAC algorithm MD5.
  • Page 753: Session

    Views SSL client policy view Predefined user roles network-admin Usage guidelines SSL uses digital certificates to authenticate communicating parties. For more information about digital certificates, see Security Configuration Guide. If you execute the server-verify enable command, an SSL server must send its digital certificate to the SSL client for authentication.
  • Page 754: Ssl Client-Policy

    Examples # Set the maximum number of cached sessions to 600, and the timeout time for cached sessions to 1800 seconds. <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] session cachesize 600 timeout 1800 Related commands display ssl server-policy ssl client-policy Use ssl client-policy to create an SSL client policy and enter its view, or enter the view of an existing SSL client policy.
  • Page 755: Ssl Server-Policy

    Syntax ssl renegotiation disable undo ssl renegotiation disable Default SSL session renegotiation is enabled. Views System view Predefined user roles network-admin Usage guidelines The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake. Disabling session renegotiation causes more computational overhead to the system but it can avoid potential risks.
  • Page 756: Ssl Version Ssl3.0 Disable

    <Sysname> system-view [Sysname] ssl server-policy policy1 [Sysname-ssl-server-policy-policy1] Related commands display ssl server-policy ssl version ssl3.0 disable Use ssl version ssl3.0 disable to disable SSL 3.0 on the device. Use undo ssl version ssl3.0 disable to restore the default. Syntax ssl version ssl3.0 disable undo ssl version ssl3.0 disable Default SSL 3.0 is enabled on the device.
  • Page 757 undo version Default The SSL protocol version for an SSL client policy is TLS 1.0. Views SSL client policy view Predefined user roles network-admin Parameters ssl3.0: Specifies SSL 3.0. tls1.0: Specifies TLS 1.0. Usage guidelines If you execute this command multiple times, the most recent configuration takes effect. You can specify SSL 3.0 or TLS 1.0 for an SSL client policy: •...
  • Page 758: Ssl Vpn Commands

    SSL VPN commands The following matrix shows the feature and hardware compatibility: Hardware SSL VPN compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/8 10-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 aaa domain Use aaa domain to specify an ISP domain for authentication, authorization, and accounting of SSL VPN users in an SSL VPN context.
  • Page 759: Bandwidth

    Usage guidelines An SSL VPN username cannot carry ISP domain information. After this command is executed, an SSL VPN gateway uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users in the context. Examples # Specify ISP domain myserver for authentication, authorization, and accounting of SSL VPN users in SSL VPN context ctx1.
  • Page 760: Content-Type

    Default Certificate authentication is disabled. Views SSL VPN context view Predefined user roles network-admin Usage guidelines After you enable certificate authentication, you must also execute the client-verify command in SSL server policy view. The SSL VPN gateway uses the digital certificate sent by an SSL VPN client to authenticate the client's identity.
  • Page 761: Default

    Usage guidelines A file policy rewrites a file carried in an HTTP response to a file of the type specified by this command. If the specified file type is different from that indicated by the content-type field in the HTTP response, users might not be able to read the file correctly. If you execute this command multiple times, the most recent configuration takes effect.
  • Page 762: Description (Shortcut View)

    Default No policy group is specified as the default policy group. Views SSL VPN context view Predefined user roles network-admin Parameters group-name: Specifies the name of a policy group, a case-insensitive string of 1 to 31 characters. The specified policy group must have been created by using the policy-group command. Usage guidelines You can configure multiple policy groups for an SSL VPN context.
  • Page 763: Description (Ssl Vpn Ac Interface View)

    Usage guidelines If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure a description for shortcut shortcut1. <Sysname> system-view [Sysname] sslvpn context ctx1 [Sysname-sslvpn-context-ctx1] shortcut shortcut1 [Sysname-sslvpn-context-ctx1-shortcut-shortcut1] description shortcut1 description (SSL VPN AC interface view) Use description to configure a description for an SSL VPN AC interface.
  • Page 764 Predefined user roles network-admin network-operator Parameters sslvpn-ac interface-number: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you specify the sslvpn-ac keyword without the interface-number argument, this command displays information about all SSL VPN AC interfaces. brief: Displays brief interface information.
  • Page 765 Field Description Bandwidth Expected bandwidth for the interface. Maximum transmission unit MTU of the interface. Internet protocol processing IP address of the interface. If no IP address is assigned to the interface, this field displays Internet protocol processing: Disabled, and the interface cannot process packets.
  • Page 766: Display Sslvpn Context

    Field Description Interface Abbreviated interface name. Link Physical link state of the interface: • UP—The link is physically up. • DOWN—The link is physically down. • ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command.
  • Page 767 Operation state: Up AAA domain: domain1 Certificate authentication: Enabled Dynamic password: Enabled Code verification: Enabled Default policy group not configured Associated SSL VPN gateway: gw1 Domain name: 1 Associated SSL VPN gateway: gw2 Virtual host: abc.com Associated SSL VPN gateway: gw3 SSL client policy configured: ssl1 SSL client policy in use: ssl Maximum users allowed: 200...
  • Page 768: Display Sslvpn Gateway

    Field Description Code verification Whether code verification is enabled for the SSL VPN context. Default policy group Default policy group used by the SSL VPN context. Associated SSL VPN gateway SSL VPN gateway associated with the SSL VPN context. Domain name Domain name specified for the SSL VPN context.
  • Page 769 Predefined user roles network-admin network-operator Parameters brief: Displays brief SSL VPN gateway information. If you do not specify this keyword, the command displays detailed SSL VPN gateway information. name gateway-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_).
  • Page 770: Display Sslvpn Policy-Group

    Field Description Down reason Causes for the Down operation status: • Administratively down—The SSL VPN gateway is disabled. To enable the gateway, use the service enable command. • VPN instance not exist—The VPN instance to which the SSL VPN gateway belongs does not exist. •...
  • Page 771: Display Sslvpn Port-Forward Connection

    Views Any view Predefined user roles network-admin network-operator Parameters group-name: Specifies a policy group by its name, a case-insensitive string of 1 to 31 characters. context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_).
  • Page 772 slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays TCP port forwarding connection information for all member devices. (Centralized devices in IRF mode.) Examples # (Centralized devices in standalone mode.) Display TCP port forwarding connection information for all SSL VPN contexts. <Sysname>...
  • Page 773: Display Sslvpn Session

    display sslvpn session Use display sslvpn session to display SSL VPN session information. Syntax display sslvpn session [ context context-name ] [ user user-name | verbose ] Views Any view Predefined user roles network-admin network-operator Parameters context context-name: Specifies an SSL VPN context by its name. An SSL VPN context name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_).
  • Page 774 Field Description Conn Number of connections in the SSL VPN session. Idle Time Duration that the SSL VPN session has been idle. Created Creation time of the SSL VPN session. User IP address IPv4 or IPv6 address used by the SSL VPN session. # Display detailed information about the SSL VPN session for SSL VPN user user1.
  • Page 775: Dynamic-Password Enable

    Table 115 Command output Field Description User SSL VPN username. Context Context to which the user belongs. Policy group Policy group used by the user. Idle timeout Idle timeout time of the SSL VPN session, in seconds. Created at Creation time of the SSL VPN session. Lastest Most recent time when the SSL VPN user accessed resources through the SSL VPN session.
  • Page 776: Exclude

    Syntax emo-server address { host-name | ipv4-address } port port-number undo emo-server Default No EMO server is specified for mobile clients. Views SSL VPN context view Predefined user roles network-admin Parameters address: Specifies the host name or IPv4 address of the EMO server. host-name: Specifies the host name of the EMO server, a case-insensitive string of 1 to 127 characters.
  • Page 777: Execution (Port Forwarding Item View)

    Parameters ip-address: Specifies the destination IP address of the route. It cannot be a multicast, broadcast, or loopback address. mask: Specifies the subnet mask of the destination IP address. mask-length: Specifies the mask length of the destination IP address, an integer in the range of 0 to Usage guidelines To deny user access to specific network nodes or segments behind an SSL VPN gateway, configure exclude routes for those nodes or segments.
  • Page 778: Execution (Shortcut View)

    Usage guidelines After you configure a resource link for a port forwarding item, you can click the port forwarding name on the SSL VPN Web page to access the resource. If you execute this command for a port forwarding item multiple times, the most recent configuration takes effect.
  • Page 779: Filter Ip-Tunnel Acl

    Syntax file-policy policy-name undo file-policy policy-name Default No file policies exist. Views SSL VPN context view Predefined user roles network-admin Parameters policy-name: Specifies a file policy name, a case-insensitive string of 1 to 31 characters. Usage guidelines The SSL VPN gateway uses a file policy to rewrite the content of Web page files before forwarding them to requesting Web access users.
  • Page 780: Filter Ip-Tunnel Uri-Acl

    Usage guidelines You can specify both an advanced ACL and a URI ACL for IP access filtering. The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request: Matches the request against rules in the URI ACL: If the request matches a permit rule, the gateway forwards the request.
  • Page 781: Filter Tcp-Access Acl

    Usage guidelines You can specify both an advanced ACL and a URI ACL for IP access filtering. The SSL VPN gateway uses the following procedure to determine whether to forward an IP access request: Matches the request against rules in the URI ACL: If the request matches a permit rule, the gateway forwards the request.
  • Page 782: Filter Tcp-Access Uri-Acl

    Usage guidelines You can specify both an advanced ACL and a URI ACL for TCP access filtering. For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request: Matches the request against the authorized port forwarding list. If the request matches a port forwarding entry in the list, the gateway forwards the request.
  • Page 783: Filter Web-Access Acl

    Predefined user roles network-admin Parameters uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist. Usage guidelines You can specify both an advanced ACL and a URI ACL for TCP access filtering. For mobile client users, the SSL VPN gateway uses the following procedure to determine whether to forward a TCP access request: Matches the request against the authorized port forwarding list.
  • Page 784: Filter Web-Access Uri-Acl

    Default A user can access only the Web resources in the URL list authorized to the user. Views SSL VPN policy group view Predefined user roles network-admin Parameters ipv6: Specifies an IPv6 ACL. Do not configure this keyword if you want to specify an IPv4 ACL. acl advanced-acl-number: Specifies an advanced ACL by its number in the range of 3000 to 3999.
  • Page 785: Force-Logout

    Syntax filter web-access uri-acl uri-acl-name undo filter web-access uri-acl Default Users can access only the Web resources authorized to them through the URL list. Views SSL VPN policy group view Predefined user roles network-admin Parameters uri-acl-name: Specifies a URI ACL by its name, a case-insensitive string of 1 to 31 characters. The specified URI ACL must already exist.
  • Page 786: Force-Logout Max-Onlines Enable

    Views SSL VPN context view Predefined user roles network-admin Parameters all: Logs out all users. session session-id: Logs out all users in a session. The session-id argument specifies the session ID in the range of 1 to 4294967295. user user-name: Logs out a user. The user-name argument specifies the username, a case-sensitive string of 1 to 63 characters.
  • Page 787: Heading

    Use undo gateway to delete associated SSL VPN gateways. Syntax gateway gateway-name [ domain domain-name | virtual-host virtual-host-name ] undo gateway [ gateway-name ] Default An SSL VPN context is not associated with an SSL VPN gateway. Views SSL VPN context view Predefined user roles network-admin Parameters...
  • Page 788: Http-Redirect

    Default The heading of a URL list is Web. Views URL list view Predefined user roles network-admin Parameters string: Specifies a URL list heading, a case-insensitive string of 1 to 31 characters. Examples # Configure the heading of URL list url as urlhead. <Sysname>...
  • Page 789: Include

    <Sysname> system-view [Sysname] sslvpn gateway gateway1 [Sysname-sslvpn-gateway-gateway1] http-redirect port 1025 include Use include to add an include route to a route list. Use undo include to delete an include route from a route list. Syntax include ip-address { mask | mask-length } undo include ip-address { mask | mask-length } Default No include routes exist.
  • Page 790: Interface Sslvpn-Ac

    interface sslvpn-ac Use interface sslvpn-ac to create an SSL VPN AC interface and enter its view, or enter the view of an existing SSL VPN AC interface. Use undo interface sslvpn-ac to delete an SSL VPN AC interface. Syntax interface sslvpn-ac interface-number undo interface sslvpn-ac interface-number Default No SSL VPN AC interfaces exist.
  • Page 791: Ip-Route-List

    Usage guidelines A remote user uses the IPv4 address and port number configured by this command to access an SSL VPN gateway. For remote users to access the SSL VPN gateway correctly, you must specify an IPv4 address other than the default address (0.0.0.0) or the management address for the gateway. The specified IPv4 address must be the IP address of an interface on the gateway device and is reachable from clients and internal servers.
  • Page 792: Ip-Tunnel Access-Route

    Related commands ip-tunnel access-route ip-tunnel access-route Use ip-tunnel access-route to specify the routes to be issued to clients. Use undo ip-tunnel access-route to restore the default. Syntax ip-tunnel access-route { ip-address { mask-length | mask } | force-all | ip-route-list list-name } undo ip-tunnel access-route Default No routes to be issued to clients are specified.
  • Page 793: Ip-Tunnel Address-Pool

    [Sysname-sslvpn-context-ctx1-route-list-rtlist] quit [Sysname-sslvpn-context-ctx1] policy-group pg1 [Sysname-sslvpn-context-ctx1-policy-group-pg1] ip-tunnel access-route ip-route-list rtlist Related commands ip-route-list ip-tunnel address-pool Use ip-tunnel address-pool to specify an address pool for IP access. Use undo ip-tunnel address-pool to restore the default. Syntax ip-tunnel address-pool pool-name mask { mask-length | mask } undo ip-tunnel address-pool Default No address pool is specified for IP access.
  • Page 794: Ip-Tunnel Interface

    Syntax ip-tunnel dns-server { primary | secondary } ip-address undo ip-tunnel dns-server { primary | secondary } Default No DNS servers are specified for IP access. Views SSL VPN context view Predefined user roles network-admin Parameters primary: Specifies the primary DNS server. secondary: Specifies the secondary DNS server.
  • Page 795: Ip-Tunnel Keepalive

    Examples # Specify SSL VPN AC 100 for IP access. <Sysname> system-view [Sysname] sslvpn context ctx [Sysname-sslvpn-context-ctx] ip-tunnel interface sslvpn-ac 100 Related commands interface sslvpn-ac ip-tunnel keepalive Use ip-tunnel keepalive to set the keepalive interval for IP access. Use undo ip-tunnel keepalive to restore the default. Syntax ip-tunnel keepalive seconds undo ip-tunnel keepalive...
  • Page 796: Ipv6 Address

    Default No WINS servers are specified for IP access. Views SSL VPN context view Predefined user roles network-admin Parameters primary: Specifies the primary WINS server. secondary: Specifies the secondary WINS server. ip-address: Specifies the IPv4 address of the WINS server. It cannot be a multicast, broadcast, or loopback address.
  • Page 797: Local-Port

    Examples # Configure the IPv6 address of SSL VPN gateway gw1 as 200::1 and the port number as 8000. <Sysname> system-view [Sysname] sslvpn gateway gw1 [Sysname-sslvpn-gateway-gw1] ipv6 address 200::1 port 8000 Related commands display sslvpn gateway local-port Use local-port to configure a port forwarding instance for a port forwarding item. Use undo local-port to remove the configuration.
  • Page 798: Log Resource-Access Enable

    local-port 80 local-name 127.0.0.1 remote-server 192.168.0.213 remote-port 80 The port forwarding instance will be displayed together with the port forwarding item name on the SSL VPN Web page. In this example, tcp1 (127.0.0.1:80 -> 192.168.0.213) will be displayed. If you map a TCP service to a local host name, the TCP access client software will add the IP address corresponding to the host name to the host file hosts.
  • Page 799: Log Enable User-Log

    Examples # Enable resource access logging. <Sysname> system-view [Sysname] sslvpn context ctx1 [Sysname-sslvpn-context-ctx1] log resource-access enable log enable user-log Use log enable user-log to enable logging for user online status changes. Use undo log enable user-log to disable logging for user online status changes. Syntax log enable user-log undo log enable user-log...
  • Page 800: Log User-Login Enable

    Parameters filtering: Enables resource access log filtering. With this keyword specified, the device generates only one log for accesses of the same user to the same resource in a minute. If this keyword is not specified, the device generates a log for each resource access. Usage guidelines This feature logs resource accesses of SSL VPN users.
  • Page 801: Logo

    Use logo to specify a logo to be displayed on SSL VPN webpages. Use undo logo to restore the default. Syntax logo { file file-name | none } undo logo Default The logo displayed on SSL VPN webpages is H3C. Views SSL VPN context view Predefined user roles network-admin Parameters file file-name: Specifies a logo file by its name, a case-insensitive string of 1 to 255 characters.
  • Page 802: Max-Onlines

    Examples # Specify the logo in the file flash:/mylogo.gif as the logo displayed on SSL VPN webpages. <Sysname> system-view [Sysname] sslvpn context ctx1 [Sysname-sslvpn-context-ctx1] logo file flash:/mylogo.gif max-onlines Use max-onlines to set the maximum number of concurrent logins for each account. Use undo max-onlines to restore the default.
  • Page 803: Message-Server

    Predefined user roles network-admin Parameters max-number: Specifies the maximum number of sessions, in the range of 1 to 1048575 Examples # Set the maximum number of sessions to 500 for SSL VPN context ctx1. <Sysname> system-view [Sysname] sslvpn context ctx1 [Sysname-sslvpn-context-ctx1] max-users 500 Related commands display sslvpn context...
  • Page 804: Mtu

    Related commands sslvpn context Use mtu to set the MTU of an SSL VPN AC interface. Use undo mtu to restore the default. Syntax mtu size undo mtu Default The MTU is 1500 bytes. Views SSL VPN AC interface view Predefined user roles network-admin Parameters...
  • Page 805: Old-Content

    Usage guidelines During file content rewriting, the new content will replace the old content specified by using the old-content command. If the new content contains spaces, enclose the content in double quotation marks. Examples # Specify the new content in rewrite rule rule1 of file policy fp. <Sysname>...
  • Page 806: Policy-Group

    Related commands new-content policy-group Use policy-group to create an SSL VPN policy group and enter its view, or enter the view of an existing SSL VPN policy group. Use undo policy-group to delete a policy group. Syntax policy-group group-name undo policy-group group-name Default No SSL VPN policy groups exist.
  • Page 807: Port-Forward-Item

    Default No port forwarding lists exist. Views SSL VPN context view Predefined user roles network-admin Parameters port-forward-name: Specifies a name for the port forwarding list, a case-insensitive string of 1 to 31 characters. Usage guidelines Port forwarding lists provide TCP access services for SSL VPN users. A port forwarding list can contain multiple port forwarding items.
  • Page 808: Reset Counters Interface Sslvpn-Ac

    Parameters item-name: Specifies a name for the port forwarding item, a case-insensitive string of 1 to 31 characters. Usage guidelines A port forwarding item defines an accessible TCP service provided on an internal server. It contains the following settings: • A port forwarding instance.
  • Page 809: Resources Port-Forward

    • If you specify the sslvpn-ac keyword without the interface-number argument, this command clears statistics for all existing SSL VPN AC interfaces. • If you specify both the sslvpn-ac keyword and the interface-number argument, this command clears statistics for the specified SSL VPN AC interface. Examples # Clear statistics for SSL VPN AC 1000.
  • Page 810: Resources Shortcut

    Use undo resources port-forward-item to remove a port forwarding item from a port forwarding list. Syntax resources port-forward-item item-name undo resources port-forward-item item-name Default A port forwarding list does not contain any port forwarding items. Views Port forwarding list view Predefined user roles network-admin Parameters...
  • Page 811: Resources Shortcut-List

    Parameters shortcut-name: Specifies a shortcut by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines You can assign multiple shortcuts to a shortcut list. Examples # Assign shortcut list1 to shortcut list shortcut1. <Sysname> system-view [Sysname] sslvpn context ctx1 [Sysname-sslvpn-context-ctx1] shortcut shortcut1 [Sysname-sslvpn-context-ctx1-shortcut-shortcut1] quit [Sysname-sslvpn-context-ctx1] shortcut-list list1...
  • Page 812: Resources Url-List

    resources url-list Use resources url-list to specify a URL list for an SSL VPN policy group. Use undo resources url-list to remove the configuration. Syntax resources url-list url-list-name undo resources url-list Default No URL list is specified for an SSL VPN policy group. Views SSL VPN policy group view Predefined user roles...
  • Page 813: Rule

    Views File policy view Predefined user roles network-admin Parameters rule-name: Specifies a rule name, a case-insensitive string of 1 to 31 characters. Usage guidelines You can configure multiple rewrite rules in a file policy. Examples # Create a rewrite rule named rule1 and enter its view. <Sysname>...
  • Page 814 Table 116 URI field descriptions. Field protocol: Protocol name. Options are: http, https, tcp, udp, icmp. Domain name or address of a host. Valid host address formats: IPv4 or IPv6 address. For example, 192.168.1.1. ...
  • Page 815: Service Enable (Ssl Vpn Context View)

    service enable (SSL VPN context view) Use service enable to enable an SSL VPN context. Use undo service enable to disable an SSL VPN context. Syntax service enable undo service enable Default An SSL VPN context is disabled. Views SSL VPN context view Predefined user roles network-admin Examples...
  • Page 816: Session-Connections

    session-connections Use session-connections to set the maximum number of connections allowed per session. Use undo session-connections to restore the default. Syntax session-connections number undo session-connections Default A maximum of 64 connections are allowed per session. Views SSL VPN context view Predefined user roles network-admin Parameters...
  • Page 817: Shortcut-List

    Usage guidelines After you create a shortcut, use the execution command to configure a resource link for it. Users can then click the shortcut name on the SSL VPN Web page to access the associated resource. Examples # Create a shortcut named shortcut1 and enter its view. <Sysname>...
  • Page 818: Sms-Imc Address

    Views SSL VPN AC interface view Predefined user roles network-admin Examples # Shut down SSL VPN AC 1000. <Sysname> system-view [Sysname] interface sslvpn-ac 1000 [Sysname-SSLVPN-AC1000] shutdown sms-imc address Use sms-imc address to specify an IMC server for SMS message authentication. Use undo sms-imc address to restore the default.
  • Page 819: Ssl Client-Policy

    Syntax sms-imc enable undo sms-imc enable Default IMC SMS message authentication is disabled. Views SSL VPN context view Predefined user roles network-admin Usage guidelines Before you execute this command, make sure SMS message authentication has been configured on the IMC server. In IP access mode, the authentication process for an SSL VPN user using an iNode client is as follows: The iNode client sends a user login request to the SSL VPN gateway.
  • Page 820: Ssl Server-Policy

    Views SSL VPN context view Predefined user roles network-admin Parameters policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters. Usage guidelines You can apply only one SSL client policy to an SSL VPN context. For the applied SSL client policy to take effect, you must enable the SSL VPN context by using the service enable command.
  • Page 821: Sslvpn Context

    If you execute this command multiple times, the new configuration overwrites the previous configuration, but does not take effect. For the new configuration to take effect, disable the SSL VPN gateway and then enable the SSL VPN gateway. Examples # Apply SSL server policy CA_CERT to SSL VPN gateway gw1. <Sysname>...
  • Page 822: Sslvpn Gateway

    sslvpn gateway Use sslvpn gateway to create an SSL VPN gateway and enter its view, or enter the view of an existing SSL VPN gateway. Use undo sslvpn gateway to delete an SSL VPN gateway. Syntax sslvpn gateway gateway-name undo sslvpn gateway gateway-name Default No SSL VPN gateways exist.
  • Page 823: Timeout Idle

    Syntax sslvpn ip address-pool pool-name start-ip-address end-ip-address undo sslvpn ip address-pool pool-name Default No address pools exist. Views System view Predefined user roles network-admin Parameters pool-name: Specifies a name for the address pool, a case-insensitive string of 1 to 31 characters. start-ip-address end-ip-address: Specifies the start IP address and end IP address for the pool.
  • Page 824: Title

    Examples # Set the idle timeout timer to 50 minutes for SSL VPN sessions. <Sysname> system-view [Sysname] sslvpn context ctx1 [Sysname-sslvpn-context-ctx1] timeout idle 50 Related commands display sslvpn policy-group title Use title to configure a title to be displayed on SSL VPN webpages. Use undo title to restore the default.
  • Page 825: Url (File Policy View)

    Predefined user roles network-admin Parameters uri-acl-name: Specifies a name for the URI ACL, a case-insensitive string of 1 to 31 characters. Usage guidelines A URI ACL is a set of rules that permit or deny access to resources. You can use URI ACLs for IP, TCP, and Web access filtering of SSL VPN users.
  • Page 826: Url (Url List View)

    Field Description: host: Host name or IP address of the server where the file resides. To specify an IPv6 address, enclose the IPv6 address in brackets. For example, http://[1234::5678]:8080/a.html. port: Port number on which the server listens for resource access requests. If you do not specify a port number, the default port number of the protocol is used, which is 80 for HTTP and 443 for HTTPS.
  • Page 827: Url-List

    Field Description: host: Domain name or IP address of a host. To specify an IPv6 address, enclose the IPv6 address in brackets. For example, http://[1234::5678]:8080. port: Port number. If you do not specify a port number, the default port number of the protocol is used, which is 80 for HTTP and 443 for HTTPS.
  • Page 828: Verify-Code

    Default No URL lists exist. Views SSL VPN context view Predefined user roles network-admin Parameters name: Specifies a name for the URL list, a case-insensitive string of 1 to 31 characters. Examples # Create a URL list named url1 and enter URL list view. <Sysname>...
  • Page 829: Vpn-Instance (Ssl Vpn Gateway View)

    Use undo vpn-instance to restore the default. Syntax vpn-instance vpn-instance-name undo vpn-instance Default An SSL VPN context is associated with the public network. Views SSL VPN context view Predefined user roles network-admin Parameters vpn-instance-name: Specifies the name of a VPN instance, a case-sensitive string of 1 to 31 characters.
  • Page 830 Usage guidelines The VPN instance specified for an SSL VPN gateway is called a front VPN instance. You can specify only one VPN instance for an SSL VPN gateway. You can specify a nonexistent VPN instance for an SSL VPN gateway. The SSL VPN gateway does not take effect until the VPN instance is created.
  • Page 831: Aspf Commands

    ASPF commands IPv6-related parameters are not supported on the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR3600-28-SI/3600-51-SI. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
  • Page 832: Aspf Apply Policy (Zone Pair View)

    You can apply an ASPF policy to both the inbound and outbound directions of an interface. Examples # Apply ASPF policy 1 to the outbound direction of GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] aspf apply policy 1 outbound Related commands aspf policy display aspf all...
  • Page 833: Aspf Icmp-Error Reply

    [Sysname-zone-pair-security-Trust-Untrust] aspf apply policy 1 Related commands aspf policy display aspf all zone-pair security (Fundamentals Command Reference) aspf icmp-error reply Use aspf icmp-error reply to enable the device to send ICMP error messages for packet dropping by security policies applied to zone pairs. Use undo aspf icmp-error reply to restore the default.
  • Page 834: Detect

    Views System view Predefined user roles network-admin Parameters aspf-policy-number: Assigns a number to the ASPF policy. The value range for this argument is 1 to 256. Examples # Create ASPF policy 1 and enter its view. <Sysname> system-view [Sysname] aspf policy 1 [Sysname-aspf-policy-1] Related commands display aspf all...
  • Page 835 rsh: Specifies Remote Shell (RSH), an application layer protocol. rtsp: Specifies Real Time Streaming Protocol (RTSP), an application layer protocol. sccp: Specifies Skinny Client Control Protocol (SCCP), an application layer protocol. sip: Specifies Session Initiation Protocol (SIP), an application layer protocol. smtp: Specifies SMTP, an application layer protocol.
  • Page 836: Display Aspf All

    display aspf all Use display aspf all to display the configuration of all ASPF policies and their applications. Syntax display aspf all Views Any view Predefined user roles network-admin network-operator Examples # Display the configuration of all ASPF policies and their applications. <Sysname>...
  • Page 837: Display Aspf Interface

    Related commands aspf apply policy aspf policy display aspf policy display aspf interface Use display aspf interface to display ASPF policy application on interfaces. Syntax display aspf interface Views Any view Predefined user roles network-admin network-operator Examples # Display ASPF policy application on interfaces. <Sysname>...
  • Page 838: Display Aspf Session

    network-operator Parameters aspf-policy-number: Specifies the number of an ASPF policy. The value range for this argument is 1 to 256. default: Specifies the predefined ASPF policy. Examples # Display the configuration of ASPF policy 1. <Sysname> display aspf policy 1 ASPF policy configuration: Policy number: 1 ICMP error message check: Disabled...
  • Page 839 Predefined user roles network-admin network-operator Parameters ipv4: Displays IPv4 ASPF sessions. ipv6: Displays IPv6 ASPF sessions. slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays ASPF sessions on all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID.
  • Page 840 Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/1/0/1 Source security zone: SrcZone Initiator: Source IP/port: 192.168.1.18/1792 Destination IP/port: 192.168.1.55/2048 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: ICMP(1) Inbound interface: GigabitEthernet1/1/0/1 Source security zone: SrcZone...
  • Page 841 Responder: Source IP/port: 192.168.1.55/22 Destination IP/port: 192.168.1.18/1877 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/0/2 Source security zone: DestZone State: TCP_SYN_SENT Application: SSH Start time: 2011-07-29 19:12:36 TTL: 28s Initiator->Responder: 1 packets 48 bytes Responder->Initiator: 0 packets 0 bytes...
  • Page 842 Source security zone: SrcZone Responder: Source IP/port: 192.168.1.55/22 Destination IP/port: 192.168.1.18/1877 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/1/0/2 Source security zone: DestZone State: TCP_SYN_SENT Application: SSH Start time: 2011-07-29 19:12:36 TTL: 28s Initiator->Responder: 1 packets 48 bytes Responder->Initiator:...
  • Page 843 Source security zone: SrcZone Responder: Source IP/port: 192.168.1.55/22 Destination IP/port: 192.168.1.18/1877 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/1/0/2 Source security zone: DestZone State: TCP_SYN_SENT Application: SSH Start time: 2011-07-29 19:12:36 TTL: 28s Initiator->Responder: 1 packets 48 bytes Responder->Initiator:...
  • Page 844: Icmp-Error Drop

    Field VPN-instance/VLAN ID/Inline ID. Description: • VPN-instance—MPLS L3VPN instance where the session is initiated. • VLAN ID—VLAN to which the session belongs during Layer 2 forwarding. • Inline ID—Inline to which the session belongs during Layer 2 forwarding. If no VPN instance, VLAN ID, or Inline ID is specified, a hyphen (-) is displayed for each field.
  • Page 845: Reset Aspf Session

    Examples # Enable ICMP error message check for ASPF policy 1. <Sysname> system-view [Sysname] aspf policy 1 [Sysname-aspf-policy-1] icmp-error drop Related commands aspf policy display aspf policy reset aspf session Use reset aspf session to clear ASPF session statistics. Syntax Centralized devices in standalone mode: reset aspf session [ ipv4 | ipv6 ] Distributed devices in standalone mode/centralized devices in IRF mode:...
  • Page 846: Tcp Syn-Check

    tcp syn-check Use tcp syn-check to enable TCP SYN check. Use undo tcp syn-check to disable TCP SYN check. Syntax tcp syn-check undo tcp syn-check Default TCP SYN check is disabled. Views ASPF policy view Predefined user roles network-admin Usage guidelines TCP SYN check verifies that the first packet of a TCP connection is a SYN packet.
  • Page 847: Apr Commands

    APR commands IPv6-related parameters are not supported on the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR3600-28-SI/3600-51-SI. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC.
  • Page 848: Application Statistics Enable

    <Sysname> system-view [Sysname] app-group aaa [Sysname-app-group-aaa] Related commands copy app-group description include application application statistics enable Use application statistics enable to enable the application statistics feature on the specified direction of an interface. Use undo application statistics enable to disable the application statistics feature on the specified direction of an interface.
  • Page 849: Apr Set Detectlen

    <Sysname> system-view [Sysname] interface gigabitethernet 1/0/2 [Sysname-GigabitEthernet1/0/2] application statistics enable outbound # Enable application statistics in the inbound and outbound directions of GigabitEthernet 1/0/3. <Sysname> system-view [Sysname] interface gigabitethernet 1/0/3 [Sysname-GigabitEthernet1/0/3] application statistics enable Related commands display application statistics apr set detectlen Use apr set detectlen to set the maximum detected length for an NBAR rule.
  • Page 850: Apr Signature Auto-Update

    The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Use this command to update the APR signature database if the device can access the signature database services at the H3C website.
  • Page 851: Apr Signature Auto-Update-Now

    APR signature file. This command is independent of the apr signature auto-update command. Use this command to update the APR signature database if you find a new version of APR signature database at the H3C website. Examples # Manually trigger an automatic update for the APR signature database.
  • Page 852: Apr Signature Rollback

    apr signature rollback Use apr signature rollback to roll back the APR signature database. Syntax apr signature rollback { factory | last } Views System view Predefined user roles network-admin Parameters factory: Rolls back the APR signature database to the factory version. last: Rolls back the APR signature database to the last version.
  • Page 853 MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Use this command to update the APR signature database if the device cannot access the signature database services at the H3C website. You can use either of the following methods to manually update the APR signature database: •...
  • Page 854 Update scenario / Format of file-path / Remarks. Scenario: The update file is stored in a different directory on the same storage medium. Format of file-path: path/filename. Remarks: Before updating the signature database, you must first use the cd command to open the root directory of the storage medium where the file is stored. Scenario: The update file is stored on a ... Format of file-path: path/filename.
  • Page 855: Copy App-Group

    <Sysname> system-view [Sysname] apr signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/apr-1.0.2-en.dat # Manually update the APR signature database by using an APR signature file stored on the device. The file is stored as cfa0:/apr-1.0.23-en.dat. In this example, the working directory is cfa0:. <Sysname> system [Sysname] apr signature update apr-1.0.23-en.dat # Manually update the APR signature database by using an APR signature file stored on the device. The file is stored as cfa0:/dpi/apr-1.0.23-en.dat.
  • Page 856: Description (Application Group View)

    description (application group view) Use description to configure a description for an application group. Use undo description to restore the default. Syntax description text undo description Default An application group is described as "User-defined application group". Views Application group view Predefined user roles network-admin Parameters...
  • Page 857: Destination

    Parameters text: Specifies a description, a case-sensitive string of 1 to 127 characters. Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Configure descriptions for different user-defined NBAR rules for identification and management purposes.
  • Page 858: Direction

    Parameters ip ipv4-address: Specifies a destination IPv4 address or IPv4 subnet, in dotted decimal notation. mask-length: Specifies the mask length for IPv4 addresses, in the range of 0 to 32. ipv6 ipv6-address: Specifies a destination IPv6 address or IPv6 subnet. prefix-length: Specifies the prefix length for IPv6 addresses, in the range of 0 to 128.
  • Page 859: Disable

    Views NBAR rule view Predefined user roles network-admin Parameters to-client: Specifies the direction from server to client. to-server: Specifies the direction from client to server. Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1...
  • Page 860: Display App-Group

    Views NBAR rule view Predefined user roles network-admin Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Use this command to disable a user-defined NBAR rule if the following conditions exist: •...
  • Page 861 Parameters name group-name: Specifies an application group by its name. The group-name argument is a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. If you do not specify any parameters, this command displays information about all application groups. Examples # Display information about all application groups.
  • Page 862: Display Application

    Field Description: pre-defined app-group count: Number of predefined application groups in the application group. This field is not supported in the current software version. Include pre-defined app-group list: List of predefined application groups. This field is not supported in the current software version.
  • Page 863 12530WAP_Application_We Pre-defined 0x000003ac b_HTTP 12580_Application_HTTP Pre-defined 0x00000312 126_Web_Email_Download_ Pre-defined 0x000002b7 HTTP 126_Web_Email_Login_HTT Pre-defined 0x000002b3 126_Web_Email_Read_Emai Pre-defined 0x000002b4 l_HTTP 126_Web_Email_Receive_E Pre-defined 0x000002b6 mail_HTTP 126_Web_Email_Send_Emai Pre-defined 0x000002b5 l_HTTP 126_Web_Email_Upload_HT Pre-defined 0x000002b8 139_mobile_weibo_commen Pre-defined 0x000001da t_HTTP 139_mobile_weibo_login_ Pre-defined 0x000001d9 HTTP 139_mobile_weibo_login_ Pre-defined 0x00000444 ---- More ---- # Display information about all user-defined application protocols.
  • Page 864 126_Web_Email_Send_Emai Pre-defined 0x000002b5 l_HTTP 126_Web_Email_Upload_HT Pre-defined 0x000002b8 139_mobile_weibo_commen Pre-defined 0x000001da t_HTTP 139_mobile_weibo_login_ Pre-defined 0x000001d9 HTTP 139_mobile_weibo_login_ Pre-defined 0x00000444 HTTPS 139Mail_Login_HTTP Pre-defined 0x000001cb 139Mail_Login_HTTPS Pre-defined 0x0000038c 139Mail_Login_TCP Pre-defined 0x0000044b 163TV_HTTP Pre-defined 0x000004c3 17173_Application_HTTP Pre-defined 0x00000350 178Game_Application_HTT Pre-defined 0x00000222 17K_fiction_Application Pre-defined 0x00000330 _HTTP 19lou_Login_http_stream Pre-defined...
  • Page 865: Display Application Statistics

    Field Description: Type: Application protocol type, Pre-defined or User-defined. App ID/Application ID: ID of the application protocol. Tunnel: Whether or not the protocol is a tunnel protocol, Yes or ... Whether or not the protocol is a cryptographic protocol: •...
  • Page 866 slot slot-number: Specifies a card by its slot number. This option is available only for global interfaces, such as VLAN and tunnel interface. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member by its member ID. This option is available only for global interfaces, such as VLAN and tunnel interface.
  • Page 867 Application In/Out Packets Bytes appaaaaasg 190023111111111111 252334402111111111 2342222222 3411222222 170034 270011351 3211 451134 app2 2195 18560000 654222 21986666666 655555555123123101 55551 5454125111 APP3 2195 17560000 45161 21986666666 5555555551231231 55551 5454125111 # Display application statistics in the inbound direction of GigabitEthernet 1/0/1. <Sysname>...
  • Page 868: Display Application Statistics Top

    Field Description Bytes Number of bytes received or sent by the interface. Packets received or sent per second. Bytes received or sent per second. Related commands app-group application statistics enable display application statistics top Use display application statistics top to display statistics for application protocols on an interface in descending order, based on the specified criteria.
  • Page 869 argument represents the slot number of the card. This option is available only for global interfaces, such as VLAN and tunnel interface. (Distributed devices in IRF mode.) Usage guidelines This command displays application statistics only after the application statistics feature is enabled on the specified interface.
  • Page 870: Display Apr Signature Information

    # Display the top three application protocols that have received and sent the most bytes per second on GigabitEthernet 1/0/1. <Sysname> display application statistics top 3 bps interface gigabitethernet 1/0/1 Interface : GigabitEthernet1/0/1 Application In/Out Packets Bytes appaaaaasg 190023111111111111 252334402111111111 2342222222 9411222222 170034...
  • Page 871: Display Port-Mapping Pre-Defined

    Hardware Command compatibility MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 Examples # Display APR signature database information. <Sysname> display apr signature information APR signature library information: Type SigVersion ReleaseTime Size Current 1.0.49 Tue Sep 13 06:54:01 2016 659744 Last 1.0.52...
  • Page 872: Display Port-Mapping User-Defined

    Application Protocol Port tacacs-ds net-bios-dgm 137, 138, 139 137, 138, 139 tftp Table 128 Command output. Field Description: Application: Application protocol using the port mapping. Protocol: Transport layer protocol. Port: Port number of the application protocol. Related commands display port-mapping port-mapping display port-mapping user-defined Use display port-mapping user-defined to display information about the user-defined port...
  • Page 873: Include Application

    IPv4 subnet 10.10.10.1/24 SCTP IPv6 host 2000:fdb8::1:00ab:853c:39ab HTTP IPv4 ACL 2002 HTTP SCTP IPv6 ACL 2002 Table 129 Command output. Field Description: Application: Application protocol using port mapping. Port: Port number to which the application protocol is mapped. Protocol: Transport layer protocol. Match types: •...
  • Page 874: Nbar Application

    Predefined user roles network-admin Parameters application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. Usage guidelines Execute this command multiple times to add multiple predefined or user-defined application protocols to an application group.
  • Page 875: Override-Current

    http: Specifies HTTP packets to which the NBAR rule is applied. tcp: Specifies TCP packets to which the NBAR rule is applied. udp: Specifies UDP packets to which the NBAR rule is applied. Usage guidelines The following matrix shows the command and hardware compatibility: Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM...
  • Page 876: Port-Mapping

    Default If the APR signature database is automatically updated on a regular basis, the current APR signature file is not overwritten by an update operation. Instead, the device backs up the current APR signature file. Views Auto-update configuration view Predefined user roles network-admin Usage guidelines...
  • Page 877: Port-Mapping Acl

    Default An application protocol is mapped to a well-known port. Views System view Predefined user roles network-admin Parameters application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. port port-number: Specifies a port by its number, in the range of 0 to 65535.
  • Page 878: Port-Mapping Host

    Default An application protocol is mapped to a well-known port. Views System view Predefined user roles network-admin Parameters application application-name: Specifies an application protocol by its name, a case-insensitive string of 1 to 63 characters. The names invalid and other are not allowed. port port-number: Specifies a port by its number in the range of 0 to 65535.
  • Page 879 undo port-mapping application application-name port port-number [ protocol protocol-name ] host { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] Default An application protocol is mapped to a well-known port. Views System view Predefined user roles network-admin Parameters application application-name: Specifies an application protocol by its name, a case-insensitive...
  • Page 880: Port-Mapping Subnet

    <Sysname> system-view [Sysname] port-mapping application ftp port 3456 host ipv6 1::1 Related commands display port-mapping user-defined port-mapping subnet Use port-mapping subnet to configure a subnet-based host-port mapping. Use undo port-mapping subnet to remove a subnet-based host-port mapping. Syntax port-mapping application application-name port port-number [ protocol protocol-name ] subnet { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ] undo port-mapping application application-name port port-number [ protocol protocol-name ]...
  • Page 881: Reset Application Statistics

    Usage guidelines APR uses subnet-based host-port mappings to recognize packets. A packet is recognized as an application protocol packet when it matches all the following conditions in a mapping: • The packet is destined for the specified IP subnet in the mapping. •...
  • Page 882: Service-Port

    service-port Use service-port to specify a port number or a port range as a match criterion in a user-defined NBAR rule. Use undo service-port to restore the default. Syntax service-port { port-num | range start-port end-port } undo service-port Default A user-defined NBAR rule matches packets of all port numbers.
  • Page 883: Signature

    <Sysname> system-view [Sysname] nbar application abcd protocol http [Sysname-nbar-application-abcd] service-port range 2001 2004 Related commands direction signature Use signature to configure a signature for a user-defined NBAR rule. Use undo signature to cancel the signature configuration. Syntax signature [ signature-id ] [ field field-name ] [ offset offset-value ] { hex hex-vector | regex regex-pattern | string string } undo signature signature-id Default...
  • Page 884: Source

    Hardware Command compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 You can repeat this command to configure multiple signatures of different match patterns in a user-defined NBAR rule, and all signatures take effect. The logical relation of these signatures is OR, which indicates that a packet that matches any signature matches the NBAR rule.
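    The following Python model of these match semantics is an added example, not code from this manual or from Comware. It treats a user-defined NBAR rule as the service-port criterion ANDed with the OR of its signatures, built around the abcd/http rule and service-port range 2001 2004 shown on the page. The three signatures, the reading of offset as a byte offset from the start of the transport payload, the replacement of a signature that reuses an ID, and the rule that a rule without any signature matches on port alone are assumptions; the field keyword is not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Signature:
    """One 'signature' line of a user-defined NBAR rule (hex, regex or string)."""
    sig_id: int
    kind: str                     # "hex" | "regex" | "string"
    pattern: str
    offset: Optional[int] = None  # assumption: byte offset from the start of the payload

    def matches(self, payload: bytes) -> bool:
        if self.kind == "hex":
            needle = bytes.fromhex(self.pattern)
        elif self.kind == "string":
            needle = self.pattern.encode()
        elif self.kind == "regex":
            rx = re.compile(self.pattern.encode())
            if self.offset is None:
                return rx.search(payload) is not None
            return rx.match(payload, self.offset) is not None
        else:
            raise ValueError(f"unknown signature type {self.kind!r}")
        if self.offset is None:
            return needle in payload           # no offset: match anywhere in the payload
        return payload[self.offset:self.offset + len(needle)] == needle


@dataclass
class NbarRule:
    """'nbar application <name> protocol <proto>' with its service-port and signatures."""
    name: str
    protocol: str
    ports: Optional[range] = None            # None models the default: all ports match
    signatures: List[Signature] = field(default_factory=list)

    def service_port(self, start: int, end: Optional[int] = None) -> None:
        end = start if end is None else end
        for p in (start, end):
            if not 0 <= p <= 65535:
                raise ValueError("port out of range")
        self.ports = range(start, end + 1)

    def signature(self, sig: Signature) -> None:
        # Repeating 'signature' adds another alternative; reusing an ID replaces (assumption).
        self.signatures = [s for s in self.signatures if s.sig_id != sig.sig_id] + [sig]

    def matches(self, dst_port: int, payload: bytes) -> bool:
        if self.ports is not None and dst_port not in self.ports:
            return False
        if not self.signatures:
            return True    # assumption: with no signature the port criterion alone decides
        return any(s.matches(payload) for s in self.signatures)   # OR across signatures


def build_abcd_rule() -> NbarRule:
    """The page's abcd/http rule with service-port range 2001 2004 and three assumed signatures."""
    rule = NbarRule(name="abcd", protocol="http")
    rule.service_port(2001, 2004)
    rule.signature(Signature(1, "string", "abcd", offset=0))   # payload begins with "abcd"
    rule.signature(Signature(2, "hex", "474554"))               # bytes "GET" anywhere
    rule.signature(Signature(3, "regex", r"^POST /abcd"))
    return rule
```

    A payload on port 80 never matches, whatever it contains, because the port criterion is evaluated first; on a port in range, any one signature is enough.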
  • Page 885: Update Schedule

    Parameters ip ipv4-address: Specifies a source IPv4 address or IPv4 subnet, in dotted decimal notation. mask-length: Specifies the mask length for IPv4 addresses, in the range of 0 to 32. ipv6 ipv6-address: Specifies a source IPv6 address or IPv6 subnet. prefix-length: Specifies the prefix length for IPv6 addresses, in the range of 0 to 128.
  • Page 886 Default The device automatically updates the APR signature database between 02:01:00 and 04:01:00 every day. Views Auto-update configuration view Predefined user roles network-admin Parameters daily: Specifies the daily update interval. weekly: Specifies the weekly update interval. You can specify one day in a week for the update: •...
  • Page 887 Examples # Configure the device to automatically update the APR signature database at 23:10:00 every Monday with a tolerance time of 10 minutes. <Sysname> system-view [Sysname] apr signature auto-update [Sysname-apr-autoupdate] update schedule weekly mon start-time 23:10:00 tingle 10 Related commands apr signature auto-update...
  • Page 888: Session Management Commands

    Session management commands IPv6-related parameters are not supported on the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR3600-28-SI/3600-51-SI. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. •...
  • Page 889: Display Session Aging-Time State

    gtp-user h225 3600 h245 3600 https 3600 l2tp mgcp-callagent mgcp-gateway netbios-dgm 3600 netbios-ns 3600 netbios-ssn 3600 pptp 3600 rtsp 3600 sccp 3600 snmp snmptrap sqlnet stun syslog tacacs-ds tftp xdmcp 3600 others: 1200 Table 130 Command output Field Description Application Name of an application layer protocol or an application.
  • Page 890: Display Session Relation-Table

    Views Any view Predefined user roles network-admin network-operator Examples # Display the aging time for sessions in different protocol states. <Sysname> display session aging-time state State Aging Time(s) TCP-EST 3600 UDP-OPEN UDP-READY ICMP-REQUEST ICMP-REPLY RAWIP-OPEN RAWIP-READY UDPLITE-OPEN UDPLITE-READY DCCP-REQUEST DCCP-EST 3600 DCCP-CLOSEREQ SCTP-INIT...
  • Page 891 Distributed devices in standalone mode/centralized devices in IRF mode: display session relation-table { ipv4 | ipv6 } [ slot slot-number ] Distributed devices in IRF mode: display session relation-table { ipv4 | ipv6 } [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles...
  • Page 892 Protocol: TCP(6) TTL: 1234s App: FTP-DATA Source IP/port: Destination IP/port: 192.168.2.200/1212 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) TTL: 3100s App: H225 Total entries found: # (Centralized devices in standalone mode.) Display all IPv6 relation entries. <Sysname>...
  • Page 893: Display Session Statistics Ipv4

    Field Description Total entries found Total number of found relation entries. display session statistics ipv4 Use display session statistics ipv4 to display IPv4 unicast session statistics. Syntax Centralized devices in standalone mode: display session statistics ipv4 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * Distributed devices in standalone mode/centralized devices in IRF mode:...
  • Page 894 argument represents the slot number of the card. If you do not specify a card, this command displays IPv4 unicast session statistics for all cards. (Distributed devices in IRF mode.) Examples # Display statistics for unicast sessions from IP address 111.15.111.66. <Sysname>...
  • Page 895: Display Session Statistics Ipv6

    display session statistics ipv6 Use display session statistics ipv6 to display IPv6 unicast session statistics. Syntax Centralized devices in standalone mode: display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } | source-port source-port | destination-port destination-port } * Distributed devices in standalone mode/centralized devices in IRF mode: display session statistics ipv6 { source-ip source-ip | destination-ip destination-ip | protocol...
  • Page 896: Display Session Statistics

    Slot 1: Current sessions: 3 TCP sessions: UDP sessions: ICMP sessions: ICMPv6 sessions: UDP-Lite sessions: SCTP sessions: DCCP sessions: RAWIP sessions: # Display statistics for IPv6 unicast TCP sessions. <Sysname> display session statistics ipv6 protocol tcp Slot 1: Current sessions: 3 TCP sessions: UDP sessions: ICMP sessions:...
  • Page 897 Syntax Centralized devices in standalone mode: display session statistics [ summary ] Distributed devices in standalone mode/centralized devices in IRF mode: display session statistics [ summary ] [ slot slot-number ] Distributed devices in IRF mode: display session statistics [ summary ] [ chassis chassis-number slot slot-number ] Views Any view Predefined user roles...
  • Page 898 Past 30 days: 0/s Current relation-table entries: 0 Session establishment rate: 0/s TCP: UDP: ICMP: ICMPv6: UDP-Lite: SCTP: DCCP: RAWIP: Received TCP 0 packets 0 bytes Received UDP 118 packets 13568 bytes Received ICMP 105 packets 8652 bytes Received ICMPv6 0 packets 0 bytes Received UDP-Lite :...
  • Page 899 Field Description The average number of sessions per second in the most recent Past 30 days 30 days. History average session establishment History statistics of average session establishment rates. rate The average session establishment rate in the most recent Past hour hour.
  • Page 900: Display Session Statistics Multicast

    Field Description Sessions Total number of unicast sessions. Number of TCP unicast sessions. Number of UDP unicast sessions. Rate Rate of unicast session creation. TCP rate Rate of TCP unicast session creation. UDP rate Rate of UDP unicast session creation. display session statistics multicast Use display session statistics multicast to display multicast session statistics.
  • Page 901: Display Session Table Ipv4

    # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display information about multicast session statistics. <Sysname> display session statistics multicast Slot 0: Current sessions: 0 Session establishment rate: 0/s Received: 0 packets 0 bytes Sent 0 packets 0 bytes Slot 2: Current sessions: 0 Session establishment rate: 0/s...
  • Page 902 Syntax Centralized devices in standalone mode: display session table ipv4 [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-name ] [ verbose ] Distributed devices in standalone mode/centralized devices in IRF mode: display session table ipv4 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ]...
  • Page 903 verbose: Displays detailed information about IPv4 unicast session entries. If you do not specify this keyword, the command displays brief information about IPv4 unicast session entries. Usage guidelines If you do not specify any parameters, this command displays all IPv4 unicast session entries. Examples # (Centralized devices in standalone mode.) Display brief information about all IPv4 unicast session entries.
  • Page 904 Source security zone: Trust Total sessions found: 2 # (Centralized devices in standalone mode.) Display detailed information about all IPv4 unicast session entries. <Sysname> display session table ipv4 verbose Slot 0: Initiator: Source IP/port: 192.168.1.18/1877 Destination IP/port: 192.168.1.55/22 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: GigabitEthernet1/0/1...
  • Page 905 Initiator->Responder: 1 packets 60 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 2 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all IPv4 unicast session entries. <Sysname> display session table ipv4 verbose Slot 1: Initiator: Source IP/port: 192.168.1.18/1877...
  • Page 906: Display Session Table Ipv6

    Start time: 2011-07-29 19:12:33 TTL: 55s Initiator->Responder: 1 packets 60 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 2 Table 138 Command output Field Description Initiator Information about the unicast session from the initiator to the responder. Responder Information about the unicast session from the responder to the initiator. Address of the DS-Lite tunnel peer.
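    The following parser is an added example, not code from this manual: it turns the verbose output of display session table ipv4 into records and then picks out sessions the responder never answered, which on a perimeter router is the quickest way to spot SYN-only probes against filtered or closed ports. The sample text is constructed in the field layout shown on the page; its values, the second (DNS) session and the TCP state string TCP_SYN_SENT are invented rather than captured from a device, and a real device may add or reorder lines.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of 'display session table ipv4 verbose' on this page.
# Values, the DNS session and the TCP state string are made up, not captured from a device.
SAMPLE = """\
Slot 0:
Initiator:
  Source      IP/port: 192.168.1.18/1877
  Destination IP/port: 192.168.1.55/22
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: Trust
Responder:
  Source      IP/port: 192.168.1.55/22
  Destination IP/port: 192.168.1.18/1877
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: Local
State: TCP_SYN_SENT
Application: SSH
Start time: 2011-07-29 19:12:33  TTL: 55s
Initiator->Responder:            1 packets         60 bytes
Responder->Initiator:            0 packets          0 bytes

Initiator:
  Source      IP/port: 192.168.1.18/53412
  Destination IP/port: 192.168.1.1/53
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/1
  Source security zone: Trust
Responder:
  Source      IP/port: 192.168.1.1/53
  Destination IP/port: 192.168.1.18/53412
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: UDP(17)
  Inbound interface: GigabitEthernet1/0/2
  Source security zone: Local
State: UDP_READY
Application: DNS
Start time: 2011-07-29 19:12:40  TTL: 58s
Initiator->Responder:            1 packets         73 bytes
Responder->Initiator:            1 packets        118 bytes

Total sessions found: 2
"""

ADDR = re.compile(r"^\s*(Source|Destination)\s+IP/port:\s*(\S+)/(\d+)\s*$")
FIELDS = {  # dict key -> regex; Protocol and interface are taken from the initiator side only
    "protocol": re.compile(r"^\s*Protocol:\s*([A-Za-z0-9]+)\(\d+\)"),
    "inbound_interface": re.compile(r"^\s*Inbound interface:\s*(\S+)"),
    "state": re.compile(r"^State:\s*(\S+)"),
    "application": re.compile(r"^Application:\s*(\S+)"),
}
TTL = re.compile(r"^Start time:\s*(\S+ \S+)\s+TTL:\s*(\d+)s")
COUNTERS = re.compile(r"^(Initiator->Responder|Responder->Initiator):\s*(\d+) packets\s+(\d+) bytes")
TOTAL = re.compile(r"^Total sessions found:\s*(\d+)")


def parse_session_table(text: str) -> List[Dict]:
    """Return one dict per session; src/dst describe the initiator's direction."""
    sessions: List[Dict] = []
    cur, side = None, None
    for line in text.splitlines():
        if line.strip() == "Initiator:":
            cur = {"fwd_packets": 0, "rev_packets": 0}
            sessions.append(cur)
            side = "initiator"
        elif line.strip() == "Responder:":
            side = "responder"
        elif cur is None:
            continue
        elif (m := ADDR.match(line)) and side == "initiator":
            key = "src" if m.group(1) == "Source" else "dst"
            cur[key + "_ip"], cur[key + "_port"] = m.group(2), int(m.group(3))
        elif (m := TTL.match(line)):
            cur["start_time"], cur["ttl"] = m.group(1), int(m.group(2))
        elif (m := COUNTERS.match(line)):
            prefix = "fwd" if m.group(1).startswith("Initiator") else "rev"
            cur[prefix + "_packets"], cur[prefix + "_bytes"] = int(m.group(2)), int(m.group(3))
        elif (m := TOTAL.match(line)):
            if int(m.group(1)) != len(sessions):
                raise ValueError("parsed sessions do not match 'Total sessions found'")
        else:
            for key, rx in FIELDS.items():
                m = rx.match(line)
                if m and (side == "initiator" or key in ("state", "application")):
                    cur[key] = m.group(1).upper() if key == "protocol" else m.group(1)
    return sessions


def unanswered_sessions(sessions: List[Dict]) -> List[Dict]:
    """Sessions the responder never answered: SYN-only probes, filtered ports, spoofed sources."""
    return [s for s in sessions if s["rev_packets"] == 0]
```

    Feed the parser the real output of the command and sort the unanswered sessions by source address: a single initiator with many unanswered sessions to different destination ports is a port scan in progress, while many initiators with unanswered sessions to one port usually means that port is filtered upstream.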
  • Page 907 display session table ipv6 [ source-ip start-source-ip [ end-source-ip ] ] [ destination-ip start-destination-ip [ end-destination-ip ] ] [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-name ] [ verbose ] Distributed devices in standalone mode/centralized devices in IRF mode: display session table ipv6 [ slot slot-number ] [ source-ip start-source-ip [ end-source-ip ] ]...
  • Page 908 Usage guidelines If you do not specify any parameters, this command displays all IPv6 unicast session entries. Examples # (Centralized devices in standalone mode.) Display brief information about all IPv6 unicast session entries. <Sysname> display session table ipv6 Slot 0: Initiator: Source IP/port: 2011::2/58473...
  • Page 909 Inbound interface: GigabitEthernet1/0/2 Source security zone: Local State: ICMPV6_REQUEST Application: OTHER Start time: 2011-07-29 19:23:41 TTL: 55s Initiator->Responder: 1 packets 104 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 1 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display detailed information about all IPv6 unicast session entries.
  • Page 910: Display Session Table Multicast Ipv4

    Field Description VPN instance/VLAN ID/Inline ID MPLS L3VPN instance to which the unicast session belongs, and the VLAN and inline to which the unicast session belongs during Layer 2 forwarding. If a parameter is not specified, a hyphen (-) is displayed in the corresponding field.
  • Page 911 [ protocol { dccp | icmp | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ verbose ] Views Any view Predefined user roles network-admin network-operator Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards.
  • Page 912 Inbound interface: GigabitEthernet1/0/1 Outbound interface list: GigabitEthernet1/0/2 GigabitEthernet1/0/3 Total sessions found: 3 # (Distributed devices in standalone mode/centralized devices in IRF mode.) Display brief information about all IPv4 multicast session entries. <Sysname> display session table multicast ipv4 Slot 0: Total sessions found: 0 Slot 1: Total sessions found: 0 Slot 2:...
  • Page 913 Start time: 2014-03-03 15:59:22 TTL: 18s Initiator->Responder: 1 packets 84 bytes Outbound initiator: Source IP/port: 3.3.3.4/1609 Destination IP/port: 232.0.0.1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: 232.0.0.1/1025 Destination IP/port: 3.3.3.4/1609 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound interface: GigabitEthernet1/0/2...
  • Page 914 Slot 1: Total sessions found: 0 Slot 2: Inbound initiator: Source IP/port: 3.3.3.4/1609 Destination IP/port: 232.0.0.1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound responder: Source IP/port: 232.0.0.1/1025 Destination IP/port: 3.3.3.4/1609 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust...
  • Page 915 Outbound responder: Source IP/port: 232.0.0.1/1025 Destination IP/port: 3.3.3.4/1609 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound interface: GigabitEthernet1/0/3 Destination security zone: bbb State: UDP_OPEN Application: OTHER Start time: 2014-03-03 15:59:22 TTL: 18s Initiator->Responder: 1 packets 84 bytes Total sessions found: 3 Table 140 Command output Field...
  • Page 916: Display Session Table Multicast Ipv6

    Field Description Inbound interface Inbound interface of the first packet from the initiator to responder. Outbound interface Outbound interface of the first packet from the initiator to responder. Outbound interface list Outbound interfaces of the first packet from the initiator to responder. Security zone to which the inbound interface belongs.
  • Page 917 argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (Distributed devices in IRF mode.) source-ip start-source-ip [ end-source-ip ]: Specifies a source IPv6 address or IPv6 address range for a multicast session from the initiator to the responder.
  • Page 918 Inbound initiator: Source IP/port: 3::4/1617 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound interface: GigabitEthernet1/0/1 Outbound interface list: GigabitEthernet1/0/2 GigabitEthernet1/0/3 Total sessions found: 3 # (Centralized devices in standalone mode.) Display detailed information about all IPv6 multicast session entries.
  • Page 919 Destination security zone: bbb State: UDP_OPEN Application: OTHER Start time: 2014-03-03 16:10:58 TTL: 23s Initiator->Responder: 5 packets 520 bytes Outbound initiator: Source IP/port: 3::4/1617 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: FF0E::1/1025 Destination IP/port: 3::4/1617...
  • Page 920 Inbound interface: GigabitEthernet1/0/1 Source security zone: Trust State: UDP_OPEN Application: OTHER Start time: 2014-03-03 16:10:58 TTL: 23s Initiator->Responder: 5 packets 520 bytes Outbound initiator: Source IP/port: 3::4/1617 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: FF0E::1/1025...
  • Page 921 <Sysname> display session table multicast ipv6 verbose Slot 0 in chassis 1: Total sessions found: 0 Slot 1 in chassis 1: Total sessions found: 0 Slot 2 in chassis 1: Inbound initiator: Source IP/port: 3::4/1617 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Inbound responder:...
  • Page 922 Destination IP/port: FF0E::1/1025 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound responder: Source IP/port: FF0E::1/1025 Destination IP/port: 3::4/1617 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: UDP(17) Outbound interface: GigabitEthernet1/0/3 Destination security zone: ccc State: UDP_OPEN Application: OTHER Start time: 2014-03-03 16:10:58...
  • Page 923: Reset Session Relation-Table

    Field Description Application layer protocol, FTP or DNS. Application If it is an unknown protocol identified by an unknown port, this field displays OTHER. Start time Time when the multicast session was created. Remaining lifetime of the multicast session, in seconds. Inbound interface Inbound interface of the first packet from the initiator to responder.
  • Page 924: Reset Session Statistics

    argument represents the slot number of the card. If you do not specify a card, this command clears relation entries for all cards. (Distributed devices in IRF mode.) Usage guidelines If you do not specify the IPv4 keyword or the IPv6 keyword, this command clears all IPv4 and IPv6 relation entries.
  • Page 925: Reset Session Statistics Multicast

    reset session statistics multicast Use reset session statistics multicast to clear multicast session statistics. Syntax Centralized devices in standalone mode: reset session statistics multicast Distributed devices in standalone mode/centralized devices in IRF mode: reset session statistics multicast [ slot slot-number ] Distributed devices in IRF mode: reset session statistics multicast [ chassis chassis-number slot slot-number ] Views...
  • Page 926: Reset Session Table Ipv4

    Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears unicast session entries for all cards. (Distributed devices in standalone mode.) slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears unicast session entries for all member devices.
  • Page 927: Reset Session Table Ipv6

    slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command clears information for all member devices. (Centralized devices in IRF mode.) chassis chassis-number slot slot-number: Specifies a card on a member device. The chassis-number argument represents the member ID of the IRF member device.
  • Page 928: Reset Session Table Multicast

    reset session table ipv6 [ chassis chassis-number slot slot-number ] [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] Views...
  • Page 929: Reset Session Table Multicast Ipv4

    Syntax Centralized devices in standalone mode: reset session table multicast Distributed devices in standalone mode/centralized devices in IRF mode: reset session table multicast [ slot slot-number ] Distributed devices in IRF mode: reset session table multicast [ chassis chassis-number slot slot-number ] Views User view Predefined user roles...
  • Page 930: Reset Session Table Multicast Ipv6

    udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] Views User view Predefined user roles network-admin Parameters slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command clears information for all cards.
  • Page 931 Syntax Centralized devices in standalone mode: reset session table multicast ipv6 [ source-ip source-ip ] [ destination-ip destination-ip ] [ protocol { dccp | icmpv6 | raw-ip | sctp | tcp | udp | udp-lite } ] [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] Distributed devices in standalone mode/centralized devices in IRF mode: reset session table multicast ipv6 [ slot slot-number ] [ source-ip source-ip ] [ destination-ip...
  • Page 932: Session Aging-Time Application

    Examples # Clear all IPv6 multicast session entries. <Sysname> reset session table multicast ipv6 # Clear the IPv6 multicast session entries with the source IP address of 2011::0002. <Sysname> reset session table multicast ipv6 source-ip 2011::0002 Related commands display session table multicast ipv6 session aging-time application Use session aging-time application to set the aging time for sessions of an application layer protocol or an application.
  • Page 933 • RAS sessions: 300 seconds. • RIP sessions: 120 seconds. • RSH sessions: 60 seconds. • RTSP sessions: 3600 seconds. • SCCP sessions: 3600 seconds. • SIP sessions: 300 seconds. • SNMP sessions: 120 seconds. • SNMPTRAP sessions: 120 seconds. •...
  • Page 934: Session Aging-Time State

    nbar application port-mapping port-mapping acl port-mapping host port-mapping subnet session aging-time state session persistent acl session aging-time state Use session aging-time state to set the aging time for the sessions in a protocol state. Use undo session aging-time state to restore the default for the sessions in a protocol state. If you do not specify a protocol state, this command restores all aging time for sessions in different protocol states to the default.
  • Page 935: Session Log { Bytes-Active | Packets-Active

    syn: Specifies the TCP SYN-SENT and SYN-RCV states. tcp-close: Specifies the TCP CLOSE state. tcp-est: Specifies the TCP ESTABLISHED state. tcp-time-wait: Specifies the TCP TIME-WAIT state. udp-open: Specifies the UDP OPEN state. udp-ready: Specifies the UDP READY state. time-value: Specifies the aging time in seconds. The value range is 1 to 100000. Usage guidelines This command sets the aging time for stable sessions of the application layer protocols that are not supported by the session aging-time application command.
  • Page 936: Session Log Enable

    If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure the device to output session logs on a per-10-mega-packet basis. <Sysname> system-view [Sysname] session statistics enable [Sysname] session log packets-active 10 Related commands session log enable session statistics enable session log enable Use session log enable to enable session logging.
  • Page 937: Session Log Flow-Begin

    Examples # Enable IPv4 session logging in the inbound direction of GigabitEthernet 1/0/1. <Sysname> system-view [Sysname] session log flow-begin [Sysname] session log flow-end [Sysname] interface gigabitethernet 1/0/1 [Sysname-GigabitEthernet1/0/1] session log enable ipv4 inbound # Enable session logging on GigabitEthernet 1/0/2 for IPv4 sessions that match ACL 2050 in the outbound direction.
  • Page 938: Session Log Flow-End

    Usage guidelines For the device to output a session log when a session entry is created, make sure both session logging and logging for session creation are enabled. Examples # Enable logging for session creation. <Sysname> system-view [Sysname] session log flow-begin Related commands session log enable session log flow-end...
  • Page 939: Session Persistent Acl

    Views System view Predefined user roles network-admin Parameters time-value: Specifies the interval in minutes. The value range for the time-value argument is 10 to 120, and the value must be a multiple of 10. Usage guidelines If you configure both time-based and traffic-based logging, the device outputs a session log as soon as either threshold is reached.
  • Page 940: Session State-Machine Mode Loose

    For a TCP session in ESTABLISHED state, the priority of the aging time is as follows: • Aging time for persistent sessions. • Aging time for sessions of application layer protocols. • Aging time for sessions in different protocol states. A never-age-out session is not removed until the device receives a connection close request from the initiator or responder, or you manually clear the session entries.
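    The resolver below is an added example, not code from this manual, that applies the priority order just described to a session record: a matching persistent entry wins, then the application-specific aging time, then the protocol-state aging time, with the 1 to 100000 second range check of session aging-time state enforced when a state value is set. The default values are the ones quoted on this page (RAS, RIP, RSH, RTSP, SCCP, SIP, SNMP and SNMPTRAP for applications; TCP-EST and DCCP-EST for states); an ACL is stood in for by a Python predicate, and a persistent value of None models a never-age-out session. The same range check applied to application values is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Defaults quoted on this page; applications and states not listed here are omitted.
DEFAULT_APPLICATION_AGING = {
    "RAS": 300, "RIP": 120, "RSH": 60, "RTSP": 3600,
    "SCCP": 3600, "SIP": 300, "SNMP": 120, "SNMPTRAP": 120,
}
DEFAULT_STATE_AGING = {"tcp-est": 3600, "dccp-est": 3600}


@dataclass
class Session:
    dst_ip: str
    dst_port: int
    state: str          # keyword of 'session aging-time state', e.g. "tcp-est"
    application: str    # name as shown by 'display session', e.g. "SIP" or "OTHER"


class AgingConfig:
    """Aging times from the three commands, resolved in the documented priority order."""

    def __init__(self) -> None:
        self.application = dict(DEFAULT_APPLICATION_AGING)
        self.state = dict(DEFAULT_STATE_AGING)
        # (predicate standing in for the ACL, aging seconds or None = never age out)
        self.persistent: List[Tuple[Callable[[Session], bool], Optional[int]]] = []

    @staticmethod
    def _check(seconds: int) -> None:
        if not 1 <= seconds <= 100000:          # range of 'session aging-time state' on this page
            raise ValueError("aging time must be 1 to 100000 seconds")

    def set_application(self, name: str, seconds: int) -> None:
        self._check(seconds)                     # assumption: same range for applications
        self.application[name.upper()] = seconds

    def set_state(self, state: str, seconds: int) -> None:
        self._check(seconds)
        self.state[state] = seconds

    def add_persistent(self, matcher: Callable[[Session], bool], seconds: Optional[int] = None) -> None:
        if seconds is not None:
            self._check(seconds)
        self.persistent.append((matcher, seconds))

    def effective_aging_time(self, s: Session) -> Optional[int]:
        """Persistent > application > protocol state; None means the session never ages out."""
        for matcher, seconds in self.persistent:
            if matcher(s):
                return seconds
        app_seconds = self.application.get(s.application.upper())
        if app_seconds is not None:
            return app_seconds
        return self.state[s.state]
```

    Note that raising session aging-time state tcp-est changes only sessions whose application has no entry of its own; an established SIP session keeps its 300 seconds until session aging-time application is changed or a persistent entry covers it.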
  • Page 941: Session Statistics Enable

    session statistics enable Use session statistics enable to enable session statistics collection for software fast forwarding. Use undo session statistics enable to disable session statistics collection for software fast forwarding. Syntax session statistics enable undo session statistics enable Default Session statistics collection is disabled for software fast forwarding. Views System view Predefined user roles...
  • Page 942: Connection Limit Commands

    Connection limit commands IPv6-related parameters are not supported on the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR3600-28-SI/3600-51-SI. Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. •...
  • Page 943: Connection-Limit Apply

    <Sysname> system-view [Sysname] connection-limit policy 1 [Sysname-connlmt-policy-1] # Create IPv6 connection limit policy 12 and enter its view. <Sysname> system-view [Sysname] connection-limit ipv6-policy 12 [Sysname-connlmt-ipv6-policy-12] Related commands connection-limit apply connection-limit apply global display connection-limit limit connection-limit apply Use connection-limit apply to apply a connection limit policy to an interface. Use undo connection-limit apply to remove the application.
  • Page 944: Connection-Limit Apply Global

    Related commands connection-limit limit connection-limit apply global Use connection-limit apply global to apply a connection limit policy globally. Use undo connection-limit apply global to remove the application. Syntax connection-limit apply global { ipv6-policy | policy } policy-id undo connection-limit apply global { ipv6-policy | policy } Default No connection limit policy is applied globally.
  • Page 945: Display Connection-Limit

    undo description Default A connection limit policy does not have a description. Views IPv4 connection limit policy view IPv6 connection limit policy view Predefined user roles network-admin Parameters text: Specifies a description, a case-sensitive string of 1 to 127 characters. Usage guidelines If you execute this command multiple times, the most recent configuration takes effect.
  • Page 946 Src-Dst-Port 2000 1800 3000 Src-Dst 3001 1000000 980000 2001 Dst-Port 3010 Src-Dst 3000 Src-Dst-Port 3003 3004 500000 498000 2002 Port 1500 1400 3100 3000 3101 Src-Dst 3102 Src-Port 3200 Description list: Policy Description -------------------------------------------------------------------------------- IPv4Description1 Description for IPv4 28 # Display information about IPv4 connection limit policy 1. <Sysname>...
  • Page 947 Policy Description -------------------------------------------------------------------------------- IPv6Description3 Description for IPv6 4 # Display information about IPv6 connection limit policy 3. <Sysname> display connection-limit ipv6-policy 3 IPv6 connection limit policy 3 has been applied 3 times, and has 2 limit rules. Description: IPv6Description3 Limit rule list: Policy Rule Stat Type...
  • Page 948: Display Connection-Limit Ipv6-Stat-Nodes

    Related commands connection-limit connection-limit apply connection-limit apply global limit display connection-limit ipv6-stat-nodes Use display connection-limit ipv6-stat-nodes to display statistics about IPv6 connections that match connection limit rules globally or on an interface. Syntax Centralized devices in standalone mode: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number } [ destination destination-ip | service-port port-number | source source-ip ] * [ count ] Distributed devices in standalone mode/centralized devices in IRF mode: display connection-limit ipv6-stat-nodes { global | interface interface-type interface-number }...
  • Page 949 count: Displays only the number of limit rule-based statistics sets. Detailed information about the specified IPv6 connections is not displayed. If you do not specify this keyword, the command displays detailed information about the specified IPv6 connections that match connection limit rules. Usage guidelines The statistics for connections that match connection limit rules include the following information: •...
  • Page 950 DS-Lite tunnel peer : 9876543210 Service : tcp/12345 Limit rule ID : 12345(ACL: 3184) Sessions threshold Hi/Lo: 1000000/90000 Sessions count : 150000 Sessions limit rate New session flag : Permit # (Distributed devices in standalone mode.) Display statistics about all IPv6 connections that match the connection limit rule on VLAN-interface 10 on the card in slot 2.
  • Page 951 Sessions threshold Hi/Lo: 2000/1500 Sessions count : 1988 Sessions limit rate New session flag : Permit # (Centralized devices in standalone mode.) Display the number of limit rule-based statistics sets by source IP address 2::1. <Sysname> display connection-limit ipv6-stat-nodes global source 2::1 count Current limit statistic nodes count is 16.
  • Page 952: Display Connection-Limit Statistics

    Field Description Whether or not new connections can be created: • Permit—New connections can be created. • Deny—New connections cannot be created. New session flag NOTE: When the number of connections reaches the upper limit, this field displays Permit although new connections are not allowed. This field displays Deny only when the number of connections exceeds the upper limit.
  • Page 953: Display Connection-Limit Stat-Nodes

    argument represents the slot number of the card. This option is available only when you specify the global keyword or specify a virtual interface, such as a VLAN interface or tunnel interface. (Distributed devices in IRF mode.) Examples # (Centralized devices in standalone mode.) Display the global connection limit statistics. <Sysname>...
  • Page 954 Syntax Centralized devices in standalone mode: display connection-limit stat-nodes { global | interface interface-type interface-number } [ destination destination-ip | service-port port-number | source source-ip ] * [ count ] display connection-limit stat-nodes { global | interface interface-type interface-number } dslite-peer b4-address [ count ] Distributed devices in standalone mode/centralized devices in IRF mode: display connection-limit stat-nodes { global | interface interface-type interface-number } [ slot...
  • Page 955 Hardware Option compatibility MSR810/810-W/810-W-DB/810-LM/810-LMS/810-LUS/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 count: Displays only the number of limit rule-based statistics sets. Detailed information about the specified IPv4 connections is not displayed. If you do not specify this keyword, the command displays detailed information about the specified IPv4 connections that match connection limit rules.
  • Page 956 Service : tcp/12345 Limit rule ID : 12345(ACL: 3001) Sessions threshold Hi/Lo: 1100000/980000 Sessions count : 1050000 Sessions limit rate New session flag : Permit # (Centralized devices in standalone mode.) Display statistics about all IPv4 connections that match the connection limit rule on VLAN-interface 2. <Sysname>...
  • Page 957 DS-Lite tunnel peer : -- Service : icmp/0 Limit rule ID : 7(ACL: 3102) Sessions threshold Hi/Lo: 4000/3800 Sessions count : 1001 Sessions limit rate New session flag : Permit # (Distributed devices in IRF mode.) Display statistics about IPv4 connections that match the connection limit rule on GigabitEthernet 1/2/0/2.
  • Page 958: Limit

    Field | Description
    VPN instance | MPLS L3VPN instance to which the IP address belongs. Two hyphens (--) indicates that the IP address is on the public network.
    DS-Lite tunnel peer | Peer IP address of the DS-Lite tunnel. Two hyphens (--) indicates that the connection does not belong to a DS-Lite tunnel.
  • Page 959 Views IPv4 connection limit policy view IPv6 connection limit policy view Predefined user roles network-admin Parameters limit-id: Specifies a connection limit rule by its ID. The value range for this argument is 1 to 256. acl: Specifies the ACL that matches the user range. Only the user connections that match the ACL are limited.
  • Page 960 description text: Specifies a description for the connection limit rule, a case-sensitive string of 1 to 127 characters. By default, a connection limit rule does not have a description. Usage guidelines Each connection limit policy can define multiple rules. Each rule must specify the used ACL, rule type, and either of upper/lower connection limit and connection establishment rate limit.
  • Page 961: Reset Connection-Limit Statistics

    [Sysname-connlmt-ipv6-policy-12] limit 2 acl ipv6 2001 per-destination amount 200 100 rate 10 Verify that when the connection number exceeds 200, new connections cannot be established until the connection number goes below 100. (Details not shown.) Related commands connection-limit display connection-limit reset connection-limit statistics Use reset connection-limit statistics to clear the connection limit statistics globally or on an interface.
  • Page 962 # (Centralized devices in standalone mode.) Clear the connection limit statistics on VLAN-interface 2. <Sysname> reset connection-limit statistics interface vlan-interface 2 # (Distributed devices in standalone mode.) Clear the global connection limit statistics on the card in slot 2. <Sysname> reset connection-limit statistics global slot 2 # (Centralized devices in IRF mode.) Clear the global connection limit statistics on IRF member device 2.
  • Page 963: Object Group Commands

    Object group commands The following matrix shows the feature and hardware compatibility: Hardware Object group compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 IPv6-related parameters are not supported on the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK. •...
  • Page 964: Display Object-Group

    display object-group Use display object-group to display information about object groups. Syntax display object-group [ { { ip | ipv6 } address | service | port } [ default ] [ name object-group-name ] | name object-group-name ] Views Any view Predefined user roles network-admin network-operator...
  • Page 965: Network (Ipv4 Address Object Group View)

    10 port range 20 30 20 port group-object obj7 Service object-group obj5: 0 object(in use) Service object-group obj6: 6 objects(out of use) 0 service 200 10 service tcp source lt 50 destination range 30 40 20 service udp source range 30 40 destination gt 30 30 service icmp 20 20 40 service icmpv6 20 20 50 service group-object obj5...
  • Page 966 Use undo network to delete an IPv4 address object. Syntax [ object-id ] network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask } | range ip-address1 ip-address2 | group-object object-group-name } undo network { host { address ip-address | name host-name } | subnet ip-address { mask-length | mask } | range ip-address1 ip-address2 | group-object object-group-name } undo object-id Default...
  • Page 967: Network (Ipv6 Address Object Group View)

    • The system supports a maximum of five object group hierarchy layers. For example, if groups 1, 2, 3, and 4 use groups 2, 3, 4, and 5, respectively, group 5 cannot use another group and group 1 cannot be used by another group. Examples # Configure an IPv4 address object with the host address of 192.168.0.1.
  • Page 968 Predefined user roles network-admin Parameters object-id: Specifies an object ID in the range of 0 to 4294967294. If you do not configure an object ID, the system automatically assigns the object the next multiple of 10 above the greatest ID in use. For example, if the greatest ID is 22, the system automatically assigns 30.
  • Page 969: Network Exclude

    # Configure an IPv6 address object with the IPv6 address of 1:1:1::1 and prefix length of 24. <Sysname> system-view [Sysname] object-group ipv6 address ipv6group [Sysname-obj-grp-ipv6-ipv6group] network subnet 1:1:1::1 24 # Configure an IPv6 address object with the address range of 1:1:1::1 to 1:1:1::100 <Sysname>...
  • Page 970: Object-Group

    Hardware Command compatibility MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 You can execute this command multiple times to exclude multiple IPv4 or IPv6 addresses from an address object. Examples # Configure an IPv4 address object with the IPv4 address of 192.166.0.0 and mask of 255.255.0.0, and exclude IPv4 address 192.166.0.10 from the address object.
  • Page 971: Object-Group Rename

    • If the specified group does not exist, the system creates a new object group and enters the object group view. • If the specified group exists but the group type is different from that in the command, the command fails. The undo object-group command execution results vary with the specified object group.
  • Page 972: Port (Port Object Group View)

    Examples # Rename object group ipgroup1 to ipgroup2. <Sysname> system-view [Sysname] object-group rename ipgroup1 ipgroup2 Related commands object-group port (port object group view) Use port to configure a port object. Use undo port to delete a port object. Syntax [ object-id ] port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name } undo port { { eq | lt | gt } port | range port1 port2 | group-object object-group-name } undo object-id Default...
  • Page 973 • If the value of port is in the range of 2 to 65535, the system configures the object with a port number range of [0, port–1]. When you use the gt port option, follow these guidelines: • The value of port cannot be 65535. •...
  • Page 974: Service (Service Object Group View)

    service (service object group view) Use service to configure a service object. Use undo service to delete a service object. Syntax [ object-id ] service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt | gt } port | range port1 port2 } } * | icmp-type icmp-code | icmpv6-type icmpv6-code ] | group-object object-group-name } undo service { protocol [ { source { { eq | lt | gt } port | range port1 port2 } | destination { { eq | lt |...
  • Page 975 When you use the lt port option, follow these guidelines: • The value of port cannot be 0. • If the value of port is 1, the system configures the object with a port number of 0. • If the value of port is in the range of 2 to 65535, the system configures the object with a port number range of [0, port–1].
  • Page 976: Object Policy Commands

    Object policy commands The following matrix shows the feature and hardware compatibility: Hardware Object group compatibility MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK MSR810-LMS/810-LUS MSR2600-10-X1 MSR 2630 MSR3600-28/3600-51 MSR3600-28-SI/3600-51-SI MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC MSR 3610/3620/3620-DP/3640/3660 MSR5620/5660/5680 IPv6-related parameters are not supported on the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK. •...
  • Page 977: Description

    Default Rule matching acceleration is disabled for an object policy. Views Object policy view Predefined user roles network-admin Usage guidelines Insufficient hardware resources cause acceleration failures. When the system has sufficient hardware resources, acceleration can take effect again under either of the following conditions: •...
  • Page 978: Display Object-Policy Accelerate

    Examples # Configure the description as zone-pair security office to library for an IPv4 address object policy. <Sysname> system-view [Sysname] object-policy ip permit [Sysname-object-policy-ip-permit] description zone-pair security office to library Related commands display object-policy ip display object-policy ipv6 display object-policy accelerate Use display object-policy accelerate to display acceleration information for object policies.
  • Page 979: Display Object-Policy Ip

    Object-policy ip a Object-policy ip c # Display detailed acceleration information for IPv4 object policy a. <Sysname> display object-policy accelerate verbose ip a Object-policy ip a rule 1 drop rule 0 pass (failed) Table 147 Command output
    Field | Description
    failed | Rule matching acceleration and rule matching failed.
  • Page 980: Display Object-Policy Ipv6

    Field | Description
    Object-policy accelerated | Rule matching acceleration is enabled for the IPv4 object policy.
    rule 5 pass source-ip sourceip | Statement of rule 5. The value of sourceip is the name of the source IPv4 address object group.
    rule 5 comment This rule is used for | Description of rule 5.
  • Page 981: Display Object-Policy Statistics Zone-Pair Security

    Field | Description
    rule 5 comment This rule is used for source-ip sourceipv6 | Description of rule 5.
    display object-policy statistics zone-pair security Use display object-policy statistics zone-pair security to display statistics for the object policies applied to a zone pair. Syntax display object-policy statistics zone-pair security source source-zone-name destination destination-zone-name [ ip | ipv6 ] Views...
  • Page 982: Display Object-Policy Zone-Pair Security

    Field | Description
    x packets, y bytes | The rule has matched x packets, a total of y bytes. This field is displayed only when the following conditions exist: • The counting or logging keyword is specified in the rule command. • The rule has been matched.
    Related commands reset object-policy statistics display object-policy zone-pair security...
  • Page 983: Move Rule

    move rule Use move rule to change the rule match order of a rule in an object policy. Syntax move rule rule-id before insert-rule-id Views Object policy view Predefined user roles network-admin Parameters rule-id: Specifies a rule by its ID in the range of 0 to 65534. insert-rule-id: Specifies the ID of the target rule before which a rule is inserted.
  • Page 984: Object-Policy Apply Ipv6

    Predefined user roles network-admin Parameters object-policy-name: Specifies an IPv4 object policy by its name, a case-insensitive string of 1 to 63 characters. Usage guidelines If the specified object policy does not exist, this command fails. You can apply only one IPv4 object policy to each zone pair. To apply a new IPv4 object policy to an instance, remove the application of the existing IPv4 object policy.
  • Page 985: Object-Policy Ip

    Examples # Configure an IPv6 object policy and apply it to a zone pair. <Sysname> system-view [Sysname] object-policy ipv6 permit [Sysname-object-policy-ipv6-permit] quit [Sysname] zone-pair security source office destination library [Sysname-zone-pair-security-office-library] object-policy apply ipv6 permit Related commands display object-policy zone-pair security object-policy apply ip object-policy ipv6 object-policy ip...
  • Page 986: Object-Policy Ipv6

    object-policy ipv6 Use object-policy ipv6 to configure an IPv6 object policy and enter its view, or enter the view of an existing IPv6 object policy. Use undo object-policy ipv6 to delete an IPv6 object policy. Syntax object-policy ipv6 object-policy-name undo object-policy ipv6 object-policy-name Default No IPv6 object policies exist.
  • Page 987: Rule (Ipv4 Object Policy View)

    Parameters source source-zone-name: Specifies the source security zone name, a case-insensitive string of 1 to 31 characters. destination destination-zone-name: Specifies the destination security zone name, a case-insensitive string of 1 to 31 characters. ip: Clears statistics for IPv4 object policies. ipv6: Clears statistics for IPv6 object policies. Usage guidelines If you do not specify a zone pair, the system clears statistics for the object policies applied to all zone pairs.
  • Page 988 inspect app-profile-name: Applies a DPI application profile to the packets that match the rule. The app-profile-name argument represents the DPI profile name, a case-insensitive string of 1 to 100 characters. The string can contain only letters, digits, and underscores (_). The following matrix shows the inspect app-profile-name option and hardware compatibility: Hardware Option compatibility...
  • Page 989: Rule (Ipv6 Object Policy View)

    If you specify a nonexistent object group in a rule, the command creates the specified object group with empty configuration. A rule that contains an object group with empty configuration does not match any packets. If you do not specify any options in the undo rule command, the command deletes the entire rule. Otherwise, the command deletes only the specified part of the rule statement.
  • Page 990 Default No rules are configured for an IPv6 object policy. Views IPv6 object policy view Predefined user roles network-admin Parameters rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify an ID for the rule, the system automatically assigns the rule an integer next to the greatest ID being used.
  • Page 991 app-group app-group-name: Specifies an application group by its name, a case-insensitive string of 1 to 63 characters. The invalid and other application groups are not supported. counting: Enables match counting for the rule in an IPv6 object policy. By default, rule match counting is disabled.
  • Page 992: Rule Append

    time-range (ACL and QoS Command Reference) track (High Availability Command Reference) rule append Use rule append to append a criterion to a rule for packet matching. Use undo rule append to delete a criterion appended to a rule. Syntax rule rule-id append { application application-name | app-group app-group-name | destination-ip object-group-name | service object-group-name | source-ip object-group-name } undo rule rule-id append { application [ application-name ] | app-group [ app-group-name ] | destination-ip...
  • Page 993: Rule Comment

    [Sysname-object-policy-ip-permit] rule 1 append source-ip sourceip2 [Sysname-object-policy-ip-permit] rule 1 append source-ip sourceip3 Related commands app-group display object-policy ip display object-policy ipv6 nbar application object-group object-policy ip object-policy ipv6 rule (IPv4 object policy view) rule (IPv6 object policy view) rule comment Use rule comment to configure a description for a rule.
  • Page 994 display object-policy ipv6...
  • Page 995: Attack Detection And Prevention Commands

    Attack detection and prevention commands Commands and descriptions for centralized devices apply to the following routers: • MSR810/810-W/810-W-DB/810-LM/810-W-LM/810-10-PoE/810-LM-HK/810-W-LM-HK/810-LMS/810-LUS. • MSR2600-10-X1. • MSR 2630. • MSR3600-28/3600-51. • MSR3600-28-SI/3600-51-SI. • MSR3610-X1/3610-X1-DP/3610-X1-DC/3610-X1-DP-DC. • MSR 3610/3620/3620-DP/3640/3660. Commands and descriptions for distributed devices apply to the following routers: •...
  • Page 996: Ack-Flood Detect

    Examples # Specify drop as the global action against ACK flood attacks in the attack defense policy atk-policy-1. <Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] ack-flood action drop Related commands ack-flood threshold ack-flood detect ack-flood detect non-specific client-verify tcp enable ack-flood detect Use ack-flood detect to configure IP address-specific ACK flood attack detection.
  • Page 997: Ack-Flood Detect Non-Specific

    Usage guidelines With ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.
  • Page 998: Ack-Flood Threshold

    ack-flood threshold Use ack-flood threshold to set the global threshold for triggering ACK flood attack prevention. Use undo ack-flood threshold to restore the default. Syntax ack-flood threshold threshold-value undo ack-flood threshold Default The global threshold is 1000 for triggering ACK flood attack prevention. Views Attack defense policy view Predefined user roles...
  • Page 999: Attack-Defense Local Apply Policy

    Default No attack defense policy is applied to an interface. Views Interface view Predefined user roles network-admin Parameters policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-).
  • Page 1000: Attack-Defense Login Reauthentication-Delay

    Usage guidelines An attack defense policy applied to the device itself detects packets destined for the device and prevents attacks targeted at the device. Applying an attack defense policy to the device can improve the efficiency of processing attack packets destined for the device. Each device can have only one attack defense policy applied.