Troubleshooting MSR Series Comware 5
Security Command Reference (V5)
display local-user ........ 46
display user-group ........ 48
expiration-date (local user view) ........ 49
group ........ 50
local-user ........ 51
password (local user view) ........ 52
service-type ........ 53
state (local user view) ........ 54
user-group ........ 55
validity-date ........ 55
RADIUS configuration commands ........ 56
accounting-on enable ........ 56
attribute 25 car ........ 57
data-flow-format (RADIUS scheme view) ........ 58
display radius scheme ........ 59
display radius statistics ........ 61
display stop-accounting-buffer (for RADIUS) ........ 64
key (RADIUS scheme view) ........ 66
nas-ip (RADIUS scheme view) ........ 67
primary accounting (RADIUS scheme view) ........ 68
primary authentication (RADIUS scheme view) ........ 69
radius client ........ 71
radius nas-ip ........ 72
radius scheme ........ 73
radius trap ........ 74
reset radius statistics ........ 75
reset stop-accounting-buffer (for RADIUS) ........ 75
retry ........ 76
retry realtime-accounting ........ 77
retry stop-accounting (RADIUS scheme view) ........ 78
secondary accounting (RADIUS scheme view) ........ 78
secondary authentication (RADIUS scheme view) ........ 80
security-policy-server ........ 83
server-type (RADIUS scheme view) ........ 83
state primary ........ 84
state secondary ........ 85
stop-accounting-buffer enable (RADIUS scheme view) ........ 86
timer quiet (RADIUS scheme view) ........ 86
timer realtime-accounting (RADIUS scheme view) ........ 87
timer response-timeout (RADIUS scheme view) ........ 88
user-name-format (RADIUS scheme view) ........ 89
vpn-instance (RADIUS scheme view) ........ 90
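The RADIUS scheme commands listed above are normally used together. The following is an added worked example of a complete scheme, written for this edit; it is not taken from the command reference. The scheme name, server addresses, ports, NAS source address and the shared-secret placeholder are assumptions; the `cipher` keyword on `key` and the `key accounting` form are assumed to be available on the running release (older Comware 5 builds accept only `key authentication string`), so check the `key (RADIUS scheme view)` entry for your software version.

```text
# Added example: a hardened RADIUS scheme on Comware 5 (names and addresses are assumptions).
# Lines beginning with # are annotations for the reader, not CLI input.
system-view
 radius scheme rad-corp
  # Use the extended (H3C/HP) attribute set so the server can return vendor-specific authorization.
  server-type extended
  # Primary and secondary servers for authentication (1812) and accounting (1813).
  primary authentication 10.1.1.1 1812
  primary accounting 10.1.1.1 1813
  secondary authentication 10.1.1.2 1812
  secondary accounting 10.1.1.2 1813
  # RADIUS only protects the User-Password attribute with MD5 over the shared secret,
  # so the secret must be long and random. Placeholder value; replace before use.
  key authentication cipher Example-Sh4red-S3cret-ChangeMe
  key accounting cipher Example-Sh4red-S3cret-ChangeMe
  # Pin the source address so it matches the client entry configured on the RADIUS server.
  nas-ip 10.1.1.254
  # Strip the ISP domain suffix if the server stores bare user names.
  user-name-format without-domain
  # Fail over quickly: 3 s per request, 3 attempts, then mark the server down for 5 minutes.
  timer response-timeout 3
  retry 3
  timer quiet 5
  # Keep accounting records accurate across server outages.
  timer realtime-accounting 12
  stop-accounting-buffer enable
  retry stop-accounting 500
  # Notify the server that all sessions ended when the router reboots.
  accounting-on enable
  quit
 quit
# Verify the scheme and watch for timeouts or authentication rejects.
display radius scheme rad-corp
display radius statistics
```

Binding the scheme to an ISP domain is done with the domain commands, which are outside the section shown here. The `timer quiet` value matters operationally: without it a dead primary server is retried for every login, which turns a server outage into an authentication outage.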
HWTACACS configuration commands ........ 91
data-flow-format (HWTACACS scheme view) ........ 91
display hwtacacs ........ 91
display stop-accounting-buffer (for HWTACACS) ........ 95
hwtacacs nas-ip ........ 96
hwtacacs scheme ........ 97
key (HWTACACS scheme view) ........ 97
nas-ip (HWTACACS scheme view) ........ 98
primary accounting (HWTACACS scheme view) ........ 99
primary authentication (HWTACACS scheme view) ........ 101
primary authorization ........ 102
reset hwtacacs statistics ........ 103
reset stop-accounting-buffer (for HWTACACS) ........ 104
retry stop-accounting (HWTACACS scheme view) ........ 104
secondary accounting (HWTACACS scheme view) ........ 105
secondary authentication (HWTACACS scheme view) ........ 106
secondary authorization ........ 108
stop-accounting-buffer enable (HWTACACS scheme view) ........ 109
timer quiet (HWTACACS scheme view) ........ 110
timer realtime-accounting (HWTACACS scheme view) ........ 111
timer response-timeout (HWTACACS scheme view) ........ 111
user-name-format (HWTACACS scheme view) ........ 112
vpn-instance (HWTACACS scheme view) ........ 113
RADIUS server configuration commands ........ 114
authorization-attribute (RADIUS-server user view) ........ 114
description (RADIUS-server user view) ........ 115
expiration-date (RADIUS-server user view) ........ 115
password (RADIUS-server user view) ........ 116
radius-server client-ip ........ 117
radius-server user ........ 118
mac-authentication user-name-format ........ 153
reset mac-authentication statistics ........ 154
ipsec profile (system view) ........ 213
ipsec profile (tunnel interface view) ........ 214
ipsec sa global-duration ........ 214
ipsec session idle-time ........ 215
ipsec transform-set ........ 216
local-address ........ 216
pfs ........ 217
policy enable ........ 218
qos pre-classify ........ 219
remote-address ........ 219
reset ipsec sa ........ 220
reset ipsec session ........ 221
reset ipsec statistics ........ 222
reverse-route ........ 222
reverse-route preference ........ 226
reverse-route tag ........ 226
sa authentication-hex ........ 227
sa duration ........ 228
sa encryption-hex ........ 229
sa spi ........ 230
sa string-key ........ 232
security acl ........ 233
tfc enable (IPsec policy view/IPsec policy template view/IPsec profile view) ........ 234
transform ........ 235
transform-set ........ 236
tunnel local ........ 237
tunnel remote ........ 237
pre-shared-key ........ 261
proposal (IKE peer view) ........ 262
remote-address ........ 262
remote-name ........ 263
reset ike sa ........ 264
sa duration ........ 265
time-out ........ 266
certificate request mode ........ 309
certificate request polling ........ 310
certificate request url ........ 311
common-name ........ 311
country ........ 312
crl check ........ 313
crl update-period ........ 313
crl url ........ 314
display pki certificate ........ 314
display pki certificate access-control-policy ........ 316
display pki certificate attribute-group ........ 317
display pki crl domain ........ 318
fqdn ........ 319
ip (PKI entity view) ........ 320
ldap-server ........ 320
locality ........ 321
organization ........ 322
organization-unit ........ 322
pki certificate access-control-policy ........ 323
pki certificate attribute-group ........ 323
pki delete-certificate ........ 324
pki domain ........ 324
pki entity ........ 325
pki import-certificate ........ 326
pki request-certificate domain ........ 326
pki retrieval-certificate ........ 327
pki retrieval-crl domain ........ 328
pki validate-certificate ........ 328
root-certificate fingerprint ........ 329
rule (PKI CERT ACP view) ........ 330
state ........ 330
display portal interface ........ 357
display portal local-server ........ 358
display portal server ........ 359
display portal server statistics ........ 360
display portal tcp-cheat statistics ........ 363
display portal user ........ 365
portal auth-network ........ 366
portal auth-network destination ........ 367
portal delete-user ........ 368
portal domain ........ 368
portal free-rule ........ 369
portal local-server ........ 370
portal local-server bind ........ 371
portal local-server enable ........ 372
portal local-server ip ........ 373
portal max-user ........ 374
portal move-mode auto ........ 375
portal nas-id-profile ........ 376
portal nas-ip ........ 377
portal nas-port-id ........ 377
portal nas-port-type ........ 378
portal offline-detect interval ........ 379
portal redirect-url ........ 379
portal server ........ 380
portal server banner ........ 381
portal server method ........ 382
portal server server-detect ........ 383
portal server user-sync ........ 385
portal web-proxy port ........ 386
reset portal connection statistics ........ 387
reset portal server statistics ........ 387
reset portal tcp-cheat statistics ........ 388
web-redirect ........ 388
detect ........ 403
display aspf all ........ 404
display aspf interface ........ 405
display aspf policy ........ 406
display aspf session ........ 407
display port-mapping ........ 409
firewall aspf ........ 410
log enable ........ 410
port-mapping ........ 411
reset aspf session ........ 412
SSL configuration commands ........ 448
ciphersuite ........ 448
client-verify enable ........ 449
client-verify weaken ........ 450
close-mode wait ........ 451
display ssl client-policy ........ 451
display ssl server-policy ........ 452
handshake timeout ........ 453
pki-domain ........ 454
prefer-cipher ........ 455
server-verify enable ........ 456
session ........ 457
ssl client-policy ........ 457
ssl server-policy ........ 458
version ........ 459
defense icmp-flood enable ································································································································· 483
defense icmp-flood ip ·········································································································································· 484
defense icmp-flood rate-threshold ······················································································································ 485
defense scan add-to-blacklist······························································································································ 486
defense scan blacklist-timeout ···························································································································· 487
defense scan enable ··········································································································································· 488
defense scan max-rate ········································································································································ 488
defense syn-flood action ····································································································································· 489
defense syn-flood enable ···································································································································· 490
defense syn-flood ip ············································································································································ 490
defense syn-flood rate-threshold ························································································································· 492
defense udp-flood action drop-packet ··············································································································· 493
defense udp-flood enable ··································································································································· 493
defense udp-flood ip ··········································································································································· 494
defense udp-flood rate-threshold ························································································································ 495
display attack-defense policy ····························································································································· 496
display attack-defense statistics interface·········································································································· 499
display blacklist ··················································································································································· 501
display flow-statistics statistics ···························································································································· 503
display flow-statistics statistics interface ············································································································ 504
flow-statistics enable ············································································································································ 505
reset attack-defense statistics interface ·············································································································· 506
signature-detect ···················································································································································· 507
signature-detect action drop-packet··················································································································· 508
signature-detect large-icmp max-length ············································································································· 508
password-control length ······································································································································ 533
password-control login idle-time ························································································································ 534
password-control login-attempt ·························································································································· 535
password-control password update interval ····································································································· 537
password-control super aging ···························································································································· 537
password-control super composition ················································································································· 538
password-control super length ··························································································································· 539
reset password-control blacklist ························································································································· 539
reset password-control history-record ················································································································ 540
GM configuration commands ····································································································································· 574
client registration interface ································································································································· 574
display gdoi gm ·················································································································································· 574
display gdoi gm acl ············································································································································ 578
display gdoi gm ipsec sa ··································································································································· 579
display gdoi gm members ·································································································································· 581
display gdoi gm pubkey ····································································································································· 582
display gdoi gm rekey ········································································································································ 583
gdoi gm group ····················································································································································· 585
group ···································································································································································· 586
identity ·································································································································································· 586
reset gdoi gm ······················································································································································· 587
server address ······················································································································································ 588
AAA configuration commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about
FIPS mode, see Security Configuration Guide.
The following matrix shows the FIPS and hardware compatibility:
Hardware    FIPS mode supported
MSR93X      No
MSR20-1X    No
MSR20       Yes
MSR50       Yes
MSR1000     Yes
Related commands
nas-id bind vlan
access-limit enable
Use access-limit enable to set the maximum number of online users in an ISP domain. After the number
of online users reaches the allowed maximum number, no more users are accepted.
Use undo access-limit enable to restore the default.
Syntax
access-limit enable max-user-number
undo access-limit enable
Default
There is no limit to the number of online users in an ISP domain.
Views
ISP domain view
Default command level
2: System level
Parameters
max-user-number: Specifies the maximum number of online users that the ISP domain can accommodate.
The value range is 1 to 2147483646.
Usage guidelines
System resources are limited, and user connections might compete for network resources when there are
many users. Setting a proper limit to the number of online users helps provide reliable system
performance.
Examples
# Set a limit of 500 user connections for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] access-limit enable 500
Related commands
display domain
accounting command
Use accounting command to specify the command line accounting method.
Use undo accounting command to restore the default.
Syntax
accounting command hwtacacs-scheme hwtacacs-scheme-name
undo accounting command
Default
The default accounting method for the ISP domain is used for command line accounting.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
Usage guidelines
The specified HWTACACS scheme must have been configured.
Command line accounting can use only an HWTACACS scheme.
Examples
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
Related commands
• accounting default
• hwtacacs scheme
accounting default
Use accounting default to configure the default accounting method for an ISP domain.
Use undo accounting default to restore the default.
Syntax
In non-FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme
radius-scheme-name [ local ] }
undo accounting default
In FIPS mode:
accounting default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo accounting default
Default
The default accounting method of an ISP domain is local.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The default accounting method is used for all users who support the specified accounting method and
have no specific accounting method configured.
Local accounting is only used for monitoring and controlling the number of local user connections. It does
not provide the statistics function that the accounting feature generally provides.
Examples
# Configure the default accounting method for ISP domain test to use RADIUS accounting scheme rd and
use local accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting default radius-scheme rd local
Related commands
• local-user
• hwtacacs scheme
• radius scheme
accounting dvpn
Use accounting dvpn to configure the accounting method for DVPN users.
Use undo accounting dvpn to restore the default.
Syntax
In non-FIPS mode:
accounting dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting dvpn
In FIPS mode:
accounting dvpn { local | radius-scheme radius-scheme-name [ local ] }
undo accounting dvpn
Default
The default accounting method for the ISP domain is used for DVPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for DVPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting dvpn local
# Configure ISP domain test to use RADIUS accounting scheme rd for DVPN users and use local
accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting dvpn radius-scheme rd local
Related commands
• local-user
• accounting default
• radius scheme
accounting lan-access
Use accounting lan-access to configure the accounting method for LAN users.
Use undo accounting lan-access to restore the default.
Syntax
In non-FIPS mode:
accounting lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo accounting lan-access
In FIPS mode:
accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo accounting lan-access
Default
The default accounting method for the ISP domain is used for LAN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access local
# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local
accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting lan-access radius-scheme rd local
Related commands
• local-user
• accounting default
• radius scheme
accounting login
Use accounting login to configure the accounting method for login users through the console, AUX, or
Asyn port or through Telnet.
Use undo accounting login to restore the default.
Syntax
In non-FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme
radius-scheme-name [ local ] }
undo accounting login
In FIPS mode:
accounting login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo accounting login
Default
The default accounting method for the ISP domain is used for login users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Accounting is not supported for login users who use FTP.
Examples
# Configure ISP domain test to use local accounting for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login local
# Configure ISP domain test to use RADIUS accounting scheme rd for login users and use local
accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting login radius-scheme rd local
Related commands
• local-user
• accounting default
• hwtacacs scheme
• radius scheme
accounting optional
Use accounting optional to enable the accounting optional feature.
Use undo accounting optional to disable the feature.
Syntax
accounting optional
undo accounting optional
Default
The feature is disabled.
Views
ISP domain view
Default command level
2: System level
Usage guidelines
After you configure the accounting optional command for a domain, a user who would otherwise be
disconnected can continue to use the network resources when no accounting server is available or when
communication with the current accounting server fails. However, the device no longer sends real-time
accounting updates for the user. The accounting optional feature applies to scenarios where accounting
is not important.
After you configure the accounting optional command, the setting configured by the access-limit
command in local user view has no effect.
Examples
# Enable the accounting optional feature for users in domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting optional
accounting portal
Use accounting portal to configure the accounting method for portal users.
Use undo accounting portal to restore the default.
Syntax
In non-FIPS mode:
accounting portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo accounting portal
In FIPS mode:
accounting portal { local | radius-scheme radius-scheme-name [ local ] }
undo accounting portal
Default
The default accounting method for the ISP domain is used for portal users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal local
# Configure ISP domain test to use RADIUS scheme rd for accounting on portal users and use local
accounting as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting portal radius-scheme rd local
Related commands
• local-user
• accounting default
• radius scheme
accounting ppp
Use accounting ppp to configure the accounting method for PPP users.
Use undo accounting ppp to restore the default.
Syntax
In non-FIPS mode:
accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme
radius-scheme-name [ local ] }
undo accounting ppp
In FIPS mode:
accounting ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo accounting ppp
Default
The default accounting method for the ISP domain is used for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local accounting.
none: Does not perform any accounting.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local accounting for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp local
# Configure ISP domain test to use RADIUS accounting scheme rd for PPP users and use local accounting
as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ppp radius-scheme rd local
Related commands
• local-user
• accounting default
• hwtacacs scheme
• radius scheme
accounting ssl-vpn
Use accounting ssl-vpn to configure the accounting method for SSL VPN users.
Use undo accounting ssl-vpn to restore the default.
Syntax
accounting ssl-vpn radius-scheme radius-scheme-name
undo accounting ssl-vpn
Default
The default accounting method for the ISP domain is used for SSL VPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use RADIUS accounting scheme rd for SSL VPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting ssl-vpn radius-scheme rd
Related commands
• accounting default
• radius scheme
accounting voip
Use accounting voip to configure the RADIUS accounting method for VoIP users.
Use undo accounting voip to restore the default.
Syntax
accounting voip radius-scheme radius-scheme-name
undo accounting voip
Default
The default accounting method for the ISP domain is used for VoIP users.
Views
ISP domain view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
To implement VoIP user accounting, you must complete these tasks:
• Enable the accounting function for VoIP service.
• Configure an accounting method for VoIP users.
For more information about the commands used to enable accounting for VoIP service, see Voice
Command Reference.
Examples
# Configure ISP domain test to use RADIUS accounting scheme rd for VoIP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] accounting voip radius-scheme rd
Related commands
• accounting default
• radius scheme
authentication default
Use authentication default to configure the default authentication method for an ISP domain.
Use undo authentication default to restore the default.
Syntax
In non-FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none |
radius-scheme radius-scheme-name [ local ] }
undo authentication default
In FIPS mode:
authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo authentication default
Default
The default authentication method of an ISP domain is local.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The default authentication method is used for all users who support the specified authentication method
and have no specific authentication method configured.
Examples
# Configure the default authentication method for ISP domain test to use RADIUS authentication scheme
rd and use local authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication default radius-scheme rd local
Related commands
• local-user
• hwtacacs scheme
• radius scheme
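The method-selection rules stated for accounting default, accounting optional and authentication default above (a per-service method overrides the domain default, a trailing local is the backup, none is unavailable in FIPS mode, and a referenced scheme must already exist) can be checked mechanically. The following auditor is an added example written for this page, not Comware code; the configuration fragment, the scheme names and the finding texts are constructed.

```python
"""Resolve and audit ISP-domain AAA method settings.

Constructed model of the rules this reference states; it is not Comware code:
- a per-service method (login, ppp, ...) overrides the domain default
- an optional trailing 'local' is the backup used when the scheme fails
- 'none' is not available in FIPS mode
- a referenced RADIUS/HWTACACS scheme must already be configured
- 'accounting optional' keeps users online when no accounting server answers
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines as they would appear in a Comware 5 running
# configuration. Scheme names are illustrative; 'missing' is deliberately
# referenced without being defined.
SAMPLE_CONFIG = """\
radius scheme rd
hwtacacs scheme hwtac
domain test
 authentication default radius-scheme rd local
 authentication login hwtacacs-scheme hwtac local
 authentication lan-access none
 accounting default radius-scheme rd local
 accounting lan-access radius-scheme missing none
 accounting command hwtacacs-scheme hwtac
 accounting optional
"""

METHOD_RE = re.compile(r"^(authentication|accounting)\s+(\S+)\s+(.*)$")


@dataclass
class Domain:
    name: str
    # (aaa_type, service) -> ordered methods, e.g. ['radius:rd', 'local']
    methods: dict = field(default_factory=dict)
    accounting_optional: bool = False


def _parse_methods(rest):
    """Turn 'radius-scheme rd local' into ['radius:rd', 'local']."""
    toks, out = rest.split(), []
    while toks:
        tok = toks.pop(0)
        if tok in ("radius-scheme", "hwtacacs-scheme"):
            out.append(f"{tok.split('-')[0]}:{toks.pop(0)}")
        else:
            out.append(tok)  # 'local' or 'none'
    return out


def parse_config(text):
    """Return (configured scheme keys, {domain name: Domain})."""
    schemes, domains, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("radius scheme ", "hwtacacs scheme ")):
            kind, _, name = line.split(None, 2)
            schemes.add(f"{kind}:{name}")
        elif line.startswith("domain "):
            current = Domain(line.split(None, 1)[1])
            domains[current.name] = current
        elif current and line == "accounting optional":
            current.accounting_optional = True
        elif current and (m := METHOD_RE.match(line)):
            aaa, service, rest = m.groups()
            current.methods[(aaa, service)] = _parse_methods(rest)
    return schemes, domains


def effective_methods(domain, aaa, service):
    """Per-service setting first, then the domain default, then the
    built-in default of local that this reference states."""
    return (domain.methods.get((aaa, service))
            or domain.methods.get((aaa, "default"))
            or ["local"])


def audit(domain, schemes, fips_mode=False):
    """Findings a reviewer would raise about the domain's AAA settings."""
    findings = []
    for (aaa, service), methods in sorted(domain.methods.items()):
        for meth in methods:
            if meth == "none":
                if fips_mode:
                    findings.append(f"{aaa} {service}: 'none' is not available in FIPS mode")
                else:
                    findings.append(f"{aaa} {service}: no {aaa} performed")
            elif meth != "local" and meth not in schemes:
                findings.append(f"{aaa} {service}: scheme {meth} not configured")
    if domain.accounting_optional:
        findings.append("accounting optional: users stay online when the accounting "
                        "server is unreachable, real-time updates stop, and "
                        "access-limit in local user view has no effect")
    return findings


if __name__ == "__main__":
    cfg_schemes, cfg_domains = parse_config(SAMPLE_CONFIG)
    for finding in audit(cfg_domains["test"], cfg_schemes):
        print(finding)
```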
authentication dvpn
Use authentication dvpn to configure the authentication method for DVPN users.
Use undo authentication dvpn to restore the default.
Syntax
In non-FIPS mode:
authentication dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication dvpn
In FIPS mode:
authentication dvpn { local | radius-scheme radius-scheme-name [ local ] }
undo authentication dvpn
Default
The default authentication method for the ISP domain is used for DVPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for DVPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication dvpn local
# Configure ISP domain test to use RADIUS authentication scheme rd for DVPN users and use local
authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication dvpn radius-scheme rd local
Related commands
• local-user
• authentication default
• radius scheme
authentication lan-access
Use authentication lan-access to configure the authentication method for LAN users.
Use undo authentication lan-access to restore the default.
Syntax
In non-FIPS mode:
authentication lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authentication lan-access
In FIPS mode:
authentication lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo authentication lan-access
Default
The default authentication method for the ISP domain is used for LAN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access local
# Configure ISP domain test to use RADIUS authentication scheme rd for LAN users and use local
authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication lan-access radius-scheme rd local
Related commands
• local-user
• authentication default
• radius scheme
authentication login
Use authentication login to configure the authentication method for login users through the console, AUX,
or Asyn port, Telnet, or FTP.
Use undo authentication login to restore the default.
Syntax
In non-FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme
radius-scheme-name [ local ] }
undo authentication login
In FIPS mode:
authentication login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo authentication login
Default
The default authentication method for the ISP domain is used for login users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login local
# Configure ISP domain test to use RADIUS authentication scheme rd for login users and use local
authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
Related commands
• local-user
• authentication default
• hwtacacs scheme
• radius scheme
authentication portal
Use authentication portal to configure the authentication method for portal users.
Use undo authentication portal to restore the default.
Syntax
In non-FIPS mode:
authentication portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
In FIPS mode:
authentication portal { local | radius-scheme radius-scheme-name [ local ] }
undo authentication portal
Default
The default authentication method for the ISP domain is used for portal users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal local
# Configure ISP domain test to use RADIUS scheme rd for authentication of portal users and use local
authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication portal radius-scheme rd local
Related commands
• local-user
• authentication default
• radius scheme
authentication ppp
Use authentication ppp to configure the authentication method for PPP users.
Use undo authentication ppp to restore the default.
Syntax
In non-FIPS mode:
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme
radius-scheme-name [ local ] }
undo authentication ppp
In FIPS mode:
authentication ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo authentication ppp
Default
The default authentication method for the ISP domain is used for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authentication.
none: Does not perform any authentication.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
Examples
# Configure ISP domain test to use local authentication for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp local
# Configure ISP domain test to use RADIUS authentication scheme rd for PPP users and use local
authentication as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ppp radius-scheme rd local
Related commands
• local-user
• authentication default
• hwtacacs scheme
• radius scheme
authentication ssl-vpn
Use authentication ssl-vpn to configure the RADIUS authentication method for SSL VPN users.
Use undo authentication ssl-vpn to restore the default.
Syntax
authentication ssl-vpn radius-scheme radius-scheme-name
undo authentication ssl-vpn
Default
The default authentication method for the ISP domain is used for SSL VPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
Examples
# Configure ISP domain test to use RADIUS authentication scheme rd for SSL VPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication ssl-vpn radius-scheme rd
Related commands
• authentication default
• radius scheme
authentication voip
Use authentication voip to configure the authentication method for VoIP users.
Use undo authentication voip to restore the default.
Syntax
authentication voip radius-scheme radius-scheme-name
undo authentication voip
Default
The default authentication method for the ISP domain is used for VoIP users.
Views
ISP domain view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
To implement VoIP user authentication, you must complete the following tasks:
• Enable the authentication function for VoIP service.
• Configure an authentication method for VoIP users.
For more information about the commands to be used to enable authentication for VoIP service, see Voice
Command Reference.
Examples
# Configure ISP domain test to use RADIUS authentication scheme rd for VoIP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authentication voip radius-scheme rd
Related commands
• authentication default
• radius scheme
authentication super
Use authentication super to configure the authentication method for user privilege level switching.
Use undo authentication super to restore the default.
Syntax
authentication super { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme
radius-scheme-name }
undo authentication super
Default
The default authentication method for the ISP domain is used for user privilege level switching
authentication.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS authentication scheme must have been configured.
Examples
# Configure ISP domain test to use HWTACACS scheme tac for user privilege level switching
authentication.
<Sysname> system-view
[Sysname] super authentication-mode scheme
[Sysname] domain test
[Sysname-domain-test] authentication super hwtacacs-scheme tac
Related commands
• hwtacacs scheme
• radius scheme
• super authentication-mode (Fundamentals Command Reference)
authorization command
Use authorization command to configure the command line authorization method.
Use undo authorization command to restore the default.
Syntax
In non-FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local | none ] | local | none }
undo authorization command
In FIPS mode:
authorization command { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local }
undo authorization command
Default
The default authorization method for the ISP domain is used for command line authorization.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated user can access only
commands of Level 0.
Usage guidelines
The specified HWTACACS scheme must have been configured.
With command line authorization configured, a user who has logged in to the device can execute only
the commands with a level lower than or equal to that of the local user.
Examples
# Configure ISP domain test to use local command line authorization.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command local
# Configure ISP domain test to use HWTACACS scheme hwtac for command line authorization and use
local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
Related commands
• local-user
• authorization default
• hwtacacs scheme
authorization default
Use authorization default to configure the default authorization method for an ISP domain.
Use undo authorization default to restore the default.
Syntax
In non-FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none |
radius-scheme radius-scheme-name [ local ] }
undo authorization default
In FIPS mode:
authorization default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo authorization default
Default
The default authorization method of an ISP domain is local.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, non-login users can
access the network, FTP users can access the root directory of the device, and other login users can
access only the commands of Level 0.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The default authorization method is used for all users who support the specified authorization method
and have no specific authorization method configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure the default authorization method for ISP domain test to use RADIUS authorization scheme rd
and use local authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization default radius-scheme rd local
Related commands
• local-user
• hwtacacs scheme
• radius scheme
authorization dvpn
Use authorization dvpn to configure the authorization method for DVPN users.
Use undo authorization dvpn to restore the default.
Syntax
In non-FIPS mode:
authorization dvpn { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization dvpn
In FIPS mode:
authorization dvpn { local | radius-scheme radius-scheme-name [ local ] }
undo authorization dvpn
Default
The default authorization method for the ISP domain is used for DVPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access
the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for DVPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization dvpn local
# Configure ISP domain test to use RADIUS authorization scheme rd for DVPN users and use local
authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization dvpn radius-scheme rd local
Related commands
• local-user
• authorization default
• radius scheme
authorization lan-access
Use authorization lan-access to configure the authorization method for LAN users.
Use undo authorization lan-access to restore the default.
Syntax
In non-FIPS mode:
authorization lan-access { local | none | radius-scheme radius-scheme-name [ local | none ] }
undo authorization lan-access
In FIPS mode:
authorization lan-access { local | radius-scheme radius-scheme-name [ local ] }
undo authorization lan-access
Default
The default authorization method for the ISP domain is used for LAN users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated LAN user can access
the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for LAN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access local
# Configure ISP domain test to use RADIUS authorization scheme rd for LAN users and use local
authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization lan-access radius-scheme rd local
Related commands
• local-user
• authorization default
• radius scheme
authorization login
Use authorization login to configure the authorization method for login users who access the device through
the console, AUX, or Asyn port, or through Telnet or FTP.
Use undo authorization login to restore the default.
Syntax
In non-FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme
radius-scheme-name [ local ] }
undo authorization login
In FIPS mode:
authorization login { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo authorization login
Default
The default authorization method for the ISP domain is used for login users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. After passing authentication, FTP users can access
the root directory of the device, and other login users can access only the commands of Level 0.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for login users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login local
# Configure ISP domain test to use RADIUS authorization scheme rd for login users and use local
authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization login radius-scheme rd local
Related commands
• local-user
• authorization default
• hwtacacs scheme
• radius scheme
authorization portal
Use authorization portal to configure the authorization method for portal users.
Use undo authorization portal to restore the default.
Syntax
In non-FIPS mode:
authorization portal { local | none | radius-scheme radius-scheme-name [ local ] }
undo authorization portal
In FIPS mode:
authorization portal { local | radius-scheme radius-scheme-name [ local ] }
undo authorization portal
Default
The default authorization method for the ISP domain is used for portal users.
Views
ISP domain view
Default command level
2: System level
Parameters
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated portal user can
access the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for portal users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal local
# Configure ISP domain test to use RADIUS scheme rd for authorization of portal users and use local
authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization portal radius-scheme rd local
Related commands
• local-user
• authorization default
• radius scheme
authorization ppp
Use authorization ppp to configure the authorization method for PPP users.
Use undo authorization ppp to restore the default.
Syntax
In non-FIPS mode:
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme
radius-scheme-name [ local ] }
undo authorization ppp
In FIPS mode:
authorization ppp { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | radius-scheme
radius-scheme-name [ local ] }
undo authorization ppp
Default
The default authorization method for the ISP domain is used for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a
case-insensitive string of 1 to 32 characters.
local: Performs local authorization.
none: Does not perform any authorization exchange. In this case, an authenticated PPP user can access
the network directly.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS or HWTACACS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use local authorization for PPP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp local
# Configure ISP domain test to use RADIUS authorization scheme rd for PPP users and use local
authorization as the backup.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ppp radius-scheme rd local
Related commands
• local-user
• authorization default
• hwtacacs scheme
• radius scheme
authorization ssl-vpn
Use authorization ssl-vpn to configure the authorization method for SSL VPN users.
Use undo authorization ssl-vpn to restore the default.
Syntax
authorization ssl-vpn radius-scheme radius-scheme-name
undo authorization ssl-vpn
Default
The default authorization method for the ISP domain is used for SSL VPN users.
Views
ISP domain view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
Examples
# Configure ISP domain test to use RADIUS authorization scheme rd for SSL VPN users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ssl-vpn radius-scheme rd
Related commands
• authorization default
• radius scheme
authorization voip
Use authorization voip to configure the authorization method for VoIP users.
Use undo authorization voip to restore the default.
Syntax
authorization voip radius-scheme radius-scheme-name
undo authorization voip
Default
The default authorization method for the ISP domain is used for VoIP users.
Views
ISP domain view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of
1 to 32 characters.
Usage guidelines
The specified RADIUS scheme must have been configured.
The RADIUS authorization configuration takes effect only when the authentication method and
authorization method of the ISP domain use the same RADIUS scheme.
To implement VoIP user authorization, you must complete the following tasks:
• Enable the authorization function for VoIP service.
• Configure an authorization method for VoIP users.
For more information about the commands to be used to enable authorization for VoIP service, see Voice
Command Reference.
Examples
# Configure ISP domain test to use RADIUS authorization scheme rd for VoIP users.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization voip radius-scheme rd
Related commands
• authorization default
• radius scheme
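The same-scheme rule stated in the usage guidelines of every authorization command above (authorization default, dvpn, lan-access, login, portal, ppp, ssl-vpn and voip) is easy to break when a RADIUS scheme is renamed for one service and not the other. The following lint is an added example, not HP or Comware code: it parses the method-list strings exactly as they are typed after the authentication/authorization keywords, reports a RADIUS authorization scheme that differs from the authentication scheme, flags a `none` keyword when FIPS mode is on (the FIPS syntax has no `none`), and, as my own operational check rather than a documented rule, points out a remote scheme configured without a local backup. The dict layout keyed by service name is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MethodList:
    primary: str            # "radius-scheme", "hwtacacs-scheme", "local" or "none"
    scheme: Optional[str]   # scheme name when primary is a remote scheme, else None
    backup: Optional[str]   # trailing "local" / "none" keyword, if any


# Grammar of the method-list keywords as they appear in the command syntax above.
METHOD_RE = re.compile(
    r"^(?:(radius-scheme|hwtacacs-scheme)\s+(\S+)|(local|none))(?:\s+(local|none))?$"
)


def parse_method_list(text: str) -> MethodList:
    """Parse e.g. 'radius-scheme rd local' into its primary and backup parts."""
    m = METHOD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised method list: {text!r}")
    kind, scheme, standalone, backup = m.groups()
    return MethodList(kind or standalone, scheme, backup)


def lint_domain(domain: str, services: Dict[str, Dict[str, str]], fips: bool = False) -> List[str]:
    """Check each service's authentication/authorization pair and return findings."""
    findings = []
    for svc, cfg in services.items():
        authn = parse_method_list(cfg["authentication"]) if cfg.get("authentication") else None
        authz = parse_method_list(cfg["authorization"]) if cfg.get("authorization") else None
        if authz is None:
            continue
        tag = f"domain {domain}, {svc}"
        # Documented rule: RADIUS authorization takes effect only when authentication
        # uses the very same RADIUS scheme.
        if authz.primary == "radius-scheme" and (
            authn is None or authn.primary != "radius-scheme" or authn.scheme != authz.scheme
        ):
            findings.append(f"{tag}: RADIUS authorization scheme {authz.scheme} does not match "
                            f"the authentication scheme; authorization will not take effect")
        # 'none' is absent from the FIPS-mode syntax of every authorization command.
        if fips and "none" in (authz.primary, authz.backup):
            findings.append(f"{tag}: 'none' is not accepted in FIPS mode")
        # Added operational check (not a documented rule): with no local backup, users
        # cannot be authorized while the remote server is unreachable.
        if authz.primary.endswith("-scheme") and authz.backup is None:
            findings.append(f"{tag}: remote authorization via {authz.scheme} has no local backup")
    return findings


# Constructed configuration for ISP domain test, mirroring the CLI examples above.
SAMPLE_CONFIG = {
    "default": {"authentication": "radius-scheme rd local", "authorization": "radius-scheme rd local"},
    "login":   {"authentication": "radius-scheme rd local", "authorization": "radius-scheme rd2 local"},
    "command": {"authorization": "hwtacacs-scheme hwtac"},
    "ppp":     {"authentication": "local", "authorization": "none"},
}

if __name__ == "__main__":
    for finding in lint_domain("test", SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed configuration, the lint reports the login mismatch (rd versus rd2) and the command-line authorization with no local backup; with fips=True it also rejects the `none` on the PPP service.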
authorization-attribute user-profile
Use authorization-attribute user-profile to specify the default authorization user profile for an ISP
domain.
Use undo authorization-attribute user-profile to restore the default.
Syntax
authorization-attribute user-profile profile-name
undo authorization-attribute user-profile
Default
An ISP domain has no default authorization user profile.
Views
ISP domain view
Default command level
3: Manage level
Parameters
profile-name: Specifies the name of the user profile, a case-sensitive string of 1 to 31 characters. For more
information about user profile configuration, see Security Configuration Guide.
Usage guidelines
After a user of an ISP domain passes authentication, if the server (or the access device in the case of local
authentication) does not authorize any user profile to the ISP domain, the system uses the user profile
specified by the authorization-attribute user-profile command as that of the ISP domain.
If you execute the command multiple times, the most recent configuration takes effect.
Examples
# Specify the default authorization user profile for domain test as profile1.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization-attribute user-profile profile1
cut connection
Use cut connection to tear down the specified user connections forcibly.
Syntax
cut connection { access-type { dot1x | mac-authentication | portal } | all | domain isp-name | interface
interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name
user-name | vlan vlan-id }
Views
System view
Default command level
2: System level
Parameters
access-type: Specifies the user connections of the specified access type.
• dot1x: Indicates 802.1X authentication.
• mac-authentication: Indicates MAC address authentication.
• portal: Indicates portal authentication.
all: Specifies all user connections.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument represents
the name of an existing ISP domain and is a string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2
Ethernet interfaces and WLAN virtual interfaces are supported.
ip ip-address: Specifies the user connections for an IP address.
mac mac-address: Specifies the user connections for a MAC address, with mac-address in the format
H-H-H.
ucibindex ucib-index: Specifies the user connection that uses the connection index. The value range for
the ucib-index argument is 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is
a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system
assumes that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies the user connections of a VLAN. The value range for the vlan-id argument is 1 to
4094.
Usage guidelines
This command applies to LAN, portal, and PPP user connections.
For 802.1X users whose usernames carry the version number or contain spaces, you cannot cut the
connections by username.
For 802.1X users whose usernames include a forward slash (/) or backward slash (\) as the domain
name delimiter, you cannot cut their connections by username. For example, the cut connection
user-name aaa\bbb command cannot cut the connections of the user aaa\bbb.
An interface that is configured with a mandatory authentication domain treats users of the corresponding
access type as users in the mandatory authentication domain. For example, if you configure an 802.1X
mandatory authentication domain on an interface, the interface uses the domain's AAA methods for all
its 802.1X users. To cut connections of such users, use the cut connection domain isp-name command,
and specify the mandatory authentication domain.
Examples
# Tear down all connections of ISP domain test.
<Sysname> system-view
[Sysname] cut connection domain test
Related commands
• display connection
• service-type
display connection
Use display connection to display information about AAA user connections.
Syntax
display connection [ access-type { dot1x | mac-authentication | portal } | domain isp-name | interface
interface-type interface-number | ip ip-address | mac mac-address | ucibindex ucib-index | user-name
user-name | vlan vlan-id ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
access-type: Specifies the user connections of the specified access type.
• dot1x: Indicates 802.1X authentication.
• mac-authentication: Indicates MAC address authentication.
• portal: Indicates portal authentication.
domain isp-name: Specifies the user connections of an ISP domain. The isp-name argument represents
the name of an existing ISP domain and is a case-insensitive string of 1 to 24 characters.
interface interface-type interface-number: Specifies the user connections on an interface. Only Layer 2
Ethernet interfaces and WLAN virtual interfaces are supported.
ip ip-address: Specifies the user connections of an IP address.
mac mac-address: Specifies the user connections of a MAC address, with mac-address in the format
H-H-H.
ucibindex ucib-index: Specifies the user connection that uses the connection index. The value range for
the ucib-index argument is 0 to 4294967295.
user-name user-name: Specifies the user connections that use the username. The user-name argument is
a case-sensitive string of 1 to 80 characters. For a username entered without a domain name, the system
assumes that the user is in the default domain or the mandatory authentication domain.
vlan vlan-id: Specifies the user connections of a VLAN. The value range for the vlan-id argument is 1 to
4094.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command does not display information about FTP user connections.
With no parameter specified, this command displays brief information about all AAA user connections.
If you specify the ucibindex ucib-index option, this command displays detailed information. Otherwise,
this command displays brief information.
If an interface is configured with a mandatory authentication domain (for example, an 802.1X
mandatory authentication domain), the device uses the mandatory authentication domain to perform
authentication, authorization, and accounting for users who access the interface through the specified
access type. To display connections of such users, use the display connection domain isp-name
command and specify the mandatory authentication domain.
How the device displays the username of a user on an interface configured with a mandatory
authentication domain depends on the format of the username entered by the user at login:
• If the username does not contain the at sign (@), the device displays the username in the format
username@mandatory authentication domain name.
• If the username contains the at sign (@), the device displays the entered username. For example, if
a user entered the username aaa@123 at login and the name of the mandatory authentication
domain is dom, the device displays the username aaa@123, rather than aaa@123@dom.
For 802.1X users whose usernames use a forward slash (/) or backward slash (\) as the domain name
delimiter, you cannot query the connections by username. For example, the display connection
user-name aaa\bbb command cannot display the connections of the user aaa\bbb.
Examples
# Display information about all AAA user connections.
<Sysname> display connection
Index=1 ,Username=telnet@system
IP=10.0.0.1
IPv6=N/A
Total 1 connection(s) matched.
Field      Description
Username   Username of the connection, in the format username@domain.
Related commands
cut connection
display domain
Use display domain to display the configuration of ISP domains.
Syntax
display domain [ isp-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
isp-name: Specifies the name of an existing ISP domain, a string of 1 to 24 characters.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any ISP domain, the command displays the configuration of all ISP domains.
Examples
# Display the configuration of all ISP domains.
<Sysname> display domain
0 Domain : system
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes :
1 Domain : test
State : Active
Access-limit : Disabled
Accounting method : Required
Default authentication scheme : local
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut : Disabled
Session-time : exclude-idle-time
Self-service : Disabled
Authorization attributes :
Field                 Description
Domain                ISP domain name.
State                 Status of the ISP domain: active or blocked. Users in an active ISP domain can request
                      network services, and users in a blocked ISP domain cannot.
Domain User Template  Indicates some functions and attributes set for users in the domain.
Idle-cut              Indicates whether the idle cut function is enabled. With the idle cut function enabled
                      for a domain, the system logs out any user in the domain whose traffic is less than
                      the specified minimum traffic during the idle timeout period.
Session-time          Indicates whether the idle cut time is included in the user online time to be
                      uploaded to the server. Options include:
                      • Exclude-idle-time: The idle cut time is excluded from the user online time.
                      • Include-idle-time: The idle cut time is included in the user online time.
Related commands
• access-limit enable
• domain
• state
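The display domain output above is what an auditor usually has to work from when checking how a device's ISP domains authenticate users. The parser below is an added example, not HP or Comware code: it turns the output into a dictionary per domain, keeping the fields that follow the "Domain User Template:" line in their own sub-dictionary, and then reports observations a reviewer would want (a blocked domain, a domain whose default authentication is local rather than a central server, idle cut disabled). The audit checks are my own; the sample text is a constructed copy of the output shown above and the indentation the device prints is assumed, which is why every line is matched after stripping whitespace.

```python
import re
from typing import Dict, List

# "0  Domain : system" introduces a new domain block in the output.
DOMAIN_HEADER = re.compile(r"^(\d+)\s+Domain\s*:\s*(\S+)$")


def parse_display_domain(text: str) -> Dict[str, dict]:
    """Parse `display domain` output into {name: {field: value, ..., "template": {field: value}}}."""
    domains: Dict[str, dict] = {}
    current = None
    in_template = False
    for raw in text.splitlines():
        line = raw.strip()
        m = DOMAIN_HEADER.match(line)
        if m:
            current = {"index": int(m.group(1)), "template": {}}
            domains[m.group(2)] = current
            in_template = False
            continue
        if current is None or ":" not in line:
            continue                      # prompt line, blank line, or text before the first domain
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Domain User Template":
            in_template = True            # following fields belong to the user template
            continue
        (current["template"] if in_template else current)[key] = value
    return domains


def audit_domains(domains: Dict[str, dict]) -> List[str]:
    """Observations from the parsed output (added checks, not device rules)."""
    findings = []
    for name, d in domains.items():
        if d.get("State", "").lower() != "active":
            findings.append(f"{name}: state is {d.get('State')}, users cannot request services")
        if d.get("Default authentication scheme") == "local":
            findings.append(f"{name}: default authentication is local (no central AAA server)")
        if d["template"].get("Idle-cut", "").lower() == "disabled":
            findings.append(f"{name}: idle cut disabled, idle sessions are never logged out by the device")
    return findings


# Constructed sample, copied from the output shown above for domains system and test.
SAMPLE_OUTPUT = """\
<Sysname> display domain
  0  Domain : system
     State : Active
     Access-limit : Disabled
     Accounting method : Required
     Default authentication scheme : local
     Default authorization scheme : local
     Default accounting scheme : local
     Domain User Template:
     Idle-cut : Disabled
     Self-service : Disabled
     Authorization attributes :
  1  Domain : test
     State : Active
     Access-limit : Disabled
     Accounting method : Required
     Default authentication scheme : local
     Default authorization scheme : local
     Default accounting scheme : local
     Domain User Template:
     Idle-cut : Disabled
     Session-time : exclude-idle-time
     Self-service : Disabled
     Authorization attributes :
"""

if __name__ == "__main__":
    for finding in audit_domains(parse_display_domain(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample both domains are active, so the audit reports only the local default authentication and the disabled idle cut for each of them.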
domain
Use domain to create an ISP domain and enter ISP domain view.
Use undo domain to remove an ISP domain.
Syntax
domain isp-name
undo domain isp-name
Default
There is a system predefined ISP domain named system in the system.
Views
System view
Default command level
3: Manage level
Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot
contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<),
vertical bar (|), right angle bracket (>), quotation marks ("), and at sign (@).
Usage guidelines
All ISP domains are in active state when they are created.
The system predefined ISP domain system cannot be deleted, but you can modify its configuration.
To delete the ISP domain that is used as the default ISP domain, you must first change it to a non-default
ISP domain by using the undo domain default enable command.
Examples
# Create ISP domain test, and enter ISP domain view.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test]
Related commands
• state
• display domain
The specified domain must already exist. Otherwise, users without a domain name in the username
cannot pass authentication.
To delete the ISP domain that is used as the default ISP domain, you must first change it to a non-default
ISP domain by using the undo domain default enable command.
Examples
# Create a new ISP domain named test, and configure it as the default ISP domain.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] quit
[Sysname] domain default enable test
Related commands
• domain
• state
• display domain
domain if-unknown
Use domain if-unknown to specify an ISP domain for users with unknown domain names.
Use undo domain if-unknown to restore the default.
Syntax
domain if-unknown isp-name
undo domain if-unknown
Default
No ISP domain is specified for users with unknown domain names.
Views
System view
Default command level
3: Manage level
Parameters
isp-name: Specifies an ISP domain name, a case-insensitive string of 1 to 24 characters that cannot
contain the slash (/), backslash (\), colon (:), asterisk (*), question mark (?), left angle bracket (<), right
angle bracket (>), quotation marks ("), and at sign (@).
Usage guidelines
The device chooses an authentication domain for each user in the following order:
• The authentication domain specified for the access module
• The ISP domain in the username
• The default ISP domain of the device
• The ISP domain specified for users with unknown domain names
If all the domains are unavailable, user authentication fails.
NOTE:
Support for the authentication domain configuration depends on the access module. You can specify an
authentication domain for 802.1X, portal, or MAC address authentication.
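The domain selection order above decides which AAA methods a login is subjected to, so it is worth being able to predict it before a user is locked out. The following Python model is an added example, not HP or Comware code: it checks an ISP domain name against the character rules of the domain command, splits a username into user and domain, walks the four-step selection order, and applies the username display and lookup rules given under display connection and cut connection. Two points are my reading of the guidelines rather than quoted device behaviour: the domain is taken as the text after the last "@", and the default domain serves usernames that carry no domain while the if-unknown domain serves usernames whose domain does not exist.

```python
from typing import Iterable, Optional, Tuple

# Characters the `domain` command rejects in an ISP domain name.
FORBIDDEN_DOMAIN_CHARS = set('/\\:*?<|>"@')


def valid_domain_name(name: str) -> bool:
    """True if name obeys the documented rules: 1 to 24 characters, none of them forbidden."""
    return 1 <= len(name) <= 24 and not (set(name) & FORBIDDEN_DOMAIN_CHARS)


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Split 'user@domain' into (user, domain); domain is None when there is no '@'.
    Assumption: the text after the last '@' is the domain name."""
    if "@" not in username:
        return username, None
    user, _, dom = username.rpartition("@")
    return user, dom


def select_domain(username: str, configured: Iterable[str],
                  access_module_domain: Optional[str] = None,
                  default_domain: Optional[str] = None,
                  if_unknown_domain: Optional[str] = None) -> Optional[str]:
    """Pick the authentication domain in the documented order; None means authentication fails.

    Domain names compare case-insensitively because the `domain` command defines them so.
    Assumption: the default domain applies to usernames without a domain, the if-unknown
    domain to usernames whose domain is not configured on the device."""
    existing = {d.lower() for d in configured}

    def exists(d: Optional[str]) -> bool:
        return d is not None and d.lower() in existing

    if exists(access_module_domain):           # 1. domain specified for the access module
        return access_module_domain
    _, dom = split_username(username)
    if dom is not None:
        if exists(dom):                        # 2. domain carried in the username
            return dom
        return if_unknown_domain if exists(if_unknown_domain) else None   # 4. if-unknown domain
    return default_domain if exists(default_domain) else None             # 3. default domain


def display_name(username: str, mandatory_domain: str) -> str:
    """Username as `display connection` shows it on an interface with a mandatory domain:
    unchanged when it already contains '@', otherwise suffixed with the mandatory domain."""
    return username if "@" in username else f"{username}@{mandatory_domain}"


def username_lookup_supported(username: str) -> bool:
    """False for 802.1X usernames that `cut connection` / `display connection ... user-name`
    cannot match: those using '/' or '\\' as the domain delimiter, or containing spaces."""
    return not any(c in username for c in "/\\ ")


if __name__ == "__main__":
    configured = {"system", "test", "dom"}      # constructed set of existing ISP domains
    for user in ("alice@test", "alice", "alice@nowhere"):
        print(user, "->", select_domain(user, configured, default_domain="system",
                                        if_unknown_domain="dom"))
```

The last call in the demonstration shows why domain if-unknown matters: without it, alice@nowhere would fall through every step and fail authentication.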
Examples
# Specify the ISP domain test for users with unknown domain names.
<Sysname> system-view
[Sysname] domain if-unknown test
Related commands
domain default enable
idle-cut enable
Use idle-cut enable to enable the idle cut function and set the relevant parameters.
Use undo idle-cut enable to restore the default.
Syntax
idle-cut enable minute [ flow ]
undo idle-cut enable
Default
The function is disabled.
Views
ISP domain view
Default command level
2: System level
Parameters
minute: Specifies the idle timeout period in the range of 1 to 600 minutes.
flow: Specifies the minimum traffic during the idle timeout period in bytes. The value range is 1 to
10240000, and the default is 10240.
Usage guidelines
With the idle cut function enabled for a domain, the device checks the traffic of each online user in the
domain at the idle timeout interval, and it logs out any user in the domain whose traffic during the idle
timeout period is less than the specified minimum traffic.
You can also set the idle timeout period on the server to make the server log out users whose traffic during
the idle timeout period is less than 10240 bytes. However, your setting on the server takes effect only
when you disable the idle cut function on the device.
Examples
# Enable the idle cut function and set the idle timeout period to 50 minutes and the traffic threshold to
1024 bytes for ISP domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] idle-cut enable 50 1024
Related commands
domain
ip pool
Use ip pool to configure an address pool for assigning addresses to PPP users.
Use undo ip pool to delete an address pool.
Syntax
ip pool pool-number low-ip-address [ high-ip-address ]
undo ip pool pool-number
Default
No IP address pool is configured for PPP users.
Views
ISP domain view
Default command level
2: System level
Parameters
pool-number: Specifies the address pool number in the range of 0 to 99.
low-ip-address and high-ip-address: Specifies the start and end IP addresses of the address pool. Up to
1024 addresses are allowed for an address pool. If you do not specify the end IP address, there is only
one IP address in the pool, which is the start IP address.
Usage guidelines
You can also configure an address pool for PPP users in system view. An IP address pool configured in
system view is used to assign IP addresses to PPP users who do not need to be authenticated. To specify
the address pool used for assigning an IP address to the peer device, use the remote address command
in interface view.
An IP address pool configured in ISP domain view is used to assign IP addresses to the ISP domain's PPP
users who must be authenticated. Configure IP address pools for ISP domains in scenarios where an
interface serves a large number of PPP users but the address resources are inadequate. For example, an
Ethernet interface running PPPoE can accommodate up to 4096 users. However, only one address pool
with up to 1024 addresses can be configured on its VT. This is far from what is required. To address the
issue, configure address pools for ISP domains and assign addresses from them to the PPP users by
domain.
Examples
# Configure the IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] ip pool 0 129.102.0.1 129.102.0.10
Related commands
• ip pool (Layer 2—WAN Command Reference)
• remote address (Layer 2—WAN Command Reference)
nas-id bind vlan
Use nas-id bind vlan to bind a NAS ID with a VLAN.
Use undo nas-id bind vlan to remove a NAS ID-VLAN binding.
Syntax
nas-id nas-identifier bind vlan vlan-id
undo nas-id nas-identifier bind vlan vlan-id
Default
No NAS ID-VLAN binding exists.
Views
NAS ID profile view
Default command level
2: System level
Parameters
nas-identifier: Specifies the NAS ID, a case-sensitive string of 1 to 20 characters.
vlan-id: Specifies the ID of the VLAN to be bound with the NAS ID. The value range is 1 to 4094.
Usage guidelines
In a NAS ID profile view, you can configure multiple NAS ID–VLAN bindings.
A NAS ID can be bound with more than one VLAN, but one VLAN can be bound with only one NAS ID.
If you bind a VLAN with different NAS IDs, only the last binding takes effect.
Examples
# Bind NAS ID 222 with VLAN 2.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa] nas-id 222 bind vlan 2
Related commands
aaa nas-id profile
self-service-url enable
Use self-service-url enable to enable the self-service server location function and specify the URL of the
self-service server.
Use undo self-service-url enable to restore the default.
Syntax
self-service-url enable url-string
undo self-service-url enable
Default
The self-service server location function is disabled.
Views
ISP domain view
Default command level
2: System level
Parameters
url-string: Specifies the URL of the self-service server, a string of 1 to 64 characters that starts with http://
and contains no question mark. This URL was specified by the RADIUS server administrator during
RADIUS server installation.
Usage guidelines
With the self-service function, users can manage and control their accounts and passwords. Only the
RADIUS server systems provided by IMC support the self-service function.
Examples
# For ISP domain test, enable the self-service server location function, and specify the URL of the
self-service server for changing user password to http://10.153.89.94/selfservice.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] self-service-url enable http://10.153.89.94/selfservice
session-time include-idle-time
Use session-time include-idle-time to include the idle cut time in the user online time to be uploaded to
the server.
Use undo session-time include-idle-time to restore the default.
Syntax
session-time include-idle-time
undo session-time include-idle-time
Default
The user online time uploaded to the server excludes the idle cut time.
Views
ISP domain view
Default command level
2: System level
Usage guidelines
When a user logs off, the device uploads the user's online time to the server. However, for a user that was
logged off abnormally, the online time can include an idle timeout interval (when the idle cut function is
enabled) or a detection interval (when online portal user detection is enabled). According to your
accounting policy, you can configure the device to include or exclude the idle cut time before it uploads
the online time to the server.
Examples
# Configure the device to include the idle cut time in the user online time uploaded to the server for ISP
domain test.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] session-time include-idle-time
Related commands
idle-cut enable
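The following is an added example, not Comware code: it simulates the per-domain check performed by idle-cut enable minute flow, together with the effect of session-time include-idle-time on the online time reported to the server. The per-period byte counters are constructed; a real device counts the bytes of each session.

```python
"""Added example (not Comware code): simulates the per-domain idle cut check
performed by `idle-cut enable minute flow` and the effect of
`session-time include-idle-time` on the online time reported to the server.
User traffic samples are constructed; real devices count bytes per session.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class IdleCutPolicy:
    """Settings from ISP domain view (ranges taken from the command reference)."""
    minute: int = 50                 # idle timeout period in minutes, 1 to 600
    flow: int = 10240                # minimum traffic per period in bytes, 1 to 10240000
    include_idle_time: bool = False  # session-time include-idle-time configured?

    def __post_init__(self) -> None:
        if not 1 <= self.minute <= 600:
            raise ValueError("idle timeout period must be 1..600 minutes")
        if not 1 <= self.flow <= 10240000:
            raise ValueError("minimum traffic must be 1..10240000 bytes")


@dataclass
class OnlineUser:
    name: str
    # Cumulative byte counter sampled at login and at the end of every idle
    # timeout period (constructed data; index 0 is the login sample).
    samples: List[int]


def evaluate_idle_cut(policy: IdleCutPolicy,
                      user: OnlineUser) -> Tuple[Optional[int], Optional[int]]:
    """Return (period in which the user was cut, reported online minutes).

    Both are None if the user survived every check. The device checks the
    traffic of each online user once per idle timeout period and logs out any
    user whose traffic in that period is less than `flow`.
    """
    for period in range(1, len(user.samples)):
        traffic = user.samples[period] - user.samples[period - 1]
        if traffic < policy.flow:
            online = period * policy.minute
            if not policy.include_idle_time:
                # Default: the idle period that triggered the cut is excluded
                # from the online time uploaded to the server.
                online -= policy.minute
            return period, online
    return None, None


def check_domain(policy: IdleCutPolicy,
                 users: List[OnlineUser]) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Apply the idle cut check to every online user in the domain."""
    return {u.name: evaluate_idle_cut(policy, u) for u in users}


if __name__ == "__main__":
    # Mirrors the page's example: idle-cut enable 50 1024 in domain test.
    policy = IdleCutPolicy(minute=50, flow=1024)
    users = [
        OnlineUser("alice", [0, 50_000, 60_000, 60_500]),  # idle in period 3
        OnlineUser("bob", [0, 2_048, 4_096, 8_192]),       # always above threshold
    ]
    for name, (period, online) in check_domain(policy, users).items():
        print(name, "cut in period", period, "reported online minutes", online)
```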
undo access-limit
Default
There is no limit to the number of users who concurrently use the same local user account.
Views
Local user view
Default command level
3: Manage level
Parameters
max-user-number: Specifies the maximum number of concurrent users of the same local user account. The
value range is 1 to 1024.
Usage guidelines
This command takes effect only when local accounting is used for the user account.
This limit has no effect on FTP users because accounting is not available for FTP users.
Examples
# Limit the maximum number of concurrent users of local user account abc to 5.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] access-limit 5
Related commands
display local-user
Parameters
acl acl-number: Specifies the authorization ACL. The ACL number is in the range of 2000 to 5999. After
passing authentication, a local user is authorized to access the network resources specified by this ACL.
callback-number callback-number: Specifies the authorized PPP callback number. The callback-number
argument is a case-sensitive string of 1 to 64 characters. After a local user passes authentication, the
device uses this number to call the user.
idle-cut minute: Sets the idle timeout period. With the idle cut function enabled, an online user whose idle
period exceeds the specified idle timeout period is logged out. The minute argument indicates the idle
timeout period in the range of 1 to 120 minutes.
level level: Specifies the user level, which can be 0 for visit level, 1 for monitor level, 2 for system level,
and 3 for manage level. A smaller number means a lower level. This parameter determines the command
level for login users whose user interfaces perform AAA authentication. By default, the user level is 0, and
users can use only commands of level 0 after login.
user-profile profile-name: Specifies the authorization user profile. The profile-name argument is a
case-sensitive string of 1 to 32 characters. It can contain letters, digits, and underscores (_), and must
start with a letter. After a user passes authentication and gets online, the device uses the settings in the
user profile to restrict the access behavior of the user. For more information about user profiles, see
Security Configuration Guide.
user-role: Specifies the role for the local user. This keyword is available in only local user view. Users
playing different roles can access different levels of commands. If you specify no role for a local user, the
access right of the user after login depends on other authorization attributes. Supported roles include:
• guest: A guest user account is usually created through the Web interface.
• guest-manager: An authenticated guest manager can manage guest user accounts on Web pages.
• security-audit: An authenticated security log administrator can manage security log files. The
commands that a security log administrator can use are described in the information center
commands. For more information, see Network Management and Monitoring Command
Reference.
vlan vlan-id: Specifies the authorized VLAN. The value range for the vlan-id argument is 1 to 4094. After
passing authentication, a local user can access the resources in this VLAN.
work-directory directory-name: Specifies the work directory, if the user or users use the FTP or SFTP
service. The directory-name argument is a case-insensitive string of 1 to 135 characters. The directory
must already exist. By default, an FTP or SFTP user can access the root directory of the device.
Usage guidelines
Every configurable authorization attribute has its definite application environments and purposes.
Consider the service types of users when assigning authorization attributes.
Authorization attributes configured for a user group are effective for all local users in the group. You can
group local users to improve configuration and management efficiency.
An authorization attribute configured in local user view takes precedence over the same attribute
configured in user group view. If an authorization attribute is configured in user group view but not in
local user view, the setting in user group view takes effect.
To make sure that FTP and SFTP users can access the directory after a switchover between the main card
and the backup card, do not specify slot information for the work directory.
If only one user is playing the role of security log administrator in the system, you cannot delete the user
account or remove or change the user's role, unless you first configure another user as a security log
administrator.
A local user can play only one role at a time. If you execute the command multiple times, the most recent
configuration takes effect.
Examples
# Configure the authorized VLAN of local user abc as VLAN 2.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] authorization-attribute vlan 2
bind-attribute
Use bind-attribute to configure binding attributes for a local user.
Use undo bind-attribute to remove binding attributes of a local user.
Syntax
bind-attribute { call-number call-number [ : subcall-number ] | ip ip-address | location port slot-number
subslot-number port-number | mac mac-address | vlan vlan-id } *
undo bind-attribute { call-number | ip | location | mac | vlan } *
Default
No binding attribute is configured for a local user.
Views
Local user view
Default command level
3: Manage level
Parameters
call-number call-number: Specifies a calling number for ISDN user authentication. The call-number
argument is a string of 1 to 64 characters. This option applies only to PPP users.
subcall-number: Specifies the sub-calling number. The total length of the calling number and the
sub-calling number cannot be more than 62 characters.
ip ip-address: Specifies the IP address of the user.
location port slot-number subslot-number port-number: Specifies the port to which the user is bound. The
value range for the slot-number argument is 0 to 255, the value range for the subslot-number argument
is 0 to 15, and the value range for the port-number argument is 0 to 255.
mac mac-address: Specifies the MAC address of the user in the format H-H-H.
vlan vlan-id: Specifies the VLAN to which the user belongs. The value range for the vlan-id argument is
1 to 4094.
Usage guidelines
Binding attributes are checked upon authentication of a local user. If the attributes presented by the user
do not match the configured binding attributes, the user fails the binding check and authentication fails.
Binding attribute checking does not take the service types of users into account. A configured binding
attribute is effective for all types of users. Configure binding attributes for different types of local users
with caution. For example, an IP address binding applies only to 802.1X authentication that supports IP
address upload. If the authentication method such as MAC authentication does not support IP address
upload, do not configure an IP address binding for the authentication method. Otherwise, local
authentication fails.
Examples
# Configure the bound IP of local user abc as 3.3.3.3.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] bind-attribute ip 3.3.3.3
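The following is an added example, not Comware code: it models the binding attribute check that runs when a local user authenticates, including the failure mode from the usage guidelines (an IP address binding under an access method that does not upload the IP address). The table of which attributes each access method can report is an assumption modelled on the guidelines, not device behaviour taken from the reference.

```python
"""Added example (not Comware code): models the binding attribute check that
runs when a local user authenticates. UPLOADED_BY_METHOD is an assumption
modelled on the usage guidelines (802.1X can upload the user's IP address,
MAC authentication cannot).
"""
import ipaddress
import re
from typing import Dict, Tuple

# Attributes an access method is able to upload (assumption for this example).
UPLOADED_BY_METHOD = {
    "dot1x": {"ip", "mac", "vlan", "location"},
    "mac-auth": {"mac", "vlan", "location"},
    "ppp": {"call-number", "ip", "location"},
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def canonical(attr: str, value: str) -> str:
    """Normalise a value so configured and observed forms compare equal.

    Raises ValueError for values outside the ranges given in the reference.
    """
    if attr == "ip":
        return str(ipaddress.IPv4Address(value))
    if attr == "mac":
        # Accept H-H-H (e.g. 000f-e2a1-b3c4) as well as colon separated forms.
        digits = re.sub(r"[-:.]", "", value).lower()
        if not _MAC_RE.match(digits):
            raise ValueError(f"bad MAC address {value!r}")
        return digits
    if attr == "vlan":
        vid = int(value)
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} out of range 1..4094")
        return str(vid)
    if attr == "location":
        slot, subslot, port = (int(x) for x in value.split("/"))
        if not (0 <= slot <= 255 and 0 <= subslot <= 15 and 0 <= port <= 255):
            raise ValueError(f"location {value!r} out of range")
        return f"{slot}/{subslot}/{port}"
    if attr == "call-number":
        # call-number[:subcall-number], combined length at most 62 characters.
        if not 1 <= len(value.replace(":", "", 1)) <= 62:
            raise ValueError("calling number too long")
        return value
    raise ValueError(f"unknown binding attribute {attr!r}")


def check_bindings(configured: Dict[str, str], observed: Dict[str, str],
                   method: str) -> Tuple[bool, str]:
    """Return (passed, reason) for one authentication attempt.

    `configured` holds the bind-attribute settings of the local user;
    `observed` holds what the access method actually reported. Every
    configured attribute must be present and equal; an attribute the method
    cannot upload makes the check, and so local authentication, fail.
    """
    if method not in UPLOADED_BY_METHOD:
        return False, f"unknown access method {method!r}"
    for attr, wanted in configured.items():
        if attr not in UPLOADED_BY_METHOD[method]:
            return False, f"{attr} binding cannot be verified: {method} does not upload it"
        if attr not in observed:
            return False, f"{attr} not reported by the client"
        if canonical(attr, observed[attr]) != canonical(attr, wanted):
            return False, f"{attr} mismatch: expected {wanted}, got {observed[attr]}"
    return True, "all binding attributes match"


if __name__ == "__main__":
    # Page example: bind-attribute ip 3.3.3.3 for local user abc.
    abc = {"ip": "3.3.3.3"}
    print(check_bindings(abc, {"ip": "3.3.3.3", "mac": "000f-e2a1-b3c4"}, "dot1x"))
    print(check_bindings(abc, {"mac": "000f-e2a1-b3c4"}, "mac-auth"))
```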
display local-user
Use display local-user to display configuration and statistics information about local users.
Syntax
In non-FIPS mode:
display local-user [ idle-cut { disable | enable } | service-type { dvpn | ftp | lan-access | pad | portal
| ppp | ssh | telnet | terminal | web } | state { active | block } | user-name user-name | vlan vlan-id ]
[ | { begin | exclude | include } regular-expression ]
In FIPS mode:
display local-user [ idle-cut { disable | enable } | service-type { lan-access | portal | ssh | terminal |
web } | state { active | block } | user-name user-name | vlan vlan-id ] [ | { begin | exclude | include }
regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
idle-cut { disable | enable }: Specifies local users with the idle cut function disabled or enabled.
service-type: Specifies the local users who use a specified type of service.
• dvpn: DVPN tunnel users.
• ftp: FTP users.
• lan-access: Users accessing the network through Ethernet, such as 802.1X users.
• pad: X.25 PAD users.
• portal: Portal users.
• ppp: PPP users.
• ssh: SSH users.
• telnet: Telnet users.
• terminal: Users logging in through the console port, AUX port, or Asyn port.
• web: Web users.
state { active | block }: Specifies local users in active or blocked state. A local user in active state can
access network services, but a local user in blocked state cannot.
user-name user-name: Specifies all local users using the specified username. The username is a
case-sensitive string of 1 to 55 characters, and it does not contain the domain name.
vlan vlan-id: Specifies all local users in a VLAN. The value range for the vlan-id argument is 1 to 4094.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameter, the command displays information about all local users.
Examples
# Display information about all local users.
<Sysname> display local-user
The contents of local user abc:
State: Active
ServiceType: lan-access
Access-limit: Enabled Current AccessNum: 0
Max AccessNum: 300
User-group: system
Bind attributes:
IP address: 1.2.3.4
Bind location: 0/4/1 (SLOT/SUBSLOT/PORT)
MAC address: 00-01-00-02-00-03
Vlan ID: 100
Authorization attributes:
Idle TimeOut: 10(min)
Work Directory: cfa0:/
User Privilege: 3
Acl ID: 2000
Vlan ID: 100
User Profile: prof1
Expiration date: 12:12:12-2018/09/16
Password aging: Enabled (30 days)
Password length: Enabled (4 characters)
Password composition: Enabled (4 types, 2 characters per type)
Total 1 local user(s) matched.
Table 3 Command output
Field          Description
State          Status of the local user: active or blocked.
ServiceType    Service types that the local user can use, including DVPN, FTP, LAN access, PAD, PPP, portal, SSH, Telnet, terminal, and Web.
Access-limit   Whether or not to limit the number of concurrent connections of the username.
Related commands
local-user
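The following is an added example, not Comware code: it parses the text printed by display local-user into one dictionary per account so that local accounts can be audited from a script. The sample output is constructed from the page's example (with a second account added to show one that has no expiration date), and the audit rule at the end is this example's choice, not a rule from the reference.

```python
"""Added example (not Comware code): parses `display local-user` output into a
dictionary per account. SAMPLE is constructed from the page's example output;
the second account is added to show a case without an expiration date.
"""
import re
from typing import Dict, List

# Key/value pairs; several pairs may share a line ("Access-limit: Enabled Current AccessNum: 0").
_KV = re.compile(r"([A-Za-z][\w \-]*?):\s*(.*?)(?=\s+[A-Z][\w \-]*?:\s|$)")
_USER = re.compile(r"^The contents of local user (\S+):$")
_SECTION = re.compile(r"^([A-Za-z ]+ attributes):$")


def parse_display_local_user(text: str) -> Dict[str, dict]:
    users: Dict[str, dict] = {}
    current = None          # dict for the account being read
    section = None          # name of the nested attribute block, if any
    section_indent = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Total "):
            continue
        indent = len(raw) - len(raw.lstrip())
        m = _USER.match(line)
        if m:
            current = users.setdefault(m.group(1), {})
            section = None
            continue
        if current is None:
            continue
        # A line indented no deeper than the section header ends the section.
        if section is not None and indent <= section_indent:
            section = None
        m = _SECTION.match(line)
        if m:
            section, section_indent = m.group(1), indent
            current.setdefault(section, {})
            continue
        target = current[section] if section is not None else current
        for key, value in _KV.findall(line):
            target[key] = value.strip()
    return users


def privileged_without_expiry(users: Dict[str, dict]) -> List[str]:
    """Names of accounts at manage level (privilege 3) that never expire.

    What to flag is this example's choice, not a rule from the reference.
    """
    flagged = []
    for name, info in users.items():
        auth = info.get("Authorization attributes", {})
        if auth.get("User Privilege") == "3" and "Expiration date" not in info:
            flagged.append(name)
    return flagged


# Constructed from the page's example output (indentation as printed by the device).
SAMPLE = """\
The contents of local user abc:
 State: Active
 ServiceType: lan-access
 Access-limit: Enabled Current AccessNum: 0
 Max AccessNum: 300
 User-group: system
 Bind attributes:
  IP address: 1.2.3.4
  Bind location: 0/4/1 (SLOT/SUBSLOT/PORT)
  MAC address: 00-01-00-02-00-03
  Vlan ID: 100
 Authorization attributes:
  Idle TimeOut: 10(min)
  Work Directory: cfa0:/
  User Privilege: 3
  Acl ID: 2000
  Vlan ID: 100
  User Profile: prof1
 Expiration date: 12:12:12-2018/09/16
 Password aging: Enabled (30 days)
The contents of local user ops:
 State: Active
 ServiceType: ssh
 User-group: system
 Authorization attributes:
  User Privilege: 3
Total 2 local user(s) matched.
"""

if __name__ == "__main__":
    parsed = parse_display_local_user(SAMPLE)
    print(parsed["abc"]["Bind attributes"])
    print("privileged accounts without expiry:", privileged_without_expiry(parsed))
```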
display user-group
Use display user-group to display the configuration of user groups.
Syntax
display user-group [ group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
group-name: Specifies a user group name, a case-insensitive string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any user group name, the command displays the configuration of all user groups.
Examples
# Display the configuration of user group abc.
<Sysname> display user-group abc
The contents of user group abc:
Authorization attributes:
Idle-cut: 120(min)
Work Directory: cfa0:
Level: 1
Acl Number: 2000
Vlan ID: 1
User-Profile: 1
Callback-number: 1
Password aging: Enabled (1 days)
Password length: Enabled (4 characters)
Password composition: Enabled (1 types, 1 characters per type)
Total 1 user group(s) matched.
Field Description
Idle-cut Idle timeout interval, in minutes.
Work Directory Directory that FTP/SFTP users in the group can access.
ACL Number Authorization ACL for the local users in the group.
Callback-number Authorized PPP callback number for the local users in the group.
Password aging Password aging time for the local users in the group.
Password length Minimum password length for the local users in the group.
Password composition Password composition policy of the local users in the group.
Related commands
user-group
Syntax
expiration-date time
undo expiration-date
Default
A local user has no expiration time, and no time validity checking is performed.
Views
Local user view
Default command level
3: Manage level
Parameters
time: Specifies the expiration time of the local user, in the format HH:MM:SS-MM/DD/YYYY,
HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS
indicates the time, where HH is in the range of 0 to 23, and MM and SS are in the range of 0 to 59.
MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY is in the range of 2000 to 2035,
MM is in the range of 1 to 12, and the range of DD depends on the month. Except for the zeros in
00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals
02:02:00-2008/02/02.
Usage guidelines
For temporary network access requirements, create a guest account, and specify a validity time and an
expiration time for the account to control the validity of the account. When a user uses the guest account
for local authentication and passes the authentication, the access device checks whether the current
system time is between the validity time and the expiration time. If it is, the device permits the user to
access the network. Otherwise, the device denies the access request of the user.
Examples
# Set the expiration time of user abc to 12:10:20 on May 31, 2008.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31
Related commands
validity-date
group
Use group to assign a local user to a user group.
Use undo group to restore the default.
Syntax
group group-name
undo group
Default
A local user belongs to the system default user group system.
Views
Local user view
Default command level
3: Manage level
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Examples
# Assign local user 111 to user group abc.
<Sysname> system-view
[Sysname] local-user 111
[Sysname-luser-111] group abc
local-user
Use local-user to add a local user and enter local user view.
Use undo local-user to remove the specified local users.
Syntax
local-user user-name
undo local-user { user-name | all [ service-type { dvpn | ftp | lan-access | pad | portal | ppp | ssh |
telnet | terminal | web } ] }
Default
A local user exists.
Views
System view
Default command level
3: Manage level
Parameters
user-name: Specifies the name for the local user, a case-sensitive string of 1 to 55 characters that does
not contain the domain name. It cannot contain any backward slash (\), forward slash (/), vertical bar
(|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), and at sign
(@), and cannot be a, al, or all.
all: Specifies all users.
service-type: Specifies the users of a type.
• dvpn: Users using DVPN tunnel.
• ftp: FTP users. This parameter is not supported in FIPS mode.
• lan-access: Users accessing the network through an Ethernet, such as 802.1X users.
• pad: Users using X.25 PAD.
• portal: Portal users.
• ppp: PPP users.
• ssh: SSH users.
• telnet: Telnet users. This parameter is not supported in FIPS mode.
• terminal: Users logging in through the console, AUX, or Asyn port. This parameter is required in
FIPS mode.
• web: Web users.
Examples
# Add a local user named user1.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1]
Related commands
• display local-user
• service-type
Related commands
• display local-user
• password
Usage guidelines
If you do not specify any parameter, you enter the interactive mode to set a plaintext password. The
interactive mode is available only on devices that support the password control feature. For more
information about password control commands, see "Password control configuration commands."
When the password control feature is enabled globally by using the password-control enable command,
local user passwords are subject to the password control restrictions (for example, on length and
complexity) and are not displayed.
In FIPS mode, you can configure passwords for local users only in interactive mode.
Examples
# Set the password to 123456 in plain text for local user user1.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password simple 123456
# Set a plaintext password 123456 in interactive mode for local user user1.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] password
Password:******
Confirm :******
Related commands
display local-user
service-type
Use service-type to specify the service types that a user can use.
Use undo service-type to delete one or all service types configured for a user.
Syntax
In non-FIPS mode:
service-type { dvpn | ftp | lan-access | { pad | ssh | telnet | terminal } * | portal | ppp | web }
undo service-type { dvpn | ftp | lan-access | { pad | ssh | telnet | terminal } * | portal | ppp | web }
In FIPS mode:
service-type { lan-access | { ssh | terminal } * | portal | ppp | web }
undo service-type { lan-access | { ssh | terminal } * | portal | ppp | web }
Default
A user is authorized with no service.
Views
Local user view
Default command level
3: Manage level
Parameters
dvpn: Authorizes the user to use the DVPN service.
ftp: Authorizes the user to use the FTP service. The user can use the root directory of the FTP server by
default.
lan-access: Authorizes the user to use the LAN access service. The users are mainly Ethernet users such
as 802.1X users.
pad: Authorizes the user to use the PAD service.
ssh: Authorizes the user to use the SSH service.
telnet: Authorizes the user to use the Telnet service.
terminal: Authorizes the user to use the terminal service, allowing the user to log in from the console, AUX
or Asyn port.
portal: Authorizes the user to use the portal service.
ppp: Authorizes the user to use the PPP service.
web: Authorizes the user to use the Web service.
Usage guidelines
You can assign multiple service types to the same user.
Examples
# Authorize user user1 to use the Telnet service.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] service-type telnet
Examples
# Place local user user1 in blocked state.
<Sysname> system-view
[Sysname] local-user user1
[Sysname-luser-user1] state block
Related commands
local-user
user-group
Use user-group to create a user group and enter its view.
Use undo user-group to remove a user group.
Syntax
user-group group-name
undo user-group group-name
Views
System view
Default command level
3: Manage level
Parameters
group-name: Specifies the user group name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A user group consists of a group of local users and has a set of local user attributes. You can configure
local user attributes for a user group to implement centralized management of user attributes for the local
users in the group. Configurable user attributes include password control attributes and authorization
attributes.
A user group with one or more local users cannot be removed.
The system predefined user group system cannot be removed, but you can modify its configuration.
Examples
# Create a user group named abc, and enter its view.
<Sysname> system-view
[Sysname] user-group abc
[Sysname-ugroup-abc]
Related commands
display user-group
validity-date
Use validity-date to set the validity time of a local user.
Use undo validity-date to remove the configuration.
Syntax
validity-date time
undo validity-date
Default
A local user has no validity time and no time validity checking is performed.
Views
Local user view
Default command level
3: Manage level
Parameters
time: Specifies the validity time of the local user, in the format HH:MM:SS-MM/DD/YYYY,
HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS, or YYYY/MM/DD-HH:MM:SS. HH:MM:SS
indicates the time, where HH is in the range of 0 to 23, and MM and SS are in the range of 0 to 59.
MM/DD/YYYY or YYYY/MM/DD indicates the date, where YYYY is in the range of 2000 to 2035,
MM is in the range of 1 to 12, and the range of DD depends on the month. Except for the zeros in
00:00:00, leading zeros can be omitted. For example, 2:2:0-2008/2/2 equals
02:02:00-2008/02/02.
Usage guidelines
For temporary network access requirements, create a guest account, and specify a validity time and an
expiration time for the account to control the validity of the account. When a user uses the guest account
for local authentication and passes the authentication, the access device checks whether the current
system time is between the validity time and the expiration time. If it is, the device permits the user to
access the network. Otherwise, the device denies the access request of the user.
Examples
# Set the validity time of user abc to 12:10:20 on April 30, 2008, and set the expiration time to 12:10:20
on May 31, 2008.
<Sysname> system-view
[Sysname] local-user abc
[Sysname-luser-abc] validity-date 12:10:20-2008/04/30
[Sysname-luser-abc] expiration-date 12:10:20-2008/05/31
Related commands
expiration-date
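The following is an added example, not Comware code: it parses the time argument shared by validity-date and expiration-date (all four layouts, leading zeros optional, year 2000 to 2035) and applies the check from the usage guidelines, permitting access only while the system time lies between the validity time and the expiration time.

```python
"""Added example (not Comware code): parses the time argument accepted by
`validity-date` and `expiration-date` and applies the validity window check
described in the usage guidelines of both commands.
"""
import re
from datetime import datetime
from typing import Optional

_TIME = r"(\d{1,2}):(\d{1,2}):(\d{1,2})"
_DATE = r"(\d{1,4})/(\d{1,2})/(\d{1,4})"
_TIME_FIRST = re.compile(rf"^{_TIME}-{_DATE}$")   # HH:MM:SS-date
_DATE_FIRST = re.compile(rf"^{_DATE}-{_TIME}$")   # date-HH:MM:SS


def parse_local_user_time(text: str) -> datetime:
    """Parse HH:MM:SS-MM/DD/YYYY, HH:MM:SS-YYYY/MM/DD, MM/DD/YYYY-HH:MM:SS
    or YYYY/MM/DD-HH:MM:SS; leading zeros may be omitted."""
    m = _TIME_FIRST.match(text)
    if m:
        hh, mi, ss, d1, d2, d3 = (int(x) for x in m.groups())
    else:
        m = _DATE_FIRST.match(text)
        if not m:
            raise ValueError(f"unrecognised time {text!r}")
        d1, d2, d3, hh, mi, ss = (int(x) for x in m.groups())
    # YYYY/MM/DD vs MM/DD/YYYY: the year is always 2000..2035, so a leading
    # value of 2000 or more can only be the year.
    if d1 >= 2000:
        year, month, day = d1, d2, d3
    else:
        month, day, year = d1, d2, d3
    if not 2000 <= year <= 2035:
        raise ValueError(f"year {year} outside 2000..2035")
    if not (0 <= hh <= 23 and 0 <= mi <= 59 and 0 <= ss <= 59):
        raise ValueError(f"time of day out of range in {text!r}")
    # datetime() rejects a day that does not exist in the month (e.g. 2/30).
    return datetime(year, month, day, hh, mi, ss)


def access_permitted(now: datetime, validity: Optional[datetime] = None,
                     expiration: Optional[datetime] = None) -> bool:
    """True unless the account is not yet valid or has already expired.

    A bound that is not configured is not checked, matching the defaults
    of validity-date and expiration-date.
    """
    if validity is not None and now < validity:
        return False
    if expiration is not None and now > expiration:
        return False
    return True


if __name__ == "__main__":
    # Page example: validity 12:10:20-2008/04/30, expiration 12:10:20-2008/05/31.
    start = parse_local_user_time("12:10:20-2008/04/30")
    end = parse_local_user_time("12:10:20-2008/05/31")
    for probe in ("0:0:0-2008/4/1", "0:0:0-2008/5/15", "0:0:0-2008/6/1"):
        print(probe, access_permitted(parse_local_user_time(probe), start, end))
```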
Default
The accounting-on feature is disabled.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
seconds: Specifies the time interval for retransmitting an accounting-on packet in seconds. The value
range is 1 to 15, and the default is 3.
send-times: Specifies the maximum number of accounting-on packet transmission attempts. The value
range is 1 to 255, and the default is 50.
Usage guidelines
The accounting-on feature enables the device, after rebooting, to automatically send an accounting-on
message to the RADIUS accounting server indicated by the RADIUS scheme to stop accounting for and
log out online users.
Parameters set with the accounting-on enable command take effect immediately.
After executing the accounting-on enable command, issue the save command to make sure that the
command takes effect after the device reboots.
Examples
# Enable the accounting-on feature for RADIUS authentication scheme radius1, and set the
retransmission interval to 5 seconds and the transmission attempts to 15.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] accounting-on enable interval 5 send 15
Related commands
radius scheme
attribute 25 car
Use attribute 25 car to specify the device to interpret the RADIUS class attribute (attribute 25) as CAR
parameters.
Use undo attribute 25 car to restore the default.
Syntax
attribute 25 car
undo attribute 25 car
Default
RADIUS attribute 25 is not interpreted as CAR parameters.
Views
RADIUS scheme view
Default command level
2: System level
Examples
# Specify the device to interpret RADIUS attribute 25 as CAR parameters.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] attribute 25 car
Related commands
• display radius scheme
• display connection
Related commands
display radius scheme
display radius scheme
Use display radius scheme to display the configuration of RADIUS schemes.
Syntax
display radius scheme [ radius-scheme-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
radius-scheme-name: Specifies the RADIUS scheme name.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any RADIUS scheme, the command displays the configuration of all RADIUS
schemes.
Examples
# Display the configuration of all RADIUS schemes.
<Sysname> display radius scheme
------------------------------------------------------------------
SchemeName : radius1
Index : 0 Type : extended
Primary Auth Server:
IP: 1.1.1.1 Port: 1812 State: active
Encryption Key : ******
VPN instance : 1
Probe username : test
Probe interval : 60 min
Primary Acct Server:
IP: 1.1.1.1 Port: 1813 State: active
Encryption Key : ******
VPN instance : 1
Second Auth Server:
IP: 1.1.2.1 Port: 1812 State: active
Encryption Key : N/A
VPN instance : N/A
Probe username : test
Probe interval : 60 min
IP: 1.1.3.1 Port: 1812 State: active
Encryption Key : N/A
VPN instance : N/A
Probe username : N/A
Probe interval : N/A
Second Acct Server:
IP: 1.1.2.1 Port: 1813 State: block
Encryption Key : N/A
VPN instance : N/A
Auth Server Encryption Key : ******
Acct Server Encryption Key : N/A
VPN instance : 1
Accounting-On packet disable, send times : 50 , interval : 3s
Interval for timeout(second) : 3
Retransmission times for timeout : 3
Interval for realtime accounting(minute) : 12
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
------------------------------------------------------------------
Total 1 RADIUS scheme(s).
Field                                               Description
SchemeName                                          Name of the RADIUS scheme.
Type                                                Type of the RADIUS server that the device supports. Options include:
                                                    • Extended—The RADIUS server uses the proprietary RADIUS protocol of HP for packet exchange.
                                                    • Standard—The RADIUS server uses the standard RADIUS protocol for packet exchange. The protocol is compliant with RFC 2865 and RFC 2866 or later.
Encryption Key                                      Shared key for secure authentication or accounting communication, displayed as a series of asterisks (******). If no shared key is configured, this field displays N/A.
VPN instance                                        MPLS L3VPN to which the server belongs. If no VPN instance is specified for the server, this field does not appear.
Retransmission times of realtime-accounting packet  Maximum number of accounting attempts.
Retransmission times of stop-accounting packet      Maximum number of stop-accounting attempts.
Data flow unit                                      Unit for data flows sent to the RADIUS server.
Related commands
radius scheme
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display statistics about RADIUS packets.
<Sysname> display radius statistics
state statistic(total=1024):
DEAD = 1024 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
Received and Sent packets statistic:
Sent PKT total = 1547 Received PKT total = 23
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
Running statistic:
RADIUS received messages statistic:
Auth request Num = 24 Err = 0 Succ = 24
Account request Num = 4 Err = 0 Succ = 4
Account off request Num = 503 Err = 0 Succ = 503
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
Realtime Account timer Num = 0 Err = 0 Succ = 0
PKT response Num = 23 Err = 0 Succ = 23
Session ctrl pkt Num = 0 Err = 0 Succ = 0
Normal author request Num = 0 Err = 0 Succ = 0
Set policy result Num = 0 Err = 0 Succ = 0
Accounting on request Num = 1 Err = 0 Succ = 1
Accounting on response Num = 0 Err = 0 Succ = 0
Dynamic Author Ext request Num = 0 Err = 0 Succ = 0
RADIUS sent messages statistic:
Auth accept Num = 0
Auth reject Num = 0
Auth continue Num = 0
Account success Num = 4
Account failure Num = 3
Server ctrl req Num = 0
RecError_MSG_sum = 0
SndMSG_Fail_sum = 0
Timer_Err = 0
Alloc_Mem_Err = 0
State Mismatch = 0
Other_Error = 0
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
Field Description
state statistic: User statistics, by state. The value range is 0 to 1024.
Received and Sent packets statistic: Statistics for packets received and sent by the RADIUS module.
RADIUS received packets statistic: Statistics for packets received by the RADIUS module.
Account request: Counts of accounting requests.
Discarded No-response-acct-stop packet for buffer overflow: Number of stop-accounting packets that were buffered but then discarded because the buffer was full.
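The counters above are the first place to look when RADIUS authentication or accounting misbehaves. The following script is an added example, not part of this reference or of Comware: it parses the text of display radius statistics (the sample embedded in it is abridged from the output shown above) into a flat dictionary and applies a few triage rules. The thresholds in assess() are the example's own assumptions, not device defaults.

```python
"""Parse `display radius statistics` output and flag signs of RADIUS trouble.

Added example for this reference page; it is not Comware code. SAMPLE_OUTPUT
is abridged from the output shown above. The thresholds in assess() are this
example's own assumptions, not device defaults.
"""
import re

SAMPLE_OUTPUT = """\
state statistic(total=1024):
DEAD = 1024 AuthProc = 0 AuthSucc = 0
AcctStart = 0 RLTSend = 0 RLTWait = 0
AcctStop = 0 OnLine = 0 Stop = 0
Received and Sent packets statistic:
Sent PKT total = 1547 Received PKT total = 23
RADIUS received packets statistic:
Code = 2 Num = 15 Err = 0
Code = 3 Num = 4 Err = 0
Code = 5 Num = 4 Err = 0
Code = 11 Num = 0 Err = 0
Running statistic:
RADIUS received messages statistic:
Auth request Num = 24 Err = 0 Succ = 24
Account request Num = 4 Err = 0 Succ = 4
Account off request Num = 503 Err = 0 Succ = 503
PKT auth timeout Num = 15 Err = 5 Succ = 10
PKT acct_timeout Num = 1509 Err = 503 Succ = 1006
PKT response Num = 23 Err = 0 Succ = 23
RADIUS sent messages statistic:
Auth accept Num = 0
Auth reject Num = 0
Account success Num = 4
Account failure Num = 3
No-response-acct-stop packet = 1
Discarded No-response-acct-stop packet for buffer overflow = 0
"""

# "<name> = <int>" pairs; one display line may carry several of them.
KV_RE = re.compile(r"(\S[^=]*?)\s*=\s*(\d+)")
TOTAL_RE = re.compile(r"state statistic\(total=(\d+)\)")

# RADIUS packet codes (RFC 2865 / RFC 2866) behind the "Code = N" lines.
RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject",
                5: "Accounting-Response", 11: "Access-Challenge"}


def parse_radius_statistics(text):
    """Flatten the display output into {counter: int}.

    'X Num = a Err = b Succ = c' -> X.Num, X.Err, X.Succ
    'Code = N Num = a Err = b'   -> code.N.Num, code.N.Err
    any other 'name = value'     -> name
    """
    stats = {}
    m = TOTAL_RE.search(text)
    if m:
        stats["total"] = int(m.group(1))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):   # section headers carry no counters
            continue
        pairs = KV_RE.findall(line)
        if not pairs:
            continue
        first_key, first_val = pairs[0]
        if first_key == "Code":
            prefix, rest = f"code.{first_val}", pairs[1:]
        elif first_key.endswith(" Num"):
            prefix, rest = first_key[:-4], [("Num", first_val)] + pairs[1:]
        else:
            prefix, rest = None, pairs
        for key, val in rest:
            stats[f"{prefix}.{key}" if prefix else key] = int(val)
    return stats


def assess(stats, max_acct_err_ratio=0.2, min_response_ratio=0.5):
    """Return {finding_code: message}. Thresholds are assumptions."""
    def g(k):
        return stats.get(k, 0)
    findings = {}
    num, err = g("PKT acct_timeout.Num"), g("PKT acct_timeout.Err")
    if num and err / num > max_acct_err_ratio:
        findings["acct-timeouts"] = (f"{err} of {num} accounting retransmissions exhausted "
                                     "their retries: accounting server down or key mismatch")
    if g("PKT auth timeout.Err"):
        findings["auth-timeouts"] = (f"{g('PKT auth timeout.Err')} authentication requests "
                                     "got no reply after all retries")
    sent, recv = g("Sent PKT total"), g("Received PKT total")
    if sent and recv / sent < min_response_ratio:
        findings["low-response-rate"] = f"only {recv} of {sent} sent packets were answered"
    if g("No-response-acct-stop packet"):
        findings["stop-acct-buffered"] = "stop-accounting requests are buffered; see display stop-accounting-buffer"
    if g("Discarded No-response-acct-stop packet for buffer overflow"):
        findings["stop-acct-discarded"] = "buffered stop-accounting requests were dropped; those sessions never close on the server"
    if g("Account failure.Num"):
        findings["account-failures"] = f"{g('Account failure.Num')} accounting requests failed"
    accepts, rejects = g("code.2.Num"), g("code.3.Num")
    if rejects > accepts:
        findings["reject-heavy"] = (f"{rejects} {RADIUS_CODES[3]} vs {accepts} {RADIUS_CODES[2]}: "
                                    "look for credential guessing")
    return findings


if __name__ == "__main__":
    for code, msg in assess(parse_radius_statistics(SAMPLE_OUTPUT)).items():
        print(f"{code}: {msg}")
```

On the sample output the script reports accounting timeouts (503 of 1509 retransmissions failed), five authentication requests that exhausted their retries, a very low response rate (23 of 1547 packets answered) and one buffered stop-accounting request; all of that is consistent with an accounting server that is unreachable or configured with a different shared key.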
Related commands
radius scheme
Views
Any view
Default command level
2: System level
Parameters
radius-scheme radius-scheme-name: Specifies buffered stop-accounting requests that are destined for
the accounting server defined in a RADIUS scheme. The RADIUS scheme name is a case-insensitive
string of 1 to 32 characters.
session-id session-id: Specifies the stop-accounting requests buffered for a session. The session ID is a
string of 1 to 50 characters.
time-range start-time stop-time: Specifies the stop-accounting requests buffered in a time range. The start
time and end time must be in the format HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD.
user-name user-name: Specifies the stop-accounting requests buffered for a user. The username is a
case-sensitive string of 1 to 80 characters. Whether the user-name argument should include the domain
name depends on the setting configured by the user-name-format command for the RADIUS scheme.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If the device sends a stop-accounting request to a RADIUS server but receives no response, it retransmits
the request up to the number of times set by the retry command. If it still receives no response, it
considers the stop-accounting attempt a failure, buffers the request, and makes another stop-accounting
attempt. The maximum number of stop-accounting attempts is set by the retry stop-accounting command.
If all attempts fail, the device discards the request, and the server never receives the stop-accounting
record for that session.
Examples
# Display information about the stop-accounting requests buffered for user abc.
<Sysname> display stop-accounting-buffer user-name abc
RDIdx Session-ID user name Happened time
1 1000326232325010 abc 23:27:16-08/31/2006
1 1000326232326010 abc 23:33:01-08/31/2006
Total 2 record(s) Matched
Related commands
• reset stop-accounting-buffer
• stop-accounting-buffer enable
• user-name-format
• retry
• retry stop-accounting
key (RADIUS scheme view)
Use key to set the shared key for secure RADIUS authentication/authorization or accounting
communication.
Use undo key to remove the configuration.
Syntax
key { accounting | authentication } [ cipher | simple ] key
undo key { accounting | authentication }
Default
No shared key is configured.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the shared key for secure RADIUS accounting communication.
authentication: Sets the shared key for secure RADIUS authentication/authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key: Specifies the shared key string. This argument is case sensitive.
• In non-FIPS mode, a ciphertext password is a string of 1 to 117 characters, and a plaintext password
is a string of 1 to 64 characters. If you specify neither cipher nor simple, you set a plaintext shared
key.
• In FIPS mode, a ciphertext password is a string of 8 to 117 characters, and a plaintext password is
a string of 8 to 64 characters that must contain digits, uppercase letters, lowercase letters, and
special characters. If you specify neither cipher nor simple, you set a plaintext shared key.
Usage guidelines
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
A shared key specified in a primary or secondary server command of the scheme takes precedence over
the scheme-wide key set by this command.
The shared keys configured on the device must match those configured for this NAS on the RADIUS
servers. The key is used both to hide the User-Password attribute and to compute the packet
authenticators; a server that cannot verify the authenticator of an accounting request silently
discards it (RFC 2866), so a mismatched key shows up as timeouts rather than rejects.
In FIPS mode, the shared key specified in this command is encrypted and decrypted through 3DES.
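What the shared key actually protects is easiest to see with both ends of one exchange. The script below is an added example, not part of this reference or of HP's code: a NAS hides User-Password with the key as RFC 2865 section 5.2 specifies, the server recovers it with its own copy of the key and signs its reply (RFC 2865 section 3), and an Accounting-Request is checked the RFC 2866 way. Usernames, passwords and keys are made up for the example.

```python
"""Why the shared key has to match: a minimal RADIUS exchange, both sides.

Added example for this page, not Comware code. The NAS hides User-Password
with the key (RFC 2865 section 5.2); the server recovers it with its own copy
of the key and signs its reply (RFC 2865 section 3); an Accounting-Request is
checked the RFC 2866 way. Usernames, passwords and keys are made up.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(t, value):
    """Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", t, len(value) + 2) + value


def header(code, ident, body_len):
    return struct.pack("!BBH", code, ident, 20 + body_len)


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header(code, ident, len(body)) + req_auth + body + secret).digest()


def nas_access_request(ident, user, password, secret):
    req_auth = os.urandom(16)                     # fresh Request Authenticator per request
    body = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return header(ACCESS_REQUEST, ident, len(body)) + req_auth + body, req_auth


def server_handle_access(pkt, secret, users):
    """Server side: recover the password with its copy of the key, then reply."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    pw = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == pw else ACCESS_REJECT
    return header(code, ident, 0) + response_authenticator(code, ident, req_auth, b"", secret)


def nas_verify_reply(resp, req_auth, secret):
    """NAS side: trust the reply only if its authenticator was made with our key."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    return resp[4:20] == response_authenticator(code, ident, req_auth, resp[20:length], secret)


def access_exchange(nas_key, server_key):
    """Return (server_sent_accept, nas_trusts_reply) for one login attempt."""
    pkt, req_auth = nas_access_request(7, b"alice", b"s3cret!", nas_key)
    resp = server_handle_access(pkt, server_key, {b"alice": b"s3cret!"})
    return resp[0] == ACCESS_ACCEPT, nas_verify_reply(resp, req_auth, nas_key)


def accounting_request(ident, body, secret):
    """RFC 2866 section 3: Request Authenticator = MD5 over the packet with the
    authenticator field zeroed, followed by the secret."""
    hdr = header(ACCOUNTING_REQUEST, ident, len(body))
    return hdr + hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest() + body


def accounting_request_valid(pkt, secret):
    """Server side. RFC 2866 requires an unverifiable request to be silently
    discarded, so a wrong 'key accounting' shows up as timeouts, never rejects."""
    hdr, auth, body = pkt[:4], pkt[4:20], pkt[20:]
    return hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest() == auth
```

With matching keys access_exchange() returns (True, True). With different keys the server recovers garbage instead of the password and answers Access-Reject, and the NAS refuses that reply because its authenticator was computed with the wrong key; the accounting check simply returns False, which on a real server means no reply at all.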
Examples
# For RADIUS scheme radius1, set the shared key for secure accounting communication to ok in plain
text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting simple ok
# For RADIUS scheme radius1, set the same plaintext accounting key without specifying simple (a key
given with neither cipher nor simple is treated as plaintext).
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key accounting ok
# For RADIUS scheme radius1, set the shared key for secure authentication/authorization
communication to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in ciphertext.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] key authentication cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
Related commands
display radius scheme
The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme,
whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The
setting in RADIUS scheme view takes precedence.
Examples
# Set the source IP address for outgoing RADIUS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] nas-ip 10.1.1.1
Related commands
radius nas-ip
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS accounting
server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the
server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS accounting server are the
same as those configured on the server.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be
of the same IP version.
The IP addresses of the primary and secondary accounting servers must be different from each other.
Otherwise, the configuration fails.
In FIPS mode, the shared key specified in this command is encrypted and decrypted through 3DES.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN
specified for the RADIUS scheme.
If you change the primary accounting server when the device has already sent a start-accounting request
to the server, the communication with the primary server times out, and the device looks for a server in
active state from the new primary server on.
If you remove an accounting server being used by users, the device can no longer send real-time
accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting
requests.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
Examples
# For RADIUS scheme radius1, set the IP address of the primary accounting server to 10.110.1.2, the UDP
port to 1813, and the shared key to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary accounting 10.110.1.2 1813 key simple hello
Related commands
• key (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)
Default
No primary RADIUS authentication/authorization server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the primary RADIUS authentication/authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the primary RADIUS authentication/authorization server,
which must be a valid global unicast address.
port-number: Specifies the service port number of the primary RADIUS authentication/authorization
server, which is a UDP port number. The value range for the port number is 1 to 65535, and the default
is 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary RADIUS
authentication/authorization server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must be at least eight characters and contain digits, uppercase letters,
lowercase letters, and special characters.
probe: Enables the device to detect the status of the primary RADIUS authentication/authorization server.
username name: Specifies the username in the authentication request that is used to detect the status of
the primary RADIUS authentication/authorization server.
interval interval: Specifies the interval between two server status detections, in minutes. The value
range for the interval argument is 1 to 3600, and the default is 60.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary RADIUS
authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive string
of 1 to 31 characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary RADIUS authentication/authorization
server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
authentication [ cipher | simple ] key command.
In FIPS mode, the shared key specified in this command is encrypted and decrypted through 3DES.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN
specified for the RADIUS scheme.
If you remove the primary authentication server when an authentication process is in progress, the
communication with the primary server times out, and the device looks for a server in active state from the
new primary server on.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
With the server status detection feature enabled, the device sends an authentication request that carries
the specified username to the primary server at the specified interval. If the device receives no response
from the server within the time interval specified by the timer response-timeout command, the device
sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still receives
no response from the server, the device considers the server as unreachable. If the device receives a
response from the server before the maximum number of retries is reached, the device considers the
server as reachable. The device sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
For 802.1X authentication, if the status of every server is block, the device assigns the port connected to
an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X
critical VLAN, see Security Configuration Guide.
To ensure that the device can set the server to its actual status, set a longer quiet timer for the primary
server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on
a port, the device might frequently change the server status, and the port might frequently join and leave
the critical VLAN.
Examples
# For RADIUS scheme radius1, set the IP address of the primary authentication/authorization server to
10.110.1.1, the UDP port to 1812, and the shared key to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 1812 key hello
# In RADIUS scheme radius1, set the username used for status detection of the primary
authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] primary authentication 10.110.1.1 probe username test interval 120
Related commands
• key (RADIUS scheme view)
• vpn-instance (RADIUS scheme view)
radius client
Use radius client enable to enable the RADIUS client service.
Use undo radius client to disable the RADIUS client service.
Syntax
radius client enable
undo radius client
Default
The RADIUS client service is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
When the RADIUS client service is disabled, the following events occur:
• The device can no longer send or buffer stop-accounting requests for online users, so the RADIUS
server is not notified when those users log off and keeps their records for a period of time after
they go offline.
• Accounting packets already in the buffer cannot be sent and are deleted from the buffer when the
configured maximum number of attempts is reached, which reduces the precision of user accounting.
• If local authentication, authorization, or accounting is configured as the backup, the device falls
back to it after the RADIUS request fails. Local accounting only monitors and limits the number of
local user connections. It does not provide the statistics that the accounting feature generally
provides.
Examples
# Enable the RADIUS client service.
<Sysname> system-view
[Sysname] radius client enable
radius nas-ip
Use radius nas-ip to specify a source address for outgoing RADIUS packets.
Use undo radius nas-ip to remove the configuration.
Syntax
radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
undo radius nas-ip { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
The source IP address of an outgoing RADIUS packet is the IP address of the outbound interface.
Views
System view
Default command level
2: System level
Parameters
ipv4-address: Specifies an IPv4 address in dotted decimal notation. It must be an address of the device
and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback address.
ipv6 ipv6-address: Specifies an IPv6 address. It must be a unicast address of the device and cannot be
a loopback address or link-local address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IPv4 address belongs.
The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified,
the command specifies a private-network source IPv4 address. With no VPN specified, the command
specifies a public-network source IPv4 address.
Usage guidelines
You can specify up to one public-network source IP address and 15 private-network source IP addresses.
A newly specified public-network source IP address overwrites the previous one. Each VPN can have only
one private-network source IP address. A private-network source IP address newly specified for a VPN
overwrites the previous one.
The source IP address of RADIUS packets that a NAS sends must match the IP address of the NAS that
is configured on the RADIUS server. A RADIUS server identifies a NAS by its IP address. Upon receiving
a RADIUS packet, a RADIUS server checks whether the source IP address of the packet is the IP address
of any managed NAS. If it is, the server processes the packet. If it is not, the server drops the packet.
The setting configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme,
whereas that configured by the radius nas-ip command in system view is for all RADIUS schemes. The
setting in RADIUS scheme view takes precedence.
Examples
# Set the IP address for the device to use as the source address of the RADIUS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] radius nas-ip 129.10.10.1
Related commands
nas-ip
radius scheme
Use radius scheme to create a RADIUS scheme and enter RADIUS scheme view.
Use undo radius scheme to delete a RADIUS scheme.
Syntax
radius scheme radius-scheme-name
undo radius scheme radius-scheme-name
Default
No RADIUS scheme is defined.
Views
System view
Default command level
3: Manage level
Parameters
radius-scheme-name: Specifies the RADIUS scheme name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
A RADIUS scheme can be referenced by more than one ISP domain at the same time.
A RADIUS scheme referenced by ISP domains cannot be removed.
Examples
# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1]
Related commands
display radius scheme
radius trap
Use radius trap to enable the trap function for RADIUS.
Use undo radius trap to disable the trap function for RADIUS.
Syntax
radius trap { accounting-server-down | authentication-error-threshold | authentication-server-down }
undo radius trap { accounting-server-down | authentication-error-threshold |
authentication-server-down }
Default
The trap function is disabled for RADIUS.
Views
System view
Default command level
2: System level
Parameters
accounting-server-down: Sends traps when the reachability of the accounting server changes.
authentication-error-threshold: Sends traps when the authentication failure ratio exceeds the
specified threshold. The threshold is the ratio of failed request transmission attempts to the total
number of transmission attempts, expressed as a percentage. The value range for the threshold is 1 to
100, and the default is 30. This threshold can only be configured through the MIB.
authentication-server-down: Sends traps when the reachability of the authentication server changes.
Usage guidelines
With the trap function for RADIUS, a NAS sends a trap message in the following cases:
• When the status of a RADIUS server changes. If a NAS sends a request and receives no response after
the maximum number of transmission attempts, it places the server in blocked state and sends a trap
message. If a NAS receives a response from a RADIUS server it considered unreachable, it considers
that the RADIUS server is reachable again and also sends a trap message.
• When the ratio of failed transmission attempts to the total number of authentication request
transmission attempts reaches the threshold.
Examples
# Enable the device to send traps in response to accounting server reachability changes.
<Sysname> system-view
[Sysname] radius trap accounting-server-down
reset radius statistics
Use reset radius statistics to clear RADIUS statistics.
Syntax
reset radius statistics
Views
User view
Default command level
2: System level
Examples
# Clear RADIUS statistics.
<Sysname> reset radius statistics
Related commands
display radius statistics
# Clear the stop-accounting requests buffered in the time range of 0:0:0 to 23:59:59 on August 31,
2006.
<Sysname> reset stop-accounting-buffer time-range 0:0:0-08/31/2006 23:59:59-08/31/2006
Related commands
• stop-accounting-buffer enable
• display stop-accounting-buffer
retry
Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS
server.
Use undo retry to restore the default.
Syntax
retry retry-times
undo retry
Default
The maximum number of RADIUS packet transmission attempts is 3.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Specifies the maximum number of RADIUS packet transmission attempts, in the range of 1 to
20.
Usage guidelines
RADIUS runs over UDP, so delivery of a request or its response is not guaranteed. If the device does
not receive a response from the RADIUS server within the response timeout period (set with the timer
response-timeout command), it retransmits the request. If the number of transmission attempts reaches
the limit and the device still receives no response, it considers the request a failure.
The maximum number of packet transmission attempts multiplied by the RADIUS server response timeout
period cannot be greater than 75 seconds.
Examples
# Set the maximum number of RADIUS request transmission attempts to 5 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry 5
Related commands
• radius scheme
• timer response-timeout
retry realtime-accounting
Use retry realtime-accounting to set the maximum number of accounting attempts.
Use undo retry realtime-accounting to restore the default.
Syntax
retry realtime-accounting retry-times
undo retry realtime-accounting
Default
The maximum number of accounting attempts is 5.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255.
Usage guidelines
A RADIUS server usually checks whether a user is online by using a timeout timer. If it receives no
real-time accounting request for a user from the NAS within the timeout period, it assumes a line or
device failure and stops accounting for the user. To cooperate with this server behavior, the NAS must
keep pace with the server in disconnecting the user. The maximum number of accounting attempts,
together with the response timeout, the retry count, and the real-time accounting interval, controls
how the NAS sends accounting requests and how promptly it disconnects a user whose accounting server
has stopped responding.
Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer
response-timeout command), the maximum number of RADIUS packet transmission attempts is 3 (set
with the retry command), the real-time accounting interval is 12 minutes (set with the timer
realtime-accounting command), and the maximum number of accounting attempts is five (set with the
retry realtime-accounting command). In this case, the device generates an accounting request every 12
minutes, and retransmits the request if it sends the request but receives no response within 3 seconds. If
the device receives no response after transmitting the request three times, it considers the accounting
attempt a failure, and it makes another accounting attempt. If five consecutive accounting attempts fail,
the device cuts the user connection.
Examples
# Set the maximum number of accounting attempts to 10 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry realtime-accounting 10
Related commands
• retry
• timer response-timeout
• timer realtime-accounting
retry stop-accounting (RADIUS scheme view)
Use retry stop-accounting to set the maximum number of stop-accounting request transmission attempts.
Use undo retry stop-accounting to restore the default.
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 500.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
retry-times: Specifies the maximum number of stop-accounting request transmission attempts, in the
range of 10 to 65535.
Usage guidelines
The maximum number of stop-accounting request transmission attempts, together with some other
parameters, controls how the NAS deals with stop-accounting request packets.
Suppose that the RADIUS server response timeout period is 3 seconds (set with the timer
response-timeout command), the maximum number of transmission attempts is five (set with the retry
command), and the maximum number of stop-accounting request transmission attempts is 20 (set with
the retry stop-accounting command). For each stop-accounting request, if the device receives no
response within 3 seconds, it retransmits the request. If it receives no responses after retransmitting the
request five times, it considers the attempt a failure, buffers the request, and makes another attempt. If 20
consecutive attempts fail, the device discards the request.
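The two scenarios above, and the retry multiplied by response-timeout limit given under the retry command, are easy to get wrong when tuning a scheme. The following model is an added example, not part of this reference or of Comware: it checks a set of timer values against the ranges and the 75-second limit stated in this document, then walks a buffered stop-accounting request through the retransmission rule against a server that stays silent. Two points the text leaves open are treated as assumptions: consecutive real-time accounting attempts are one realtime-accounting interval apart, and buffered stop-accounting attempts follow each other with no extra delay.

```python
"""Model the retransmission rules described under retry, retry
realtime-accounting and retry stop-accounting, and check the
retry x response-timeout <= 75 limit before committing a scheme.

Added example for this page, not Comware code. Assumptions: consecutive
real-time accounting attempts are one realtime-accounting interval apart,
and buffered stop-accounting attempts follow each other back to back.
"""
from dataclasses import dataclass

MAX_RETRY_TIMEOUT_PRODUCT = 75   # seconds; limit stated under the retry command


@dataclass(frozen=True)
class RadiusTimers:
    response_timeout: int = 3        # timer response-timeout, seconds
    retry: int = 3                   # retry (default 3)
    realtime_interval_min: int = 12  # timer realtime-accounting, minutes (value used in the text)
    retry_realtime: int = 5          # retry realtime-accounting (default 5)
    retry_stop: int = 500            # retry stop-accounting (default 500)

    def check(self):
        """List configuration problems; empty when the scheme is acceptable."""
        problems = []
        if not 1 <= self.retry <= 20:
            problems.append("retry must be 1 to 20")
        product = self.retry * self.response_timeout
        if product > MAX_RETRY_TIMEOUT_PRODUCT:
            problems.append(f"retry x response-timeout = {product} exceeds 75")
        if not 1 <= self.retry_realtime <= 255:
            problems.append("retry realtime-accounting must be 1 to 255")
        if not 10 <= self.retry_stop <= 65535:
            problems.append("retry stop-accounting must be 10 to 65535")
        return problems

    def request_failure_seconds(self):
        """Time until one request against a silent server counts as failed."""
        return self.retry * self.response_timeout

    def realtime_cutoff_seconds(self):
        """Worst case: seconds a user stays online after the accounting server
        goes silent (retry_realtime attempts, one per interval, each failing
        after retry x response-timeout). Assumption: attempts are interval-spaced."""
        return (self.retry_realtime * self.realtime_interval_min * 60
                + self.request_failure_seconds())


def simulate_stop_accounting(t, server_back_at=None):
    """Walk a buffered stop-accounting request through the retry rules against
    a server that answers nothing until server_back_at seconds (None: never).
    Returns ("acked", send_time) or ("discarded", elapsed_seconds)."""
    clock = 0
    for _attempt in range(t.retry_stop):
        for _tx in range(t.retry):
            if server_back_at is not None and clock >= server_back_at:
                return ("acked", clock)          # this transmission gets a reply
            clock += t.response_timeout          # wait out the response timeout
        # attempt failed: request stays buffered, next attempt starts at once
    return ("discarded", clock)


if __name__ == "__main__":
    defaults = RadiusTimers()
    print("default config problems:", defaults.check())
    print("user cut off at most %d s after the accounting server dies"
          % defaults.realtime_cutoff_seconds())
    page = RadiusTimers(response_timeout=3, retry=5, retry_stop=20)  # numbers from the text above
    print("stop-accounting against a dead server:", simulate_stop_accounting(page))
    print("server back after 100 s:", simulate_stop_accounting(page, 100))
```

With the defaults the model gives 3609 seconds, so a dead accounting server leaves users online for about an hour before the NAS cuts them; with the stop-accounting numbers from the text (3 s timeout, 5 transmissions, 20 attempts) a buffered request is discarded after 300 seconds of silence, and the default of 500 attempts keeps it for 4500 seconds.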
Examples
# Set the maximum number of stop-accounting request transmission attempts to 1000 for RADIUS
scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] retry stop-accounting 1000
Related commands
• retry
• retry stop-accounting
• timer response-timeout
• display stop-accounting-buffer
Use undo secondary accounting to remove the configuration.
Syntax
secondary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key [ cipher | simple ] key
| vpn-instance vpn-instance-name ] *
undo secondary accounting [ ipv4-address | ipv6 ipv6-address ]
Default
No secondary RADIUS accounting server is specified.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS accounting server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS accounting server, which must
be a valid global unicast address.
port-number: Specifies the service port number of the secondary RADIUS accounting server, which is a
UDP port number. The value range for the port number is 1 to 65535, and the default is 1813.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary
RADIUS accounting server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must be at least eight characters and contain digits, uppercase letters,
lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS accounting
server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the
server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS accounting server are the
same as those configured on the server.
You can configure up to 16 secondary RADIUS accounting servers for a RADIUS scheme. After the
configuration, if the primary server fails, the device looks for a secondary server in active state (a
secondary RADIUS accounting server configured earlier has a higher priority) and tries to communicate
with it.
The IP addresses of the accounting servers and those of the authentication/authorization servers must be
of the same IP version.
The IP addresses of the primary and secondary accounting servers must be different from each other.
Otherwise, the configuration fails.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command.
In FIPS mode, the shared key specified in this command is encrypted and decrypted through 3DES.
If the specified server resides on an MPLS L3VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN
specified for the RADIUS scheme.
If you remove a secondary accounting server when the device has already sent a start-accounting
request to the server, the communication with the secondary server times out, and the device looks for a
server in active state from the primary server on.
If you remove an accounting server being used by online users, the device can no longer send real-time
accounting requests or stop-accounting requests for the users, and it does not buffer the stop-accounting
requests.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
Examples
# For RADIUS scheme radius1, specify two secondary accounting servers with the server IP addresses of
10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813 key hello
[Sysname-radius-radius1] secondary accounting 10.110.1.2 1813 key hello
# For RADIUS scheme radius2, set the IP address of the secondary accounting server to 10.110.1.1, the
UDP port to 1813, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B in ciphertext.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary accounting 10.110.1.1 1813 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
Related commands
• key (RADIUS scheme view)
• state
• vpn-instance (RADIUS scheme view)
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the secondary RADIUS authentication/authorization server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS authentication/authorization
server, which is a valid global unicast address.
port-number: Specifies the service port number of the secondary RADIUS authentication/authorization
server, which is a UDP port number. The value range for the port number is 1 to 65535, and the default
is 1812.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary
RADIUS authentication/authorization server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 117
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 64 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must be at least eight characters and contain digits, uppercase letters,
lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary RADIUS
authentication/authorization server belongs. The vpn-instance-name argument is a case-sensitive string
of 1 to 31 characters. If the server is on the public network, do not specify this option.
probe: Enables the device to detect the status of the secondary RADIUS authentication/authorization
server.
username name: Specifies the username in the authentication request that is used to detect the status of
the secondary RADIUS authentication/authorization server.
interval interval: Specifies the interval between two server status detections. The value range for the
interval argument is 1 to 3600, and the default is 60, in minutes.
Usage guidelines
Make sure the port number and shared key settings of the secondary RADIUS
authentication/authorization server are the same as those configured on the server.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command.
In FIPS mode, the shared key specified in this command is encrypted and decrypted through 3DES.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option. The VPN specified by this command takes precedence over the VPN
specified for the RADIUS scheme.
You can configure up to 16 secondary RADIUS authentication/authorization servers for a RADIUS
scheme. After the configuration, if the primary server fails, the device looks for a secondary server in
active state (a secondary RADIUS authentication/authorization server configured earlier has a higher
priority) and tries to communicate with it.
The IP addresses of the authentication/authorization servers and those of the accounting servers must be
of the same IP version.
The IP addresses of the primary and secondary authentication/authorization servers must be different
from each other. Otherwise, the configuration fails.
If you remove a secondary authentication server in use in the authentication process, the communication
with the secondary server times out, and the device looks for a server in active state from the primary
server on.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
With the server status detection feature enabled, the device sends an authentication request that carries
the specified username to the secondary server at the specified interval. If the device receives no
response from the server within the time interval specified by the timer response-timeout command, the
device sends the authentication request again.
If the maximum number of retries (specified by the retry command) is reached and the device still receives
no response from the server, the device considers the server as unreachable. If the device receives a
response from the server before the maximum number of retries is reached, the device considers the
server as reachable. The device sets the status of the server to block or active according to the status
detection result, regardless of the current status of the server.
For 802.1X authentication, if the status of every server is block, the device assigns the port connected to
an authentication user to the specified 802.1X critical VLAN. For more information about the 802.1X
critical VLAN, see Security Configuration Guide.
To ensure that the device can set the server to its actual status, set a longer quiet timer for the secondary
server with the timer quiet command. If you set a short quiet timer and configure 802.1X critical VLAN on
a port, the device might frequently change the server status, and the port might frequently join and leave
the critical VLAN.
Examples
# Specify two secondary authentication/authorization servers for RADIUS scheme radius1, with the
server IP addresses of 10.110.1.1 and 10.110.1.2 and the UDP port number of 1813. Set the shared keys to
hello in plain text.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 1812 key simple hello
[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812 key simple hello
# For RADIUS scheme radius2, set the IP address of the secondary authentication/authorization server
to 10.110.1.2, the UDP port to 1812, and the shared key to $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
in ciphertext.
<Sysname> system-view
[Sysname] radius scheme radius2
[Sysname-radius-radius2] secondary authentication 10.110.1.2 1812 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B
# In RADIUS scheme radius1, set the username used for status detection of the secondary
authentication/authorization server to test, and set the server status detection interval to 120 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] secondary authentication 10.110.1.1 probe username test interval 120
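The parameter rules for secondary (and primary) RADIUS servers above, such as the port range, the plaintext and ciphertext key lengths, the FIPS key composition rule, the vpn-instance name length, the probe interval range, distinct primary/secondary addresses, one IP version for authentication and accounting servers, and at most 16 secondary servers, are easy to break when a scheme is edited by hand. The following Python checker is an added example, not part of the original reference or the device software; it parses primary/secondary server lines in the syntax shown in this manual, and the `fips` flag and the sample scheme are constructed for the demonstration.

```python
"""Lint a Comware 5 RADIUS scheme's server lines against the limits in this reference (added example, not device code)."""
import ipaddress
import re

# Limits quoted from the command reference for RADIUS scheme view.
PORT_RANGE = (1, 65535)
SIMPLE_KEY_MAX, CIPHER_KEY_MAX = 64, 117   # plaintext / ciphertext shared key lengths
VPN_NAME_MAX = 31                          # vpn-instance-name, 1 to 31 characters
MAX_SECONDARY_SERVERS = 16                 # per scheme and server type
PROBE_INTERVAL_RANGE = (1, 3600)           # minutes
DEFAULT_PORT = {"authentication": 1812, "accounting": 1813}

def fips_key_ok(key):
    """FIPS mode: at least 8 characters with digits, uppercase, lowercase and specials."""
    classes = (r"\d", r"[A-Z]", r"[a-z]", r"[^A-Za-z0-9]")
    return len(key) >= 8 and all(re.search(p, key) for p in classes)

def parse_server_line(line):
    """Parse one 'primary|secondary authentication|accounting ...' line into a dict."""
    tok = line.split()
    if len(tok) < 3 or tok[0] not in ("primary", "secondary") or tok[1] not in DEFAULT_PORT:
        raise ValueError("not a RADIUS server line")
    i = 3 if tok[2] == "ipv6" else 2           # 'ipv6 ipv6-address' form
    addr = ipaddress.ip_address(tok[i])        # ValueError on a malformed address
    srv = {"role": tok[0], "kind": tok[1], "addr": addr, "port": DEFAULT_PORT[tok[1]],
           "key": None, "key_form": "simple", "vpn": None, "probe_interval": None}
    i += 1
    if i < len(tok) and tok[i].isdigit():      # optional port-number
        srv["port"], i = int(tok[i]), i + 1
    while i < len(tok):
        word = tok[i]
        if word == "key":                       # key [ cipher | simple ] key
            i += 1
            if tok[i] in ("cipher", "simple"):
                srv["key_form"], i = tok[i], i + 1
            srv["key"], i = tok[i], i + 1
        elif word == "vpn-instance":
            srv["vpn"], i = tok[i + 1], i + 2
        elif word in ("probe", "username"):     # probe username <name>: nothing to check
            i += 2 if word == "username" else 1
        elif word == "interval":
            srv["probe_interval"], i = int(tok[i + 1]), i + 2
        else:
            raise ValueError(f"unexpected token {word!r}")
    return srv

def lint_radius_scheme(config_lines, fips=False):
    """Return a list of problems found in one scheme's server lines (empty if clean)."""
    problems, servers = [], []
    for raw in config_lines:
        tok = raw.split()
        if not tok or tok[0] not in ("primary", "secondary"):
            continue                            # skip 'radius scheme', timers, keys, ...
        try:
            servers.append(parse_server_line(raw))
        except (ValueError, IndexError) as exc:
            problems.append(f"cannot parse {raw.strip()!r}: {exc}")
    for s in servers:
        tag = f"{s['role']} {s['kind']} {s['addr']}"
        if not PORT_RANGE[0] <= s["port"] <= PORT_RANGE[1]:
            problems.append(f"{tag}: port {s['port']} outside {PORT_RANGE}")
        if s["key"] is not None:
            limit = CIPHER_KEY_MAX if s["key_form"] == "cipher" else SIMPLE_KEY_MAX
            if not 1 <= len(s["key"]) <= limit:
                problems.append(f"{tag}: {s['key_form']} key length {len(s['key'])} outside 1..{limit}")
            if fips and s["key_form"] == "simple" and not fips_key_ok(s["key"]):
                problems.append(f"{tag}: key does not meet the FIPS composition rule")
        if s["vpn"] is not None and not 1 <= len(s["vpn"]) <= VPN_NAME_MAX:
            problems.append(f"{tag}: vpn-instance name length outside 1..{VPN_NAME_MAX}")
        pi = s["probe_interval"]
        if pi is not None and not PROBE_INTERVAL_RANGE[0] <= pi <= PROBE_INTERVAL_RANGE[1]:
            problems.append(f"{tag}: probe interval {pi} outside {PROBE_INTERVAL_RANGE} minutes")
    for kind in DEFAULT_PORT:                   # cross-server rules per server type
        group = [s for s in servers if s["kind"] == kind]
        addrs = [s["addr"] for s in group]
        if len(set(addrs)) != len(addrs):
            problems.append(f"{kind}: primary and secondary server addresses must differ")
        if sum(s["role"] == "secondary" for s in group) > MAX_SECONDARY_SERVERS:
            problems.append(f"{kind}: more than {MAX_SECONDARY_SERVERS} secondary servers")
    if len({s["addr"].version for s in servers}) > 1:
        problems.append("authentication and accounting servers must use the same IP version")
    return problems

# Constructed sample with three faults: duplicated authentication address, over-long plaintext key, mixed IP versions.
SAMPLE_SCHEME = [
    "radius scheme radius1",
    " primary authentication 10.110.1.1 1812 key simple hello",
    " secondary authentication 10.110.1.1 1812 key simple hello",
    " secondary authentication 10.110.1.2 1812 key cipher $c$3$NMCbVjyIutaV6csCOGp4zsKRTlg2eT3B",
    " secondary authentication 10.110.1.3 probe username test interval 120",
    " primary accounting ipv6 2001:db8::10 1813 key simple " + "x" * 65,
]

if __name__ == "__main__":
    print("\n".join(lint_radius_scheme(SAMPLE_SCHEME)) or "no problems found")
```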
Related commands
• key (RADIUS scheme view)
• state
• vpn-instance (RADIUS scheme view)
security-policy-server
Use security-policy-server to specify a security policy server for a RADIUS scheme.
Use undo security-policy-server to remove one or all security policy servers for a RADIUS scheme.
Syntax
security-policy-server ip-address
undo security-policy-server { ip-address | all }
Default
No security policy server is specified for a RADIUS scheme.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies a security policy server by its IP address.
all: Specifies all security policy servers.
Usage guidelines
You can specify up to eight security policy servers for a RADIUS scheme.
You can change security policy servers for a RADIUS scheme only when no user is using the scheme.
Examples
# Specify security policy server 10.110.1.2 for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] security-policy-server 10.110.1.2
Default command level
2: System level
Parameters
extended: Specifies the extended RADIUS server (generally running on IMC), which requires the RADIUS
client and RADIUS server to interact according to the procedures and packet formats defined by the
proprietary RADIUS protocol.
standard: Specifies the standard RADIUS server, which requires the RADIUS client and RADIUS server to
interact according to the procedures and packet format of the standard RADIUS protocol (RFC 2865 and
2866 or their successors).
Examples
# Configure the RADIUS server type of RADIUS scheme radius1 as standard.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] server-type standard
state primary
Use state primary to set the status of a primary RADIUS server.
Syntax
state primary { accounting | authentication } { active | block }
Default
The primary RADIUS server specified for a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the status of the primary RADIUS accounting server.
authentication: Sets the status of the primary RADIUS authentication/authorization server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
During an authentication or accounting process, the device first tries to communicate with the primary
server if the primary server is in active state. If the primary server is unavailable, the device changes the
status of the primary server to blocked, starts a quiet timer for the server, and then tries to communicate
with a secondary server in active state (a secondary RADIUS server configured earlier has a higher
priority). When the quiet timer of the primary server times out, the status of the server changes to active
automatically. If you set the status of the server to blocked before the quiet timer times out, the status of
the server cannot change back to active automatically unless you set the status to active manually.
When the primary server and secondary servers are both in blocked state, the device communicates with
the primary server.
Examples
# Set the status of the primary server in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state primary authentication block
Related commands
• display radius scheme
• state secondary
state secondary
Use state secondary to set the status of a secondary RADIUS server.
Syntax
state secondary { accounting | authentication } [ ip ipv4-address | ipv6 ipv6-address ] { active | block }
Default
Every secondary RADIUS server specified in a RADIUS scheme is in active state.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
accounting: Sets the status of the secondary RADIUS accounting server.
authentication: Sets the status of the secondary RADIUS authentication/authorization server.
ip ipv4-address: Specifies the IPv4 address of the secondary RADIUS server.
ipv6 ipv6-address: Specifies the IPv6 address of the secondary RADIUS server.
active: Specifies the active state, the normal operation state.
block: Specifies the blocked state, the out-of-service state.
Usage guidelines
If no IP address is specified, this command changes the status of all configured secondary servers for
authentication/authorization or accounting.
If the device finds that a secondary server in active state is unreachable, the device changes the status of
the secondary server to blocked, starts a quiet timer for the server, and continues to try to communicate
with the next secondary server in active state (a secondary RADIUS server configured earlier has a
higher priority). When the quiet timer of a server times out, the status of the server changes to active
automatically. If you set the status of the server to blocked before the quiet timer times out, the status of
the server cannot change back to active automatically unless you set the status to active manually. If all
configured secondary servers are unreachable, the device considers the authentication or accounting
attempt a failure.
Examples
# Set the status of all secondary servers in RADIUS scheme radius1 to blocked.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] state secondary authentication block
Related commands
• display radius scheme
• state primary
Related commands
• reset stop-accounting-buffer
• display stop-accounting-buffer
undo timer quiet
Default
The server quiet period is 5 minutes.
Views
RADIUS scheme view
Default command level
2: System level
Parameters
minutes: Specifies the server quiet period in minutes, in the range of 0 to 255. If you set this argument to
0, when the device attempts to send an authentication or accounting request but the current server is
unreachable, the device sends the request to the next server in active state, without changing the current
server's status. As a result, when the device attempts to send a request of the same type for another user,
it still tries to send the request to the current server because the current server is in active state.
Usage guidelines
The quiet timer controls whether the device changes the status of an unreachable server from active to
blocked and how long the device keeps an unreachable server in blocked state.
If you determine that the primary server is unreachable because the device's port connected to the server
is out of service temporarily or the server is busy, you can set the server quiet period to 0 so that the
device uses the primary server whenever possible.
Set the server quiet timer correctly. Too short a quiet timer might result in frequent authentication or
accounting failures because the device keeps trying to communicate with an unreachable server that is
in active state.
Examples
# Set the quiet timer for the servers to 10 minutes.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer quiet 10
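The server selection rules in the state primary, state secondary and timer quiet sections (primary first if active, secondaries in configured order, quiet timer on an unreachable server, no status change when the quiet period is 0, a manual block that never expires on its own, and the fallback to the primary server when every server is blocked) are easiest to follow as a small simulation. The following Python model is an added example, not Comware code; it assumes time in whole minutes supplied by the caller and a caller-supplied `reachable(name)` function standing in for the network, and the `failover_timeline` scenario is constructed.

```python
"""Model of the primary/secondary RADIUS server selection and quiet-timer rules in this reference.
Added example, not device code: time is whole minutes supplied by the caller."""


class RadiusServer:
    def __init__(self, name):
        self.name = name
        self.state = "active"        # "active" (normal) or "block" (out of service)
        self.blocked_until = None    # minute at which the quiet timer expires
        self.manual = False          # set by 'state ... block': never reverts on its own

    def is_active(self, now):
        """A timer-blocked server returns to active when its quiet timer times out."""
        if (self.state == "block" and not self.manual
                and self.blocked_until is not None and now >= self.blocked_until):
            self.state, self.blocked_until = "active", None
        return self.state == "active"

    def mark_unreachable(self, now, quiet_minutes):
        """Block the server and start its quiet timer; 'timer quiet 0' leaves the status as is."""
        if quiet_minutes > 0:
            self.state, self.blocked_until = "block", now + quiet_minutes


class RadiusScheme:
    def __init__(self, primary, secondaries, quiet_minutes=5):
        self.primary = RadiusServer(primary)
        self.secondaries = [RadiusServer(n) for n in secondaries]  # configured order = priority
        self.quiet = quiet_minutes   # 'timer quiet', default 5 minutes

    def servers(self):
        return [self.primary] + self.secondaries

    def set_state(self, name, state):
        """Administrator-issued 'state primary|secondary ... active|block'."""
        for s in self.servers():
            if s.name == name:
                s.state, s.blocked_until = state, None
                s.manual = state == "block"

    def send_request(self, now, reachable):
        """Choose the server for one request. `reachable(name)` is the caller's stand-in for
        the network; returns the name of the server that answered, or None on failure."""
        tried = []
        for s in self.servers():
            if not s.is_active(now):
                continue
            tried.append(s.name)
            if reachable(s.name):
                return s.name
            s.mark_unreachable(now, self.quiet)
        # Primary and all secondaries blocked: the device still talks to the primary.
        if self.primary.name not in tried and reachable(self.primary.name):
            return self.primary.name
        return None

    def status(self, now):
        """Snapshot of every server's state, as 'display radius scheme' would show it."""
        return {s.name: ("active" if s.is_active(now) else "block") for s in self.servers()}


def failover_timeline(quiet_minutes, primary_down_until, minutes):
    """Constructed scenario: primary 'p' is unreachable before minute `primary_down_until`,
    secondaries s1 and s2 are always reachable. Returns the server used each minute."""
    scheme = RadiusScheme("p", ["s1", "s2"], quiet_minutes)
    used = []
    for now in range(minutes):
        used.append(scheme.send_request(now, lambda name: name != "p" or now >= primary_down_until))
    return used


if __name__ == "__main__":
    print("timer quiet 5:", failover_timeline(5, 2, 8))   # primary not retried until minute 5
    print("timer quiet 0:", failover_timeline(0, 2, 8))   # primary retried every minute
```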
Related commands
display radius scheme
Default command level
2: System level
Parameters
minutes: Specifies the real-time accounting interval in minutes. The value can be 0 or a multiple of 3, in
the range of 3 to 60.
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the RADIUS
accounting server periodically. This command sets the interval.
When the real-time accounting interval on the device is 0, the device sends online user accounting
information to the RADIUS accounting server at the real-time accounting interval configured on the server,
or does not send online user accounting information.
Different real-time accounting intervals impose different performance requirements on the NAS and the
RADIUS server. A shorter interval helps achieve higher accounting precision but requires higher
performance. Use a longer interval when there are a large number of users (1000 or more).
Table 7 Recommended real-time accounting intervals
Number of users    Real-time accounting interval (minutes)
100 to 499         6
500 to 999         12
Examples
# Set the real-time accounting interval to 51 minutes for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer realtime-accounting 51
Related commands
retry realtime-accounting
Default command level
2: System level
Parameters
seconds: Specifies the RADIUS server response timeout period in seconds, in the range of 1 to 10.
Usage guidelines
If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request
(authentication/authorization or accounting request), it resends the request so that the user has more
opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to
control the transmission interval.
The maximum number of RADIUS packet transmission attempts multiplied by the RADIUS server response
timeout period cannot be greater than 75.
Examples
# Set the RADIUS server response timeout timer to 5 seconds for RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] timer response-timeout 5
Related commands
retry
If a RADIUS scheme is configured to send the username without the ISP domain name, do not apply the
RADIUS scheme to more than one ISP domain. Otherwise, the RADIUS server might regard two users in
different ISP domains but with the same user ID as one user.
For 802.1X users using EAP authentication, the user-name-format command configured for a RADIUS
scheme does not take effect and the device does not change the usernames from clients before
forwarding them to the RADIUS server.
If the RADIUS scheme is used for roaming wireless users, specify the keep-original keyword. Otherwise,
authentication of the wireless users might fail.
Examples
# Specify the device to remove the domain name in the username sent to the RADIUS servers for the
RADIUS scheme radius1.
<Sysname> system-view
[Sysname] radius scheme radius1
[Sysname-radius-radius1] user-name-format without-domain
Related commands
radius scheme
Related commands
display radius scheme
HWTACACS configuration commands
data-flow-format (HWTACACS scheme view)
Use data-flow-format to set the traffic statistics unit for data flows or packets.
Use undo data-flow-format to restore the default.
Syntax
data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } } *
undo data-flow-format { data | packet }
Default
The unit for data flows is byte and that for data packets is one-packet.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
data { byte | giga-byte | kilo-byte | mega-byte }: Specifies the unit for data flows, which can be byte,
kilobyte, megabyte, or gigabyte.
packet { giga-packet | kilo-packet | mega-packet | one-packet }: Specifies the unit for data packets,
which can be one-packet, kilo-packet, mega-packet, or giga-packet.
Usage guidelines
The unit for data flows and that for packets must be consistent with those on the HWTACACS server.
Otherwise, accounting cannot be performed correctly.
Examples
# Set the traffic statistics unit for data flows and that for packets to kilobytes and kilo-packets, respectively,
in HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte packet kilo-packet
Related commands
display hwtacacs
display hwtacacs
Use display hwtacacs to display the configuration of HWTACACS schemes or the statistics for the
HWTACACS servers specified in HWTACACS schemes.
Syntax
display hwtacacs [ hwtacacs-scheme-name [ statistics ] ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
hwtacacs-scheme-name: Specifies the HWTACACS scheme name.
statistics: Displays the statistics for the HWTACACS servers specified in the HWTACACS scheme.
Without this keyword, the command displays the configuration of the HWTACACS scheme.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If no HWTACACS scheme is specified, the command displays the configuration of all HWTACACS
schemes.
Examples
# Display the configuration of HWTACACS scheme gy.
<Sysname> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
VPN instance : vpn1
Key : ******
Primary-authorization-server : 172.31.1.11:49
VPN instance : vpn1
Key : ******
Primary-accounting-server : 172.31.1.11:49
VPN instance : vpn1
Key : ******
Secondary-authentication-server : 0.0.0.0:0
VPN instance : -
Secondary-authorization-server : 0.0.0.0:0
VPN instance : -
Key : ******
Secondary-accounting-server : 0.0.0.0:0
VPN instance : -
Key : ******
Current-authentication-server : 172.31.1.11:49
VPN instance : -
Key : ******
Current-authorization-server : 172.31.1.11:49
VPN instance : -
Key : ******
Current-accounting-server : 172.31.1.11:49
VPN instance : -
Key : ******
NAS-IP-address : 0.0.0.0
Authentication key : ******
Authorization key : ******
Accounting key : ******
VPN instance : -
Quiet-interval(min) : 5
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec) : 5
Acct-stop-PKT retransmit times : 100
Username format : with-domain
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------
Field                            Description
HWTACACS-server template name    Name of the HWTACACS scheme.
Accounting key                   Shared key for accounting, displayed as a series of asterisks (******). If no key is configured, this field displays N/A.
# Display the statistics for the servers specified in HWTACACS scheme gy.
<Sysname> display hwtacacs gy statistics
---[HWTACACS template gy primary authentication]---
HWTACACS server open number: 10
HWTACACS server close number: 10
HWTACACS authen client access request packet number: 10
HWTACACS authen client access response packet number: 6
HWTACACS authen client unknown type number: 0
HWTACACS authen client timeout number: 4
HWTACACS authen client packet dropped number: 4
HWTACACS authen client access request change password number: 0
HWTACACS authen client access request login number: 5
HWTACACS authen client access request send authentication number: 0
HWTACACS authen client access request send password number: 0
HWTACACS authen client access connect abort number: 0
HWTACACS authen client access connect packet number: 5
HWTACACS authen client access response error number: 0
HWTACACS authen client access response failure number: 0
HWTACACS authen client access response follow number: 0
HWTACACS authen client access response getdata number: 0
HWTACACS authen client access response getpassword number: 5
HWTACACS authen client access response getuser number: 0
HWTACACS authen client access response pass number: 1
HWTACACS authen client access response restart number: 0
HWTACACS authen client malformed access response number: 0
HWTACACS authen client round trip time(s): 5
---[HWTACACS template gy primary authorization]---
HWTACACS server open number: 1
HWTACACS server close number: 1
HWTACACS author client request packet number: 1
HWTACACS author client response packet number: 1
HWTACACS author client timeout number: 0
HWTACACS author client packet dropped number: 0
HWTACACS author client unknown type number: 0
HWTACACS author client request EXEC number: 1
HWTACACS author client request PPP number: 0
HWTACACS author client request VPDN number: 0
HWTACACS author client response error number: 0
HWTACACS author client response EXEC number: 1
HWTACACS author client response PPP number: 0
HWTACACS author client response VPDN number: 0
HWTACACS author client round trip time(s): 3
---[HWTACACS template gy primary accounting]---
HWTACACS server open number: 0
HWTACACS server close number: 0
HWTACACS account client request packet number: 0
HWTACACS account client response packet number: 0
HWTACACS account client unknown type number: 0
HWTACACS account client timeout number: 0
HWTACACS account client packet dropped number: 0
HWTACACS account client request command level number: 0
HWTACACS account client request connection number: 0
HWTACACS account client request EXEC number: 0
HWTACACS account client request network number: 0
HWTACACS account client request system event number: 0
HWTACACS account client request update number: 0
HWTACACS account client response error number: 0
HWTACACS account client round trip time(s): 0
Related commands
hwtacacs scheme
<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1
Total 0 record(s) Matched
Related commands
• reset stop-accounting-buffer
• stop-accounting-buffer enable
• retry stop-accounting
hwtacacs nas-ip
Use hwtacacs nas-ip to specify a source IP address for outgoing HWTACACS packets.
Use undo hwtacacs nas-ip to remove the configuration.
Syntax
hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
undo hwtacacs nas-ip ip-address [ vpn-instance vpn-instance-name ]
Default
The source IP address of a packet sent to the server is the IP address of the outbound interface.
Views
System view
Default command level
2: System level
Parameters
ip-address: Specifies an IP address in dotted decimal notation. It must be an address of the device and
cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the source IP address belongs. The
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. With a VPN specified, the
command specifies a private-network source IP address. With no VPN specified, the command specifies
a public-network source IP address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS
that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address.
Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of
the packet is the IP address of any managed NAS. If it is, the server processes the packet. If it is not, the
server drops the packet.
You can specify up to one public-network source IP address and 15 private-network source IP addresses.
A newly specified public-network source IP address overwrites the previous one. Each VPN can have only
one private-network source IP address specified. A private-network source IP address newly specified for
a VPN overwrites the previous one.
The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS
scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS
schemes. The setting in HWTACACS scheme view takes precedence.
Examples
# Set the IP address for the device to use as the source address of the HWTACACS packets to 129.10.10.1.
<Sysname> system-view
[Sysname] hwtacacs nas-ip 129.10.10.1
Related commands
nas-ip
hwtacacs scheme
Use hwtacacs scheme to create an HWTACACS scheme and enter HWTACACS scheme view.
Use undo hwtacacs scheme to delete an HWTACACS scheme.
Syntax
hwtacacs scheme hwtacacs-scheme-name
undo hwtacacs scheme hwtacacs-scheme-name
Default
No HWTACACS scheme exists.
Views
System view
Default command level
3: Manage level
Parameters
hwtacacs-scheme-name: Specifies the HWTACACS scheme name, a case-insensitive string of 1 to 32
characters.
Usage guidelines
An HWTACACS scheme can be referenced by more than one ISP domain at the same time.
An HWTACACS scheme referenced by ISP domains cannot be removed.
Examples
# Create an HWTACACS scheme named hwt1, and enter HWTACACS scheme view.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1]
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
accounting: Sets the shared key for secure HWTACACS accounting communication.
authentication: Sets the shared key for secure HWTACACS authentication communication.
authorization: Sets the shared key for secure HWTACACS authorization communication.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 255 characters. If cipher is specified, it must be a ciphertext string of 1 to 373 characters.
If neither cipher nor simple is specified, you set a plaintext shared key string. In FIPS mode, the string must
be at least eight characters long and contain digits, uppercase letters, lowercase letters, and special characters.
Usage guidelines
The shared keys configured on the device must match those configured on the HWTACACS servers.
In FIPS mode, the shared key specified in this command is encrypted and decrypted through 3DES.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
Examples
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for
HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting simple hello
# Set the shared key for secure HWTACACS accounting communication to hello in plain text for
HWTACACS scheme hwt1, without specifying the simple keyword.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] key accounting hello
Related commands
display hwtacacs
Syntax
nas-ip ip-address
undo nas-ip
Default
The source IP address of an outgoing HWTACACS packet is configured by the hwtacacs nas-ip
command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the
IP address of the outbound interface.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies an IP address in dotted decimal notation. It must be an address of the device and
cannot be 0.0.0.0, 255.255.255.255, a class D address, or a class E address.
Usage guidelines
The source IP address of HWTACACS packets that a NAS sends must match the IP address of the NAS
that is configured on the HWTACACS server. An HWTACACS server identifies a NAS by IP address.
Upon receiving an HWTACACS packet, an HWTACACS server checks whether the source IP address of
the packet is the IP address of any managed NAS. If it is, the server processes the packet. If it is not, the
server drops the packet.
If you execute the command multiple times, the most recent configuration takes effect.
The setting configured by the nas-ip command in HWTACACS scheme view is only for the HWTACACS
scheme, whereas that configured by the hwtacacs nas-ip command in system view is for all HWTACACS
schemes. The setting in HWTACACS scheme view takes precedence.
Examples
# Set the source address for outgoing HWTACACS packets to 10.1.1.1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1
Related commands
hwtacacs nas-ip
Default
No primary HWTACACS accounting server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the primary HWTACACS accounting server in dotted decimal
notation. The default is 0.0.0.0.
port-number: Specifies the service port number of the primary HWTACACS accounting server. The value
range for the port number is 1 to 65535, and the default is 49.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary
HWTACACS accounting server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 255 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must contain at least eight characters and the plaintext shared key
string must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS
accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31
characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary HWTACACS accounting server are
the same as those configured on the server.
The IP addresses of the primary and secondary HWTACACS accounting servers must be different.
Otherwise, the configuration fails.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an accounting server only when it is not used by any active TCP connection to send
accounting packets. Removing an accounting server only affects accounting processes that occur after
the remove operation.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS
scheme.
Examples
# Specify the IP address and port number of the primary accounting server for HWTACACS scheme
test1 as 10.163.155.12 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme test1
[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49 key simple abCD1@
Related commands
• display hwtacacs
• key (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
The shared key configured by this command takes precedence over that configured by using the key
authentication [ cipher | simple ] key command.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send
authentication packets. Removing an authentication server only affects authentication processes that
occur after the remove operation.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS
scheme.
Examples
# Specify the IP address and port number of the primary authentication server for HWTACACS scheme
hwt1 as 10.163.155.13 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49 key simple abCD1@
Related commands
• display hwtacacs
• key (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
primary authorization
Use primary authorization to specify the primary HWTACACS authorization server.
Use undo primary authorization to remove the configuration.
Syntax
primary authorization ip-address [ port-number | key [ cipher | simple ] key | vpn-instance vpn-instance-name ] *
undo primary authorization
Default
No primary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the primary HWTACACS authorization server in dotted decimal
notation. The default is 0.0.0.0.
port-number: Specifies the service port number of the primary HWTACACS authorization server. The
value range for the port number is 1 to 65535, and the default is 49.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the primary
HWTACACS authorization server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 255 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must contain at least eight characters and the plaintext shared key
string must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the primary HWTACACS
authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31
characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the primary HWTACACS authorization server are
the same as those configured on the server.
The IP addresses of the primary and secondary authorization servers must be different. Otherwise, the
configuration fails.
The shared key configured by this command takes precedence over that configured by using the key
authorization [ cipher | simple ] key command.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an authorization server only when it is not used by any active TCP connection to send
authorization packets. Removing an authorization server only affects authorization processes that occur
after the remove operation.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS
scheme.
Examples
# Configure the IP address and port number of the primary authorization server for HWTACACS scheme
hwt1 as 10.163.155.13 and 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple abCD1@
Related commands
• display hwtacacs
• key (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
Views
User view
Default command level
1: Monitor level
Parameters
accounting: Specifies the HWTACACS accounting statistics.
all: Specifies all HWTACACS statistics.
authentication: Specifies the HWTACACS authentication statistics.
authorization: Specifies the HWTACACS authorization statistics.
Examples
# Clear all HWTACACS statistics.
<Sysname> reset hwtacacs statistics all
Related commands
display hwtacacs
Related commands
• stop-accounting-buffer enable
• display stop-accounting-buffer
Syntax
retry stop-accounting retry-times
undo retry stop-accounting
Default
The maximum number of stop-accounting request transmission attempts is 100.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
retry-times: Specifies the maximum number of stop-accounting request transmission attempts, in the
range of 1 to 300.
Examples
# Set the maximum number of stop-accounting request transmission attempts to 50 for HWTACACS
scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] retry stop-accounting 50
Related commands
• reset stop-accounting-buffer
• display stop-accounting-buffer
port-number: Specifies the service port number of the secondary HWTACACS accounting server. The
value range for the port number is 1 to 65535, and the default is 49.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary
HWTACACS accounting server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 255 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must contain at least eight characters and the plaintext shared key
string must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS
accounting server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31
characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the secondary HWTACACS accounting server are
the same as those configured on the server.
The IP addresses of the primary and secondary accounting servers must be different. Otherwise, the
configuration fails.
If you execute the command multiple times, the most recent configuration takes effect.
The shared key configured by this command takes precedence over that configured by using the key
accounting [ cipher | simple ] key command.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option.
You can remove an accounting server only when it is not used by any active TCP connection to send
accounting packets. Removing an accounting server only affects accounting processes that occur after
the remove operation.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS
scheme.
Examples
# Specify the IP address and port number of the secondary accounting server for HWTACACS scheme
hwt1 as 10.163.155.12 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49 key simple abCD1@
Related commands
• display hwtacacs
• key (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
Syntax
secondary authentication ip-address [ port-number | key [ cipher | simple ] key | vpn-instance
vpn-instance-name ] *
undo secondary authentication
Default
No secondary HWTACACS authentication server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the secondary HWTACACS authentication server in dotted
decimal notation. The default is 0.0.0.0.
port-number: Specifies the service port number of the secondary HWTACACS authentication server. The
value range for the port number is 1 to 65535, and the default is 49.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary
HWTACACS authentication server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 255 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must contain at least eight characters and the plaintext shared key
string must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS
authentication server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31
characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the secondary HWTACACS authentication server
are the same as those configured on the server.
The IP addresses of the primary and secondary authentication servers must be different. Otherwise, the
configuration fails.
If the specified server resides on an MPLS VPN, specify the VPN by using the vpn-instance
vpn-instance-name option.
The shared key configured by this command takes precedence over that configured by using the key
authentication [ cipher | simple ] key command.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an authentication server only when it is not used by any active TCP connection to send
authentication packets. Removing an authentication server only affects authentication processes that
occur after the remove operation.
The VPN specified by this command takes precedence over the VPN specified for the HWTACACS
scheme.
Examples
# Specify the IP address and port number of the secondary authentication server for HWTACACS
scheme hwt1 as 10.163.155.13 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49 key simple abCD1@
Related commands
• display hwtacacs
• key (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
secondary authorization
Use secondary authorization to specify a secondary HWTACACS authorization server.
Use undo secondary authorization to remove the configuration.
Syntax
secondary authorization ip-address [ port-number | key [ cipher | simple ] key | vpn-instance
vpn-instance-name ] *
undo secondary authorization
Default
No secondary HWTACACS authorization server is specified.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the secondary HWTACACS authorization server in dotted decimal
notation. The default is 0.0.0.0.
port-number: Specifies the service port number of the secondary HWTACACS authorization server. The
value range for the port number is 1 to 65535, and the default is 49.
key [ cipher | simple ] key: Specifies the shared key for secure communication with the secondary
HWTACACS authorization server.
• cipher key: Specifies a ciphertext shared key, which is a case-sensitive ciphertext string of 1 to 373
characters.
• simple key: Specifies a plaintext shared key, which is a case-sensitive string of 1 to 255 characters.
• If neither cipher nor simple is specified, you set a plaintext shared key string.
• In FIPS mode, the shared key must contain at least eight characters and the plaintext shared key
string must contain digits, uppercase letters, lowercase letters, and special characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the secondary HWTACACS
authorization server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31
characters. If the server is on the public network, do not specify this option.
Usage guidelines
Make sure the port number and shared key settings of the secondary HWTACACS authorization server
are the same as those configured on the server.
The IP addresses of the primary and secondary authorization servers cannot be the same. Otherwise, the
configuration fails.
If the specified server resides on an MPLS VPN, you also must specify that VPN with the secondary
authorization command to ensure normal communication with the server. The VPN specified here takes
precedence over the VPN specified for the HWTACACS scheme.
The shared key configured by this command takes precedence over that configured by using the key
authorization [ cipher | simple ] key command.
If you execute the command multiple times, the most recent configuration takes effect.
You can remove an authorization server only when it is not used by any active TCP connection to send
authorization packets. Removing an authorization server only affects authorization processes that occur
after the remove operation.
Examples
# Configure the secondary authorization server 10.163.155.13 with TCP port number 49.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49 key simple abCD1@
Related commands
• display hwtacacs
• key (HWTACACS scheme view)
• vpn-instance (HWTACACS scheme view)
receives no response in the specified period of time, the NAS buffers and resends the packet until it
receives a response or until the number of transmission attempts reaches the configured limit. In the latter
case, the NAS discards the packet.
Examples
# In HWTACACS scheme hwt1, enable the device to buffer the stop-accounting requests that receive no
responses.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable
Related commands
• reset stop-accounting-buffer
• display stop-accounting-buffer
Related commands
display hwtacacs
timer realtime-accounting (HWTACACS scheme view)
Use timer realtime-accounting to set the real-time accounting interval.
Use undo timer realtime-accounting to restore the default.
Syntax
timer realtime-accounting minutes
undo timer realtime-accounting
Default
The real-time accounting interval is 12 minutes.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
minutes: Specifies the real-time accounting interval in minutes. The value can be 0 or a multiple of 3, in
the range of 3 to 60. A value of 0 means "Do not send online user accounting information to the
HWTACACS server."
Usage guidelines
For real-time accounting, a NAS must transmit the accounting information of online users to the
HWTACACS accounting server periodically. This command is for setting the interval.
Consider the performance of the NAS and the HWTACACS server when you set the real-time accounting
interval. A shorter interval requires higher performance. Use a longer interval when there is a large
number of users (1000 or more).
Table 9 Recommended real-time accounting intervals
Number of users    Real-time accounting interval (in minutes)
100 to 499         6
500 to 999         12
Examples
# Set the real-time accounting interval to 51 minutes for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51
Syntax
timer response-timeout seconds
undo timer response-timeout
Default
The HWTACACS server response timeout time is 5 seconds.
Views
HWTACACS scheme view
Default command level
2: System level
Parameters
seconds: Specifies the HWTACACS server response timeout period in seconds, in the range of 1 to 300.
Usage guidelines
HWTACACS is based on TCP. When the server response timeout timer or the TCP timeout timer times out,
the device is disconnected from the HWTACACS server.
Examples
# Set the HWTACACS server response timeout timer to 30 seconds for HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30
Related commands
display hwtacacs
Usage guidelines
A username is generally in the format userid@isp-name, where isp-name is used by the device to
determine the ISP domain to which a user belongs. Some earlier HWTACACS servers, however, cannot
recognize a username that includes an ISP domain name. Before sending a username that includes a
domain name to such an HWTACACS server, the device must remove the domain name. This command
allows you to specify whether to include the domain name in a username sent to an HWTACACS
server.
If an HWTACACS scheme defines that the username is sent without the ISP domain name, do not apply
the HWTACACS scheme to more than one ISP domain. This avoids the confusing situation in which the
HWTACACS server regards two users in different ISP domains but with the same userid as one.
If the HWTACACS scheme is used for wireless users, specify the keep-original keyword. Otherwise,
authentication of the wireless users might fail.
Examples
# Specify the device to remove the ISP domain name in the username sent to the HWTACACS servers for
the HWTACACS scheme hwt1.
<Sysname> system-view
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] user-name-format without-domain
Related commands
display hwtacacs
Command                               MSR900  MSR93X  MSR20-1X  MSR20  MSR30  MSR50  MSR1000
RADIUS server configuration commands  No      No      Yes       Yes    Yes    No     Yes
Related commands
radius-server user
description (RADIUS-server user view)
Use description to configure a description for the RADIUS user. The description is used for user
information management.
Use undo description to remove the user description.
Syntax
description text
undo description
Default
No description is configured for the RADIUS user.
Views
RADIUS-server user view
Default command level
2: System level
Parameters
text: Description of the RADIUS user, a case-sensitive string of 1 to 255 characters.
Examples
# Configure a description of VIP user for RADIUS user user1.
<Sysname> system-view
[Sysname] radius-server user user1
[Sysname-rdsuser-user1] description VIP user
Related commands
radius-server user
Parameters
time: Specifies the expiration time of the RADIUS user, in the format HH:MM:SS-MM/DD/YYYY or
HH:MM:SS-YYYY/MM/DD. HH:MM:SS indicates the time, where HH is in the range of 0 to 23, and
MM and SS are in the range of 0 to 59. YYYY/MM/DD indicates the date, where YYYY is in the range
of 2000 to 2035, MM is in the range of 1 to 12, and the range of DD depends on the month. Except for
the zeros in 00:00:00, leading zeros can be omitted. For example, 2:2:0-2010/2/2 equals
02:02:00-2010/02/02.
Usage guidelines
For temporary network access requirements, create a guest account for the user, and specify an
expiration time for the account. After the user passes authentication, the RADIUS server checks whether
the current system time is before the expiration time. If it is, the server permits the user to access the
network. Otherwise, the server denies the access request of the user.
If you change the system time manually or the system time is changed in any other way, the access device
uses the new system time for expiration check.
Examples
# Configure user user1 to expire at 12:10:20 on May 31, 2012.
<Sysname> system-view
[Sysname] radius-server user user1
[Sysname-rdsuser-user1] expiration-date 12:10:20-2012/05/31
Related commands
radius-server user
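An added example, not Comware code, of the expiration-date argument described above: it parses both date orders with omitted leading zeros, rejects out-of-range fields, and applies the server's before-expiration check. Function names are our own.

```python
import re
from datetime import datetime

# Added example, not Comware code: parser for the expiration-date argument of
# RADIUS-server user view (HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD) and the
# expiration check the reference describes for the RADIUS server function.

_FIELDS = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})-(\d{1,4})/(\d{1,2})/(\d{1,4})$")
YEAR_MIN, YEAR_MAX = 2000, 2035


def _days_in_month(year: int, month: int) -> int:
    """Days in the month, honouring leap years (the range of DD depends on the month)."""
    if month == 2:
        leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
        return 29 if leap else 28
    return 30 if month in (4, 6, 9, 11) else 31


def parse_expiration(text: str) -> datetime:
    """Parse an expiration-date string into a datetime, or raise ValueError.

    Leading zeros may be omitted in any field (2:2:0-2010/2/2 equals
    02:02:00-2010/02/02). The two date orders are told apart by value: a year
    is always 2000..2035, so a first date field of 2000 or more means
    YYYY/MM/DD, anything smaller means MM/DD/YYYY. The manual's remark that the
    zeros of 00:00:00 must be written out is not enforced here.
    """
    m = _FIELDS.match(text)
    if not m:
        raise ValueError("expected HH:MM:SS-MM/DD/YYYY or HH:MM:SS-YYYY/MM/DD: %r" % text)
    hh, mi, ss, d1, d2, d3 = (int(g) for g in m.groups())
    if d1 >= YEAR_MIN:
        year, month, day = d1, d2, d3
    else:
        month, day, year = d1, d2, d3
    if not 0 <= hh <= 23:
        raise ValueError("hour out of range: %d" % hh)
    if not (0 <= mi <= 59 and 0 <= ss <= 59):
        raise ValueError("minute or second out of range")
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError("year out of range: %d" % year)
    if not 1 <= month <= 12:
        raise ValueError("month out of range: %d" % month)
    if not 1 <= day <= _days_in_month(year, month):
        raise ValueError("day out of range for %04d-%02d: %d" % (year, month, day))
    return datetime(year, month, day, hh, mi, ss)


def access_permitted(expiration: str, now: datetime) -> bool:
    """Server-side check: permit only while the system time is before the expiration time.

    The comparison uses the clock handed in at each authentication, so a changed
    system time takes effect immediately, as the reference notes.
    """
    return now < parse_expiration(expiration)
```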
Usage guidelines
For security purposes, all passwords, including passwords configured in plain text, are saved in
ciphertext.
Examples
# Set the password to 123456 in plain text for RADIUS user user1.
<Sysname> system-view
[Sysname] radius-server user user1
[Sysname-rdsuser-user1] password simple 123456
Related commands
radius-server user
radius-server client-ip
Use radius-server client-ip to specify a RADIUS client.
Use undo radius-server client-ip to delete the specified RADIUS client or all RADIUS clients.
Syntax
radius-server client-ip ip-address [ key [ cipher | simple ] string ]
undo radius-server client-ip { ip-address | all }
Views
System view
Default command level
2: System level
Parameters
ip-address: Specifies the IPv4 address of the RADIUS client.
key: Sets the shared key for secure communication with the RADIUS client.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
string: Specifies the shared key string. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 64 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters. If
neither cipher nor simple is specified, you set a plaintext shared key string.
all: Specifies all RADIUS clients.
Usage guidelines
The IP address of the RADIUS client specified on the RADIUS server must be consistent with the source IP
address of RADIUS packets configured on the RADIUS client.
The shared key specified on the RADIUS server must be consistent with that configured on the RADIUS
client.
For security purposes, all shared keys, including keys configured in plain text, are saved in ciphertext.
You can specify multiple RADIUS clients. The maximum number of RADIUS clients that can be configured
depends on the storage space.
Examples
# Specify RADIUS client 10.1.1.1 and the shared key to 1234 in plain text.
<Sysname> system-view
[Sysname] radius-server client-ip 10.1.1.1 key simple 1234
radius-server user
Use radius-server user to create a RADIUS user and enter RADIUS-server user view.
Use undo radius-server user to delete the specified RADIUS user or all RADIUS users.
Syntax
radius-server user user-name
undo radius-server user { user-name | all }
Default
No RADIUS user exists.
Views
System view
Default command level
2: System level
Parameters
user-name: Specifies the RADIUS username, a case-sensitive string of 1 to 64 characters that
can contain the domain name. It cannot contain question mark (?), left angle bracket (<), right angle
bracket (>), backward slash (\), quotation mark ("), percent sign (%), apostrophe ('), ampersand (&),
number sign (#), or spaces, and cannot be a, al, or all.
all: Removes all RADIUS users.
Usage guidelines
The maximum number of RADIUS users who can be created depends on the device model.
If the access device is configured to send usernames that carry the domain name to the RADIUS server,
the username of the RADIUS user configured here must contain the domain name. Otherwise, the
username configured here must not contain the domain name.
Examples
# Create RADIUS user user1, and enter its view.
<Sysname> system-view
[Sysname] radius-server user user1
[Sysname-rdsuser-user1]
Related commands
user-name-format (RADIUS scheme view)
802.1X commands
display dot1x
Use display dot1x to display information about 802.1X.
Syntax
display dot1x [ sessions | statistics ] [ interface interface-list ] [ | { begin | exclude | include }
regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
sessions: Displays 802.1X session information.
statistics: Displays 802.1X statistics.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports
or port ranges. The start port number must be smaller than the end number and the two ports must be the
same type.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify the sessions or statistics keyword, the command displays all information about
802.1X, including session information, statistics, and configurations.
Examples
# Display all information about 802.1X.
<Sysname> display dot1x
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 3
Ethernet4/0 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
Handshake secure is disabled
802.1X unicast-trigger is enabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Port-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: NOT configured
Guest VLAN: 4
Auth-fail VLAN: NOT configured
Critical VLAN: 3
Critical recovery-action: reinitialize
Max number of on-line users is 256
Field Description
Equipment 802.1X protocol is enabled    Specifies whether 802.1X is enabled globally.
Proxy logoff checker is disabled    Specifies whether the device logs off the user when detecting that the user is accessing the network through a proxy.
Transmit Period    Username request timeout timer in seconds.
Total current used 802.1X resource number    Total number of online 802.1X users.
Ethernet4/0 is link-up    Status of the port. In this example, Ethernet 4/0 is up.
Proxy logoff checker is disabled    Specifies whether the port logs off the user when detecting that the user is accessing the network through a proxy.
Handshake secure is disabled    Specifies whether handshake security is enabled on the port.
802.1X unicast-trigger is disabled    Specifies whether unicast trigger is enabled on the port.
Critical recovery-action    Action that the port takes when an active (reachable) authentication server is detected available for the 802.1X users in the critical VLAN:
• reinitialize—The port triggers authentication.
• NOT configured—The port does not trigger authentication.
Max number of on-line users    Maximum number of concurrent 802.1X users on the port.
EAPOL Packet    Number of sent (Tx) and received (Rx) EAPOL packets.
Related commands
• reset dot1x statistics
• dot1x
• dot1x retry
• dot1x max-user
• dot1x port-control
• dot1x port-method
• dot1x timer
dot1x
Use dot1x to enable 802.1X.
Use undo dot1x to disable 802.1X.
Syntax
In system view:
dot1x [ interface interface-list ]
undo dot1x [ interface interface-list ]
In Ethernet interface view:
dot1x
undo dot1x
Default
802.1X is neither enabled globally nor enabled for any port.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
interface interface-list: Specifies a port list, which can contain multiple ports. The interface-list argument
is in the format of interface-list = { interface-type interface-number [ to interface-type interface-number ] }
& <1-10>, where interface-type represents the port type, interface-number represents the port number,
and & <1-10> means that you can provide up to 10 ports or port ranges. The start port number must be
smaller than the end number and the two ports must be of the same type.
Usage guidelines
Use the dot1x command in system view to enable 802.1X globally.
Use the undo dot1x command in system view to disable 802.1X globally.
Use the dot1x interface command in system view or the dot1x command in interface view to enable
802.1X for specified ports.
Use the undo dot1x interface command in system view or the undo dot1x command in interface view to
disable 802.1X for specified ports.
802.1X must be enabled both globally in system view and for the intended ports in system view or
interface view. Otherwise, it does not function.
You can configure 802.1X parameters either before or after enabling 802.1X.
Examples
# Enable 802.1X for ports Ethernet 1/1, and Ethernet 1/5 to Ethernet 1/7.
<Sysname> system-view
[Sysname] dot1x interface ethernet 1/1 ethernet 1/5 to ethernet 1/7
Or
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x
[Sysname-Ethernet1/1] quit
[Sysname] interface ethernet 1/5
[Sysname-Ethernet1/5] dot1x
[Sysname-Ethernet1/5] quit
[Sysname] interface ethernet 1/6
[Sysname-Ethernet1/6] dot1x
[Sysname-Ethernet1/6] quit
[Sysname] interface ethernet 1/7
[Sysname-Ethernet1/7] dot1x
Related commands
display dot1x
dot1x authentication-method
Use dot1x authentication-method to specify an EAP message handling method.
Use undo dot1x authentication-method to restore the default.
Syntax
dot1x authentication-method { chap | eap | pap }
undo dot1x authentication-method
Default
The network access device performs EAP termination and uses CHAP to communicate with the RADIUS
server.
Views
System view
Default command level
2: System level
Parameters
chap: Sets the access device to perform Extensible Authentication Protocol (EAP) termination and use the
Challenge Handshake Authentication Protocol (CHAP) to communicate with the RADIUS server.
eap: Sets the access device to relay EAP packets, supporting any EAP authentication method for
communication with the RADIUS server.
pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol
(PAP) to communicate with the RADIUS server.
Usage guidelines
The network access device terminates or relays EAP packets:
1. In EAP termination mode—The access device re-encapsulates and sends the authentication data
from the client in standard RADIUS packets to the RADIUS server, and performs either CHAP or
PAP authentication with the RADIUS server. In this mode the RADIUS server supports only
MD5-Challenge EAP authentication, and "username+password" EAP authentication initiated by
an iNode client.
   • PAP transports usernames and passwords in clear text. The authentication method applies to
   scenarios that do not require high security. To use PAP, the client must be an HP iNode 802.1X
   client.
   • CHAP transports the username in plaintext and the password encrypted over the network. It is more
   secure than PAP.
2. In EAP relay mode—The access device relays EAP messages between the client and the RADIUS
server. The EAP relay mode supports multiple EAP authentication methods, such as
MD5-Challenge, EAP-TLS, and PEAP. To use this mode, you must make sure the RADIUS server
supports the EAP-Message and Message-Authenticator attributes and uses the same EAP
authentication method as the client. If this mode is used, the user-name-format command
configured in RADIUS scheme view does not take effect. For more information about the
user-name-format command, see "RADIUS configuration commands."
Local authentication supports PAP and CHAP.
If RADIUS authentication is used, you must configure the network access device to use the same
authentication method (PAP, CHAP, or EAP) as the RADIUS server.
Examples
# Enable the access device to terminate EAP packets and perform PAP authentication with the RADIUS
server.
<Sysname> system-view
[Sysname] dot1x authentication-method pap
Related commands
display dot1x
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x auth-fail vlan 3
Related commands
• dot1x
• dot1x port-method
dot1x critical recovery-action
Use dot1x critical recovery-action to configure the action that a port takes when an active (reachable)
RADIUS authentication server is detected for users in the 802.1X critical VLAN.
Use undo dot1x critical recovery-action to restore the default.
Syntax
dot1x critical recovery-action reinitialize
undo dot1x critical recovery-action
Default
When a reachable RADIUS server is detected, the system removes the port or 802.1X users from the
critical VLAN without triggering authentication.
Views
Layer 2 Ethernet interface view
Default command level
2: System level
Parameters
reinitialize: Enables the port to trigger 802.1X re-authentication on detection of a reachable RADIUS
authentication server for users in the critical VLAN.
Usage guidelines
The dot1x critical recovery-action command takes effect only for the 802.1X users in the critical VLAN on
a port. It enables the port to take one of the following actions to trigger 802.1X authentication after
removing 802.1X users from the critical VLAN on detection of a reachable RADIUS authentication server:
• If MAC-based access control is used, the port sends a unicast Identity EAP/Request to each 802.1X
user.
• If port-based access control is used, the port sends a multicast Identity EAP/Request to all the
802.1X users attached to the port.
Examples
# Configure port Ethernet 1/1 to trigger 802.1X re-authentication on detection of an active RADIUS
authentication server for users in the critical VLAN.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x critical recovery-action reinitialize
dot1x domain-delimiter
Use dot1x domain-delimiter to specify a set of domain name delimiters supported by the access device.
Any character in the configured set can be used as the domain name delimiter for 802.1X authentication
users.
Use undo dot1x domain-delimiter to restore the default.
Syntax
dot1x domain-delimiter string
undo dot1x domain-delimiter
Default
The access device supports only the at sign (@) delimiter for 802.1X users.
Views
System view
Default command level
2: System level
Parameters
string: Specifies a set of 1 to 16 domain name delimiters for 802.1X users. No space is required between
delimiters. Available delimiters include the at sign (@), backslash (\), and forward slash (/).
Usage guidelines
The delimiter set you configured overrides the default setting. If @ is not included in the delimiter set, the
access device does not support the 802.1X users that use @ as the domain name delimiter.
If a username string contains multiple configured delimiters, the leftmost delimiter is the domain name
delimiter. For example, if you configure @, /, and \ as delimiters, the domain name delimiter for the
username string 123/22\@abc is the forward slash (/).
The cut connection user-name user-name and display connection user-name user-name commands are
not available for 802.1X users that use / or \ as the domain name delimiter. For more information about
the two commands, see "AAA configuration commands."
Examples
# Specify the characters @, /, and \ as domain name delimiters.
<Sysname> system-view
[Sysname] dot1x domain-delimiter @\/
dot1x guest-vlan
Use dot1x guest-vlan to configure an 802.1X guest VLAN for the specified or all ports. A guest VLAN on
a port accommodates users that have not performed 802.1X authentication. In the guest VLAN, users can
access a limited set of network resources, such as a software server, to download anti-virus software and
system patches.
Use undo dot1x guest-vlan to remove the 802.1X guest VLAN on the specified or all ports.
Syntax
In system view:
dot1x guest-vlan guest-vlan-id [ interface interface-list ]
undo dot1x guest-vlan [ interface interface-list ]
In interface view:
dot1x guest-vlan guest-vlan-id
undo dot1x guest-vlan
Default
No 802.1X guest VLAN is configured on a port.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
guest-vlan-id: Specifies the ID of the VLAN to use as the 802.1X guest VLAN. The value range for the
VLAN ID is 1 to 4094. Make sure the VLAN has been created and is not a super VLAN. For more
information about super VLANs, see Layer 2—LAN Switching Configuration Guide.
interface interface-list: Specifies a port list. The interface-list argument is in the format of interface-list =
{ interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type
represents the port type, interface-number represents the port number, and & <1-10> means that you can
provide up to 10 ports or port ranges. The start port number must be smaller than the end number and
the two ports must be of the same type. If no interface is specified, you configure an 802.1X guest VLAN
for all Layer 2 Ethernet ports.
Usage guidelines
An 802.1X guest VLAN takes effect only when 802.1X is enabled. To have the 802.1X guest VLAN take
effect, complete the following tasks:
• Enable 802.1X both globally and on the interface.
• If the port performs port-based access control, enable the 802.1X multicast trigger function.
When you change the access control method from port-based to MAC-based on a port that is in a guest
VLAN, the port is removed from the guest VLAN. The device does not support guest VLAN on a port that
implements MAC-based access control.
To delete a VLAN that has been configured as a guest VLAN, you must remove the guest VLAN
configuration first.
You can configure both an Auth-Fail VLAN and an 802.1X guest VLAN on a port.
Examples
# Specify VLAN 999 as the 802.1X guest VLAN for port Ethernet 1/1.
<Sysname> system-view
[Sysname] dot1x guest-vlan 999 interface ethernet 1/1
# Specify VLAN 10 as the 802.1X guest VLAN for ports Ethernet 1/2 to Ethernet 1/5.
<Sysname> system-view
[Sysname] dot1x guest-vlan 10 interface ethernet 1/2 to ethernet 1/5
# Specify VLAN 3 as the 802.1X guest VLAN for port Ethernet 1/7.
<Sysname> system-view
[Sysname] interface ethernet 1/7
[Sysname-Ethernet1/7] dot1x guest-vlan 3
Related commands
• dot1x
• dot1x port-method
• dot1x multicast-trigger
dot1x handshake
Use dot1x handshake to enable the online user handshake function. The function enables the device to
periodically send handshake messages to the client to check whether a user is online.
Use undo dot1x handshake to disable the function.
Syntax
dot1x handshake
undo dot1x handshake
Default
The function is enabled.
Views
Ethernet interface view
Default command level
2: System level
Usage guidelines
The 802.1X proxy detection function depends on the online user handshake function. Enable handshake
before enabling proxy detection and disable proxy detection before disabling handshake.
HP recommends that you use the iNode client software to ensure the normal operation of the online user
handshake function.
Examples
# Enable the online user handshake function.
<Sysname> system-view
[Sysname] interface ethernet 1/4
[Sysname-Ethernet1/4] dot1x handshake
Usage guidelines
The online user handshake security function is implemented based on the online user handshake function.
To bring the security function into effect, make sure the online user handshake function is enabled.
HP recommends that you use the iNode client software and IMC server to ensure the normal operation
of the online user handshake security function.
Examples
# Enable the online user handshake security function.
<Sysname> system-view
[Sysname] interface ethernet 1/4
[Sysname-Ethernet1/4] dot1x handshake secure
Related commands
dot1x handshake
dot1x mandatory-domain
Use dot1x mandatory-domain to specify a mandatory 802.1X authentication domain on a port.
Use undo dot1x mandatory-domain to remove the mandatory authentication domain.
Syntax
dot1x mandatory-domain domain-name
undo dot1x mandatory-domain
Default
No mandatory authentication domain is specified.
Views
Ethernet interface view
Default command level
2: System level
Parameters
domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 24 characters.
Usage guidelines
When authenticating an 802.1X user trying to access the port, the system selects an authentication
domain in the following order: the mandatory domain, the ISP domain specified in the username, and
the default ISP domain.
To display or cut all 802.1X connections in a mandatory domain, use the display connection domain
isp-name or cut connection domain isp-name command. The output from the display connection
command without any parameters displays domain names entered by users at login. For more
information about the display connection command or the cut connection command, see "AAA
configuration commands."
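The delimiter rules from the dot1x domain-delimiter section and the domain selection order from the usage guidelines above, modelled as an added example (not HP or Comware code). The default domain name "system" and the check function are assumptions used only for illustration.

```python
# Added example, not HP/Comware code. Models how the access device finds the
# domain name delimiter in an 802.1X username and which ISP domain it selects.
DEFAULT_DELIMITERS = "@"      # device default: only the at sign is a delimiter
SUPPORTED_DELIMITERS = "@\\/"  # the page lists @, backslash and forward slash


def check_delimiter_set(delimiters: str) -> list:
    """Return a list of problems with a dot1x domain-delimiter string.

    An empty list means the set is acceptable. Assumed helper: the device
    itself reports errors in its own way.
    """
    problems = []
    if not 1 <= len(delimiters) <= 16:
        problems.append("delimiter set must contain 1 to 16 characters")
    for ch in delimiters:
        if ch not in SUPPORTED_DELIMITERS:
            problems.append("unsupported delimiter character: " + ch)
    if "@" not in delimiters:
        # Configured set overrides the default, so users that carry @ in the
        # username would no longer be recognised as carrying a domain.
        problems.append("at sign (@) not in set: users with user@domain are not supported")
    return problems


def split_username(username: str, delimiters: str = DEFAULT_DELIMITERS):
    """Split a username into (user part, domain part, delimiter used).

    The leftmost character that belongs to the configured delimiter set is the
    domain name delimiter. Returns (username, None, None) when no configured
    delimiter occurs in the string.
    """
    for index, ch in enumerate(username):
        if ch in delimiters:
            return username[:index], username[index + 1:], ch
    return username, None, None


def select_domain(username: str, mandatory_domain=None,
                  default_domain="system", delimiters=DEFAULT_DELIMITERS) -> str:
    """Return the ISP domain used to authenticate the user.

    Order from the dot1x mandatory-domain usage guidelines: the mandatory
    domain on the port, then the domain carried in the username, then the
    default ISP domain ("system" is an assumed name for the default).
    """
    if mandatory_domain:
        return mandatory_domain
    _, domain, _ = split_username(username, delimiters)
    if domain:
        return domain
    return default_domain


if __name__ == "__main__":
    # The page's own example: delimiters @, / and \ and username 123/22\@abc.
    print(split_username("123/22\\@abc", "@\\/"))            # ('123', '22\\@abc', '/')
    print(select_domain("usera", mandatory_domain="my-domain"))  # my-domain
```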
Examples
# Configure the mandatory authentication domain my-domain for 802.1X users on Ethernet 1/1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x mandatory-domain my-domain
# After 802.1X user usera passes the authentication, execute the display connection command to display
the user connection information on Ethernet 1/1. For more information about the display connection
command, see "AAA configuration commands."
[Sysname-Ethernet1/1] display connection interface ethernet 1/1
Index=68 ,Username=usera@my-domain
MAC=00-15-E9-A6-7C-FE
IP=3.3.3.3
IPv6=N/A
Total 1 connection(s) matched.
Related commands
display dot1x
dot1x max-user
Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port.
Use undo dot1x max-user to restore the default.
Syntax
In system view:
dot1x max-user user-number [ interface interface-list ]
undo dot1x max-user [ interface interface-list ]
In Ethernet interface view:
dot1x max-user user-number
undo dot1x max-user
Default
A maximum of 256 concurrent 802.1X users are allowed on a port.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range is 1
to 256.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports
or port ranges. The start port number must be smaller than the end number and the two ports must be of
the same type.
Usage guidelines
In system view:
• If you do not specify the interface-list argument, the command applies to all ports.
• If you specify the interface-list argument, the command applies to the specified ports.
In Ethernet port view, the interface interface-list option is not available and the command applies to only
the Ethernet port.
Examples
# Set the maximum number of concurrent 802.1X users on port Ethernet 1/1 to 32.
<Sysname> system-view
[Sysname] dot1x max-user 32 interface ethernet 1/1
Or
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x max-user 32
# Configure Ethernet 1/2 through Ethernet 1/5 each to support a maximum of 32 concurrent 802.1X
users.
<Sysname> system-view
[Sysname] dot1x max-user 32 interface ethernet 1/2 to ethernet 1/5
Related commands
display dot1x
dot1x multicast-trigger
Use dot1x multicast-trigger to enable the 802.1X multicast trigger function. The device acts as the
initiator and periodically multicasts Identity EAP-Request packets out of a port to detect 802.1X clients
and trigger authentication.
Use undo dot1x multicast-trigger to disable the function.
Syntax
dot1x multicast-trigger
undo dot1x multicast-trigger
Default
The multicast trigger function is enabled.
Views
Ethernet interface view
Default command level
2: System level
Usage guidelines
You can use the dot1x timer tx-period command to set the interval for sending multicast Identity
EAP-Request packets.
Examples
# Enable the multicast trigger function on interface Ethernet 1/1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x multicast-trigger
Related commands
display dot1x
dot1x port-control
Use dot1x port-control to set the authorization state for the specified or all ports.
Use undo dot1x port-control to restore the default.
Syntax
In system view:
dot1x port-control { authorized-force | auto | unauthorized-force } [ interface interface-list ]
undo dot1x port-control [ interface interface-list ]
In Ethernet interface view:
dot1x port-control { authorized-force | auto | unauthorized-force }
undo dot1x port-control
Default
The default port authorization state is auto.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
authorized-force: Places the specified or all ports in the authorized state, enabling users on the ports to
access the network without authentication.
auto: Places the specified or all ports initially in the unauthorized state to allow only EAPOL packets to
pass, and after a user passes authentication, sets the port in the authorized state to allow access to the
network. You can use this option in most scenarios.
unauthorized-force: Places the specified or all ports in the unauthorized state, denying any access
requests from users on the ports.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports
or port ranges. The start port number must be smaller than the end number and the two ports must be of
the same type.
Usage guidelines
In system view, if no interface is specified, the command applies to all ports.
Examples
# Set the authorization state of port Ethernet 1/1 to unauthorized-force.
<Sysname> system-view
[Sysname] dot1x port-control unauthorized-force interface ethernet 1/1
Or
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x port-control unauthorized-force
# Set the authorization state of ports Ethernet 1/2 through Ethernet 1/5 to unauthorized-force.
<Sysname> system-view
[Sysname] dot1x port-control unauthorized-force interface ethernet 1/2 to ethernet 1/5
Related commands
display dot1x
dot1x port-method
Use dot1x port-method to specify an access control method for the specified or all ports.
Use undo dot1x port-method to restore the default.
Syntax
In system view:
dot1x port-method { macbased | portbased } [ interface interface-list ]
undo dot1x port-method [ interface interface-list ]
In Ethernet interface view:
dot1x port-method { macbased | portbased }
undo dot1x port-method
Default
MAC-based access control applies.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
macbased: Uses MAC-based access control on a port to separately authenticate each user attempting to
access the network. By using this method, when an authenticated user logs off, no other online users are
affected.
portbased: Uses port-based access control on a port. By using this method, once an 802.1X user passes
authentication on the port, any subsequent user can access the network through the port without
authentication. When the authenticated user logs off, all other users are logged off.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports
or port ranges for this argument. The start port number must be smaller than the end number and the two
ports must be the same type.
Usage guidelines
In system view, if no interface is specified, the command applies to all ports.
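The effect of the dot1x port-control, dot1x port-method and dot1x max-user settings on which hosts get network access, as an added example (not HP or Comware code). The class and method names are assumptions; the behaviour follows the parameter descriptions above.

```python
# Added example, not HP/Comware code. A small model of an 802.1X-controlled
# port: which data frames are forwarded depends on port-control, port-method
# and the set of MAC addresses that have passed authentication.
from dataclasses import dataclass, field


@dataclass
class Dot1xPort:
    port_control: str = "auto"       # authorized-force | auto | unauthorized-force
    port_method: str = "macbased"    # macbased | portbased (default is macbased)
    max_user: int = 256              # dot1x max-user default
    authenticated: set = field(default_factory=set)  # MACs that passed 802.1X

    def login(self, mac: str) -> None:
        """Record that mac passed 802.1X authentication on this port."""
        if self.port_control != "auto":
            # authorized-force needs no authentication; unauthorized-force
            # denies every access request, so no login can succeed.
            raise ValueError("authentication only takes place when port-control is auto")
        mac = mac.lower()
        if mac not in self.authenticated and len(self.authenticated) >= self.max_user:
            raise ValueError("dot1x max-user limit reached on this port")
        self.authenticated.add(mac)

    def logoff(self, mac: str) -> None:
        """Log mac off; under portbased control every other user goes with it."""
        if self.port_method == "portbased":
            self.authenticated.clear()
        else:
            self.authenticated.discard(mac.lower())

    def allows(self, mac: str) -> bool:
        """Return True if a data frame from mac is forwarded to the network."""
        if self.port_control == "authorized-force":
            return True
        if self.port_control == "unauthorized-force":
            return False
        # auto: the port is unauthorized until a user passes authentication
        if self.port_method == "portbased":
            # one authenticated user opens the port for every attached host
            return len(self.authenticated) > 0
        return mac.lower() in self.authenticated


if __name__ == "__main__":
    port = Dot1xPort(port_method="portbased")
    port.login("00-15-E9-A6-7C-FE")
    # A second host that never authenticated rides on the first one's session.
    print(port.allows("00-11-22-33-44-55"))   # True under portbased
    port.logoff("00-15-E9-A6-7C-FE")
    print(port.allows("00-11-22-33-44-55"))   # False: everyone was logged off
```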
Examples
# Configure port Ethernet 1/1 to implement port-based access control.
<Sysname> system-view
[Sysname] dot1x port-method portbased interface ethernet 1/1
Or
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x port-method portbased
# Configure ports Ethernet 1/2 through Ethernet 1/5 to implement port-based access control.
<Sysname> system-view
[Sysname] dot1x port-method portbased interface ethernet 1/2 to ethernet 1/5
Related commands
display dot1x
dot1x quiet-period
Use dot1x quiet-period to enable the quiet timer. When a client fails 802.1X authentication, the device
must wait a period of time before it can process authentication requests from the client.
Use undo dot1x quiet-period to disable the timer.
Syntax
dot1x quiet-period
undo dot1x quiet-period
Default
The quiet timer is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable the quiet timer.
<Sysname> system-view
[Sysname] dot1x quiet-period
Related commands
• display dot1x
• dot1x timer
dot1x re-authenticate
Use dot1x re-authenticate to enable the periodic online user re-authentication function.
Use undo dot1x re-authenticate to disable the function.
Syntax
dot1x re-authenticate
undo dot1x re-authenticate
Default
The periodic online user re-authentication function is disabled.
Views
Ethernet interface view
Default command level
2: System level
Usage guidelines
Periodic re-authentication enables the access device to periodically authenticate online 802.1X users on
a port. This function tracks the connection status of online users and updates the authorization attributes
assigned by the server, such as the ACL, VLAN, and user profile-based QoS.
You can use the dot1x timer reauth-period command to configure the interval for re-authentication.
Examples
# Enable the 802.1X periodic online user re-authentication function on Ethernet 1/1 and set the periodic
re-authentication interval to 1800 seconds.
<Sysname> system-view
[Sysname] dot1x timer reauth-period 1800
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x re-authenticate
Related commands
dot1x timer reauth-period
dot1x retry
Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client.
Use undo dot1x retry to restore the default.
Syntax
dot1x retry max-retry-value
undo dot1x retry
Default
The device sends an authentication request to a client a maximum of two times.
Views
System view
Default command level
2: System level
Parameters
max-retry-value: Specifies the maximum number of attempts for sending an authentication request to a
client. The value range is 1 to 10.
Usage guidelines
After the network access device sends an authentication request to a client, if the device receives no
response from the client within the username request timeout timer (set with the dot1x timer tx-period
tx-period-value command) or the client timeout timer (set with the dot1x timer supp-timeout
supp-timeout-value command), the device retransmits the authentication request. The network access
device stops retransmitting the request if it has made the maximum number of request transmission
attempts but still received no response.
This command applies to all ports of the device.
Examples
# Set the maximum number of attempts for sending an authentication request to a client as 9.
<Sysname> system-view
[Sysname] dot1x retry 9
Related commands
display dot1x
dot1x supp-proxy-check
Use dot1x supp-proxy-check to enable the proxy detection function and set the processing method on
the specified ports or all ports.
Use undo dot1x supp-proxy-check to disable the function on the specified ports or all ports.
Syntax
In system view:
dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
undo dot1x supp-proxy-check { logoff | trap } [ interface interface-list ]
In Ethernet interface view:
dot1x supp-proxy-check { logoff | trap }
undo dot1x supp-proxy-check { logoff | trap }
Default
The proxy detection function is disabled. Users can use an authenticated 802.1X client as a network
access proxy to bypass monitoring and accounting.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
logoff: Logs off a user accessing the network through a proxy.
trap: Sends a trap to the network management system when a user is detected accessing the network
through a proxy.
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports
or port ranges. The start port number must be smaller than the end number and the two ports must be of
the same type. If no interface is specified, the command applies to all ports.
Usage guidelines
This function requires the cooperation of the iNode client software.
The proxy detection function must be enabled both globally in system view and for the intended ports in
system view or Ethernet interface view. Otherwise, it does not work.
Examples
# Configure ports Ethernet 1/1 to 1/8 to log off users accessing the network through a proxy.
<Sysname> system-view
[Sysname] dot1x supp-proxy-check logoff
[Sysname] dot1x supp-proxy-check logoff interface ethernet 1/1 to ethernet 1/8
# Configure port Ethernet 1/9 to send a trap when a user is detected accessing the network through a
proxy.
<Sysname> system-view
[Sysname] dot1x supp-proxy-check trap
[Sysname] dot1x supp-proxy-check trap interface ethernet 1/9
Or
<Sysname> system-view
[Sysname] dot1x supp-proxy-check trap
[Sysname] interface ethernet 1/9
[Sysname-Ethernet1/9] dot1x supp-proxy-check trap
Related commands
display dot1x
dot1x timer
Use dot1x timer to set 802.1X timers.
Use undo dot1x timer to restore the defaults.
Syntax
dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value |
reauth-period reauth-period-value | server-timeout server-timeout-value | supp-timeout
supp-timeout-value | tx-period tx-period-value }
undo dot1x timer { handshake-period | quiet-period | reauth-period | server-timeout | supp-timeout
| tx-period }
Default
The handshake timer is 15 seconds, the quiet timer is 60 seconds, the periodic re-authentication timer is
3600 seconds, the server timeout timer is 100 seconds, the client timeout timer is 30 seconds, and the
username request timeout timer is 30 seconds.
Views
System view
Default command level
2: System level
Parameters
handshake-period-value: Sets the handshake timer in seconds. It is in the range of 5 to 1024.
quiet-period-value: Sets the quiet timer in seconds. It is in the range of 10 to 120.
reauth-period-value: Sets the periodic re-authentication timer in seconds. It is in the range of 60 to
86400.
server-timeout-value: Sets the server timeout timer in seconds. It is in the range of 100 to 300.
supp-timeout-value: Sets the client timeout timer in seconds. It is in the range of 1 to 120.
tx-period-value: Sets the username request timeout timer in seconds. It is in the range of 10 to 120.
Usage guidelines
You can set the client timeout timer to a high value in a low-performance network, set the quiet timer to
a high value in a vulnerable network or a low value for quicker authentication response, or adjust the
server timeout timer to adapt to the performance of different authentication servers. In most cases, the
default settings are sufficient.
The network device uses the following 802.1X timers:
• Handshake timer (handshake-period)—Sets the interval at which the access device sends client
handshake requests to check the online status of a client that has passed authentication. If the
device receives no response after sending the maximum number of handshake requests, it considers
that the client has logged off.
• Quiet timer (quiet-period)—Starts when a client fails authentication. The access device must wait
the time period before it can process the authentication attempts from the client.
• Periodic re-authentication timer (reauth-period)—Sets the interval at which the network device
periodically re-authenticates online 802.1X users. To enable periodic online user re-authentication
on a port, use the dot1x re-authenticate command. A change to the periodic re-authentication
timer applies to users that are already online only after the old timer expires.
• Server timeout timer (server-timeout)—Starts when the access device sends a RADIUS
Access-Request packet to the authentication server. If no response is received when this timer
expires, the access device retransmits the request to the server.
• Client timeout timer (supp-timeout)—Starts when the access device sends an EAP-Request/MD5
Challenge packet to a client. If no response is received when this timer expires, the access device
retransmits the request to the client.
• Username request timeout timer (tx-period)—Starts when the device sends an EAP-Request/Identity
packet to a client in response to an authentication request. If the device receives no response before
this timer expires, it retransmits the request. The timer also sets the interval at which the network
device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request
authentication.
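How the username request timeout timer, the dot1x retry limit and the quiet timer shape the device's behaviour over time, as an added example (not HP or Comware code). It assumes the dot1x retry value counts total transmissions of a request, which matches the default of two described in the dot1x retry section; the function names and the range table are assumptions.

```python
# Added example, not HP/Comware code. Simulates the retransmission of the
# EAP-Request/Identity packet and the effect of the quiet timer on a client
# that keeps failing authentication. Times are in seconds from the first event.

# Value ranges from the dot1x timer parameter descriptions on this page.
TIMER_RANGES = {
    "handshake-period": (5, 1024),
    "quiet-period": (10, 120),
    "reauth-period": (60, 86400),
    "server-timeout": (100, 300),
    "supp-timeout": (1, 120),
    "tx-period": (10, 120),
}


def check_timer(name: str, value: int) -> bool:
    """Return True if value is a valid setting for the named 802.1X timer."""
    low, high = TIMER_RANGES[name]
    return low <= value <= high


def identity_request_timeline(tx_period: int = 30, max_retry: int = 2, reply_at=None):
    """Model EAP-Request/Identity retransmission driven by tx-period and dot1x retry.

    Assumption: max_retry counts total transmissions (the page's default is
    "twice"). Returns (send_times, succeeded, give_up_time); give_up_time is
    None when a reply arrived within one of the tx-period windows.
    """
    sends = []
    now = 0
    for _ in range(max_retry):
        sends.append(now)
        deadline = now + tx_period
        if reply_at is not None and now <= reply_at < deadline:
            return sends, True, None
        now = deadline          # no reply: retransmit when the timer expires
    return sends, False, now


def quiet_period_filter(attempt_times, quiet_enabled: bool = False, quiet_period: int = 60):
    """Return the attempt times the device actually processes.

    Every processed attempt is assumed to fail. With dot1x quiet-period enabled,
    a failure starts the quiet timer and attempts arriving before it expires are
    ignored, which rate-limits a client that guesses credentials.
    """
    processed = []
    quiet_until = None
    for t in sorted(attempt_times):
        if quiet_enabled and quiet_until is not None and t < quiet_until:
            continue
        processed.append(t)
        if quiet_enabled:
            quiet_until = t + quiet_period
    return processed


if __name__ == "__main__":
    print(identity_request_timeline())              # ([0, 30], False, 60)
    print(identity_request_timeline(reply_at=45))   # ([0, 30], True, None)
    attempts = [0, 10, 20, 60, 70, 125]             # constructed sample
    print(quiet_period_filter(attempts, True, 60))  # [0, 60, 125]
```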
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] dot1x timer server-timeout 150
Related commands
display dot1x
dot1x unicast-trigger
Use dot1x unicast-trigger to enable the 802.1X unicast trigger function.
Use undo dot1x unicast-trigger to disable the function.
Syntax
dot1x unicast-trigger
undo dot1x unicast-trigger
Default
The unicast trigger function is disabled.
Views
Ethernet interface view
Default command level
2: System level
Usage guidelines
The unicast trigger function enables the network access device to initiate 802.1X authentication when it
receives a data frame from an unknown source MAC address. The device sends a unicast Identity
EAP/Request packet to the unknown source MAC address, and retransmits the packet if it has received
no response within a period of time (set with the dot1x timer tx-period command). This process continues
until the maximum number of request attempts (set with the dot1x retry command) is reached.
Examples
# Enable the unicast trigger function for interface Ethernet 1/1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] dot1x unicast-trigger
Related commands
• display dot1x
• dot1x timer tx-period
• dot1x retry
Views
User view
Default command level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, which can contain multiple Ethernet ports. The
interface-list argument is in the format of interface-list = { interface-type interface-number [ to
interface-type interface-number ] } & <1-10>, where interface-type represents the port type,
interface-number represents the port number, and & <1-10> means that you can provide up to 10 ports
or port ranges. The start port number must be smaller than the end number and the two ports must be of
the same type.
Usage guidelines
If a list of ports is specified, the command clears 802.1X statistics for all the specified ports. If no ports are
specified, the command clears all 802.1X statistics.
Examples
# Clear 802.1X statistics on port Ethernet 1/1.
<Sysname> reset dot1x statistics interface ethernet 1/1
Related commands
display dot1x
EAD fast deployment commands
dot1x free-ip
Use dot1x free-ip to configure a free IP. Users can access the segment before passing 802.1X
authentication.
Use undo dot1x free-ip to remove the specified or all free IP addresses.
Syntax
dot1x free-ip ip-address { mask | mask-length }
undo dot1x free-ip { ip-address { mask | mask-length } | all }
Default
No free IP is configured.
Views
System view
Default command level
2: System level
Parameters
ip-address: Specifies a freely accessible IP address segment, also called "a free IP."
mask: Specifies an IP address mask.
mask-length: Specifies IP address mask length.
all: Removes all free IP addresses.
Usage guidelines
When global MAC authentication, Layer-2 portal authentication, or port security is enabled, the free IP
does not take effect.
A maximum of six free IP addresses can be configured on a device.
The free IP takes effect only on the port that is in the authorization state of auto.
The following matrix shows the command and router compatibility:
Examples
# Configure 192.168.0.0/24 as a free IP address.
<Sysname> system-view
[Sysname] dot1x free-ip 192.168.0.0 24
Related commands
display dot1x
Examples
# Set the EAD rule timer to 5 minutes.
<Sysname> system-view
[Sysname] dot1x timer ead-timeout 5
Related commands
display dot1x
dot1x url
Use dot1x url to configure a redirect URL. When a user uses a Web browser to access networks other
than the free IP, the device redirects the user to the redirect URL.
Use undo dot1x url to remove the redirect URL.
Syntax
dot1x url url-string
undo dot1x url
Default
No redirect URL is defined.
Views
System view
Default command level
2: System level
Parameters
url-string: Specifies the redirect URL, a case-sensitive string of 1 to 64 characters in the format
http://string.
Usage guidelines
The redirect URL must be on the free IP subnet.
If you configure the dot1x url command multiple times, the last configured URL takes effect.
The following matrix shows the command and router compatibility:
Examples
# Configure the redirect URL as http://192.168.0.1.
<Sysname> system-view
[Sysname] dot1x url http://192.168.0.1
Related commands
• display dot1x
• dot1x free-ip
MAC authentication configuration commands
display mac-authentication
Use display mac-authentication to display MAC authentication settings and statistics, including global
settings, port-specific settings, and MAC authentication and online user statistics.
Syntax
display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to
interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port
ranges. The start port and end port of a port range must be of the same type and the end port number
must be greater than the start port number. A port range defined without the to interface-type
interface-number option comprises only one port.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you specify a list of ports, the command displays port-specific settings and statistics only for the
specified ports.
If you do not specify any port, the command displays port-specific settings and statistics for all ports.
Examples
# Display all MAC authentication settings and statistics.
<Sysname> display mac-authentication
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xxxxxxxxxxxx
Fixed username:mac
Fixed password:not configured
Offline detect period is 300s
Quiet period is 60s.
Server response timeout value is 100s
the max allowed user number is 1024 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
……(output omitted)
Table 11 Command output
Field                                  Description
MAC address authentication is enabled  Whether MAC authentication is enabled.
the max allowed user number            Maximum number of users each slot supports.
Ethernet1/1 is link-up                 Status of the link on port Ethernet 1/1. In this example, the link is up.
Authenticate success: 0, failed: 0     MAC authentication statistics, including the number of successful and
                                       unsuccessful authentication attempts.
mac-authentication
Use mac-authentication in system view to enable MAC authentication globally.
Use mac-authentication interface interface-list in system view to enable MAC authentication on a list of
ports, or use mac-authentication in interface view to enable MAC authentication on a port.
Use undo mac-authentication in system view to disable MAC authentication globally.
Use undo mac-authentication interface interface-list in system view to disable MAC authentication on a
list of ports, or use undo mac-authentication in interface view to disable MAC authentication on a port.
Syntax
In system view:
mac-authentication [ interface interface-list ]
undo mac-authentication [ interface interface-list ]
In Ethernet interface view:
mac-authentication
undo mac-authentication
Default
MAC authentication is not enabled globally or on any port.
Views
System view, Ethernet interface view
Default command level
2: System level
Parameters
interface interface-list: Specifies an Ethernet port list, in the format of { interface-type interface-number
[ to interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10
port ranges. The start port and end port of a port range must be of the same type and the end port
number must be greater than the start port number. A port range defined without the to interface-type
interface-number option comprises only one port.
The following matrix shows the option and router compatibility:
Option | MSR900 | MSR93X | MSR20-1X | MSR20 | MSR30 | MSR50 | MSR1000
interface interface-list | Yes | No | Yes | Yes | Yes | Yes | No
Usage guidelines
To use MAC authentication on a port, you must enable the function both globally and on the port.
Examples
# Enable MAC authentication globally.
<Sysname> system-view
[Sysname] mac-authentication
Mac-auth is enabled globally.
Or
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] mac-authentication
Mac-auth is enabled on port Ethernet1/1.
mac-authentication domain
Use mac-authentication domain to specify a global authentication domain in system view or a port
specific authentication domain in interface view for MAC authentication users.
Use undo mac-authentication domain to restore the default.
Syntax
mac-authentication domain domain-name
undo mac-authentication domain
Default
The default authentication domain is used for MAC authentication users. For more information about the
default authentication domain, see the domain default enable command in "AAA configuration
commands."
Views
System view, interface view
Default command level
2: System level
Parameters
domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters.
The domain name cannot contain any forward slash (/), colon (:), asterisk (*), question mark (?),
less-than sign (<), greater-than sign (>), or at sign (@).
Usage guidelines
The global authentication domain is applicable to all MAC authentication enabled ports. A port specific
authentication domain is applicable only to the port. You can specify different authentication domains on
different ports.
A port chooses an authentication domain for MAC authentication users in this order: port specific
domain, global domain, and the default authentication domain.
Examples
# Specify the domain1 domain as the global authentication domain for MAC authentication users.
<Sysname> system-view
[Sysname] mac-authentication domain domain1
# Specify the aabbcc domain as the authentication domain for MAC authentication users on port
Ethernet 1/1.
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] mac-authentication domain aabbcc
Related commands
display mac-authentication
in multiple VLANs, frequent MAC re-authentication can downgrade the system performance and affect
data transmission quality.
Examples
# Enable MAC authentication multi-VLAN mode on GigabitEthernet 1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] mac-authentication host-mode multi-vlan
mac-authentication max-user
Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users
on a port.
Use undo mac-authentication max-user to restore the default.
Syntax
mac-authentication max-user user-number
undo mac-authentication max-user
Default
A maximum of 256 concurrent MAC authentication users are allowed on a port.
Views
Interface view
Default command level
2: System level
Parameters
user-number: Specifies a maximum number of concurrent MAC authentication users on the port. The
value range is 1 to 256.
Usage guidelines
The default maximum number of concurrent MAC authentication users on a port depends on the device
model.
Examples
# Configure port Ethernet 1/1 to support up to 32 concurrent MAC authentication users.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] mac-authentication max-user 32
mac-authentication timer
Use mac-authentication timer to set the MAC authentication timers.
Use undo mac-authentication timer to restore the default settings.
Syntax
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout
server-timeout-value }
undo mac-authentication timer { offline-detect | quiet | server-timeout }
Default
The offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100
seconds.
Views
System view
Default command level
2: System level
Parameters
offline-detect offline-detect-value: Sets the offline detect timer in the range of 60 to 65535 seconds. This
timer sets the interval that the device waits for traffic from a user before it regards the user idle. If a user
connection has been idle for two consecutive intervals, the device logs the user out and stops accounting
for the user.
quiet quiet-value: Sets the quiet timer in the range of 1 to 3600 seconds. This timer sets the interval that
the device must wait before it can perform MAC authentication for a user that has failed MAC
authentication. All packets from the MAC address are dropped during the quiet time. This quiet
mechanism prevents repeated authentication from affecting system performance.
server-timeout server-timeout-value: Sets the server timeout timer in the range of 100 to 300 seconds.
This timer sets the interval that the access device waits for a response from a RADIUS server before it
regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot
access the network.
Examples
# Set the server timeout timer to 150 seconds.
<Sysname> system-view
[Sysname] mac-authentication timer server-timeout 150
Related commands
display mac-authentication
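As an added illustration (not Comware code), the following Python models how the three timers documented above interact on one port: a MAC that fails authentication is silenced for the quiet time, a RADIUS server timeout denies access, and an online user is logged out only after two consecutive offline-detect intervals without traffic. The class, method names, and the second-granularity event model are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class MacAuthTimers:
    """Timer values of mac-authentication timer, with the page's defaults and ranges."""
    offline_detect: int = 300   # 60..65535 s
    quiet: int = 60             # 1..3600 s
    server_timeout: int = 100   # 100..300 s

    def __post_init__(self):
        if not 60 <= self.offline_detect <= 65535:
            raise ValueError("offline-detect must be 60 to 65535 seconds")
        if not 1 <= self.quiet <= 3600:
            raise ValueError("quiet must be 1 to 3600 seconds")
        if not 100 <= self.server_timeout <= 300:
            raise ValueError("server-timeout must be 100 to 300 seconds")


@dataclass
class MacAuthPort:
    """Hypothetical model of one MAC-authentication port (added example, not device code)."""
    timers: MacAuthTimers
    idle_intervals: dict = field(default_factory=dict)   # online MAC -> consecutive idle intervals
    last_seen: dict = field(default_factory=dict)        # MAC -> time of its last packet
    quiet_until: dict = field(default_factory=dict)      # failed MAC -> end of its quiet time

    def packet(self, mac, now, radius_reply=None):
        """Handle one packet from `mac` at time `now` (seconds).

        radius_reply models the RADIUS outcome for a MAC that is not yet online:
        True = accept, False = reject, None = no answer before server-timeout expires.
        """
        if mac in self.idle_intervals:              # already online: just refresh activity
            self.last_seen[mac] = now
            return "forwarded"
        if now < self.quiet_until.get(mac, 0):      # failed recently: drop, no authentication
            return "dropped (quiet)"
        if radius_reply is True:
            self.idle_intervals[mac] = 0
            self.last_seen[mac] = now
            return "authenticated"
        if radius_reply is None:                    # server-timeout expired: no access
            return "denied (server timeout)"
        self.quiet_until[mac] = now + self.timers.quiet
        return "denied (quiet started)"

    def offline_detect_tick(self, now):
        """Run once per offline-detect interval; returns the MACs logged out at this tick.

        A user is logged out (and accounting stopped) only after two consecutive
        intervals with no traffic, as the page documents for offline-detect.
        """
        logged_out = []
        for mac in list(self.idle_intervals):
            idle = now - self.last_seen[mac] >= self.timers.offline_detect
            self.idle_intervals[mac] = self.idle_intervals[mac] + 1 if idle else 0
            if self.idle_intervals[mac] >= 2:
                logged_out.append(mac)
                del self.idle_intervals[mac]
        return logged_out
```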
Parameters
time: Specifies the delay time for MAC authentication in seconds. The value range is 1 to 180.
Usage guidelines
When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC
authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is
triggered or if 802.1X authentication fails within the delay period, the port continues to process MAC
authentication.
Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when
you want to use MAC authentication delay. The delay does not take effect on a port in either of the two
modes. For more information about port security modes, see "Port security commands."
Examples
# Enable MAC authentication delay on Ethernet 0/1 and set the delay time to 30 seconds.
<Sysname> system-view
[Sysname] interface ethernet 0/1
[Sysname-Ethernet0/1] mac-authentication timer auth-delay 30
Related commands
• display mac-authentication
• port-security port-mode
mac-authentication user-name-format
Use mac-authentication user-name-format to configure the type of user accounts for MAC authentication
users.
Use undo mac-authentication user-name-format to restore the default.
Syntax
mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ]
| mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
undo mac-authentication user-name-format
Default
Each user's MAC address is used as the username and password for MAC authentication, and letters
must be input in lower case without hyphens.
Views
System view
Default command level
2: System level
Parameters
fixed: Uses a shared account for all MAC authentication users.
account name: Specifies the username for the shared account. The name takes a case-insensitive string
of 1 to 55 characters. If no username is specified, the default name mac applies.
password: Specifies the password for the shared user account:
cipher: Sets a ciphertext password.
simple: Sets a plaintext password.
password: Specifies the password. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 63 characters. If cipher is specified, it must be a ciphertext string of 1 to 117 characters.
mac-address: Uses MAC-based user accounts for MAC authentication users. If this option is specified,
you must create one user account for each user, and use the MAC address of the user as both the
username and password for the account. You can also specify the format of username and password:
• with-hyphen—Hyphenates the MAC address, for example xx-xx-xx-xx-xx-xx.
• without-hyphen—Excludes hyphens from the MAC address, for example, xxxxxxxxxxxx.
• lowercase—Enters letters in lower case.
• uppercase—Capitalizes letters.
Usage guidelines
MAC authentication supports the following types of user account:
• One MAC-based user account for each user. A user can pass MAC authentication only when its
MAC address matches a MAC-based user account. This method is suitable for an insecure
environment.
• One shared user account for all users. Any user can pass MAC authentication on any MAC
authentication enabled port. You can use this method in a secure environment to limit network
resources accessible to MAC authentication users, for example, by assigning an authorized ACL or
VLAN for the shared account.
For security purposes, all passwords, including passwords configured in plain text, are saved in cipher
text to the configuration file.
Examples
# Configure a shared account for MAC authentication users: set the username as abc and password as
xyz, and display the password in plain text.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password simple xyz
# Configure a shared account for MAC authentication users: set the username as abc and password as
$c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg, and display the password in cipher text.
<Sysname> system-view
[Sysname] mac-authentication user-name-format fixed account abc password cipher
$c$3$Uu9Dh4xRKWa8RHW3TFnNTafBbhdPAg
# Use MAC-based user accounts for MAC authentication users, and each MAC address must be
hyphenated, and in upper case.
<Sysname> system-view
[Sysname] mac-authentication user-name-format mac-address with-hyphen uppercase
Related commands
display mac-authentication
Views
User view
Default command level
2: System level
Parameters
interface interface-list: Specifies a port list, in the format of { interface-type interface-number [ to
interface-type interface-number ] }&<1-10>, where &<1-10> indicates that you can specify up to 10 port
ranges. The start port and end port of a port range must be of the same type and the end port number
must be greater than the start port number. A port range defined without the to interface-type
interface-number option comprises only one port.
Usage guidelines
If no port list is specified, the command clears all global and port-specific MAC authentication statistics.
If a port list is specified, the command clears the MAC authentication statistics on the specified ports.
Examples
# Clear MAC authentication statistics on port Ethernet 1/1.
<Sysname> reset mac-authentication statistics interface ethernet 1/1
Related commands
display mac-authentication
Port security configuration commands
display port-security
Use display port-security to display port security configuration information, operation information, and
statistics for one or more ports.
Syntax
display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
interface interface-list: Specifies Ethernet ports by an Ethernet port list in the format of { interface-type
interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can
specify up to 10 ports or port ranges. The starting port and ending port of a port range must be of the
same type, and the ending port number must be greater than the starting port number.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If the interface interface-list parameter is not provided, the command displays port security information,
operation information, and status about all ports.
Examples
# Display port security configuration information, operation information, and statistics for all ports.
<Sysname> display port-security
Equipment port-security is enabled
Trap is enabled
AutoLearn aging time is 1 minutes
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 000d1a
Index is 2, OUI value is 003c12
GigabitEthernet1/1 is link-down
Port mode is userLoginWithOUI
NeedToKnow mode is NeedToKnowOnly
Intrusion Portection mode is disableport-temporarily
Max MAC address number is 50
Stored MAC address number is 0
Authorization is ignored
Security MAC address learning mode is sticky
Security MAC address aging type is absolute
GigabitEthernet1/2 is link-down
GigabitEthernet1/3 is link-down
Field | Description
Equipment port-security | Whether the port security is enabled or not.
AutoLearn aging time | Secure MAC aging timer. The timer applies to sticky or dynamic secure MAC addresses.
Disableport Timeout | Silence timeout period of the port that receives illegal packets, in seconds.
NeedToKnow mode | Need to know (NTK) mode, which can be one of the following modes:
• NeedToKnowOnly—Allows only unicast packets with authenticated destination MAC addresses.
• NeedToKnowWithBroadcast—Allows only unicast packets and broadcasts with authenticated destination MAC addresses.
• NeedToKnowWithMulticast—Allows unicast packets, multicasts and broadcasts with authenticated destination MAC addresses.
Intrusion mode | Intrusion protection action mode, which can be one of the following modes:
• BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.
• DisablePort—Shuts down the port that receives illegal packets permanently.
• DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.
• NoAction—Performs no intrusion protection.
Max MAC address number | Maximum number of MAC addresses that port security allows on the port.
Related commands
• port-security enable
• port-security port-mode
• port-security ntk-mode
• port-security intrusion-mode
• port-security max-mac-count
• port-security mac-address security
• port-security authorization ignore
• port-security oui
• port-security trap
Default command level
2: System level
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.
count: Displays only the count of the blocked MAC addresses.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
With no keyword or argument specified, the command displays information about all blocked MAC
addresses.
Examples
# Display information about all blocked MAC addresses.
<Sysname> display port-security mac-address block
MAC ADDR From Port VLAN ID
0002-0002-0002 Ethernet1/1 1
000d-88f8-0577 Ethernet1/1 1
# Display information about all blocked MAC addresses of port Ethernet 1/1.
<Sysname> display port-security mac-address block interface ethernet1/1
MAC ADDR From Port VLAN ID
000d-88f8-0577 Ethernet1/1 1
# Display information about all blocked MAC addresses of port Ethernet 1/1 in VLAN 1.
<Sysname> display port-security mac-address block interface ethernet 1/1 vlan 1
MAC ADDR From Port VLAN ID
000d-88f8-0577 Ethernet1/1 1
Field | Description
MAC ADDR | Blocked MAC address.
From Port | Port having received frames with the blocked MAC address being the source address.
Related commands
port-security intrusion-mode
Examples
# Display information about all secure MAC addresses.
<Sysname> display port-security mac-address security
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0002-0002-0002 1 Security Ethernet1/1 NOAGED
000d-88f8-0577 1 Security Ethernet1/1 NOAGED
# Display information about secure MAC addresses of port Ethernet 1/1 in VLAN 1.
<Sysname> display port-security mac-address security interface ethernet 1/1 vlan 1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000d-88f8-0577 1 Security Ethernet1/1 NOAGED
Field | Description
MAC ADDR | Secure MAC address.
AGING TIME(s) | Period of time before the secure MAC address ages out. "NOAGED" is displayed for secure MAC addresses.
Related commands
port-security mac-address security
display port-security preshared-key user
Use display port-security preshared-key user to display information about pre-shared key (PSK) users.
Syntax
display port-security preshared-key user [ interface interface-type interface-number ] [ | { begin |
exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If the interface interface-type interface-number parameters are not provided, the command displays
information about PSK users on all ports.
Examples
# Display information about PSK users on all ports.
<Sysname> display port-security preshared-key user
Index Mac-Address VlanID Interface
-----------------------------------------------------
0 0000-1122-3344 1 wlan-bss-1
1 0000-1133-2244 2 wlan-bss-2
Field | Description
Index | Index of the user.
port-security authorization ignore
Use port-security authorization ignore to configure a port to ignore the authorization information
received from the server (a RADIUS server or the local device).
Use undo port-security authorization ignore to restore the default.
Syntax
port-security authorization ignore
undo port-security authorization ignore
Default
A port uses the authorization information from the server.
Views
Ethernet interface view, WLAN-Ethernet interface view, WLAN-BSS interface view
Default command level
2: System level
Usage guidelines
After a user passes RADIUS or local authentication, the server performs authorization based on the
authorization attributes configured for the user's account. For example, it assigns a VLAN.
Examples
# Configure port GigabitEthernet 1/1 to ignore the authorization information from the authentication
server.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] port-security authorization ignore
Related commands
display port-security
port-security enable
Use port-security enable to enable port security.
Use undo port-security enable to disable port security.
Syntax
port-security enable
undo port-security enable
Default
Port security is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
You must disable global 802.1X and MAC authentication before you enable port security on a port.
Enabling or disabling port security resets the following security settings to the default:
• 802.1X access control mode is MAC-based, and the port authorization state is auto.
• Port security mode is noRestrictions.
You cannot disable port security when online users are present.
Examples
# Enable port security.
<Sysname> system-view
[Sysname] port-security enable
Related commands
• display port-security
• dot1x
• dot1x port-method
• dot1x port-control
• mac-authentication
port-security intrusion-mode
Use port-security intrusion-mode to configure the intrusion protection feature so that the port takes the
pre-defined actions when intrusion protection is triggered on the port.
Use undo port-security intrusion-mode to restore the default.
Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode
Default
Intrusion protection is disabled.
Views
Layer 2 Ethernet interface view, WLAN-BSS interface view
Default command level
2: System level
Parameters
blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and
discards frames with blocked source MAC addresses. This implements illegal traffic filtering on the port.
A blocked MAC address is restored to normal after being blocked for 3 minutes, which is fixed and
cannot be changed. To view the blocked MAC address list, use the display port-security mac-address
block command.
disableport: Disables the port permanently upon detecting an illegal frame received on the port. This
keyword is supported only on Layer 2 Ethernet interfaces.
disableport-temporarily: Disables the port for a specific period of time whenever it receives an illegal
frame. Use port-security timer disableport to set the period.
Usage guidelines
To restore the connection of the port, use the undo shutdown command.
Examples
# Configure port GigabitEthernet 1/1 to block the source MAC addresses of illegal frames after intrusion
protection is triggered.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] port-security intrusion-mode blockmac
Related commands
• display port-security
• display port-security mac-address block
• port-security timer disableport
Related commands
• port-security timer autolearn aging
• port-security mac-address dynamic
Related commands
• display port-security mac-address security
• mac-address dynamic
Syntax
In Layer 2 Ethernet interface view:
port-security mac-address security [ sticky ] mac-address vlan vlan-id
undo port-security mac-address security [ sticky ] mac-address vlan vlan-id
In system view:
port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan
vlan-id
undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ]
vlan vlan-id ]
Default
No secure MAC address entry is configured.
Views
Layer 2 Ethernet interface view, system view
Default command level
2: System level
Parameters
sticky: Specifies a sticky MAC address. If you do not provide this keyword, the command configures a
static secure MAC address.
mac-address: Secure MAC address, in the H-H-H format.
interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number.
vlan vlan-id: Specifies the VLAN that has the secure MAC address. The vlan-id argument represents the
ID of the VLAN, in the range of 1 to 4094. Make sure you have assigned the Layer 2 port to the specified
VLAN.
Usage guidelines
Secure MAC addresses are MAC addresses configured or learned in autoLearn mode. They can survive
link down/up events, and once saved, can survive a device reboot. You can bind a MAC address to only
one port in a VLAN.
When a port is operating in autoLearn mode, you can add important or frequently used MAC addresses
as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication
failure.
Static secure MAC addresses never age out unless you remove them by using the undo port-security
mac-address security command, changing the port security mode, or disabling the port security feature.
Sticky MAC addresses can be manually configured or automatically learned in autoLearn mode. Sticky
MAC addresses do not age out by default. You can use the port-security timer autolearn aging
command to set an aging timer for them. When the timer expires, the sticky MAC addresses are
removed.
You cannot change the type of a secure address entry that has been added or add two entries that are
identical except for their entry type. For example, you cannot add the port-security mac-address security
sticky 1-1-1 vlan 10 entry when a port-security mac-address security 1-1-1 vlan 10 entry exists. To add the
new entry, you must delete the old entry.
To enable port security on a port, use the port-security enable command, and to set the port in autoLearn
mode, use the port-security port-mode autolearn command.
When the dynamic secure MAC function is enabled (using the port-security mac-address dynamic
command), you cannot manually configure sticky MAC addresses.
Examples
# Enable port security, set port GigabitEthernet 1/1 in autoLearn mode, and add a static secure MAC
address 0001-0001-0002 in VLAN 10.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] port-security max-mac-count 100
[Sysname-GigabitEthernet1/1] port-security port-mode autolearn
[Sysname-GigabitEthernet1/1] quit
[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 1/1
vlan 10
# Enable port security, set port GigabitEthernet 1/1 in autoLearn mode, and add a static secure MAC
address 0001-0002-0003 in VLAN 4 in interface view.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] port-security max-mac-count 100
[Sysname-GigabitEthernet1/1] port-security port-mode autolearn
[Sysname-GigabitEthernet1/1] port-security mac-address security 0001-0002-0003 vlan 4
Related commands
• display port-security
• port-security timer autolearn aging
port-security max-mac-count
Use port-security max-mac-count to set the maximum number of MAC addresses that port security allows
on a port.
Use undo port-security max-mac-count to restore the default setting.
Syntax
port-security max-mac-count count-value
undo port-security max-mac-count
Default
Port security has no limit on the number of MAC addresses on a port.
Views
Ethernet interface view, WLAN-Ethernet interface view, WLAN-BSS interface view
Default command level
2: System level
Parameters
count-value: Specifies the maximum number of MAC addresses that port security allows on the port. The
value range is 1 to 1024.
Usage guidelines
In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured
and automatically learned) on the port.
In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum
number of authenticated MAC addresses on the port. The actual maximum number of concurrent users
that the port accepts equals this limit or the authentication method's limit on the number of concurrent
users, whichever is smaller. For example, in userLoginSecureExt mode, if 802.1X allows less concurrent
users than port security's limit on the number of MAC addresses, port security's limit takes effect.
You cannot change port security's limit on the number of MAC addresses when the port is operating in
autoLearn mode or is a wireless port that has online users.
Examples
# Set port security's limit on the number of MAC addresses to 100 on port GigabitEthernet 1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] port-security max-mac-count 100
Related commands
display port-security
port-security ntk-mode
Use port-security ntk-mode to configure the NTK feature.
Use undo port-security ntk-mode to restore the default.
Syntax
port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }
undo port-security ntk-mode
Default
NTK is disabled on a port and all frames are allowed to be sent.
Views
Ethernet interface view, WLAN-BSS interface view
Default command level
2: System level
Parameters
ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination
MAC addresses.
ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with
authenticated destination MAC addresses.
ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.
Usage guidelines
The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow
frames to be sent to only devices passing authentication, preventing illegal devices from intercepting
network traffic.
If a wireless port has online users, you cannot change its NTK settings.
The following matrix shows the command and router compatibility:
Examples
# Set the NTK mode of port GigabitEthernet 1/1 to ntkonly, allowing the port to forward received
packets to only devices passing authentication.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] port-security ntk-mode ntkonly
Related commands
display port-security
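The following Python is an added example (not Comware code) that models the two port-security checks described in the port-security intrusion-mode and port-security ntk-mode sections above: inbound frames are held back while the port is shut down or while the source MAC sits on the blocked list (blockmac keeps it there for the fixed 3 minutes), and outbound frames are filtered by destination MAC according to the NTK mode. The class name, method names and the use of the I/G bit to tell multicast from unicast are assumptions of the example; the 20-second disableport timeout is the value shown in the display port-security output above.

```python
from dataclasses import dataclass, field
from typing import Optional

BLOCKMAC_HOLD_SECONDS = 180  # blockmac keeps an address blocked for a fixed 3 minutes


def frame_kind(dst_hhh):
    """Classify a destination MAC (H-H-H notation) as broadcast, multicast or unicast.

    Multicast is recognised by the I/G bit, the least significant bit of the
    first octet; the all-ones address is broadcast.
    """
    raw = bytes.fromhex(dst_hhh.replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {dst_hhh!r}")
    if raw == b"\xff" * 6:
        return "broadcast"
    return "multicast" if raw[0] & 1 else "unicast"


@dataclass
class SecurePort:
    """Hypothetical model of one port-security port (added example, not device code)."""
    ntk_mode: Optional[str] = None         # None, ntkonly, ntk-withbroadcasts, ntk-withmulticasts
    intrusion_mode: Optional[str] = None   # None, blockmac, disableport, disableport-temporarily
    disableport_timeout: int = 20          # port-security timer disableport, 20 s as in the output above
    authenticated: set = field(default_factory=set)    # MACs that passed authentication
    blocked_until: dict = field(default_factory=dict)  # blocked MAC -> time its block expires
    disabled_until: Optional[float] = None             # inf while disableport holds the port down

    def on_illegal_frame(self, src_hhh, now):
        """Apply the configured intrusion protection action; returns the action taken."""
        if self.intrusion_mode == "blockmac":
            self.blocked_until[src_hhh] = now + BLOCKMAC_HOLD_SECONDS
        elif self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disableport_timeout
        return self.intrusion_mode or "no action"

    def undo_shutdown(self):
        """Restore a port shut down by disableport (the page's undo shutdown)."""
        self.disabled_until = None

    def accepts_inbound(self, src_hhh, now):
        """False while the port is down or the source MAC is still on the blocked list."""
        if self.disabled_until is not None and now < self.disabled_until:
            return False
        return now >= self.blocked_until.get(src_hhh, 0)

    def forwards_outbound(self, dst_hhh):
        """NTK check of an outbound frame's destination MAC for the configured mode."""
        if self.ntk_mode is None:
            return True                               # NTK disabled: all frames are sent
        kind = frame_kind(dst_hhh)
        if kind == "unicast":
            return dst_hhh in self.authenticated
        if kind == "broadcast":
            return self.ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
        return self.ntk_mode == "ntk-withmulticasts"  # multicast

    def blocked_list(self, now):
        """The still-blocked MACs that display port-security mac-address block would list."""
        return sorted(m for m, t in self.blocked_until.items() if now < t)
```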
port-security oui
Use port-security oui to configure an OUI value for user authentication.
Use undo port-security oui to delete the OUI value with the specified OUI index.
Syntax
port-security oui oui-value index index-value
undo port-security oui index index-value
Default
No OUI value is configured.
Views
System view
Default command level
2: System level
Parameters
oui-value: Specifies an organizationally unique identifier (OUI) string, a 48-bit MAC address in the
H-H-H format. The system uses only the 24 high-order bits as the OUI value.
index-value: Specifies the OUI index in the range of 1 to 16.
Usage guidelines
An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device
vendor. Use this command when you configure a device to allow packets from certain wired devices to
pass authentication or to allow packets from certain wireless devices to initiate authentication. For
example, when a company allows only IP phones of vendor A in the Intranet, use this command to set the
OUI of vendor A.
Examples
# Configure an OUI value of 000d2a, setting the index to 4.
<Sysname> system-view
[Sysname] port-security oui 000d-2a10-0033 index 4
Related commands
display port-security
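The following Python is an added example (not Comware code) covering two MAC-handling rules documented above: the username and password formats that mac-authentication user-name-format mac-address produces for a MAC-based account (hyphen and case options, lower case without hyphens by default), and the way port-security oui keeps only the 24 high-order bits of an H-H-H address as the OUI under an index from 1 to 16. The function names and the OuiTable class are assumptions of the example.

```python
import re

# H-H-H notation as used throughout the page, e.g. 000d-2a10-0033
_HHH = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


def mac_bytes(mac_hhh):
    """Parse an H-H-H MAC address into its 6 bytes, rejecting anything else."""
    if not _HHH.match(mac_hhh):
        raise ValueError(f"not an H-H-H MAC address: {mac_hhh!r}")
    return bytes.fromhex(mac_hhh.replace("-", ""))


def mac_auth_username(mac_hhh, with_hyphen=False, uppercase=False):
    """Return the username (which is also the password) for a MAC-based account.

    The default, with no keyword, is lower case without hyphens; with-hyphen
    yields the xx-xx-xx-xx-xx-xx form (six groups), not the H-H-H form.
    """
    octets = [f"{b:02x}" for b in mac_bytes(mac_hhh)]
    name = "-".join(octets) if with_hyphen else "".join(octets)
    return name.upper() if uppercase else name


def oui_of(mac_hhh):
    """OUI = the 24 high-order bits of the address, as six hex digits (e.g. 000d2a)."""
    return mac_bytes(mac_hhh)[:3].hex()


class OuiTable:
    """Model of port-security oui: entries under index 1 to 16, each holding one OUI."""

    def __init__(self):
        self.entries = {}   # index -> OUI string

    def add(self, mac_hhh, index):
        """port-security oui oui-value index index-value"""
        if not 1 <= index <= 16:
            raise ValueError("OUI index must be 1 to 16")
        self.entries[index] = oui_of(mac_hhh)

    def remove(self, index):
        """undo port-security oui index index-value"""
        self.entries.pop(index, None)

    def matches(self, mac_hhh):
        """Return the lowest index whose OUI equals the vendor prefix of mac_hhh, else None."""
        oui = oui_of(mac_hhh)
        for index, value in sorted(self.entries.items()):
            if value == oui:
                return index
        return None
```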
port-security port-mode
Use port-security port-mode to set the port security mode of a port.
Use undo port-security port-mode to restore the default.
Syntax
port-security port-mode { autolearn | mac-and-psk | mac-authentication | mac-else-userlogin-secure
| mac-else-userlogin-secure-ext | psk | secure | userlogin | userlogin-secure | userlogin-secure-ext |
userlogin-secure-ext-or-psk | userlogin-secure-or-mac | userlogin-secure-or-mac-ext |
userlogin-withoui }
undo port-security port-mode
Default
A port operates in noRestrictions mode, where port security does not take effect.
Views
Interface view
Default command level
2: System level
Parameters
Keyword | Security mode | Description
mac-authentication | macAddressWithRadius | In this mode, a port performs MAC authentication for users and services multiple users.
userlogin-secure-or-mac-ext | macAddressOrUserLoginSecureExt | Similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
Usage guidelines
To change the security mode of a port security enabled port, you must set the port in noRestrictions mode
first. When the port has online users, you cannot change port security mode.
IMPORTANT:
If you are configuring the autoLearn mode, first set port security's limit on the number of MAC addresses
by using the port-security max-mac-count command. You cannot change the setting when the port is
operating in autoLearn mode.
When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change
the access control mode or port authorization state. The port security automatically modifies these
settings in different security modes.
The support of ports for security modes varies:
• The presharedKey, macAddressAndPresharedKey, and userLoginSecureExtOrPresharedKey modes
apply to only WLAN-BSS and WLAN-Ethernet ports.
• The autoLearn, secure, userLogin, and userloginWithOUI modes apply to only Layer 2 Ethernet
ports.
Table 16 Port security modes supported by different types of ports
The following matrix shows the autoLearn, secure, and userLogin modes on Layer 2 Ethernet ports and
router compatibility:
Keyword MSR900 MSR93X MSR20-1X MSR20 MSR30 MSR50 MSR1000
autolearn No No No No Only available on MSR30-11E and MSR30-11F routers No No
secure No No No No Only available on MSR30-11E and MSR30-11F routers No No
Examples
# Enable port security and set port GigabitEthernet 1/1 in secure mode.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] port-security port-mode secure
Related commands
display port-security
Parameters
time-value: Sets the aging timer in minutes for secure MAC addresses. The value is in the range of 0 to
129600. To disable the aging timer, set the timer to 0.
Examples
# Set the secure MAC aging timer to 30 minutes.
<Sysname> system-view
[Sysname] port-security timer autolearn aging 30
Related commands
• display port-security
• port-security mac-address security
port-security preshared-key
Use port-security preshared-key to configure a PSK.
Use undo port-security preshared-key to remove the PSK.
Syntax
port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key
undo port-security preshared-key
Default
No PSK is configured.
Views
WLAN-BSS interface view, WLAN-Ethernet interface view
Default command level
2: System level
Parameters
pass-phrase: Enters a PSK in the form of a character string.
raw-key: Enters a PSK in the form of a hexadecimal number.
cipher: Sets a ciphertext PSK.
simple: Sets a plaintext PSK.
key: Specifies the PSK. This argument is case sensitive. If simple is specified, it must be a
non-hexadecimal string of 8 to 63 characters or a 64-character hexadecimal string. If cipher is specified,
it must be a ciphertext string of 8 to 117 characters. If neither cipher nor simple is specified, you set a
plaintext key string.
• The cipher key option specifies an encrypted PSK, which is displayed in cipher text. You can input
a character or hexadecimal string of 12, 24, 32, 44, 64, 76, 88, or 96 characters for the key
argument.
• The simple key option specifies a plaintext PSK, which is displayed in plain text. You can input a
character string of 8 to 63 displayable characters or a hexadecimal string of 64 characters for the
key argument.
• If neither cipher nor simple is specified, you set a plaintext key that is displayed in cipher text. The
key can be a character string of 8 to 63 displayable characters or a hexadecimal string of 64
characters.
• For security purposes, all PSKs, including PSKs configured in plain text, are saved in cipher text to
the configuration file. Because the device must recover the PSK to use it, this cipher text is reversible
encryption rather than a one-way hash; protect saved configuration files and their backups accordingly.
Examples
# Configure the plaintext PSK abcdefgh on port WLAN-BSS 1.
<Sysname> system-view
[Sysname] interface wlan-bss 1
[Sysname-WLAN-BSS1] port-security preshared-key pass-phrase simple abcdefgh
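The following is an added example, not Comware code, that applies the key-length rules above and shows how the two key forms relate: a pass phrase (8 to 63 displayable characters) is expanded by the standard IEEE 802.11i PBKDF2 step into the 256-bit pairwise master key, which is what a 64-hexadecimal-character raw key carries directly. That Comware's raw-key form is exactly this PMK is an assumption; so is the use of printable ASCII as the set of "displayable characters". The "password"/"IEEE" pair is the published IEEE 802.11i test vector, and "abcdefgh" is the pass phrase from the example above.

```python
"""Added example (not Comware code): checks a PSK against the length rules
in the parameter description above and derives the WPA/WPA2 PMK from a
pass phrase.  The PBKDF2 step is the IEEE 802.11i PSK-to-PMK mapping; that
Comware's 64-hex-character raw-key form carries exactly this PMK is an
assumption.  "Displayable characters" is approximated by printable ASCII."""
import hashlib
import string
from typing import Tuple

HEX_DIGITS = set(string.hexdigits)
# Assumption: displayable characters are printable ASCII minus control
# whitespace (tab, newline, etc.).  Space is kept.
DISPLAYABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def classify_psk(key: str) -> str:
    """Return "raw-key" for a 64-character hexadecimal key, "pass-phrase" for
    an 8 to 63 character displayable string; otherwise raise ValueError.
    These are the bounds the manual gives for the simple and unmarked forms."""
    if len(key) == 64 and all(c in HEX_DIGITS for c in key):
        return "raw-key"
    if 8 <= len(key) <= 63 and all(c in DISPLAYABLE for c in key):
        return "pass-phrase"
    raise ValueError(
        "PSK must be 8 to 63 displayable characters or 64 hexadecimal characters"
    )


def derive_pmk(passphrase: str, ssid: str) -> str:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    returned as the 64 hexadecimal characters a raw key would carry."""
    if classify_psk(passphrase) != "pass-phrase":
        raise ValueError("derive_pmk expects a pass phrase, not a raw key")
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return pmk.hex()


def psk_report(key: str, ssid: str) -> Tuple[str, str]:
    """Classify `key`; for a pass phrase also return the PMK it expands to,
    which is the value an attacker holding a captured 4-way handshake
    brute-forces offline."""
    form = classify_psk(key)
    pmk = derive_pmk(key, ssid) if form == "pass-phrase" else key.lower()
    return form, pmk


if __name__ == "__main__":
    # "password"/"IEEE" is the IEEE 802.11i published test vector.
    print(psk_report("password", "IEEE"))
    # The 8-character pass phrase from the example above is in spec but weak.
    print(psk_report("abcdefgh", "corp-wlan"))
```

The derivation uses only 4096 SHA-1 iterations and depends on nothing but the pass phrase and the SSID, so the 8-character minimum the syntax enforces is a floor, not a recommendation: short or dictionary pass phrases can be recovered offline from one captured handshake. A 64-character raw key sidesteps the pass-phrase weakness but must then be distributed and stored with the same care as the configuration file that holds it.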
Examples
# Configure the intrusion protection policy as disabling the port temporarily whenever it receives an
illegal frame and set the silence period to 30 seconds.
<Sysname> system-view
[Sysname] port-security timer disableport 30
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] port-security intrusion-mode disableport-temporarily
Related commands
display port-security
port-security trap
Use port-security trap to enable port security traps.
Use undo port-security trap to disable port security traps.
Syntax
port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion |
ralmlogfailure | ralmlogoff | ralmlogon }
undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion |
ralmlogfailure | ralmlogoff | ralmlogon }
Default
Port security traps are disabled.
Views
System view
Default command level
2: System level
Parameters
addresslearned: Enables MAC address learning traps. The port security module sends traps when a port
learns a new MAC address.
dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when
an 802.1X authentication fails.
dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an
802.1X authentication is passed.
dot1xlogoff: Enables 802.1X user logoff event traps. The port security module sends traps when an
802.1X user is logged off.
intrusion: Enables intrusion traps. The port security module sends traps when it detects illegal frames.
ralmlogfailure: Enables MAC authentication failure traps. The port security module sends traps when a
MAC authentication fails.
ralmlogoff: Enables MAC authentication user logoff traps. The port security module sends traps when a
MAC authentication user is logged off.
ralmlogon: Enables MAC authentication success traps. The port security module sends traps when a
MAC authentication is passed.
NOTE:
RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC
address.
Usage guidelines
You can enable certain port security traps for monitoring user behaviors.
Examples
# Enable MAC address learning traps.
<Sysname> system-view
[Sysname] port-security trap addresslearned
Related commands
display port-security
IPsec configuration commands
The MSR series routers support ACL-based IPsec in either standard or aggregation data flow protection
mode.
The following matrix shows the FIPS and hardware compatibility:
Hardware FIPS mode supported
MSR93X No
MSR20-1X No
MSR20 Yes
MSR50 Yes
MSR1000 Yes
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to restore the default.
Syntax
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha2-256 } *
undo ah authentication-algorithm
Default
In FIPS mode, MD5 is not supported, and AH uses SHA-1 for authentication.
In non-FIPS mode, no authentication algorithm is specified.
Views
IPsec transform set view
Default command level
2: System level
Parameters
aes-xcbc-mac: Uses the AES-XCBC-MAC algorithm.
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha2-256: Uses the SHA2-256 algorithm.
Usage guidelines
You must use the transform command to specify the AH security protocol or both AH and ESP before you
specify authentication algorithms for AH.
Examples
# Configure IPsec transform set prop1 to use AH and SHA1.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] transform ah
[Sysname-ipsec-transform-set-prop1] ah authentication-algorithm sha1
Related commands
• ipsec transform-set
• transform
connection-name
Use connection-name to configure an IPsec connection name. This name functions only as a description
of the IPsec policy.
Use undo connection-name to restore the default.
Syntax
connection-name name
undo connection-name
Default
No IPsec connection name is configured.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
name: Specifies an IPsec connection name, a case-insensitive string of 1 to 32 characters.
Example
# Set IPsec connection name to CenterToA.
<Sysname> system-view
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] connection-name CenterToA
cryptoengine enable
Use cryptoengine enable to enable the encryption engine.
Use undo cryptoengine enable to disable the encryption engine.
Syntax
cryptoengine enable
undo cryptoengine enable
Default
The encryption engine is enabled.
Views
System view
Default command level
2: System level
Examples
# Enable the encryption engine.
<Sysname> system-view
[Sysname] cryptoengine enable
Examples
# Display brief information about all IPsec policies.
<Sysname> display ipsec policy brief
IPsec Policy Name Mode ACL IKE Peer Name Mapped Template
------------------------------------------------------------------------
bbbbbbbbbbbbbbb-1 template aaaaaaaaaaaaaaa
man-1 manual 3400
map-1 isakmp 3000 peer
nat-1 isakmp 3500 nat
test-1 isakmp 3200 test
toccccc-1 isakmp 3003 tocccc
Field Description
IPsec Policy Name Name and sequence number of the IPsec policy separated by hyphen.
------------------------------------
IPsec policy name: "policy_isakmp"
sequence number: 10
acl version: ACL4
mode: isakmp
-------------------------------------
encapsulation mode: tunnel
security data flow : 3000
selector mode: standard
ike-peer name: per
PFS: N
transform-set name: prop1
synchronization inbound anti-replay-interval: 1000 packets
synchronization outbound anti-replay-interval: 10000 packets
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
policy enable: True
tfc enable: False
===========================================
IPsec Policy Group: "policy_man"
Interface: Ethernet1/2
===========================================
-----------------------------------------
IPsec policy name: "policy_man"
sequence number: 10
acl version: ACL4
mode: manual
-----------------------------------------
encapsulation mode: tunnel
security data flow : 3002
tunnel local address: 162.105.10.1
tunnel remote address: 162.105.10.2
transform-set name: prop1
inbound AH setting:
AH spi: 12345 (0x3039)
AH string-key:
AH authentication hex key : ******
inbound ESP setting:
ESP spi: 23456 (0x5ba0)
ESP string-key:
ESP encryption hex key: ******
ESP authentication hex key: ******
outbound AH setting:
AH spi: 54321 (0xd431)
AH string-key:
AH authentication hex key: ******
outbound ESP setting:
ESP spi: 65432 (0xff98)
ESP string-key:
ESP encryption hex key: ******
ESP authentication hex key: ******
===========================================
IPsec Policy Group: "manual"
Interface:
Protocol: OSPFv3, RIPng, BGP
===========================================
-----------------------------
IPsec policy name: "policy001"
sequence number: 10
acl version: None
mode: manual
-----------------------------
encapsulation mode: tunnel
security data flow :
tunnel local address:
tunnel remote address:
transform-set name: prop1
inbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
inbound ESP setting:
ESP spi: 23456 (0x5ba0)
ESP string-key:
ESP encryption hex key: ******
ESP authentication hex key: ******
outbound AH setting:
AH spi:
AH string-key:
AH authentication hex key:
outbound ESP setting:
ESP spi: 23456 (0x5ba0)
ESP string-key:
ESP encryption hex key: ******
ESP authentication hex key: ******
===========================================
IPsec Policy Group: "gdoi-map"
Interface: Ethernet1/1
===========================================
------------------------------------
IPsec policy name: " gdoi-map "
sequence number: 10
mode: gdoi
-------------------------------------
group name :gdoi-group
Field Description
security data flow ACL referenced by the IPsec policy.
Interface Interface to which the IPsec policy is applied.
acl version ACL version: ACL4 for an IPv4 ACL, ACL6 for an IPv6 ACL. If no ACL is referenced, this field displays None.
Related commands
ipsec policy (system view)
Syntax
display ipsec policy-template [ brief | name template-name [ seq-number ] ] [ | { begin | exclude |
include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec policy templates.
name: Displays detailed information about a specified IPsec policy template or IPsec policy template
group.
template-name: Specifies the name of the IPsec policy template, a string of 1 to 41 characters.
seq-number: Specifies the sequence number of the IPsec policy template, in the range of 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays detailed information about all IPsec policy
templates.
If you specify the name template-name option without the seq-number argument, the command
displays information about the specified IPsec policy template group.
Examples
# Display brief information about all IPsec policy templates.
<Sysname> display ipsec policy-template brief
Policy-template-Name acl Remote-Address
------------------------------------------------------
test-tplt300 2200
Field Description
Policy-template-Name Name and sequence number of the IPsec policy template separated by hyphen.
===============================================
IPsec Policy Template Group: "test"
===============================================
---------------------------------
Policy template name: "test"
sequence number: 1
---------------------------------
encapsulation mode: tunnel
security data flow :
ACL’s Version: acl4
ike-peer name: per
PFS: N
transform-set name: testprop
synchronization inbound anti-replay-interval: 1000 packets
synchronization outbound anti-replay-interval: 10000 packets
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
Field Description
encapsulation mode Mode in which IPsec encapsulates IP packets: tunnel or transport.
ACL’s Version ACL version: acl4 for an IPv4 ACL, acl6 for an IPv6 ACL.
ike-peer name IKE peer referenced by the IPsec policy template.
transform-set name IPsec transform set referenced by the IPsec policy template.
IPsec sa local duration(time based) Time-based lifetime of the IPsec SAs at the local end.
IPsec sa local duration(traffic based) Traffic-based lifetime of the IPsec SAs at the local end.
Related commands
ipsec policy-template
Views
Any view
Default command level
1: Monitor level
Parameters
name profile-name: Displays the configuration information of an IPsec profile. The profile-name
argument specifies the name of the IPsec profile and is a case-insensitive string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays the configuration information of all IPsec
profiles.
Example
# Display the configuration of all IPsec profiles.
<Sysname> display ipsec profile
===========================================
IPsec profile: "2"
Interface: Tunnel2
===========================================
-----------------------------
IPsec profile name: "2"
mode: dvpn
-----------------------------
encapsulation mode: tunnel
security data flow :
ike-peer name: peer1
PFS: Y, DH group: 2
transform-set name: prop1
synchronization inbound anti-replay-interval: 1000 packets
synchronization outbound anti-replay-interval: 10000 packets
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
policy enable: True
tfc enable: False
===========================================
IPsec profile: "btoa"
Interface: Tunnel1
===========================================
-----------------------------
IPsec profile name: "btoa"
mode: tunnel
-----------------------------
encapsulation mode: tunnel
security data flow :
ike-peer name: btoa
PFS: N
transform-set name: method1
synchronization inbound anti-replay-interval: 1000 packets
synchronization outbound anti-replay-interval: 10000 packets
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
policy enable: True
tfc enable: False
Field Description
Interface Interface that references the IPsec profile.
Related commands
ipsec profile
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ brief | policy policy-name [ seq-number ] | remote ip-address ] [ | { begin | exclude
| include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec SAs.
policy: Displays detailed information about IPsec SAs created by using a specified IPsec policy.
policy-name: Specifies the name of the IPsec policy, a string of 1 to 15 characters.
seq-number: Specifies the sequence number of the IPsec policy, in the range of 1 to 65535.
remote ip-address: Displays detailed information about the IPsec SA with a specified remote address.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays information about all IPsec SAs.
Examples
# Display brief information about all IPsec SAs.
<Sysname> display ipsec sa brief
total phase-2 IPv4 SAs: 0
Src Address Dst Address SPI Protocol Algorithm
--------------------------------------------------------
10.1.1.1 10.1.1.2 300 ESP E:DES;
A:HMAC-MD5-96
10.1.1.2 10.1.1.1 400 ESP E:DES;
A:HMAC-MD5-96
total phase-2 IPv6 SAs: 0
Src Address Dst Address SPI Protocol Algorithm
--------------------------------------------------------
Table 22 Command output
Field Description
Src Address Local IP address. If the address is not applicable, this field displays an em dash (—).
Dst Address Remote IP address. If the address is not applicable, this field displays an em dash (—).
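The brief listing above is the quickest place to spot SAs that were negotiated with algorithms a current deployment should no longer accept (the sample shows DES with HMAC-MD5-96). The following is an added example, not Comware code, that parses that column layout, tolerates the wrapped algorithm field, and reports weak or missing algorithms. The sample input is constructed: it reuses the manual's two DES/MD5 entries and adds one AES/SHA1 entry whose algorithm spellings (AES-CBC-256, HMAC-SHA1-96) are assumed rather than taken from the manual.

```python
"""Added example (not Comware code): parses `display ipsec sa brief` output
in the layout shown above and flags SAs that use weak ciphers or MACs, or
ESP without any integrity algorithm.  SAMPLE_OUTPUT is constructed; the
AES/SHA1 spellings in it are assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_OUTPUT = """\
total phase-2 IPv4 SAs: 3
Src Address Dst Address SPI Protocol Algorithm
--------------------------------------------------------
10.1.1.1 10.1.1.2 300 ESP E:DES;
A:HMAC-MD5-96
10.1.1.2 10.1.1.1 400 ESP E:DES;
A:HMAC-MD5-96
10.1.1.1 10.1.1.3 500 ESP E:AES-CBC-256;
A:HMAC-SHA1-96
total phase-2 IPv6 SAs: 0
Src Address Dst Address SPI Protocol Algorithm
--------------------------------------------------------
"""

WEAK_ENCRYPTION = {"DES", "3DES"}   # 56-bit key; 64-bit block (Sweet32)
WEAK_INTEGRITY = {"HMAC-MD5-96"}

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(AH|ESP)\b\s*(.*)$")


@dataclass
class SaEntry:
    src: str
    dst: str
    spi: int
    protocol: str
    encryption: Optional[str] = None
    integrity: Optional[str] = None

    def absorb(self, algs: str) -> None:
        """Pick up E:/A: tokens; the listing may wrap them onto a second line."""
        for token in algs.replace(";", " ").split():
            if token.startswith("E:"):
                self.encryption = token[2:]
            elif token.startswith("A:"):
                self.integrity = token[2:]


def parse_sa_brief(text: str) -> List[SaEntry]:
    entries: List[SaEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("total", "Src Address", "---")):
            continue
        m = ROW_RE.match(line)
        if m:
            src, dst, spi, proto, algs = m.groups()
            entries.append(SaEntry(src, dst, int(spi), proto))
            entries[-1].absorb(algs)
        elif entries:
            entries[-1].absorb(line)   # continuation of the previous row
    return entries


def weak_sas(entries: List[SaEntry]) -> List[Tuple[SaEntry, List[str]]]:
    """Return (entry, reasons) for every SA with a weak cipher or MAC, or an
    ESP SA that carries no integrity algorithm at all (encryption-only ESP)."""
    findings = []
    for e in entries:
        reasons = []
        if e.protocol == "ESP" and e.encryption in WEAK_ENCRYPTION:
            reasons.append(f"weak encryption {e.encryption}")
        if e.integrity is None:
            reasons.append("no integrity protection")
        elif e.integrity in WEAK_INTEGRITY:
            reasons.append(f"weak integrity {e.integrity}")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in weak_sas(parse_sa_brief(SAMPLE_OUTPUT)):
        print(f"{entry.src} -> {entry.dst} SPI {entry.spi}: {', '.join(reasons)}")
```

Encryption-only ESP is flagged because the non-FIPS mode described later in this chapter allows it, and an ESP SA with no integrity check is open to ciphertext tampering. Run the audit against the saved output of each router rather than against the configured transform sets: the SA listing shows what was actually negotiated with the peer.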
tunnel-id : 3
session idle time/total duration (sec) : 36/300
------------------------------------------------------------
tunnel-id : 4
session idle duration/total duration (sec) : 7/300
Field Description
total sessions Total number of IPsec sessions.
total duration Lifetime of the IPsec session in seconds, defaulted to 300 seconds.
Protocol Protocol number of the IPsec protected data flow, for example, 1 for ICMP.
Related commands
reset ipsec session
display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
tunnel-id integer: Specifies an IPsec tunnel by its ID in the range of to 2000000000.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays the statistics for all IPsec packets.
Examples
# Display statistics on all IPsec packets.
<Sysname> display ipsec statistics
the security packet statistics:
input/output security packets: 47/62
input/output security bytes: 3948/5208
input/output dropped security packets: 0/45
dropped security packet detail:
not enough memory: 0
can't find SA: 45
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
ACL check failure: 0
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
not enough memory: 0
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
ACL check failure: 0
Field Description
Connection ID ID of the tunnel.
input/output security packets Counts of inbound and outbound IPsec protected packets.
input/output security bytes Counts of inbound and outbound IPsec protected bytes.
packet too long Number of packets dropped due to excessive packet length.
ACL check failure Number of packets dropped due to ACL check failure.
Related commands
reset ipsec statistics
Default command level
1: Monitor level
Parameters
transform-set-name: Specifies the name of an IPsec transform set, a string of 1 to 32 characters. If you do
not specify an IPsec transform set, the command displays information about all IPsec transform sets.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
<Sysname> display ipsec transform-set
IPsec transform-set name: tran1
encapsulation mode: tunnel
transform: esp-new
ESP protocol:
Integrity: md5-hmac-96
Encryption: des
IPsec transform-set name: tran2
encapsulation mode: transport
transform: esp-new
ESP protocol:
Integrity: md5-hmac-96
Encryption: des
Field Description
IPsec transform-set name Name of the IPsec transform set.
encapsulation mode Encapsulation mode used by the IPsec transform set, transport or tunnel.
transform Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH.
Related commands
ipsec transform-set
display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays information about all IPsec tunnels.
Examples
# Display information about IPsec tunnels.
<Sysname> display ipsec tunnel
total tunnel : 2
------------------------------------------------
connection id: 3
perfect forward secrecy:
SA's SPI:
inbound: 187199087 (0xb286e6f) [ESP]
outbound: 3562274487 (0xd453feb7) [ESP]
tunnel:
local address: 44.44.44.44
remote address : 44.44.44.55
flow:
sour addr : 44.44.44.0/255.255.255.0 port: 0 protocol : IP
dest addr : 44.44.44.0/255.255.255.0 port: 0 protocol : IP
current Encrypt-card:
------------------------------------------------
connection id: 5
perfect forward secrecy:
SA's SPI:
inbound: 12345 (0x3039) [ESP]
outbound: 12345 (0x3039) [ESP]
tunnel:
flow:
current Encrypt-card:
Field Description
connection id Connection ID, used to uniquely identify an IPsec tunnel.
as defined in acl 3001 The IPsec tunnel protects all data flows defined by ACL 3001.
current Encrypt-card Encryption card interface used by the current tunnel. This field is not displayed if no encryption card interface is used.
encapsulation-mode
Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP
packets.
Use undo encapsulation-mode to restore the default.
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
Default
A security protocol encapsulates IP packets in tunnel mode.
Views
IPsec transform set view, IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
transport: Uses transport mode.
tunnel: Uses tunnel mode.
Usage guidelines
IPsec for IPv6 routing protocols supports only the transport mode.
When IPsec uses IKEv1, this command can be used only in IPsec transform set view, and its related
commands include only ipsec transform-set.
When IPsec uses IKEv2, this command can be used only in IPsec policy view, IPsec policy template view,
and IPsec profile view, and its related commands include ipsec policy (system view), ipsec
policy-template, and ipsec profile (system view).
Examples
# When IPsec uses IKEv1, configure IPsec transform set tran1 to use the transport encapsulation mode.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport
# When IPsec uses IKEv2, configure IPsec policy policy1 with sequence number 100 to use the transport
encapsulation mode.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] encapsulation-mode transport
Related commands
ipsec transform-set
esn enable
Use esn enable to enable the extended sequence number (ESN) function.
Use undo esn enable to disable the function.
Syntax
esn enable
undo esn enable
Default
ESN is disabled.
Views
IPsec transform set view
Default command level
2: System level
Usage guidelines
The anti-replay function works based on sequence numbers. The ESN function extends the sequence
number from 32 bits to 64 bits. Without ESN, a 32-bit sequence number is exhausted after 2^32 packets
and the SA must be rekeyed, which forces frequent rekeying on high-throughput links. With ESN, an SA
can carry far more traffic before its sequence number space is depleted.
Only the low-order 32 bits of an extended sequence number are carried in the packet; each peer tracks the
high-order bits locally. The ESN function therefore takes effect only when it is enabled on both the
initiator and responder.
Examples
# Enable ESN for IPsec transform set prop1.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] esn enable
Related commands
ipsec transform-set
esp authentication-algorithm
Use esp authentication-algorithm to specify authentication algorithms for ESP.
Use undo esp authentication-algorithm to restore the default.
Syntax
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha2-256 } *
undo esp authentication-algorithm
Default
In FIPS mode, MD5 is not supported, and ESP uses SHA-1 for authentication.
In non-FIPS mode, no authentication algorithm is specified.
Views
IPsec transform set view
Default command level
2: System level
Parameters
aes-xcbc-mac: Uses the AES-XCBC-MAC algorithm.
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha2-256: Uses the SHA2-256 algorithm.
Usage guidelines
Compared with SHA1, MD5 is faster but weaker. HMAC-MD5 is deprecated for new deployments; use
SHA1 or SHA2-256 unless interoperability with a legacy peer requires MD5.
In non-FIPS mode, you can configure ESP authentication, encryption, or both authentication and
encryption. In FIPS mode, you must configure both ESP authentication and encryption.
Examples
# Configure IPsec transform set prop1 to use ESP and specify SHA1 as the authentication algorithm for
ESP.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] transform esp
[Sysname-ipsec-transform-set-prop1] esp authentication-algorithm sha1
Related commands
• ipsec transform-set
• esp encryption-algorithm
esp encryption-algorithm
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to restore the default.
Syntax
esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192
| aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des } *
undo esp encryption-algorithm
Default
In FIPS mode, DES and 3DES are not supported, and ESP uses AES-128 for encryption.
In non-FIPS mode, no encryption algorithm is specified.
Views
IPsec transform set view
Default command level
2: System level
Parameters
3des: Uses triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key.
aes-cbc-128: Uses Advanced Encryption Standard (AES) in CBC mode that uses a 128-bit key.
aes-cbc-192: Uses AES in CBC mode that uses a 192-bit key.
aes-cbc-256: Uses AES in CBC mode that uses a 256-bit key.
aes-ctr-128: Uses AES in CTR mode that uses a 128-bit key.
aes-ctr-192: Uses AES in CTR mode that uses a 192-bit key.
aes-ctr-256: Uses AES in CTR mode that uses a 256-bit key.
camellia-cbc-128: Uses Camellia in cipher block chaining (CBC) mode that uses a 128-bit key.
camellia-cbc-192: Uses Camellia in CBC mode that uses a 192-bit key.
camellia-cbc-256: Uses Camellia in CBC mode that uses a 256-bit key.
des: Uses DES in CBC mode, which uses a 56-bit key. A 56-bit key can be brute-forced with modest resources; use DES only where a legacy peer leaves no alternative.
Usage guidelines
In non-FIPS mode, you can configure ESP authentication, encryption, or both authentication and
encryption.
In FIPS mode, you must configure both ESP authentication and encryption. If you delete the specified
authentication algorithm or encryption algorithm, ESP uses the default authentication algorithm or
encryption algorithm.
Examples
# Configure IPsec transform set prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] transform esp
[Sysname-ipsec-transform-set-prop1] esp encryption-algorithm 3des
Related commands
• display ipsec transform-set
• esp authentication-algorithm
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1
# Configure a reference to multiple IKE peers in an IPsec policy, and specify a primary IKE peer.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1 primary
[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer2
Related commands
• ipsec policy
• ipsec profile
Examples
# Specify IKEv2 profile profile1 for an IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] ikev2 profile profile1
Related commands
• ikev2 profile (system view)
• ipsec policy (system view)
• ipsec profile (system view)
Default command level
2: System level
Parameters
width: Specifies the size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024.
Usage guidelines
Your configuration affects only IPsec SAs negotiated later.
Examples
# Set the size of the anti-replay window to 64.
<Sysname> system-view
[Sysname] ipsec anti-replay window 64
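The window width set above and the esn enable command earlier in this chapter both act on the same mechanism: the receiver's anti-replay sliding window. The following is an added example, not Comware code, that models that window as described in RFC 4303 Appendix A with the widths this command accepts, and shows what ESN changes. It covers only the window arithmetic; a real receiver updates the window after the packet's integrity check has succeeded, never before.

```python
"""Added example (not Comware code): a model of the IPsec anti-replay
sliding window (RFC 4303 Appendix A) with the window widths the command
above accepts, and of the sequence-number range ESN adds.  It models only
the window arithmetic; a real receiver updates the window after the
packet's integrity check succeeds."""

WINDOW_WIDTHS = (32, 64, 128, 256, 512, 1024)


class AntiReplayWindow:
    def __init__(self, width: int = 64, esn: bool = False) -> None:
        if width not in WINDOW_WIDTHS:
            raise ValueError(f"window width must be one of {WINDOW_WIDTHS}")
        self.width = width
        # Sequence number 0 is never sent; an SA must be rekeyed before the
        # counter wraps.  ESN widens the counter from 32 to 64 bits.
        self.max_seq = (1 << 64) - 1 if esn else (1 << 32) - 1
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen
        self.rejected = {"replay": 0, "too_old": 0, "out_of_range": 0}

    def check(self, seq: int) -> bool:
        """Return True and update the window if `seq` is acceptable."""
        if seq < 1 or seq > self.max_seq:
            self.rejected["out_of_range"] += 1
            return False
        if seq > self.top:                     # advance the window
            shift = seq - self.top
            mask = (1 << self.width) - 1
            if shift >= self.width:
                self.bitmap = 1                # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.width:               # left of the window
            self.rejected["too_old"] += 1
            return False
        if self.bitmap & (1 << offset):        # already received
            self.rejected["replay"] += 1
            return False
        self.bitmap |= 1 << offset
        return True


def packets_before_rekey(esn: bool) -> int:
    """Packets an SA can carry before its sequence counter wraps."""
    return (1 << 64) - 1 if esn else (1 << 32) - 1


if __name__ == "__main__":
    w = AntiReplayWindow(64)
    print([w.check(n) for n in (1, 3, 2, 2, 200, 100)])  # [True, True, True, False, True, False]
    print(w.rejected)                                    # {'replay': 1, 'too_old': 1, 'out_of_range': 0}
    print(packets_before_rekey(False), packets_before_rekey(True))
```

The width only sets how much reordering the receiver tolerates: a packet that arrives more than width sequence numbers behind the newest one is dropped even though it was never seen before, and such drops are counted under "replay packet" in display ipsec statistics. Widen the window when traffic crosses QoS queues or parallel paths that reorder packets; narrowing it buys nothing against a genuine replay, which the bitmap already rejects. ESN does not change the window at all, only the counter range, which is why it must be enabled on both peers.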
An IPsec policy template cannot be bound to an encryption card interface, but an IPsec policy
originating from an IPsec policy template can.
You can specify an encryption card as the primary card when binding an IPsec policy, IPsec policy group,
or IPsec profile to the card. You can perform this configuration multiple times, but only the most recent
configuration takes effect. When an IPsec policy, IPsec policy group or IPsec profile is bound to the
current encryption card, the IPsec policy, IPsec policy group or IPsec profile with the same name bound
before will be overlaid.
An IPsec policy, IPsec policy group, or IPsec profile uses the bound primary card to provide security
services. If there is no primary card, an IPsec policy, IPsec policy group, or IPsec profile prefers the first
encryption card bound to it. Once an IPsec policy, IPsec policy group, or IPsec profile takes a second
encryption card as the primary card, the new primary card begins to provide security services
immediately.
The following matrix shows the command and router compatibility:
Examples
# Bind IPsec policy group map to interface Encrypt 1/0.
<Sysname> system-view
[Sysname] interface encrypt 1/0
[Sysname-Encrypt1/0] ipsec binding policy map
# Bind the IPsec policy with the name of map1 and sequence number of 10 to interface Encrypt 1/0.
[Sysname] interface encrypt 1/0
[Sysname-Encrypt1/0] ipsec binding policy map1 10
# Bind IPsec policy group map to interface Encrypt 1/0 and specify the current encryption card as the
primary card.
[Sysname] interface encrypt 1/0
[Sysname-Encrypt1/0] ipsec binding policy map primary
# Bind the IPsec policy with the name of map1 and sequence number of 10 to interface Encrypt 1/0 and
specify the current encryption card as the primary card.
[Sysname] interface encrypt 1/0
[Sysname-Encrypt1/0] ipsec binding policy map1 10 primary
Related commands
• ipsec policy (system view)
• ipsec profile (system view)
The following matrix shows the command and router compatibility:
Command                  MSR900  MSR93X  MSR20-1X  MSR20  MSR30  MSR50  MSR1000
ipsec cpu-backup enable  No      Yes     No        Yes    Yes    Yes    No
Examples
# Enable the IPsec module backup function.
<Sysname> system-view
[Sysname] ipsec cpu-backup enable
Default command level
2: System level
Examples
# Enable ACL checking of de-encapsulated IPsec packets.
<Sysname> system-view
[Sysname] ipsec decrypt check
undo ipsec invalid-spi-recovery enable
Default
The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.
Views
System view
Default command level
2: System level
Usage guidelines
Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its
peer when it receives an IPsec packet but cannot find any SA with the specified SPI. When the peer
receives the message, it deletes the SAs on its side. Then, subsequent traffic triggers the two peers to
establish new SAs.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ipsec invalid-spi-recovery enable
ipsec policy (interface view)
Use ipsec policy to apply an IPsec policy group to an interface.
Use undo ipsec policy to remove the application.
Syntax
ipsec policy policy-name
undo ipsec policy [ policy-name ]
Views
Interface view
Default command level
2: System level
Parameters
policy-name: Specifies the name of the existing IPsec policy group to be applied to the interface, a string
of 1 to 15 characters.
Usage guidelines
Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the
interface, remove the original application first. An IPsec policy group can be applied to more than one
interface.
With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to
protect certain data flows.
For each packet to be sent out an IPsec protected interface, the system checks the IPsec policies of the
IPsec policy group in ascending order of sequence numbers. The first IPsec policy whose ACL matches the
packet is used to protect it. If no IPsec policy's ACL matches the packet, the system does not provide IPsec
protection for the packet and sends it out in the clear.
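The following Python script is an added example, not part of this command reference or of Comware. It models the outbound lookup described above: the policies of one group are tried in ascending sequence number, the first whose ACL permits the packet wins, and a packet that no ACL permits leaves the interface unprotected. The group name, sequence numbers, ACL numbers, rules and packets are constructed; only permit rules are modelled.

```python
"""Outbound packet classification against an IPsec policy group (added example).

Rules use Comware ACL wildcard semantics: a 1 bit in the wildcard means
"don't care". The policy group, ACLs and packets are constructed.
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard has a 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def acl_permits(rules, packet):
    """True if any permit rule (src, src_wildcard, dst, dst_wildcard) matches."""
    return any(wildcard_match(packet["src"], s, sw) and wildcard_match(packet["dst"], d, dw)
               for s, sw, d, dw in rules)


def select_policy(policy_group, acls, packet):
    """Return the (name, seq) of the protecting policy, or None for cleartext.

    policy_group: {(name, seq): acl_number} for one group (same name).
    acls: {acl_number: [permit rules]}. Lookup order is ascending seq, whatever
    order the group was configured in.
    """
    for key in sorted(policy_group, key=lambda k: k[1]):
        rules = acls.get(policy_group[key])
        if rules and acl_permits(rules, packet):
            return key
    return None


# Constructed configuration. ACL 3001 permits 10.1.1.0/24 to any destination
# (wildcard 255.255.255.255 stands for "destination any").
ACLS = {
    3000: [("10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255")],
    3001: [("10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")],
}
# Deliberately listed with seq 20 first: sorting, not config order, decides.
POLICY_GROUP_MAP = {("map", 20): 3001, ("map", 10): 3000}


def classify(packets, policy_group=POLICY_GROUP_MAP, acls=ACLS):
    """Label each packet 'name/seq' of the protecting policy or 'cleartext'."""
    labels = []
    for p in packets:
        hit = select_policy(policy_group, acls, p)
        labels.append("%s/%d" % hit if hit else "cleartext")
    return labels


if __name__ == "__main__":
    sample = [
        {"src": "10.1.1.5", "dst": "10.2.2.9"},   # both ACLs permit; seq 10 wins
        {"src": "10.1.1.5", "dst": "8.8.8.8"},    # only ACL 3001 permits -> map/20
        {"src": "10.9.9.9", "dst": "10.2.2.9"},   # nothing permits -> sent unprotected
    ]
    for p, label in zip(sample, classify(sample)):
        print("%s -> %s : %s" % (p["src"], p["dst"], label))
```

The third packet is the case to watch when auditing a configuration: a source that is missing from every ACL is not dropped, it is forwarded in cleartext.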
Examples
# Apply IPsec policy group pg1 to interface Serial 2/2.
<Sysname> system-view
[Sysname] interface serial 2/2
[Sysname-Serial2/2] ipsec policy pg1
Related commands
ipsec policy (system view)
Views
System view
Default command level
2: System level
Parameters
policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No
minus sign (-) can be included.
seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535.
gdoi: Sets up SAs through GDOI negotiation.
isakmp: Sets up SAs through IKE negotiation.
manual: Sets up SAs manually.
Usage guidelines
When creating an IPsec policy, you must specify the generation mode.
You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and
then re-create it with the new mode.
IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely
by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence
number has a higher priority.
The undo ipsec policy command without the seq-number argument deletes an IPsec policy group.
To construct a group domain VPN, you must create a GDOI IPsec policy on a GM. For more information,
see Security Configuration Guide.
Examples
# Create an IPsec policy with the name policy1 and sequence number 101, and specify the manual
mode for it.
<Sysname> system-view
[Sysname] ipsec policy policy1 101 manual
[Sysname-ipsec-policy-manual-policy1-101]
Related commands
• ipsec policy (interface view)
• display ipsec policy
Views
System view
Default command level
2: System level
Parameters
policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No
minus sign (-) can be included.
seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535.
isakmp template template-name: Specifies the name of the IPsec policy template to be referenced.
Usage guidelines
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
After you create an IPsec policy by referencing an IPsec policy template, to modify the configuration for
the IPsec policy, you must enter the IPsec policy template view instead of the IPsec policy view.
You cannot change the negotiation mode of an IPsec policy. To do so, you must delete the IPsec policy
and then re-create it.
Related commands
• ipsec policy (system view)
• ipsec policy-template
Examples
# Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy
template temp1.
<Sysname> system-view
[Sysname] ipsec policy policy2 200 isakmp template temp1
loopback number: Specifies a loopback interface by giving its number.
Usage guidelines
The IPsec policy group and loopback interface to be referenced must have been created.
The IPsec policy group to be referenced must have been configured with one or more IPsec policies.
When you configure an IPsec policy group to be a shared source interface policy group, if the IPsec
policy group has already been applied to an interface and the interface has established IPsec SAs, the
IPsec SAs are removed and reestablished.
If the shared source interface has both primary and secondary IP addresses configured, the primary IP
address is used for IKE negotiation. The local IP address configured by using the local-address command
in IKE peer view does not take effect.
Examples
# Configure IPsec policy group map as a shared source interface policy group, binding it to source
interface Loopback 0.
<Sysname> system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] quit
[Sysname] interface loopback 0
[Sysname-LoopBack0] ip address 5.5.5.5 32
[Sysname-LoopBack0] quit
[Sysname] ipsec policy map local-address loopback 0
Related commands
• ipsec policy (system view)
• ipsec policy (interface view)
ipsec policy-template
Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view.
Use undo ipsec policy-template to delete the specified IPsec policy templates.
Syntax
ipsec policy-template template-name seq-number
undo ipsec policy-template template-name [ seq-number ]
Default
No IPsec policy template exists.
Views
System view
Default command level
2: System level
Parameters
template-name: Specifies the name for the IPsec policy template, a case-insensitive string of 1 to 41
characters. No minus sign (-) can be included.
seq-number: Specifies the sequence number for the IPsec policy template, in the range of 1 to 65535.
Usage guidelines
Using the undo command without the seq-number argument deletes an IPsec policy template group.
In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher
priority.
Examples
# Create an IPsec policy template with the name template1 and the sequence number 100.
<Sysname> system-view
[Sysname] ipsec policy-template template1 100
[Sysname-ipsec-policy-template-template1-100]
Related commands
display ipsec policy-template
Related commands
• ipsec profile (tunnel interface view)
• display ipsec profile
ipsec profile (tunnel interface view)
Use ipsec profile to apply an IPsec profile to a DVPN tunnel interface or an IPsec tunnel interface.
Use undo ipsec profile to remove the application.
Syntax
ipsec profile profile-name
undo ipsec profile
Default
No IPsec profile is applied to a DVPN tunnel interface or an IPsec tunnel interface, and no IPsec
protection is provided.
Views
Tunnel interface view
Default command level
2: System level
Parameters
profile-name: Specifies the name of the IPsec profile, a case-insensitive string of 1 to 15 characters.
Usage guidelines
Only one IPsec profile can be applied to a tunnel interface.
To apply another IPsec profile to the tunnel interface, remove the original application first.
An IPsec profile cannot be applied to the DVPN tunnel interface and the IPsec tunnel interface
simultaneously.
Examples
# Apply IPsec profile vtiprofile to the IPsec tunnel interface.
<Sysname> system-view
[Sysname] interface tunnel 0
[Sysname-Tunnel0] tunnel-protocol ipsec ipv4
[Sysname-Tunnel0] ipsec profile vtiprofile
Related commands
• ipsec profile (system view)
• interface tunnel (Layer 3—IP Services Command Reference).
ipsec sa global-duration
Use ipsec sa global-duration to configure the global SA lifetime.
Use undo ipsec sa global-duration to restore the default.
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Default
The time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200
kilobytes.
Views
System view
Default command level
2: System level
Parameters
seconds: Specifies the time-based global SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Specifies the traffic-based global SA lifetime in kilobytes, in the range of 2560 to
4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses.
If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by
the remote.
You can configure both a time-based and a traffic-based global SA lifetime. An SA is aged out when it
has existed for the specified time period or has processed the specified volume of traffic.
The SA lifetime applies only to IKE-negotiated SAs, not to manually configured SAs.
Examples
# Set the time-based global SA lifetime to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
Related commands
sa duration
Views
System view
Default command level
2: System level
Parameters
seconds: Specifies the IPsec session idle timeout in seconds, in the range of 60 to 3600.
Examples
# Set the IPsec session idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec session idle-time 600
ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view.
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform set exists.
Views
System view
Default command level
2: System level
Parameters
transform-set-name: Specifies the name of an IPsec transform set, a case-insensitive string of 1 to 32
characters.
Examples
# Create an IPsec transform set named tran1 and enter its view.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1]
Related commands
display ipsec transform-set
local-address
Use local-address to configure the local gateway IP address.
Use undo local-address to restore the default.
Syntax
local-address { ipv4-address | ipv6 ipv6-address }
undo local-address
Default
The IP address of the interface to which the IPsec policy is applied is used as the local gateway IP
address.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 address of the local security gateway.
ipv6 ipv6-address: Specifies the IPv6 address of the local security gateway.
Usage guidelines
This local gateway IP address configuration is required on an IKEv2 negotiation initiator and optional on
a responder.
Examples
# Use 1.1.1.1 as the local gateway IP address.
<Sysname> system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.1
pfs
Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the
feature when employing the IPsec policy or IPsec profile to initiate a negotiation.
Use undo pfs to remove the configuration.
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
Default
The PFS feature is not used for negotiation.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
dh-group1: Uses 768-bit Diffie-Hellman group. This keyword is not available for FIPS mode.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
Usage guidelines
In terms of security strength and required computation time, the four groups rank in descending order as
follows: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit
Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1). dh-group1 and dh-group2
are considered weak by current standards; prefer dh-group14 whenever the peer supports it.
This command allows IPsec to perform an additional key exchange process during the negotiation phase
2, providing an additional level of security.
The local Diffie-Hellman group must be the same as that of the peer.
This command can be used only when the SAs are to be set up through IKE negotiation.
Related commands
• ipsec policy-template
• ipsec policy (system view)
• ipsec profile (system view)
Examples
# Enable and configure PFS for IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 200 isakmp
[Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group1
policy enable
Use policy enable to enable the IPsec policy.
Use undo policy enable to disable the IPsec policy.
Syntax
policy enable
undo policy enable
Default
The IPsec policy is enabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Usage guidelines
The command is not applicable to manual IPsec policies.
If an IPsec policy is disabled, the IKE peer it references cannot take part in IKE negotiation for that policy.
Examples
# Enable the IPsec policy with the name policy1 and sequence number 100.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] policy enable
Related commands
• ipsec policy (system view)
• ipsec policy-template
qos pre-classify
Use qos pre-classify to enable packet information pre-extraction.
Use undo qos pre-classify to restore the default.
Syntax
qos pre-classify
undo qos pre-classify
Default
Packet information pre-extraction is disabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Usage guidelines
With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header
of the original IP packet—the header of the IP packet that has not been encapsulated by IPsec.
Examples
# Enable packet information pre-extraction.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] qos pre-classify
Related commands
• ipsec policy (system view)
• ipsec policy-template
remote-address
Use remote-address to configure the remote gateway IP address.
Use undo remote-address to restore the default.
Syntax
remote-address { [ ipv6 ] host-name [ dynamic ] | ipv4-address | ipv6 ipv6-address }
undo remote-address { [ ipv6 ] host-name [ dynamic ] | ipv4-address | ipv6 ipv6-address }
Default
No remote gateway IP address is configured.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
ipv6: Specifies an IPv6 address. Without this keyword, you must specify an IPv4 address.
host-name: Specifies the host name of the remote security gateway, a case-insensitive string of 1 to 255
characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address
by the DNS server.
dynamic: Uses dynamic address resolution for the remote gateway host name. If you do not provide this
keyword, the local end has the remote host name resolved only once after you configure the remote
gateway host name.
ipv4-address: Specifies the IPv4 address of the remote security gateway.
ipv6 ipv6-address: Specifies the IPv6 address of the remote security gateway.
Usage guidelines
This remote gateway IP address configuration is required on an IKEv2 negotiation initiator and optional
on a responder.
Examples
# Use 1.1.1.1 as the remote gateway IP address.
<Sysname> system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] remote-address 1.1.1.1
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
Syntax
reset ipsec sa [ parameters dest-address protocol spi | policy policy-name [ seq-number ] | remote
ip-address ]
Views
User view
Default command level
2: System level
Parameters
parameters: Specifies IPsec SAs that use the specified destination address, security protocol, and SPI.
dest-address: Specifies the destination address, in dotted decimal notation.
protocol: Specifies the security protocol, which can be keyword ah or esp, case insensitive.
spi: Specifies the security parameter index in the range of 256 to 4294967295.
policy: Specifies IPsec SAs that use an IPsec policy or IPsec profile.
policy-name: Specifies the name of the IPsec policy or IPsec profile, a case-sensitive string of 1 to 15
alphanumeric characters.
seq-number: Specifies the sequence number of the IPsec policy, in the range of 1 to 65535. If no
seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.
remote: Specifies SAs to or from the specified remote address, in dotted decimal notation.
ip-address: Specifies the remote address.
Usage guidelines
Immediately after a manually configured SA is cleared, the system automatically sets up a new SA based on
the parameters of the IPsec policy. After IKE-negotiated SAs are cleared, the system sets up new SAs only
when IKE negotiation is triggered by interesting packets.
IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the
other direction is also automatically cleared.
If you do not specify any parameter, the command clears all IPsec SAs.
If you specify neither active nor standby, the command clears both active and standby IPsec SAs.
Examples
# Clear all IPsec SAs.
<Sysname> reset ipsec sa
# Clear the IPsec SA of the IPsec policy with the name of policy1 and sequence number of 10.
<Sysname> reset ipsec sa policy policy1 10
# Clear the IPsec SA with a remote IP address of 10.1.1.2, security protocol of AH, and SPI of 10000.
<Sysname> reset ipsec sa parameters 10.1.1.2 ah 10000
Related commands
display ipsec sa
Parameters
integer: Specifies the ID of the IPsec tunnel, in the range of 1 to 2000000000.
Examples
# Clear all IPsec sessions.
<Sysname> reset ipsec session
Related commands
display ipsec session
Related commands
display ipsec statistics
reverse-route
Use reverse-route to enable and configure the IPsec Reverse Route Inject (RRI) feature.
Use undo reverse-route to disable IPsec RRI.
Syntax
reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
undo reverse-route
Default
IPsec RRI is disabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
static: Enables static IPsec Reverse Route Inject (RRI). Static IPsec RRI creates static routes based on the
ACL that the IPsec policy references. This keyword is available only in IPsec policy view. If this keyword
is not specified, you enable dynamic IPsec RRI, which creates static routes based on IPsec SAs.
remote-peer ip-address: Specifies a next hop for the static routes. To use the static routes for route backup
and load balancing, specify this option.
gateway: Creates two recursive routes: one to the remote tunnel endpoint and the other to the protected
remote private network. Use the gateway keyword in an IKE-enabled IPsec policy to define an explicit
default forwarding path for IPsec traffic.
Usage guidelines
IPsec RRI operates in static mode or dynamic mode:
• Static IPsec RRI creates one static route for each destination address permitted by the ACL that the
IPsec policy references. Static IPsec RRI creates static routes immediately after you configure IPsec
RRI for an IPsec policy and apply the IPsec policy. When you disable RRI, or remove the ACL or the
peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created. The static
mode applies to scenarios where the topologies of branch networks seldom change.
• Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. Dynamic IPsec RRI creates
static routes when the IPsec SAs are established, and deletes the static routes when the IPsec SAs are
deleted. The dynamic mode applies to scenarios where the topologies of branch networks change
frequently.
The destination and next hop address in a static route created by IPsec RRI depend on your settings.
See Table 27.
Table 27 Possible IPsec RRI configurations and the generated routing information
Command: reverse-route static
IPsec RRI mode: Static
Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the
IPsec policy.
Next hop address:
• Manual IPsec policy: Peer tunnel address set with the tunnel remote command.
• IPsec policy that uses IKE: The remote tunnel endpoint, which is the address configured in the
remote-address command in IKE peer view.

Command: reverse-route remote-peer ip-address static
IPsec RRI mode: Static
Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the
IPsec policy.
Next hop address: Address identified by the ip-address argument.

Command: reverse-route remote-peer ip-address gateway
IPsec RRI mode: Dynamic
Route destination:
• Protected peer private network.
• Remote tunnel endpoint.
Next hop address:
• For the route destined for the protected peer private network, the next hop is the remote tunnel
endpoint.
• For the route destined for the remote tunnel endpoint, the next hop address is the address specified by
the ip-address argument (outgoing interface: the interface where the IPsec policy is applied).
Enabling, disabling, or changing RRI settings in an IPsec policy deletes all IPsec SAs created or
negotiated by the policy.
To view static routes created by RRI, use the display ip routing-table command. For information about the
routing table, see Layer 3—IP Routing Configuration Guide.
If you configure an address range in IKE peer view, static IPsec RRI does not take effect.
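The following Python script is an added example, not part of this command reference or of Comware. It derives the destination/next-hop pairs that the RRI variants above would install for one IPsec policy, so a plan can be checked before the policy is applied: static RRI takes one route per ACL permit-rule destination and exists as soon as the policy is applied, dynamic RRI takes the peer networks protected by established IPsec SAs, and gateway mode adds a host route to the tunnel endpoint itself. The ACL, addresses and SA contents are constructed; the function names and argument names are this script's own.

```python
"""Routes that IPsec RRI would install for one IPsec policy (added example).

Inputs are constructed; the route tuples are (destination, next hop,
preference, tag), matching the columns of `display ip routing-table`.
"""
import ipaddress


def acl_destination_network(dst, wildcard):
    """Turn an ACL 'destination address wildcard' pair into an IPv4 network.

    Comware wildcards set 1 bits for "don't care"; inverting gives a netmask.
    A wildcard that does not invert to a prefix mask (a run of 1s followed by
    0s) cannot be expressed as one route and is rejected, not approximated.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError("wildcard %s does not describe a prefix" % wildcard)
    return ipaddress.IPv4Network((dst, prefixlen), strict=False)


def static_rri_routes(acl_permit_destinations, tunnel_remote, remote_peer=None,
                      preference=60, tag=0):
    """Routes for 'reverse-route static' and 'reverse-route remote-peer X static'.

    acl_permit_destinations: [(dst, wildcard), ...] from the policy's ACL.
    tunnel_remote: remote tunnel endpoint (IKE peer remote-address, or tunnel
    remote for a manual policy). remote_peer overrides it as next hop.
    """
    next_hop = remote_peer or tunnel_remote
    return [(str(acl_destination_network(d, w)), next_hop, preference, tag)
            for d, w in acl_permit_destinations]


def dynamic_rri_routes(sa_protected_networks, tunnel_remote, remote_peer=None,
                       gateway=False, preference=60, tag=0):
    """Routes for 'reverse-route', '... remote-peer X' and '... remote-peer X gateway'.

    sa_protected_networks: peer private networks (CIDR strings) carried by the
    IPsec SAs that currently exist; with no SAs there are no routes.
    """
    if gateway:
        if remote_peer is None:
            raise ValueError("gateway requires remote-peer ip-address")
        # Private networks via the tunnel endpoint, endpoint itself via remote_peer.
        routes = [(net, tunnel_remote, preference, tag) for net in sa_protected_networks]
        routes.append((tunnel_remote + "/32", remote_peer, preference, tag))
        return routes
    next_hop = remote_peer or tunnel_remote
    return [(net, next_hop, preference, tag) for net in sa_protected_networks]


if __name__ == "__main__":
    # Constructed to mirror the page's example: ACL permits traffic to
    # 3.0.0.0/24, remote tunnel endpoint 1.1.1.2, alternate next hop 1.1.1.3.
    acl = [("3.0.0.0", "0.0.0.255")]
    print("static           ", static_rri_routes(acl, "1.1.1.2"))
    print("static remote-peer", static_rri_routes(acl, "1.1.1.2", remote_peer="1.1.1.3"))
    print("dynamic          ", dynamic_rri_routes(["3.0.0.0/24"], "1.1.1.2"))
    print("dynamic gateway  ", dynamic_rri_routes(["3.0.0.0/24"], "1.1.1.2",
                                                  remote_peer="1.1.1.3", gateway=True))
```

Feeding every permit rule of a policy's ACL through static_rri_routes before applying the policy also shows up a rule with destination any, which static RRI would turn into a default route pointing at the VPN peer.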
Examples
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network
3.0.0.0/24 as the destination and the remote gateway 1.1.1.2 as the next hop.
<Sysname> system-view
[Sysname] ike peer 1
[Sysname-ike-peer-1] remote-address 1.1.1.2
[Sysname-ike-peer-1] quit
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.255
[Sysname-acl-adv-3000] quit
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] security acl 3000
[Sysname-ipsec-policy-isakmp-1-1] transform-set tran1
[Sysname-ipsec-policy-isakmp-1-1] ike-peer 1
[Sysname-ipsec-policy-isakmp-1-1] reverse-route static
[Sysname-ipsec-policy-isakmp-1-1] quit
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] ipsec policy 1
[Sysname-Ethernet1/1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not
shown.)
[Sysname] display ip routing-table
...
Destination/Mask Proto Pre Cost NextHop Interface
3.0.0.0/24 Static 60 0 1.1.1.2 Eth1/1
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network as
the destination and 1.1.1.3 as the next hop.
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 static
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not
shown.)
[Sysname] display ip routing-table
...
Destination/Mask Proto Pre Cost NextHop Interface
3.0.0.0/24 Static 60 0 1.1.1.3 Eth1/1
# Configure dynamic IPsec RRI to create static routes based on IPsec SAs. Take the peer private network
as the destination and the remote tunnel endpoint 1.1.1.2 as the next hop.
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. The expected route appears in the table after the IPsec SA negotiation
succeeds. (Other routes are not shown.)
[Sysname] display ip routing-table
...
Destination/Mask Proto Pre Cost NextHop Interface
3.0.0.0/24 Static 60 0 1.1.1.2 Eth1/1
# Configure dynamic IPsec RRI to create static routes based on IPsec SAs. Take 1.1.1.3 as the next hop.
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. The expected route appears in the routing table after the IPsec SA negotiation
succeeds. (Other routes are not shown.)
[Sysname] display ip routing-table
...
Destination/Mask Proto Pre Cost NextHop Interface
3.0.0.0/24 Static 60 0 1.1.1.3 Eth1/1
# Configure dynamic IPsec RRI to create two static routes based on an IPsec SA: one to the peer private
network 3.0.0.0/24 through the remote tunnel endpoint 1.1.1.2, and the other to the remote tunnel
endpoint through 1.1.1.3.
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 gateway
# Display the routing table. The expected routes appear in the routing table after the IPsec SA negotiation
succeeds. (Other routes are not shown.)
[Sysname] display ip routing-table
...
Destination/Mask Proto Pre Cost NextHop Interface
1.1.1.2/32 Static 60 0 1.1.1.3 Eth1/1
3.0.0.0/24 Static 60 0 1.1.1.2 Eth1/1
Related commands
• reverse-route preference
• reverse-route tag
reverse-route preference
Use reverse-route preference to change the preference of the static routes created by IPsec RRI.
Use undo reverse-route preference to restore the default.
Syntax
reverse-route preference preference-value
undo reverse-route preference
Views
IPsec policy view
Default command level
2: System level
Parameters
preference-value: Sets a preference value for the static routes created by IPsec RRI. The value range is 1
to 255. A smaller value represents a higher priority.
Usage guidelines
The default preference for the static routes created by IPsec RRI is 60.
When you change the route preference, static IPsec RRI deletes all static routes it has created and creates
new static routes. In contrast, dynamic IPsec RRI applies the new preference only to subsequent static
routes. It does not delete or modify static routes it has created.
Examples
# Set the preference to 100 for static routes populated by IPsec RRI.
<Sysname>system-view
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route preference 100
Related commands
reverse-route
reverse-route tag
Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in
implementing flexible route control through routing policies.
Use undo reverse-route tag to restore the default.
Syntax
reverse-route tag tag-value
undo reverse-route tag
Default
The tag value is 0 for the static routes created by IPsec RRI.
Views
IPsec policy view
Default command level
2: System level
Parameters
tag-value: Sets a route tag for the static routes, in the range of 1 to 4294967295.
Usage guidelines
This command makes sense only when used together with the reverse-route command.
When you change the route tag, static IPsec RRI deletes all static routes it has created and creates new
static routes. In contrast, dynamic IPsec RRI applies the new route tag only to subsequent static routes. It
does not delete or modify static routes it has created.
For information about routing policies, see Layer 3—IP Routing Configuration Guide.
Examples
# Set the tag value to 50 for the static routes created by IPsec RRI.
<Sysname>system-view
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route tag 50
Related commands
reverse-route
sa authentication-hex
Use sa authentication-hex to configure an authentication key for an SA.
Use undo sa authentication-hex to remove the configuration.
Syntax
sa authentication-hex { inbound | outbound } { ah | esp } [ cipher | simple ] hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext authentication key.
simple: Sets a plaintext authentication key.
hex-key: Specifies the key string. If cipher is specified, this argument is case sensitive and must be a
ciphertext string of 1 to 117 characters. If simple is specified, this argument is case insensitive and must
be a hexadecimal string for a 16-byte key (32 hex digits) for MD5, a 20-byte key (40 hex digits) for SHA1,
a 32-byte key (64 hex digits) for SHA2, or a 16-byte key (32 hex digits) for AES-XCBC-MAC. If neither
cipher nor simple is specified, you set a plaintext authentication key string.
Usage guidelines
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound
SAs.
The authentication key for the inbound SA at the local end must be the same as that for the outbound SA
at the remote end, and the authentication key for the outbound SA at the local end must be the same as
that for the inbound SA at the remote end.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format
(both in hexadecimal format or both in string format), and the keys must be specified in the same format
for both ends of the tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
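The following Python script is an added example, not part of this command reference or of Comware. It checks two peers' manual SA authentication keys offline against the rules above: each plaintext hex key has the length its algorithm needs, both ends use the same algorithm, and the keys mirror (local inbound equals remote outbound, local outbound equals remote inbound). The two configurations are constructed, and the algorithm labels (md5, sha1, sha2, aes-xcbc-mac) are this script's own, not CLI keywords.

```python
"""Consistency check for manually keyed SAs (sa authentication-hex), added example.

The key-length table restates the command reference; the peer configurations
in __main__ are constructed.
"""
import re

# Bytes of key material per integrity algorithm; plaintext keys are hex, so
# the CLI string must be twice as many characters.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20, "sha2": 32, "aes-xcbc-mac": 16}

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def check_hex_key(algorithm, hex_key):
    """Return a list of problems with one plaintext hex key (empty if it is fine)."""
    if algorithm not in AUTH_KEY_BYTES:
        return ["unknown authentication algorithm %r" % algorithm]
    if not _HEX.match(hex_key):
        return ["key is not hexadecimal"]
    want = 2 * AUTH_KEY_BYTES[algorithm]
    if len(hex_key) != want:
        return ["%s needs %d hex digits, got %d" % (algorithm, want, len(hex_key))]
    return []


def check_manual_sa_pair(local, remote):
    """Check both ends of one manual SA pair (AH or ESP) for one IPsec policy.

    Each side is {'algorithm': label, 'inbound': hex_key, 'outbound': hex_key}.
    Returns a list of findings; an empty list means the two ends agree.
    """
    findings = []
    for side, cfg in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            for problem in check_hex_key(cfg["algorithm"], cfg[direction]):
                findings.append("%s %s: %s" % (side, direction, problem))
    if local["algorithm"] != remote["algorithm"]:
        findings.append("algorithm mismatch: %s vs %s" % (local["algorithm"], remote["algorithm"]))
    # Keys are case insensitive on the CLI, so compare them case-folded.
    if local["inbound"].lower() != remote["outbound"].lower():
        findings.append("local inbound key != remote outbound key")
    if local["outbound"].lower() != remote["inbound"].lower():
        findings.append("local outbound key != remote inbound key")
    return findings


if __name__ == "__main__":
    # Constructed: gateway B mirrors gateway A correctly ...
    gw_a = {"algorithm": "md5",
            "inbound": "112233445566778899aabbccddeeff00",
            "outbound": "aabbccddeeff001100aabbccddeeff00"}
    gw_b = {"algorithm": "md5",
            "inbound": "aabbccddeeff001100aabbccddeeff00",
            "outbound": "112233445566778899aabbccddeeff00"}
    print(check_manual_sa_pair(gw_a, gw_b) or "consistent")
    # ... and here one byte was dropped from B's inbound key while typing it.
    gw_b_typo = dict(gw_b, inbound="aabbccddeeff001100aabbccddeeff")
    for finding in check_manual_sa_pair(gw_a, gw_b_typo):
        print("-", finding)
```

Because the device stores keys in cipher text, such a cross-check has to run on the values before they are entered; afterwards only traffic failing authentication on one side reveals the mismatch.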
Examples
# Configure the authentication keys of the inbound and outbound SAs that use AH as
0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 in plain text.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah simple 112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00
Related commands
ipsec policy (system view)
sa duration
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime.
The time-based global SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
seconds: Specifies the time-based SA lifetime in seconds, in the range of 180 to 604800.
kilobytes: Specifies the traffic-based SA lifetime in kilobytes, in the range of 2560 to 4294967295.
Usage guidelines
When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy or IPsec profile that
it uses. If the IPsec policy or IPsec profile is not configured with its own lifetime settings, IKE uses the
global SA lifetime settings, which are configured with the ipsec sa global-duration command.
When negotiating to set up an SA, IKE prefers the shorter ones of the local lifetime settings and those
proposed by the remote.
The SA lifetime applies to only IKE negotiated SAs instead of manually configured SAs.
Related commands
• ipsec sa global-duration
• ipsec policy (system view)
• ipsec profile (system view)
Examples
# Set the SA lifetime for IPsec policy1 to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
# Set the SA lifetime for IPsec profile profile1 to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration time-based 7200
# Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
sa encryption-hex
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
Syntax
sa encryption-hex { inbound | outbound } esp [ cipher | simple ] hex-key
undo sa encryption-hex { inbound | outbound } esp
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
cipher: Sets a ciphertext encryption key.
simple: Sets a plaintext encryption key.
hex-key: Specifies the key string. If cipher is specified, this argument is case sensitive and must be a
ciphertext string of 1 to 117 characters. If simple is specified, this argument is case insensitive, and must
be an 8-byte hexadecimal string for DES-CBC, a 16-byte hexadecimal string for AES128-CBC and
camellia128-CBC, a 20-byte hexadecimal string for AESCTR-128, a 24-byte hexadecimal string for
3DES-CBC, AES192-CBC, and camellia192-CBC, or a 32-byte hexadecimal string for AES256-CBC and
camellia256-CBC. If neither cipher nor simple is specified, you set a plaintext encryption key string.
Usage guidelines
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound
SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at
the remote end, and the encryption key for the outbound SA at the local end must be the same as that for
the inbound SA at the remote end.
With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the
outbound SA must be identical.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format
(both in hexadecimal format or both in string format), and the keys must be specified in the same format
for both ends of the tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as
0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp simple
1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp simple
abcdefabcdef1234
Related commands
ipsec policy (system view)
sa spi
Use sa spi to configure an SPI for an SA.
Use undo sa spi to remove the configuration.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
An SA does not have an SPI.
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
spi-number: Security parameters index (SPI) in the SA triplet, in the range of 256 to 4294967295.
Usage guidelines
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must configure parameters for both inbound and outbound
SAs. For an ACL-based manual IPsec policy, specify different SPIs for different SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the
local outbound SA and remote inbound SA.
When you configure IPsec for an IPv6 routing protocol, follow these guidelines:
• The inbound and outbound SAs at the local end must use the same SPI.
• Within a certain network scope, each router must use the same SPI and keys for its inbound and
outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be
directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected
neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a
neighbor group.
Examples
# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec
policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
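The key-length, SPI and cross-end rules stated for sa authentication-hex, sa encryption-hex and sa spi are easy to get wrong when two manual policies are typed by hand on two devices. The following Python validator is an added example, not Comware code, and checks a pair of manual SA definitions against those rules before they are committed. The key sizes and SPI range are taken from the parameter descriptions above; the lowercase algorithm identifiers, the dictionary layout of an SA and the sample key material (the AH keys and SPIs from the examples, mirrored on a constructed remote end) are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Required plaintext key sizes in bytes, as listed in the parameter descriptions
# of sa authentication-hex and sa encryption-hex. Algorithm names are lowercase
# identifiers chosen for this example.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20, "sha2": 32, "aes-xcbc-mac": 16}
ENC_KEY_BYTES = {
    "des-cbc": 8,
    "aes128-cbc": 16, "camellia128-cbc": 16,
    "aesctr-128": 20,            # 16-byte key followed by a 4-byte nonce
    "3des-cbc": 24, "aes192-cbc": 24, "camellia192-cbc": 24,
    "aes256-cbc": 32, "camellia256-cbc": 32,
}
SPI_MIN, SPI_MAX = 256, 4294967295      # documented range of spi-number
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def check_hex_key(kind: str, algorithm: str, hex_key: str) -> Tuple[bool, str]:
    """Validate a plaintext ('simple') hex key for one algorithm.

    kind is 'auth' (AH/ESP authentication) or 'enc' (ESP encryption).
    Returns (ok, reason)."""
    table = AUTH_KEY_BYTES if kind == "auth" else ENC_KEY_BYTES
    algo = algorithm.lower()
    if algo not in table:
        return False, f"unknown {kind} algorithm {algorithm!r}"
    if not HEX_RE.match(hex_key):
        return False, "key is not a hexadecimal string"
    want = table[algo] * 2                   # two hex digits per byte
    if len(hex_key) != want:
        return False, (f"{algorithm} needs {table[algo]} bytes "
                       f"({want} hex digits), got {len(hex_key)} hex digits")
    return True, "ok"


def check_spi(spi: int) -> bool:
    """spi-number must lie in the documented range."""
    return SPI_MIN <= spi <= SPI_MAX


def check_tunnel(local: Dict[str, dict], remote: Dict[str, dict]) -> List[str]:
    """Cross-check the two ends of an ACL-based manual tunnel.

    Each end is {'inbound': sa, 'outbound': sa}; each sa carries 'spi', 'key'
    and 'fmt' ('hex' or 'string'). The local inbound SA must use the same SPI
    and key as the remote outbound SA and vice versa, all four keys must be in
    the same format, and each end must use different SPIs for its two SAs."""
    problems: List[str] = []
    for l_dir, r_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        l_sa, r_sa = local[l_dir], remote[r_dir]
        if l_sa["spi"] != r_sa["spi"]:
            problems.append(f"local {l_dir} SPI {l_sa['spi']} != remote {r_dir} SPI {r_sa['spi']}")
        if l_sa["key"].lower() != r_sa["key"].lower():   # hex keys are case insensitive
            problems.append(f"local {l_dir} key != remote {r_dir} key")
    fmts = {sa["fmt"] for end in (local, remote) for sa in end.values()}
    if len(fmts) > 1:
        problems.append("inbound/outbound keys are not all in the same format")
    for end_name, end in (("local", local), ("remote", remote)):
        if end["inbound"]["spi"] == end["outbound"]["spi"]:
            problems.append(f"{end_name} inbound and outbound SAs share SPI {end['inbound']['spi']}")
        for d in ("inbound", "outbound"):
            if not check_spi(end[d]["spi"]):
                problems.append(f"{end_name} {d} SPI {end[d]['spi']} out of range")
    return problems


# Constructed sample built from the examples above: SPIs 10000/20000 and the
# two AH keys, mirrored correctly on the remote end (remote typed them in uppercase).
LOCAL = {
    "inbound":  {"spi": 10000, "key": "112233445566778899aabbccddeeff00", "fmt": "hex"},
    "outbound": {"spi": 20000, "key": "aabbccddeeff001100aabbccddeeff00", "fmt": "hex"},
}
REMOTE = {
    "inbound":  {"spi": 20000, "key": "AABBCCDDEEFF001100AABBCCDDEEFF00", "fmt": "hex"},
    "outbound": {"spi": 10000, "key": "112233445566778899aabbccddeeff00", "fmt": "hex"},
}

if __name__ == "__main__":
    print(check_hex_key("auth", "md5", LOCAL["inbound"]["key"]))
    print(check_hex_key("auth", "sha1", LOCAL["inbound"]["key"]))   # 16 bytes is too short for SHA1
    print(check_tunnel(LOCAL, REMOTE))                              # no problems
```

Run the checks on both ends' intended configuration before entering it; a mismatch found here shows up on the device only as silently dropped traffic, since a manual SA never negotiates and therefore never reports a key or SPI disagreement.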
Related commands
ipsec policy (system view)
sa string-key
Use sa string-key to set a key string for an SA.
Use undo sa string-key to remove the configuration.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key
undo sa string-key { inbound | outbound } { ah | esp }
Views
IPsec policy view
Default command level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
string-key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a
ciphertext string of 1 to 373 characters. If simple is specified, it must be a string of 1 to 255 characters.
If neither cipher nor simple is specified, you set a plaintext key string. For different algorithms, enter
strings of any length in the specified range. Using this key string, the system automatically generates keys
meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the
authentication algorithm and encryption algorithm respectively.
Usage guidelines
This command applies only to manual IPsec policies. This command is not available for FIPS mode.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the
local outbound SA and remote inbound SA.
Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the
local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound
SAs must use keys in characters.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
When you configure an IPsec policy for an IPv6 protocol, follow these guidelines:
• Within a certain network scope, each router must use the same SPI and keys for its inbound and
outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be
directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected
neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a
neighbor group.
• Enter the keys in the same format on all routers. For example, if you enter the keys in hexadecimal
format on one router, do so across the defined scope.
Examples
# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab,
respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab
# Configure the inbound and outbound SAs that use AH to use the plaintext key abcdef.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple abcdef
Related commands
ipsec policy (system view)
security acl
Use security acl to specify the ACL for the IPsec policy to reference.
Use undo security acl to remove the configuration.
Syntax
security acl acl-number [ aggregation ]
undo security acl
Default
An IPsec policy references no ACL.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Parameters
acl-number: Specifies the number of the ACL for the IPsec policy to reference, in the range of 3000 to
3999.
aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the
standard mode is used.
Usage guidelines
With an IKE-dependent IPsec policy configured, data flows can be protected in two modes:
• Standard mode, in which one tunnel protects one data flow. The data flow permitted by each ACL
rule is protected by one tunnel that is established separately for it.
• Aggregation mode, in which one tunnel protects all data flows permitted by all the rules of an ACL.
When your device works with an old-version device, use the aggregation mode on both devices.
An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec
policy references the one last specified.
In a GDOI IPsec policy view, you cannot specify an IPv6 ACL, nor specify the aggregation keyword.
Packets matching a permit rule of the specified ACL are discarded.
Examples
# Configure IPsec policy policy1 to reference ACL 3001.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0
0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Configure IPsec policy policy2 to reference ACL 3002, setting the data flow protection mode to
aggregation.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2
0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2
0.0.0.255
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
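The difference between the standard and aggregation data flow protection modes is in how permitted flows are mapped onto tunnels. The following Python model is an added example, not Comware code: it implements the wildcard-mask matching that Comware ACL rules use (a 0 bit must match, a 1 bit is ignored), evaluates a packet against the permit rules of ACL 3002 from the example above, and reports which tunnel would protect it in each mode. The tunnel names, the PermitRule structure and the sample packets are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Comware ACL wildcard semantics: a 0 bit must match, a 1 bit is ignored,
    so the wildcard 0.0.0.255 matches a whole /24."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & care) == (_ip(base) & care)


@dataclass(frozen=True)
class PermitRule:
    rule_id: int
    proto: str          # 'ip' matches any protocol; otherwise 'tcp', 'udp', ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        return (self.proto in ("ip", proto)
                and wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


def select_tunnel(rules: List[PermitRule], mode: str,
                  proto: str, src: str, dst: str) -> Optional[str]:
    """Name the tunnel that would protect a packet, or None when no permit
    rule matches. Standard mode: one tunnel per ACL rule. Aggregation mode:
    one tunnel for every flow the ACL permits."""
    assert mode in ("standard", "aggregation")
    for rule in rules:                      # first matching rule wins
        if rule.matches(proto, src, dst):
            return "acl-tunnel" if mode == "aggregation" else f"rule-{rule.rule_id}-tunnel"
    return None


def tunnel_count(rules: List[PermitRule], mode: str) -> int:
    """Number of tunnels the policy can bring up for this ACL."""
    return 1 if mode == "aggregation" else len(rules)


# Constructed from ACL 3002 in the example above.
ACL_3002 = [
    PermitRule(0, "ip", "10.1.2.1", "0.0.0.255", "10.1.2.2", "0.0.0.255"),
    PermitRule(1, "ip", "10.1.3.1", "0.0.0.255", "10.1.3.2", "0.0.0.255"),
]

if __name__ == "__main__":
    for mode in ("standard", "aggregation"):
        print(mode, tunnel_count(ACL_3002, mode),
              select_tunnel(ACL_3002, mode, "tcp", "10.1.3.5", "10.1.3.9"))
```

The model makes the interoperability point concrete: two devices that disagree on the mode also disagree on how many SA pairs exist and which flow each one carries, which is why the guideline above requires aggregation on both sides when pairing with an old-version device.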
Related commands
ipsec policy (system view)
Usage guidelines
The TFC padding function helps conceal the length of the original packets, but might adversely affect the
packet encapsulation and de-encapsulation performance. This function applies to only two types of IP
packets:
• IP packets that are encapsulated by ESP in tunnel mode
• IP packets that carry UDP datagrams and are encapsulated by ESP in transport mode.
Examples
# Enable the TFC padding function.
<Sysname> system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ikev2-policy-isakmp-map-1] tfc enable
transform
Use transform to specify a security protocol for an IPsec transform set.
Use undo transform to restore the default.
Syntax
transform { ah | ah-esp | esp }
undo transform
Default
The ESP protocol is used.
Views
IPsec transform set view
Default command level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Usage guidelines
The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol.
Examples
# Configure IPsec transform set prop1 to use AH.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] transform ah
Related commands
ipsec transform-set
transform-set
Use transform-set to specify an IPsec transform set for the IPsec policy or IPsec profile to reference.
Use undo transform-set to remove an IPsec transform set referenced by the IPsec policy or IPsec profile.
Syntax
transform-set transform-set-name&<1-6>
undo transform-set [ transform-set-name ]
Default
An IPsec policy or IPsec profile references no IPsec transform set.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Default command level
2: System level
Parameters
transform-set-name&<1-6>: Specifies the name of the IPsec transform set, a string of 1 to 32 characters.
&<1-6> means that you can specify up to six transform sets, separated by spaces.
Usage guidelines
The specified IPsec transform sets must already exist.
A manual IPsec policy can reference only one IPsec transform set. To replace a referenced IPsec transform
set, use the undo transform-set command to remove the original transform set binding and then use the
transform-set command to reconfigure one.
An IKE negotiated IPsec policy can reference up to six IPsec transform sets. The IKE negotiation process
will search for and use the exactly matched transform set.
An IPsec profile can reference up to six IPsec transform sets. The IKE negotiation process will search for
and use the exactly matched transform set.
Examples
# Configure IPsec policy policy1 to reference IPsec transform set tran1.
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] transform-set tran1
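The referencing rules above (the set must exist, a manual policy binds exactly one set, an IKE negotiated policy or profile binds up to six, and IKE uses the exactly matched set) are shown in the following Python model. It is an added example, not Comware code; the attribute tuple used to represent a transform set, the error strings, and the constructed sets tran2 and tran3 are assumptions of this example (tran1 is the name used in the example above).

```python
from typing import Dict, List, Optional, Tuple

# A transform set reduced to the attributes both ends must agree on:
# (security protocol, encapsulation mode, ESP encryption, ESP authentication, AH authentication)
TransformSet = Tuple[str, str, Optional[str], Optional[str], Optional[str]]

MAX_IKE_SETS = 6     # an IKE negotiated policy or a profile may reference up to six


class IpsecPolicy:
    def __init__(self, name: str, seq: int, mode: str) -> None:
        assert mode in ("manual", "isakmp")
        self.name, self.seq, self.mode = name, seq, mode
        self.transform_sets: List[str] = []     # referenced names, in configured order


def reference_transform_set(policy: IpsecPolicy, defined: Dict[str, TransformSet],
                            *names: str) -> Optional[str]:
    """Apply the rules of transform-set. Returns None on success, else an error text."""
    for n in names:
        if n not in defined:
            return f"transform set {n!r} does not exist"
    if policy.mode == "manual":
        if len(names) != 1 or policy.transform_sets:
            return "a manual IPsec policy references one transform set; undo transform-set first"
    elif len(policy.transform_sets) + len(names) > MAX_IKE_SETS:
        return f"at most {MAX_IKE_SETS} transform sets can be referenced"
    policy.transform_sets.extend(names)
    return None


def undo_transform_set(policy: IpsecPolicy, name: Optional[str] = None) -> None:
    """undo transform-set [ name ]: remove one binding, or all of them."""
    if name is None:
        policy.transform_sets.clear()
    elif name in policy.transform_sets:
        policy.transform_sets.remove(name)


def select_transform_set(policy: IpsecPolicy, defined: Dict[str, TransformSet],
                         peer_offer: TransformSet) -> Optional[str]:
    """Exact-match search used during IKE negotiation: the first referenced
    set whose attributes all equal the peer's offer is used; a partial match
    (for example the same ciphers but a different security protocol) is not."""
    for n in policy.transform_sets:
        if defined[n] == peer_offer:
            return n
    return None


# Constructed transform sets; tran1 is the name used in the example above.
TRANSFORM_SETS: Dict[str, TransformSet] = {
    "tran1": ("esp", "tunnel", "aes-cbc-128", "sha1", None),
    "tran2": ("esp", "tunnel", "3des-cbc", "md5", None),
    "tran3": ("ah", "tunnel", None, None, "sha1"),
}

if __name__ == "__main__":
    p = IpsecPolicy("policy1", 100, "manual")
    print(reference_transform_set(p, TRANSFORM_SETS, "tran1"))          # None: accepted
    print(reference_transform_set(p, TRANSFORM_SETS, "tran2"))          # error: manual policy already bound
    q = IpsecPolicy("policy2", 1, "isakmp")
    reference_transform_set(q, TRANSFORM_SETS, "tran1", "tran2", "tran3")
    print(select_transform_set(q, TRANSFORM_SETS, ("ah", "tunnel", None, None, "sha1")))  # tran3
```

Because the search is an exact match, ordering the referenced sets from strongest to weakest lets a peer that supports the stronger set negotiate it first, while a peer offering only a weaker combination still connects if that combination is also listed.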
Related commands
• ipsec transform-set
• ipsec policy (system view)
• ipsec profile (system view)
tunnel local
Use tunnel local to configure the local address of an IPsec tunnel.
Use undo tunnel local to remove the configuration.
Syntax
tunnel local ip-address
undo tunnel local
Default
No local address is configured for an IPsec tunnel.
Views
IPsec policy view
Default command level
2: System level
Parameters
ip-address: Specifies the local address for the IPsec tunnel.
Usage guidelines
This command applies to only manual IPsec policies.
If no local address is configured, the address of the interface to which the IPsec policy is applied is
used.
Examples
# Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1.
<Sysname> system-view
[Sysname] interface loopback 0
[Sysname-LoopBack0] ip address 10.0.0.1 32
[Sysname-LoopBack0] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] tunnel local 10.0.0.1
Related commands
ipsec policy (system view)
tunnel remote
Use tunnel remote to configure the remote address of an IPsec tunnel.
Use undo tunnel remote to remove the configuration.
Syntax
tunnel remote ip-address
undo tunnel remote [ ip-address ]
Default
No remote address is configured for the IPsec tunnel.
Views
IPsec policy view
Default command level
2: System level
Parameters
ip-address: Specifies the remote address for the IPsec tunnel.
Usage guidelines
This command applies to only manual IPsec policies.
If you configure the remote address multiple times, the most recent configuration takes effect.
An IPsec tunnel is established between the local and remote ends. The remote address configured at the
local end must be the same as the local address of the remote end.
Examples
# Set the remote address of the IPsec tunnel to 10.1.1.2.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 manual
[Sysname-ipsec-policy-policy1-10] tunnel remote 10.1.1.2
Related commands
ipsec policy (system view)
IKE configuration commands
MSR93X No.
MSR20-1X No.
MSR20 Yes.
MSR50 Yes.
MSR1000 Yes.
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm
Default
An IKE proposal uses the SHA1 authentication algorithm.
Views
IKE proposal view
Default command level
2: System level
Parameters
md5: Uses HMAC-MD5. This keyword is not available for FIPS mode.
sha: Uses HMAC-SHA1.
Examples
# Set MD5 as the authentication algorithm for IKE proposal 10.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] authentication-algorithm md5
Related commands
• ike proposal
• display ike proposal
authentication-method
Use authentication-method to specify an authentication method for an IKE proposal.
Use undo authentication-method to restore the default.
Syntax
authentication-method { pre-share | rsa-signature }
undo authentication-method
Default
An IKE proposal uses the pre-shared key authentication method.
Views
IKE proposal view
Default command level
2: System level
Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] authentication-method pre-share
Related commands
• ike proposal
• display ike proposal
certificate domain
Use certificate domain to configure the PKI domain of the certificate when IKE uses digital signature as
the authentication mode.
Use undo certificate domain to remove the configuration.
Syntax
certificate domain domain-name
undo certificate domain
Views
IKE peer view
Default command level
2: System level
Parameters
domain-name: Specifies the name of the PKI domain, a string of 1 to 15 characters.
Examples
# Configure the PKI domain as abcde for IKE negotiation.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] certificate domain abcde
Related commands
• authentication-method
• pki domain
dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
dh { group1 | group2 | group5 | group14 }
undo dh
Default
In FIPS mode, IKE phase 1 key negotiation uses group2, the 1024-bit Diffie-Hellman group.
In non-FIPS mode, IKE phase 1 key negotiation uses group1, the 768-bit Diffie-Hellman group.
Views
IKE proposal view
Default command level
2: System level
Parameters
group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1. This keyword is not
available for FIPS mode.
group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.
group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1.
group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1.
Examples
# Specify 768-bit Diffie-Hellman for IKE proposal 10.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] dh group1
Related commands
• ike proposal
• display ike proposal
display ike dpd
Use display ike dpd to display information about Dead Peer Detection (DPD) detectors.
Syntax
display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
dpd-name: Specifies the DPD name, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays information about all DPD detectors.
Examples
# Display information about all DPD detectors.
<Sysname> display ike dpd
---------------------------
IKE dpd: dpd1
references: 1
interval-time: 10
time_out: 5
---------------------------
Field Description
references Number of IKE peers that use the DPD detector.
Related commands
ike dpd
display ike peer
Use display ike peer to display information about IKE peers.
Syntax
display ike peer [ peer-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
peer-name: Specifies the name of the IKE peer, a string of 1 to 32 characters.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters, the command displays information about all IKE peers.
Examples
# Display information about all IKE peers.
<Sysname> display ike peer
---------------------------
IKE Peer: rtb4tunn
exchange mode: main on phase 1
pre-shared-key ******
peer id type: ip
peer ip address: 44.44.44.55
local ip address:
peer name:
nat traversal: disable
dpd: dpd1
---------------------------
Field Description
exchange mode IKE negotiation mode in phase 1.
local ip address IP address of the local security gateway.
Related commands
ike peer
Field Description
priority Priority of the IKE proposal.
authentication method Authentication method used by the IKE proposal.
Related commands
• authentication-method
• ike proposal
• encryption-algorithm
• authentication-algorithm
• dh
• sa duration
display ike sa
Use display ike sa to display information about the current IKE SAs.
Syntax
display ike sa [ verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin |
exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range
of 1 to 2000000000.
remote-address remote-address: Displays detailed information about the IKE SAs with the specified remote
address.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any parameters or keywords, the command displays brief information about the
current IKE SAs.
Examples
# Display brief information about the current IKE SAs.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC
2 202.38.0.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Display brief information about IKE SAs and rekey SAs of GDOI type.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi status
----------------------------------------------------------
1 202.38.0.2 RD|ST 1 GROUP
2 202.38.0.2 RD|RK 1 GROUP
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK-REKEY
Field Description
total phase-1 SAs Total number of SAs for phase 1.
Interpretation domain the SA belongs to.
doi • IPSEC—The SA is negotiated through IKE.
• GROUP—The SA is negotiated through GDOI.
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 82480
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
<Sysname> display ike sa verbose remote-address 4.4.4.5
---------------------------------------------
connection id: 2
vpn-instance:
transmitting entity: initiator
local ip: 4.4.4.4
local id type: IPV4_ADDR
local id: 4.4.4.4
authentication-method: PRE-SHARED-KEY
authentication-algorithm: HASH-SHA1
encryption-algorithm: DES-CBC
Field Description
connection id Identifier of the ISAKMP SA.
life duration(sec) Lifetime of the ISAKMP SA in seconds.
Related commands
• ike proposal
• ike peer
dpd
Use dpd to apply a DPD detector to an IKE peer.
Use undo dpd to remove the application.
Syntax
dpd dpd-name
undo dpd
Default
No DPD detector is applied to an IKE peer.
Views
IKE peer view
Default command level
2: System level
Parameters
dpd-name: Specifies the DPD detector name, a string of 1 to 32 characters.
Examples
# Apply dpd1 to IKE peer peer1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] dpd dpd1
encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
Use undo encryption-algorithm to restore the default.
Syntax
encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }
undo encryption-algorithm
Default
In FIPS mode, DES-CBC and 3DES-CBC are not supported, and an IKE proposal uses the 128-bit AES
algorithm in CBC mode for encryption.
In non-FIPS mode, an IKE proposal uses the 56-bit DES algorithm in CBC mode for encryption.
Views
IKE proposal view
Default command level
2: System level
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses
168-bit keys for encryption.
aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses
128-bit, 192-bit, or 256-bit keys for encryption.
key-length: Key length for the AES algorithm, which can be 128, 192, or 256 bits and defaults to 128
bits.
des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses
56-bit keys for encryption.
Examples
# Use 56-bit DES in CBC mode as the encryption algorithm for IKE proposal 10.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] encryption-algorithm des-cbc
Related commands
• ike proposal
• display ike proposal
exchange-mode
Use exchange-mode to select an IKE negotiation mode.
Use undo exchange-mode to restore the default.
Syntax
exchange-mode { aggressive | main }
undo exchange-mode
Default
Main mode is used.
Views
IKE peer view
Default command level
2: System level
Parameters
aggressive: Specifies the aggressive mode. This keyword is not available for FIPS mode.
main: Specifies the main mode.
Usage guidelines
When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address
automatically and pre-shared key authentication is used, HP recommends setting the IKE negotiation
mode to aggressive at the local end.
In FIPS mode, the aggressive mode is not supported.
Examples
# Specify that IKE negotiation operates in main mode.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] exchange-mode main
Related commands
id-type
id-type
Use id-type to select the type of the ID for IKE negotiation.
Use undo id-type to restore the default.
Syntax
id-type { ip | name | user-fqdn }
undo id-type
Default
The ID type is IP address.
Views
IKE peer view
Default command level
2: System level
Parameters
ip: Uses an IP address as the ID during IKE negotiation.
name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.
user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.
Usage guidelines
In main mode, only the ID type of IP address can be used in IKE negotiation and SA creation. In
aggressive mode, any of the ID types can be used.
If the ID type of FQDN is used, configure a name without any at sign (@) for the local security gateway,
for example, foo.bar.com. If the ID type of user FQDN is used, configure a name with an at sign (@) for
the local security gateway, for example, [email protected].
Examples
# Use the ID type of name during IKE negotiation.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] id-type name
Related commands
• local-name
• ike local-name
• remote-name
• remote-address
• local-address
• exchange-mode
ike dpd
Use ike dpd to create a DPD detector and enter IKE DPD view.
Use undo ike dpd to remove a DPD detector.
Syntax
ike dpd dpd-name
undo ike dpd dpd-name
Views
System view
Default command level
2: System level
Parameters
dpd-name: Specifies the name for the DPD detector, a string of 1 to 32 characters.
Usage guidelines
DPD detects dead IKE peers on demand rather than at fixed intervals. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received
from the peer.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval,
it retransmits the DPD hello.
4. If the local end still receives no DPD acknowledgement after having made the maximum number of
retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA
and the IPsec SAs based on the IKE SA.
DPD enables an IKE entity to check the liveliness of its peer only when necessary. It generates less traffic
than the keepalive mechanism, which exchanges messages periodically.
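The four steps above form a small state machine driven by outbound traffic, the DPD interval, the retransmission timeout and the retry limit. The following Python model is an added example, not Comware code: it replays the procedure on a constructed timeline using the values from the sample display ike dpd output (interval-time 10, time_out 5) and the default of two retransmissions. The class and method names, the event timeline and the log format are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdDetector:
    """One DPD detector bound to an IKE peer. Times are in seconds."""
    interval: float = 10.0            # DPD interval (interval-time in display ike dpd)
    timeout: float = 5.0              # retransmission interval (time_out)
    max_retries: int = 2              # retransmission attempts before the peer is dead
    last_rx: float = 0.0              # when the last IPsec packet arrived from the peer
    hello_sent_at: Optional[float] = None
    retries: int = 0
    peer_dead: bool = False
    log: List[str] = field(default_factory=list)

    def on_ipsec_received(self, now: float) -> None:
        """Any IPsec packet from the peer proves it is alive and cancels probing."""
        self.last_rx = now
        self.hello_sent_at = None
        self.retries = 0

    def on_dpd_ack(self, now: float) -> None:
        self.on_ipsec_received(now)
        self.log.append(f"{now}: DPD ack received, peer alive")

    def on_ipsec_send(self, now: float) -> None:
        """Steps 1 and 2: before sending IPsec traffic, check how long the peer
        has been silent and send a DPD hello if that exceeds the interval."""
        if self.peer_dead or self.hello_sent_at is not None:
            return                                  # dead, or already probing
        if now - self.last_rx > self.interval:
            self.hello_sent_at = now
            self.log.append(f"{now}: DPD hello sent")

    def tick(self, now: float) -> None:
        """Steps 3 and 4: retransmit the hello when no ack arrives within the
        timeout; after max_retries unanswered retransmissions the peer is dead
        and the IKE SA and its IPsec SAs are cleared."""
        if self.peer_dead or self.hello_sent_at is None:
            return
        if now - self.hello_sent_at >= self.timeout:
            if self.retries < self.max_retries:
                self.retries += 1
                self.hello_sent_at = now
                self.log.append(f"{now}: DPD hello retransmitted ({self.retries}/{self.max_retries})")
            else:
                self.peer_dead = True
                self.log.append(f"{now}: peer dead, clearing IKE SA and dependent IPsec SAs")


def simulate(peer_answers: bool) -> DpdDetector:
    """Constructed timeline: peer traffic at t=0, local sends at t=5 and t=12,
    then the clock ticks once per second until t=30."""
    d = DpdDetector()
    d.on_ipsec_received(0)
    d.on_ipsec_send(5)            # idle 5 s, below the 10 s interval: no probe
    d.on_ipsec_send(12)           # idle 12 s, above the interval: hello goes out
    if peer_answers:
        d.on_dpd_ack(13)
    for t in range(13, 31):
        d.tick(t)
    return d


if __name__ == "__main__":
    for answers in (True, False):
        print("\n".join(simulate(answers).log), end="\n\n")
```

With a silent peer the log shows the hello at t=12, retransmissions at t=17 and t=22, and the dead verdict at t=27, so a lost peer is noticed only after interval plus (max_retries + 1) times timeout, and only once the local end has something to send; a periodic keepalive would have found it sooner at the cost of constant traffic.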
Examples
# Create a DPD detector named dpd2.
<Sysname> system-view
[Sysname] ike dpd dpd2
Related commands
• display ike dpd
• interval-time
• time-out
ike local-name
Use ike local-name to configure a name for the local security gateway.
Use undo ike local-name to restore the default.
Syntax
ike local-name name
undo ike local-name
Default
The device name is used as the name of the local security gateway.
Views
System view
Default command level
2: System level
Parameters
name: Specifies the name of the local security gateway for IKE negotiation, a case-sensitive string of 1
to 255 characters.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation peer
uses the security gateway name as its ID to initiate IKE negotiation, and you must configure the ike
local-name command in system view or the local-name command in IKE peer view on the local device.
If you configure both the ike local-name command and the local-name command, the name configured
by the local-name command is used.
The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the
security gateway name configured with the remote-name command to authenticate the initiator. Make
sure the local gateway name matches the remote gateway name configured on the peer.
Examples
# Configure the local security gateway name as app.
<Sysname> system-view
[Sysname] ike local-name app
Related commands
• remote-name
• id-type
ike next-payload check disabled
Use ike next-payload check disabled to disable checking of the Next payload field in the last
payload of an IKE message during IKE negotiation, so that the device can interoperate with products
that set the field to a value other than zero.
Use undo ike next-payload check disabled to restore the default.
Syntax
ike next-payload check disabled
undo ike next-payload check disabled
Default
The Next payload field is checked.
Views
System view
Default command level
2: System level
Examples
# Disable Next payload field checking for the last payload of an IKE message.
<Sysname> system-view
[Sysname] ike next-payload check disabled
ike proposal
Use ike proposal to create an IKE proposal and enter IKE proposal view.
Use undo ike proposal to delete an IKE proposal.
Syntax
ike proposal proposal-number
undo ike proposal proposal-number
Views
System view
Default command level
2: System level
Parameters
proposal-number: Specifies the IKE proposal number in the range of 1 to 65535. The lower the number,
the higher the priority of the IKE proposal. During IKE negotiation, a high priority IKE proposal is
matched before a low priority IKE proposal.
Usage guidelines
The system provides a default IKE proposal, which has the lowest priority and uses these settings:
• Encryption algorithm DES-CBC
• Authentication algorithm HMAC-SHA1
• Authentication method Pre-shared key
• DH group MODP_768
• SA lifetime 86400 seconds
Examples
# Create IKE proposal 10 and enter IKE proposal view.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10]
Related commands
display ike proposal
Views
System view
Default command level
2: System level
Parameters
seconds: Specifies the transmission interval of ISAKMP SA keepalives in seconds, in the range of 20 to
28800.
Usage guidelines
The keepalive interval configured at the local end must be shorter than the keepalive timeout configured
at the remote end.
Examples
# Set the keepalive interval to 200 seconds.
<Sysname> system-view
[Sysname] ike sa keepalive-timer interval 200
Related commands
ike sa keepalive-timer timeout
Related commands
ike sa keepalive-timer interval
interval-time
Use interval-time to set the DPD query triggering interval for a DPD detector.
Use undo interval-time to restore the default.
Syntax
interval-time interval-time
undo interval-time
Default
The default DPD interval is 10 seconds.
Views
IKE DPD view
Default command level
2: System level
Parameters
interval-time: Sets DPD interval in seconds, in the range of 1 to 300 seconds. When the local end sends
an IPsec packet, it checks the time the last IPsec packet was received from the peer. If the time interval
exceeds the DPD interval, it sends a DPD hello to the peer.
Examples
# Set the DPD interval to 1 second for dpd2.
<Sysname> system-view
[Sysname] ike dpd dpd2
[Sysname-ike-dpd-dpd2] interval-time 1
local
Use local to set the subnet type of the local security gateway for IKE negotiation.
Use undo local to restore the default.
Syntax
local { multi-subnet | single-subnet }
undo local
Default
The subnet is a single one.
Views
IKE peer view
Default command level
2: System level
Parameters
multi-subnet: Sets the subnet type to multiple.
single-subnet: Sets the subnet type to single.
Usage guidelines
Use this command to enable interoperability with a NetScreen device.
Examples
# Set the subnet type of the local security gateway to multiple.
<Sysname> system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local multi-subnet
local-address
Use local-address to configure the IP address of the local security gateway in IKE negotiation.
Use undo local-address to remove the configuration.
Syntax
local-address ip-address
undo local-address
Default
The primary address of the interface referencing the IPsec policy is used as the local security gateway IP
address for IKE negotiation. Use this command if you want to specify a different address for the local
security gateway.
Views
IKE peer view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the local security gateway to be used in IKE negotiation.
Examples
# Set the IP address of the local security gateway to 1.1.1.1.
<Sysname> system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local-address 1.1.1.1
local-name
Use local-name to configure a name for the local security gateway to be used in IKE negotiation.
Use undo local-name to restore the default.
Syntax
local-name name
undo local-name
Default
The device name is used as the name of the local security gateway.
Views
IKE peer view
Default command level
2: System level
Parameters
name: Specifies the name for the local security gateway to be used in IKE negotiation, a case-sensitive
string of 1 to 255 characters.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation peer
uses the security gateway name as its ID to initiate IKE negotiation, and you must configure the ike
local-name command in system view or the local-name command in IKE peer view on the local device.
If you configure both the ike local-name command and the local-name command, the name configured
by the local-name command is used.
The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the
security gateway name configured with the remote-name command to authenticate the initiator. Make
sure the local gateway name matches the remote gateway name configured on the peer.
Examples
# Set the name of the local security gateway to localgw in IKE peer view of peer1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] local-name localgw
Related commands
• remote-name
• id-type
nat traversal
Use nat traversal to enable the NAT traversal function of IKE/IPsec.
Use undo nat traversal to disable the NAT traversal function of IKE/IPsec.
Syntax
nat traversal
undo nat traversal
Default
The NAT traversal function is disabled.
Views
IKE peer view
Default command level
2: System level
Examples
# Enable the NAT traversal function for IKE peer peer1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] nat traversal
peer
Use peer to set the subnet type of the peer security gateway for IKE negotiation.
Use undo peer to restore the default.
Syntax
peer { multi-subnet | single-subnet }
undo peer
Default
The subnet is a single one.
Views
IKE peer view
Default command level
2: System level
Parameters
multi-subnet: Sets the subnet type to multiple.
single-subnet: Sets the subnet type to single.
Usage guidelines
Use this command to enable interoperability with a NetScreen device.
Examples
# Set the subnet type of the peer security gateway to multiple.
<Sysname> system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] peer multi-subnet
pre-shared-key
Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.
Use undo pre-shared-key to remove the configuration.
Syntax
pre-shared-key [ cipher | simple ] key
undo pre-shared-key
Views
IKE peer view
Default command level
2: System level
Parameters
cipher: Sets a ciphertext pre-shared key.
simple: Sets a plaintext pre-shared key.
key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a ciphertext
string of 1 to 201 characters. If simple is specified, it must be a string of 1 to 128 characters. If neither
cipher nor simple is specified, you set a plaintext key string.
Usage guidelines
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
In FIPS mode, the key must contain at least eight characters including digits, uppercase and lowercase
letters, and special characters.
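A configuration pre-check for plaintext pre-shared keys, added here as an example (not part of Comware). It encodes the length limit for the simple form and the FIPS-mode character-class rule stated above; the function name and the choice of ASCII punctuation as the set of special characters are assumptions.

```python
import string

# Assumption: "special characters" means ASCII punctuation.
SPECIAL_CHARS = set(string.punctuation)


def check_psk(key: str, fips: bool = False):
    """Return the list of rules a plaintext pre-shared key violates.

    An empty list means the key satisfies every rule checked here:
    - simple form: 1 to 128 characters
    - FIPS mode: at least eight characters, with a digit, an uppercase
      letter, a lowercase letter and a special character
    """
    problems = []
    if not 1 <= len(key) <= 128:
        problems.append("plaintext key must be 1 to 128 characters")
    if fips:
        if len(key) < 8:
            problems.append("FIPS mode: at least eight characters required")
        required = {
            "digit": any(c.isdigit() for c in key),
            "uppercase letter": any(c.isupper() for c in key),
            "lowercase letter": any(c.islower() for c in key),
            "special character": any(c in SPECIAL_CHARS for c in key),
        }
        for name, present in required.items():
            if not present:
                problems.append(f"FIPS mode: missing a {name}")
    return problems


if __name__ == "__main__":
    # Constructed sample keys; the page's own example key is "abcde".
    for candidate in ("abcde", "Abc12!xyz"):
        print(candidate, check_psk(candidate, fips=True) or "ok")
```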
Examples
# Set the pre-shared key used in IKE negotiation to plaintext string abcde.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] pre-shared-key simple abcde
Related commands
authentication-method
proposal (IKE peer view)
Use proposal to specify the IKE proposals for the IKE peer to reference.
Use undo proposal to remove one or all IKE proposals referenced by the IKE peer.
Syntax
proposal proposal-number&<1-6>
undo proposal [ proposal-number ]
Default
An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals
configured in system view.
Views
IKE peer view
Default command level
2: System level
Parameters
proposal-number&<1-6>: Specifies the sequence number of the IKE proposal for the IKE peer to
reference, in the range of 1 to 65535. &<1-6> means that you can specify the proposal-number
argument up to six times. An IKE proposal with a smaller sequence number has a higher priority.
Usage guidelines
In the IKE negotiation phase 1, the local end uses the IKE proposals specified for it, if any.
An IKE peer can reference up to six IKE proposals.
The responder uses the IKE proposals configured in system view for negotiation.
Examples
# Configure IKE peer peer1 to reference IKE proposal 10.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] proposal 10
Related commands
• ike proposal
• ike peer (system view)
remote-address
Use remote-address to configure the IP address of the IPsec remote security gateway.
Use undo remote-address to remove the configuration.
Syntax
remote-address { hostname [ dynamic ] | low-ip-address [ high-ip-address ] }
undo remote-address
Views
IKE peer view
Default command level
2: System level
Parameters
hostname: Specifies the host name of the IPsec remote security gateway, a case-insensitive string of 1 to
255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP
address by the DNS server.
dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not
provide this keyword, the local end has the remote host name resolved only once after you configure the
remote host name.
low-ip-address: Specifies the IP address of the IPsec remote security gateway. It is the lowest address in
the address range if you want to specify a range of addresses.
high-ip-address: Specifies the highest address in the address range if you want to specify a range of
addresses.
Usage guidelines
The IP address configured with the remote-address command must match the local security gateway IP
address that the remote security gateway uses for IKE negotiation, which is the IP address configured with
the local-address command or, if the local-address command is not configured, the primary IP address
of the interface to which the policy is applied.
The local end can be the initiator of IKE negotiation if the remote address is a host IP address or a host
name. The local end can only be the responder of IKE negotiation if the remote address is an address
range that the local end can respond to.
If the IP address of the remote address changes frequently, configure the host name of the remote
gateway with the dynamic keyword so that the local end can use the up-to-date remote IP address to
initiate IKE negotiation.
Examples
# Configure the IP address of the remote security gateway as 10.0.0.1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] remote-address 10.0.0.1
# Configure the host name of the remote gateway as test.com, and specify the local end to dynamically
update the remote IP address.
<Sysname> system-view
[Sysname] ike peer peer2
[Sysname-ike-peer-peer2] remote-address test.com dynamic
Related commands
• id-type ip
• local-address
remote-name
Use remote-name to configure the name of the remote gateway.
Use undo remote-name to remove the configuration.
Syntax
remote-name name
undo remote-name
Views
IKE peer view
Default command level
2: System level
Parameters
name: Specifies the name of the peer security gateway for IKE negotiation, a string of 1 to 255
characters.
Usage guidelines
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation
initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security
gateway name configured with the remote-name command to authenticate the initiator. Make sure the
local gateway name matches the remote gateway name configured on the peer.
Examples
# Configure the remote security gateway name as apple for IKE peer peer1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] remote-name apple
Related commands
• id-type
• local-name
• ike local-name
reset ike sa
Use reset ike sa to clear IKE SAs.
Syntax
reset ike sa [ connection-id ]
Views
User view
Default command level
2: System level
Parameters
connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to
2000000000.
Usage guidelines
If you do not specify any parameter, the command clears all ISAKMP SAs.
When you clear a local IPsec SA, its ISAKMP SA can transmit the Delete message to notify the remote
end to delete the paired IPsec SA. If the ISAKMP SA has been cleared, the local end cannot notify the
remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.
Examples
# Clear the IKE SA that uses connection ID 2.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC
2 202.38.0.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
<Sysname> reset ike sa 2
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
Related commands
display ike sa
sa duration
Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The ISAKMP SA lifetime is 86400 seconds.
Views
IKE proposal view
Default command level
2: System level
Parameters
seconds: Specifies the ISAKMP SA lifetime in seconds, in the range of 60 to 604800.
Usage guidelines
Before an SA expires, IKE negotiates a new SA. The new SA takes effect immediately after being set up,
and the old one will be cleared automatically when it expires.
Examples
# Specify the ISAKMP SA lifetime for IKE proposal 10 as 600 seconds (10 minutes).
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] sa duration 600
Related commands
• ike proposal
• display ike proposal
time-out
Use time-out to set the DPD packet retransmission interval for a DPD detector.
Use undo time-out to restore the default.
Syntax
time-out time-out
undo time-out
Views
IKE DPD view
Default command level
2: System level
Parameters
time-out: Specifies the DPD packet retransmission interval in seconds, in the range of 1 to 60.
Usage guidelines
The default DPD packet retransmission interval is 5 seconds.
Examples
# Set the DPD packet retransmission interval to 1 second for dpd2.
<Sysname> system-view
[Sysname] ike dpd dpd2
[Sysname-ike-dpd-dpd2] time-out 1
IKEv2 configuration commands
address
Use address to configure a peer host address or address range. When working as an IKEv2 negotiation
initiator, the local end uses this information to identify a peer.
Use undo address to delete a peer host address or address range.
Syntax
address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }
undo address { ipv4-address [ mask-length ] | ipv6 ipv6-address [ prefix-length ] }
Default
An IKEv2 peer has no peer host address or address range.
Views
IKEv2 peer view
Default command level
2: System level
Parameters
ipv4-address: Specifies the IPv4 host address of the IKEv2 peer.
mask-length: Specifies the mask length of the IPv4 address, in the range of 0 to 32.
ipv6 ipv6-address: Specifies the IPv6 host address of the IKEv2 peer.
prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.
Examples
# Create an IKEv2 keyring named keyr1.
<Sysname> system-view
[Sysname] ikev2 keyring keyr1
# Create an IKEv2 peer named peer1 and enter IKEv2 peer view.
[Sysname-ikev2-keyring-keyr1] peer peer1
# Configure the peer address range 3.3.3.0 for the peer, with the mask 255.255.255.0.
[Sysname-ikev2-keyring-keyr1-peer-peer1] address 3.3.3.0 255.255.255.0
Related commands
peer (IKEv2 keyring view)
Syntax
authentication { local | remote } { pre-share | rsa-sig }
undo authentication { local | remote { pre-share | rsa-sig } }
Default
Both the local end and remote end use the pre-shared key authentication method.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
local: Specifies the local identity authentication method.
remote: Specifies the remote identity authentication method.
pre-share: Uses the pre-shared key authentication method.
rsa-sig: Uses the RSA digital signature authentication method.
Usage guidelines
Two peers might use different identity authentication methods.
You can specify only one local identity authentication method but can specify multiple remote identity
authentication methods. When the device has multiple peers and the identity authentication methods
of the peers are unknown, use this command to configure multiple remote identity authentication
methods.
If you configure the RSA digital signature authentication method, you must use the pki domain command
in IKEv2 profile view to specify the PKI domain used to obtain the signature and digital certificate. If you
configure the pre-shared key authentication method, you must specify a pre-shared key for the peer in the
keyring referenced by the current IKEv2 profile.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Set the local and remote authentication methods to pre-shared key authentication and RSA digital
signature authentication respectively.
[Sysname-ikev2-profile-profile1] authentication local pre-share
[Sysname-ikev2-profile-profile1] authentication remote rsa-sig
Related commands
• display ikev2 profile
• pki domain (IKEv2 profile view)
• keyring
client configuration address respond
Use client configuration address respond to enable the device to accept the IP address allocation
requests from IKEv2 negotiation initiators.
Use undo client configuration address respond to restore the default.
Syntax
client configuration address respond
undo client configuration address respond
Default
The device does not accept the IP address allocation requests from initiators.
Views
IKEv2 profile view
Default command level
2: System level
Usage guidelines
In a scenario where remote users need to use IPsec VPN to access the enterprise network and the remote
hosts need temporary IP addresses for IPsec communication, the branch gateways must generate and
send address allocation requests to the headquarters gateway, and the headquarters gateway must
accept the requests.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Enable the device to accept the IP address allocation requests from IKEv2 negotiation initiators.
[Sysname-ikev2-profile-profile1] client configuration address respond
Related commands
• display ikev2 profile
• connect auto
connect auto
Use connect auto to enable the device to initiate IP address allocation requests when acting as an IKEv2
negotiation initiator.
Use undo connect auto to restore the default.
Syntax
connect auto
undo connect auto
Default
The device does not initiate IP address allocation requests when acting as an IKEv2 negotiation initiator.
Views
IKEv2 profile view
Default command level
2: System level
Usage guidelines
In a scenario where remote users need to use IPsec VPN to access the enterprise network and the remote
hosts need temporary IP addresses for IPsec communication, the branch gateways must generate and
send address allocation requests to the headquarters gateway, and the headquarters gateway must
accept the requests.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Enable the device to initiate IP address allocation requests when acting as an IKEv2 negotiation
initiator.
[Sysname-ikev2-profile-profile1] connect auto
Related commands
• display ikev2 profile
• client configuration address respond
Usage guidelines
With no parameter specified, the command displays the configuration information of all IKEv2 policies,
including all user-defined policies and the system predefined policy.
Examples
# Display the configuration information of all IKEv2 policies.
<Sysname> display ikev2 policy
IKEv2 policy : 1
Match local : 1.1.1.1
1:1::1:1
Proposal : 1
2
3
4
IKEv2 policy : default
Match local : any
Proposal : default
Field - Description
Match local - Local IP address for IKEv2 policy matching.
Related commands
• ikev2 policy
• proposal
• match address local
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
With no parameter specified, the command displays all IKEv2 profiles' configuration information.
Examples
# Display the configuration information of all IKEv2 profiles.
<Sysname> display ikev2 profile
IKEv2 profile : 1
Match : match address local 1.1.1.1
match address local interface Ethernet0/1/1
match address local ipv6 1:1::1:1
Identity : identity local address 1.1.1.1
identity local dn
identity local fqdn 11111111
Auth type : authentication local pre-share
authentication remote pre-share
Keyring : kering1
Sign domain : domain1
Verify domain : domain2
Lifetime : 500 seconds
DPD : enabled
Field - Description
Match - Criteria for IKEv2 profile matching.
Related commands
ikev2 profile (system view)
Parameters
proposal-name: Specifies the IKEv2 proposal name, a case-insensitive string of 1 to 32 characters.
default: Specifies the system predefined IKEv2 proposal default.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
With no parameter specified, the command displays all IKEv2 proposals' configuration information.
Examples
# Display the configuration information of all IKEv2 proposals.
<Sysname> display ikev2 proposal
IKEv2 proposal : 1
Encryption : 3DES-CBC
AES-CBC-128
AES-CTR-192
CAMELLIA-CBC-128
Integrity : MD5
SHA2-256
AES-XCBC
PRF : MD5
SHA2-256
AES-XCBC
DH Group : MODP768/Group 2
MODP768/Group 5
IKEv2 proposal : default
Encryption : AES-CBC-128
3DES-CBC
Integrity : SHA1
MD5
PRF : SHA1
MD5
DH Group : MODP768/Group 5
MODP768/Group 2
Related commands
• ikev2 proposal
• encryption
• integrity
• group
display ikev2 sa
Use display ikev2 sa to display the current IKEv2 SA information.
Syntax
display ikev2 sa [ { local | remote } { ipv4-address | ipv6 ipv6-address } ] [ verbose ] [ | { begin |
exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
local: Displays information about the IKEv2 SAs that use a specified local address.
remote: Displays information about the IKEv2 SAs that use a specified remote address.
ipv4-address: Specifies the local or remote IPv4 address.
ipv6 ipv6-address: Specifies the local or remote IPv6 address.
verbose: Displays detailed information. Without this keyword, the command displays the summary
information.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
With no parameter specified, the command displays the summary information of all IKEv2 SAs.
Examples
# Display the summary information of all IKEv2 SAs.
<Sysname> display ikev2 sa
total SAs: 1
connection-id peer flag
------------------------------------------------------------------------
1 1.1.1.2 RD|ST
flag meaning
RD--READY ST--STAYALIVE FD--FADING TO--TIMEOUT
-----------------------------------------------
connection id : 1
vpn-instance :
transmitting entity : initiator
local spi : 8f8af3dbf5023a00
remote spi : 0131565b9b3155fa
-----------------------------------------------
local ip : 1.1.1.1
local id type : ID_FQDN
local id : router_a
remote ip : 1.1.1.2
remote id type : ID_FQDN
remote id : router_b
authentication-method : PRE-SHARED-KEY
authentication-algorithm : HMAC_MD5
prf-algorithm : HMAC_MD5
encryption-algorithm : AES-CBC-192
local window : 1
remote window : 1
local req msg id : 2
remote req msg id : 2
local next msg id : 0
remote next msg id : 0
# Display brief information about the IKEv2 SAs with the remote address 1.1.1.2.
<Sysname> display ikev2 sa remote 1.1.1.2
total SAs: 1
connection-id peer flag
------------------------------------------------------------------------
1 1.1.1.2 RD|ST
flag meaning
RD--READY ST--STAYALIVE FD--FADING TO--TIMEOUT
Field - Description
connection-id - Connection ID of the IKEv2 SA.
remaining key duration(sec) - Remaining time of the IKEv2 SA in seconds.
local next msg id - Sequence number of the next message the local end is expecting.
remote next msg id - Sequence number of the next message the remote end is expecting.
Field - Description
Max IKEv2 SAs - Maximum number of IKEv2 SAs allowed to be established.
Max in nego - Maximum number of IKEv2 SAs that can be concurrently negotiated.
Related commands
reset ikev2 statistics
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
Related commands
• display ikev2 profile
• ikev2 dpd
encryption
Use encryption to specify encryption algorithms for an IKEv2 proposal.
Use undo encryption to restore the default.
Syntax
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 |
aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
undo encryption
Default
An IKEv2 proposal has no encryption algorithm.
Views
IKEv2 proposal view
Default command level
2: System level
Parameters
des-cbc: Uses the Data Encryption Standard (DES) in cipher block chaining (CBC) mode, which uses a
56-bit key.
3des-cbc: Uses the triple DES (3DES) in CBC mode, which uses a 168-bit key.
aes-cbc-128: Uses the Advanced Encryption Standard (AES) in CBC mode that uses a 128-bit key.
aes-cbc-192: Uses AES in CBC mode that uses a 192-bit key.
aes-cbc-256: Uses AES in CBC mode that uses a 256-bit key.
aes-ctr-128: Uses AES in counter (CTR) mode that uses a 128-bit key.
aes-ctr-192: Uses AES in CTR mode that uses a 192-bit key.
aes-ctr-256: Uses AES in CTR mode that uses a 256-bit key.
camellia-cbc-128: Uses Camellia in CBC mode that uses a 128-bit key.
camellia-cbc-192: Uses Camellia in CBC mode that uses a 192-bit key.
camellia-cbc-256: Uses Camellia in CBC mode that uses a 256-bit key.
Usage guidelines
A stronger algorithm provides higher security but requires more resources. The algorithms, in ascending
order of security strength, include DES, 3DES, 128-bit AES-CBC, 192-bit AES-CBC, 256-bit AES-CBC.
You can specify multiple encryption algorithms for an IKEv2 proposal. An algorithm specified earlier has
a higher priority.
IMPORTANT:
You must specify at least one encryption algorithm for an IKEv2 proposal. Otherwise, the proposal is
incomplete and useless.
Examples
# Create an IKEv2 proposal named prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
# Specify the encryption algorithms AES-CBC-192 and 3DES for the proposal, with AES-CBC-192
preferred.
[Sysname-ikev2-proposal-prop1] encryption aes-cbc-192 3des-cbc
Related commands
• ikev2 proposal
• display ikev2 proposal
You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher
priority.
IMPORTANT:
You must specify at least one DH group for an IKEv2 proposal. Otherwise, the proposal is incomplete and
useless.
Examples
# Create an IKEv2 proposal named prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
# Specify the DH groups 5 and 2 for the proposal, with group 5 preferred.
[Sysname-ikev2-proposal-prop1] group 5 2
Related commands
• ikev2 proposal
• display ikev2 proposal
hostname
Use hostname to configure the host name of the peer. When working as an IKEv2 negotiation initiator,
the local end uses this information to identify a peer.
Use undo hostname to delete the host name.
Syntax
hostname host-name
undo hostname host-name
Default
An IKEv2 peer has no host name.
Views
IKEv2 peer view
Default command level
2: System level
Parameters
host-name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 255 characters.
Usage guidelines
This host name is only used to search for a peer during an IKEv2 negotiation that is intended for
implementing ACL-based IPsec.
Examples
# Create an IKEv2 keyring named keyr1.
<Sysname> system-view
[Sysname] ikev2 keyring keyr1
# Create an IKEv2 peer named peer1 and enter IKEv2 peer view.
[Sysname-ikev2-keyring-keyr1] peer peer1
# Configure the host name test for the peer.
[Sysname-ikev2-keyring-keyr1-peer-peer1] hostname test
Related commands
peer (IKEv2 keyring view)
identity local
Use identity local to configure the local identity information. The device uses this information as its own
ID during the IKE_AUTH exchange.
Use undo identity local to delete the local identity information.
Syntax
identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name
| key-id key-id }
undo identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn
fqdn-name | key-id key-id }
Default
No local identity information is configured.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IP address as the local ID.
dn: Uses the distinguished name (DN) as the local ID.
email email-string: Uses an email address as the local ID. The email-string argument is a case-sensitive
string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].
fqdn fqdn-name: Uses a FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1
to 255 characters, such as www.test.com.
key-id key-id: Uses the local gateway's key ID as the local ID. The key-id argument is a case-sensitive
string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of
identification.
Usage guidelines
You can use this command repeatedly to configure multiple local IDs.
With the RSA digital signature authentication method, you can configure any type of identity information.
With the pre-shared key authentication method, you cannot configure a DN as the identity information.
The local identity information configured on an initiator by this command must match the remote identity
information configured on the responder by using the match identity remote command, which the
responder uses to search for an IKEv2 profile.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2
Related commands
display ikev2 profile
# Configure an IPv6 address pool named ipv6pool, and set the start address and end address to 1:1::1:1
and 1:1::1:2.
<Sysname> system-view
[Sysname] ikev2 ipv6-pool ipv6pool 1:1::1:1 1:1::1:2
Related commands
client configuration address respond
ikev2 cookie-challenge
Use ikev2 cookie-challenge to enable the cookie challenging function and set the maximum number of
half-open IKE SAs. This function protects an IKEv2 responder against DoS attacks that use a large
number of source IP addresses to forge IKE_SA_INIT requests. When the number of half-open IKE SAs
reaches the configured threshold, the responder generates a cookie and puts the cookie in the response
sent to the initiator. Only when the initiator sends a new IKE_SA_INIT request that carries the correct
cookie does the responder consider the initiator valid and proceed with the negotiation.
Use undo ikev2 cookie-challenge to disable the cookie challenging function.
Syntax
ikev2 cookie-challenge number
undo ikev2 cookie-challenge
Default
The cookie challenging function is disabled.
Views
System view
Default command level
2: System level
Parameters
number: Specifies the threshold for triggering the cookie challenging mechanism, in the range of 1 to
1000.
Examples
# Enable the cookie challenging function and set the threshold to 450.
<Sysname> system-view
[Sysname] ikev2 cookie-challenge 450
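The responder-side behaviour described above, as an added example that is not Comware code: below the threshold every IKE_SA_INIT request gets half-open state, at or above it the responder keeps no state and returns a cookie that the initiator must echo. The cookie construction (an HMAC over the initiator SPI, nonce and source address under a responder secret) follows RFC 7296's suggestion and is an assumption about the device; the flood scenario is constructed.

```python
"""Cookie challenge on an IKEv2 responder (added example, not Comware code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SaInitRequest:
    src_ip: str                      # source address as seen by the responder
    spi_i: bytes                     # initiator SPI, 8 bytes
    nonce_i: bytes                   # initiator nonce
    cookie: Optional[bytes] = None   # COOKIE notification echoed on a retry


class CookieChallengeResponder:
    def __init__(self, threshold: int, secret: Optional[bytes] = None):
        # The number argument of ikev2 cookie-challenge is in the range 1 to 1000.
        if not 1 <= threshold <= 1000:
            raise ValueError("threshold must be in the range 1 to 1000")
        self.threshold = threshold
        self.secret = secret if secret is not None else os.urandom(32)
        # Half-open IKE SAs: state created at IKE_SA_INIT, still awaiting IKE_AUTH.
        self.half_open: Dict[bytes, str] = {}

    def _cookie_for(self, req: SaInitRequest) -> bytes:
        # Stateless: recomputable from the retry itself, so nothing is stored per request.
        msg = req.spi_i + req.nonce_i + req.src_ip.encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def handle_sa_init(self, req: SaInitRequest) -> Tuple[str, Optional[bytes]]:
        """Return ("COOKIE", cookie) when challenging, else ("SA_INIT_RESPONSE", None)."""
        if len(self.half_open) >= self.threshold:
            expected = self._cookie_for(req)
            if req.cookie is None or not hmac.compare_digest(req.cookie, expected):
                # No state is allocated for an unproven source address.
                return ("COOKIE", expected)
        # Below the threshold, or the cookie proved the initiator reachable.
        self.half_open[req.spi_i] = req.src_ip
        return ("SA_INIT_RESPONSE", None)

    def complete_ike_auth(self, spi_i: bytes) -> None:
        # IKE_AUTH succeeded: the SA is established and no longer half-open.
        self.half_open.pop(spi_i, None)


def simulate(threshold: int, spoofed_requests: int) -> dict:
    """Constructed scenario: IKE_SA_INIT requests from many addresses that never
    continue, then one legitimate initiator that retries with the cookie it receives."""
    resp = CookieChallengeResponder(threshold, secret=b"constructed-secret")
    challenged = 0
    for i in range(spoofed_requests):
        req = SaInitRequest(src_ip=f"198.51.100.{i % 254 + 1}",
                            spi_i=i.to_bytes(8, "big"),
                            nonce_i=bytes([i % 256]) * 16)
        if resp.handle_sa_init(req)[0] == "COOKIE":
            challenged += 1
    half_open_after_flood = len(resp.half_open)   # capped at the threshold

    legit = SaInitRequest(src_ip="203.0.113.7", spi_i=b"\xaa" * 8, nonce_i=b"\x01" * 16)
    status, cookie = resp.handle_sa_init(legit)
    if status == "COOKIE":
        legit.cookie = cookie          # a real initiator can echo the cookie
        status, _ = resp.handle_sa_init(legit)
    return {"half_open_after_flood": half_open_after_flood,
            "challenged": challenged,
            "legit_status": status}


if __name__ == "__main__":
    print(simulate(threshold=450, spoofed_requests=1000))
```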
ikev2 dpd
Use ikev2 dpd to configure the IKEv2 DPD function.
Use undo ikev2 dpd to disable the IKEv2 DPD function.
Syntax
ikev2 dpd interval { on-demand | periodic }
undo ikev2 dpd
Default
IKEv2 DPD is disabled.
Views
System view
Default command level
2: System level
Parameters
interval: Specifies the IKEv2 DPD interval in seconds, in the range of 1 to 300.
on-demand: Specifies DPD in on-demand mode.
periodic: Specifies DPD in periodic mode.
Usage guidelines
In on-demand mode, the DPD function works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received
from the peer.
2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer to detect its liveliness.
In periodic mode, the DPD function sends DPD hellos to the peer at the specified interval to detect the
liveliness of the peer.
Examples
# Configure on-demand IKEv2 DPD and set the interval to 15 seconds.
<Sysname> system-view
[Sysname] ikev2 dpd 15 on-demand
ikev2 keyring
Use ikev2 keyring to create an IKEv2 keyring and enter IKEv2 keyring view, where you can create IKEv2
peers, configure their hostnames, IP addresses, or IDs, and specify the pre-shared keys.
Use undo ikev2 keyring to delete an IKEv2 keyring and its IKEv2 peers.
Syntax
ikev2 keyring keyring-name
undo ikev2 keyring keyring-name
Default
No IKEv2 keyring exists.
Views
System view
Default command level
2: System level
Parameters
keyring-name: Specifies the IKEv2 keyring name, a case-insensitive string of 1 to 32 characters. It can
consist of only English letters and digits.
Usage guidelines
For the device to work as an initiator, you must configure the peer's host name, host IP address, or
address range. For the device to work as a responder, you must configure the peer's host IP address,
address range, or ID.
Examples
# Create an IKEv2 keyring named keyr1.
<Sysname> system-view
[Sysname] ikev2 keyring keyr1
# Create a peer named peer1 for the keyring, configure the IP address range 3.3.3.0/24 as the identity
information of the peer, and set the pre-shared key to abcdef.
[Sysname-ikev2-keyring-keyr1] peer peer1
[Sysname-ikev2-keyring-keyr1-peer-peer1] address 3.3.3.0 255.255.255.0
[Sysname-ikev2-keyring-keyr1-peer-peer1] pre-shared-key abcdef
# Create a peer named peer2 for the keyring, configure the host IP address 3.3.3.3 as the identity
information of the peer, and set the pre-shared key to 123456.
[Sysname-ikev2-keyring-keyr1] peer peer2
[Sysname-ikev2-keyring-keyr1-peer-peer2] address 3.3.3.3 255.255.255.255
[Sysname-ikev2-keyring-keyr1-peer-peer2] pre-shared-key 123456
With the previous configuration, when the device searches for a peer, it uses the IP address 3.3.3.3 as
the matching criterion, and will first find a fuzzy match (peer1) and then find an exact match (peer2) and
use the key 123456.
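The peer lookup just described, as an added example (not Comware code): keyr1 is rebuilt with peer1 covering 3.3.3.0/24 and peer2 the host 3.3.3.3, and a lookup for 3.3.3.3 records the fuzzy match first, the exact match second, and uses peer2's key. The tie-break applied here (host entry over range, longer mask over shorter) is an assumption that reproduces the page's outcome.

```python
"""Peer lookup in an IKEv2 keyring (added example, not Comware code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Peer:
    name: str
    network: Optional[ipaddress.IPv4Network] = None   # from: address ip mask
    hostname: Optional[str] = None                    # from: hostname
    identity: Optional[str] = None                    # from: identity
    pre_shared_key: Optional[str] = None              # from: pre-shared-key

    def is_exact(self) -> bool:
        # A /32 entry identifies one host; anything shorter is a range (fuzzy match).
        return self.network is not None and self.network.prefixlen == 32


class Keyring:
    def __init__(self, name: str):
        self.name = name
        self.peers: List[Peer] = []          # kept in configuration order

    def peer(self, name: str, psk: str, address: Optional[str] = None,
             mask: Optional[str] = None, hostname: Optional[str] = None,
             identity: Optional[str] = None) -> Peer:
        net = None
        if address is not None:
            # "address 3.3.3.0 255.255.255.0" becomes the network 3.3.3.0/24.
            net = ipaddress.IPv4Network(f"{address}/{mask or '255.255.255.255'}", strict=False)
        p = Peer(name, net, hostname, identity, psk)
        self.peers.append(p)
        return p

    def lookup_by_address(self, ip: str) -> Tuple[List[str], Optional[Peer]]:
        """Return (names of all peers matched, in configuration order; chosen peer)."""
        addr = ipaddress.IPv4Address(ip)
        matched = [p for p in self.peers if p.network is not None and addr in p.network]
        if not matched:
            return [], None
        # Most specific entry wins: an exact host entry beats any range,
        # and among ranges the longest mask beats shorter ones.
        chosen = max(matched, key=lambda p: p.network.prefixlen)
        return [p.name for p in matched], chosen

    def lookup_by_hostname(self, hostname: str) -> Optional[Peer]:
        # Used by an initiator doing ACL-based IPsec (see the hostname command).
        return next((p for p in self.peers if p.hostname == hostname), None)


def build_keyr1() -> Keyring:
    """The keyring configured in the page's example."""
    kr = Keyring("keyr1")
    kr.peer("peer1", "abcdef", address="3.3.3.0", mask="255.255.255.0")
    kr.peer("peer2", "123456", address="3.3.3.3", mask="255.255.255.255")
    return kr


if __name__ == "__main__":
    names, chosen = build_keyr1().lookup_by_address("3.3.3.3")
    print(names, chosen.name, chosen.pre_shared_key)   # ['peer1', 'peer2'] peer2 123456
```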
Related commands
• peer (IKEv2 keyring view)
• address
• hostname
• identity
ikev2 limit
Use ikev2 limit to set the maximum number of half-open IKEv2 SAs and the maximum number of
established IKEv2 SAs.
Use undo ikev2 limit to restore the defaults.
Syntax
ikev2 limit { max-in-negotiation-sa | max-sa } limit
undo ikev2 limit { max-in-negotiation-sa | max-sa }
Default
The maximum number of half-open IKEv2 SAs is 1000, and the maximum number of established IKEv2
SAs is 10000.
Views
System view
Default command level
2: System level
Parameters
max-in-negotiation-sa limit: Specifies the maximum number of half-open IKEv2 SAs, in the range of 1 to
2000. IKEv2 SAs being rekeyed are not counted in the number.
max-sa limit: Specifies the maximum number of established IKEv2 SAs at the local end, in the range of
100 to 20000. Rekeyed IKEv2 SAs are not counted in the number if the old ones are already counted.
Examples
# Set the maximum number of half-open IKEv2 SAs to 100.
<Sysname> system-view
[Sysname] ikev2 limit max-in-negotiation-sa 100
ikev2 policy
Use ikev2 policy to create an IKEv2 policy and enter IKEv2 policy view.
Use undo ikev2 policy to delete an IKEv2 policy.
Syntax
ikev2 policy policy-name
undo ikev2 policy policy-name
Default
The device has a system predefined IKEv2 policy named default. This policy uses the default IKEv2
proposal and matches any local address.
Views
System view
Default command level
2: System level
Parameters
policy-name: Specifies the IKEv2 policy name, a case-insensitive string of 1 to 32 characters. The name
cannot be default.
Usage guidelines
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address
of the local security gateway as the matching criterion. An IKEv2 policy uses IKEv2 proposals to indicate
the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups to be used for
negotiation.
An IKEv2 policy must have at least one IKEv2 proposal to be complete.
An IKEv2 policy might have multiple IKEv2 proposals and multiple local IP addresses for policy
matching.
An IKEv2 policy with no local IP address configured for policy matching matches any local IP addresses.
Between two IKEv2 policies with the same configuration, the one configured earlier has a higher priority.
When IKEv2 policies are matched according to local IP address, an IKEv2 policy with a local address
configured takes precedence over an IKEv2 policy with no local address configured.
If no IKEv2 policy is configured, IKEv2 uses the system predefined IKEv2 policy default.
Examples
# Create an IKEv2 policy named prop1, assign IKEv2 proposal prop1 to it, and specify the local address
2.2.2.2 for it.
<Sysname> system-view
[Sysname] ikev2 policy prop1
[Sysname-ikev2-policy-prop1] proposal prop1
[Sysname-ikev2-policy-prop1] match address local 2.2.2.2
With this configuration, when the local end negotiates an IKEv2 SA for 2.2.2.2, it uses the IKEv2
proposal specified in IKEv2 policy prop1.
# Create an IKEv2 policy named policy1, assign IKEv2 proposal prop1 to it, and specify the local
address 3.3.3.3 for it.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1] proposal prop1
[Sysname-ikev2-policy-policy1] match address local 3.3.3.3
# Create an IKEv2 policy named policy2, assign IKEv2 proposal prop2 to it, and specify the local
address 3.3.3.3 for it.
[Sysname] ikev2 policy policy2
[Sysname-ikev2-policy-policy2] proposal prop2
[Sysname-ikev2-policy-policy2] match address local 3.3.3.3
With the previous configuration, when the local end negotiates an IKEv2 SA for 3.3.3.3, it uses the IKEv2
proposal specified in IKEv2 policy policy1.
Related commands
• display ikev2 policy
• proposal
• match address pool
Views
System view
Default command level
2: System level
Parameters
profile-name: Specifies the IKEv2 profile name, a case-insensitive string of 1 to 32 characters.
Examples
# Create an IKEv2 profile named profile1, and enter its view.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1]
Related commands
• display ikev2 profile
• authentication
• identity local
• keyring
• match
ikev2 proposal
Use ikev2 proposal to create an IKEv2 proposal and enter IKEv2 proposal view. An IKEv2 proposal
includes security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms,
integrity protection algorithms, pseudo-random function (PRF) algorithms, and DH groups.
Use undo ikev2 proposal to delete an IKEv2 proposal.
Syntax
ikev2 proposal proposal-name
undo ikev2 proposal proposal-name
Views
System view
Default command level
2: System level
Parameters
proposal-name: Specifies the IKEv2 proposal name, a case-insensitive string of 1 to 32 characters. The
name cannot be default.
Usage guidelines
The device has a system predefined IKEv2 proposal named default. This proposal has the lowest priority
and uses these settings:
• Encryption algorithms DES-CBC-128 and 3DES
• Integrity protection algorithms SHA1 and MD5
• PRF algorithms SHA1 and MD5
• DH groups 2 and 5
A complete IKEv2 proposal must have at least one set of security parameters, including one encryption
algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
In an IKEv2 proposal, you can configure multiple algorithms of the same type. As a result, you get
multiple sets of security parameters, which are combinations of the algorithms. If you want to use only
one set of security parameters, configure only one set of algorithms for the IKEv2 proposal.
Examples
# Configure an IKEv2 proposal named prop1 that includes the encryption algorithm AES-CBC-128,
integrity protection algorithm SHA1, PRF algorithm SHA1, and DH group 2.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
[Sysname-ikev2-proposal-prop1] encryption aes-cbc-128
[Sysname-ikev2-proposal-prop1] integrity sha1
[Sysname-ikev2-proposal-prop1] prf sha1
[Sysname-ikev2-proposal-prop1] group 2
# Configure an IKEv2 proposal named prop2 that includes the encryption algorithms AES-CBC-128 and
3DES-CBC, integrity protection algorithms SHA1 and MD5, PRF algorithms SHA1 and MD5, and DH
group 2.
<Sysname> system-view
[Sysname] ikev2 proposal prop2
[Sysname-ikev2-proposal-prop2] encryption aes-cbc-128 3des-cbc
[Sysname-ikev2-proposal-prop2] integrity sha1 md5
[Sysname-ikev2-proposal-prop2] prf sha1 md5
[Sysname-ikev2-proposal-prop2] group 2
After the previous configuration, IKEv2 proposal prop2 has the following sets of security parameters
(encryption algorithm, integrity protection algorithm, PRF algorithm, and DH group, from left to right):
• AES-CBC-128, SHA1, SHA1, 2
• AES-CBC-128, MD5, MD5, 2
• 3DES-CBC, SHA1, SHA1, 2
• 3DES-CBC, MD5, MD5, 2
• AES-CBC-128, SHA1, MD5, 2
• AES-CBC-128, MD5, SHA1, 2
• 3DES-CBC, SHA1, MD5, 2
• 3DES-CBC, MD5, SHA1, 2
# On the intended IKEv2 negotiation initiator, configure an IKEv2 proposal named propa that includes
the encryption algorithms AES-CBC-128 and 3DES-CBC, integrity protection algorithms SHA1 and MD5,
PRF algorithms SHA1 and MD5, and DH groups 2 and 5.
<Sysname> system-view
[Sysname] ikev2 proposal propa
[Sysname-ikev2-proposal-propa] encryption aes-cbc-128 3des-cbc
[Sysname-ikev2-proposal-propa] integrity sha1 md5
[Sysname-ikev2-proposal-propa] prf sha1 md5
[Sysname-ikev2-proposal-propa] group 2 5
# On the intended IKEv2 negotiation responder, configure an IKEv2 proposal named propb that includes
the encryption algorithms AES-CBC-128 and 3DES, integrity protection algorithms MD5 and SHA1, PRF
algorithms MD5 and SHA1, and DH groups 5 and 2.
<Sysname> system-view
[Sysname] ikev2 proposal propb
[Sysname-ikev2-proposal-propb] encryption 3des-cbc aes-cbc-128
[Sysname-ikev2-proposal-propb] integrity md5 sha1
[Sysname-ikev2-proposal-propb] prf md5 sha1
[Sysname-ikev2-proposal-propb] group 5 2
Because the initiator's parameters are preferred, the negotiated algorithms are as follows:
• Encryption algorithm AES-CBC-128
• Integrity protection algorithm SHA1
• PRF algorithm SHA1
• DH group 2
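An added example (not Comware code) covering both the policy-selection rules under ikev2 policy and the proposal behaviour shown above: every combination of a proposal's algorithms is one offered set, the initiator's ordering decides which common set is negotiated, and a policy whose local address matches beats a wildcard one, earlier configuration winning ties. Proposals prop1, prop2, propa and propb and the three policies are the page's own; the stand-in content of the predefined default proposal and all selection code are assumptions.

```python
"""IKEv2 policy selection and proposal negotiation (added example, not Comware code)."""
from dataclasses import dataclass, field
from itertools import product
from typing import List, Optional, Tuple

ParamSet = Tuple[str, str, str, int]   # encryption, integrity, PRF, DH group


@dataclass
class Proposal:
    name: str
    encryption: List[str]
    integrity: List[str]
    prf: List[str]
    group: List[int]

    def parameter_sets(self) -> List[ParamSet]:
        # Every combination of the configured algorithms is one set. The order
        # follows the configured order of each type, so the first set is preferred.
        return list(product(self.encryption, self.integrity, self.prf, self.group))


@dataclass
class Policy:
    name: str
    proposals: List[Proposal]                      # earlier proposal = higher priority
    local_addresses: List[str] = field(default_factory=list)   # empty = any address


def select_policy(policies: List[Policy], local_ip: str) -> Optional[Policy]:
    """policies is in configuration order, with the predefined 'default' policy last."""
    best: Optional[Tuple[Tuple[int, int], Policy]] = None
    for idx, pol in enumerate(policies):
        if pol.local_addresses and local_ip not in pol.local_addresses:
            continue                               # scoped to other gateway addresses
        # Rank: explicit local-address match outranks a wildcard policy,
        # then earlier configuration (smaller idx) outranks later.
        rank = (1 if pol.local_addresses else 0, -idx)
        if best is None or rank > best[0]:
            best = (rank, pol)
    return best[1] if best else None


def negotiate(initiator: Proposal, responder: Proposal) -> Optional[ParamSet]:
    """First set in the initiator's preference order that the responder also offers."""
    offered = set(responder.parameter_sets())
    for candidate in initiator.parameter_sets():
        if candidate in offered:
            return candidate
    return None


def negotiate_for(local_ip: str, policies: List[Policy], peer: Proposal) -> Optional[ParamSet]:
    """Responder side: pick the policy for the local gateway address, then try its
    proposals in priority order against the initiator's offer."""
    pol = select_policy(policies, local_ip)
    if pol is None:
        return None
    for own in pol.proposals:
        chosen = negotiate(peer, own)
        if chosen is not None:
            return chosen
    return None


# The page's proposals.
PROP1 = Proposal("prop1", ["aes-cbc-128"], ["sha1"], ["sha1"], [2])
PROP2 = Proposal("prop2", ["aes-cbc-128", "3des-cbc"], ["sha1", "md5"], ["sha1", "md5"], [2])
PROPA = Proposal("propa", ["aes-cbc-128", "3des-cbc"], ["sha1", "md5"], ["sha1", "md5"], [2, 5])
PROPB = Proposal("propb", ["3des-cbc", "aes-cbc-128"], ["md5", "sha1"], ["md5", "sha1"], [5, 2])
# Constructed stand-in for the predefined proposal (3DES half only); see ikev2 proposal.
DEFAULT_PROPOSAL = Proposal("default", ["3des-cbc"], ["sha1", "md5"], ["sha1", "md5"], [2, 5])

# The page's policies in configuration order, then the predefined policy.
POLICIES = [
    Policy("prop1", [PROP1], ["2.2.2.2"]),
    Policy("policy1", [PROP1], ["3.3.3.3"]),
    Policy("policy2", [PROP2], ["3.3.3.3"]),
    Policy("default", [DEFAULT_PROPOSAL]),
]

if __name__ == "__main__":
    print(len(PROP2.parameter_sets()), "sets in prop2")         # 8
    print(negotiate(PROPA, PROPB))        # ('aes-cbc-128', 'sha1', 'sha1', 2)
    print(select_policy(POLICIES, "3.3.3.3").name)              # policy1
```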
Related commands
• display ikev2 proposal
• encryption
• integrity
• prf
• group
integrity
Use integrity to specify integrity protection algorithms for an IKEv2 proposal.
Use undo integrity to restore the default.
Syntax
integrity { aes-xcbc-mac | md5 | sha1 | sha2-256 } *
undo integrity
Default
An IKEv2 proposal has no integrity protection algorithm.
Views
IKEv2 proposal view
Default command level
2: System level
Parameters
aes-xcbc-mac: Uses the AES-XCBC-MAC algorithm.
md5: Uses the MD5 algorithm.
sha1: Uses the SHA1 algorithm.
sha2-256: Uses the SHA2-256 algorithm.
Usage guidelines
You can specify multiple integrity protection algorithms for an IKEv2 proposal. An algorithm specified
earlier has a higher priority.
IMPORTANT:
You must specify at least one integrity protection algorithm for an IKEv2 proposal. Otherwise, the
proposal is incomplete and useless.
Examples
# Create an IKEv2 proposal named prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
# Specify the integrity protection algorithms MD5 and SHA1 for the proposal, with MD5 preferred.
[Sysname-ikev2-proposal-prop1] integrity md5 sha1
Related commands
display ikev2 proposal
ip-mask
Use ip-mask to specify a mask length for the local IPv4 address pool.
Use undo ip-mask to restore the default.
Syntax
ip-mask mask-length
undo ip-mask
Default
The mask length of a local IPv4 address pool referenced by an IKEv2 profile is 32.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
mask-length: Specifies the mask length for the IPv4 addresses in the local IPv4 address pool, in the range
of 0 to 32.
Examples
# Set the mask length of the IPv4 address pool referenced by IKEv2 profile profile1 to 28.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] ip-mask 28
Related commands
• ikev2 ip-pool
• ip-pool
ip-pool
Use ip-pool to specify an IPv4 address pool for an IKEv2 profile.
Use undo ip-pool to remove the configuration.
Syntax
ip-pool pool-name
undo ip-pool
Default
An IKEv2 profile references no address pool.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
pool-name: Specifies the IPv4 address pool name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If the peer sends IPv4 address allocation requests and the local end accepts address allocation requests,
the local end assigns an available IPv4 address from the profile's IPv4 address pool to the peer and sends
the address to the peer in an IKE response packet.
Examples
# Configure IKEv2 profile profile1 to use IPv4 address pool ipv4pool.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] ip-pool ipv4pool
Related commands
• ikev2 ip-pool
• ip-mask
ipv6-mask
Use ipv6-mask to specify a prefix length for the local IPv6 address pool.
Use undo ipv6-mask to restore the default.
Syntax
ipv6-mask prefix-length
undo ipv6-mask
Default
The prefix length of a local IPv6 address pool referenced by an IKEv2 profile is 128.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
prefix-length: Specifies the prefix length for the IPv6 addresses in the local IPv6 address pool, in the
range of 0 to 128.
Examples
# Set the prefix length of the IPv6 address pool referenced by IKEv2 profile profile1 to 64.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] ipv6-mask 64
Related commands
• ikev2 ipv6-pool
• ipv6-pool
ipv6-pool
Use ipv6-pool to specify an IPv6 address pool for an IKEv2 profile.
Use undo ipv6-pool to remove the configuration.
Syntax
ipv6-pool pool-name
undo ipv6-pool
Default
An IKEv2 profile references no address pool.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
pool-name: Specifies the IPv6 address pool name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If the peer sends IPv6 address allocation requests and the local end accepts address allocation requests,
the local end assigns an available IPv6 address from the profile's IPv6 address pool to the peer and sends
the address to the peer in an IKE response packet.
Examples
# Configure IKEv2 profile profile1 to use IPv6 address pool ipv6pool.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] ipv6-pool ipv6pool
Related commands
• ikev2 ipv6-pool
• ipv6-mask
keyring
Use keyring to specify an IKEv2 keyring for an IKEv2 profile.
Use undo keyring to remove the configuration.
Syntax
keyring keyring-name
undo keyring
Default
An IKEv2 profile references no keyring.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
keyring-name: Specifies the name of an existing IKEv2 keyring, a case-insensitive string of 1 to 32
characters. It can consist of only English letters and digits.
Usage guidelines
When either or both peers use the pre-shared key authentication method, the IKEv2 profile must
reference and can only reference one keyring.
Different IKEv2 profiles can share the same IKEv2 keyring.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
Related commands
• display ikev2 profile
• ikev2 keyring
lifetime
Use lifetime to set the IKEv2 SA lifetime.
Use undo lifetime to restore the default.
Syntax
lifetime seconds
undo lifetime
Default
The IKEv2 SA lifetime is 86400 seconds.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.
Usage guidelines
An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot of
negotiation time. However, the longer the lifetime, the higher the possibility that attackers collect
enough information to launch attacks.
Two peers might have different IKEv2 SA lifetime settings, and they do not perform lifetime negotiation.
The end with a shorter lifetime always initiates the rekeying request.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
Related commands
display ikev2 profile
match
Use match to configure an IKEv2 profile matching criterion.
Use undo match to delete an IKEv2 profile matching criterion.
Syntax
match { address local { ipv4-address | interface interface-type interface-number | ipv6 ipv6-address } |
certificate access-control-policy string | identity remote { address { ipv4-address [ mask-length ] | ipv6
ipv6-address [ prefix-length ] } | email email-string | fqdn fqdn-name | key-id key-id } }
undo match { address local { ipv4-address | interface interface-type interface-number | ipv6
ipv6-address } | certificate access-control-policy string | identity remote { { address ipv4-address
[ mask-length ] | ipv6 ipv6-address [ prefix-length ] } | email email-string | fqdn fqdn-name | key-id
key-id } }
Default
No IKEv2 profile matching criterion is configured.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
address local: Uses the local identity information for IKEv2 profile matching. A responder using the RSA
digital signature authentication method uses its local identity information to search for an IKEv2 profile
and to initiate the certificate request. When the device works as a responder and uses the RSA digital
signature authentication method, you must specify this keyword and the interface or IP address you
specified for this keyword must be the interface to which the IPsec policy is applied, or the primary
address of the interface.
• ipv4-address: Specifies a local IPv4 address.
• ipv6-address: Specifies a local IPv6 address.
• interface interface-type interface-number: Specifies a local interface.
certificate access-control-policy string: Uses a certificate access control policy and the subject name in
the initiator's digital certificate for IKEv2 profile matching. A match is found when the subject name meets
the certificate access control policy. The string argument is a string of 1 to 32 characters. For more
information about the certificate and certificate access control policy, see the Security Configuration
Guide.
identity remote: Uses the remote identity information for IKEv2 profile matching. A responder uses the
configured remote identity information to search for an IKEv2 profile. A match is found when the identity
information configured on the initiator by using the identity local command meets this matching criterion.
• address ipv4-address [ mask-length ]: Specifies a remote IPv4 address or address range. The mask
length is in the range of 1 to 32.
• ipv6 ipv6-address [ prefix-length ]: Specifies a remote IPv6 address or address range. The prefix
length is in the range of 0 to 128.
• email email-string: Specifies a remote email address, a case-sensitive string of 1 to 255 characters
in the format defined by RFC 822, such as [email protected].
• fqdn fqdn-name: Specifies a remote FQDN, a case-sensitive string of 1 to 255 characters, such as
www.test.com.
• key-id key-id: Specifies a remote key ID, a case-sensitive string of 1 to 255 characters. It is usually
a vendor-specific string for doing proprietary types of identification.
Usage guidelines
This configuration is only required on an IKEv2 negotiation responder. A responder uses its IKEv2 profile
matching criteria to search for an IKEv2 profile. The initiator does not require this configuration; it uses
the IKEv2 profile specified in the IPsec policy.
You can specify multiple matching criteria for an IKEv2 profile. Criteria of the same type are ORed,
whereas those of different types are ANDed. A match must meet one criterion of each specified type.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
With this configuration, a match must use the local IP address 3.3.3.3 or 4.4.4.4, and the remote
FQDN www.test.com.
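The matching rule from the usage guidelines (criteria of one type ORed, different types ANDed), as an added example that is not Comware code: profile1 carries the criteria the closing sentence describes, local address 3.3.3.3 or 4.4.4.4 and remote FQDN www.test.com. The match commands that would configure them are assumed, since the page does not show them, and certificate access control policies are not modelled.

```python
"""IKEv2 profile matching on a responder (added example, not Comware code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

RemoteId = Tuple[str, str]   # (kind, value): kind is address, ipv6, email, fqdn or key-id


class IKEv2Profile:
    def __init__(self, name: str):
        self.name = name
        # criterion type -> configured values; values of one type are ORed
        self.criteria: Dict[str, list] = {}

    def match_address_local(self, ip: str) -> None:
        # match address local ipv4-address | ipv6 ipv6-address
        self.criteria.setdefault("address local", []).append(ipaddress.ip_address(ip))

    def match_identity_remote(self, kind: str, value: str, length: Optional[int] = None) -> None:
        if kind in ("address", "ipv6"):
            # address ipv4-address [ mask-length ] / ipv6 ipv6-address [ prefix-length ]
            addr = ipaddress.ip_address(value)
            plen = length if length is not None else addr.max_prefixlen
            net = ipaddress.ip_network(f"{value}/{plen}", strict=False)
            self.criteria.setdefault("identity remote", []).append(("address", net))
        elif kind in ("email", "fqdn", "key-id"):
            # email, FQDN and key ID are case-sensitive strings on the page
            self.criteria.setdefault("identity remote", []).append((kind, value))
        else:
            raise ValueError(f"unknown identity kind {kind}")

    @staticmethod
    def _identity_hit(configured, remote: RemoteId) -> bool:
        kind, value = remote
        ckind, cvalue = configured
        if ckind == "address":
            if kind not in ("address", "ipv6"):
                return False
            return ipaddress.ip_address(value) in cvalue   # False across IP versions
        return ckind == kind and cvalue == value

    def matches(self, local_ip: str, remote: RemoteId) -> bool:
        for ctype, values in self.criteria.items():
            if ctype == "address local":
                hit = ipaddress.ip_address(local_ip) in values
            elif ctype == "identity remote":
                hit = any(self._identity_hit(c, remote) for c in values)
            else:
                hit = False
            if not hit:            # every configured type needs one hit (AND)
                return False
        return True


def find_profile(profiles: List[IKEv2Profile], local_ip: str,
                 remote: RemoteId) -> Optional[IKEv2Profile]:
    """First profile, in configuration order, whose criteria the negotiation satisfies.
    Profiles without criteria are skipped: they belong to an initiator, which picks
    its profile through the IPsec policy instead."""
    for p in profiles:
        if p.criteria and p.matches(local_ip, remote):
            return p
    return None


def build_profile1() -> IKEv2Profile:
    p = IKEv2Profile("profile1")
    p.match_address_local("3.3.3.3")                  # assumed: match address local 3.3.3.3
    p.match_address_local("4.4.4.4")                  # assumed: match address local 4.4.4.4
    p.match_identity_remote("fqdn", "www.test.com")   # assumed: match identity remote fqdn www.test.com
    return p


if __name__ == "__main__":
    p = build_profile1()
    print(p.matches("3.3.3.3", ("fqdn", "www.test.com")))   # True
    print(p.matches("5.5.5.5", ("fqdn", "www.test.com")))   # False
```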
Related commands
• display ikev2 profile
• identity local
Related commands
display ikev2 policy
nat keepalive
Use nat keepalive to set the IKEv2 NAT keepalive interval.
Use undo nat keepalive to restore the default.
Syntax
nat keepalive seconds
undo nat keepalive
Default
The IKEv2 NAT keepalive interval is 10 seconds.
Views
IKEv2 profile view
Default command level
2: System level
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.
Usage guidelines
When a NAT gateway exists between two IKEv2 peers, each end using a private address periodically
sends NAT keepalive packets to the other end to prevent its NAT entry from being aged out.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
Related commands
display ikev2 profile
Examples
# Create an IKEv2 keyring named keyr1.
<Sysname> system-view
[Sysname] ikev2 keyring keyr1
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Use PKI domain pki-local for certificate signing and PKI domain pki-remote for certificate
authentication.
Related commands
• display ikev2 profile
• authentication
• pki domain
# Use the plaintext pre-shared key 111-key for both certificate signing and certificate
authentication.
[Sysname-ikev2-keyring-keyr1-peer-peer1] pre-shared-key simple 111-key
[Sysname-ikev2-keyring-keyr1-peer-peer1] quit
# Create an IKEv2 peer named peer2.
[Sysname-ikev2-keyring-keyr1] peer peer2
# Use the plaintext pre-shared key 111-key-a for certificate signing and 111-key-b for certificate
authentication.
[Sysname-ikev2-keyring-keyr1-peer-peer2] pre-shared-key local simple 111-key-a
[Sysname-ikev2-keyring-keyr1-peer-peer2] pre-shared-key remote simple 111-key-b
• On a responder:
# Create an IKEv2 keyring named telecom.
<Sysname> system-view
[Sysname] ikev2 keyring telecom
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keyring-telecom] peer peer1
# Use the plaintext pre-shared key 111-key for both certificate signing and certificate
authentication.
[Sysname-ikev2-keyring-telecom-peer-peer1] pre-shared-key simple 111-key
[Sysname-ikev2-keyring-telecom-peer-peer1] quit
# Create an IKEv2 peer named peer2.
[Sysname-ikev2-keyring-telecom] peer peer2
# Use the plaintext pre-shared key 111-key-b for certificate signing and 111-key-a for certificate
authentication.
[Sysname-ikev2-keyring-telecom-peer-peer2] pre-shared-key local simple 111-key-b
[Sysname-ikev2-keyring-telecom-peer-peer2] pre-shared-key remote simple 111-key-a
Related commands
peer (IKEv2 keyring view)
Parameters
aes-xcbc-mac: Uses the AES-XCBC algorithm.
md5: Uses the MD5 algorithm.
sha1: Uses the SHA1 algorithm.
sha2-256: Uses the SHA2-256 algorithm.
Usage guidelines
You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a
higher priority.
IMPORTANT:
You must specify at least one PRF algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete
and useless.
Examples
# Create an IKEv2 proposal named prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
# Specify the PRF algorithms SHA1 and MD5 for the proposal, with SHA1 preferred.
[Sysname-ikev2-proposal-prop1] prf sha1 md5
Related commands
display ikev2 proposal
You can specify up to six IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher
priority.
With no argument specified, the undo proposal command removes all IKEv2 proposal references.
Examples
# Specify IKEv2 proposals proposal1 and proposal2 for IKEv2 policy policy1, with proposal1 preferred.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1] proposal proposal1 proposal2
Related commands
display ikev2 policy
reset ikev2 sa
Use reset ikev2 sa to delete IKE SAs and the IPsec SAs negotiated by them.
Syntax
reset ikev2 sa [ { local-address | remote-address } { ipv4-address | ipv6 ipv6-address } ]
Views
User view
Default command level
2: System level
Parameters
remote-address: Deletes the IKEv2 SAs that use a specified remote address.
local-address: Deletes the IKEv2 SAs that use a specified local address.
ipv4-address: Specifies the local or remote IPv4 address.
ipv6 ipv6-address: Specifies the local or remote IPv6 address.
Usage guidelines
With no parameter specified, the command deletes all IKEv2 SAs and the IPsec SAs negotiated by them.
Examples
# Delete the IKEv2 SAs with the local address 1.1.1.1 and the IPsec SAs negotiated by them.
<Sysname> reset ikev2 sa local-address 1.1.1.1
# Delete the IKEv2 SAs with the remote address 1.1.1.1 and the IPsec SAs negotiated by them.
<Sysname> reset ikev2 sa remote-address 1.1.1.1
# Delete all IKEv2 SAs and the IPsec SAs negotiated by them.
<Sysname> reset ikev2 sa
Related commands
display ikev2 sa
Syntax
reset ikev2 statistics
Views
User view
Default command level
2: System level
Examples
# Reset IKEv2 negotiation statistics.
<Sysname> reset ikev2 statistics
Related commands
display ikev2 statistics
PKI configuration commands
Hardware    PKI compatible
MSR93X      No
MSR20-1X    No
MSR20       Yes
MSR50       Yes
MSR1000     Yes
attribute
Use attribute to configure the attribute rules of the certificate issuer name, certificate subject name and
alternative certificate subject name.
Use undo attribute to delete the attribute rules of one or all certificates.
Syntax
attribute id { alt-subject-name { fqdn | ip } | { issuer-name | subject-name } { dn | fqdn | ip } } { ctn |
equ | nctn | nequ } attribute-value
undo attribute { id | all }
Default
No restriction exists on the issuer name, subject name, and alternative subject name of a certificate.
Views
Certificate attribute group view
Default command level
2: System level
Parameters
id: Specifies a sequence number for the attribute rule, in the range of 1 to 16.
alt-subject-name: Specifies the name of the alternative certificate subject.
fqdn: Specifies the FQDN of the entity.
ip: Specifies the IP address of the entity.
issuer-name: Specifies the name of the certificate issuer.
subject-name: Specifies the name of the certificate subject.
dn: Specifies the distinguished name of the entity.
ctn: Specifies the contain operation.
equ: Specifies the equal operation.
nctn: Specifies the not-contain operation.
nequ: Specifies the not-equal operation.
attribute-value: Sets an attribute value for the rule, a case-insensitive string of 1 to 128 characters.
all: Specifies all certificate attributes.
Usage guidelines
The attribute of the alternative certificate subject name does not appear as a distinguished name, and
therefore the dn keyword is not available for the attribute.
Examples
# Create a certificate attribute rule, specifying that the DN in the subject name includes the string of abc.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup] attribute 1 subject-name dn ctn abc
# Create a certificate attribute rule, specifying that the FQDN in the issuer name cannot be the string of
abc.
[Sysname-pki-cert-attribute-group-mygroup] attribute 2 issuer-name fqdn nequ abc
# Create a certificate attribute rule, specifying that the IP address in the alternative subject name cannot
be 10.0.0.1.
[Sysname-pki-cert-attribute-group-mygroup] attribute 3 alt-subject-name ip nequ 10.0.0.1
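The attribute rules above, evaluated in code as an added example (not Comware code): mygroup is the page's three-rule example, applied to constructed certificates with the four operations ctn, equ, nctn and nequ compared case-insensitively. Assumed, since the page does not say: a certificate matches the group only when every rule holds, for multi-valued alternative subject names a positive operation needs one value to satisfy it while a negative one needs all, and a rule on an absent field holds only for the negative operations.

```python
"""Certificate attribute rules of a certificate attribute group (added example, not Comware code)."""
from dataclasses import dataclass
from typing import Dict, List

OPERATIONS = {
    "ctn": lambda actual, want: want in actual,        # contain
    "equ": lambda actual, want: actual == want,        # equal
    "nctn": lambda actual, want: want not in actual,   # not-contain
    "nequ": lambda actual, want: actual != want,       # not-equal
}
NEGATIVE = {"nctn", "nequ"}


@dataclass
class AttributeRule:
    id: int
    attribute: str     # issuer-name | subject-name | alt-subject-name
    name_type: str     # dn | fqdn | ip
    operation: str     # ctn | equ | nctn | nequ
    value: str         # attribute-value, case-insensitive, 1 to 128 characters

    def __post_init__(self):
        if not 1 <= self.id <= 16:
            raise ValueError("id is in the range 1 to 16")
        if self.attribute not in ("issuer-name", "subject-name", "alt-subject-name"):
            raise ValueError("unknown attribute")
        if self.name_type not in ("dn", "fqdn", "ip"):
            raise ValueError("unknown name type")
        # The alternative subject name is not a distinguished name, so dn is unavailable.
        if self.attribute == "alt-subject-name" and self.name_type == "dn":
            raise ValueError("dn is not available for alt-subject-name")
        if self.operation not in OPERATIONS:
            raise ValueError("unknown operation")
        if not 1 <= len(self.value) <= 128:
            raise ValueError("attribute-value is 1 to 128 characters")


@dataclass
class Certificate:
    """Constructed stand-in holding just the fields a rule can examine."""
    issuer: Dict[str, str]              # name type -> value
    subject: Dict[str, str]
    alt_subject: Dict[str, List[str]]   # fqdn / ip -> subject alternative names


class CertificateAttributeGroup:
    def __init__(self, name: str):
        self.name = name
        self.rules: Dict[int, AttributeRule] = {}

    def attribute(self, rule: AttributeRule) -> None:
        self.rules[rule.id] = rule          # re-using an id replaces the earlier rule

    def undo_attribute(self, rule_id: int = None) -> None:
        if rule_id is None:
            self.rules.clear()              # undo attribute all
        else:
            self.rules.pop(rule_id, None)   # undo attribute id

    @staticmethod
    def _values(cert: Certificate, rule: AttributeRule) -> List[str]:
        if rule.attribute == "alt-subject-name":
            return list(cert.alt_subject.get(rule.name_type, []))
        src = cert.issuer if rule.attribute == "issuer-name" else cert.subject
        v = src.get(rule.name_type)
        return [v] if v is not None else []

    def rule_holds(self, rule: AttributeRule, cert: Certificate) -> bool:
        op = OPERATIONS[rule.operation]
        want = rule.value.lower()
        actual = [v.lower() for v in self._values(cert, rule)]
        if not actual:
            return rule.operation in NEGATIVE
        if rule.operation in NEGATIVE:
            return all(op(a, want) for a in actual)
        return any(op(a, want) for a in actual)

    def matches(self, cert: Certificate) -> bool:
        return all(self.rule_holds(r, cert) for r in self.rules.values())


def build_mygroup() -> CertificateAttributeGroup:
    """The page's example group with its three attribute rules."""
    g = CertificateAttributeGroup("mygroup")
    g.attribute(AttributeRule(1, "subject-name", "dn", "ctn", "abc"))
    g.attribute(AttributeRule(2, "issuer-name", "fqdn", "nequ", "abc"))
    g.attribute(AttributeRule(3, "alt-subject-name", "ip", "nequ", "10.0.0.1"))
    return g


if __name__ == "__main__":
    cert = Certificate({"fqdn": "ca.example.test"}, {"dn": "CN=ABC-router,O=Test"},
                       {"ip": ["10.0.0.2"]})
    print(build_mygroup().matches(cert))   # True
```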
ca identifier
Use ca identifier to specify the trusted CA and bind the device with the CA.
Use undo ca identifier to remove the configuration.
Syntax
ca identifier name
undo ca identifier
Default
No trusted CA is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
name: Specifies the name of the trusted CA, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Certificate request, retrieval, revocation, and query depend on the trusted CA.
Examples
# Specify the trusted CA as new-ca.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ca identifier new-ca
Related commands
pki entity
Views
PKI domain view
Default command level
2: System level
Parameters
ca: Specifies the CA to accept certificate requests.
ra: Specifies the RA to accept certificate requests.
Examples
# Specify that the entity requests a certificate from the CA.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request from ca
password: Specifies the password string. This argument is case sensitive. If simple is specified, it must be
a string of 1 to 31 characters. If cipher is specified, it must be a ciphertext string of 1 to 73 characters.
manual: Specifies the certificate request mode as manual.
Usage guidelines
In auto request mode, an entity automatically requests a certificate from a CA if the entity does not have
a local certificate. If the num-days argument is specified, the entity automatically requests a new
certificate the specified number of days before the current certificate expires. In manual request mode, all
operations associated with certificate request are performed manually.
If the before-expire keyword is specified but the regenerate keyword is not specified, an entity uses the
old RSA key pair for certificate renewal request.
If both the before-expire and regenerate keywords are specified, an entity generates a new RSA key pair
each time it submits a certificate renewal request. The new RSA key pair overwrites the old one, which
might interrupt other services that are using the old RSA key pair. Therefore, HP recommends that you use
the public-key rsa general name command to designate a specific RSA key pair for this purpose.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Specify to request a certificate in auto mode.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request mode auto
Related commands
pki request-certificate
Usage guidelines
After an applicant makes a certificate request, the CA might need a long period of time if it verifies the
certificate request manually. During this period, the applicant needs to query the status of the request
periodically to get the certificate as soon as possible after the certificate is signed.
Examples
# Specify the polling interval as 15 minutes and the maximum number of attempts as 40.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] certificate request polling interval 15
[Sysname-pki-domain-1] certificate request polling count 40
Related commands
display pki certificate
common-name
Use common-name to configure the common name of an entity, which can be, for example, the user
name.
Use undo common-name to remove the configuration.
Syntax
common-name name
undo common-name
Default
No common name is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
name: Specifies a common name, a case-insensitive string of 1 to 31 characters. No comma can be
included.
Examples
# Configure the common name of an entity as test.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] common-name test
country
Use country to specify the code of the country to which an entity belongs. It is a standard 2-character
code, for example, CN for China.
Use undo country to remove the configuration.
Syntax
country country-code-str
undo country
Default
No country code is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
country-code-str: Specifies a country code, a case-sensitive string of two characters.
Examples
# Set the country code of an entity to CN.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] country CN
crl check
Use crl check to enable or disable CRL checking.
Syntax
crl check { disable | enable }
Default
CRL checking is enabled.
Views
PKI domain view
Default command level
2: System level
Parameters
disable: Disables CRL checking.
enable: Enables CRL checking.
Usage guidelines
CRLs are files issued by the CA to publish all certificates that have been revoked. Revocation of a
certificate might occur before the certificate expires. CRL checking is intended for checking whether a
certificate has been revoked. A revoked certificate is no longer trusted.
Examples
# Disable CRL checking.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl check disable
crl update-period
Use crl update-period to set the CRL update period, that is, the interval at which a PKI entity with a
certificate downloads the latest CRL from the LDAP server.
Use undo crl update-period to restore the default.
Syntax
crl update-period hours
undo crl update-period
Default
The CRL update period depends on the next update field in the CRL file.
Views
PKI domain view
Default command level
2: System level
Parameters
hours: Specifies the CRL update period in hours, in the range of 1 to 720.
Examples
# Set the CRL update period to 20 hours.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl update-period 20
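The crl check and crl update-period commands together decide what a revocation check does and when the device fetches a fresh CRL. The Python below is added here as an example and is not Comware code: it parses a CRL in the layout of the display pki crl output and applies both rules. The sample CRL text, its serial numbers and its dates are constructed; the 1 to 720 hour range is the one the crl update-period command accepts.

```python
"""Revocation check and CRL refresh decision, modelled on crl check and crl update-period.

Added example, not Comware code. A certificate whose serial number appears in
the CRL is treated as revoked. The CRL is due for refresh when the configured
update period has elapsed since Last Update, or, when no period is configured,
when the CRL's own Next Update time is reached (the command's default).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the display pki crl output; the serial
# numbers and dates are made up for this example.
SAMPLE_CRL_TEXT = """\
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
Revoked Certificates:
Serial Number: 05A234448E
Revocation Date: Jan 4 12:33:22 2004 GMT
Serial Number: 05A278445E
Revocation Date: Jan 5 07:10:00 2004 GMT
"""


def parse_crl_time(text):
    """Parse a timestamp such as 'Jan 5 08:44:19 2004 GMT' as an aware UTC datetime."""
    stamp = text.strip()
    if stamp.endswith(" GMT"):
        stamp = stamp[:-4]
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_crl(text):
    """Return {'last_update', 'next_update', 'revoked': {serial: revocation_date}}."""
    crl = {"last_update": None, "next_update": None, "revoked": {}}
    pending_serial = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Last Update":
            crl["last_update"] = parse_crl_time(value)
        elif key == "Next Update":
            crl["next_update"] = parse_crl_time(value)
        elif key == "Serial Number":
            pending_serial = value.upper()  # serials compare case-insensitively
        elif key == "Revocation Date" and pending_serial is not None:
            crl["revoked"][pending_serial] = parse_crl_time(value)
            pending_serial = None
    if crl["last_update"] is None or crl["next_update"] is None:
        raise ValueError("CRL is missing Last Update or Next Update")
    return crl


def crl_refresh_due(crl, now, update_period_hours=None):
    """True when a fresh CRL should be downloaded, following crl update-period."""
    if update_period_hours is not None:
        if not 1 <= update_period_hours <= 720:  # range accepted by the command
            raise ValueError("update period must be 1 to 720 hours")
        return now >= crl["last_update"] + timedelta(hours=update_period_hours)
    # Default: the update period follows the Next Update field of the CRL.
    return now >= crl["next_update"]


def certificate_status(crl, serial, crl_check_enabled=True):
    """'revoked', 'good', or 'unchecked' when crl check disable is configured."""
    if not crl_check_enabled:
        return "unchecked"
    return "revoked" if serial.upper() in crl["revoked"] else "good"


if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL_TEXT)
    now = parse_crl_time("Jan 5 10:00:00 2004 GMT")
    print(certificate_status(crl, "05a234448e"))          # revoked
    print(crl_refresh_due(crl, now))                      # False (before Next Update)
    print(crl_refresh_due(crl, now, update_period_hours=1))  # True (1 h after Last Update)
```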
crl url
Use crl url to specify the URL of the CRL distribution point.
Use undo crl url to remove the configuration.
Syntax
crl url url-string
undo crl url
Default
No CRL distribution point URL is specified.
Views
PKI domain view
Default command level
2: System level
Parameters
url-string: Specifies the URL of the CRL distribution point, a case-insensitive string of 1 to 125 characters
in the format of ldap://server_location or http://server_location, where server_location must be an IP
address or a domain name.
Usage guidelines
When the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local
certificate, and then acquire a CRL through SCEP.
Examples
# Specify the URL of the CRL distribution point.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] crl url ldap://169.254.0.30
Default command level
1: Monitor level
Parameters
ca: Displays the CA certificate.
local: Displays the local certificate.
domain-name: Specifies the name of a PKI domain, a string of 1 to 15 characters.
request-status: Displays the status of a certificate request.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the local certificate.
<Sysname> display pki certificate local domain 1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
10B7D4E3 00010000 0086
Issuer:
[email protected]
C=CN
ST=Country A
L=City X
O=abc
OU=bjs
CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2004 GMT
Not After : Jan 20 09:07:21 2005 GMT
Subject:
C=CN
ST=Country B
L=City Y
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.xxyyzz.net
X509v3 CRL Distribution Points:
URI:http://1.1.1.1:447/myca.crl
… …
Field | Description
Version | Version of the certificate.
Related commands
• certificate request polling
• pki domain
• pki retrieval-certificate
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about the certificate access control policy named mypolicy.
<Sysname> display pki certificate access-control-policy mypolicy
access-control-policy name: mypolicy
rule 1 deny mygroup1
rule 2 permit mygroup2
Field | Description
access-control-policy | Name of the certificate access control policy.
Table 39 Command output
Field | Description
attribute group name | Name of the certificate attribute group.
dn | DN of the entity.
CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions:…
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions:…
Field | Description
Version | Version of the CRL.
X509v3 Authority Key Identifier | CA issuing the CRLs. The certificate version is X.509 v3.
Related commands
• pki domain
• pki retrieval-crl
fqdn
Use fqdn to configure the FQDN of an entity.
Use undo fqdn to remove the configuration.
Syntax
fqdn name-str
undo fqdn
Default
No FQDN is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
name-str: Specifies an FQDN, a case-insensitive string of 1 to 127 characters.
Usage guidelines
An FQDN is the unique identifier of an entity on a network. It consists of a host name and a domain
name and can be resolved into an IP address.
Examples
# Configure the FQDN of an entity as pki.domain-name.com.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] fqdn pki.domain-name.com
ldap-server
Use ldap-server to specify an LDAP server for a PKI domain.
Use undo ldap-server to remove the configuration.
Syntax
ldap-server ip ip-address [ port port-number ] [ version version-number ]
undo ldap-server
Default
No LDAP server is specified for a PKI domain.
Views
PKI domain view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of an LDAP server in dotted decimal format.
port-number: Specifies the port number of an LDAP server. The value range is 1 to 65535, and the default
is 389.
version-number: Specifies the LDAP version number, either 2 or 3. The default is 2.
Examples
# Specify an LDAP server for PKI domain 1.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] ldap-server ip 169.254.0.30
locality
Use locality to configure the geographical locality of an entity, which can be, for example, a city name.
Use undo locality to remove the configuration.
Syntax
locality locality-name
undo locality
Default
No geographical locality is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
locality-name: Specifies a locality, a case-insensitive string of 1 to 31 characters. No comma can be
included.
Examples
# Configure the locality of an entity as city.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] locality city
organization
Use organization to configure the name of the organization to which the entity belongs.
Use undo organization to remove the configuration.
Syntax
organization org-name
undo organization
Default
No organization name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-name: Specifies an organization name, a case-insensitive string of 1 to 31 characters. No comma
can be included.
Examples
# Configure the name of the organization to which an entity belongs as test-lab.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization test-lab
organization-unit
Use organization-unit to specify the name of the organization unit to which this entity belongs.
Use undo organization-unit to remove the configuration.
Syntax
organization-unit org-unit-name
undo organization-unit
Default
No organization unit name is specified for an entity.
Views
PKI entity view
Default command level
2: System level
Parameters
org-unit-name: Specifies an organization unit name for identifying a department or a unit in an
organization, a case-insensitive string of 1 to 31 characters. No comma can be included.
Examples
# Configure the name of the organization unit to which an entity belongs as group1.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] organization-unit group1
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a group name, a case-insensitive string of 1 to 16 characters. It cannot be a, al,
or all.
all: Specifies all certificate attribute groups.
Examples
# Create a certificate attribute group named mygroup and enter its view.
<Sysname> system-view
[Sysname] pki certificate attribute-group mygroup
[Sysname-pki-cert-attribute-group-mygroup]
pki delete-certificate
Use pki delete-certificate to delete the certificate locally stored for a PKI domain.
Syntax
pki delete-certificate { ca | local } domain domain-name
Views
System view
Default command level
2: System level
Parameters
ca: Deletes the locally stored CA certificate.
local: Deletes the locally stored local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
Examples
# Delete the local certificate for PKI domain cer.
<Sysname> system-view
[Sysname] pki delete-certificate local domain cer
pki domain
Use pki domain to create a PKI domain and enter PKI domain view or enter the view of an existing PKI
domain.
Use undo pki domain to remove a PKI domain.
Syntax
pki domain domain-name
undo pki domain domain-name
Default
No PKI domain exists.
Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can create up to 32 PKI domains on a device.
Examples
# Create a PKI domain and enter its view.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1]
pki entity
Use pki entity to create a PKI entity and enter its view.
Use undo pki entity to remove a PKI entity.
Syntax
pki entity entity-name
undo pki entity entity-name
Default
No entity exists.
Views
System view
Default command level
2: System level
Parameters
entity-name: Specifies the name of a PKI entity, a case-insensitive string of 1 to 15 characters.
Usage guidelines
You can configure a variety of attributes for an entity in PKI entity view. An entity is intended only for
convenience of reference by other commands.
Examples
# Create a PKI entity named en and enter its view.
<Sysname> system-view
[Sysname] pki entity en
[Sysname-pki-entity-en]
pki import-certificate
Use pki import-certificate to import a CA certificate or local certificate from a file and save it locally.
Syntax
pki import-certificate { ca | local } domain domain-name { der | p12 | pem } [ filename filename ]
Views
System view
Default command level
2: System level
Parameters
ca: Specifies the CA certificate.
local: Specifies the local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
der: Specifies the certificate format of DER.
p12: Specifies the certificate format of P12.
pem: Specifies the certificate format of PEM.
filename filename: Specifies the name of the certificate file to import, a case-insensitive string of 1 to 127
characters. If no file is specified, the system uses the default file name that was used when the certificate
was retrieved, that is, domain-name_ca.cer or domain-name_local.cer.
Usage guidelines
In FIPS mode, MD5 certificates cannot be imported.
Examples
# Import the CA certificate for PKI domain cer in the format of PEM.
<Sysname> system-view
[Sysname] pki import-certificate ca domain cer pem
Related commands
pki domain
Views
System view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
password: Specifies the password for certificate revocation, a case-sensitive string of 1 to 31 characters.
pkcs10: Displays the BASE64-encoded PKCS#10 certificate request information, which can be used to
request a certificate by out-of-band means such as phone, disk, or email.
filename filename: Specifies the name of the local file for saving the PKCS#10 certificate request, a
case-insensitive string of 1 to 127 characters.
Usage guidelines
This operation will not be saved in the configuration file.
Examples
# Display the PKCS#10 certificate request information.
<Sysname> system-view
[Sysname] pki request-certificate domain 1 pkcs10
-----BEGIN CERTIFICATE REQUEST-----
MIIBTDCBtgIBADANMQswCQYDVQQDEwJqajCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
gYkCgYEAw5Drj8ofs9THA4ezkDcQPBy8pvH1kumampPsJmx8sGG52NFtbrDTnTT5
ALx3LJijB3d/ndKpcHT/DfbJVDCn5gdw32tBZyCkEwMHZN3ol2z7Nvdu5TED6iN8
4m+hfp1QWoV6lty3o9pxAXuQl8peUDcfN6WV3LBXYyl1WCtkLkECAwEAAaAAMA0G
CSqGSIb3DQEBBAUAA4GBAA8E7BaIdmT6NVCZgv/I/1tqZH3TS4e4H9Qo5NiCKiEw
R8owVmA0XVtGMbyqBNcDTG0f5NbHrXZQT5+MbFJOnm5K/mn1ro5TJKMTKV46PlCZ
JUjsugaY02GBY0BVcylpC9iIXLuXNIqjh1MBIqVsa1lQOHS7YMvnop6hXAQlkM4c
-----END CERTIFICATE REQUEST-----
Related commands
pki domain
pki retrieval-certificate
Use pki retrieval-certificate to retrieve a certificate from the server for certificate distribution.
Syntax
pki retrieval-certificate { ca | local } domain domain-name
Views
System view
Default command level
2: System level
Parameters
ca: Retrieves the CA certificate.
local: Retrieves the local certificate.
domain-name: Specifies a PKI domain by its name.
Usage guidelines
The retrieved certificates are stored in the root directory of the device, with the file name as
domain-name_ca.cer or domain-name_local.cer according to the certificate type.
Examples
# Retrieve the CA certificate from the certificate issuing server.
<Sysname> system-view
[Sysname] pki retrieval-certificate ca domain 1
Related commands
pki domain
pki validate-certificate
Use pki validate-certificate to verify the validity of a certificate.
Syntax
pki validate-certificate { ca | local } domain domain-name
Views
System view
Default command level
2: System level
Parameters
ca: Verifies the CA certificate.
local: Verifies the local certificate.
domain-name: Specifies a PKI domain by its name, a string of 1 to 15 characters.
Usage guidelines
Certificate validity verification checks that the certificate is signed by the CA and that the certificate has
neither expired nor been revoked.
Examples
# Verify the validity of the local certificate.
<Sysname> system-view
[Sysname] pki validate-certificate local domain 1
Related commands
pki domain
root-certificate fingerprint
Use root-certificate fingerprint to configure the fingerprint to be used for verifying the validity of the CA
root certificate.
Use undo root-certificate fingerprint to remove the configuration.
Syntax
root-certificate fingerprint { md5 | sha1 } string
undo root-certificate fingerprint
Default
No fingerprint is configured for verifying the validity of the CA root certificate.
Views
PKI domain view
Default command level
2: System level
Parameters
md5: Uses an MD5 fingerprint.
sha1: Uses a SHA1 fingerprint.
string: Specifies the fingerprint to be used. An MD5 fingerprint must be a string of 32 characters in
hexadecimal. A SHA1 fingerprint must be a string of 40 characters in hexadecimal.
Examples
# Configure an MD5 fingerprint for verifying the validity of the CA root certificate.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] root-certificate fingerprint md5
12EF53FA355CD23E12EF53FA355CD23E
# Configure a SHA1 fingerprint for verifying the validity of the CA root certificate.
[Sysname-pki-domain-1] root-certificate fingerprint sha1
D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
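A root certificate fingerprint is the MD5 or SHA-1 hash of the CA certificate's DER encoding, so the device can only accept a configured string that is well formed for the chosen algorithm and identical to the hash it computes. The Python below is an added example, not HP's implementation: the certificate bytes are a constructed stand-in, and the code applies the 32/40 hexadecimal character rule stated above before comparing.

```python
"""Verify a CA root certificate against a configured root-certificate fingerprint.

Added example, not Comware code. The fingerprint is the hash of the DER
encoding of the certificate; the device compares the hash of the CA
certificate it obtained with the configured string and rejects the CA on a
mismatch.
"""
import hashlib
import hmac

# Hex length the command accepts for each algorithm (32 for md5, 40 for sha1).
# md5 is kept only because the command offers it; the reference notes that MD5
# certificates cannot be imported in FIPS mode, so sha1 is the better choice.
FINGERPRINT_HEX_LENGTH = {"md5": 32, "sha1": 40}

# Constructed stand-in for a DER-encoded CA certificate. Only the hash of the
# encoding matters for a fingerprint check, so any bytes serve the demonstration.
SAMPLE_ROOT_CERT_DER = b"constructed stand-in for the CA root certificate DER bytes"


def validate_fingerprint_string(algorithm, fingerprint):
    """Accept only what root-certificate fingerprint accepts: the right hex length."""
    expected = FINGERPRINT_HEX_LENGTH.get(algorithm)
    if expected is None or len(fingerprint) != expected:
        return False
    try:
        bytes.fromhex(fingerprint)
    except ValueError:
        return False
    return True


def certificate_fingerprint(cert_der, algorithm):
    """Upper-case hex fingerprint of the DER certificate for 'md5' or 'sha1'."""
    if algorithm not in FINGERPRINT_HEX_LENGTH:
        raise ValueError("fingerprint algorithm must be md5 or sha1")
    return hashlib.new(algorithm, cert_der).hexdigest().upper()


def verify_root_certificate(cert_der, algorithm, configured_fingerprint):
    """True only if the configured string is well formed and matches the certificate.

    The comparison is done on the decoded bytes with a constant-time compare,
    so the letter case of the configured hex digits does not matter.
    """
    if not validate_fingerprint_string(algorithm, configured_fingerprint):
        return False
    actual = bytes.fromhex(certificate_fingerprint(cert_der, algorithm))
    return hmac.compare_digest(actual, bytes.fromhex(configured_fingerprint))


if __name__ == "__main__":
    configured = certificate_fingerprint(SAMPLE_ROOT_CERT_DER, "sha1")
    print("sha1 fingerprint:", configured)
    print("match:", verify_root_certificate(SAMPLE_ROOT_CERT_DER, "sha1", configured))
```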
state
Use state to specify the name of the state or province where an entity resides.
Use undo state to remove the configuration.
Syntax
state state-name
undo state
Default
No state or province is specified.
Views
PKI entity view
Default command level
2: System level
Parameters
state-name: Specifies a state name or a province name, a case-insensitive string of 1 to 31 characters.
No comma can be included.
Examples
# Specify the state where an entity resides.
<Sysname> system-view
[Sysname] pki entity 1
[Sysname-pki-entity-1] state country
Public key configuration commands
MSR93X No.
MSR20-1X No.
MSR20 Yes.
MSR50 Yes.
MSR1000 Yes.
=====================================================
Time of Key pair created: 19:59:16 2007/10/25
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100BC4C392A97734A633BA0F1DB01F
84EB51228EC86ADE1DBA597E0D9066FDC4F04776CEA3610D2578341F5D049143656F1287502C06D39D39F
28F0F5CBA630DA8CD1C16ECE8A7A65282F2407E8757E7937DCCDB5DB620CD1F471401B711713970234844
4A2D8900497A87B8D5F13D61C4DEFA3D14A7DC07624791FC1D226F62DF30203010001
=====================================================
Time of Key pair created: 19:59:17 2007/10/25
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
# Display the public key information of the local DSA key pair.
<Sysname> display public-key local dsa public
=====================================================
Time of Key pair created: 20:00:16 2007/10/25
Key name: HOST_KEY
Key type: DSA Encryption Key
=====================================================
Key code:
308201B83082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F061C4F
0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274DA9F75BA26
CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76EEBC1D128D97F067
8D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C737EC8EE993B4F2DED30
F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF931
33E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC
717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1585
DA7F42519718CC9B09EEF0381850002818100CCF1F78E0860BE937FD3CA07D2F2A1B66E74E5D1E16693EB
374D677A7A6124EBABD59FE48796C56F3FF919F999AEB97D1F2B83D9B98AC09BC1F72E80DBE337CB29989
A23378EB21C38EE083F11ED6DC8D4DBE001BA85450CEA071C2A471C83761E4CF32C174B418612CDD597B4
41F0CAA05DC01CB93A0ABB247C06FBA4C79054
Field | Description
Time of Key pair created | Date and time when the local asymmetric key pair was created.
Key name | Key name: HOST_KEY—Host public key; SERVER_KEY—Server public key (this value is available only for RSA key pairs).
Key type | Key type: RSA Encryption Key—RSA key pair; DSA Encryption Key—DSA key pair.
Key code | Public key data.
Related commands
public-key local create
Field | Description
Key Name | Name of the public key.
# Display brief information about all locally saved peer public keys.
<Sysname> display public-key peer brief
Type Module Name
---------------------------
RSA 1024 idrsa
DSA 1024 10.1.1.1
Field | Description
Type | Key type: RSA or DSA.
Related commands
• public-key peer
• public-key peer import sshkey
peer-public-key end
Use peer-public-key end to return from public key view to system view.
Syntax
peer-public-key end
Views
Public key view
Default command level
2: System level
Related commands
public-key peer
Examples
# Exit public key view.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] peer-public-key end
[Sysname]
public-key-code begin
Use public-key-code begin to enter public key code view. Then, enter the key data in the correct format
to specify the peer public key. Spaces and carriage returns are allowed between characters, but are not
saved.
Syntax
public-key-code begin
Views
Public key view
Default command level
2: System level
Usage guidelines
If the peer device is an HP device, enter the key data as displayed by the display public-key local public
command on that device, so that the key is in the required format.
Examples
# Enter public key code view and input the key.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] public-key-code begin
[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC
8014F82515F6335A0A
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D164
3135877E13B1C531B4
[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6
B80EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1
DDE675AC30CB020301
[Sysname-pkey-key-code]0001
Related commands
• public-key peer
• public-key-code end
public-key-code end
Use public-key-code end to return from public key code view to public key view and to save the
configured public key.
Syntax
public-key-code end
Views
Public key code view
Default command level
2: System level
Usage guidelines
The system verifies the key before saving it. If the key is not in the correct format, the system discards the
key and displays an error message. If the key is valid, the system saves the key.
Examples
# Exit public key code view and save the configured public key.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] public-key-code begin
[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC
8014F82515F6335A0A
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D164
3135877E13B1C531B4
[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6
B80EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1
DDE675AC30CB020301
[Sysname-pkey-key-code]0001
[Sysname-pkey-key-code] public-key-code end
[Sysname-pkey-public-key]
Related commands
• public-key peer
• public-key-code begin
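The public-key-code begin and public-key-code end commands together accept hex key data with arbitrary whitespace and discard data that is not in the correct format. The Python below is added as an example and is not Comware code: it strips the whitespace, parses the key data as a DER SubjectPublicKeyInfo for an RSA key, and reports the modulus size and exponent, using the key code from the example above as input. The exact checks the device performs are not documented here, so treating "correct format" as a well-formed DER public key is an assumption of this example.

```python
"""Validate peer public key data entered in public key code view.

Added example, not Comware code. The device tolerates spaces and line breaks
between hex characters and discards a key that is not in the correct format;
the format assumed here is a DER SubjectPublicKeyInfo for rsaEncryption.
"""
import re

# rsaEncryption OID 1.2.840.113549.1.1.1 in DER encoding.
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")

# Key code from the public-key-code begin example above with the prompts
# stripped; the line breaks are kept on purpose to show that they are ignored.
EXAMPLE_KEY_CODE = """
30819F300D06092A864886F70D010101050003818D0030818902818100C0EC
8014F82515F6335A0A
EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D164
3135877E13B1C531B4
FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6
B80EB5F52698FCF3D6
1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1
DDE675AC30CB020301
0001
"""


class KeyCodeError(ValueError):
    """Raised when the entered key data cannot be accepted."""


def normalize_key_code(text):
    """Drop all whitespace (as the device does) and decode the hex digits."""
    compact = re.sub(r"\s+", "", text)
    if not compact or len(compact) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", compact):
        raise KeyCodeError("key code must be an even number of hex digits")
    return bytes.fromhex(compact)


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag and length at pos; return (value_start, value_end)."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise KeyCodeError(f"expected tag 0x{expected_tag:02X} at offset {pos}")
    pos += 1
    if pos >= len(buf):
        raise KeyCodeError("truncated length field")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: 0x8N followed by N length bytes
        count = first & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise KeyCodeError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise KeyCodeError("value runs past the end of the key data")
    return pos, pos + length


def parse_rsa_public_key(der):
    """Return (modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo."""
    start, end = _read_tlv(der, 0, 0x30)                  # SubjectPublicKeyInfo
    if end != len(der):
        raise KeyCodeError("trailing data after the key")
    alg_start, alg_end = _read_tlv(der, start, 0x30)      # AlgorithmIdentifier
    oid_start, oid_end = _read_tlv(der, alg_start, 0x06)
    if der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise KeyCodeError("algorithm is not rsaEncryption")
    bits_start, bits_end = _read_tlv(der, alg_end, 0x03)  # BIT STRING
    if bits_end != end or bits_end == bits_start or der[bits_start] != 0:
        raise KeyCodeError("malformed subjectPublicKey BIT STRING")
    rsa_start, rsa_end = _read_tlv(der, bits_start + 1, 0x30)  # RSAPublicKey
    n_start, n_end = _read_tlv(der, rsa_start, 0x02)      # modulus
    e_start, e_end = _read_tlv(der, n_end, 0x02)          # publicExponent
    if e_end != rsa_end:
        raise KeyCodeError("unexpected data after the public exponent")
    modulus = int.from_bytes(der[n_start:n_end], "big")
    exponent = int.from_bytes(der[e_start:e_end], "big")
    if modulus <= 0 or exponent <= 1:
        raise KeyCodeError("modulus or exponent out of range")
    return modulus.bit_length(), exponent


def public_key_code_end(text):
    """Emulate public-key-code end: (bits, e) when the key is saved, None when discarded."""
    try:
        return parse_rsa_public_key(normalize_key_code(text))
    except KeyCodeError as exc:
        print(f"Error: invalid public key code ({exc}); key discarded")
        return None


if __name__ == "__main__":
    print(public_key_code_end(EXAMPLE_KEY_CODE))  # (1024, 65537)
```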
Table 44 Default local key pair names
Usage guidelines
The key algorithm must be the same as that required by the security application.
The key modulus length must be appropriate (see Table 45). A longer key modulus length value means
higher security level and longer key generation time.
The name of a key pair must be unique among all manually named key pairs that use the same key
algorithm, but can be the same as a key pair that uses a different key algorithm. If a name conflict occurs,
the system asks whether you want to overwrite the existing key pair.
Local asymmetric key pairs created in FIPS mode cannot be used in non-FIPS mode, and vice versa. You
must re-create the local asymmetric key pairs after you switch between FIPS mode and non-FIPS mode.
The key pairs are automatically saved and can survive system reboots.
Table 45 A comparison of different types of asymmetric key pairs
Type: RSA
Number of key pairs:
• In non-FIPS mode:
{ If you specify the key pair name, the command creates a host key pair.
{ If you do not specify the key pair name, the command creates one server key pair and one host key
pair, and both key pairs use their default names.
• In FIPS mode: If you do not specify a key pair name, the command creates a host key pair with the
default name.
Modulus length:
• In non-FIPS mode: 512 to 2048 bits and defaults to 1024 bits.
• In FIPS mode: 2048 bits.
HP recommendation: In non-FIPS mode, set the key modulus length to at least 768 bits.
Type: DSA
Number of key pairs: The command creates only one host key pair.
Modulus length:
• In non-FIPS mode: 512 to 2048 bits and defaults to 1024 bits.
• In FIPS mode: At least 1024 bits.
HP recommendation: In non-FIPS mode, set the key modulus length to at least 768 bits.
Examples
# Create local RSA key pairs with default names.
<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
Related commands
• public-key local destroy
• display public-key local public
Default command level
2: System level
Parameters
dsa: DSA key pair.
rsa: RSA key pair.
name key-name: Specifies the name of a local key pair. The key-name argument is a case-insensitive
string of 1 to 64 characters, including letters, digits, and hyphens (-). If no name is specified, the
command destroys the specified type of local key pairs that take the default names.
Examples
# Destroy the local RSA key pairs with the default names.
<Sysname> system-view
[Sysname] public-key local destroy rsa
Warning: Confirm to destroy these keys? [Y/N]:y
# Destroy the local DSA key pair with the default name.
<Sysname> system-view
[Sysname] public-key local destroy dsa
Warning: Confirm to destroy these keys? [Y/N] :y
Related commands
public-key local create
aes-cbc-192: Specifies the 192-bit AES_CBC encryption algorithm.
aes-cbc-256: Specifies the 256-bit AES_CBC encryption algorithm.
password: Specifies a password used to encrypt the RSA key pair.
Usage guidelines
You must specify an encryption algorithm and password to encrypt the specified RSA key pair. The router
does not support displaying RSA key pairs in plaintext.
You cannot display the default RSA key pair.
Examples
# Display the RSA key pair named mykey in PEM format on the terminal, and set the encryption
algorithm and password to 3des-cbc and 12345678, respectively.
<Sysname> system-view
[Sysname] public-key local export rsa name mykey pem 3des-cbc 12345678
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6Ne4EtnoKqBCL2YZvSjrG+8He
sae5FWtyj9D25PEkXagpLqb3i9Gm/Qbb6cqLLPUIgDS8eK7Wt/dXLeFUCDc0lY8V
gujJPvarFL4+Jn+VuL9znNbboA9IxPH2fMvew8lkPCwkXoP+52J+1LRpYkh+rIpE
Kj7FG/3/wzGsXu8WJQIDAQAB
-----END PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7F8FAB15399DF87C
…
-----END RSA PRIVATE KEY-----
Related commands
public-key local import
Syntax
public-key local export public dsa { openssh | ssh2 } [ filename ]
Views
System view
Default command level
2: System level
Parameters
openssh: Uses the format of OpenSSH.
ssh2: Uses the format of SSH2.0.
filename: Specifies the name of the file for storing the local public key. For more information about file
name, see Fundamentals Configuration Guide.
Usage guidelines
SSH2.0 and OpenSSH are different public key formats. Choose the format supported by the device on
which you import the host public key.
Examples
# Export the local DSA host public key in OpenSSH format to the file named key.pub.
<Sysname> system-view
[Sysname] public-key local export public dsa openssh key.pub
Related commands
• public-key local create
• public-key local destroy
# Display the host public key of the local RSA key pairs in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export public rsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20070625"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u
t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j
+o0MpOpzh3W768/+u1riz+1LcwVTs51Q==
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local RSA key pairs in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export public rsa openssh
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6u
t5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j
+o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key
Related commands
• public-key local create
• public-key local destroy
^C
Please input the password:12345678
[Sysname]
# If an RSA key pair with the same name already exists, specify whether to overwrite the existing key pair.
Warning: The device already has a key pair with the same name. If you choose to continue,
the existing key pair will be overwritten.
Continue? [Y/N]:
Related commands
public-key local export
public-key peer
Use public-key peer to specify a name for the peer public key and enter public key view.
Use undo public-key peer to remove the public key.
Syntax
public-key peer keyname
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a name for the peer public key on the local device, a case-sensitive string of 1 to 64
characters.
Usage guidelines
To manually configure the peer public key on the local device, obtain the public key in hexadecimal from
the peer device beforehand, and perform the following configurations on the local device:
1. Execute the public-key peer command, and then the public-key-code begin command to enter
public key code view.
2. Type the peer public key.
3. Execute the public-key-code end command to save the public key and return to public key view.
4. Execute the peer-public-key end command to return to system view.
345
Examples
# Specify the name for the peer public key as key1 and enter public key view.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key]
Related commands
• public-key-code begin
• public-key-code end
• peer-public-key end
• display public-key peer
public-key rsa
Use public-key rsa to specify an RSA key pair for certificate request.
Use undo public-key to remove the configuration.
Syntax
public-key rsa general name key-name
undo public-key
Default
The RSA key pair with the default name is used for certificate request.
Views
PKI domain view
Default command level
2: System level
Parameters
name key-name: Specifies a key pair name, a case-insensitive string of 1 to 64 characters. It can include
only letters, digits, and hyphens (-).
Usage guidelines
In auto request mode, when an entity is triggered to submit a certificate request, the entity automatically
generates an RSA key pair with the specified name.
Examples
# Specify the RSA key pair abc for certificate request.
<Sysname> system-view
[Sysname] pki domain 1
[Sysname-pki-domain-1] public-key rsa abc
Related commands
public-key local create (see Security Command Reference)
RSH configuration commands
rsh
Use rsh to execute an OS command on a remote host.
Syntax
rsh host [ user username ] command remote-command
Views
User view
Default command level
0: Visit level
Parameters
host: IP address or host name of the remote host, a string of 1 to 20 characters.
user username: Specifies the username for remote login, a string of 1 to 20 characters. If you do not
specify a username, the system name of the device, which can be set by using the sysname command,
applies.
command remote-command: Specifies the command to be executed remotely. The commands that are
available depend on the operating system running on the RSH server.
Usage guidelines
The remote host must run the RSH daemon.
Examples
# Display information about the directories and files on remote host 169.254.1.100, which is running
Windows 2000.
<Sysname> rsh 169.254.1.100 command dir
Trying 169.254.1.100 ...
Press CTRL+K to abort
Volume in drive C is SYSTEM
Volume Serial Number is 2A0F-18DF
Directory of C:\WRSHDNT
2003-06-21 10:51 192,512 wrshdnt.cpl
2001-12-09 16:41 38,991 wrshdnt.hlp
2001-12-09 16:26 1,740 wrshdnt.cnt
2003-06-22 11:14 452,230 wrshdnt.htm
2003-06-23 18:18 4,803 wrshdnt_header.htm
2003-06-23 18:18 178 wrshdnt_filelist.xml
2003-06-22 11:13 156,472 wrshdnt.pdf
2001-09-02 15:41 49,152 wrshdrdr.exe
2003-06-21 10:32 69,632 wrshdrun.exe
2004-01-02 15:54 196,608 wrshdsp.exe
2004-01-02 15:54 102,400 wrshdnt.exe
2001-07-30 18:05 766 wrshdnt.ico
2004-07-13 09:10 3,253 INSTALL.LOG
21 files 1,749,848 bytes
2 directories 2,817,417,216 bytes free
# Set the system time of remote host 169.254.1.100, which is running Windows 2000.
<Sysname> rsh 169.254.1.100 command time
Trying 169.254.1.100 ...
Press CTRL+K to abort
The current time is: 6:56:42.57
Enter the new time: 12:00
12:00
Portal configuration commands
access-user detect
Use access-user detect to configure the online portal user detection function.
Use undo access-user detect to restore the default.
Syntax
access-user detect type arp retransmit number interval interval
undo access-user detect
Default
The portal user detection function is not configured on an interface.
Views
Interface view
Default command level
2: System level
Parameters
type arp: Uses ARP requests as probe packets.
retransmit number: Specifies the maximum number of times the device sends probe packets to a user
before it receives a reply from the user. If this number is reached but the device still receives no reply from
the portal user, the device considers the portal user offline and logs out the user. The value range for
the number argument is 2 to 5.
interval interval: Specifies the interval for sending probe packets, in the range of 5 to 120 seconds.
Usage guidelines
When this function is configured on an interface, the interface starts a probe timer (3 minutes, not
configurable). If the interface has not received packets from a portal user when the probe timer expires,
the device sends probe packets (ARP requests) to the portal user. If the device has not received a reply
from the portal user when the maximum number of probes is reached, the device logs off the portal user.
If the device receives a reply from the portal user before the maximum number of probes is reached, it
stops sending probe packets and restarts the probe timer. The device repeats the process to detect
whether portal users are online.
This function is available only for the direct and re-DHCP portal authentication configured on a Layer 3
interface.
Examples
# Configure the portal user detection function on interface Ethernet 1/1, specifying the probe packets as
ARP requests, maximum number of probe attempts as 3, and probe interval as 10 seconds.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] access-user detect type arp retransmit 3 interval 10
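To make the timing in the usage guidelines concrete, the following Python simulation of the probe logic is an added example, not HP code or part of this reference. The 3-minute probe timer comes from the guidelines; the exact moment of logoff (one interval after the last unanswered probe) and the event timelines are assumptions.

```python
"""Simulation of the online portal user detection configured with
access-user detect type arp retransmit <number> interval <interval>.

Added illustration, not HP/H3C device code. The 3-minute probe timer is the
fixed value from the usage guidelines; the logoff moment (one interval after
the last unanswered probe) and the event timelines are assumptions.
"""
from dataclasses import dataclass

PROBE_TIMER_SECONDS = 3 * 60  # fixed probe timer, not configurable


@dataclass(frozen=True)
class DetectConfig:
    retransmit: int  # maximum number of probes, 2 to 5
    interval: int    # seconds between probes, 5 to 120

    def __post_init__(self):
        if not 2 <= self.retransmit <= 5:
            raise ValueError("retransmit must be in the range 2 to 5")
        if not 5 <= self.interval <= 120:
            raise ValueError("interval must be in the range 5 to 120 seconds")


def simulate(cfg, traffic_times, reply_times, horizon):
    """Replay one portal user's activity against the detection logic.

    traffic_times: seconds at which the interface saw a packet from the user
    reply_times:   seconds at which an ARP reply to a probe arrived
    The user is online from t=0. Returns (probe_times, logoff_time);
    logoff_time is None if the user is still online at `horizon`.
    """
    traffic = sorted(traffic_times)
    replies = sorted(reply_times)
    last_seen = 0          # last packet from the user restarts the probe timer
    probes = []
    while True:
        deadline = last_seen + PROBE_TIMER_SECONDS
        recent = [t for t in traffic if last_seen < t <= deadline]
        if recent:
            last_seen = recent[-1]   # user traffic: timer restarts, no probe
            continue
        if deadline > horizon:
            return probes, None      # still online when the simulation ends
        t = deadline
        for _ in range(cfg.retransmit):
            probes.append(t)         # ARP request sent to the user
            window_end = t + cfg.interval
            reply = next((r for r in replies if t <= r < window_end), None)
            if reply is not None:
                last_seen = reply    # reply: stop probing, restart the timer
                break
            t = window_end
        else:
            return probes, t         # all probes unanswered: user logged off


if __name__ == "__main__":
    cfg = DetectConfig(retransmit=3, interval=10)  # values from the example above
    print(simulate(cfg, [], [], 1000))        # silent user: logged off at 210 s
    print(simulate(cfg, [100], [295], 400))   # one reply keeps the user online
```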
display portal acl
Use display portal acl to display the ACLs on a specific interface.
Syntax
display portal acl { all | dynamic | static } interface interface-type interface-number [ | { begin | exclude
| include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays all portal ACLs, including dynamic and static portal ACLs.
dynamic: Displays dynamic portal ACLs—ACLs generated dynamically after a user passes portal
authentication.
static: Displays static portal ACLs—ACLs generated through portal related configuration, such as
portal-free rule configuration.
interface interface-type interface-number: Displays the ACLs on the specified interface.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display all ACLs on interface Ethernet 1/1.
<Sysname> display portal acl all interface ethernet 1/1
IPv4 portal ACL rules on Ethernet1/1:
Rule 0
Inbound interface : Ethernet1/1
Type : static
Action : permit
Protocol : 0
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : any
MAC : 0000-0000-0000
Interface: any
VLAN : 0
Destination:
IP : 192.168.0.111
Mask : 255.255.255.255
Port : any
Rule 1
Inbound interface : Ethernet1/1
Type : static
Action : redirect
Protocol : 6
Source:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : any
MAC : 0000-0000-0000
Interface: any
VLAN : 2
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Port : 80
Rule 2
Inbound interface : Ethernet1/1
Type : dynamic
Action : permit
Source:
IP : 2.2.2.2
Mask : 255.255.255.255
MAC : 000d-88f8-0eab
Interface: Ethernet1/1
VLAN : 0
Protocol : 0
Destination:
IP : 0.0.0.0
Mask : 0.0.0.0
Author ACL:
Number : 3001
Field Description
Rule Sequence number of the portal ACL, which is numbered from 0 in ascending order.
MAC Source MAC address in the portal ACL.
Author ACL Authorization ACL information. It is displayed only when the value of the Type field is dynamic.
Number Authorization ACL number assigned by the RADIUS server. None indicates that the server did not assign any ACL.
State-Name User-Num
VOID 0
DISCOVERED 0
WAIT_AUTHEN_ACK 0
WAIT_AUTHOR_ACK 0
WAIT_LOGIN_ACK 0
WAIT_ACL_ACK 0
WAIT_NEW_IP 0
WAIT_USERIPCHANGE_ACK 0
ONLINE 1
WAIT_LOGOUT_ACK 0
WAIT_LEAVING_ACK 0
Message statistics:
Msg-Name Total Err Discard
MSG_AUTHEN_ACK 3 0 0
MSG_AUTHOR_ACK 3 0 0
MSG_LOGIN_ACK 3 0 0
MSG_LOGOUT_ACK 2 0 0
MSG_LEAVING_ACK 0 0 0
MSG_CUT_REQ 0 0 0
MSG_AUTH_REQ 3 0 0
MSG_LOGIN_REQ 3 0 0
MSG_LOGOUT_REQ 2 0 0
MSG_LEAVING_REQ 0 0 0
MSG_ARPPKT 0 0 0
MSG_PORT_REMOVE 0 0 0
MSG_VLAN_REMOVE 0 0 0
MSG_IF_REMOVE 6 0 0
MSG_IF_SHUT 0 0 0
MSG_IF_DISPORTAL 0 0 0
MSG_IF_UP 0 0 0
MSG_ACL_RESULT 0 0 0
MSG_AAACUTBKREQ 0 0 0
MSG_CUT_BY_USERINDEX 0 0 0
MSG_CUT_L3IF 0 0 0
MSG_IP_REMOVE 0 0 0
MSG_ALL_REMOVE 1 0 0
MSG_IFIPADDR_CHANGE 0 0 0
MSG_SOCKET_CHANGE 8 0 0
MSG_NOTIFY 0 0 0
MSG_SETPOLICY 0 0 0
MSG_SETPOLICY_RESULT 0 0 0
Field Description
User state statistics Statistics on portal users.
State-Name Name of a user state.
MSG_SETPOLICY_RESULT Set policy response message.
Field Description
Rule-Number Number of the portal-free rule.
IP Source IP address in the portal-free rule.
Related commands
portal free-rule
Status: Portal running
Portal server: servername
Portal backup-group: 1
Authentication type: Layer3
Authentication domain: my-domain
Authentication network:
Source IP: 1.1.1.1 Mask : 255.255.0.0
Field Description
Portal configuration of interface Portal configuration on the interface.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display configuration information about the local portal server.
<Sysname> display portal local-server
Protocol: HTTP
Bind SSID list:
ssid1: file1.zip
ssid2: file1.zip
Field Description
Protocol Protocol supported by the local portal server, HTTP or HTTPS. The MSR devices support only HTTP.
Related commands
portal local-server
Portal server:
1)aaa:
IP : 192.168.0.111
VPN instance : vpn1
Port : 50100
Key : ******
URL : http://192.168.0.111
Status : Up
Field Description
1) Number of the portal server.
Key Shared key for exchanges between the access device and portal server.
• ****** is displayed if a key is configured.
• Not configured is displayed if no key is configured.
URL Address the packets are to be redirected to. Not configured is displayed if no address is configured.
Related commands
portal server
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
When the all keyword is specified, the command displays portal server statistics by interface and
therefore statistics about a portal server referenced by more than one interface might be displayed
multiple times.
Examples
# Display portal server statistics on Ethernet 1/1.
<Sysname> display portal server statistics interface ethernet 1/1
---------------Interface: Ethernet1/1----------------------
Server name: st
Invalid packets: 0
Pkt-Name Total Discard Checkerr
REQ_CHALLENGE 3 0 0
ACK_CHALLENGE 3 0 0
REQ_AUTH 3 0 0
ACK_AUTH 3 0 0
REQ_LOGOUT 1 0 0
ACK_LOGOUT 1 0 0
AFF_ACK_AUTH 3 0 0
NTF_LOGOUT 1 0 0
REQ_INFO 6 0 0
ACK_INFO 6 0 0
NTF_USERDISCOVER 0 0 0
NTF_USERIPCHANGE 0 0 0
AFF_NTF_USERIPCHANGE 0 0 0
ACK_NTF_LOGOUT 1 0 0
NTF_HEARTBEAT 0 0 0
NTF_USERSYNC 2 0 0
ACK_NTF_USERSYNC 0 0 0
NTF_CHALLENGE 0 0 0
NTF_USER_NOTIFY 0 0 0
AFF_NTF_USER_NOTIFY 0 0 0
NTF_AUTH 0 0 0
ACK_NTF_AUTH 0 0 0
REQ_QUERY_STATE 0 0 0
ACK_QUERY_STATE 0 0 0
REQ_MACBINDING_INFO 0 0 0
ACK_MACBINDING_INFO 0 0 0
NTF_USER_LOGON 0 0 0
RESERVED33 0 0 0
NTF_USER_LOGOUT 0 0 0
RESERVED35 0 0 0
PT_TYPE_REQ_USER_OFFLINE 0 0 0
Field Description
Interface Interface referencing the portal server.
REQ_CHALLENGE Challenge request message the portal server sends to the access device.
REQ_AUTH Authentication request message the portal server sends to the access device.
REQ_LOGOUT Logout request message the portal server sends to the access device.
ACK_LOGOUT Logout acknowledgment message the access device sends to the portal server.
AFF_ACK_AUTH Affirmation message the portal server sends to the access device after receiving an authentication acknowledgement message.
NTF_LOGOUT Forced logout notification message the access device sends to the portal server.
NTF_HEARTBEAT Portal heartbeat message the portal server sent to the access device.
NTF_USERDISCOVER User discovery notification message the portal server sends to the access device.
NTF_USERIPCHANGE User IP change notification message the access device sends to the portal server.
AFF_NTF_USERIPCHANGE User IP change success notification message the portal server sends to the access device.
NTF_USERSYNC User synchronization packet the access device received from the portal server.
NTF_CHALLENGE Challenge request the access device sent to the portal server.
NTF_USER_NOTIFY User information notification message the access device sent to the portal server.
NTF_AUTH Forced authentication notification message the portal server sent to the access device.
REQ_QUERY_STATE User online state query message the portal server sent to the access device.
ACK_QUERY_STATE User online state acknowledgment message the access device sent to the portal server.
REQ_MACBINDING_INFO MAC binding query the access device sent to the MAC binding server.
ACK_MACBINDING_INFO MAC binding query acknowledgment the MAC binding server sent to the access device.
NTF_USER_LOGON User login notification message the access device sent to the MAC binding server.
RESERVED33 Reserved.
NTF_USER_LOGOUT User logoff notification message the access device sent to the MAC binding server.
RESERVED35 Reserved.
PT_TYPE_REQ_USER_OFFLINE Forced user offline request the MAC binding server sent to the access device.
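The following Python script is an added example, not HP code or part of this reference: it parses the output format shown above into per-interface counters and lists the non-zero Invalid packets, Discard and Checkerr counts so an operator can review them. The sample output is constructed, and treating those counters as the ones worth reviewing is an assumption of the example.

```python
"""Parser for the output of display portal server statistics, with a report of
the counters an operator should review. Added illustration, not HP/H3C code;
SAMPLE_OUTPUT is constructed and its counter values are made up. Treating
non-zero Invalid packets, Discard and Checkerr counts as review-worthy is an
assumption of this example, not a statement from the command reference."""
import re
from dataclasses import dataclass, field

INTERFACE_RE = re.compile(r"^-+Interface:\s*(\S+?)-+$")
SERVER_RE = re.compile(r"^Server name:\s*(\S+)$")
INVALID_RE = re.compile(r"^Invalid packets:\s*(\d+)$")
COUNTER_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass
class InterfaceStats:
    interface: str
    server: str = ""
    invalid_packets: int = 0
    # Pkt-Name -> (Total, Discard, Checkerr), in the order the device prints them
    counters: dict = field(default_factory=dict)


def parse_portal_server_statistics(text):
    """Return one InterfaceStats per interface block in the command output."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := INTERFACE_RE.match(line):
            current = InterfaceStats(interface=m.group(1))
            blocks.append(current)
        elif current is None:
            continue  # prompt or other text before the first interface header
        elif m := SERVER_RE.match(line):
            current.server = m.group(1)
        elif m := INVALID_RE.match(line):
            current.invalid_packets = int(m.group(1))
        elif m := COUNTER_RE.match(line):
            name, total, discard, checkerr = m.groups()
            current.counters[name] = (int(total), int(discard), int(checkerr))
    return blocks


def findings(blocks):
    """Human-readable list of non-zero invalid, check-error and discard counts."""
    out = []
    for b in blocks:
        who = f"{b.interface}/{b.server}"
        if b.invalid_packets:
            out.append(f"{who}: {b.invalid_packets} invalid packets")
        for name, (total, discard, checkerr) in b.counters.items():
            if checkerr:
                out.append(f"{who}: {name} checkerr {checkerr}/{total}")
            if discard:
                out.append(f"{who}: {name} discard {discard}/{total}")
    return out


# Constructed sample in the format of the reference; values are made up.
SAMPLE_OUTPUT = """\
<Sysname> display portal server statistics all
---------------Interface: Ethernet1/1----------------------
Server name: st
Invalid packets: 0
Pkt-Name                        Total    Discard   Checkerr
REQ_CHALLENGE                   3        0         0
ACK_CHALLENGE                   3        0         0
REQ_AUTH                        3        0         0
ACK_AUTH                        3        0         0
---------------Interface: Ethernet1/2----------------------
Server name: st2
Invalid packets: 4
Pkt-Name                        Total    Discard   Checkerr
REQ_CHALLENGE                   7        0         2
ACK_CHALLENGE                   5        0         0
REQ_AUTH                        5        1         0
"""

if __name__ == "__main__":
    for line in findings(parse_portal_server_statistics(SAMPLE_OUTPUT)):
        print(line)
```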
Examples
# Display TCP spoofing statistics.
<Sysname> display portal tcp-cheat statistics
TCP Cheat Statistic:
Total Opens: 0
Resets Connections: 0
Current Opens: 0
Packets Received: 0
Packets Sent: 0
Packets Retransmitted: 0
Packets Dropped: 0
HTTP Packets Sent: 0
Connection State:
SYN_RECVD: 0
ESTABLISHED: 0
CLOSE_WAIT: 0
LAST_ACK: 0
FIN_WAIT_1: 0
FIN_WAIT_2: 0
CLOSING: 0
Field Description
TCP Cheat Statistic TCP spoofing statistics.
display portal user
Use display portal user to display information about portal users on a specific interface or all interfaces.
Syntax
display portal user { all | interface interface-type interface-number } [ | { begin | exclude | include }
regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and name.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about portal users on all interfaces.
<Sysname> display portal user all
Index:2
State:ONLINE
SubState:NONE
ACL:NONE
Work-mode:Stand-alone
VPN instance:NONE
MAC IP Vlan Interface
---------------------------------------------------------------------
000d-88f8-0eab 2.2.2.2 0 Ethernet1/1
Total 1 user(s) matched, 1 listed.
Field Description
Index Index of the portal user.
Work-mode User's working mode:
• Primary.
• Secondary.
• Stand-alone.
The MSR routers do not support this field, and the field is always "Stand-alone."
portal auth-network
Use portal auth-network to configure a portal authentication source subnet on an interface. You can use
this command to configure multiple portal authentication source subnets on an interface. Then, only HTTP
packets from the subnets can trigger portal authentication on the interface. If an unauthenticated user is
not on any authentication source subnet, the access device discards all the user's HTTP packets that do
not match any portal-free rule.
Use undo portal auth-network to remove a specific portal authentication source subnet or all portal
authentication subnets.
Syntax
portal auth-network network-address { mask-length | mask }
undo portal auth-network { network-address | all }
Default
The portal authentication source IP subnet is 0.0.0.0/0, which means users in all subnets must pass
portal authentication.
Views
Interface view
Default command level
2: System level
Parameters
network-address: IP address of the authentication source subnet.
mask-length: Length of the subnet mask, in the range of 0 to 32.
mask: Subnet mask, in dotted decimal notation.
all: Specifies all authentication source subnets.
Usage guidelines
This command is only applicable for cross-subnet authentication (layer3). The portal authentication
source subnet for direct authentication (direct) can be any source IP address, and the portal
authentication source subnet for re-DHCP authentication (redhcp) is the one determined by the private IP
address of the interface connecting the users.
You can configure multiple authentication source subnets.
If both an authentication source subnet and destination subnet are configured on an interface, only the
authentication destination subnet takes effect.
Examples
# Configure a portal authentication source subnet of 10.10.10.0/24 on Ethernet 1/1 to allow users from
subnet 10.10.10.0/24 to trigger portal authentication.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal auth-network 10.10.10.0 24
You can configure up to 16 authentication destination subnets.
If both an authentication source subnet and destination subnet are configured on an interface, only the
authentication destination subnet takes effect.
Examples
# Configure a portal authentication destination subnet of 2.2.2.0/24 on Ethernet 1/2, so that only users
accessing subnet 2.2.2.0/24 trigger portal authentication on the interface. Users can access other
subnets through the interface without portal authentication.
<Sysname> system-view
[Sysname] interface ethernet 1/2
[Sysname-Ethernet1/2] portal auth-network destination 2.2.2.0 24
portal delete-user
Use portal delete-user to log off portal users.
Syntax
portal delete-user { ip-address | all | interface interface-type interface-number }
Views
System view
Default command level
2: System level
Parameters
ip-address: Specifies a portal user with the specified IP address.
all: Specifies all portal users.
interface interface-type interface-number: Specifies all portal users on the specified interface.
Examples
# Log off the portal user whose IP address is 1.1.1.1.
<Sysname> system-view
[Sysname] portal delete-user 1.1.1.1
Related commands
display portal user
portal domain
Use portal domain to specify an authentication domain for portal users on an interface. Then, the device
uses the authentication domain for authentication, authorization and accounting (AAA) of the portal
users on the interface.
Use undo portal domain to delete the authentication domain specified for portal users.
Syntax
portal domain domain-name
undo portal domain
Default
No authentication domain is specified for portal users on an interface.
Views
Interface view
Default command level
2: System level
Parameters
domain-name: Specifies an authentication domain name, a case-insensitive string of 1 to 24 characters.
The domain specified by this argument must already exist.
Examples
# Configure the authentication domain for IPv4 portal users on Ethernet 1/1 as my-domain.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal domain my-domain
Related commands
display portal interface
portal free-rule
Use portal free-rule to configure a portal-free rule and specify the source filtering condition, destination
filtering condition, or both.
Use undo portal free-rule to remove a specific portal-free rule or all portal-free rules.
Syntax
portal free-rule rule-number { destination { any | ip { ip-address mask { mask-length | mask } | any } }
| source { any | [ interface interface-type interface-number | ip { ip-address mask { mask-length |
netmask } | any } | mac mac-address | vlan vlan-id ] * } } *
undo portal free-rule { rule-number | all }
Views
System view
Default command level
2: System level
Parameters
rule-number: Specifies the number for the portal-free rule, in the range of 0 to 255.
any: Imposes no limitation on the previous keyword.
ip ip-address: Specifies an IP address for the portal-free rule.
mask { mask-length | mask }: Specifies a mask or mask length for the IP address. The mask argument is
a subnet mask in dotted decimal notation. The mask-length argument is a subnet mask length, an integer
in the range of 0 to 32.
interface interface-type interface-number: Specifies a source interface.
mac mac-address: Specifies a source MAC address in the format H-H-H.
vlan vlan-id: Specifies a source VLAN ID.
all: Specifies all portal-free rules.
Usage guidelines
If you specify both a source IP address and a source MAC address in a portal-free rule, the IP address
must be a host address with a 32-bit mask. Otherwise, the specified MAC address does not take effect.
If you specify both a VLAN and an interface in a portal-free rule, the interface must belong to the VLAN.
Otherwise, the rule does not take effect.
You cannot configure a portal-free rule to have the same filtering criteria as that of an existing one. When
attempted, the system prompts that the rule already exists.
Whether or not portal authentication is enabled on an interface, you can only add or remove a
portal-free rule; you cannot modify an existing rule.
A Layer 2 interface in an aggregation group cannot be specified as the source interface of a portal-free
rule, and the source interface of a portal-free rule cannot be added to an aggregation group.
For Layer 2 portal authentication, you can configure only portal-free rules that are from any source
address to any or a specific destination address. When such a portal-free rule is configured, users can
access the specified address without portal authentication.
Examples
# Configure a portal-free rule, allowing any packet whose source IP address is 10.10.10.1/24 and source
interface is Ethernet 1/1 to bypass portal authentication.
<Sysname> system-view
[Sysname] portal free-rule 15 source ip 10.10.10.1 mask 24 interface ethernet 1/1
destination ip any
Related commands
display portal free-rule
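As an added example, not HP code or part of this reference, the following Python check tests a candidate portal-free rule against the usage guidelines above before it is committed to the device. The Interface inventory, the FreeRule representation and all sample rules are constructed; rule 15 mirrors the example above.

```python
"""Check a candidate portal free-rule against the constraints in the usage
guidelines: 32-bit host mask when a source MAC is given, interface/VLAN
membership, interfaces in aggregation groups, duplicate filtering criteria,
and the source-any restriction of Layer 2 portal authentication.
Added illustration, not HP/H3C code; the Interface inventory, the FreeRule
representation and all sample rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class FreeRule:
    number: int                       # rule-number, 0 to 255
    src_ip: Optional[str] = None      # "10.10.10.1/24"; None means source any
    src_interface: Optional[str] = None
    src_mac: Optional[str] = None     # H-H-H form, e.g. 000d-88f8-0eab
    src_vlan: Optional[int] = None
    dst_ip: Optional[str] = None      # None means destination any

    def criteria(self):
        """The filtering criteria; the rule number is not part of the match."""
        return (self.src_ip, self.src_interface, self.src_mac,
                self.src_vlan, self.dst_ip)


@dataclass(frozen=True)
class Interface:
    name: str
    vlans: frozenset                  # VLANs the Layer 2 interface belongs to
    in_aggregation: bool = False      # member of an aggregation group


def check_free_rule(rule, existing, interfaces, layer2_portal=False):
    """Return the problems found; an empty list means the rule is acceptable.

    existing:   rules already configured on the device
    interfaces: name -> Interface, used for the VLAN and aggregation checks
    """
    problems = []
    if not 0 <= rule.number <= 255:
        problems.append("rule-number must be in the range 0 to 255")
    src_net = None
    if rule.src_ip is not None:
        try:
            src_net = ip_network(rule.src_ip, strict=False)
        except ValueError:
            problems.append(f"invalid source address {rule.src_ip}")
    if rule.dst_ip is not None:
        try:
            ip_network(rule.dst_ip, strict=False)
        except ValueError:
            problems.append(f"invalid destination address {rule.dst_ip}")
    # a source MAC takes effect only together with a 32-bit host mask
    if src_net is not None and rule.src_mac is not None and src_net.prefixlen != 32:
        problems.append("source MAC is ignored unless the source IP has a 32-bit mask")
    if rule.src_interface is not None:
        intf = interfaces.get(rule.src_interface)
        if intf is None:
            problems.append(f"unknown interface {rule.src_interface}")
        else:
            # a Layer 2 interface in an aggregation group cannot be a source interface
            if intf.in_aggregation:
                problems.append(f"{intf.name} is in an aggregation group")
            # with both a VLAN and an interface, the interface must belong to the VLAN
            if rule.src_vlan is not None and rule.src_vlan not in intf.vlans:
                problems.append(f"{intf.name} does not belong to VLAN {rule.src_vlan}")
    # Layer 2 portal authentication allows only rules from source any
    if layer2_portal and any(v is not None for v in rule.criteria()[:4]):
        problems.append("Layer 2 portal authentication allows only rules from source any")
    # the device rejects a rule whose filtering criteria match an existing rule
    if any(r.criteria() == rule.criteria() for r in existing):
        problems.append("a rule with the same filtering criteria already exists")
    return problems


# Constructed inventory; rule 15 mirrors the example in the reference
INVENTORY = {
    "Ethernet1/1": Interface("Ethernet1/1", frozenset({1, 10})),
    "Ethernet1/2": Interface("Ethernet1/2", frozenset({1}), in_aggregation=True),
}
EXISTING = [FreeRule(15, src_ip="10.10.10.1/24", src_interface="Ethernet1/1")]

if __name__ == "__main__":
    candidates = [
        FreeRule(16, src_ip="10.10.10.1/24", src_mac="000d-88f8-0eab"),
        FreeRule(17, src_ip="10.10.10.1/24", src_interface="Ethernet1/1"),
        FreeRule(18, src_interface="Ethernet1/1", src_vlan=20),
        FreeRule(19, src_interface="Ethernet1/2"),
        FreeRule(20, dst_ip="2.2.2.0/24"),
    ]
    for rule in candidates:
        print(rule.number, check_free_rule(rule, EXISTING, INVENTORY) or "ok")
```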
portal local-server
Use portal local-server to configure the protocol type to be supported by the local portal server and load
the default authentication page file.
Use undo portal local-server to cancel the configuration.
Syntax
portal local-server http
undo portal local-server http
Default
The local portal server does not support any protocol type.
Views
System view
Default command level
2: System level
Parameters
http: Specifies that the local portal server use HTTP to exchange authentication packets with clients.
Usage guidelines
When executing this command, the local portal server loads the default authentication page file, which
is supposed to be saved in the root directory of the device. To make sure the local portal server uses the
user-defined default authentication pages, edit and save them correctly before executing this command.
Otherwise, the system default authentication pages are used.
If you specify HTTP in this command, the redirection URL for HTTP packets is in the format of http://IP
address of the device/portal/logon.htm, and clients and the portal server exchange authentication
information through HTTP.
If an online portal user exists on the device, you cannot remove or change the configured protocol type,
or modify the SSL server policies referenced.
Examples
# Configure the local portal server to support HTTP.
<Sysname> system-view
[Sysname] portal local-server http
Related commands
display portal local-server
all: Specifies all the bound SSIDs.
Usage guidelines
If no SSID-to-customized page file binding is configured on the device, the local portal server pushes the
default authentication pages to a user that accesses the portal page. If such a binding is configured on
the device, the local portal server pushes the authentication pages from the customized page file that is
bound to the SSID of the user's logon interface.
If the name or contents of the file in a binding entry are changed, you must re-configure the binding.
To modify a binding, simply re-execute the portal local-server bind command, without canceling the
existing binding.
If you bind the same SSID to different authentication page files, the last binding takes effect.
Up to 128 binding entries are allowed on the device.
The following matrix shows the command and router compatibility:
Examples
# Bind SSID1 and SSID2 to the customized authentication page file named file12.zip.
<Sysname> system-view
[Sysname] portal local-server bind ssid ssid1 ssid2 file file12.zip
Related commands
display portal local-server
deployment of 802.1X on the port. For information about port security and 802.1X features, see Security
Configuration Guide.
Before enabling portal authentication on a Layer 2 port, be sure to specify the listening IP address of the
local portal server.
The following matrix shows the command and router compatibility:
Examples
# Enable Layer 2 portal authentication on Ethernet 1/1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal local-server enable
Related commands
portal local-server ip
portal local-server ip
Use portal local-server ip to specify the listening IP address of the local portal server for Layer 2 portal
authentication. When a listening IP address is specified, the device redirects Web requests from portal
clients to the authentication page at the listening IP address.
Use undo portal local-server ip to restore the default.
Syntax
portal local-server ip ip-address
undo portal local-server ip
Default
No listening IP address is specified for the local portal server.
Views
System view
Default command level
2: System level
Parameters
ip-address: Listening IP address of the local portal server. This IP address is that of a Layer 3 interface on
the access device and must be reachable from the portal client.
Usage guidelines
HP recommends configuring a loopback interface's address as the listening IP address because:
• The status of a loopback interface is stable. This can avoid authentication page access failures
caused by interface failures.
• A loopback interface does not forward received packets. This can avoid impacting system
performance when there are many network access requests.
The following matrix shows the command and router compatibility:
Examples
# Specify 1.1.1.1 as the listening IP address of the local portal server for Layer 2 portal authentication.
<Sysname> system-view
[Sysname] interface loopback 1
[Sysname-LoopBack1] ip address 1.1.1.1 32
[Sysname-LoopBack1] quit
[Sysname] portal local-server ip 1.1.1.1
portal max-user
Use portal max-user to set the maximum number of online portal users allowed in the system.
Use undo portal max-user to restore the default.
Syntax
portal max-user max-number
undo portal max-user
Views
System view
Default command level
2: System level
Parameters
max-number: Maximum number of online portal users allowed in the system.
Usage guidelines
If the maximum number of portal users specified in the command is less than that of the current online
portal users, the command can be executed successfully and does not impact the online portal users, but
the system does not allow new portal users to log in until the number drops down below the limit.
All MSR routers support the command, but they have different value ranges and default values:
Router Value range Default
MSR900 1 to 512 512
MSR93X 1 to 512 512
MSR20-1X 1 to 512 512
MSR20 1 to 512 512
MSR30 1 to 512 512
MSR50 (MPUF) 1 to 512 512
MSR50 (MPU-G2) 1 to 4096 4096
MSR1000 1 to 512 512
Examples
# Set the maximum number of portal users allowed in the system to 100.
<Sysname> system-view
[Sysname] portal max-user 100
Command and router compatibility for portal move-mode auto:
MSR900: No
MSR93X: No
MSR20-1X: No
MSR20: No
MSR30: Supported on MIM-FSW modules, MSR30-11E, and MSR30-11F
MSR50: No
MSR1000: No
Examples
# Enable support for portal user moving.
<Sysname> system-view
[Sysname] portal move-mode auto
portal nas-id-profile
Use portal nas-id-profile to specify a NAS ID profile for the interface.
Use undo portal nas-id-profile to cancel the configuration.
Syntax
portal nas-id-profile profile-name
undo portal nas-id-profile
Default
An interface is not specified with any NAS ID profile.
Views
Interface view
Default command level
2: System level
Parameters
profile-name: Name of the profile that defines the binding relationship between VLANs and NAS IDs, a
case-insensitive string of 1 to 16 characters. The profile can be configured by using the aaa nas-id profile
command. For more information about this command, see "AAA configuration commands."
Usage guidelines
If an interface is specified with a NAS ID profile, the interface prefers to use the binding defined in the
profile. If no NAS ID profile is specified for an interface or no matching binding is found in the specified
profile:
• If a NAS ID is configured using the portal nas-id command, the device uses the configured NAS ID as
that of the interface.
Examples
# Specify NAS ID profile aaa for VLAN-interface 2.
<Sysname> system-view
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] portal nas-id-profile aaa
portal nas-ip
Use portal nas-ip to configure an interface to use a specific source IP address for outgoing portal
packets.
Use undo portal nas-ip to delete the specified source IP address. If you do not specify the ipv6 keyword,
this command deletes the specified source IPv4 address.
Syntax
portal nas-ip ip-address
undo portal nas-ip
Default
No source IP address is specified for outgoing portal packets on an interface, and the interface uses the
IP address of the user access interface as the source IP address for outgoing portal packets.
Views
Interface view
Default command level
2: System level
Parameters
ip-address: Specifies a source IP address for outgoing portal packets. This IP address must be a local IP
address, and cannot be 0.0.0.0, 255.255.255.255, a class D address, a class E address, or a loopback
address.
Examples
# Configure interface Ethernet 1/1 to use 2.2.2.2 as the source IP address for outgoing portal packets.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal nas-ip 2.2.2.2
portal nas-port-id
Use portal nas-port-id to specify the NAS-Port-ID value carried in a RADIUS request.
Use undo portal nas-port-id to restore the default.
Syntax
portal nas-port-id nas-port-id-value
undo portal nas-port-id
Default
No NAS-Port-ID value is specified for an interface, and the device uses the information obtained from the
physical interface where the portal user accesses as the NAS-Port-ID value in a RADIUS request.
Views
Interface view
Default command level
2: System level
Parameters
nas-port-id-value: NAS-Port-ID value, a case-sensitive string of 1 to 253 characters. This value is used as
the value of the NAS-Port-ID attribute in the RADIUS request to be sent to the RADIUS server when a
portal user logs on from an interface.
Usage guidelines
If the device uses a RADIUS server for authentication, authorization, and accounting of portal users,
when a portal user logs on from an interface, the device sends a RADIUS request that carries the
NAS-Port-ID attribute to the RADIUS server.
Examples
# Specify the NAS-Port-ID value of Ethernet 1/1 as ap1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal nas-port-id ap1
portal nas-port-type
Use portal nas-port-type to specify the access port type (indicated by the NAS-Port-Type value) on the
current interface. The specified NAS-Port-Type value is carried in the RADIUS requests sent from the
device to the RADIUS server.
Use undo portal nas-port-type to restore the default.
Syntax
portal nas-port-type { ethernet | wireless }
undo portal nas-port-type
Default
The access port type of an interface is not specified, and the NAS-Port-Type value carried in RADIUS
requests is the user access port type obtained by the access device.
Views
Interface view
Default command level
2: System level
Parameters
ethernet: Specifies the access port type as Ethernet, which corresponds to code 15.
wireless: Specifies the access port type as IEEE 802.11 standard wireless interface, which corresponds to
code 19. This keyword is usually specified on an interface for wireless portal users, making sure that the
NAS-Port-Type value delivered by the access device to the RADIUS server is wireless.
Examples
# Specify the NAS-Port-Type value of Ethernet 1/1 as IEEE 802.11 standard wireless interface.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal nas-port-type wireless
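The two commands above only set what the device puts into the NAS-Port-Id (attribute 87) and NAS-Port-Type (attribute 61) fields of its RADIUS Access-Request. When you write RADIUS server policy that keys on those fields (for example, treating code 19 as wireless portal users), it helps to see the bytes on the wire. The following is an added example written for this page, not Comware code: it builds a minimal RFC 2865 Access-Request with User-Name, User-Password, NAS-IP-Address, NAS-Port-Type and NAS-Port-Id, and parses it back. The shared secret, packet identifier, NAS IP address 2.2.2.2, and the credentials are constructed values.

```python
"""Build and decode a minimal RADIUS Access-Request carrying the attributes
that portal nas-port-id and portal nas-port-type control.

Added example for this page, not Comware code. Attribute numbers follow
RFC 2865 (User-Name 1, User-Password 2, NAS-IP-Address 4, NAS-Port-Type 61)
and RFC 2869 (NAS-Port-Id 87). Secret, identifier and addresses are made up.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE, NAS_PORT_ID = 1, 2, 4, 61, 87

# NAS-Port-Type codes the two keywords of portal nas-port-type map to.
NAS_PORT_TYPE_CODES = {"ethernet": 15, "wireless": 19}


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((-len(password)) % 16 or (16 if not password else 0))
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(typ: int, value: bytes) -> bytes:
    """One RADIUS attribute TLV; the length byte counts the 2-byte header."""
    if not 0 < len(value) <= 253:   # same 1..253 limit the page gives for NAS-Port-Id
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", typ, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, nas_port_id,
                         port_type, ident=0, authenticator=None):
    """Return the raw Access-Request bytes; authenticator is random unless given."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attr(USER_NAME, username.encode())
        + attr(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
        + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_CODES[port_type]))
        + attr(NAS_PORT_ID, nas_port_id.encode())
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} after checking the length fields."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        typ, alen = packet[pos], packet[pos + 1]
        if alen < 3 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[typ] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```

A server matching on NAS-Port-Type should compare the 4-byte integer, not a string; and note that User-Password is only obfuscated with MD5 and the shared secret, which is why the RADIUS exchange between the device and the server should stay on a trusted management network.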
portal offline-detect interval
Use portal offline-detect interval to set the online Layer 2 portal user detection interval. Then, after a
Layer 2 portal user gets online, the device starts a detection timer for the user, and checks whether the
user has sent any packet to the device at this interval. If the device receives no packets from the user
during two detection intervals or finds that the user's MAC address entry has been aged out, the device
considers that the user has gone offline and clears the authentication information of the user.
Use undo portal offline-detect interval to restore the default.
Syntax
portal offline-detect interval offline-detect-interval
undo portal offline-detect interval
Default
The online Layer 2 portal user detection interval is 300 seconds.
Views
Layer 2 Ethernet interface view
Default command level
2: System level
Parameters
offline-detect-interval: Online Layer 2 portal user detection interval in the range of 60 to 65535 seconds.
Usage guidelines
This detection interval must be equal to or less than the MAC address entry aging time. Otherwise, many
portal users are considered offline due to aged MAC address entries.
Examples
# Set the online Layer 2 portal user detection interval to 3600 seconds on port Ethernet 1/1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal offline-detect interval 3600
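The detection rule above has two independent triggers (no packet for two detection intervals, or the MAC address entry aged out), and the usage guideline warns that the second one dominates if the interval is larger than the MAC aging time. The following model, an added example written for this page rather than Comware code, implements both triggers and the configuration check. The MAC aging time of 300 seconds is an assumed value for the demonstration, as is the idea that user traffic refreshes the MAC entry.

```python
"""Model of online Layer 2 portal user detection. Added example for this
page, not Comware code. A user is cleared when no packet has been seen for
two detection intervals, or when its MAC entry has aged out. The 300 s MAC
aging time is an assumption used to show why interval <= aging is required."""


def check_offline_detect_interval(interval: int, mac_aging: int) -> None:
    """Reject the configurations the usage guidelines warn about."""
    if not 60 <= interval <= 65535:
        raise ValueError("offline-detect interval must be 60..65535 seconds")
    if interval > mac_aging:
        raise ValueError(f"interval {interval}s exceeds MAC aging time {mac_aging}s: "
                         "idle users would be dropped by MAC aging first")


class L2PortalUsers:
    def __init__(self, interval: int = 300, mac_aging: int = 300, strict: bool = True):
        if strict:
            check_offline_detect_interval(interval, mac_aging)
        self.interval, self.mac_aging = interval, mac_aging
        self.last_packet = {}   # mac -> time of the last packet from the user
        self.mac_table = {}     # mac -> time the MAC address entry was last refreshed

    def login(self, mac: str, now: int) -> None:
        """User passes portal authentication; detection timer starts."""
        self.last_packet[mac] = now
        self.mac_table[mac] = now

    def packet_from(self, mac: str, now: int) -> None:
        if mac in self.last_packet:
            self.last_packet[mac] = now
            self.mac_table[mac] = now   # traffic also refreshes the MAC entry

    def offline_reason(self, mac: str, now: int):
        """None while the user counts as online, else why it is cleared."""
        if mac not in self.mac_table or now - self.mac_table[mac] > self.mac_aging:
            return "mac-aged"
        if now - self.last_packet[mac] >= 2 * self.interval:
            return "idle"
        return None

    def sweep(self, now: int) -> dict:
        """Periodic check; returns {mac: reason} for users whose state is cleared."""
        cleared = {}
        for mac in list(self.last_packet):
            reason = self.offline_reason(mac, now)
            if reason:
                cleared[mac] = reason
                self.last_packet.pop(mac)
                self.mac_table.pop(mac, None)
        return cleared
```

With strict=False the model reproduces the misconfiguration: an interval of 3600 seconds against a 300-second MAC aging time clears a quiet user after roughly five minutes, long before two detection intervals have passed.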
portal redirect-url
Use portal redirect-url to specify the autoredirection URL for authenticated portal users.
Use undo portal redirect-url to restore the default.
Syntax
portal redirect-url url-string [ wait-time period ]
undo portal redirect-url
Default
An authenticated portal user is redirected to the URL that the user entered in the address bar before portal
authentication.
Views
System view
Default command level
2: System level
Parameters
url-string: Autoredirection URL for authenticated portal users, a string of 1 to 127 characters. It must start
with http:// and must be a fully qualified URL.
period: Time that the device must wait before redirecting an authenticated portal user to the
autoredirection URL. The value range for this argument is 1 to 90 seconds, and the default is 5 seconds.
Usage guidelines
To use this feature for remote Layer 3 portal authentication, the portal server must be an IMC portal server
that supports the page auto-redirection function.
The wait-time period option is effective for only local portal authentication.
Examples
# Configure the device to redirect a portal user to http://www.testpt.cn 3 seconds after the user passes
portal authentication.
<Sysname> system-view
[Sysname] portal redirect-url http://www.testpt.cn wait-time 3
portal server
Use portal server to configure a portal server for Layer 3 portal authentication.
Use undo portal server to remove a portal server, restore the default destination port and default URL
address, or delete the shared key or the VPN instance configuration.
Syntax
portal server server-name ip ip-address [ key [ cipher | simple ] key-string | port port-id | url url-string
| vpn-instance vpn-instance-name ] *
undo portal server server-name [ key | port | url | vpn-instance ]
Default
No portal server is configured for Layer 3 portal authentication.
Views
System view
Default command level
2: System level
Parameters
server-name: Specifies a name for the portal server, a case-sensitive string of 1 to 32 characters.
ip ip-address: Specifies the IP address of the portal server. If you specify the local portal server, the IP
address specified must be that of a Layer 3 interface on the device and must be reachable from the portal
clients.
key: Specifies a shared key for communication with the portal server. Portal packets exchanged between
the access device and the portal server carry an authenticator, which is generated with the shared key.
The receiver uses the authenticator to check the correctness of the received portal packets.
cipher: Sets a ciphertext shared key.
simple: Sets a plaintext shared key.
key-string: Specifies the shared key. This argument is case sensitive. If simple is specified, it must be a
string of 1 to 16 characters. If cipher is specified, it must be a ciphertext string of 1 to 53 characters. If
neither simple nor cipher is specified, you set a plaintext shared key.
url url-string: Specifies the uniform resource locator (URL) to which HTTP packets are to be redirected. The
default URL is in the http://ip-address format, where ip-address is the IP address of the portal server. You
can also specify the domain name of the portal server, in which case you must use the portal free-rule
command to configure the IP address of the DNS server as a portal authentication-free destination IP
address.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the portal server belongs.
vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the portal server is on the public
network, do not specify this option.
Usage guidelines
If the specified portal server exists and no user is on the interfaces referencing the portal server, using the
undo portal server server-name command removes the specified portal server, and if keyword port or url
is also provided, the command restores the destination port number or URL address to the default.
The configured portal server and its parameters can be removed or modified only when the portal server
is not referenced by an interface. To remove or modify the settings of a portal server that has been
referenced by an interface, you must first remove the portal configuration on the interface by using the
undo portal command.
For local portal server configuration, the keywords key, port, and url are usually not required and, if
configured, do not take effect.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text to the
configuration file.
Examples
# Configure portal server pts, setting the IP address to 192.168.0.111, the key to the plaintext string portal,
and the redirection URL to http://192.168.0.111/portal.
<Sysname> system-view
[Sysname] portal server pts ip 192.168.0.111 key simple portal url http://192.168.0.111/portal
Related commands
display portal server
Views
System view
Default command level
2: System level
Parameters
banner-string: Welcome banner for the webpage, a case-sensitive string of 1 to 50 characters. It cannot
contain the less-than sign (<) or the ampersand (&). If multiple consecutive spaces exist in the string, the
browser renders them as one.
Usage guidelines
The configured welcome banner is applied to only the default authentication pages, rather than the
customized authentication pages.
Examples
# Configure the welcome banner of the default webpage provided by the local portal server as Welcome
to Portal Authentication.
<Sysname> system-view
[Sysname] portal server banner Welcome to Portal Authentication
For the local portal server, the re-DHCP authentication mode can be configured but does not take effect.
Examples
# Enable Layer 3 portal authentication on interface Ethernet 1/1, referencing portal server pts and
setting the authentication mode to direct.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] portal server pts method direct
Related commands
display portal server
portal server is reachable; otherwise, it considers that the probe fails and the portal server is
unreachable. This method is effective to only portal servers that support the portal heartbeat
function. Now, only the IMC portal server supports this function. To implement detection with this
method, you also need to configure the portal server heartbeat function on the IMC portal server
and make sure that the server heartbeat interval configured on the portal server is shorter than or
equal to the probe interval configured on the device.
action { log | permit-all | trap }: Specifies the actions to be taken when the status of a portal server
changes. The following actions are available:
• log: Specifies the action as sending a log message. When the status (reachable/unreachable) of a
portal server changes, the access device sends a log message. The log message contains the portal
server name and the current state and original state of the portal server.
• permit-all: Specifies the action as disabling portal authentication—enabling portal authentication
bypass. When the device detects that a portal server is unreachable, it disables portal
authentication on the interface referencing the portal server, allowing all portal users on this
interface to access network resources. When the access device receives the portal server heartbeat
packets or authentication packets (such as login requests and logout requests), it re-enables the
portal authentication function.
• trap: Specifies the action as sending a trap message. When the status (reachable/unreachable) of
a portal server changes, the access device sends a trap message to the network management
server (NMS). Trap message contains the portal server name and the current state of the portal
server.
interval interval: Interval at which probe attempts are made. The value range for the interval argument is
20 to 600 seconds, and the default is 20 seconds.
retry retries: Maximum number of probe attempts. The value range for the retries argument is 1 to 5, and
the default is 3. If the number of consecutive, failed probes reaches this value, the access device
considers that the portal server is unreachable.
Usage guidelines
You can specify one or more detection methods and the actions to be taken.
If both detection methods are specified, a portal server is regarded as unreachable as long as one
detection method fails, and an unreachable portal server is regarded as recovered only when both
detection methods succeed.
If multiple actions are specified, the system executes all the specified actions when the status of a portal
server changes.
Deleting a portal server on the device will delete the detection function for the portal server.
If you configure the detection function for a portal server for multiple times, the last configuration takes
effect. If you do not specify an optional parameter, the default setting of the parameter is used.
The portal server detection function takes effect only when the portal server is referenced on an interface.
Authentication-related packets from a portal server, such as logon requests and logoff requests, have the
same effect as the portal heartbeat packets for the portal server detection function.
Related command: display portal server.
Examples
# Configure the device to detect portal server pts:
• Specifying both the HTTP probe and portal heartbeat probe methods
• Setting the probe interval to 600 seconds
• Specifying the device to send a server unreachable trap message, send a log message and disable
portal authentication to permit unauthenticated portal users, if two consecutive probes fail.
<Sysname> system-view
[Sysname] portal server pts server-detect method http portal-heartbeat action log permit-all trap interval 600 retry 2
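The detection rules above are easy to misread, particularly that a probe fails if any one configured method fails, that recovery needs every method to succeed, and that permit-all leaves the interface open until the server is seen again. The following state machine, an added example written for this page and not Comware code, implements those rules for the configuration in the example (both methods, all three actions, retry 2). Probe outcomes are fed in as constructed booleans; no real HTTP or heartbeat traffic is sent.

```python
"""Portal server detection state machine as the usage guidelines describe it.
Added example for this page, not Comware code. Probe results are supplied as
booleans per method; actions are recorded as events instead of real logs,
traps or interface changes."""
from dataclasses import dataclass, field


@dataclass
class PortalServerDetector:
    server_name: str
    methods: tuple = ("http", "portal-heartbeat")   # one or both
    actions: tuple = ("log",)                        # subset of log, trap, permit-all
    interval: int = 20                               # 20..600 s
    retry: int = 3                                   # 1..5 consecutive failures
    reachable: bool = True
    failures: int = 0
    portal_bypass: bool = False                      # True while permit-all is in effect
    events: list = field(default_factory=list)

    def __post_init__(self):
        if not 20 <= self.interval <= 600 or not 1 <= self.retry <= 5:
            raise ValueError("interval must be 20..600 and retry 1..5")
        if not self.methods or not set(self.methods) <= {"http", "portal-heartbeat"}:
            raise ValueError("unknown detection method")
        if not set(self.actions) <= {"log", "trap", "permit-all"}:
            raise ValueError("unknown action")

    def probe(self, results: dict) -> bool:
        """Feed one probe interval's results ({method: ok}); returns reachability."""
        ok = all(results.get(m, False) for m in self.methods)  # any failing method fails the probe
        if ok:
            self.failures = 0
            if not self.reachable:          # recovered: every method succeeded
                self._transition(True)
        else:
            self.failures += 1
            if self.reachable and self.failures >= self.retry:
                self._transition(False)
        return self.reachable

    def auth_packet_received(self) -> None:
        """Logon/logoff requests from the server count the same as heartbeats."""
        self.probe({m: True for m in self.methods})

    def _transition(self, now_reachable: bool) -> None:
        old, self.reachable = self.reachable, now_reachable
        for action in self.actions:          # every configured action runs on a change
            if action == "log":
                self.events.append(("log", self.server_name, old, now_reachable))
            elif action == "trap":
                self.events.append(("trap", self.server_name, now_reachable))
            elif action == "permit-all":
                self.portal_bypass = not now_reachable
                self.events.append(("permit-all", self.portal_bypass))
```

The security-relevant consequence of permit-all is visible in the model: once the server is declared unreachable, portal_bypass stays True, and unauthenticated users get network access, until a successful probe or an authentication packet from the server flips it back.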
If you configure the user synchronization function for a portal server for multiple times, the last
configuration takes effect. If you do not specify an optional parameter, the default setting of the
parameter is used.
For redundant user information on the device—information of the users considered as nonexistent on the
portal server, the device deletes the information during the (N+1)th probe interval, where N equals to the
value of retries configured in the portal server user-sync command.
Examples
# Configure the device to synchronize portal user information with portal server pts:
• Setting the synchronization probe interval to 600 seconds
• Specifying the device to log off users if information of the users does not exist in the user
synchronization packets sent from the server in two consecutive probe intervals.
<Sysname> system-view
[Sysname] portal server pts user-sync interval 600 retry 2
• If the Web proxy server port 80 is added on the device, clients that do not use a proxy server can
trigger portal authentication only when they access a reachable host enabled with the HTTP service.
• Authorized ACLs to be assigned to the users who have passed portal authentication must contain a
rule that permits the Web proxy server's IP address. Otherwise, the user cannot receive heartbeat
packets from the remote portal server.
The following matrix shows the command and router compatibility:
Examples
# Add Web proxy server port number 8080 on the device, so that users using a Web proxy server with
the port number can be redirected to the portal authentication page.
<Sysname> system-view
[Sysname] portal web-proxy port 8080
Default command level
1: Monitor level
Parameters
all: Specifies all interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Examples
# Clear portal server statistics on interface Ethernet 1/1.
<Sysname> reset portal server statistics interface ethernet 1/1
web-redirect
Use web-redirect to configure the mandatory webpage pushing function on an interface. After you
configure this function on an interface and set the redirection interval, a user on the interface is forced to
access a specific webpage when the user accesses network resources through Web for the first time.
After a specific period of time, namely, the redirection interval, if the user sends a Web access request
again, the system pushes the specified webpage to the user again.
Use undo web-redirect to restore the default.
Syntax
web-redirect url url-string [ interval interval ]
undo web-redirect
Default
This function is not configured on an interface.
Views
Interface view
Default command level
2: System level
Parameters
url-string: URL address to which a Web access request is to be redirected.
interval interval: Redirection interval in the range of 60 to 86400 seconds. The default is 86400 seconds.
Usage guidelines
You cannot configure both the portal function and the mandatory webpage pushing function on an
interface. If you do so, the function configured later does not take effect.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the mandatory webpage pushing function on Ethernet 1/1, setting the redirection URL
address to http://192.0.0.1 and the interval to 3600 seconds.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] web-redirect url http://192.0.0.1 interval 3600
Firewall configuration commands
0 packets, 0 bytes, 0% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
0 packets, 0 bytes, 0% denied default,
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Field Description
Interface Name of the interface configured with Ethernet frame filtering.
In-bound Policy Indicates an inbound ACL rule has been configured on the interface.
Out-bound Policy Indicates an outbound ACL rule has been configured on the interface.
0 packets, 0 bytes, 0% denied default
Totally 0 packets, 0 bytes, 0% permitted
Totally 0 packets, 0 bytes, 0% denied
Field Description
Interface Interface configured with the IPv6 packet filtering function.
0 packets, 0 bytes, 0% permitted default Packets that matched no IPv6 ACL rule and were permitted according to the default filtering rule: number of packets and bytes, and the percentage of permitted packets to the total.
0 packets, 0 bytes, 0% denied default Packets that matched no IPv6 ACL rule and were denied according to the default filtering rule: number of packets and bytes, and the percentage of denied packets to the total.
display firewall-statistics
Use display firewall-statistics to view the packet filtering statistics of the IPv4 firewall.
Syntax
display firewall-statistics { all | fragments-inspect | interface interface-type interface-number } [ |
{ begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
all: Displays the packet filtering statistics of all interfaces of the IPv4 firewall.
fragments-inspect: Displays the statistics about fragments inspection.
interface interface-type interface-number: Displays the packet filtering statistics of the specified interface
of the IPv4 firewall.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
At most 50 fragments with the same 16-bit identifier in IP header can be recorded.
Examples
# Display statistics about fragments inspection.
<Sysname> display firewall-statistics fragments-inspect
Fragments inspection is enabled.
The high-watermark for clamping is 2000.
The low-watermark for clamping is 1500.
Current records for fragments inspection is 0.
Field Description
Fragments inspection is enabled The fragments inspection function of the firewall is enabled.
The high-watermark for clamping High threshold of the number of fragment status records.
The low-watermark for clamping Low threshold of the number of fragment status records.
Current records for fragments inspection The current number of records for fragments inspection.
Related commands
firewall fragments-inspect
firewall default
Use firewall default to specify the default firewall filtering action of the IPv4 firewall.
Syntax
firewall default { deny | permit }
Default
The default filtering action of the IPv4 firewall is permitting packets to pass (permit).
Views
System view
Default command level
2: System level
Parameters
deny: Specifies the filtering action as denying packets to pass the firewall.
permit: Specifies the filtering action as permitting packets to pass the firewall.
all: Specifies that the configuration applies to all interface cards.
slot slot-number: Specifies that the configuration applies to the interface card in the specified slot.
Examples
# Specify the default filtering action of the IPv4 firewall as denying packets to pass.
<Sysname> system-view
[Sysname] firewall default deny
firewall enable
Use firewall enable to enable the IPv4 firewall function.
Use undo firewall enable to disable the IPv4 firewall function.
Syntax
firewall enable
undo firewall enable
Default
The IPv4 firewall function is disabled.
Views
System view
Default command level
2: System level
Parameters
None
Examples
# Enable the IPv4 firewall function.
<Sysname> system-view
[Sysname] firewall enable
firewall ethernet-frame-filter
Use firewall ethernet-frame-filter to configure Ethernet frame filtering.
Use undo firewall ethernet-frame-filter to remove the Ethernet frame filtering.
Syntax
firewall ethernet-frame-filter { acl-number | name acl-name } { inbound | outbound }
undo firewall ethernet-frame-filter [ { acl-number | name acl-name } ] { inbound | outbound }
Views
Interface view
Default command level
2: System level
Parameters
acl-number: Ethernet frame header ACL number in the range of 4000 to 4999.
name acl-name: Specifies the Ethernet frame header ACL name, a case-insensitive string of 1 to 63
characters that must start with an alphabetical character a to z or A to Z. To avoid confusion, the word
all cannot be used as the ACL name.
inbound: Filters packets received by the interface.
outbound: Filters packets forwarded from the interface.
Usage guidelines
The following matrix shows the command and router compatibility:
firewall fragments-inspect
Use firewall fragments-inspect to enable fragments inspection.
Use undo firewall fragments-inspect to disable fragments inspection.
Syntax
firewall fragments-inspect
undo firewall fragments-inspect
Views
System view
Default command level
2: System level
Parameters
None
Usage guidelines
By default, fragments inspection is disabled.
Examples
# Enable fragments inspection.
<Sysname> system-view
[Sysname] firewall fragments-inspect
Related commands
• display firewall-statistics fragments-inspect
• firewall packet-filter
firewall ipv6 fragments-inspect
Use firewall ipv6 fragments-inspect to enable IPv6 fragments inspection.
Use undo firewall ipv6 fragments-inspect to disable IPv6 fragments inspection.
Syntax
firewall ipv6 fragments-inspect
undo firewall ipv6 fragments-inspect
Default
IPv6 fragments inspection is disabled.
Views
System view
Default command level
2: System level
Examples
# Enable IPv6 fragments inspection.
<Sysname> system-view
[Sysname] firewall ipv6 fragments-inspect
firewall packet-filter
Use firewall packet-filter to configure IPv4 packet filtering on the interface.
Use undo firewall packet-filter to cancel the configuration.
Syntax
firewall packet-filter { acl-number | name acl-name } { inbound | outbound } [ match-fragments
{ exactly | normally } ]
undo firewall packet-filter { acl-number | name acl-name } { inbound | outbound }
Views
Interface view
Default command level
2: System level
Parameters
acl-number: Specifies a basic ACL number in the range of 2000 to 2999, an advanced ACL number in
the range of 3000 to 3999, or an Ethernet frame header ACL number in the range of 4000 to 4999.
name acl-name: Specifies the name of a basic or advanced IPv4 ACL; a case-insensitive string of 1 to 63
characters that must start with an alphabetical character a to z or A to Z. To avoid confusion, the word
all cannot be used as the ACL name.
inbound: Filters packets received by the interface.
outbound: Filters packets forwarded from the interface.
match-fragments { exactly | normally }: Specifies the fragment match mode (for advanced ACLs only).
The default match mode is normally.
• exactly: Specifies the exact match mode.
• normally: Specifies the normal match mode.
Usage guidelines
Packets are not filtered on an interface by default.
You can apply only one IPv4 ACL in one direction of an interface to filter packets.
Examples
# Apply ACL 2001 to interface Serial 2/0 to filter outbound packets.
<Sysname> system-view
[Sysname] interface serial 2/0
[Sysname-Serial2/0] firewall packet-filter 2001 outbound
Related commands
firewall fragments-inspect
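The firewall enable, firewall default and firewall packet-filter commands above combine into one evaluation order: the firewall must be enabled, at most one ACL is bound per direction of an interface, rules are tried in order, and a packet that matches no rule falls to the default action and is counted under "permitted default" or "denied default" in display firewall-statistics. The following is an added example written for this page, not Comware code; it implements that order for basic and advanced IPv4 ACLs with constructed rule numbers and addresses, and keeps the four counters the statistics output shows.

```python
"""IPv4 packet filtering as the firewall commands describe it. Added example
for this page, not Comware code. ACL numbers, addresses and sizes are
constructed; fragment handling and IPv6 are left out."""
import ipaddress

COUNTERS = ("permitted", "denied", "permitted default", "denied default")


class Ipv4Firewall:
    def __init__(self, default: str = "permit"):
        if default not in ("permit", "deny"):
            raise ValueError("firewall default must be permit or deny")
        self.enabled = False      # firewall enable
        self.default = default    # firewall default { deny | permit }
        self.acls = {}            # acl number -> [(action, src_net, dst_net or None)]
        self.bindings = {}        # (interface, direction) -> acl number
        self.stats = {}           # interface -> {counter: [packets, bytes]}

    def acl_rule(self, number: int, action: str, source: str, destination: str = None):
        """Append a rule; basic ACLs (2000-2999) match on source only."""
        if 2000 <= number <= 2999:
            if destination is not None:
                raise ValueError("a basic ACL matches on source address only")
        elif not 3000 <= number <= 3999:
            raise ValueError("IPv4 packet filtering takes basic (2000-2999) or advanced (3000-3999) ACLs")
        if action not in ("permit", "deny"):
            raise ValueError("rule action must be permit or deny")
        dst = ipaddress.ip_network(destination) if destination else None
        self.acls.setdefault(number, []).append((action, ipaddress.ip_network(source), dst))

    def packet_filter(self, interface: str, number: int, direction: str):
        """Bind one ACL to one direction of an interface."""
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be inbound or outbound")
        if (interface, direction) in self.bindings:
            raise ValueError("only one IPv4 ACL may be applied per direction of an interface")
        self.bindings[(interface, direction)] = number

    def filter(self, interface: str, direction: str, src: str, dst: str, size: int) -> str:
        """Return 'permit' or 'deny' for one packet and update the counters."""
        if not self.enabled or (interface, direction) not in self.bindings:
            return "permit"                       # nothing filters this packet
        st = self.stats.setdefault(interface, {k: [0, 0] for k in COUNTERS})
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, s_net, d_net in self.acls.get(self.bindings[(interface, direction)], []):
            if src_ip in s_net and (d_net is None or dst_ip in d_net):
                self._count(st, "permitted" if action == "permit" else "denied", size)
                return action                     # first matching rule decides
        self._count(st, "permitted default" if self.default == "permit" else "denied default", size)
        return self.default

    @staticmethod
    def _count(st: dict, key: str, size: int) -> None:
        st[key][0] += 1
        st[key][1] += size
```

A large "permitted default" counter on an interface that is supposed to be restrictive is the usual sign that the ACL is incomplete and the firewall default is still permit.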
[Sysname-Ethernet1/1] firewall packet-filter ipv6 2500 outbound
Related commands
display firewall ipv6 statistics
reset firewall-statistics
Use reset firewall-statistics to clear the packet filtering statistics of the IPv4 firewall.
Syntax
reset firewall-statistics { all | interface interface-type interface-number }
Views
User view
Default command level
1: Monitor level
Parameters
all: Clears the packet filtering statistics on all interfaces of the IPv4 firewall.
interface interface-type interface-number: Clears the packet filtering statistics on the specified interface of
the IPv4 firewall.
Examples
# Clear the packet filtering statistics of IPv4 firewall on Ethernet 1/1.
<Sysname> reset firewall-statistics interface ethernet 1/1
tcp: Specifies the TCP session idle timeout period.
udp: Specifies the UDP session idle timeout period.
seconds: Timeout period, in seconds. The value range is 5 to 43200.
Usage guidelines
Within the timeout period, the system maintains the session.
Examples
# Create an ASPF policy with the policy number 1, and enter ASPF policy view.
<Sysname> system-view
[Sysname] aspf-policy 1
# Set the TCP session termination delay (FIN-wait) timeout to 10 seconds.
[Sysname-aspf-policy-1] aging-time fin 10
# Set the TCP session establishment hold (SYN-wait) timeout to 20 seconds.
[Sysname-aspf-policy-1] aging-time syn 20
Related commands
• display aspf all
• display aspf interface
• display aspf policy
• display aspf session
aspf-policy
Use aspf-policy to create an ASPF policy and enter its view.
Use undo aspf-policy to remove an ASPF policy.
Syntax
aspf-policy aspf-policy-number
undo aspf-policy aspf-policy-number
Views
System view
Default command level
2: System level
Parameters
aspf-policy-number: ASPF policy number in the range of 1 to 99.
Usage guidelines
A defined ASPF policy can be applied through its policy number.
Examples
# Create an ASPF policy and enter the corresponding ASPF policy view.
<Sysname> system-view
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1]
detect
Use detect to configure ASPF detection for the application layer protocol or transport layer protocol.
Use undo detect to restore the default.
Syntax
detect protocol [ java-blocking acl-number ] [ aging-time seconds ]
undo detect protocol
Default
The timeout period for an application layer protocol is 3600 seconds, the ESP-based timeout period is 30
seconds, the TCP-based timeout period is 3600 seconds, and the UDP-based timeout period is 30
seconds.
Views
ASPF policy view
Default command level
2: System level
Parameters
protocol: Name of a protocol supported by the ASPF. Application layer protocols include BOOTP, FTP,
H323, HTTP, HTTPS, IKE, RTSP, SMTP, SSH, VAM, and transport layer protocols include ESP, TCP, and
UDP.
java-blocking acl-number: Blocks the Java Applets of packets to the specified network segment,
applicable to HTTP only. The acl-number argument refers to a basic IPv4 ACL number in the range of
2000 to 2999.
aging-time seconds: Configures the idle timeout period for the application layer protocol, in seconds.
The value range is 5 to 43200.
Usage guidelines
If the protocol type is HTTP, Java blocking is allowed.
If application layer protocol detection and general TCP/UDP detection are both enabled, application
layer protocol detection is given priority over general TCP/UDP detection.
ASPF uses timeouts to manage the session status information of a protocol so as to determine when to
terminate the status information management of a session or when to delete a session that cannot be
established. As a global configuration, the setting of a timeout applies to all sessions to protect system
resources from being maliciously seized.
A protocol idle timeout setting specified using the detect command has priority over a timeout setting
specified using the aging-time command.
Examples
# Specify ASPF policy 1 for the HTTP protocol, enable Java blocking, and configure ACL 2000 so that
the ASPF policy can filter Java applets from the server 10.1.1.1.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.1.1.1 0
[Sysname-acl-basic-2000] rule deny source any
[Sysname-acl-basic-2000] quit
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1] detect http java-blocking 2000
Related commands
• display aspf all
• display aspf interface
• display aspf policy
• display aspf session
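The usage guidelines above state three precedence rules that decide which idle timeout a session actually gets: an application recognised through port mapping is tracked by its own detect entry ahead of generic TCP/UDP detection, a timeout given with detect beats the one set with aging-time, and otherwise the defaults (3600 s for application protocols and TCP, 30 s for UDP and ESP) apply. The following resolver, an added example written for this page rather than Comware code, applies those rules; the port table is the system-defined mapping shown later under display port-mapping, and the constructed user mapping of HTTP to 8080 stands in for a port-mapping command.

```python
"""Resolve the idle timeout ASPF applies to a new session. Added example for
this page, not Comware code. Defaults and precedence follow the detect and
aging-time descriptions; the port table is the system-defined mapping."""

SYSTEM_PORT_MAPPING = {21: "ftp", 1720: "h323", 80: "http", 554: "rtsp",
                       25: "smtp", 500: "ike", 443: "https", 18000: "vam", 22: "ssh"}
APP_PROTOCOLS = {"bootp", "ftp", "h323", "http", "https", "ike", "rtsp", "smtp", "ssh", "vam"}
TRANSPORT_DEFAULTS = {"tcp": 3600, "udp": 30, "esp": 30}
APP_DEFAULT = 3600


class AspfPolicy:
    def __init__(self, number: int):
        if not 1 <= number <= 99:
            raise ValueError("ASPF policy number must be 1..99")
        self.number = number
        self.aging = dict(TRANSPORT_DEFAULTS)   # aging-time tcp/udp values
        self.detect = {}                         # protocol -> timeout from detect, or None
        self.port_mapping = dict(SYSTEM_PORT_MAPPING)

    @staticmethod
    def _check(seconds: int) -> None:
        if not 5 <= seconds <= 43200:
            raise ValueError("timeout must be 5..43200 seconds")

    def aging_time(self, transport: str, seconds: int) -> None:
        """aging-time { tcp | udp } seconds."""
        if transport not in self.aging:
            raise ValueError("aging-time takes tcp or udp")
        self._check(seconds)
        self.aging[transport] = seconds

    def detect_protocol(self, protocol: str, aging_time=None) -> None:
        """detect protocol [ aging-time seconds ]."""
        if protocol not in APP_PROTOCOLS | set(TRANSPORT_DEFAULTS):
            raise ValueError(f"{protocol} is not an ASPF-supported protocol")
        if aging_time is not None:
            self._check(aging_time)
        self.detect[protocol] = aging_time

    def port_map(self, application: str, port: int) -> None:
        """User-defined mapping, as the port-mapping command would add."""
        if application not in APP_PROTOCOLS or not 0 <= port <= 65535:
            raise ValueError("bad application or port")
        self.port_mapping[port] = application

    def session_timeout(self, transport: str, dst_port: int):
        """Idle timeout for a new session, or None when ASPF does not track it."""
        app = self.port_mapping.get(dst_port)
        if app in self.detect:                     # application detection has priority
            return self.detect[app] or APP_DEFAULT
        if transport in self.detect:               # generic tcp/udp/esp detection
            return self.detect[transport] or self.aging[transport]
        return None
```

The resolver makes the interaction visible: shortening aging-time tcp does nothing for FTP control sessions once detect ftp is configured, and a detect udp aging-time silently overrides an aging-time udp value set earlier.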
Detect Protocols:
ftp timeout 3600 s
tcp timeout 3600 s
[Interface Configuration]
Interface InboundPolicy OutboundPolicy
---------------------------------------------------------------
Ethernet1/1 none 1
[Established Sessions]
Session Initiator Responder Application Status
--------------------------------------------------------------------------
73A4844 1.1.1.50:1025 2.2.2.1:21 ftp FTP_CONXN_UP
Field Description
[ASPF Policy Configuration] ASPF policy configuration information.
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the ASPF policies applied on interfaces.
<Sysname> display aspf interface
[Interface Configuration]
Interface InboundPolicy OutboundPolicy
---------------------------------------------------------------
Serial2/1 1 none
Field Description
InboundPolicy Inbound ASPF policy.
Examples
# Display the configuration information of ASPF policy 1.
<Sysname> display aspf policy 1
[ASPF Policy Configuration]
Policy Number 1:
Log: disable
SYN timeout: 30 s
FIN timeout: 5 s
TCP timeout: 3600 s
UDP timeout: 30 s
Detect Protocols
ftp timeout 120 s
tcp timeout 3600 s
Field Description
[ASPF Policy Configuration] ASPF policy configuration information.
Examples
# Display the related information of the current ASPF session.
<Sysname> display aspf session
[Established Sessions]
Session Initiator Responder Application Status
212BA84 169.254.1.121:1427 169.254.1.52:0 ftp-data TCP_DOWN
7148124 100.1.1.1:1027 200.1.1.2:21 ftp FTP_CONXN_UP
Field Description
Initiator IP address and port number of the initiator of the session.
Interface: Ethernet1/1 Direction: outbound The ASPF policy is applied to the outbound direction of Ethernet 1/1.
display port-mapping
Use display port-mapping to view port mapping information.
Syntax
display port-mapping [ application-name | port port-number ] [ | { begin | exclude | include }
regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
application-name: Name of the application to be used for port mapping. Available applications include
FTP, H323, HTTP, HTTPS, IKE, RTSP, SMTP, SSH, and VAM.
port port-number: Specifies to display port mapping information on the specified port. The port number
is in the range of 0 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display all the information about port mapping.
<Sysname> display port-mapping
SERVICE PORT ACL TYPE
-------------------------------------------------
ftp 21 system defined
h323 1720 system defined
http 80 system defined
rtsp 554 system defined
smtp 25 system defined
ike 500 system defined
https 443 system defined
vam 18000 system defined
ssh 22 system defined
Field Description
SERVICE Application layer protocol that is mapped to a port.
Field Description
TYPE Port mapping type, system predefined or user customized.
Related commands
port-mapping
firewall aspf
Use firewall aspf to apply the specified ASPF policy to the specified direction of the current interface.
Use undo firewall aspf to remove the specified ASPF policy on the current interface.
Syntax
firewall aspf aspf-policy-number { inbound | outbound }
undo firewall aspf aspf-policy-number { inbound | outbound }
Default
No ASPF policy is applied on the interface.
Views
Interface view
Default command level
2: System level
Parameters
aspf-policy-number: Specifies an ASPF policy number in the range of 1 to 99.
inbound: Applies the ASPF policy to inbound packets.
outbound: Applies the ASPF policy to outbound packets.
Usage guidelines
The following matrix shows the command and router compatibility:
Examples
# Apply ASPF policy 1 to the outbound direction of Ethernet 1/1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] firewall aspf 1 outbound
log enable
Use log enable to enable the ASPF session logging function.
Use undo log enable to disable the ASPF session logging function.
Syntax
log enable
undo log enable
Default
The ASPF session logging function is disabled.
Views
ASPF policy view
Default command level
2: System level
Examples
# Enable the ASPF session logging function.
<Sysname> system-view
[Sysname] aspf-policy 1
[Sysname-aspf-policy-1] log enable
Related commands
• display aspf all
• display aspf interface
• display aspf policy
• display aspf session
port-mapping
Use port-mapping to map a port to an application layer protocol.
Use undo port-mapping to remove a port mapping entry.
Syntax
port-mapping application-name port port-number [ acl acl-number ]
undo port-mapping [ application-name port port-number [ acl acl-number ] ]
Default
No user-defined port mappings exist. The system-defined mappings listed by display port-mapping are always present.
Views
System view
Default command level
2: System level
Parameters
application-name: Name of the application for port mapping. Available applications include FTP, H323,
HTTP, HTTPS, IKE, RTSP, SMTP, SSH, and VAM.
port port-number: Specifies the port that the application layer protocol is mapped to. The port number is
in the range of 0 to 65535.
acl acl-number: Specifies an IPv4 basic ACL that limits the hosts to which this mapping applies. The ACL number is in
the range of 2000 to 2999.
Examples
# Map port 3456 to the FTP protocol.
<Sysname> system-view
[Sysname] port-mapping ftp port 3456
Related commands
display port-mapping
SSH configuration commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about
FIPS mode, see Security Configuration Guide.
The following matrix shows the FIPS and hardware compatibility:
Hardware    FIPS compatible
MSR93X      No
MSR20-1X    No
MSR20       Yes
MSR50       Yes
MSR1000     Yes
Examples
# Display the SSH server status.
<Sysname> display ssh server status
SSH Server: Disable
SSH version : 1.99
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH Authentication retries : 3 time(s)
SFTP Server: Disable
SFTP Server Idle-Timeout: 10 minute(s)
Field Description
SSH Server Whether the SSH server function is enabled.
SSH server key generating interval SSH server key pair update interval.
SFTP Server Whether the Secure FTP (SFTP) server function is enabled.
Field Description
Conn Connected VTY channel.
Field      Description
SerType    Service type:
           • SFTP.
           • Secure Telnet (Stelnet).
           • Secure copy (SCP).
Username   Name of a user for login.
Related commands
• ssh server authentication-retries
• ssh server authentication-timeout
• ssh server compatible-ssh1x enable
• ssh server enable
• ssh server rekey-interval
Username Authentication-type User-public-key-name Service-type
yemx password null stelnet
test publickey pubkey sftp
Field                  Description
Username               Name of the user.
Authentication-type    Authentication method:
                       • Password authentication.
                       • Publickey authentication.
                       • Password-publickey authentication.
                       • Any authentication.
User-public-key-name   Public key of the user, or name of the PKI domain that verifies the client certificate. If password authentication is used, this field displays null.
Service-type           Service type: SFTP, Stelnet, SCP, or all. If all service types are allowed, this field displays all.
Related commands
ssh user
Related commands
display ssh server
sftp server idle-timeout
Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections.
Use undo sftp server idle-timeout to restore the default.
Syntax
sftp server idle-timeout time-out-value
undo sftp server idle-timeout
Default
The idle timeout timer is 10 minutes.
Views
System view
Default command level
3: Manage level
Parameters
time-out-value: Specifies a timeout timer in the range of 1 to 35791 minutes.
Usage guidelines
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the
connection. If many SFTP connections are established, you can set a smaller value so that the connection
resources can be promptly released.
Examples
# Set the idle timeout timer for SFTP user connections to 500 minutes.
<Sysname> system-view
[Sysname] sftp server idle-timeout 500
Related commands
display ssh server
Default command level
3: Manage level
Parameters
times: Specifies the maximum number of authentication attempts, in the range of 1 to 5.
Usage guidelines
Set this limit to slow down brute-force guessing of usernames and passwords.
This setting takes effect for users at their next login.
Authentication fails if the number of authentication attempts (including both publickey and password
authentication) exceeds the upper limit configured by this command.
If the authentication method is password-publickey, the server first uses publickey authentication, and
then uses password authentication to authenticate SSH users. The process is considered one
authentication attempt.
Examples
# Set the maximum number of SSH connection authentication attempts to 4.
<Sysname> system-view
[Sysname] ssh server authentication-retries 4
Related commands
display ssh server
Examples
# Set the SSH user authentication timeout timer to 10 seconds.
<Sysname> system-view
[Sysname] ssh server authentication-timeout 10
Related commands
display ssh server
Related commands
display ssh server
Views
System view
Default command level
3: Manage level
Examples
# Enable SSH server.
<Sysname> system-view
[Sysname] ssh server enable
Related commands
display ssh server
Related commands
display ssh server
ssh user
Use ssh user to create an SSH user and specify the service type and authentication method.
Use undo ssh user to delete an SSH user.
Syntax
In non-FIPS mode:
ssh user username service-type stelnet authentication-type { password | { any | password-publickey |
publickey } assign { pki-domain pkiname | publickey keyname } }
ssh user username service-type { all | scp | sftp } authentication-type { password | { any |
password-publickey | publickey } assign { pki-domain pkiname | publickey keyname } work-directory
directory-name }
undo ssh user username
In FIPS mode:
ssh user username service-type stelnet authentication-type { password | password-publickey assign
publickey keyname }
ssh user username service-type { all | sftp } authentication-type { password | password-publickey
assign publickey keyname work-directory directory-name }
undo ssh user username
Views
System view
Default command level
3: Manage level
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type of an SSH user:
• all: Specifies Stelnet, SFTP, and SCP.
• scp: Specifies the service type as SCP.
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies the authentication method of an SSH user:
• password: Performs password authentication. This method is simple and fast, but it relies on a single secret
and is exposed to password guessing. It can work with AAA to implement user authentication,
authorization, and accounting.
• any: Performs either password authentication or publickey authentication. This method is not
supported in FIPS mode.
• password-publickey: Performs both password authentication and publickey authentication
(featuring higher security) if the client runs SSH2, and performs either type of authentication if the
client runs SSH1.
• publickey: Performs publickey authentication. This method costs more computation than password
authentication, but it provides strong authentication that resists brute-force attacks. It is also
convenient to use: once configured, authentication completes automatically without entering any
password. This method is not supported in FIPS mode.
assign: Specifies parameters that are used to verify the client.
• pki-domain pkiname: Specifies the PKI domain which verifies the client certificate. The pkiname
argument is a case-insensitive string of 1 to 15 characters. The server uses the CA certificate that is
saved in the PKI domain to verify one or multiple client certificates without saving clients' public keys
in advance.
• publickey keyname: Specifies the public key of the SSH user. The keyname argument represents an
existing public key to an SSH user, and is a case-sensitive string of 1 to 64 characters. The server
checks the validity of the user through the user's public key that has been locally saved. If the public
key file on the client changes, the server needs to update the local configuration promptly.
work-directory directory-name: Specifies the working directory for an SFTP user. The directory-name
argument is a string of 1 to 135 characters.
Usage guidelines
If the SSH server uses publickey authentication, you must create an SSH user account on the device. If the
SSH server uses password authentication, you do not need to create the user account on the device, but
you must configure the user account information on the device for local authentication, or on the remote
authentication server (such as a RADIUS server) for remote authentication.
If you use the ssh user command to specify a public key or PKI domain for a user multiple times, the most
recent configuration takes effect.
You can change parameters for an SSH user that has logged in, but your changes take effect on the user
at next login.
If an SFTP or SCP user has been assigned a public key or PKI domain, you must also set a working
directory for the user.
The working folder of an SFTP or SCP user depends on the user authentication method:
• If the authentication method is password, the working folder is the AAA authorized one.
• If the authentication method is publickey or password-publickey, the working folder is the one set
by using the ssh user command.
Examples
# Create an SSH user named user1, setting the service type as sftp, the authentication method as
publickey, assigning a public key named key1 to the client, and the work folder of the SFTP server as
flash:
<Sysname> system-view
[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey
key1 work-directory flash:
Related commands
• display ssh user-information
• pki domain
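The retry and timeout limits documented earlier in this chapter and the per-user authentication types set with ssh user are the first things an auditor checks on one of these routers. The following Python script is an added example, not part of this reference or of HP's software: it parses constructed samples of the display ssh server status and display ssh user-information output shown above (the sample values were changed from the book's examples so that they trigger findings) and reports settings that weaken SSH authentication: SSH1 compatibility (version string 1.99), retry, authentication-timeout and SFTP idle-timeout values above a local policy threshold (the thresholds are assumed for this example, the reference only documents the defaults), and users whose authentication-type is password or any. The remediation text quotes the commands from this chapter.

```python
import re

# Constructed sample output, modelled on the display ssh server status and
# display ssh user-information examples in this reference; not captured from a real device.
SERVER_STATUS = """\
SSH Server: Enable
SSH version : 1.99
SSH authentication-timeout : 120 second(s)
SSH server key generating interval : 0 hour(s)
SSH Authentication retries : 5 time(s)
SFTP Server: Enable
SFTP Server Idle-Timeout: 500 minute(s)
"""

USER_INFORMATION = """\
Username  Authentication-type  User-public-key-name  Service-type
yemx      password             null                  stelnet
test      publickey            pubkey                sftp
ops       any                  opskey                all
"""

# Thresholds are a local policy assumed for this example; the reference only documents
# the defaults (retries 3, timeout 60 s, SFTP idle timeout 10 min).
POLICY = {"max_retries": 3, "max_auth_timeout_s": 60, "max_sftp_idle_min": 10}


def parse_server_status(text):
    """Map each 'Label : value' line of display ssh server status to its raw value string."""
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def number(value):
    """Leading numeric part of a value such as '60 second(s)' or '1.99'; None if absent."""
    m = re.match(r"\d+(?:\.\d+)?", value)
    return float(m.group()) if m else None


def parse_user_information(text):
    """Parse the four-column display ssh user-information table into one dict per user."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    header = [h.lower() for h in rows[0]]
    return [dict(zip(header, row)) for row in rows[1:]]


def audit(status, users, policy=POLICY):
    """Return (code, message) findings for settings that weaken SSH authentication."""
    findings = []
    # RFC 4253: a server announcing 1.99 also accepts SSH1 clients.
    if status.get("SSH version") == "1.99":
        findings.append(("SSH1_COMPAT",
                         "version 1.99 means SSH1 clients are accepted; see ssh server compatible-ssh1x enable"))
    retries = number(status.get("SSH Authentication retries", ""))
    if retries is not None and retries > policy["max_retries"]:
        findings.append(("RETRIES", f"authentication retries {retries:g} > {policy['max_retries']}: "
                                    f"ssh server authentication-retries {policy['max_retries']}"))
    timeout = number(status.get("SSH authentication-timeout", ""))
    if timeout is not None and timeout > policy["max_auth_timeout_s"]:
        findings.append(("AUTH_TIMEOUT", f"authentication timeout {timeout:g} s > {policy['max_auth_timeout_s']} s: "
                                         f"ssh server authentication-timeout {policy['max_auth_timeout_s']}"))
    idle = number(status.get("SFTP Server Idle-Timeout", ""))
    if idle is not None and idle > policy["max_sftp_idle_min"]:
        findings.append(("SFTP_IDLE", f"SFTP idle timeout {idle:g} min > {policy['max_sftp_idle_min']} min: "
                                      f"sftp server idle-timeout {policy['max_sftp_idle_min']}"))
    # password and any both allow a login that rests on the password alone.
    for user in users:
        if user["authentication-type"] in ("password", "any"):
            findings.append(("WEAK_USER_AUTH",
                             f"user {user['username']} allows password-only login "
                             f"({user['authentication-type']}); prefer publickey or password-publickey"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_server_status(SERVER_STATUS), parse_user_information(USER_INFORMATION)):
        print(f"{code:15} {msg}")
```

Feed the script the real command output captured from a device and adjust POLICY to the site standard; the check is deliberately limited to what the two display commands expose, so it does not see AAA-side password policy.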
SSH client configuration commands
bye
Use bye to terminate the connection with the SFTP server and return to user view.
Syntax
bye
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the exit and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> bye
Bye
Connection closed.
<Sysname>
cd
Use cd to change the working path on an SFTP server.
Syntax
cd [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path: Specifies the name of a path on the server. If this argument is not specified, the command
displays the current working path.
Usage guidelines
You can use the cd .. command to return to the upper-level directory.
You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
sftp-client> cd new1
Current Directory is:
/new1
cdup
Use cdup to return to the upper-level directory.
Syntax
cdup
Views
SFTP client view
Default command level
3: Manage level
Examples
# Return to the upper-level directory from the current working directory /new1.
sftp-client> cdup
Current Directory is:
/
delete
Use delete to delete files from a server.
Syntax
delete remote-file&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies the names of files on the server. &<1-10> means that you can provide up to
10 filenames, which are separated by space.
Usage guidelines
This command functions as the remove command.
Examples
# Delete file temp.c from the server.
sftp-client> delete temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...
dir
Use dir to display information about the files and sub-directories under a directory.
Syntax
dir [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the names of the files and sub-directories under a directory.
-l: Displays the detailed information about the files and sub-directories under a directory in the form of a
list.
remote-path: Specifies the name of the directory to be queried.
Usage guidelines
If the -a and -l keywords are not specified, the command displays detailed information about the files
and sub-directories under a directory in the form of a list.
If the remote-path argument is not specified, the command displays information about the files and
sub-directories under the current working directory.
This command functions as the ls command.
Examples
# Display detailed information about the files and sub-directories under the current working directory in
the form of a list.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If neither source IP address nor source interface is specified for the SFTP client, the system displays the
message "Neither source IP address nor source interface was specified for the SFTP client."
Examples
# Display the source IP address for the SFTP client.
<Sysname> display sftp client source
The source IP address you specified is 192.168.0.1
Related commands
sftp client source
Related commands
ssh client source
display ssh server-info
Use display ssh server-info on an SSH client to display the mappings between SSH servers and their host
public keys saved on the client.
Syntax
display ssh server-info [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
When an SSH client authenticates the SSH server, it compares the server's host key against the public key
saved locally for that server. If that authentication fails, use this command to check which saved public
key the client associates with the server.
Examples
# Display the mappings between SSH servers and their host public keys on the client.
<Sysname> display ssh server-info
Server Name(IP) Server public key name
______________________________________________________
192.168.0.1 abc_key01
192.168.0.2 abc_key02
Field Description
Server Name(IP) Name or IP address of the server.
Server public key name Name of the host public key of the server.
Related commands
ssh client authentication server
exit
Use exit to terminate the connection with the remote SFTP server and return to user view.
Syntax
exit
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the bye and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> exit
Bye
Connection closed.
<Sysname>
get
Use get to download a file from the SFTP server and save it locally.
Syntax
get remote-file [ local-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file. If this argument is not specified, the file will be saved
locally with the same name as that on the SFTP server.
Examples
# Download file temp1.c and save it as temp.c locally.
sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.c
Downloading file successfully ended
help
Use help to display all commands or the help information of an SFTP client command.
Syntax
help [ all | command-name ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
all: Displays all commands.
command-name: Specifies a command.
Usage guidelines
With neither the argument nor the keyword specified, the command displays all commands in a list.
Examples
# Display the help information of the get command.
sftp-client> help get
get remote-path [local-path] Download file.Default local-path is the same
as remote-path
ls
Use ls to display file and folder information under a directory.
Syntax
ls [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the filenames and the folder names under a directory.
-l: Displays detailed information about the files and folders under a directory in the form of a list.
remote-path: Specifies the name of the directory to be queried.
Usage guidelines
If the -a and -l keywords are not specified, the command displays detailed information about files and
folders under the specified directory in the form of a list.
If the remote-path argument is not specified, the command displays the file and folder information under
the current working directory.
This command functions as the dir command.
Examples
# Display detailed information about files and folders under the current working directory in the form of
a list.
sftp-client> ls
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
mkdir
Use mkdir to create a directory on the SFTP server.
Syntax
mkdir remote-path
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path: Specifies the name of a directory on the SFTP server.
Examples
# Create a directory named test on the SFTP server.
sftp-client> mkdir test
New directory created
put
Use put to upload a local file to an SFTP server.
Syntax
put local-file [ remote-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name for the file on an SFTP server. If this argument is not specified, the file will
be saved remotely with the same name as the local one.
Examples
# Upload local file temp.c to the SFTP server and save it as temp1.c.
sftp-client> put temp.c temp1.c
Local file:temp.c ---> Remote file: /temp1.c
Uploading file successfully ended
pwd
Use pwd to display the current working directory of an SFTP server.
Syntax
pwd
Views
SFTP client view
Default command level
3: Manage level
Examples
# Display the current working directory of the SFTP server.
sftp-client> pwd
/
quit
Use quit to terminate the connection with an SFTP server and return to user view.
Syntax
quit
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the bye and exit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> quit
Bye
Connection closed.
<Sysname>
remove
Use remove to delete files from a remote server.
Syntax
remove remote-file&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies the names of files on an SFTP server. &<1-10> means that you can provide
up to 10 filenames, which are separated by space.
Usage guidelines
This command functions as the delete command.
Examples
# Delete file temp.c from the server.
sftp-client> remove temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...
rename
Use rename to change the name of a file or directory on an SFTP server.
Syntax
rename oldname newname
Views
SFTP client view
Default command level
3: Manage level
Parameters
oldname: Specifies the name of an existing file or directory.
newname: Specifies the new name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp-client> rename temp1.c temp2.c
File successfully renamed
rmdir
Use rmdir to delete the specified directories from an SFTP server.
Syntax
rmdir remote-path&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path&<1-10>: Specifies the names of directories on the remote SFTP server. &<1-10> means that
you can provide up to 10 directory names that are separated by space.
Examples
# On the SFTP server, delete directory temp1 in the current directory.
sftp-client> rmdir temp1
Directory successfully removed
scp
Use scp to transfer files with an SCP server.
Syntax
In non-FIPS mode:
scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key { dsa
| rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1
| sha1-96 } ] *
In FIPS mode:
scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key rsa
| prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac
{ sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac
{ sha1 | sha1-96 } ] *
Default
The following matrix shows the default algorithms used in non-FIPS and FIPS modes:
Views
User view
Default command level
3: Manage level
Parameters
ipv6: Specifies the type of the server as IPv6. If this keyword is not specified, the server is an IPv4 server.
server: Specifies an IPv4 or IPv6 server by its address or host name. For an IPv4 server, it is a
case-insensitive string of 1 to 20 characters. For an IPv6 server, it is a case-insensitive string of 1 to 46
characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
get: Downloads the file.
put: Uploads the file.
source-file-path: Specifies the directory of the source file.
destination-file-path: Specifies the directory of the target file. If this argument is not specified, the
directory names of the source and target files are same.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.
• dsa: Specifies the public key algorithm dsa. This keyword is not available in FIPS mode.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is
not used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm [email protected].
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only available in FIPS
mode.
• des: Specifies the encryption algorithm des-cbc. This keyword is not available in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode.
• md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not
available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
Usage guidelines
When the client uses publickey authentication, it must sign with its local private key. In non-FIPS mode,
publickey authentication can use either RSA or DSA, so you must specify the client's algorithm with the
identity-key keyword so that the correct local private key is used.
Examples
# Connect to the SCP server 192.168.0.1, download the file remote.bin from the server, and save it locally
to the file local.bin
<Sysname> scp 192.168.0.1 get remote.bin local.bin
sftp
Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.
Syntax
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |
prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 |
md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-ctos-cipher
{ aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Default
The following matrix shows the default algorithms used in non-FIPS and FIPS modes:
Views
User view
Default command level
3: Manage level
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 20 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the server belongs, where the
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public
network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.
• dsa: Specifies the public key algorithm dsa. This keyword is not available in FIPS mode.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is
not used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm [email protected].
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only available in FIPS
mode.
• des: Specifies the encryption algorithm des-cbc. This keyword is not available in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default algorithm is
sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode.
• md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange
in non-FIPS mode, and dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not
available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default algorithm is
aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default algorithm is
sha1-96.
Usage guidelines
When the server adopts publickey authentication to authenticate a client, the client must get the local
private key for digital signature. In non-FIPS mode, because the publickey authentication uses either RSA
or DSA algorithm, you must specify the public key algorithm of the client (by using the identity-key
keyword) in order to get the correct local private key.
Examples
# Connect to SFTP server 10.1.1.2, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
<Sysname> sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac
md5 prefer-stoc-hmac sha1-96
Input Username:
Related commands
display sftp client source
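The prefer-* keywords of scp and sftp are the algorithms the client offers first in the SSH negotiation, so a careless choice (such as the dh-group1 and md5 values in the sftp example above, which the reference uses only to illustrate syntax) weakens the session even though the server makes the final selection. The following Python script is an added example, not part of this reference or of HP's software: it takes a Comware scp or sftp command line, fills in the documented defaults for the options that were omitted, flags keywords that a local policy (an assumption of this example) treats as weak or that are unavailable in FIPS mode, and rewrites the command with the strongest keywords the reference lists. The keyword sets, defaults and FIPS restrictions are copied from the scp and sftp syntax above; the WEAK table and the STRONGEST replacements are this example's own policy.

```python
import shlex

# Keyword sets for each option, copied from the scp / sftp syntax in this reference.
NON_FIPS = {
    "identity-key":       {"dsa", "rsa"},
    "prefer-compress":    {"zlib", "zlib-openssh"},
    "prefer-ctos-cipher": {"3des", "aes128", "aes256", "des"},
    "prefer-stoc-cipher": {"3des", "aes128", "aes256", "des"},
    "prefer-ctos-hmac":   {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-stoc-hmac":   {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-kex":         {"dh-group-exchange", "dh-group1", "dh-group14"},
}
FIPS = {
    "identity-key":       {"rsa"},
    "prefer-compress":    {"zlib", "zlib-openssh"},
    "prefer-ctos-cipher": {"aes128", "aes256"},
    "prefer-stoc-cipher": {"aes128", "aes256"},
    "prefer-ctos-hmac":   {"sha1", "sha1-96"},
    "prefer-stoc-hmac":   {"sha1", "sha1-96"},
    "prefer-kex":         {"dh-group14"},
}
# Defaults applied when an option is omitted, from the Parameters sections above
# (prefer-compress has no default: compression is simply not used).
DEFAULTS = {
    "identity-key": "dsa", "prefer-ctos-cipher": "aes128", "prefer-stoc-cipher": "aes128",
    "prefer-ctos-hmac": "sha1-96", "prefer-stoc-hmac": "sha1-96", "prefer-kex": "dh-group-exchange",
}
FIPS_DEFAULTS = dict(DEFAULTS, **{"identity-key": "rsa", "prefer-kex": "dh-group14"})

# Local policy (an assumption of this example, not a statement from the reference):
# keywords the client should never prefer, and why.
WEAK = {
    "des":       "des-cbc uses a 56-bit key",
    "3des":      "3des-cbc has a 64-bit block (birthday-bound attacks on long sessions)",
    "md5":       "hmac-md5 relies on MD5",
    "md5-96":    "hmac-md5-96 relies on MD5 and truncates the tag to 96 bits",
    "dh-group1": "diffie-hellman-group1-sha1 uses a 1024-bit MODP group",
}
# Replacement used when a weak value is found; every keyword here is valid in both modes.
STRONGEST = {
    "prefer-ctos-cipher": "aes128", "prefer-stoc-cipher": "aes128",
    "prefer-ctos-hmac": "sha1", "prefer-stoc-hmac": "sha1",
    "prefer-kex": "dh-group14",
}


def parse_command(cmd):
    """Split a Comware scp/sftp command line into its fixed tokens and its option/value pairs."""
    tokens = shlex.split(cmd)
    fixed, opts, i = [], {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in NON_FIPS:
            if i + 1 >= len(tokens) or tokens[i + 1] not in NON_FIPS[tok]:
                raise ValueError(f"{tok} needs one of {sorted(NON_FIPS[tok])}")
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            fixed.append(tok)
            i += 1
    return fixed, opts


def effective(opts, fips=False):
    """What the client will actually prefer, including defaults the operator did not type."""
    merged = dict(FIPS_DEFAULTS if fips else DEFAULTS)
    merged.update(opts)
    return merged


def findings(cmd, fips=False):
    """(option, value, reason) for every preference that is weak or unusable in the given mode."""
    _, opts = parse_command(cmd)
    allowed = FIPS if fips else NON_FIPS
    out = []
    for option, value in sorted(effective(opts, fips).items()):
        if value not in allowed[option]:
            out.append((option, value, "not available in FIPS mode"))
        elif value in WEAK:
            out.append((option, value, WEAK[value]))
    return out


def harden(cmd):
    """Rewrite the command so that every weak preference, typed or defaulted, is replaced."""
    fixed, opts = parse_command(cmd)
    for option, value in effective(opts).items():
        if value in WEAK:
            opts[option] = STRONGEST[option]
    return " ".join(fixed + [f"{k} {v}" for k, v in opts.items()])


if __name__ == "__main__":
    # The sftp example from this reference, which prefers dh-group1 and md5.
    example = ("sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 "
               "prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96")
    for option, value, reason in findings(example):
        print(f"{option} {value}: {reason}")
    print(harden(example))
```

Every cipher these commands offer is CBC mode and every HMAC and key exchange is SHA-1 based, so the script hardens only within what the release supports; it cannot add algorithms the device does not list, and the server's own preference order still decides the outcome.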
undo sftp client source
Default
An SFTP client uses the IP address of the interface specified by the route of the device to access the SFTP
server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the
manageability of SFTP clients in the authentication service, HP recommends that you specify a loopback
interface or dialer interface as the source interface.
Examples
# Specify the source IP address of the SFTP client as 192.168.0.1.
<Sysname> system-view
[Sysname] sftp client source ip 192.168.0.1
Related commands
display sftp client source
sftp ipv6
Use sftp ipv6 to establish a connection to an IPv6 SFTP server and enter SFTP client view.
Syntax
In non-FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |
prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 |
md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp ipv6 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } |
prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 }
| prefer-stoc-hmac { sha1 | sha1-96 } ] *
Default
The following matrix shows the default algorithms used in non-FIPS and FIPS modes:
Preferred algorithm                               In non-FIPS mode   In FIPS mode
Preferred client-to-server encryption algorithm   aes128             aes128
Views
User view
Default command level
3: Manage level
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 46 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the server belongs, where the
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public
network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.
• dsa: Specifies the public key algorithm dsa. This keyword is not available in FIPS mode.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is
not used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default algorithm is
aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only available in FIPS
mode.
• des: Specifies the encryption algorithm des-cbc. This keyword is not available in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default algorithm is
sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode.
• md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange
in non-FIPS mode, and dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not
available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default algorithm is
aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default algorithm is
sha1-96.
Usage guidelines
When the server uses publickey authentication to authenticate a client, the client must obtain the local
private key to produce the digital signature. In non-FIPS mode, publickey authentication can use either the
RSA or the DSA algorithm, so you must specify the public key algorithm of the client (by using the
identity-key keyword) so that the correct local private key is used.
Examples
# Connect to server 2:5::8:9, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
<Sysname> sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128
prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
Input Username:
Parameters
server: Specifies a server by its IP address or host name, a string of 1 to 80 characters.
assign publickey keyname: Specifies the name of the host public key of the server, a string of 1 to 64
characters.
Usage guidelines
If the client does not support first-time authentication, it will reject unauthenticated servers. In this case,
you need to configure the public keys of the servers and specify the mappings between public keys and
servers on the client, so that the client uses the correct public key of a server to authenticate the server.
The specified host public key of the server must already exist.
Examples
# Configure the public key of the server at 192.168.0.1 to be key1.
<Sysname> system-view
[Sysname] ssh client authentication server 192.168.0.1 assign publickey key1
Related commands
ssh client first-time enable
<Sysname> system-view
[Sysname] ssh client first-time enable
Related commands
display ssh client source
Default
An Stelnet client uses the IP address of the interface specified by the route of the device to access the
Stelnet server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve
the manageability of Stelnet clients in the authentication service, HP recommends that you specify a
loopback interface or dialer interface as the source interface.
Examples
# Specify the source IPv4 address of the Stelnet client as 192.168.0.1.
<Sysname> system-view
[Sysname] ssh client source ip 192.168.0.1
Related commands
display ssh client source
ssh2
Use ssh2 to establish a connection to an IPv4 Stelnet server and specify the public key algorithm, the
preferred key exchange algorithm, the preferred encryption algorithms, and preferred HMAC algorithms
between the client and server.
Syntax
In non-FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |
prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 |
md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-ctos-cipher
{ aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Default
The following matrix shows the default algorithms used in non-FIPS and FIPS modes:
Preferred algorithm    In non-FIPS mode   In FIPS mode
Public key algorithm   dsa                rsa
Views
User view
Default command level
0: Visit level
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 20 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the server belongs, where the
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public
network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.
• dsa: Specifies the public key algorithm dsa. This keyword is not available in FIPS mode.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is
not used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default algorithm is
aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only available in FIPS
mode.
• des: Specifies the encryption algorithm des-cbc. This keyword is not available in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default algorithm is
sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode.
• md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange
in non-FIPS mode, and dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not
available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default algorithm is
aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default algorithm is
sha1-96.
Usage guidelines
When the client's authentication method is publickey, the client must obtain the local private key to produce
the digital signature. In non-FIPS mode, publickey authentication can use either the RSA or the DSA
algorithm, so you must specify the public key algorithm of the client (by using the identity-key keyword)
so that the correct local private key is used.
Examples
# Log in to Stelnet server 10.214.50.51, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
<Sysname> ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128
prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
ssh2 ipv6
Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server and specify public key algorithm, the
preferred key exchange algorithm, the preferred encryption algorithms, and preferred HMAC algorithms
between the client and server.
Syntax
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |
prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } |
prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1
| dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 |
md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } |
prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 }
| prefer-stoc-hmac { sha1 | sha1-96 } ] *
Default
The following matrix shows the default algorithms used in non-FIPS and FIPS modes:
Views
User view
Default command level
0: Visit level
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 46 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the server belongs, where the
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the server is on the public
network, do not specify this option.
identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.
• dsa: Specifies the public key algorithm dsa. This keyword is not available in FIPS mode.
• rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is
not used.
• zlib: Specifies the compression algorithm ZLIB.
• zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default algorithm is
aes128.
• 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not available in FIPS mode.
• aes128: Specifies the encryption algorithm aes128-cbc.
• aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only available in FIPS
mode.
• des: Specifies the encryption algorithm des-cbc. This keyword is not available in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default algorithm is
sha1-96.
• md5: Specifies the HMAC algorithm hmac-md5. This keyword is not available in FIPS mode.
• md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not available in FIPS mode.
• sha1: Specifies the HMAC algorithm hmac-sha1.
• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange
in non-FIPS mode, and dh-group14 in FIPS mode.
• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
This keyword is not available in FIPS mode.
• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not
available in FIPS mode.
• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default algorithm is
aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default algorithm is
sha1-96.
Usage guidelines
When the client's authentication method is publickey, the client must obtain the local private key to produce
the digital signature. In non-FIPS mode, publickey authentication can use either the RSA or the DSA
algorithm, so you must specify the public key algorithm of the client (by using the identity-key keyword)
so that the correct local private key is used.
Examples
# Log in to Stelnet server 2000::1, using the following connection scheme:
• The preferred key exchange algorithm is dh-group1.
• The preferred server-to-client encryption algorithm is aes128.
• The preferred client-to-server HMAC algorithm is md5.
• The preferred server-to-client HMAC algorithm is sha1-96.
<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128
prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
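The four client commands sftp, sftp ipv6, ssh2 and ssh2 ipv6 share one set of algorithm keywords, and the FIPS-mode syntax of each drops des, 3des, md5, md5-96, dh-group1, dh-group-exchange, dsa and prefer-compress. The following Python script is an added example, not part of this reference and not Comware code: it parses such a command line, fills in the documented defaults, and reports every keyword value that the FIPS-mode syntax does not accept, which is a quick way to review a stored client command before a device is switched to FIPS mode. The keyword tables and defaults are copied from the parameter descriptions above; the parser itself and its treatment of a bare integer after the server as port-number are assumptions of this example.

```python
"""Check sftp / ssh2 client algorithm options against the FIPS-mode syntax.

Added example, not Comware code. Keyword sets and defaults are taken from the
parameter descriptions of sftp, sftp ipv6, ssh2 and ssh2 ipv6.
"""
import shlex

# Every option keyword accepted in non-FIPS mode, with its legal values.
NON_FIPS = {
    "identity-key": {"dsa", "rsa"},
    "prefer-compress": {"zlib", "zlib-openssh"},
    "prefer-ctos-cipher": {"3des", "aes128", "aes256", "des"},
    "prefer-stoc-cipher": {"3des", "aes128", "aes256", "des"},
    "prefer-ctos-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-stoc-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-kex": {"dh-group-exchange", "dh-group1", "dh-group14"},
}

# Subset that the FIPS-mode syntax still accepts (prefer-compress is absent).
FIPS = {
    "identity-key": {"rsa"},
    "prefer-ctos-cipher": {"aes128", "aes256"},
    "prefer-stoc-cipher": {"aes128", "aes256"},
    "prefer-ctos-hmac": {"sha1", "sha1-96"},
    "prefer-stoc-hmac": {"sha1", "sha1-96"},
    "prefer-kex": {"dh-group14"},
}

# Documented defaults used when a keyword is omitted.
DEFAULTS_NON_FIPS = {
    "identity-key": "dsa", "prefer-kex": "dh-group-exchange",
    "prefer-ctos-cipher": "aes128", "prefer-stoc-cipher": "aes128",
    "prefer-ctos-hmac": "sha1-96", "prefer-stoc-hmac": "sha1-96",
}
DEFAULTS_FIPS = dict(DEFAULTS_NON_FIPS, **{"identity-key": "rsa", "prefer-kex": "dh-group14"})


def parse_client_command(line):
    """Split '<Sysname> sftp [ipv6] server [port] [vpn-instance name] [keyword value]*'."""
    tokens = shlex.split(line)
    if tokens and tokens[0].startswith("<"):      # drop a leading CLI prompt such as <Sysname>
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ("sftp", "ssh2"):
        raise ValueError("not an sftp or ssh2 client command")
    result = {"command": tokens[0], "ipv6": False, "port": 22, "vpn_instance": None, "options": {}}
    i = 1
    if i < len(tokens) and tokens[i] == "ipv6":
        result["ipv6"] = True
        i += 1
    if i >= len(tokens):
        raise ValueError("missing server address or host name")
    result["server"] = tokens[i]
    i += 1
    # Assumption of this example: a bare integer right after the server is port-number.
    if i < len(tokens) and tokens[i].isdigit():
        result["port"] = int(tokens[i])
        if not 0 <= result["port"] <= 65535:
            raise ValueError("port-number must be 0 to 65535")
        i += 1
    if i < len(tokens) and tokens[i] == "vpn-instance":
        if i + 1 >= len(tokens):
            raise ValueError("vpn-instance needs a name")
        result["vpn_instance"] = tokens[i + 1]
        i += 2
    while i < len(tokens):                         # remaining tokens are keyword/value pairs
        key = tokens[i]
        if key not in NON_FIPS:
            raise ValueError(f"unknown keyword {key!r}")
        if i + 1 >= len(tokens) or tokens[i + 1] not in NON_FIPS[key]:
            raise ValueError(f"invalid value for {key}")
        result["options"][key] = tokens[i + 1]
        i += 2
    return result


def effective_algorithms(options, fips):
    """Merge the documented defaults with the explicitly chosen keywords."""
    chosen = dict(DEFAULTS_FIPS if fips else DEFAULTS_NON_FIPS)
    chosen.update((k, v) for k, v in options.items() if k in chosen)
    return chosen


def fips_violations(options):
    """Return (keyword, value) pairs that the FIPS-mode syntax does not accept."""
    return [(k, v) for k, v in sorted(options.items())
            if k not in FIPS or v not in FIPS[k]]


if __name__ == "__main__":
    # The sftp example from the reference, re-checked as if the device were in FIPS mode.
    cmd = parse_client_command("<Sysname> sftp 10.1.1.2 prefer-kex dh-group1 "
                               "prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96")
    for key, value in fips_violations(cmd["options"]):
        print(f"{key} {value}: not available in FIPS mode")
    print("effective non-FIPS algorithms:", effective_algorithms(cmd["options"], fips=False))
```

Run against the sftp example above, the script reports prefer-kex dh-group1 and prefer-ctos-hmac md5 as unavailable in FIPS mode, while the omitted identity-key and prefer-ctos-cipher keywords resolve to their documented defaults (dsa and aes128 in non-FIPS mode).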
SSL configuration commands
For encryption, SSL needs an encryption daughter card. MSR900, MSR93X and MSR20-1X routers do
not support encryption daughter cards.
The following matrix shows the FIPS and hardware compatibility:
Hardware   FIPS compatible
MSR93X     No.
MSR20-1X   No.
MSR20      Yes.
MSR50      Yes.
MSR1000    Yes.
ciphersuite
Use ciphersuite to specify the cipher suites for an SSL server policy to support.
Syntax
In non-FIPS mode:
ciphersuite [ rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha |
rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha ] *
In FIPS mode:
ciphersuite [ dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha ] *
Default
An SSL server policy supports all cipher suites.
Views
SSL server policy view
Default command level
2: System level
Parameters
dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption
algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption
algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
3DES_EDE_CBC, and the MAC algorithm of SHA.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
256-bit AES_CBC, and the MAC algorithm of SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit RC4, and the MAC algorithm of MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit
RC4, and the MAC algorithm of SHA.
Usage guidelines
With no keyword specified, the command configures an SSL server policy to support all cipher suites.
If you execute the command multiple times, the most recent configuration takes effect.
Examples
# Configure SSL server policy policy1 to support cipher suites rsa_rc4_128_md5 and rsa_rc4_128_sha.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] ciphersuite rsa_rc4_128_md5 rsa_rc4_128_sha
Related commands
display ssl server-policy
client-verify enable
Use client-verify enable to configure the SSL server to require the client to pass certificate-based
authentication.
Use undo client-verify enable to restore the default.
Syntax
client-verify enable
undo client-verify enable
Default
The SSL server does not require certificate-based SSL client authentication.
Views
SSL server policy view
Default command level
2: System level
Usage guidelines
If you configure the client-verify enable command and enable the SSL client weak authentication function,
whether the client must be authenticated is up to the client. If the client chooses to be authenticated, the
client must pass authentication before accessing the SSL server; otherwise, the client can access the SSL
server without authentication.
If you configure the client-verify enable command but disable the SSL client weak authentication function,
the SSL client must pass authentication before accessing the SSL server.
Examples
# Configure the SSL server to require certificate-based SSL client authentication.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable
Related commands
• client-verify weaken
• display ssl server-policy
client-verify weaken
Use client-verify weaken to enable SSL client weak authentication.
Use undo client-verify weaken to restore the default.
Syntax
client-verify weaken
undo client-verify weaken
Default
SSL client weak authentication is disabled.
Views
SSL server policy view
Default command level
2: System level
Usage guidelines
The client-verify weaken command takes effect only when the SSL server requires certificate-based client
authentication.
If the SSL server requires certificate-based client authentication and the SSL client weak authentication
function is enabled, whether the client must be authenticated is up to the client. If the client chooses to be
authenticated, the client must pass authentication before accessing the SSL server; otherwise, the client
can access the SSL server without authentication.
If the SSL server requires certificate-based client authentication and SSL client weak authentication is
disabled, the SSL client must pass authentication before accessing the SSL server.
Examples
# Enable SSL client weak authentication.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] client-verify enable
[Sysname-ssl-server-policy-policy1] client-verify weaken
Related commands
• client-verify enable
• display ssl server-policy
close-mode wait
Use close-mode wait to set the SSL connection close mode to wait mode. In this mode, after sending a
close-notify alert message to a client, the server does not close the connection until it receives a
close-notify alert message from the client.
Use undo close-mode wait to restore the default.
Syntax
close-mode wait
undo close-mode wait
Default
An SSL server sends a close-notify alert message to the client and closes the connection without waiting
for the close-notify alert message from the client.
Views
SSL server policy view
Default command level
2: System level
Examples
# Set the SSL connection close mode to wait.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] close-mode wait
Related commands
display ssl server-policy
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about SSL client policy policy1.
<Sysname> display ssl client-policy policy1
SSL Client Policy: policy1
SSL Version: SSL 3.0
PKI Domain: 1
Prefer Ciphersuite:
RSA_RC4_128_MD5
Server-verify: enabled
Field               Description
SSL Client Policy   SSL client policy name.
SSL Version         Version of the protocol used by the SSL client policy, SSL 3.0 or TLS 1.0.
Server-verify       Whether server authentication is enabled for the SSL client policy.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about SSL server policy policy1.
<Sysname> display ssl server-policy policy1
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
RSA_RC4_128_MD5
RSA_RC4_128_SHA
RSA_DES_CBC_SHA
RSA_3DES_EDE_CBC_SHA
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA
Handshake Timeout: 3600
Close-mode: wait disabled
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled
Client-verify weaken: disabled
Field                 Description
SSL Server Policy     SSL server policy name.
PKI Domain            If no PKI domain is specified for the SSL server policy, this field is blank, and the
                      SSL server generates and signs a certificate for itself and does not obtain a
                      certificate from a CA server.
Handshake Timeout     Handshake timeout time of the SSL server policy, in seconds.
Session Timeout       Session timeout time of the SSL server policy, in seconds.
Session Cachesize     Maximum number of buffered sessions of the SSL server policy.
Client-verify         Whether the SSL server policy requires the client to be authenticated.
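The display ssl server-policy output above collects in one place the values set by ciphersuite, client-verify enable, client-verify weaken, handshake timeout and session. The following Python script is an added example, not Comware code and not output from a device: it parses a listing in the displayed format, models the client-verify / client-verify weaken decision exactly as the usage guidelines for those two commands describe it, and flags cipher suites outside the FIPS-mode list, a blank PKI Domain (self-signed server certificate), timers outside their documented ranges, and the combination in which the client decides whether it is authenticated. The sample listing is constructed from the example output; the FIPS suite list and value ranges are taken from the ciphersuite, handshake timeout and session commands in this chapter.

```python
"""Audit a Comware 'display ssl server-policy' listing for risky settings.

Added example, not Comware code. The FIPS suite list and value ranges are taken
from the ciphersuite, handshake timeout and session commands in this chapter.
"""

# Cipher suites the FIPS-mode ciphersuite syntax accepts (upper-cased as displayed).
FIPS_SUITES = {"DHE_RSA_AES_128_CBC_SHA", "DHE_RSA_AES_256_CBC_SHA",
               "RSA_AES_128_CBC_SHA", "RSA_AES_256_CBC_SHA"}

# Documented value ranges for the numeric fields.
RANGES = {"Handshake Timeout": (180, 7200), "Session Timeout": (1800, 72000),
          "Session Cachesize": (100, 1000)}

# Constructed sample: the listing format shown in the reference, reproduced as test input.
SAMPLE_LISTING = """\
SSL Server Policy: policy1
PKI Domain: domain1
Ciphersuite:
RSA_RC4_128_MD5
RSA_RC4_128_SHA
RSA_DES_CBC_SHA
RSA_3DES_EDE_CBC_SHA
RSA_AES_128_CBC_SHA
RSA_AES_256_CBC_SHA
Handshake Timeout: 3600
Close-mode: wait disabled
Session Timeout: 3600
Session Cachesize: 500
Client-verify: disabled
Client-verify weaken: disabled
"""


def parse_server_policy(text):
    """Turn 'Field: value' lines into a dict; a 'Field:' line with no value collects the lines below it."""
    policy, current_list = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            field, _, value = line.partition(":")
            field, value = field.strip(), value.strip()
            if value:
                policy[field] = value
                current_list = None
            else:                                  # blank value: 'PKI Domain:' or 'Ciphersuite:'
                current_list = policy[field] = []
        elif current_list is not None:
            current_list.append(line)
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return policy


def client_auth_required(client_verify, weaken, client_authenticates):
    """Decision described under client-verify enable and client-verify weaken."""
    if not client_verify:
        return False                     # certificate-based client authentication is not required
    if weaken:
        return client_authenticates      # the client decides; if it chooses to authenticate it must pass
    return True                          # every client must pass authentication


def audit(policy):
    """Return human-readable findings for a parsed server policy."""
    findings = []
    for suite in policy.get("Ciphersuite", []):
        if suite.upper() not in FIPS_SUITES:
            findings.append(f"cipher suite {suite} is outside the FIPS-mode suite list")
    if not policy.get("PKI Domain"):               # blank field: the server signs its own certificate
        findings.append("no PKI domain: the server signs its own certificate")
    for field, (low, high) in RANGES.items():
        value = policy.get(field)
        if value is not None and not low <= int(value) <= high:
            findings.append(f"{field} {value} is outside the documented range {low}-{high}")
    verify = policy.get("Client-verify") == "enabled"
    weaken = policy.get("Client-verify weaken") == "enabled"
    if not verify:
        findings.append("Client-verify disabled: clients are not authenticated")
    elif weaken:
        findings.append("Client-verify weaken enabled: the client decides whether it is authenticated")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_server_policy(SAMPLE_LISTING)):
        print("-", finding)
```

On the sample listing the audit reports the four RC4, DES and 3DES suites that the FIPS-mode ciphersuite syntax does not offer, plus the disabled client verification; a listing with a blank PKI Domain line additionally triggers the self-signed certificate finding, because the parser keeps that field as an empty list rather than dropping it.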
handshake timeout
Use handshake timeout to set the handshake timeout time for an SSL server policy.
Use undo handshake timeout to restore the default.
Syntax
handshake timeout time
undo handshake timeout
Default
The handshake timeout time is 3600 seconds.
Views
SSL server policy view
Default command level
2: System level
Parameters
time: Specifies the handshake timeout time in seconds. The value range is 180 to 7200.
Usage guidelines
If the SSL server receives no packet from the SSL client before the handshake timeout time expires, the SSL
server terminates the handshake process.
Examples
# Set the handshake timeout time of SSL server policy policy1 to 3000 seconds.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] handshake timeout 3000
Related commands
display ssl server-policy
pki-domain
Use pki-domain to specify a PKI domain for an SSL server policy or SSL client policy.
Use undo pki-domain to restore the default.
Syntax
pki-domain domain-name
undo pki-domain
Default
No PKI domain is configured for an SSL server policy or SSL client policy.
Views
SSL server policy view, SSL client policy view
Default command level
2: System level
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 15 characters.
Usage guidelines
If you do not specify a PKI domain for an SSL server policy, the SSL server generates and signs a
certificate for itself rather than obtaining one from a CA server.
Examples
# Configure SSL server policy policy1 to use PKI domain server-domain.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] pki-domain server-domain
Related commands
• display ssl server-policy
• display ssl client-policy
prefer-cipher
Use prefer-cipher to specify the preferred cipher suite for an SSL client policy.
Use undo prefer-cipher to restore the default.
Syntax
In non-FIPS mode:
prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha |
rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }
undo prefer-cipher
In FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha }
undo prefer-cipher
Default
The preferred cipher suite for an SSL client policy is rsa_rc4_128_md5.
Views
SSL client policy view
Default command level
2: System level
Parameters
dhe_rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption
algorithm of 128-bit AES_CBC, and the MAC algorithm of SHA.
dhe_rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of DH_RSA, the data encryption
algorithm of 256-bit AES_CBC, and the MAC algorithm of SHA.
rsa_3des_ede_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
3DES_EDE_CBC, and the MAC algorithm of SHA.
rsa_aes_128_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit AES_CBC, and the MAC algorithm of SHA.
rsa_aes_256_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
256-bit AES_CBC, and the MAC algorithm of SHA.
rsa_des_cbc_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
DES_CBC, and the MAC algorithm of SHA.
rsa_rc4_128_md5: Specifies the key exchange algorithm of RSA, the data encryption algorithm of
128-bit RC4, and the MAC algorithm of MD5.
rsa_rc4_128_sha: Specifies the key exchange algorithm of RSA, the data encryption algorithm of 128-bit
RC4, and the MAC algorithm of SHA.
Examples
# Set the preferred cipher suite for SSL client policy policy1 to rsa_aes_128_cbc_sha.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] prefer-cipher rsa_aes_128_cbc_sha
Related commands
display ssl client-policy
server-verify enable
Use server-verify enable to enable certificate-based SSL server authentication so that the SSL client
authenticates the server by the server’s certificate during the SSL handshake process.
Use undo server-verify enable to disable certificate-based SSL server authentication. When
certificate-based SSL server authentication is disabled, it is assumed that the SSL server is valid.
Syntax
server-verify enable
undo server-verify enable
Default
Certificate-based SSL server authentication is enabled.
Views
SSL client policy view
Default command level
2: System level
Examples
# Enable certificate-based SSL server authentication.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] server-verify enable
Related commands
display ssl client-policy
session
Use session to set the maximum number of cached sessions and the caching timeout time.
Use undo session to restore the default.
Syntax
session { cachesize size | timeout time } *
undo session { cachesize | timeout } *
Default
The maximum number of cached sessions is 500 and the caching timeout time is 3600 seconds.
Views
SSL server policy view
Default command level
2: System level
Parameters
cachesize size: Specifies the maximum number of cached sessions. The value range is 100 to 1000.
timeout time: Specifies the caching timeout time in seconds. The value range is 1800 to 72000.
Usage guidelines
Negotiating session parameters and establishing a session through the SSL handshake protocol is a
complex process. To simplify it, SSL allows negotiated session parameters to be reused to establish new
sessions. This feature requires that the SSL server maintain information about existing sessions.
The number of cached sessions and the session information caching time are limited:
• If the number of sessions in the cache reaches the maximum, SSL does not cache new sessions.
• If a session has been cached for a period equal to the caching timeout time, SSL removes the
information of the session.
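The two limits described above (a full cache accepts no new sessions, and an entry is removed once it has been cached for the caching timeout time) are easy to get wrong when sizing cachesize and timeout, so here is a small Python model of them. It is an added example, not Comware code: the class only reproduces the two documented rules with the documented defaults and value ranges; session identifiers, parameters and timestamps are plain values supplied by the caller, and the demo scenario is constructed.

```python
"""Model of the SSL session cache limits described under the session command.

Added example, not Comware code. It reproduces only the two documented rules:
a full cache does not accept new sessions, and an entry that has been cached
for the caching timeout time is removed.
"""


class SessionCache:
    """Stores negotiated session parameters for reuse, bounded by size and age."""

    def __init__(self, cachesize=500, timeout=3600):
        # Defaults and value ranges from the session command.
        if not 100 <= cachesize <= 1000:
            raise ValueError("cachesize must be 100 to 1000")
        if not 1800 <= timeout <= 72000:
            raise ValueError("timeout must be 1800 to 72000 seconds")
        self.cachesize = cachesize
        self.timeout = timeout
        self._entries = {}               # session id -> (parameters, time cached)

    def _expire(self, now):
        """Drop every entry that has been cached for the full caching timeout time."""
        for session_id, (_, cached_at) in list(self._entries.items()):
            if now - cached_at >= self.timeout:
                del self._entries[session_id]

    def store(self, session_id, parameters, now):
        """Cache a freshly negotiated session; return False when the cache is full."""
        self._expire(now)
        if session_id not in self._entries and len(self._entries) >= self.cachesize:
            return False                 # the cache is full: new sessions are not cached
        self._entries[session_id] = (parameters, now)
        return True

    def resume(self, session_id, now):
        """Return the cached parameters for a session id, or None if unknown or expired."""
        self._expire(now)
        entry = self._entries.get(session_id)
        return None if entry is None else entry[0]

    def __len__(self):
        return len(self._entries)


def demo():
    """Fill the smallest permitted cache, then show rejection and timeout eviction."""
    cache = SessionCache(cachesize=100, timeout=1800)
    for n in range(100):                                  # constructed session ids and parameters
        cache.store(f"sid-{n}", {"suite": "RSA_AES_128_CBC_SHA"}, now=0)
    rejected = not cache.store("sid-new", {"suite": "RSA_AES_256_CBC_SHA"}, now=10)
    resumable = cache.resume("sid-0", now=1799) is not None
    expired = cache.resume("sid-0", now=1800) is None
    accepted_after_expiry = cache.store("sid-new", {"suite": "RSA_AES_256_CBC_SHA"}, now=1800)
    return {"rejected_when_full": rejected, "resumable_before_timeout": resumable,
            "removed_at_timeout": expired, "accepted_after_expiry": accepted_after_expiry,
            "entries": len(cache)}


if __name__ == "__main__":
    print(demo())
```

The demo shows the operational consequence of the two limits: with cachesize 100 and timeout 1800, the 101st client negotiates a full handshake because its session is not cached, and at exactly 1800 seconds every earlier entry is gone, after which new sessions are accepted again.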
Examples
# Set the caching timeout time to 4000 seconds and the maximum number of cached sessions to 600.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1] session timeout 4000 cachesize 600
Related commands
display ssl server-policy
ssl client-policy
Use ssl client-policy to create an SSL client policy and enter its view.
Use undo ssl client-policy to delete a specified SSL client policy or all SSL client policies.
Syntax
ssl client-policy policy-name
undo ssl client-policy { policy-name | all }
Views
System view
Default command level
2: System level
Parameters
policy-name: SSL client policy name, a case-insensitive string of 1 to 16 characters, which cannot be a,
al, or all.
all: Specifies all SSL client policies.
Examples
# Create SSL client policy policy1 and enter its view.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1]
Related commands
display ssl client-policy
ssl server-policy
Use ssl server-policy to create an SSL server policy and enter its view.
Use undo ssl server-policy to delete a specified SSL server policy or all SSL server policies.
Syntax
ssl server-policy policy-name
undo ssl server-policy { policy-name | all }
Views
System view
Default command level
2: System level
Parameters
policy-name: SSL server policy name, a case-insensitive string of 1 to 16 characters, which cannot be a,
al, or all.
all: Specifies all SSL server policies.
Usage guidelines
You cannot delete an SSL server policy that has been associated with one or more application layer
protocols.
Examples
# Create SSL server policy policy1 and enter its view.
<Sysname> system-view
[Sysname] ssl server-policy policy1
[Sysname-ssl-server-policy-policy1]
Related commands
display ssl server-policy
version
Use version to specify the SSL protocol version for an SSL client policy.
Use undo version to restore the default.
Syntax
In non-FIPS mode:
version { ssl3.0 | tls1.0 }
undo version
In FIPS mode:
version tls1.0
undo version
Default
The SSL protocol version for an SSL client policy is TLS 1.0.
Views
SSL client policy view
Default command level
2: System level
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
Examples
# Specify the SSL protocol version for SSL client policy policy1 as SSL 3.0.
<Sysname> system-view
[Sysname] ssl client-policy policy1
[Sysname-ssl-client-policy-policy1] version ssl3.0
Related commands
display ssl client-policy
SSL VPN configuration commands
ssl-vpn enable
Use ssl-vpn enable to enable the SSL VPN service.
Use undo ssl-vpn enable to disable the SSL VPN service.
Syntax
ssl-vpn enable
undo ssl-vpn enable
Default
The SSL VPN service is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
Before you execute this command, make sure an SSL server policy has been specified for the SSL VPN
service by using the ssl-vpn server-policy command.
Examples
# Specify the SSL server policy svpn and port 3001 for the SSL VPN service, and then enable the SSL VPN
service.
<Sysname> system-view
[Sysname] ssl server-policy svpn
[Sysname-ssl-server-policy-svpn] pki-domain domain1
[Sysname-ssl-server-policy-svpn] quit
[Sysname] ssl-vpn server-policy svpn port 3001
[Sysname] ssl-vpn enable
Related commands
ssl-vpn server-policy
ssl-vpn server-policy
Use ssl-vpn server-policy to specify the SSL server policy and port to be used by the SSL VPN service.
Use undo ssl-vpn server-policy to restore the default.
Syntax
ssl-vpn server-policy server-policy-name [ port port-number ]
undo ssl-vpn server-policy
Default
No SSL server policy is specified for the SSL VPN service.
Views
System view
Default command level
2: System level
Parameters
server-policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 16
characters.
port port-number: Specifies the port number to be used by the SSL VPN service. The value range is 1 to
65535, and the default is 443.
Usage guidelines
The specified SSL server policy must have been created.
Examples
# Specify the SSL server policy svpn and port 3001 for the SSL VPN service.
<Sysname> system-view
[Sysname] ssl server-policy svpn
[Sysname-ssl-server-policy-svpn] pki-domain domain1
[Sysname-ssl-server-policy-svpn] quit
[Sysname] ssl-vpn server-policy svpn port 3001
User profile configuration commands
display user-profile
Use display user-profile to display information about all user profiles that have been created.
Syntax
display user-profile [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all user profiles that have been created.
<Sysname> display user-profile
Status User profile
enabled a123
----Total user profiles: 1-------
----Enabled user profiles: 1-------
Field Description
Status Status of the user profile, enabled or disabled.
Total user profiles Total number of user profiles that have been created.
Enabled user profiles Total number of user profiles that have been enabled.
user-profile enable
Use user-profile enable to enable a user profile that has been created.
Use undo user-profile enable to disable the specified user profile.
Syntax
user-profile profile-name enable
undo user-profile profile-name enable
Default
A created user profile is disabled.
Views
System view
Default command level
2: System level
Parameters
profile-name: Specifies a user profile name, a case-sensitive string of 1 to 31 characters. It can only
contain English letters, digits, and underscores, and it must start with an English letter. The user profile
must already exist.
Usage guidelines
Only enabled user profiles can be applied to authenticated users.
Disabling a user profile logs out users that are using the user profile. To edit or remove the configurations
in a user profile, first disable the user profile.
Examples
# Enable user profile a123.
<Sysname> system-view
[Sysname] user-profile a123 enable
user-profile
Use user-profile to create a user profile and enter user profile view. If the specified user profile has been
created, you directly enter user profile view.
Use undo user-profile to remove an existing disabled user profile. You cannot remove a user profile that
is enabled.
Syntax
user-profile profile-name
undo user-profile profile-name
Default
No user profiles exist on the device.
Views
System view
Default command level
2: System level
Parameters
profile-name: Assigns a name to the user profile. The name is a case-sensitive string of 1 to 31 characters.
It can only contain English letters, digits, and underscores, and it must start with an English letter. A user
profile name must be globally unique.
Examples
# Create user profile a123.
<Sysname> system-view
[Sysname] user-profile a123
[Sysname-user-profile-a123]
Related commands
user-profile enable
ARP attack protection configuration commands
Related commands
display arp source-suppression
Default command level
2: System level
Parameters
limit-value: Sets the maximum number of unresolvable packets that can be received from a device in 5
seconds. The value range is 2 to 1024.
Usage guidelines
If the number of unresolvable packets from a host within 5 seconds exceeds the specified threshold, the
device stops resolving packets from the host until the 5 seconds elapse.
Examples
# Set the maximum number of unresolvable packets that the device can receive in 5 seconds to 100.
<Sysname> system-view
[Sysname] arp source-suppression limit 100
Related commands
display arp source-suppression
Table 70 Command output
Field Description
Current suppression limit Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in 5 seconds.
Current cache length Size of cache used to record source suppression information.
arp anti-attack source-mac aging-time
Use arp anti-attack source-mac aging-time to configure the age time for source MAC-based ARP attack
detection entries.
Use undo arp anti-attack source-mac aging-time to restore the default.
Syntax
arp anti-attack source-mac aging-time time
undo arp anti-attack source-mac aging-time
Default
The age time for ARP attack entries is 300 seconds (5 minutes).
Views
System view
Default command level
2: System level
Parameters
time: Specifies the age time for ARP attack entries, in the range of 60 to 6000 seconds.
Examples
# Set the age time for ARP attack entries to 60 seconds.
<Sysname> system-view
[Sysname] arp anti-attack source-mac aging-time 60
Usage guidelines
If no MAC address is specified in the undo arp anti-attack source-mac exclude-mac command, all
excluded MAC addresses are removed.
Examples
# Exclude a MAC address from source MAC-based ARP attack detection.
<Sysname> system-view
[Sysname] arp anti-attack source-mac exclude-mac 2-2-2
Default command level
1: Monitor level
Parameters
interface interface-type interface-number: Displays ARP attack entries detected on the interface.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify any interface, the display arp anti-attack source-mac command displays ARP attack
entries detected on all interfaces.
Examples
# Display the ARP attack entries detected by source MAC-based ARP attack detection.
<Sysname> display arp anti-attack source-mac
Source-MAC VLAN ID Interface Aging-time
23f3-1122-3344 4094 GE1/1 10
23f3-1122-3355 4094 GE1/2 30
23f3-1122-33ff 4094 GE1/3 25
23f3-1122-33ad 4094 GE1/4 30
23f3-1122-33ce 4094 GE1/5 2
Default command level
2: System level
Usage guidelines
After you execute the arp anti-attack valid-check enable command, the gateway device can filter out
ARP packets with the source MAC address in the Ethernet header different from the sender MAC address
in the ARP message.
Examples
# Enable ARP packet source MAC address consistency check.
<Sysname> system-view
[Sysname] arp anti-attack valid-check enable
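The two ARP protections described above (the arp source-suppression limit window and the source MAC consistency check of arp anti-attack valid-check enable), as an added Python simulation that is not part of this command reference or of Comware. The class names, the ArpFrame fields, and the timestamps fed to the suppressor are constructed for the illustration; the fixed 5-second window and the 2 to 1024 limit range are taken from the text.

```python
"""Constructed simulation of two Comware ARP protections (not device code):
arp source-suppression limit and arp anti-attack valid-check enable."""
from dataclasses import dataclass
from typing import Dict, Tuple

WINDOW_SECONDS = 5.0  # fixed window used by ARP source suppression
_HEX = set("0123456789abcdef")


class SourceSuppressor:
    """Counts unresolvable packets per source IP in fixed 5-second windows.

    Once more than `limit` such packets arrive from one host within a
    window, the device stops resolving packets from that host until the
    5 seconds elapse; the next window starts with a fresh count.
    """

    def __init__(self, limit: int) -> None:
        if not 2 <= limit <= 1024:  # value range of the limit-value argument
            raise ValueError("limit-value must be in the range 2 to 1024")
        self.limit = limit
        # source IP -> (start of current window, packets seen in it)
        self._windows: Dict[str, Tuple[float, int]] = {}

    def should_resolve(self, src_ip: str, now: float) -> bool:
        """Record one unresolvable packet; True if the device still resolves it."""
        start, count = self._windows.get(src_ip, (None, 0))
        if start is None or now - start >= WINDOW_SECONDS:
            start, count = now, 0  # the 5 seconds elapsed: open a new window
        count += 1
        self._windows[src_ip] = (start, count)
        return count <= self.limit


def normalize_mac(mac: str) -> str:
    """Normalise Comware H-H-H notation (for example 2-2-2) to 0002-0002-0002."""
    groups = mac.lower().split("-")
    if len(groups) != 3 or not all(1 <= len(g) <= 4 and set(g) <= _HEX for g in groups):
        raise ValueError(f"bad MAC address: {mac}")
    return "-".join(g.zfill(4) for g in groups)


@dataclass(frozen=True)
class ArpFrame:
    """The fields the consistency check looks at: Ethernet source MAC and ARP sender MAC."""
    eth_src_mac: str
    arp_sender_mac: str
    sender_ip: str


def valid_check(frame: ArpFrame) -> bool:
    """arp anti-attack valid-check enable: the gateway filters out ARP packets whose
    Ethernet-header source MAC differs from the sender MAC inside the ARP message.
    Returns True when the packet passes the check."""
    return normalize_mac(frame.eth_src_mac) == normalize_mac(frame.arp_sender_mac)
```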
ARP automatic scanning and fixed ARP
configuration commands
arp fixup
Use arp fixup to change the existing dynamic ARP entries into static ARP entries. You can use this
command again to change the dynamic ARP entries learned later into static.
Syntax
arp fixup
Views
System view
Default command level
2: System level
Usage guidelines
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually
configured static ARP entries.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static
ARP entries that the device supports. As a result, the device might fail to change all dynamic ARP entries
into static ARP entries.
Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S.
When the dynamic ARP entries are changed into static, new dynamic ARP entries might be created
(suppose the number is M) and some of the dynamic ARP entries might be aged out (suppose the number
is N). After the process is complete, the number of static ARP entries is D + S + M – N.
To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address
[ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp
static command.
Examples
# Enable fixed ARP.
<Sysname> system-view
[Sysname] arp fixup
arp scan
Use arp scan to enable ARP automatic scanning in the specified address range for neighbors.
Syntax
arp scan [ start-ip-address to end-ip-address ]
Views
Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view, VLAN interface view
Default command level
2: System level
Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher
than or equal to the start IP address.
Usage guidelines
If you specify the start IP and end IP addresses, the device scans the specific address range for neighbors
and learns their ARP entries, so that the scanning time is reduced. If the specified address range contains
multiple network segments, the sender IP address in the ARP request is the interface address on the
smallest network segment.
If you do not specify an address range, the device only scans the network where the primary IP address
of the interface resides for neighbors. The sender IP address in the ARP requests is the primary IP address
of the interface.
The start IP address and end IP address must be on the same network as the primary IP address or
manually configured secondary IP addresses of the interface.
IP addresses that already exist in ARP entries are not scanned.
ARP automatic scanning might take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP
entries are created based on ARP replies received before the scan is terminated.
Examples
# Configure the device to scan the network where the primary IP address of Ethernet 1/1 resides for
neighbors.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] arp scan
# Configure the device to scan the specific address range for neighbors.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] arp scan 1.1.1.1 to 1.1.1.20
IP source guard configuration commands
Hardware Command compatibility
MSR93X No.
MSR20-1X No.
MSR20 No.
Examples
# Display all IPv4 source guard binding entries.
<Sysname> display ip source binding
Total entries found: 3
MAC Address IP Address VLAN Interface Type
040a-0000-4000 10.1.0.9 2 Eth1/1 Static
040a-0000-3000 10.1.0.8 2 Eth1/1 DHCP-SNP
040a-0000-2000 10.1.0.7 2 Eth1/1 DHCP-SNP
Field Description
Total entries found Total number of IPv4 source guard binding entries.
MAC Address MAC address of the IPv4 source guard binding entry. If no MAC address is bound in the entry, this field displays N/A.
Related commands
• ip verify source
• ip source binding
ip source binding
Use ip source binding to configure a static IPv4 source guard binding entry on a port.
Use undo ip source binding to delete a static IPv4 source guard binding entry from a port.
Syntax
ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address |
mac-address mac-address } [ vlan vlan-id ]
undo ip source binding { ip-address ip-address | ip-address ip-address mac-address mac-address |
mac-address mac-address } [ vlan vlan-id ]
Default
No static IPv4 binding entry exists on a port.
Views
Layer 2 Ethernet port view
Default command level
2: System level
Parameters
ip-address ip-address: Specifies the IPv4 address for the static binding entry. The IPv4 address cannot be
127.x.x.x, 0.0.0.0, or a multicast IP address.
mac-address mac-address: Specifies the MAC address for the static binding in the format H-H-H. The
MAC address cannot be all 0s, all Fs (a broadcast address), or a multicast address.
vlan vlan-id: Specifies the VLAN for the static binding. vlan-id is the ID of the VLAN to be bound, in the
range of 1 to 4094.
Usage guidelines
You cannot configure the same static binding entry twice on one port, but you can configure the same
static entry on different ports.
You cannot configure a static binding entry on a link aggregation member port.
The following matrix shows the command and router compatibility:
Hardware | Command compatibility | Supported keywords | Maximum static binding entries
MSR30-11E | Yes on MSR30-11E Layer 2 fixed Ethernet ports. | ip-address, mac-address, vlan | 192
MSR30-11F | Yes on MSR30-11F Layer 2 fixed Ethernet ports. | ip-address, mac-address | 384
MSR50 | Yes on MSR50 routers installed with FIC-FSW or DFIC-FSW modules. | ip-address, mac-address, vlan | 8
MSR1000 | Yes on Layer 2 fixed Ethernet ports. | mac-address | 200
Examples
# Configure a static IPv4 IP-MAC binding entry on port Ethernet 1/1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] ip source binding ip-address 192.168.0.1 mac-address 0001-0001-0001
Related commands
display ip source binding static
ip verify source
Use ip verify source to enable the IPv4 source guard function on a port and specify the elements to be
included in the port's dynamic binding entries.
Use undo ip verify source to restore the default.
Syntax
ip verify source { ip-address | ip-address mac-address | mac-address }
undo ip verify source
Default
The IPv4 source guard function is disabled on a port.
Views
Ethernet interface view, port group view
Default command level
2: System level
Parameters
ip-address: Binds source IPv4 addresses to the port.
ip-address mac-address: Binds source IPv4 addresses and MAC addresses to the port.
mac-address: Binds source MAC addresses to the port.
Usage guidelines
You cannot configure IPv4 source guard on a port that is in a link aggregation group.
After you configure the IPv4 source guard function on a port, IPv4 source guard dynamically generates
IPv4 source guard binding entries based on the DHCP snooping entries (on a Layer 2 Ethernet port), and
all static IPv4 source guard binding entries on the port become effective.
The keywords specified in the ip verify source command control only the generation of dynamic IPv4
source guard binding entries. They do not affect static IP source guard binding entries: when matching
packets against a static source guard binding entry, a port does not take the keywords into consideration.
The following matrix shows the command and router compatibility:
Yes.
MSR93X Yes on Layer 2 fixed Ethernet ports. Supports only MAC-port binding entries.
Examples
# Configure IPv4 source guard on Layer 2 Ethernet port Ethernet 1/1 to filter packets based on the source
IPv4 address and MAC address.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] ip verify source ip-address mac-address
Related commands
display ip source binding
Default
The maximum number of IPv4 source guard binding entries allowed on a port is not set.
Views
Layer 2 Ethernet port view
Default command level
2: System level
Parameters
number: Maximum number of IPv4 source guard binding entries allowed on a port.
Usage guidelines
When the number of IPv4 binding entries on a port reaches the maximum, the router does not generate
more IPv4 binding entries on the port.
If the maximum number of IPv4 binding entries to be configured is smaller than the number of existing
IPv4 binding entries on the port, the maximum number can be configured successfully and the existing
entries will not be affected. New IPv4 binding entries, however, cannot be added any more unless the
number of IPv4 binding entries on the port drops below the configured maximum.
The following matrix shows the command and router compatibility:
MSR900 Yes. 8.
MSR93X Yes. 4.
Examples
# Set the maximum number of IPv4 source guard binding entries to 5 on port Ethernet 1/1.
<Sysname> system-view
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] ip verify source max-entries 5
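The binding rules spread over the ip source binding, ip verify source and ip verify source max-entries sections above, as an added Python model that is not part of this command reference or of Comware: argument validation, the per-port duplicate rule, static entries that ignore the ip verify source keywords, DHCP-SNP entries built only from those keywords, and the max-entries cap. Class and method names are constructed, and the model assumes that max-entries counts static and dynamic entries together.

```python
"""Constructed model of IPv4 source guard bindings (illustration, not Comware code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_MAC_GROUP = re.compile(r"^[0-9a-f]{1,4}$")
_KEYWORD_SETS = {("ip-address",), ("ip-address", "mac-address"), ("mac-address",)}


def validate_ip(ip: str) -> str:
    """ip-address argument: not 127.x.x.x, 0.0.0.0, or a multicast address."""
    addr = ipaddress.IPv4Address(ip)
    if addr.is_loopback or addr.is_multicast or int(addr) == 0:
        raise ValueError(f"invalid binding IP address: {ip}")
    return str(addr)


def validate_mac(mac: str) -> str:
    """H-H-H MAC (2-2-2 becomes 0002-0002-0002): not all 0s, all Fs, or multicast."""
    groups = mac.lower().split("-")
    if len(groups) != 3 or not all(_MAC_GROUP.match(g) for g in groups):
        raise ValueError(f"invalid MAC format: {mac}")
    digits = "".join(g.zfill(4) for g in groups)
    if digits in ("0" * 12, "f" * 12) or int(digits[:2], 16) & 1:
        raise ValueError(f"reserved MAC address: {mac}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class Binding:
    ip: Optional[str]
    mac: Optional[str]
    vlan: Optional[int]
    kind: str  # "Static" or "DHCP-SNP", the Type column of display ip source binding

    def matches(self, ip: str, mac: str, vlan: int) -> bool:
        """A packet matches when every element recorded in the entry agrees."""
        return ((self.ip is None or self.ip == ip) and (self.mac is None or self.mac == mac)
                and (self.vlan is None or self.vlan == vlan))


class SourceGuardPort:
    """One Layer 2 Ethernet port with its IPv4 source guard configuration."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.keywords: Optional[Tuple[str, ...]] = None  # None: ip verify source not configured
        self.max_entries: Optional[int] = None           # None: max-entries not set
        self.static: List[Binding] = []
        self.dynamic: List[Binding] = []

    def ip_source_binding(self, ip: Optional[str] = None, mac: Optional[str] = None,
                          vlan: Optional[int] = None) -> Binding:
        """ip source binding { ip-address ... | mac-address ... } [ vlan vlan-id ]"""
        if ip is None and mac is None:
            raise ValueError("an IP address, a MAC address, or both must be given")
        if vlan is not None and not 1 <= vlan <= 4094:
            raise ValueError("vlan-id must be in the range 1 to 4094")
        entry = Binding(validate_ip(ip) if ip else None,
                        validate_mac(mac) if mac else None, vlan, "Static")
        if entry in self.static:
            raise ValueError("the same static entry cannot be configured twice on one port")
        self.static.append(entry)
        return entry

    def ip_verify_source(self, *keywords: str) -> None:
        """ip verify source { ip-address | ip-address mac-address | mac-address }"""
        if keywords not in _KEYWORD_SETS:
            raise ValueError(f"unsupported keyword combination: {keywords}")
        self.keywords = keywords  # enables source guard; static entries become effective

    def ip_verify_source_max_entries(self, number: int) -> None:
        """ip verify source max-entries number: existing entries are kept, new ones capped."""
        self.max_entries = number

    def learn_dhcp_snooping(self, ip: str, mac: str, vlan: int) -> Optional[Binding]:
        """Generate a DHCP-SNP entry from a DHCP snooping entry using only the
        configured keywords. Assumption: max-entries counts static and dynamic entries."""
        if self.keywords is None:
            return None
        if self.max_entries is not None and len(self.static) + len(self.dynamic) >= self.max_entries:
            return None  # the port is at its cap: no new entry is generated
        entry = Binding(validate_ip(ip) if "ip-address" in self.keywords else None,
                        validate_mac(mac) if "mac-address" in self.keywords else None,
                        vlan, "DHCP-SNP")
        if entry not in self.dynamic:
            self.dynamic.append(entry)
        return entry

    def permits(self, ip: str, mac: str, vlan: int) -> bool:
        """Forward only packets matching a static or dynamic binding; static entries
        are matched on their own elements, not on the ip verify source keywords."""
        if self.keywords is None:
            return True  # source guard off: nothing is filtered
        return any(b.matches(ip, mac.lower(), vlan) for b in self.static + self.dynamic)
```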
Attack detection and protection configuration
commands
Related commands
• attack-defense policy
• display attack-defense policy
attack-defense policy
Use attack-defense policy to create an attack protection policy and enter attack protection policy view.
Use undo attack-defense policy to remove an attack protection policy.
Syntax
attack-defense policy policy-number [ interface interface-type interface-number ]
undo attack-defense policy policy-number [ interface interface-type interface-number ]
Default
No attack protection policy is created.
Views
System view
Default command level
2: System level
Parameters
policy-number: Specifies the sequence number of an attack protection policy, in the range of 1 to 128.
interface interface-type interface-number: Specifies the interface that uses the policy exclusively. If you
specify an interface, the policy is applied to the interface only. Otherwise, the policy is applied to
multiple interfaces.
Examples
# Create attack protection policy 1.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1]
Related commands
display attack-defense policy
blacklist enable
Use blacklist enable to enable the blacklist function.
Use undo blacklist enable to restore the default.
Syntax
blacklist enable
undo blacklist enable
Default
The blacklist function is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
After the blacklist function is enabled, you can add blacklist entries manually or configure the device to
add blacklist entries automatically. The auto-blacklist function must cooperate with the scanning attack
protection function or the user login authentication function. For configuration information about
scanning attack protection, see the defense scan add-to-blacklist command.
Examples
# Enable the blacklist function.
<Sysname> system-view
[Sysname] blacklist enable
Related commands
• defense scan
• display attack-defense policy
blacklist ip
Use blacklist ip to add a blacklist entry. After an IP address is added to the blacklist, the device filters all
packets from it.
Use undo blacklist to delete blacklist entries or cancel the aging time configuration of a blacklist entry.
Syntax
blacklist ip source-ip-address [ timeout minutes ]
undo blacklist { all | ip source-ip-address [ timeout ] }
Views
System view
Default command level
2: System level
Parameters
source-ip-address: Specifies the IP address to be added to the blacklist, used to match the source IP
address of packets. This IP address cannot be a broadcast address, 127.0.0.0/8, a class D address, or
a class E address.
all: Specifies all blacklist entries.
timeout minutes: Specifies an aging time for the blacklist entry. The minutes argument is the aging time
in minutes, in the range of 1 to 1000. If you do not specify the aging time, the blacklist entry never ages
out and exists until you delete it manually.
Usage guidelines
You can use the undo blacklist ip source-ip-address timeout command to cancel the aging time specified
for a manually added blacklist entry. After the configuration, this blacklist entry never gets aged.
All blacklist entries can take effect only when the blacklist function is enabled.
You can modify the aging time of an existing blacklist entry, and the modification takes effect
immediately.
Examples
# Add IP address 192.168.1.2 to the blacklist, and configure its aging time as 20 minutes.
<Sysname> system-view
[Sysname] blacklist ip 192.168.1.2 timeout 20
Related commands
• blacklist enable
• display blacklist
Related commands
• defense icmp-flood enable
• defense icmp-flood ip
• defense icmp-flood rate-threshold
• display attack-defense policy
Default command level
2: System level
Examples
# Enable ICMP flood attack protection in attack protection policy 1.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense icmp-flood enable
Related commands
• defense icmp-flood action drop-packet
• defense icmp-flood ip
• defense icmp-flood rate-threshold
• display attack-defense policy
defense icmp-flood ip
Use defense icmp-flood ip to configure the action and silence thresholds for ICMP flood attack protection
of a specific IP address.
Use undo defense icmp-flood ip to remove the configuration.
Syntax
defense icmp-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
undo defense icmp-flood ip ip-address [ rate-threshold ]
Default
No ICMP flood attack protection thresholds are configured for an IP address.
Views
Attack protection policy view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address to be protected. This IP address cannot be a broadcast address,
127.0.0.0/8, a class D address, or a class E address.
high rate-number: Sets the action threshold for ICMP flood attack protection of the specified IP address.
The rate-number argument indicates the number of ICMP packets sent to the specified IP address per
second and is in the range of 1 to 65535. With the ICMP flood attack protection enabled, the
device enters attack detection state. When the device detects that the sending rate of ICMP packets
destined for the specified IP address constantly reaches or exceeds the specified action threshold, the
device considers the IP address to be under attack, enters attack protection state, and takes protection
actions as configured.
low rate-number: Sets the silence threshold for ICMP flood attack protection of the specified IP address.
The rate-number argument indicates the number of ICMP packets sent to the specified IP address per
second and is in the range of 1 to 65535. The default value of the silence threshold is 3/4 of the
action threshold. When the device is in attack protection state, if it detects that the sending rate of ICMP
packets destined for the specified IP address drops below the silence threshold, it considers that the
attack is over, returns to attack detection state, and stops the protection actions.
Usage guidelines
You can configure ICMP flood attack protection thresholds for a maximum of 32 IP addresses in an attack
protection policy.
Examples
# Enable ICMP flood attack protection for IP address 192.168.1.2, and set the action threshold to 2000
packets per second and the silence threshold to 1000 packets per second.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense icmp-flood ip 192.168.1.2 rate-threshold high 2000 low 1000
Related commands
• defense icmp-flood action drop-packet
• defense icmp-flood enable
• display attack-defense policy
packets destined for an IP address drops below the silence threshold, it considers that the attack to the
IP address is over, returns to attack detection state, and stops the protection actions.
Usage guidelines
Adjust the thresholds according to the actual network conditions. Usually, ICMP traffic is smaller than TCP
and UDP traffic, so you can set a smaller action threshold for ICMP flood protection. If the link
bandwidth of the protected network is small, set a smaller silence threshold to help relieve the traffic
pressure.
Examples
# Set the global action threshold to 3000 packets per second and the global silence threshold to 1000
packets per second for ICMP flood attack.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense icmp-flood rate-threshold high 3000 low 1000
Related commands
• defense icmp-flood action drop-packet
• defense icmp-flood enable
• display attack-defense policy
If you delete an entry blacklisted by scanning attack protection shortly after the entry is added (within 1
second), the system does not add the entry again, because it treats the subsequent packets matching
the entry as packets of the same attack.
Examples
# Enable scanning attack protection.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold for triggering scanning attack protection to 2000 connections per
second.
[Sysname-attack-defense-policy-1] defense scan max-rate 2000
# Enable the blacklist function for scanning attack protection, and specify the blacklist entry aging time
as 20 minutes.
[Sysname-attack-defense-policy-1] defense scan add-to-blacklist
[Sysname-attack-defense-policy-1] defense scan blacklist-timeout 20
[Sysname-attack-defense-policy-1] quit
# Enable the blacklist function globally to make the blacklist function for scanning attack protection take
effect.
[Sysname] blacklist enable
Related commands
• blacklist enable
• defense scan blacklist-timeout
• defense scan enable
• defense scan max-rate
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense scan blacklist-timeout 20
Related commands
• blacklist enable
• defense scan add-to-blacklist
• defense scan enable
• defense scan max-rate
Related commands
• blacklist enable
• defense scan add-to-blacklist
• defense scan blacklist-timeout
• defense scan max-rate
Use undo defense scan max-rate to restore the default, which is 4000 connections per second.
Syntax
defense scan max-rate rate-number
undo defense scan max-rate
Views
Attack protection policy view
Default command level
2: System level
Parameters
rate-number: Specifies the threshold of the connection establishment rate (number of connections
established in a second) that triggers scanning attack protection, in the range of 1 to 10000.
Usage guidelines
With scanning attack protection enabled, a device checks the connection rate by IP address. If the
connection rate of an IP address reaches or exceeds the threshold, the device considers the IP address a
scanning attack source and drops subsequent packets from the IP address until it finds that the rate is less
than the threshold.
Examples
# Enable scanning attack protection.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense scan enable
# Set the connection rate threshold for triggering scanning attack protection to 2000 connections per
second.
[Sysname-attack-defense-policy-1] defense scan max-rate 2000
Related commands
• blacklist enable
• defense scan add-to-blacklist
• defense scan blacklist-timeout
• defense scan enable
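The scanning attack protection and blacklist behaviour described in the blacklist ip, defense scan add-to-blacklist and defense scan max-rate sections above, as an added Python simulation that is not part of this command reference or of Comware: the per-address connection rate check against max-rate (default 4000), automatic blacklisting with blacklist-timeout, manual entries with or without an aging time, and the rule that an automatically added entry deleted within 1 second is not added again. Names and timestamps are constructed; the text gives no default for blacklist-timeout, so it is passed explicitly, and the model assumes the 1-second rule lapses once the address's rate drops below the threshold.

```python
"""Constructed simulation of scanning attack protection and the blacklist (not device code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

DEFAULT_SCAN_MAX_RATE = 4000  # default of defense scan max-rate, connections per second
READD_GUARD_SECONDS = 1.0     # auto entry deleted this soon after being added is not re-added


def validate_blacklist_ip(ip: str) -> str:
    """source-ip-address: not broadcast, 127.0.0.0/8, class D, or class E."""
    addr = ipaddress.IPv4Address(ip)
    if int(addr) == 0xFFFFFFFF or addr.is_loopback or addr.is_multicast or int(addr) >> 28 == 0xF:
        raise ValueError(f"address not allowed in the blacklist: {ip}")
    return str(addr)


@dataclass
class BlacklistEntry:
    ip: str
    added_at: float
    expires_at: Optional[float]  # None: never aged out
    auto: bool                   # True when added by scanning attack protection


@dataclass
class Blacklist:
    enabled: bool = False  # blacklist enable
    entries: Dict[str, BlacklistEntry] = field(default_factory=dict)
    no_readd: Set[str] = field(default_factory=set)  # addresses covered by the 1-second rule

    def add(self, ip: str, now: float, timeout_minutes: Optional[int] = None,
            auto: bool = False) -> bool:
        """blacklist ip source-ip-address [ timeout minutes ]; re-adding replaces the aging time."""
        ip = validate_blacklist_ip(ip)
        if timeout_minutes is not None and not 1 <= timeout_minutes <= 1000:
            raise ValueError("timeout minutes must be in the range 1 to 1000")
        if auto and ip in self.no_readd:
            return False  # same attack as the entry just deleted: not added again
        expires = None if timeout_minutes is None else now + timeout_minutes * 60
        self.entries[ip] = BlacklistEntry(ip, now, expires, auto)
        return True

    def cancel_timeout(self, ip: str) -> None:
        """undo blacklist ip source-ip-address timeout: the entry never ages out."""
        if ip in self.entries:
            self.entries[ip].expires_at = None

    def delete(self, ip: str, now: float) -> None:
        """undo blacklist ip source-ip-address."""
        entry = self.entries.pop(ip, None)
        if entry is not None and entry.auto and now - entry.added_at < READD_GUARD_SECONDS:
            self.no_readd.add(ip)

    def blocks(self, ip: str, now: float) -> bool:
        """True when packets from ip are filtered; aged entries expire lazily."""
        if not self.enabled:
            return False  # entries take effect only while the blacklist function is enabled
        entry = self.entries.get(ip)
        if entry is None:
            return False
        if entry.expires_at is not None and now >= entry.expires_at:
            del self.entries[ip]
            return False
        return True


@dataclass
class ScanProtection:
    """defense scan enable plus max-rate, add-to-blacklist and blacklist-timeout."""
    blacklist: Blacklist
    max_rate: int = DEFAULT_SCAN_MAX_RATE
    add_to_blacklist: bool = False
    blacklist_timeout: Optional[int] = None  # minutes; the text states no default
    attacking: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if not 1 <= self.max_rate <= 10000:
            raise ValueError("rate-number must be in the range 1 to 10000")

    def observe(self, src_ip: str, connections_per_second: int, now: float) -> str:
        """Feed one second's connection rate from src_ip; return "drop" or "forward"."""
        if connections_per_second >= self.max_rate:
            if src_ip not in self.attacking:
                self.attacking.add(src_ip)  # newly detected scanning attack source
                if self.add_to_blacklist:
                    self.blacklist.add(src_ip, now, self.blacklist_timeout, auto=True)
            return "drop"  # dropped until the rate is less than the threshold
        # Rate fell below the threshold: the attack is over. Assumption: this also
        # ends the "same attack" suppression for the address.
        self.attacking.discard(src_ip)
        self.blacklist.no_readd.discard(src_ip)
        return "drop" if self.blacklist.blocks(src_ip, now) else "forward"
```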
Views
Attack protection policy view
Default command level
2: System level
Parameters
drop-packet: Drops all subsequent connection requests to the attacked IP address.
Examples
# Configure the SYN flood protection policy to drop SYN flood attack packets.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense syn-flood action drop-packet
Related commands
• defense syn-flood enable
• display attack-defense policy
Related commands
• defense syn-flood
• display attack-defense policy
defense syn-flood ip
Use defense syn-flood ip to configure the action and silence thresholds for SYN flood attack protection
of a specific IP address.
Use undo defense syn-flood ip to remove the configuration.
Syntax
defense syn-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
undo defense syn-flood ip ip-address [ rate-threshold ]
Default
No SYN flood attack protection thresholds are configured for an IP address.
Views
Attack protection policy view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address to be protected. This IP address cannot be a broadcast address,
127.0.0.0/8, a class D address, or a class E address.
high rate-number: Sets the action threshold for SYN flood attack protection of the specified IP address.
The rate-number argument indicates the number of SYN packets sent to the specified IP address per
second and is in the range of 1 to 65535. With SYN flood attack protection enabled, the device enters
attack detection state. When the device detects that the sending rate of SYN packets destined for the
specified IP address constantly reaches or exceeds the specified action threshold, the device considers
the IP address to be under attack, enters attack protection state, and takes protection actions as
configured.
low rate-number: Sets the silence threshold for SYN flood attack protection of the specified IP address.
The rate-number argument indicates the number of SYN packets sent to the specified IP address per
second and is in the range of 1 to 65535. The default value of the silence threshold is 3/4 of the action
threshold. When the device is in attack protection state, if it detects that the sending rate of SYN packets
destined for the specified IP address drops below the silence threshold, it considers that the attack is over,
returns to attack detection state, and stops taking the protection measures.
Usage guidelines
You can specify multiple protected IP addresses in each attack protection policy.
Examples
# Configure SYN flood attack protection for IP address 192.168.1.2, and set the action threshold to 2000
packets per second and the silence threshold to 1000 packets per second.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense syn-flood ip 192.168.1.2 rate-threshold high 2000 low 1000
Related commands
• defense syn-flood action
• defense syn-flood enable
• display attack-defense policy
defense syn-flood rate-threshold
Use defense syn-flood rate-threshold to configure the global action and silence thresholds for SYN flood
attack protection. The device uses the global attack protection thresholds to protect the IP addresses for
which you do not configure attack protection parameters specifically.
Use undo defense syn-flood rate-threshold to restore the default.
Syntax
defense syn-flood rate-threshold high rate-number [ low rate-number ]
undo defense syn-flood rate-threshold
Default
The global action threshold is 1000 packets per second and the global silence threshold is 750 packets
per second.
Views
Attack protection policy view
Default command level
2: System level
Parameters
high rate-number: Sets the global action threshold for SYN flood attack protection. The rate-number
argument indicates the number of SYN packets sent to an IP address per second and is in the range of
1 to 65535. With the SYN flood attack protection enabled, the device enters attack detection state.
When the device detects that the sending rate of SYN packets destined for an IP address constantly
reaches or exceeds the specified action threshold, the device considers the IP address to be under attack,
enters attack protection state, and takes protection actions as configured.
low rate-number: Sets the global silence threshold for SYN flood attack protection. The rate-number
argument indicates the number of SYN packets sent to an IP address per second and is in the range of
1 to 65535. When the device is in attack protection state, if it detects that the sending rate of SYN
packets destined for an IP address drops below the silence threshold, it considers that the attack to the
IP address is over, returns to attack detection state, and stops the protection actions.
Usage guidelines
Adjust the thresholds according to your actual network conditions. For the protected objects that usually
have high SYN traffic, for example, HTTP server or FTP server, set a bigger action threshold to avoid
impact on normal services. For poor network conditions, or attack-sensitive networks, you can set a
smaller action threshold. If the link bandwidth of the protected network is small, you can set a smaller
silence threshold to help release the network traffic pressure.
Examples
# Configure SYN flood attack protection, set the global action threshold to 3000 packets per second and
the global silence threshold to 1000 packets per second.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense syn-flood rate-threshold high 3000 low 1000
Related commands
• defense syn-flood enable
• display attack-defense policy
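The two-threshold behaviour that the defense syn-flood ip and defense syn-flood rate-threshold entries above describe (enter attack protection state when the rate reaches the action threshold, leave it only when the rate drops below the silence threshold, use the global thresholds for IP addresses without specific settings, default the per-IP silence threshold to 3/4 of the action threshold) is modelled below in Python. This is an added illustration, not Comware code; the IP addresses, rate samples and function names are constructed. The same model applies unchanged to the defense udp-flood ip and defense udp-flood rate-threshold commands.

```python
"""Two-threshold (action/silence) flood detection as described for the
defense syn-flood / udp-flood rate-threshold commands. Added illustration,
not Comware code; IP addresses and per-second rate samples are constructed."""

from dataclasses import dataclass, field

DETECTION = "detection"      # device watches rates, no countermeasure active
PROTECTION = "protection"    # device applies the configured action


@dataclass
class FloodPolicy:
    """Thresholds in packets per second, with the documented global defaults:
    action threshold 1000, silence threshold 750."""
    global_high: int = 1000
    global_low: int = 750
    per_ip: dict = field(default_factory=dict)   # ip -> (high, low)

    def set_ip(self, ip, high, low=None):
        """Mirror 'defense ... ip <ip> rate-threshold high H [low L]'.
        The optional low value defaults to 3/4 of this IP's high value."""
        if not 1 <= high <= 65535:
            raise ValueError("high rate-number must be in 1..65535")
        if low is None:
            low = high * 3 // 4
        if not 1 <= low <= 65535:
            raise ValueError("low rate-number must be in 1..65535")
        self.per_ip[ip] = (high, low)

    def thresholds(self, ip):
        """IPs without a specific entry fall back to the global thresholds."""
        return self.per_ip.get(ip, (self.global_high, self.global_low))


def run_detector(policy, ip, rates):
    """Feed per-second packet rates for one destination IP and return the
    state after each sample. Simplification: a single sample at or above
    'high' enters protection state, whereas the reference speaks of the rate
    'constantly' reaching it. The two thresholds give hysteresis: a rate
    between low and high keeps whatever state the device is already in, so
    traffic hovering around one threshold does not flap the protection."""
    high, low = policy.thresholds(ip)
    state = DETECTION
    trace = []
    for rate in rates:
        if state == DETECTION and rate >= high:
            state = PROTECTION
        elif state == PROTECTION and rate < low:
            state = DETECTION
        trace.append(state)
    return trace


if __name__ == "__main__":
    policy = FloodPolicy()
    policy.set_ip("192.168.1.2", 2000, 1000)     # as in the example above
    print(run_detector(policy, "192.168.1.2", [500, 2000, 1500, 999, 1200]))
```

The sample run shows why the silence threshold matters: the rate of 1500 packets/s in the third second is below the action threshold, but the device stays in protection state until the rate falls under 1000, and the later 1200 packets/s does not re-trigger protection because it never reaches 2000.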
defense udp-flood action drop-packet
Use defense udp-flood action drop-packet to configure the device to drop UDP flood attack packets.
Use undo defense udp-flood action to restore the default.
Syntax
defense udp-flood action drop-packet
undo defense udp-flood action
Default
The device only outputs alarm logs if it detects a UDP flood attack.
Views
Attack protection policy view
Default command level
2: System level
Examples
# Configure attack protection policy 1 to drop UDP flood packets.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense udp-flood action drop-packet
Related commands
• defense udp-flood enable
• defense udp-flood ip
• defense udp-flood rate-threshold
• display attack-defense policy
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense udp-flood enable
Related commands
• defense udp-flood action drop-packet
• defense udp-flood rate-threshold
• defense udp-flood ip
• display attack-defense policy
defense udp-flood ip
Use defense udp-flood ip to configure the action and silence thresholds for UDP flood attack protection
of a specific IP address.
Use undo defense udp-flood ip to remove the configuration.
Syntax
defense udp-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
undo defense udp-flood ip ip-address [ rate-threshold ]
Default
No UDP flood attack protection thresholds are configured for an IP address.
Views
Attack protection policy view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address to be protected. This IP address cannot be a broadcast address,
127.0.0.0/8, a class D address, or a class E address.
high rate-number: Sets the action threshold for UDP flood attack protection of the specified IP address.
The rate-number argument indicates the number of UDP packets sent to the specified IP address per
second and is in the range of 1 to 65535. With the UDP flood attack protection enabled, the device
enters attack detection state. When the device detects that the sending rate of UDP packets destined for
the specified IP address constantly reaches or exceeds the specified action threshold, the device
considers the IP address to be under attack, enters attack protection state, and takes protection actions
as configured.
low rate-number: Sets the silence threshold for UDP flood attack protection of the specified IP address.
The rate-number argument indicates the number of UDP packets sent to the specified IP address per
second and is in the range of 1 to 65535. The default value of the silence threshold is 3/4 of the action
threshold. When the device is in attack protection state, if it detects that the sending rate of UDP packets
destined for the specified IP address drops below the silence threshold, it considers that the attack is over,
returns to attack detection state, and stops the protection measures.
Usage guidelines
You can configure UDP flood attack protection thresholds for a maximum of 32 IP addresses in each
attack protection policy.
Examples
# Configure UDP flood attack protection for IP address 192.168.1.2, and set the action threshold to 2000
packets per second and the silence threshold to 1000 packets per second.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense udp-flood ip 192.168.1.2 rate-threshold high 2000 low 1000
Related commands
• defense udp-flood action drop-packet
• defense udp-flood enable
• display attack-defense policy
conditions, or attack-sensitive networks, you can set a smaller action threshold. If the link bandwidth of
the protected network is small, you can set a smaller silence threshold to help release the network traffic
pressure.
Examples
# Configure UDP flood attack protection, set the global action threshold to 3000 packets per second and
the global silence threshold to 1000 packets per second.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] defense udp-flood rate-threshold high 3000 low 1000
Related commands
• defense udp-flood action drop-packet
• defense udp-flood enable
• display attack-defense policy
Smurf attack-defense : Enabled
ICMP redirect attack-defense : Disabled
ICMP unreachable attack-defense : Disabled
Large ICMP attack-defense : Enabled
Max-length : 250 bytes
TCP flag attack-defense : Enabled
Tracert attack-defense : Enabled
Fraggle attack-defense : Enabled
WinNuke attack-defense : Enabled
LAND attack-defense : Enabled
Source route attack-defense : Enabled
Route record attack-defense : Enabled
Scan attack-defense : Enabled
Add to blacklist : Enabled
Blacklist timeout : 10 minutes
Max-rate : 1000 connections/s
Signature-detect action : Drop-packet
--------------------------------------------------------------------------
ICMP flood attack-defense : Enabled
ICMP flood action : Syslog
ICMP flood high-rate : 2000 packets/s
ICMP flood low-rate : 750 packets/s
ICMP flood attack-defense for specific IP addresses:
IP High-rate(packets/s) Low-rate(packets/s)
192.168.1.1 1000 500
192.168.2.1 2000 1000
--------------------------------------------------------------------------
UDP flood attack-defense : Enabled
UDP flood action : Drop-packet
UDP flood high-rate : 2000 packets/s
UDP flood low-rate : 750 packets/s
UDP Flood attack-defense for specific IP addresses:
IP High-rate(packets/s) Low-rate(packets/s)
192.168.1.1 1000 500
192.168.2.1 2000 500
--------------------------------------------------------------------------
SYN flood attack-defense : Enabled
SYN flood action : Drop-packet
SYN flood high-rate : 2000 packets/s
SYN flood low-rate : 750 packets/s
SYN Flood attack-defense for specific IP addresses:
IP High-rate(packets/s) Low-rate(packets/s)
192.168.1.1 1000 750
192.168.2.1 2000 1000
Field Description
Policy number Sequence number of the attack protection policy.
Bound interfaces Interfaces to which the attack protection policy is applied.
ICMP redirect attack-defense Indicates whether ICMP redirect attack protection is enabled.
Large ICMP attack-defense Indicates whether large ICMP attack protection is enabled.
TCP flag attack-defense Indicates whether TCP flag attack protection is enabled.
Source route attack-defense Indicates whether Source Route attack protection is enabled.
Route record attack-defense Indicates whether Route Record attack protection is enabled.
ICMP flood attack-defense Indicates whether ICMP flood attack protection is enabled.
ICMP flood high-rate Global action threshold for ICMP flood attack protection.
ICMP flood low-rate Global silence threshold for ICMP flood attack protection.
UDP flood high-rate Global action threshold for UDP flood attack protection.
UDP flood low-rate Global silence threshold for UDP flood attack protection.
UDP flood attack on IP UDP flood attack protection settings for specific IP addresses.
SYN flood action Action to be taken when a SYN flood attack is detected. It can be Drop-packet (dropping subsequent packets) or Syslog (outputting an alarm log).
SYN flood high-rate Global action threshold for SYN flood attack protection.
SYN flood low-rate Global silence threshold for SYN flood attack protection.
SYN flood attack on IP SYN flood attack protection settings for specific IP addresses.
Related commands
attack-defense policy
------------------------------------------------------------
Interface : GigabitEthernet1/1
------------------------------------------------------------
Attack policy number : 1
Fraggle attacks : 1
Fraggle packets dropped : 100
ICMP redirect attacks : 1
ICMP redirect packets dropped : 100
ICMP unreachable attacks : 1
ICMP unreachable packets dropped : 100
LAND attacks : 1
LAND attack packets dropped : 100
Large ICMP attacks : 1
Large ICMP packets dropped : 100
Route record attacks : 1
Route record packets dropped : 100
Source route attacks : 1
Source route packets dropped : 100
Smurf attacks : 1
Smurf packets dropped : 100
TCP flag attacks : 1
TCP flag packets dropped : 100
Tracert attacks : 1
Tracert packets dropped : 100
WinNuke attacks : 1
WinNuke packets dropped : 100
Scan attacks : 1
Scan attack packets dropped : 100
SYN flood attacks : 1
SYN flood packets dropped : 100
ICMP flood attacks : 1
ICMP flood packets dropped : 100
UDP flood attacks : 1
UDP flood packets dropped : 100
Field Description
Attack policy number Sequence number of the attack protection policy applied to the interface.
LAND attack packets dropped Number of Land packets dropped.
Route record packets dropped Number of Route Record attack packets dropped.
Source route packets dropped Number of Source Route attack packets dropped.
SYN flood attack packets dropped Number of SYN flood attack packets dropped.
ICMP flood attack packets dropped Number of ICMP flood attack packets dropped.
UDP flood attack packets dropped Number of UDP flood attack packets dropped.
Related commands
• attack-defense apply policy
• attack-defense policy
display blacklist
Use display blacklist to display information about one or all blacklist entries.
Syntax
display blacklist { all | ip source-ip-address } [ vd vd-name ] [ | { begin | exclude | include }
regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
ip source-ip-address: Displays information about the blacklist entry for an IP address. source-ip-address
indicates the IP address, which cannot be a broadcast address, 127.0.0.0/8, a class D address, or a
class E address.
all: Displays information about all blacklist entries.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all blacklist entries.
<Sysname> display blacklist all
Blacklist information
------------------------------------------------------------------------------
Blacklist : enabled
Blacklist items : 1
------------------------------------------------------------------------------
IP Type Aging started Aging finished Dropped packets
YYYY/MM/DD hh:mm:ss YYYY/MM/DD hh:mm:ss
2.2.1.2 manual 2008/08/27 19:15:39 Never 0
1.1.1.2 auto 2008/09/01 18:26:31 2008/09/01 18:36:31 4294967295
1.1.1.3 manual 2008/09/02 06:13:20 2008/09/02 07:54:47 4294967295
--------------------------------------------------------------------------
Field Description
Blacklist Indicates whether the blacklist function is enabled.
Aging finished Aging time of the blacklist entry. Never means that the entry never gets aged.
Dropped packets Number of packets from the IP address that have been dropped.
Related commands
• blacklist enable
• blacklist ip
display flow-statistics statistics
Use display flow-statistics statistics to display traffic statistics on interfaces based on IP addresses.
Syntax
display flow-statistics statistics { destination-ip dest-ip-address | source-ip src-ip-address } [ vpn-instance
vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
destination-ip dest-ip-address: Displays statistics of the traffic destined for the specified destination IP
address. dest-ip-address indicates the destination IP address, which cannot be a broadcast address,
127.0.0.0, a class D address, or a class E address.
source-ip src-ip-address: Displays statistics of the traffic that is from the specified source IP address.
src-ip-address indicates the source IP address, which cannot be a broadcast address, 127.0.0.0, a class
D address, or a class E address.
vpn-instance vpn-instance-name: Displays statistics of the traffic that belongs to the specified VPN.
vpn-instance-name indicates the VPN instance name of an MPLS L3VPN, a case-sensitive string of 1 to
31 characters. If the object to be displayed belongs to the public network, do not specify this option.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the traffic statistics of source IP address 192.168.1.2.
<Sysname> display flow-statistics statistics source-ip 192.168.1.2
Flow Statistics Information
-----------------------------------------------------------
IP Address : 192.168.1.2
-----------------------------------------------------------
Total number of existing sessions : 70
Session establishment rate : 10/s
TCP sessions : 10
Half-open TCP sessions : 10
Half-close TCP sessions : 10
TCP session establishment rate : 10/s
UDP sessions : 10
UDP session establishment rate : 10/s
ICMP sessions : 10
ICMP session establishment rate : 10/s
RAWIP sessions : 10
RAWIP session establishment rate : 10/s
Field Description
IP Address Source IP address.
Examples
# Display the inbound traffic statistics of interface GigabitEthernet 1/1.
<Sysname> display flow-statistics statistics interface gigabitethernet 1/1 inbound
Flow Statistics Information
------------------------------------------------------------
Interface : GigabitEthernet1/1
------------------------------------------------------------
Total number of existing sessions : 70
Session establishment rate : 10/s
TCP sessions : 10
Half-open TCP sessions : 10
Half-close TCP sessions : 10
TCP session establishment rate : 10/s
UDP sessions : 10
UDP session establishment rate : 10/s
ICMP sessions : 10
ICMP session establishment rate : 10/s
RAWIP sessions : 10
RAWIP session establishment rate : 10/s
Field Description
Total number of existing sessions Total number of connections.
flow-statistics enable
Use flow-statistics enable to enable traffic statistics collection on an interface.
Use undo flow-statistics enable to restore the default.
Syntax
flow-statistics enable { destination-ip | inbound | outbound | source-ip }
undo flow-statistics enable { destination-ip | inbound | outbound | source-ip }
Default
The traffic statistics collection function is disabled on an interface.
Views
Interface view
Default command level
2: System level
Parameters
destination-ip: Collects statistics on packets sent out of the current interface by destination IP address.
inbound: Collects statistics on packets received on the interface.
outbound: Collects statistics on packets sent out of the interface.
source-ip: Collects statistics on packets received on the current interface by source IP address.
Usage guidelines
You can enable multiple types of traffic statistics collections on an interface, and then use related display
commands to view the statistics collection results of each type.
Examples
# On interface GigabitEthernet 1/1, enable the traffic statistics collection by destination IP address.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1
[Sysname-GigabitEthernet1/1] flow-statistics enable destination-ip
# You can use the following command to view statistics on packets sent out of the interface with the
destination IP address being 2.2.2.2 (you can specify the destination IP address as needed).
[Sysname-GigabitEthernet1/1] display flow-statistics statistics destination-ip 2.2.2.2
Related commands
display flow-statistics statistics
Related commands
display attack-defense statistics interface
signature-detect
Use signature-detect to enable signature detection of a single-packet attack.
Use undo signature-detect to disable signature detection of a single-packet attack.
Syntax
signature-detect { fraggle | icmp-redirect | icmp-unreachable | land | large-icmp | route-record |
smurf | source-route | tcp-flag | tracert | winnuke } enable
undo signature-detect { fraggle | icmp-redirect | icmp-unreachable | land | large-icmp | route-record
| smurf | source-route | tcp-flag | tracert | winnuke } enable
Default
Signature detection of all types of attacks is disabled.
Views
Attack protection policy view
Default command level
2: System level
Parameters
fraggle: Specifies the Fraggle packet attack.
icmp-redirect: Specifies the ICMP redirect packet attack.
icmp-unreachable: Specifies the ICMP unreachable packet attack.
land: Specifies the Land packet attack.
large-icmp: Specifies the large ICMP packet attack.
route-record: Specifies the route record packet attack.
smurf: Specifies the Smurf packet attack.
source-route: Specifies the source route packet attack.
tcp-flag: Specifies the TCP flag packet attack.
tracert: Specifies the Tracert packet attack.
winnuke: Specifies the Winnuke packet attack.
Examples
# Enable signature detection of Fraggle attack in attack protection policy 1.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] signature-detect fraggle enable
Related commands
display attack-defense policy
signature-detect action drop-packet
Use signature-detect action drop-packet to configure the device to drop single-packet attack packets.
Use undo signature-detect action to restore the default.
Syntax
signature-detect action drop-packet
undo signature-detect action
Default
The device only outputs alarm logs if it detects a single-packet attack.
Views
Attack protection policy view
Default command level
2: System level
Examples
# Configure attack protection policy 1 to drop single-packet attack packets.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] signature-detect action drop-packet
Related commands
display attack-defense policy
Usage guidelines
With signature detection of large ICMP attack enabled, a device considers all ICMP packets longer than
the specified maximum length as large ICMP attack packets.
This command is effective only when signature detection of large ICMP attack is enabled.
Examples
# Enable signature detection of large ICMP attack, set the ICMP packet length threshold that triggers
large ICMP attack protection to 5000 bytes, and configure the device to drop ICMP packets longer than
the specified maximum length.
<Sysname> system-view
[Sysname] attack-defense policy 1
[Sysname-attack-defense-policy-1] signature-detect large-icmp enable
[Sysname-attack-defense-policy-1] signature-detect large-icmp max-length 5000
[Sysname-attack-defense-policy-1] signature-detect action drop-packet
Related commands
• display attack-defense policy
• signature-detect large-icmp enable
TCP attack protection configuration commands
Field Description
*: TCP MD5 Connection If the status information for a TCP connection contains an asterisk (*), the TCP connection adopts the MD5 algorithm for authentication.
Use undo tcp anti-naptha enable to disable the protection against Naptha attack.
Syntax
tcp anti-naptha enable
undo tcp anti-naptha enable
Default
The protection against Naptha attack is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The configurations made by using the tcp state and tcp timer check-state commands are removed after
the protection against Naptha attack is disabled.
Examples
# Enable the protection against Naptha attack.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
tcp state
Use tcp state to configure the maximum number of TCP connections in a state. When this number is
exceeded, the aging of TCP connections in this state is accelerated.
Use undo tcp state to restore the default.
Syntax
tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received } connection-number
number
undo tcp state { closing | established | fin-wait-1 | fin-wait-2 | last-ack | syn-received }
connection-number
Default
The maximum number of TCP connections in each state is 5.
Views
System view
Default command level
2: System level
Parameters
closing: Specifies the CLOSING state of a TCP connection.
established: Specifies the ESTABLISHED state of a TCP connection.
fin-wait-1: Specifies the FIN_WAIT_1 state of a TCP connection.
fin-wait-2: Specifies the FIN_WAIT_2 state of a TCP connection.
last-ack: Specifies the LAST_ACK state of a TCP connection.
syn-received: Specifies the SYN_RECEIVED state of a TCP connection.
connection-number number: Specifies the maximum number of TCP connections in a certain state. The
argument number is in the range of 0 to 500.
Usage guidelines
You must enable the protection against Naptha attack before executing this command. Otherwise, the
command fails with an error message.
You can respectively configure the maximum number of TCP connections in each state.
If the maximum number of TCP connections in a state is 0, the aging of TCP connections in this state is
not accelerated.
Examples
# Set the maximum number of TCP connections in ESTABLISHED state to 100.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp state established connection-number 100
Related commands
tcp anti-naptha enable
Syntax
tcp timer check-state time-value
undo tcp timer check-state
Default
The TCP connection state check interval is 30 seconds.
Views
System view
Default command level
2: System level
Parameters
time-value: Specifies the TCP connection state check interval in seconds, in the range of 1 to 60.
Usage guidelines
The device periodically checks the number of TCP connections in each state. If it detects that the number
of TCP connections in a state exceeds the maximum number, it accelerates the aging of TCP connections
in such a state.
You must enable the protection against Naptha attack before executing this command. Otherwise, the
command fails with an error message.
Example
# Set the TCP connection state check interval to 40 seconds.
<Sysname> system-view
[Sysname] tcp anti-naptha enable
[Sysname] tcp timer check-state 40
Related commands
tcp anti-naptha enable
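The Naptha protection described by the tcp anti-naptha enable, tcp state and tcp timer check-state entries above (a periodic check that counts TCP connections per state and accelerates the aging of any state whose count exceeds its configured maximum, with 0 disabling acceleration for that state, a default maximum of 5 per state, a default interval of 30 seconds, and per-state settings that are discarded when the protection is disabled) is modelled below in Python. This is an added illustration, not Comware code; the connection table and the class and method names are constructed.

```python
"""Model of the Naptha protection check: count TCP connections per state and
flag the states whose count exceeds the configured maximum so that their
aging can be accelerated. Added illustration, not Comware code; the
connection table is constructed."""

from collections import Counter

TCP_STATES = ("closing", "established", "fin-wait-1", "fin-wait-2",
              "last-ack", "syn-received")
DEFAULT_MAX_PER_STATE = 5      # default of 'tcp state ... connection-number'
DEFAULT_CHECK_INTERVAL = 30    # seconds, default of 'tcp timer check-state'


class NapthaGuard:
    def __init__(self):
        self.enabled = False
        self.max_per_state = {}                      # state -> configured maximum
        self.check_interval = DEFAULT_CHECK_INTERVAL

    def enable(self):
        """tcp anti-naptha enable"""
        self.enabled = True

    def disable(self):
        """undo tcp anti-naptha enable: per the usage guidelines, the tcp state
        and tcp timer check-state settings are removed as well."""
        self.enabled = False
        self.max_per_state = {}
        self.check_interval = DEFAULT_CHECK_INTERVAL

    def set_state_limit(self, state, number):
        """tcp state <state> connection-number <number>"""
        if not self.enabled:
            raise RuntimeError("enable tcp anti-naptha first")
        if state not in TCP_STATES:
            raise ValueError("unknown TCP state %r" % state)
        if not 0 <= number <= 500:
            raise ValueError("connection-number must be in 0..500")
        self.max_per_state[state] = number

    def set_check_interval(self, seconds):
        """tcp timer check-state <time-value>"""
        if not self.enabled:
            raise RuntimeError("enable tcp anti-naptha first")
        if not 1 <= seconds <= 60:
            raise ValueError("time-value must be in 1..60")
        self.check_interval = seconds

    def limit_for(self, state):
        return self.max_per_state.get(state, DEFAULT_MAX_PER_STATE)

    def check(self, connections):
        """One run of the periodic check. 'connections' is an iterable of
        (local, remote, state) tuples. Returns the set of states whose
        connection count exceeds the maximum; a maximum of 0 means the
        state is never accelerated."""
        if not self.enabled:
            return set()
        counts = Counter(state for _, _, state in connections)
        accelerate = set()
        for state, n in counts.items():
            limit = self.limit_for(state)
            if limit != 0 and n > limit:
                accelerate.add(state)
        return accelerate


if __name__ == "__main__":
    guard = NapthaGuard()
    guard.enable()
    guard.set_state_limit("established", 100)   # as in the tcp state example
    guard.set_state_limit("fin-wait-1", 0)      # never accelerate FIN_WAIT_1
    # Constructed table: 7 half-open connections, 6 in FIN_WAIT_1, 3 closing.
    table = ([("10.0.0.1:80", "198.51.100.%d:4000" % i, "syn-received") for i in range(7)]
             + [("10.0.0.1:80", "198.51.100.%d:5000" % i, "fin-wait-1") for i in range(6)]
             + [("10.0.0.1:80", "198.51.100.%d:6000" % i, "closing") for i in range(3)])
    print(guard.check(table))
```

In the constructed table only SYN_RECEIVED is reported: it exceeds the default maximum of 5, FIN_WAIT_1 is exempt because its maximum was set to 0, and CLOSING stays within the default. The check would run every check_interval seconds on the real device; here it is invoked directly.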
Connection limit configuration commands
Default command level
2: System level
Parameters
upper-limit max-amount: Specifies the upper connection limit in the range of 1 to 4294967295.
lower-limit min-amount: Specifies the lower connection limit in the range of 0 to 4294967294.
min-amount must be less than max-amount.
Examples
# Set the default upper connection limit to 200 and the lower connection limit to 50.
<Sysname> system-view
[Sysname] connection-limit policy 1
[Sysname-connection-limit-policy-1] connection-limit default amount upper-limit 200 lower-limit 50
connection-limit policy
Use connection-limit policy to create a connection limit policy and enter connection limit policy view.
Use undo connection-limit policy to delete the specified or all connection limit policies.
Syntax
connection-limit policy policy-number
undo connection-limit policy { policy-number | all }
Default
A connection limit policy uses the default connection limit settings.
Views
System view
Default command level
2: System level
Parameters
policy-number: Specifies the number of a connection limit policy, in the range of 0 to 19.
all: Specifies all connection limit policies.
Usage guidelines
A connection limit policy contains a set of rules for limiting the number of connections of a specific user.
A policy number uniquely identifies a connection limit policy. Policies are matched by number in
descending order.
After applying a connection limit policy to a NAT module, you cannot modify the connection limit rules
in the policy, but can add and remove connection limit rules.
Examples
# Create a connection limit policy numbered 1 and enter its view.
<Sysname> system-view
[Sysname] connection-limit policy 1
[Sysname-connection-limit-policy-1]
display connection-limit policy
Use display connection-limit policy to display information about a specific or all connection limit policies.
Syntax
display connection-limit policy { policy-number | all } [ | { begin | exclude | include }
regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
policy-number: Specifies the connection limit policy number in the range of 0 to 19.
all: Displays all connection limit policies.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all connection limit policies.
<Sysname> display connection-limit policy all
There is 1 policy:
Connection-limit policy 1, refcount 0 ,3 limits
limit 1 acl 2000 per-source amount 1111 10
limit 2 acl 2001 per-destination amount 300 20
limit 3 acl 2002 per-service amount 400 50
Field Description
Connection-limit policy Number of the connection limit policy.
refcount 1, 2 limits Number of times that the policy is applied and number of rules in the policy.
limit xxx Rule in the policy. For more information, see the limit acl command.
Related commands
limit acl
Syntax
display connection-limit statistics [ source src-address { mask-length | mask } ] [ destination dst-address
{ mask-length | mask } ] [ destination-port { eq | gt | lt | neq | range } port-number ] [ vpn-instance
vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
source src-address: Specifies the source IP address of the connections.
destination dst-address: Specifies the destination IP address of the connections.
mask-length: Specifies the mask length in the range 1 to 32.
mask: Specifies the network mask.
destination-port: Specifies destination ports of connections.
{ eq | gt | lt | neq | range }: Specifies an operator for matching destination ports.
• eq: Equal to the specified port number.
• gt: Greater than the specified port number.
• lt: Less than the specified port number.
• neq: Not equal to the specified port number.
• range: Specifies a port range.
port-number: Specifies the port number in the range of 0 to 65535. When the range keyword is specified,
set a port range in the format start-port end-port, where the start-port must be less than or equal to the
end-port.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the connections belong, where the
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the connections are in the
public network, do not specify this keyword and argument combination.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display connection limit statistics.
<Sysname> display connection-limit statistics
source-ip dest-ip dest-port vpn-instance
192.168.0.210 --- --- ---
--------------------------------------------------------------------------
NAT amount upper-limit lower-limit limit-flag
2 200 100 0
Table 79 Command output
Field Description
source-ip Source IP address. "---" means no such information is available.
vpn-instance MPLS L3VPN instance. "---" means that the connection belongs to the public network.
NAT The NAT module to which the connection limit policy applies.
limit-flag Whether new connections are allowed, 0 means yes, 1 means no.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the connections belong, where the
vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the connections are in the
public network, do not specify this keyword and argument combination.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display NAT connection limit statistics.
<Sysname> display nat connection-limit
source-ip dest-ip dest-port vpn-instance
192.168.0.210 --- --- ---
--------------------------------------------------------------------------
NAT amount upper-limit lower-limit limit-flag
2 50 20 0
Field Description
source-ip Source IP address of the connection. "---" means that no such information is available.
dest-ip Destination IP address of the connection. "---" means that no such information is available.
dest-port Destination port of the connection. "---" means that no such information is available.
vpn-instance MPLS L3VPN that the connection belongs to. "---" means that the connection belongs to the public network.
limit-flag Whether new connections are allowed to be established: 0 means yes, 1 means no.
limit acl
Use limit acl to configure an ACL-based connection limit rule.
Use undo limit to remove a connection limit rule.
Syntax
limit limit-id acl acl-number [ { per-destination | per-service | per-source } * amount max-amount
min-amount ]
undo limit limit-id [ acl acl-number [ { per-destination | per-service | per-source } * amount max-amount
min-amount ] ]
Views
Connection limit policy view
Default command level
2: System level
Parameters
limit-id: Specifies the ID of a rule in the connection limit policy, in the range of 0 to 255.
acl-number: Specifies an ACL number in the range of 2000 to 3999. Connections matching this ACL are
to be limited.
per-destination: Limits connections by destination IP address.
per-service: Limits connections by service type or application.
per-source: Limits connections by source IP address.
amount: Limits the number of connections.
max-amount: Specifies the upper connection limit in the range of 1 to 4294967295.
min-amount: Specifies the lower connection limit in the range of 0 to 4294967294. It must be smaller
than the upper limit.
Usage guidelines
If you do not specify any optional parameters, the device uses the default connection limit settings (upper
and lower limits) to limit connections by source IP address. For more information about default
connection limit parameters, see the connection-limit default amount command.
If multiple keywords among per-destination, per-service, and per-source are specified, the specified
keywords take effect in combination. For example, with both per-destination and per-service limit types
specified, the limit rule collects statistics on and limits the connections of the same service that are
destined to the same destination IP address.
Examples
# Configure a rule for connection limit policy 1 to limit connections initiated from 192.168.0.0/24 by
destination IP address, setting the upper and lower connection limits to 200 and 100 respectively.
<Sysname> system-view
[Sysname] acl number 2001
[Sysname-acl-basic-2001] rule permit source 192.168.0.0 0.0.0.255
[Sysname-acl-basic-2001] quit
[Sysname] connection-limit policy 1
[Sysname-connection-limit-policy-1] limit 1 acl 2001 per-destination amount 200 100
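The keying by per-source, per-destination and per-service and the interplay of the upper and lower limits can be modelled in software. The following Python is an added illustration, not Comware code; it assumes (the page does not state this) that new connections for a key are refused once the count reaches max-amount and are admitted again once it has fallen to min-amount, which is how the limit-flag of display nat connection-limit is interpreted here.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One connection; these fields are all a limit rule can key on."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


class LimitRule:
    """Model of one 'limit <id> acl <n> [per-...] amount <max> <min>' rule.

    The ACL is reduced to a single source prefix, which is enough for the page's
    example (rule permit source 192.168.0.0 0.0.0.255).
    """

    def __init__(self, acl_source, max_amount, min_amount,
                 per_source=False, per_destination=False, per_service=False):
        if not 0 <= min_amount < max_amount:
            raise ValueError("min-amount must be smaller than max-amount")
        self.acl = ip_network(acl_source)
        self.max_amount, self.min_amount = max_amount, min_amount
        # Page: with no limit keyword, the device limits by source IP address.
        if not (per_source or per_destination or per_service):
            per_source = True
        self.keying = (per_source, per_destination, per_service)
        self.count = defaultdict(int)
        self.limit_flag = defaultdict(int)   # 0 = new connections allowed, 1 = refused

    def matches(self, flow):
        return ip_address(flow.src) in self.acl

    def key(self, flow):
        """Combine the specified keywords: per-destination + per-service, for example,
        counts connections of the same service to the same destination together."""
        per_source, per_destination, per_service = self.keying
        return (flow.src if per_source else None,
                flow.dst if per_destination else None,
                (flow.proto, flow.dport) if per_service else None)

    def open(self, flow):
        """Admit a new connection; return False if the limit refuses it."""
        if not self.matches(flow):
            return True                       # not covered by the ACL: never limited
        k = self.key(flow)
        if self.limit_flag[k]:
            return False
        self.count[k] += 1
        if self.count[k] >= self.max_amount:  # assumption: upper limit reached, refuse new ones
            self.limit_flag[k] = 1
        return True

    def close(self, flow):
        """Tear down a connection; clear the flag once the count is back at the lower limit."""
        if not self.matches(flow):
            return
        k = self.key(flow)
        self.count[k] = max(0, self.count[k] - 1)
        if self.limit_flag[k] and self.count[k] <= self.min_amount:
            self.limit_flag[k] = 0

    def stats(self):
        """Rows like 'display nat connection-limit': (amount, upper, lower, limit-flag) per key."""
        return {k: (self.count[k], self.max_amount, self.min_amount, self.limit_flag[k])
                for k in self.count}


def demo():
    """Constructed scenario: per-destination limit 5/2 on the page's 192.168.0.0/24 ACL."""
    rule = LimitRule("192.168.0.0/24", max_amount=5, min_amount=2, per_destination=True)
    same_dst = [Flow("192.168.0.10", "10.0.0.1", 80) for _ in range(6)]
    admitted = [rule.open(f) for f in same_dst]                   # five admitted, sixth refused
    other_dst = rule.open(Flow("192.168.0.20", "10.0.0.2", 80))   # different key, admitted
    outside_acl = rule.open(Flow("172.16.0.1", "10.0.0.1", 80))   # not matched by the ACL
    for f in same_dst[:3]:
        rule.close(f)                                             # count drops 5 -> 2 = lower limit
    after_drain = rule.open(same_dst[0])                          # flag cleared, admitted again
    return admitted, other_dst, outside_acl, after_drain


if __name__ == "__main__":
    print(demo())
```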
Related commands
• connection-limit policy
• display connection-limit policy
• display nat connection-limit
nat connection-limit-policy
Use nat connection-limit-policy to apply a connection limit policy to the NAT module.
Use undo nat connection-limit-policy to remove the application.
Syntax
nat connection-limit-policy policy-number
undo nat connection-limit-policy policy-number
Views
System view
Default command level
2: System level
Parameters
policy-number: Specifies the number of an existing connection limit policy, in the range of 0 to 19.
Usage guidelines
To modify a connection limit rule in a policy that is already applied to the NAT module, use the undo
nat connection-limit-policy command to remove the application first.
Examples
# Apply connection limit policy 1 to the NAT module.
<Sysname> system-view
[Sysname] nat connection-limit-policy 1
# Remove the application of connection limit policy 1 from the NAT module.
<Sysname> system-view
[Sysname] undo nat connection-limit-policy 1
Password control configuration commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about
FIPS mode, see Security Configuration Guide.
The following matrix shows the FIPS and hardware compatibility:
Hardware FIPS compatible
MSR93X No
MSR20-1X No
MSR20 Yes
MSR50 Yes
MSR1000 Yes
display password-control
Use display password-control to display password control configuration.
Syntax
display password-control [ super ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
2: System level
Parameters
super: Displays the password control information of the super passwords. Without this keyword, the
command displays the global password control configurations.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the global password control configuration.
<Sysname> display password-control
Global password control configurations:
Password control: Disabled
Password aging: Enabled (90 days)
Password length: Enabled (10 characters)
Password composition: Enabled (1 types, 1 characters per type)
Password history: Enabled (max history records:4)
Early notice on password expiration: 7 days
User authentication timeout: 60 seconds
Maximum failed login attempts: 3 times
Login attempt-failed action: Lock for 1 minutes
Minimum password update time: 24 hours
User account idle-time: 90 days
Login with aged password: 3 times in 30 days
Password complexity: Disabled (username checking)
Disabled (repeated characters checking)
Field Description
Password control Whether the password control feature is enabled.
Password aging Whether password aging is enabled and, if enabled, the aging time.
Login attempt-failed action Action to be taken after a user fails to log in for the specified number of attempts.
Login with aged password Number of times and maximum number of days a user can log in using an expired password.
Password complexity Whether the following password complexity checking is enabled:
• username checking—Checks whether a password contains the username or the reverse of the username.
• repeated characters checking—Checks whether a password contains any character that is repeated consecutively three or more times.
Table 82 Command output
Field Description
Username Username of the user.
password
Use password to set a password for a local user in interactive mode.
Use undo password to remove the password for a local user.
Syntax
password
undo password
Views
Local user view
Default command level
2: System level
Usage guidelines
The following character types are available for a local user password:
• Uppercase letters A to Z.
• Lowercase letters a to z.
• Digits 0 to 9.
• Special characters in Table 83.
Table 83 Special characters
Character name Symbol Character name Symbol
Asterisk * At sign @
Colon : Comma ,
Minus sign - Percent sign %
Slash / Tilde ~
A local user password configured in interactive mode must meet the password control requirement. For
example, if the minimum password length is set to 8, the password must contain at least 8 characters.
Examples
# Set a password for local user test in interactive mode.
<Sysname> system-view
[Sysname] local-user test
[Sysname-luser-test] password
Password:**********
Confirm :**********
Updating user(s) information, please wait....
length: Enables the minimum password length restriction function.
Usage guidelines
For these four functions to take effect, the password control feature must be enabled globally.
You must enable a function for its relevant configurations to take effect. For example, if the minimum
password length restriction function is not enabled, the setting by the password-control length command
does not take effect.
The system stops recording history passwords after you execute the undo password-control history
enable command, but it does not delete the prior records.
If the global password control feature is enabled but the minimum password length restriction function is
disabled, the following rules apply:
• In non-FIPS mode, a password must contain at least four characters and at least four characters must
be different.
• In FIPS mode, a password must contain at least eight characters and at least four characters must be
different.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
Related commands
• password-control enable
• display password-control
password-control aging
Use password-control aging to set the password aging time.
Use undo password-control aging to restore the default.
Syntax
password-control aging aging-time
undo password-control aging
Default
A password expires after 90 days. The password aging time for a user group equals the global setting.
The password aging time for a local user equals that of the user group to which the local user belongs.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
aging-time: Specifies the password aging time in days, in the range of 1 to 365.
Usage guidelines
The aging time depends on the view:
• The time in system view has global significance and applies to all user groups.
• The time in user group view applies to all local users in the user group.
• The time in local user view applies only to the local user.
A password aging time with a smaller application scope has higher priority. The system prefers to use the
password aging time in local user view for a local user. If no password aging time is configured for the
local user, the system uses the password aging time for the user group to which the local user belongs.
If no password aging time is configured for the user group, the system uses the global password aging
time.
Examples
# Globally set the passwords to expire after 80 days.
<Sysname> system-view
[Sysname] password-control aging 80
# Set the passwords for user group test to expire after 90 days.
[Sysname] user-group test
[Sysname-ugroup-test] password-control aging 90
[Sysname-ugroup-test] quit
# Set the password for local user abc to expire after 100 days.
[Sysname] local-user abc
[Sysname-luser-abc] password-control aging 100
Related commands
• display password-control
• local-user
• user-group
password-control alert-before-expire
Use password-control alert-before-expire to set the number of days before a user's password expires
during which the user is notified of the pending password expiration.
Use undo password-control alert-before-expire to restore the default.
Syntax
password-control alert-before-expire alert-time
undo password-control alert-before-expire
Default
A user is notified of pending password expiration 7 days before the user's password expires.
Views
System view
Default command level
2: System level
Parameters
alert-time: Specifies the number of days before a user's password expires during which the user is
notified of the pending password expiration. The value range is 1 to 30.
Examples
# Configure the device to notify a user about pending password expiration 10 days before the user's
password expires.
<Sysname> system-view
[Sysname] password-control alert-before-expire 10
password-control authentication-timeout
Use password-control authentication-timeout to set the user authentication timeout time.
Use undo password-control authentication-timeout to restore the default.
Syntax
password-control authentication-timeout authentication-timeout
undo password-control authentication-timeout
Default
The user authentication timeout time is 60 seconds.
Views
System view
Default command level
2: System level
Parameters
authentication-timeout: Specifies the user authentication timeout time in seconds, in the range of 30 to
120.
Examples
# Set the user authentication timeout time to 40 seconds.
<Sysname> system-view
[Sysname] password-control authentication-timeout 40
password-control complexity
Use password-control complexity to configure the password complexity checking policy.
Use undo password-control complexity check to remove a password complexity checking item.
Syntax
password-control complexity { same-character | user-name } check
undo password-control complexity { same-character | user-name } check
Default
No user password complexity checking is performed, and a password can contain the username, the
reverse of the username, or a character repeated three or more times consecutively.
Views
System view
Default command level
2: System level
Parameters
same-character: Refuses a password that contains any character repeated consecutively three or more
times.
user-name: Refuses a password that contains the username or the reverse of the username.
Usage guidelines
You can enable both username checking and repeated character checking.
After password complexity checking is enabled, passwords that do not meet the complexity requirements are refused.
Examples
# Configure the password complexity checking policy, refusing any password that contains the username
or the reverse of the username.
<Sysname> system-view
[Sysname] password-control complexity user-name check
Related commands
display password-control
password-control composition
Use password-control composition to configure the password composition policy.
Use undo password-control composition to restore the default.
Syntax
password-control composition type-number type-number [ type-length type-length ]
undo password-control composition
Default
In non-FIPS mode, the password using the global composition policy must contain at least one character
type from uppercase letters, lowercase letters, digits or special characters (see "password"), and at least
one character for each type.
In FIPS mode, the password using the global composition policy must contain four character types and
at least one character for each type.
In both non-FIPS and FIPS modes, the password composition policy for a user group is the same as the
global policy, and the password composition policy for a local user is the same as that of the user group
to which the local user belongs.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
type-number type-number: Specifies the minimum number of character types in the password. The value
range for the type-number argument is 1 to 4 in non-FIPS mode and fixed at 4 in FIPS mode.
type-length type-length: Specifies the minimum number of characters that are from each character type.
The value range for the type-length argument is 1 to 63 in non-FIPS mode, and 1 to 15 in FIPS mode.
Usage guidelines
The password composition policy depends on the view:
• The policy in system view has global significance and applies to all user groups.
• The policy in user group view applies to all local users in the user group.
• The policy in local user view applies only to the local user.
A password composition policy with a smaller application scope has higher priority. The system prefers
to use the password composition policy in local user view for a local user. If no policy is configured for
the local user, the system uses the policy for the user group to which the local user belongs. If no policy
is configured for the user group, the system uses the global policy.
Examples
# Specify that all passwords must each contain at least three character types and at least five characters
for each type.
<Sysname> system-view
[Sysname] password-control composition type-number 3 type-length 5
# Specify that the passwords of user group test must each contain at least three character types and at
least five characters for each type.
[Sysname] user-group test
[Sysname-ugroup-test] password-control composition type-number 3 type-length 5
[Sysname-ugroup-test] quit
# Specify that the passwords of local user abc must each contain at least three character types and at
least five characters for each type.
[Sysname] local-user abc
[Sysname-luser-abc] password-control composition type-number 3 type-length 5
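The composition, complexity and minimum-length rules described for password-control, together with the local user > user group > global precedence that the composition, length and aging commands share, can be checked offline. The following Python validator is an added example, not Comware code: its character types use only the special characters Table 83 lists, and "type-number N type-length M" is read as "at least N character types each contributing at least M characters", which is this example's interpretation.

```python
import string
from dataclasses import dataclass

# Special characters: only those that Table 83 on this page lists.
SPECIAL_CHARS = set("*@:,-%/~")


def char_type_counts(password):
    """Count characters per type; anything outside the four types counts for none."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        elif ch in SPECIAL_CHARS:
            counts["special"] += 1
    return counts


def effective(setting, local_user, user_group, global_policy, default=None):
    """Smaller scope wins: local user view, then user group view, then system view."""
    for scope in (local_user, user_group, global_policy):
        if scope.get(setting) is not None:
            return scope[setting]
    return default


@dataclass
class Policy:
    fips: bool = False
    length_enabled: bool = True          # minimum password length restriction function
    min_length: int = 10                 # password-control length (global default 10)
    composition_enabled: bool = True
    type_number: int = 1                 # password-control composition type-number
    type_length: int = 1                 # password-control composition type-length
    user_name_check: bool = False        # password-control complexity user-name check
    same_character_check: bool = False   # password-control complexity same-character check


def check_password(password, username, policy):
    """Return the list of violated rules (an empty list means the password is accepted)."""
    errors = []
    if policy.length_enabled:
        if len(password) < policy.min_length:
            errors.append(f"shorter than the minimum length of {policy.min_length}")
    else:
        # Page: control enabled but length restriction disabled means at least 4
        # characters (8 in FIPS mode) and at least 4 of them different.
        floor = 8 if policy.fips else 4
        if len(password) < floor or len(set(password)) < 4:
            errors.append(f"needs at least {floor} characters, at least 4 of them different")
    if policy.composition_enabled:
        counts = char_type_counts(password)
        types_ok = sum(1 for n in counts.values() if n >= policy.type_length)
        if types_ok < policy.type_number:
            errors.append(f"needs {policy.type_number} character types with at least "
                          f"{policy.type_length} characters each (has {types_ok})")
    if policy.user_name_check and username:
        # Plain substring match; case handling is not specified on the page.
        if username in password or username[::-1] in password:
            errors.append("contains the username or the reverse of the username")
    if policy.same_character_check:
        if any(password[i] == password[i + 1] == password[i + 2]
               for i in range(len(password) - 2)):
            errors.append("contains a character repeated three or more times consecutively")
    return errors


def check_for_user(password, username, local_user, user_group, global_policy):
    """Resolve the scoped settings the way the page describes, then validate.

    local_user, user_group and global_policy are dicts of the settings configured in
    each view; complexity checking exists in system view only.
    """
    policy = Policy(
        min_length=effective("min_length", local_user, user_group, global_policy, 10),
        type_number=effective("type_number", local_user, user_group, global_policy, 1),
        type_length=effective("type_length", local_user, user_group, global_policy, 1),
        user_name_check=global_policy.get("user_name_check", False),
        same_character_check=global_policy.get("same_character_check", False),
    )
    return check_password(password, username, policy)
```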
Related commands
• display password-control
• local-user
• user-group
password-control enable
Use password-control enable to enable the password control feature globally.
Use undo password-control enable to disable the password control feature globally.
Syntax
password-control enable
undo password-control enable
Default
In non-FIPS mode, the password control feature is disabled globally.
In FIPS mode, the password control feature is enabled globally and cannot be disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The password control functions take effect only after the password control feature is enabled globally.
In FIPS mode, you cannot disable the global password control feature even after you execute the undo
password-control enable command.
Examples
# Enable the password control feature globally.
<Sysname> system-view
[Sysname] password-control enable
Related commands
display password-control
password-control expired-user-login
Use password-control expired-user-login to set the maximum number of days and maximum number of
times that a user can log in after the password expires.
Use undo password-control expired-user-login to restore the defaults.
Syntax
password-control expired-user-login delay delay times times
undo password-control expired-user-login
Default
A user can log in three times within 30 days after the password expires.
Views
System view
Default command level
2: System level
Parameters
delay: Specifies the maximum number of days during which a user can log in using an expired password.
It must be in the range of 1 to 90.
times: Specifies the maximum number of times a user can log in after the password expires. The value
range is 0 to 10, and 0 means that a user cannot log in after the password expires.
Examples
# Specify that a user can log in 5 times within 60 days after the password expires.
<Sysname> system-view
[Sysname] password-control expired-user-login delay 60 times 5
Related commands
display password-control
password-control history
Use password-control history to set the maximum number of history password records for each user.
Use undo password-control history to restore the default.
Syntax
password-control history max-record-num
undo password-control history
Default
The maximum number of history password records for each user is 4.
Views
System view
Default command level
2: System level
Parameters
max-record-num: Specifies the maximum number of history password records for each user. The value
range is 2 to 15.
Examples
# Set the maximum number of history password records for each user to 10.
<Sysname> system-view
[Sysname] password-control history 10
password-control length
Use password-control length to set the minimum password length.
Use undo password-control length to restore the default.
Syntax
password-control length length
undo password-control length
Default
The global minimum password length is 10 characters. The minimum password length for a user group
equals the global setting. The minimum password length for a local user equals that of the user group to
which the local user belongs.
Views
System view, user group view, local user view
Default command level
2: System level
Parameters
length: Specifies the minimum password length in characters. The value range is 4 to 32 in non-FIPS
mode, and 8 to 32 in FIPS mode.
Usage guidelines
In non-FIPS mode, the minimum password length for a user group and a local user is four characters.
In FIPS mode, the minimum password length for a user group and a local user is eight characters.
The minimum length setting depends on the view:
• The setting in system view has global significance and applies to all user groups.
• The setting in user group view applies to all local users in the user group.
• The setting in local user view applies only to the local user.
A minimum password length with a smaller application scope has higher priority. The system prefers to
use the minimum password length in local user view for a local user. If no minimum password length is
configured for the local user, the system uses the minimum password length for the user group to which
the local user belongs. If no minimum password length is configured for the user group, the system uses
the global minimum password length.
Examples
# Set the global minimum password length to 9 characters.
<Sysname> system-view
[Sysname] password-control length 9
# Set the minimum password length to 9 characters for user group test.
[Sysname] user-group test
[Sysname-ugroup-test] password-control length 9
[Sysname-ugroup-test] quit
# Set the minimum password length to 9 characters for local user abc.
[Sysname] local-user abc
[Sysname-luser-abc] password-control length 9
Related commands
• display password-control
• local-user
• user-group
Syntax
password-control login idle-time idle-time
undo password-control login idle-time
Default
You cannot use a user account to log in to the device if the account has been idle for 90 days.
Views
System view
Default command level
2: System level
Parameters
idle-time: Specifies the maximum account idle time in days, in the range of 0 to 365. 0 means no
restriction for account idle time.
Examples
# Set the maximum account idle time to 30 days.
<Sysname> system-view
[Sysname] password-control login idle-time 30
Related commands
display password-control
password-control login-attempt
Use password-control login-attempt to specify the maximum number of consecutive failed login attempts
and the action to be taken when a user fails to log in after the specified number of attempts.
Use undo password-control login-attempt to restore the default.
Syntax
password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ]
undo password-control login-attempt
Default
The maximum number of consecutive failed login attempts is 3, and a user failing to log in after the
specified number of attempts must wait for 1 minute before trying again.
Views
System view
Default command level
2: System level
Parameters
login-times: Specifies the maximum number of consecutive failed login attempts, in the range of 2 to 10.
exceed: Specifies the action to be taken when a user fails to log in after the specified number of attempts.
lock: Permanently prohibits a user who fails to log in after the specified number of attempts from logging
in.
lock-time time: Forces a user who fails to log in after the specified number of attempts to wait for a period
of time before trying again. The time argument is in minutes and in the range of 1 to 360.
unlock: Allows a user who fails to log in after the specified number of attempts to continue trying to log
in.
Usage guidelines
If prohibited permanently, a user can log in only after you remove the user from the password control
blacklist.
If prohibited temporarily, a user can log in again after the lock time elapses or an administrator removes
the user from the password control blacklist.
If not prohibited from logging in, a user is removed from the password control blacklist as soon as the user
logs in successfully or after the blacklist aging time (1 minute) elapses.
Examples
# Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the
user fails to log in after four attempts.
<Sysname> system-view
[Sysname] password-control login-attempt 4 exceed lock
Later, if a user fails to log in after four attempts, you can find it in the password control blacklist, with its
status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 4 Lock flag: lock
Later, if a user tries to log in but fails two times, you can find it in the password control blacklist, with its
status changed from unlock to lock:
[Sysname] display password-control blacklist
Username: test
IP: 192.168.44.1 Login failed times: 2 Lock flag: lock
After 3 minutes, the user is removed from the password control blacklist and can log in again.
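The blacklist behaviour for the three exceed actions (lock, lock-time, unlock) can be modelled as a small state machine. The Python below is an added example, not Comware code; it keys entries on (username, IP) as the display output suggests, uses the 1-minute blacklist aging time the page gives for the unlock case, and treats an elapsed lock-time as removing the entry, which is a simplification.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    username: str
    ip: str
    failed_times: int = 0
    lock_flag: str = "unlock"
    last_failure: float = 0.0          # seconds on the caller's clock


class LoginAttemptControl:
    """Model of 'password-control login-attempt <n> [exceed {lock | lock-time t | unlock}]'."""

    BLACKLIST_AGING = 60               # page: unlocked entries age out after 1 minute

    def __init__(self, login_times=3, exceed="lock-time", lock_time=1):
        if not 2 <= login_times <= 10:
            raise ValueError("login-times must be 2 to 10")
        if exceed not in ("lock", "lock-time", "unlock"):
            raise ValueError("exceed must be lock, lock-time or unlock")
        if exceed == "lock-time" and not 1 <= lock_time <= 360:
            raise ValueError("lock-time is 1 to 360 minutes")
        self.login_times, self.exceed, self.lock_time = login_times, exceed, lock_time
        self.blacklist = {}            # (username, ip) -> Entry

    def _age_out(self, now):
        for key, e in list(self.blacklist.items()):
            if e.lock_flag == "unlock" and now - e.last_failure >= self.BLACKLIST_AGING:
                del self.blacklist[key]
            elif (e.lock_flag == "lock" and self.exceed == "lock-time"
                  and now - e.last_failure >= self.lock_time * 60):
                del self.blacklist[key]    # temporary prohibition has elapsed

    def attempt(self, username, ip, credentials_ok, now):
        """Process one login attempt; return True if the login is accepted."""
        self._age_out(now)
        key = (username, ip)
        entry = self.blacklist.get(key)
        if entry is not None and entry.lock_flag == "lock":
            return False                   # locked: refused regardless of the password
        if credentials_ok:
            self.blacklist.pop(key, None)  # successful login removes the entry
            return True
        if entry is None:
            entry = self.blacklist[key] = Entry(username, ip)
        entry.failed_times += 1
        entry.last_failure = now
        if entry.failed_times >= self.login_times and self.exceed != "unlock":
            entry.lock_flag = "lock"       # 'unlock' only keeps counting
        return False

    def reset_blacklist(self, username=None):
        """reset password-control blacklist [ all | user-name name ]; returns entries removed."""
        keys = [k for k in self.blacklist if username is None or k[0] == username]
        for k in keys:
            del self.blacklist[k]
        return len(keys)

    def display_blacklist(self):
        """Entries in the shape of 'display password-control blacklist' on the page."""
        return [f"Username: {e.username}\nIP: {e.ip} Login failed times: {e.failed_times} "
                f"Lock flag: {e.lock_flag}" for e in self.blacklist.values()]
```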
Related commands
• display password-control
• display password-control blacklist
• reset password-control blacklist
password-control password update interval
Use password-control password update interval to set the minimum password update interval, that is,
the minimum interval at which users can change their passwords.
Use undo password-control password update interval to restore the default.
Syntax
password-control password update interval interval
undo password-control password update interval
Default
The minimum password update interval is 24 hours.
Views
System view
Default command level
2: System level
Parameters
interval: Specifies the minimum password update interval in hours, in the range of 0 to 168. 0 means no
requirements for password update interval.
Usage guidelines
This function does not apply when a user is prompted to change the password at first login or after the
password has expired.
Examples
# Set the minimum password update interval to 36 hours.
<Sysname> system-view
[Sysname] password-control password update interval 36
Related commands
display password-control
Default command level
2: System level
Parameters
aging-time: Specifies the super password aging time in days, in the range of 1 to 365.
Usage guidelines
If you do not specify an aging time for super passwords, the system applies the global password aging
time to super passwords.
If you have specified an aging time for super passwords, the system applies the aging time to super
passwords.
Examples
# Set the aging time for super passwords to 10 days.
<Sysname> system-view
[Sysname] password-control super aging 10
Related commands
password-control aging
Examples
# Specify that each super password must contain at least three character types and at least five
characters for each type.
<Sysname> system-view
[Sysname] password-control super composition type-number 3 type-length 5
Related commands
password-control composition
Related commands
password-control length
Syntax
reset password-control blacklist [ all | user-name name ]
Views
User view
Default command level
3: Manage level
Parameters
all: Clears all users in the password control blacklist.
user-name name: Specifies the user to be removed from the password control blacklist. The name
argument is the username, a case-sensitive string of 1 to 80 characters.
Examples
# Delete the user named test from the password control blacklist.
<Sysname> reset password-control blacklist user-name test
Are you sure to delete the specified user in blacklist? [Y/N]:
Related commands
display password-control blacklist
Are you sure to delete all local user's history records? [Y/N]:
HABP configuration commands
display habp
Use display habp to display HABP configuration information.
Syntax
display habp [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If the HABP function is not enabled on the device, this command does not display the HABP configuration.
It only displays the running status of the HABP function.
Examples
# Display HABP configuration information.
<Sysname> display habp
Global HABP information:
HABP Mode: Server
Sending HABP request packets every 20 seconds
Bypass VLAN: 2
Field Description
HABP Mode HABP mode of the current device: Server or Client.
display habp table
Use display habp table to display HABP MAC address table entries.
Syntax
display habp table [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command applies only to an HABP server to display the MAC address entries collected by the HABP
server.
Examples
# On the HABP server, display HABP MAC address table entries.
<Sysname> display habp table
MAC Holdtime Receive Port
001f-3c00-0030 53 Ethernet1/1
Field Description
MAC MAC address.
Holdtime Lifetime of an entry in seconds. The initial value is three times the interval to send HABP request packets. An entry will age out if it is not updated during the period.
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display HABP packet statistics.
<Sysname> display habp traffic
HABP counters :
Packets output: 48, Input: 36
ID error: 0, Type error: 0, Version error: 0
Sent failed: 0
Field Description
Packets output Number of HABP packets sent.
Parameters
vlan-id: Specifies the ID of the VLAN in which HABP packets are to be transmitted. The value range is 1
to 4094.
Examples
# Specify the HABP client to belong to VLAN 2.
<Sysname> system-view
[Sysname] habp client vlan 2
habp enable
Use habp enable to enable HABP.
Use undo habp enable to disable HABP.
Syntax
habp enable
undo habp enable
Default
HABP is enabled.
Views
System view
Default command level
2: System level
Examples
# Enable HABP.
<Sysname> system-view
[Sysname] habp enable
Parameters
vlan-id: Specifies the ID of the VLAN in which HABP packets are to be transmitted. The value range is 1
to 4094.
Usage guidelines
In a cluster, if a member device with 802.1X authentication or MAC authentication enabled is attached
to some other member devices of the cluster, you must also configure HABP server on this device.
Otherwise, the cluster management device will not be able to manage the devices attached to this
member device. For information about the cluster function, see Network Management and Monitoring
Configuration Guide.
Examples
# Configure HABP to operate in server mode and specify the VLAN for HABP packets as VLAN 2.
<Sysname> system-view
[Sysname] habp server vlan 2
habp timer
Use habp timer to set the interval at which the device sends HABP request packets.
Use undo habp timer to restore the default.
Syntax
habp timer interval
undo habp timer
Default
The default interval is 20 seconds.
Views
System view
Default command level
2: System level
Parameters
interval: Specifies the interval (in seconds) at which the device sends HABP request packets. The value
range is 5 to 600.
Usage guidelines
This command is required only on the HABP server.
Examples
# Set the interval at which the device sends HABP request packets to 50 seconds.
<Sysname> system-view
[Sysname] habp timer 50
URPF configuration commands
ip urpf
Use ip urpf to enable URPF check on an interface to prevent source address spoofing attacks.
Use undo ip urpf to disable URPF check.
Syntax
ip urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]
undo ip urpf
Default
URPF check is disabled.
Views
Interface view
Default command level
2: System level
Parameters
loose: Enables loose URPF check. To pass loose URPF check, the source address of a packet must match
the destination address of a FIB entry.
strict: Enables strict URPF check. To pass strict URPF check, the source address and receiving interface of
a packet must match the destination address and output interface of a FIB entry.
allow-default-route: Allows using the default route for URPF check.
acl acl-number: ACL number in the range of 2000 to 3999.
• For a basic ACL, the value range is 2000 to 2999.
• For an advanced ACL, the value range is 3000 to 3999.
Usage guidelines
Configuring URPF in interface view takes effect only on the interface.
You can use the display ip interface command to view statistics about packets discarded by URPF.
Examples
# Configure strict URPF check on interface Ethernet 1/2, which allows using the default route and uses
ACL 2999 to match packets.
<Sysname> system-view
[Sysname] interface ethernet 1/2
[Sysname-Ethernet1/2] ip urpf strict allow-default-route acl 2999
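The loose and strict checks described under the ip urpf parameters, modelled over a small FIB. This is an added example written for this page, not Comware code: the FIB entries, interface names and packet list are constructed, the allow-default-route behaviour follows the parameter description above, and the acl option is not modelled.

```python
"""Loose vs. strict unicast RPF check as described for the ip urpf command.

Added example, not Comware code. The FIB is a list of (destination prefix,
output interface) pairs; allow_default_route decides whether the 0.0.0.0/0
entry may satisfy the check, as the allow-default-route keyword does.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

FibEntry = Tuple[IPv4Network, str]

# Constructed sample FIB: destination prefix -> output interface.
SAMPLE_FIB: List[FibEntry] = [
    (IPv4Network("10.1.0.0/16"), "Ethernet1/2"),
    (IPv4Network("10.2.0.0/16"), "Ethernet1/3"),
    (IPv4Network("192.0.2.0/24"), "Ethernet1/1"),
    (IPv4Network("0.0.0.0/0"), "Ethernet1/1"),   # default route
]

# Constructed packets: (source address, receiving interface).
SAMPLE_PACKETS = [
    ("10.1.5.5", "Ethernet1/2"),     # symmetric path: passes both modes
    ("10.1.5.5", "Ethernet1/3"),     # asymmetric: loose passes, strict drops
    ("10.2.7.7", "Ethernet1/2"),     # asymmetric: loose passes, strict drops
    ("203.0.113.9", "Ethernet1/2"),  # only the default route matches
    ("203.0.113.9", "Ethernet1/1"),  # default route via the receiving interface
]


def fib_lookup(fib: List[FibEntry], address: str,
               allow_default_route: bool = False) -> Optional[FibEntry]:
    """Longest-prefix match of address against the FIB.

    The default route is only considered when allow_default_route is set,
    otherwise a source that is reachable solely via 0.0.0.0/0 has no entry.
    """
    ip = IPv4Address(address)
    best: Optional[FibEntry] = None
    for net, out_if in fib:
        if net.prefixlen == 0 and not allow_default_route:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    return best


def urpf_check(fib: List[FibEntry], source: str, in_interface: str,
               mode: str = "strict", allow_default_route: bool = False) -> bool:
    """True if the packet passes the URPF check, False if it is discarded.

    loose : a FIB entry whose destination matches the source address exists.
    strict: that entry's output interface must also be the receiving interface.
    """
    entry = fib_lookup(fib, source, allow_default_route)
    if entry is None:
        return False            # no route back to the source: treated as spoofed
    if mode == "loose":
        return True
    if mode == "strict":
        return entry[1] == in_interface
    raise ValueError("mode must be 'loose' or 'strict'")


def filter_packets(fib: List[FibEntry], packets, mode: str,
                   allow_default_route: bool = False):
    """Apply the check to (source, in_interface) pairs.

    Returns (forwarded packets, discarded count); the discarded count is the
    figure display ip interface would report for the interface.
    """
    forwarded, discarded = [], 0
    for src, in_if in packets:
        if urpf_check(fib, src, in_if, mode, allow_default_route):
            forwarded.append((src, in_if))
        else:
            discarded += 1
    return forwarded, discarded


if __name__ == "__main__":
    for mode in ("loose", "strict"):
        for allow in (False, True):
            _, dropped = filter_packets(SAMPLE_FIB, SAMPLE_PACKETS, mode, allow)
            print("%-6s allow-default-route=%-5s discarded=%d" % (mode, allow, dropped))
```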
WLAN client isolation commands
wlan-client-isolation enable
Use wlan-client-isolation enable to enable WLAN client isolation.
Use undo wlan-client-isolation enable to disable WLAN client isolation.
Syntax
wlan-client-isolation enable
undo wlan-client-isolation enable
Default
WLAN client isolation is disabled.
Views
System view
Default command level
2: System level
Examples
# Disable WLAN client isolation.
<Sysname> system-view
[Sysname] undo wlan-client-isolation enable
Group domain VPN commands
KS configuration commands
display gdoi ks
Use display gdoi ks to display GDOI KS information.
Syntax
display gdoi ks [ group group-name ]
Views
User view
Default command level
1: Monitor level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
If you do not specify this option, the command displays KS information for all GDOI KS groups.
Examples
# Display KS information for the GDOI KS group abc.
<Sysname> display gdoi ks group abc
Group Name: abc
Group identity : 8
Group members : 0
Redundancy : Enabled
Local address : 105.112.100.2
Local version : 1.0
Local priority : 10
Local role : Primary
Hello interval : 20 sec
Hello number : 3
Retransmit interval : 10 sec
Retransmit attempts : 2
Rekey transport type : Multicast
Rekey lifetime : 300 sec
Rekey retransmit period : 10 sec
Rekey retransmit attempts : 2
# Display KS information for all GDOI KS groups.
<Sysname> display gdoi ks
Group Name: abc
Group identity : 8
Group members : 0
Redundancy : Enabled
Local address : 105.112.100.2
Local version : 1.0
Local priority : 10
Local role : Primary
Hello interval : 20 sec
Hello number : 3
Retransmit interval : 10 sec
Retransmit attempts : 2
Rekey transport type : Multicast
Rekey lifetime : 300 sec
Rekey retransmit period : 10 sec
Rekey retransmit attempts: 2
Profile name : profile-xyz2
ACL configured : 3001
Field Description
Group Name Name of the GDOI KS group.
IPsec rekey lifetime IPsec SA lifetime. When the lifetime is about to expire, the KS sends rekey messages to update the TEK.
Examples
# Display ACLs referenced by the GDOI KS group abc.
<Sysname> display gdoi ks acl group abc
Group Name: abc
ACL abc
rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0
rule 1 permit tcp source 1.1.0.0 0.0.255.255 destination 2.2.0.0 0.0.255.255
rule 2 permit ip
Field Description
Group Name GDOI KS group name.
Usage guidelines
If you do not specify the group group-name option, the command displays information about online GMs
with the specified IP address in all GDOI KS groups.
If you do not specify the ip ip-address option, the command displays information about all online GMs
in the specified GDOI KS group.
If you do not specify any parameter, the command displays information about all online GMs in all
GDOI KS groups.
Examples
# Display information about all online GMs in all GDOI KS groups.
<Sysname> display gdoi ks members
Group Name: farg
Group member ID : 80.1.1.98
Group member version : 1.0
Group ID : 7777
Key server ID : 90.1.1.1
Rekeys sent : 0
Rekey retries : 0
Rekey ACKs received : 0
Rekey ACKs missed : 0
Field Description
Group Name GDOI KS group name.
Group member version GM version. If no GM version is obtained, this field displays Unknown.
display gdoi ks policy
Use display gdoi ks policy to display policy information for GDOI KS groups.
Syntax
display gdoi ks policy [ group group-name ]
Views
User view
Default command level
1: Monitor level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
If you do not specify this option, the command displays policy information for all GDOI KS groups.
Examples
# Display policy information for all GDOI KS groups.
<Sysname> display gdoi ks policy
Group Name: GDOI-GROUP8
Server IP: 90.1.1.1
TEK policy:
Encapsulation : Tunnel
SPI : 0x3EE98709
ACL : frag
Transform : ESP-ENCRYPT-DES ESP-AUTH-MD5
Lifetime : 50000 sec
Remaining lifetime : 25996 sec
Field Description
Group Name GDOI KS group name.
Server IP IP address of the local GDOI KS, which is the IP address configured by the source address command.
Field Description
SPI SPI of the rekey SA or that of the IPsec SA.
Signature key name Name of the key pair used for signature.
Peers:
Peer address : 174.1.1.1
Peer version : Unknown
Peer priority : Unknown
Peer role : Unknown
Peer status : Down
Field Description
Group Name GDOI KS group name.
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
If you do not specify this option, the command displays rekey information for all GDOI KS groups.
Examples
# Display rekey information for all GDOI KS groups.
<Sysname> display gdoi ks rekey
Group Name: handl
Rekey transport type : Multicast
Number of rekeys sent : 0
Number of rekeys retransmitted : 0
Retransmit period : 10 sec
Number of retransmissions : 10
Multicast destination address : 230.1.1.1
KEK rekey lifetime : 10000 sec
Remaining lifetime : 6092 sec
IPsec 1 lifetime : 86400 sec
Remaining lifetime : 1234 sec
Group Name:abcd
Rekey transport type : Unicast
Number of rekeys sent : 0
Number of rekeys retransmitted : 0
Retransmit period : 10 sec
Number of retransmissions : 2
KEK rekey lifetime : 0 sec
IPsec 1 lifetime : 1000 sec
Group Name:test
Rekey transport type : Multicast
Number of rekeys sent : 0
Number of rekeys retransmitted : 0
Retransmit period : 10 sec
Number of retransmissions : 1
Multicast destination address : 239.192.1.190
Table 92 Command output
Field Description
Group Name GDOI KS group name.
gdoi ks group
Use gdoi ks group to create a GDOI KS group and enter GDOI KS group view.
Use undo gdoi ks group to delete a GDOI KS group.
Syntax
gdoi ks group group-name
undo gdoi ks group group-name
Default
No GDOI KS group exists.
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a name for the GDOI KS group, a case-sensitive string of 1 to 63 characters.
Examples
# Create a GDOI KS group named abc, and enter its view.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc]
Related commands
display gdoi ks
Views
System view
Default command level
2: System level
Parameters
port-number: Specifies a UDP port number in the range of 1 to 65535.
Usage guidelines
A GDOI KS uses the UDP port number configured in this command to send and receive redundancy
protocol packets to and from the other KSs. All KSs in the same GDOI KS group must use the same UDP
port number. Otherwise, redundancy protocol packets cannot be exchanged between the KSs.
Examples
# Set the UDP port number for listening to redundancy protocol packets to 20000.
<Sysname> system-view
[Sysname] gdoi ks redundancy port 20000
Related commands
gdoi ks group
gdoi ks rekey
Use gdoi ks rekey to enforce rekey.
Syntax
gdoi ks rekey [ group group-name ]
Views
User view
Default command level
2: System level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
If you do not specify this option, the command clears KS information for all GDOI KS groups on the local
KS.
Usage guidelines
A rekey refers to the process that a GDOI KS updates the TEK or KEK key and then sends the updated key
to GMs.
Typically, a GDOI KS performs rekeys periodically. A KEK rekey interval is configured by the rekey
lifetime command. A TEK rekey interval is determined by the IPsec SA lifetime. To trigger GDOI KSs to
perform rekeys immediately, execute this command.
You can use the display gdoi ks rekey command and the display gdoi ks policy command to view rekey
statistics and key information.
Examples
# Enforce the GDOI KS group abc to rekey.
<Sysname> gdoi ks rekey group abc
identity address
Use identity address to configure an IP address for the GDOI KS group.
Use undo identity to delete the IP address of the GDOI KS group.
Syntax
identity address address
undo identity
Default
No IP address is configured for a GDOI KS group.
Views
GDOI KS group view
Default command level
2: System level
Parameters
address: Specifies any valid IPv4 address to identify the GDOI KS group.
Usage guidelines
You can configure only one type of ID (either an IP address or a number) for a GDOI KS group. A GDOI
KS group uses the IP address or the number, whichever is configured later.
Examples
# Configure the IP address of the GDOI KS group abc as 202.202.202.10.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] identity address 202.202.202.10
Related commands
• identity number
• gdoi ks group
identity number
Use identity number to configure a number for the GDOI KS group.
Use undo identity to delete the GDOI KS group number.
Syntax
identity number number
undo identity
Default
No number is configured for a GDOI KS group.
Views
GDOI KS group view
Default command level
2: System level
Parameters
number: Specifies a number in the range of 0 to 2147483647 to identify the GDOI KS group.
Usage guidelines
You can configure only one type of ID (either an IP address or a number) for a GDOI KS group. A GDOI
KS group uses the IP address or the number, whichever is configured later.
Examples
# Configure the number of the GDOI KS group abc as 123456.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] identity number 123456
Related commands
• identity address
• gdoi ks group
ipsec
Use ipsec to create an IPsec policy for the GDOI KS group and enter GDOI KS IPsec policy view.
Use undo ipsec to delete an IPsec policy for the GDOI KS group.
Syntax
ipsec sequence-number
undo ipsec sequence-number
Default
No IPsec policy is created for a GDOI KS group.
Views
GDOI KS group view
Default command level
2: System level
Parameters
sequence-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535.
Usage guidelines
You can create multiple IPsec policies for a GDOI KS group. An IPsec policy with a smaller sequence number
has a higher priority. A KS can send multiple IPsec policies to GMs at a time, and GMs apply the IPsec
policies in priority order, starting with the one with the highest priority.
Deleting an IPsec policy from a GDOI KS group also deletes the TEK that corresponds to that IPsec policy.
Examples
# Create IPsec policy 10 for the GDOI KS group abc and enter its view.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] ipsec 10
[Sysname-gdoi-ks-group-abc-ipsec-10]
Related commands
gdoi ks group
local priority
Use local priority to configure the GDOI KS local priority.
Use undo local priority to restore the default.
Syntax
local priority priority
undo local
Default
The local priority of the GDOI KS is 1.
Views
GDOI KS group view
Default command level
2: System level
Parameters
priority: Specifies the local priority of the GDOI KS, in the range of 1 to 65535. A higher number
represents a higher priority.
Usage guidelines
The GDOI KS local priority takes effect only when GDOI KS redundancy is enabled with the redundancy
enable command.
The local priority specifies the priority of the local KS for primary KS election. A KS with a higher local
priority is more likely to be elected as the primary KS. If multiple KSs have the same priority, the KS with
the highest IP address is elected as the primary KS. When a KS is added to a GDOI KS group that
already has a primary KS, the KS can only be a secondary KS, even though its priority is higher than
the primary KS priority.
Examples
# Enable GDOI KS group redundancy, and set the GDOI KS local priority to 10.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] redundancy enable
[Sysname-gdoi-ks-group-abc] local priority 10
[Sysname-gdoi-ks-group-abc]
Related commands
• gdoi ks group
• redundancy enable
peer address
Use peer address to specify the IP address of a peer KS.
Use undo peer address to delete a peer KS IP address.
Syntax
peer address ip-address
undo peer address ip-address
Default
No IP address of a peer KS is specified.
Views
GDOI KS group view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of a peer KS.
Usage guidelines
You can specify multiple peer KS IP addresses by executing this command multiple times.
The peer IP address configuration takes effect only when KS redundancy is enabled with the redundancy
enable command.
In a GDOI KS redundancy scenario, the IP address of a peer KS specified on the local KS must be the
same as the source address that the peer KS uses to send redundancy protocol packets.
Examples
# Enable GDOI KS group redundancy, and specify 13.1.1.1 as a peer KS address.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] redundancy enable
[Sysname-gdoi-ks-group-abc] peer address 13.1.1.1
[Sysname-gdoi-ks-group-abc]
Related commands
• gdoi ks group
• redundancy enable
• source address
Default
A GDOI KS group IPsec policy does not reference any IPsec profile.
Views
GDOI KS group IPsec policy view
Default command level
2: System level
Parameters
ipsec-profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 15 characters.
Examples
# Create IPsec policy 10 for GDOI KS group abc, and reference IPsec profile profile1 for the IPsec policy.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] ipsec 10
[Sysname-gdoi-ks-group-abc-ipsec-10] profile profile1
[Sysname-gdoi-ks-group-abc-ipsec-10]
Related commands
• gdoi ks group
• ipsec
redundancy enable
Use redundancy enable to enable GDOI KS redundancy.
Use undo redundancy enable to disable GDOI KS redundancy.
Syntax
redundancy enable
undo redundancy enable
Default
GDOI KS redundancy is disabled.
Views
GDOI KS group view
Default command level
2: System level
Usage guidelines
GDOI KS redundancy enables a group of KSs to work together for high availability and load sharing.
One KS is the primary KS, and others are secondary KSs. Secondary KSs back up data for the primary
KS and can accept registrations from GMs.
Examples
# Enable GDOI KS redundancy in GDOI KS group abc.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] redundancy enable
[Sysname-gdoi-ks-group-abc]
Related commands
gdoi ks group
redundancy hello
Use redundancy hello to configure the redundancy hello packet sending interval, and the maximum
number of consecutive failures allowed in receiving redundancy hello packets before the secondary KS
considers itself disconnected from the primary KS.
Use undo redundancy hello to restore the default.
Syntax
redundancy hello { interval interval | number number } *
undo redundancy hello [ interval | number ]
Default
As the primary KS, the device sends redundancy hello packets at an interval of 20 seconds. As a
secondary KS, the device initiates primary KS re-election when it fails to receive redundancy hello
packets from the primary KS three times in a row.
Views
GDOI KS group view
Default command level
2: System level
Parameters
interval interval: Specifies the redundancy hello packet sending interval in the range of 20 to 60
seconds.
number number: Specifies the maximum number of consecutive failures allowed in receiving redundancy
hello packets, in the range of 3 to 10.
Usage guidelines
The primary KS periodically sends hello packets to all secondary KSs to inform the secondary KSs of the
keepalive status. The secondary KSs are not required to respond to the hello packets.
After primary KS selection, the primary KS informs the secondary KS of the keepalive time. If a secondary
KS does not receive the redundancy hello packets from the primary KS after the configured number of
attempts, it considers itself disconnected from the primary KS, and triggers primary KS re-election.
When the primary KS detects a disconnection from a secondary KS, it informs the secondary KS of the
disconnection through hello packets. The secondary KS tries to reestablish a connection with the primary
KS if it receives the hello packet. If the connection cannot be established, primary KS re-election is
triggered.
Do not set a long hello packet sending interval. Otherwise, secondary KSs cannot detect a primary KS
failure or a link failure in time.
You can increase the value of the number argument for KSs connected over unreliable links to avoid
unnecessary primary KS re-elections caused by link transmission failures.
Examples
# Set the redundancy hello packet sending interval to 30 seconds, and the maximum number of
consecutive failures in receiving redundancy hello packets to 3.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] redundancy hello interval 30 number 3
Related commands
display gdoi ks
redundancy retransmit
Use redundancy retransmit to configure the redundancy protocol packet retransmission interval and the
maximum number of retransmissions.
Use undo redundancy retransmit to restore the default.
Syntax
redundancy retransmit { interval interval | number number } *
undo redundancy retransmit [ interval | number ]
Default
The retransmission interval is 10 seconds, and the maximum number of retransmissions is 2.
Views
GDOI KS group view
Default command level
2: System level
Parameters
interval interval: Specifies the redundancy protocol packet retransmission interval in the range of 10 to
60 seconds.
number number: Specifies the maximum number of retransmissions, in the range of 2 to 5.
Usage guidelines
During KS election and data exchange, the local KS sends redundancy protocol packets (except hello
packets) to peer KSs. If the local KS does not receive a response from a peer KS within the retransmission
interval, the local KS retransmits the packets to the peer KS. If the maximum number of retransmissions is
exceeded, the local KS sets the peer KS state to Down. Packets to be retransmitted include priority
requests, main advertisement packets, data mergence packets, data updates, and data synchronization
packets.
On an unreliable network, you can increase the retransmission interval or retransmission number to
avoid KS split. If a KS loses contact with the primary KS, it splits from the KS group and elects itself as
the primary KS. The KS group might then have multiple primary KSs.
Examples
# Set the redundancy protocol packets retransmission interval to 30 seconds, and the maximum number
of retransmissions to 3.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] redundancy retransmit interval 30 number 3
Related commands
display gdoi ks
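The election, hello-loss and retransmission rules stated under local priority, redundancy hello and redundancy retransmit, carried through in one model. This is an added example written for this page, not Comware code: the KeyServer/KsGroup classes, the IP addresses, and the "ack_on_attempt" way of describing when a constructed peer answers are assumptions; the default timer values and ranges are those given above.

```python
"""GDOI KS redundancy behaviour: primary KS election (local priority),
hello-loss detection (redundancy hello) and redundancy protocol packet
retransmission (redundancy retransmit).

Added example written for this page, not Comware code. Only the rules the
page states are modelled; addresses and timers are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class KeyServer:
    ip: str
    priority: int = 1           # local priority default (range 1 to 65535)
    role: str = "Secondary"     # "Primary" or "Secondary"
    state: str = "Up"           # peer state as seen by the local KS


@dataclass
class KsGroup:
    hello_interval: int = 20        # redundancy hello interval, seconds (20 to 60)
    hello_number: int = 3           # consecutive hello losses tolerated (3 to 10)
    retransmit_interval: int = 10   # redundancy retransmit interval, seconds (10 to 60)
    retransmit_number: int = 2      # maximum retransmissions (2 to 5)
    members: List[KeyServer] = field(default_factory=list)

    def primary(self) -> Optional[KeyServer]:
        return next((ks for ks in self.members if ks.role == "Primary"), None)

    def elect(self) -> KeyServer:
        """Highest local priority wins; a tie goes to the highest IP address."""
        winner = max(self.members,
                     key=lambda ks: (ks.priority, int(IPv4Address(ks.ip))))
        for ks in self.members:
            ks.role = "Primary" if ks is winner else "Secondary"
        return winner

    def add(self, ks: KeyServer) -> KeyServer:
        """A KS joining a group that already has a primary stays secondary even
        if its priority is higher; only a group without a primary elects one."""
        self.members.append(ks)
        if self.primary() is None:
            self.elect()
        else:
            ks.role = "Secondary"
        return self.primary()

    def detection_time(self) -> int:
        """Worst-case seconds before a secondary declares the primary gone:
        hello interval times the number of consecutive losses allowed."""
        return self.hello_interval * self.hello_number

    def hello_missed(self, consecutive_misses: int) -> Optional[KeyServer]:
        """Secondary-side view: once hello_number consecutive hello packets are
        missed, the primary is considered disconnected and re-election runs among
        the KSs still reachable. Returns the new primary, or None if nothing changed."""
        if consecutive_misses < self.hello_number:
            return None
        old = self.primary()
        if old is not None:
            self.members.remove(old)
        return self.elect() if self.members else None

    def send_with_retransmit(self, peer: KeyServer, ack_on_attempt: int) -> int:
        """Send a redundancy protocol packet (not a hello) and retransmit every
        retransmit_interval seconds until the peer answers. ack_on_attempt is the
        1-based attempt at which the constructed peer responds (0 = never).
        Returns the number of transmissions; the peer is set Down when the maximum
        number of retransmissions is exceeded without a response."""
        max_attempts = 1 + self.retransmit_number   # first send plus retransmissions
        for attempt in range(1, max_attempts + 1):
            if attempt == ack_on_attempt:
                peer.state = "Up"
                return attempt
        peer.state = "Down"
        return max_attempts


if __name__ == "__main__":
    group = KsGroup()
    for ks in (KeyServer("10.0.0.1", 10), KeyServer("10.0.0.2", 10), KeyServer("10.0.0.3", 50)):
        print("added %s -> primary is %s" % (ks.ip, group.add(ks).ip))
    print("primary failure detected within %d s" % group.detection_time())
    print("after 3 missed hellos, new primary: %s" % group.hello_missed(3).ip)
```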
rekey acl
Use rekey acl to specify the rekey ACL, which specifies the source and destination addresses for multicast
rekey messages.
Use undo rekey acl to remove the rekey ACL.
Syntax
rekey acl { access-list-number | name access-list-name }
undo rekey acl
Default
No source or destination address is specified for multicast rekey messages.
Views
GDOI KS group view
Default command level
2: System level
Parameters
access-list-number: Specifies an ACL by its number in the range of 3000 to 3999.
name access-list-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If the multicast rekey method is used, you must specify the rekey ACL. Otherwise, the KS cannot generate
the KEK or send rekey messages.
If the source address command is configured, the source address of the multicast rekey message is that
configured by the source address command.
If the source address command is not configured, you must specify a source address in the first rule of the
rekey ACL. The multicast rekey messages use the specified source address.
The KS ignores the permit or deny keyword in rules of the rekey ACL.
Examples
# Specify ACL 3000 as the rekey ACL for the GDOI KS group abc.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey acl 3000
Related commands
• gdoi ks group
• source address
rekey authentication
Use rekey authentication to specify the key pair to be used by the KS during a rekey.
Use undo rekey authentication to remove the specified key pair.
Syntax
rekey authentication public-key rsa key-name
undo rekey authentication
Default
No key pair is specified for a rekey.
Views
GDOI KS group view
Default command level
2: System level
Parameters
public-key: Specifies the local key pair.
rsa: Specifies the public key algorithm as RSA.
key-name: Specifies the key pair name, a case-insensitive string of 1 to 64 characters.
Usage guidelines
The KS sends the public key of the key pair to GMs in rekey messages. The GMs use the public key to
authenticate the rekey messages from the KS.
Examples
# Specify the rekey key pair as mykey for the GDOI KS group abc.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey authentication public-key rsa mykey
Related commands
gdoi ks group
rekey encryption
Use rekey encryption to specify the rekey encryption algorithm.
Use undo rekey encryption to restore the default.
Syntax
rekey encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
undo rekey encryption
Default
The encryption algorithm is 3des-cbc.
Views
GDOI KS group view
Default command level
2: System level
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the rekey encryption algorithm as AES-CBC-192 for the GDOI KS group abc.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey encryption aes-cbc-192
Related commands
gdoi ks group
rekey lifetime
Use rekey lifetime to configure the KEK lifetime.
Use undo rekey lifetime to restore the default.
Syntax
rekey lifetime seconds number-of-seconds
undo rekey lifetime seconds
Default
The KEK lifetime is 86400 seconds.
Views
GDOI KS group view
Default command level
2: System level
Parameters
seconds number-of-seconds: Specifies a time-based lifetime for KEKs, in the range of 300 to 86400
seconds.
Usage guidelines
The TEK lifetime is the IPsec SA lifetime, which is determined by the IPsec SA lifetime configured in the
IPsec profile.
Examples
# Configure the KEK lifetime as 3600 seconds for the GDOI KS group abc.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey lifetime seconds 3600
Related commands
gdoi ks group
rekey retransmit
Use rekey retransmit to specify the interval between rekey retransmissions and the maximum number of
retransmissions.
Syntax
rekey retransmit { interval interval | number number } *
undo rekey retransmit [ interval | number ]
Default
The retransmission interval is 10 seconds, and the maximum number of retransmissions is 2.
Views
GDOI KS group view
Default command level
2: System level
Parameters
interval interval: Specifies the rekey retransmission interval in the range of 10 to 60 seconds. The default
interval is 10 seconds.
number number: Specifies the maximum number of rekey retransmissions, in the range of 1 to 10. The
default value is 2.
Examples
# Specify the rekey retransmission interval as 30 seconds and the maximum number of retransmissions
as 3 for the GDOI KS group abc.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] rekey retransmit interval 30 number 3
Related commands
gdoi ks group
[Sysname-gdoi-ks-group-abc] rekey transport unicast
Related commands
gdoi ks group
reset gdoi ks
Use reset gdoi ks to clear GDOI KS group information, including keys, online GMs, and the role in
redundancy backup.
Syntax
reset gdoi ks [ group group-name ]
Views
User view
Default command level
2: System level
Parameters
group group-name: Specifies a GDOI KS group by its name, a case-sensitive string of 1 to 63 characters.
If you do not specify this option, the command clears KS information for all local GDOI KS groups.
Usage guidelines
If GDOI KS redundancy is enabled, executing this command triggers a primary KS election.
Examples
# Clear information about the GDOI KS group abc.
<Sysname> reset gdoi ks group abc
<Sysname> reset gdoi ks members group abc
Examples
# Configure IPsec policy 10 for the GDOI KS group abc, and then reference ACL 3000 for the IPsec
policy.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] ipsec 10
[Sysname-gdoi-ks-group-abc-ipsec-10] security acl 3000
[Sysname-gdoi-ks-group-abc-ipsec-10]
Related commands
• gdoi ks group
• ipsec
source address
Use source address to specify the source address for packets sent by the KS.
Use undo source address to delete the source address specified for the KS.
Syntax
source address ip-address
undo source address
Default
No source address is specified. The KS uses the source address specified in the first rule of the rekey ACL
as the source address of sent packets.
Views
GDOI KS group view
Default command level
2: System level
Parameters
ip-address: Specifies any valid IPv4 address.
Usage guidelines
Perform this task to specify the source address for GROUPKEY-PUSH protocol packets and redundancy
protocol packets sent by the KS.
Examples
# Specify the source address for the GDOI KS group abc as 11.1.1.1.
<Sysname> system-view
[Sysname] gdoi ks group abc
[Sysname-gdoi-ks-group-abc] source address 11.1.1.1
Related commands
• gdoi ks group
• rekey acl
• rekey transport unicast
• redundancy
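How the source and destination of multicast rekey messages are resolved from the rekey ACL and the source address command, following the usage guidelines of rekey acl and the default stated for source address. This is an added example written for this page, not Comware code: the rule-text parser accepts the rule format the display commands on this page print, taking the destination from the first rule is an assumption, and the ACL rules and addresses are constructed.

```python
"""Source/destination resolution for multicast rekey messages.

Added example, not Comware code. Rules are given in the text form printed
by the display commands on this page, e.g.
    rule 0 permit ip source 1.1.1.2 0 destination 2.2.2.3 0
Rules the page states: a multicast rekey needs a rekey ACL; the source
address command wins when configured, otherwise the first rule must carry a
source; the permit/deny keyword is ignored.
"""
import re
from typing import Dict, List, Optional

RULE_RE = re.compile(
    r"^rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+source\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<src_wc>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_wc>\S+))?\s*$"
)


def parse_rule(line: str) -> Dict[str, Optional[str]]:
    """Split one ACL rule line into its fields; absent clauses are None."""
    match = RULE_RE.match(line.strip())
    if match is None:
        raise ValueError("unrecognised rule text: %r" % line)
    return match.groupdict()


def multicast_rekey_endpoints(rekey_acl: List[str],
                              source_address: Optional[str] = None) -> Dict[str, str]:
    """Return {"source": ..., "destination": ...} for multicast rekey messages.

    Raises ValueError in the cases where the KS could not generate the KEK or
    send rekeys: no rekey ACL, or no usable source address.
    """
    if not rekey_acl:
        raise ValueError("multicast rekey requires a rekey ACL")
    first = parse_rule(rekey_acl[0])      # only the first rule decides the addresses
    # first["action"] is deliberately never consulted: the KS ignores permit/deny.
    source = source_address or first["src"]
    if source is None:
        raise ValueError("configure source address or put a source in the first rekey ACL rule")
    if first["dst"] is None:
        raise ValueError("first rekey ACL rule carries no destination (assumed required)")
    return {"source": source, "destination": first["dst"]}


# Constructed rekey ACL; note the deny keyword, which the KS ignores.
CONSTRUCTED_REKEY_ACL = [
    "rule 0 deny ip source 11.1.1.1 0 destination 230.1.1.1 0",
    "rule 1 permit ip",
]

if __name__ == "__main__":
    print(multicast_rekey_endpoints(CONSTRUCTED_REKEY_ACL))
    print(multicast_rekey_endpoints(CONSTRUCTED_REKEY_ACL, source_address="12.1.1.1"))
```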
GM configuration commands
client registration interface
Use client registration interface to specify a registration interface for the GM in a GDOI GM group. The
GM uses the registration interface to send packets to the KS.
Use undo client registration interface to delete the registration interface specified for the GM.
Syntax
client registration interface interface-type interface-number
undo client registration interface
Default
The registration interface of a GM is the output interface of the route from the GM to the KS.
Views
GDOI GM group view
Default command level
2: System level
Parameters
interface-type interface-number: Specifies a registration interface by the interface type and number.
Examples
# In GDOI GM group abc, specify interface Ethernet 1/1 as the registration interface for the GM.
<Sysname> system-view
[Sysname] gdoi gm group abc
[Sysname-gdoi-gm-group-abc] client registration interface ethernet 1/1
Related commands
gdoi gm group
display gdoi gm
Use display gdoi gm to display GDOI GM group information, including GDOI configuration parameters,
negotiation parameters, and the IPsec information obtained after successful registrations.
Syntax
display gdoi gm [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group group-name: Displays information about the specified GDOI GM group. The group-name
argument represents the GDOI GM group name, a case-sensitive string of 1 to 63 characters. If you do
not specify this option, the command displays information about all GDOI GM groups.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display information about all GDOI GM groups.
<Sysname> display gdoi gm
Group Name: GDOI-GROUP1
Rekeys Cumulative
Total received : 5
After latest registration: 3
Rekey received (hh:mm:ss): 00:02:11
KEK Policy:
Rekey transport type : Multicast
Lifetime (sec) : 159
Encrypt algorithm : AES
Key size : 128
Sig hash algorithm : SHA1
Sig key length (bit) : 1024
TEK Policy:
Interface Ethernet1/1:
IPsec SA:
SPI: 0x9AE5951E(2598737182)
Transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA timing:
remaining key lifetime (sec): 190
Anti-replay detection: Disabled
IPsec SA:
SPI: 0x12C55CFF(314924287)
Transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA timing:
remaining key lifetime (sec): 402
Anti-replay detection: Disabled
Field Description
Group Name GDOI GM group name.
Last rekey seq num Sequence number of the last received rekey message.
Field Description
Multicast rekeys received Number of multicast rekeys received. This field is displayed only when the GDOI GM group is a multicast group.
Field Description
anti-replay window size(time based) Time-based anti-replay window size, in seconds. This field is displayed only when anti-replay detection is enabled.
rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255
# Display the ACL information that GMs downloaded from the KS.
<Sysname> display gdoi gm acl download
Group Name: abc
ACL Downloaded From KS 12.1.1.100:
rule 0 permit ip
rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255
Field Description
Group Name GDOI GM group name.
rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255 Indicates that IPsec protects IP packets whose source and destination addresses are within subnet 12.1.1.0/24.
Parameters
group group-name: Displays IPsec SA information obtained by GMs of a GDOI GM group. The
group-name argument is the GDOI GM group name, a case-sensitive string of 1 to 63 characters. If you
do not specify this option, the command displays IPsec SA information obtained by all GMs.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display IPsec SA information obtained by all GMs.
<Sysname> display gdoi gm ipsec sa
SA created for group abc:
Interface Ethernet0/0;
Interface Ethernet0/1:
IPsec SA:
SPI: 0x9AE5951E(2598737182)
Transform: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
SA timing:
remaining key lifetime (sec): 12
Anti-replay detection: Disabled
Field Description
Interface Name of the interface bound to the IPsec SA.
remaining key lifetime (sec) Remaining lifetime of the IPsec SA, in seconds.
display gdoi gm members
Use display gdoi gm members to display brief information about GMs.
Syntax
display gdoi gm members [ group group-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
group group-name: Displays brief GM information for a GDOI GM group. The group-name argument
is the GDOI GM group name, a case-sensitive string of 1 to 63 characters. If you do not specify this
option, the command displays brief information about all GMs.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display brief information about all GMs.
<Sysname> display gdoi gm members
Group Member Information For Group GDOI-GROUP1:
IPsec SA Direction : Both
Field Description
IPsec SA Direction IPsec SA direction: Both or Inbound (not supported at present).
Field Description
Group Member IP address of the GM.
Last rekey seq num Sequence number of the last received rekey message.
Parameters
group group-name: Displays the public key information received by GMs of a GDOI GM group. The
group-name argument is the GDOI GM group name, a case-sensitive string of 1 to 63 characters. If you
do not specify this option, the command displays the public key information received by all GMs.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the public key information received by all GMs.
<Sysname> display gdoi gm pubkey
Group Name: GDOI-GROUP1
KS IPv4 Address: 90.1.1.1
Conn-ID: 2044 My Cookie: 7C9CB398 His Cookie: 4E54C7EA
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00BB0F5B
6B5788E7 6220C0C1 C4BCAAD7 D81322FF 7DB9436E 46E308DA D589243B 64946D2D
FC502F64 7F38DDF5 E999F8F7 4A247508 9AF7765B F0B080AC 11CC08E4 B48A976F
D3721818 B66201F0 BD1987BE DD28D533 C38E7D42 939D2B71 3FAAA17A 128DF862
E45C531D A0C8593E D7D602E9 7A7E675A 94AF6B25 2972CF85 94E601BD 19020301
0001
Field Description
Group Name GDOI GM group name.
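The Key Data field in the output above is the DER-encoded SubjectPublicKeyInfo of the public key received from the KS. The following Python script is an added example, not part of the HP documentation or of the Comware software: it parses that hex dump offline with a minimal DER reader, reports the key's modulus length and public exponent, and compares the modulus length against the 2048-bit RSA requirement stated under fips mode enable. It assumes the key is an rsaEncryption key, which is what the OID 1.2.840.113549.1.1.1 embedded in the dump identifies; the constant and function names are the example's own.

```python
"""Decode the Key Data hex dump shown by 'display gdoi gm pubkey'.

The dump is a DER-encoded SubjectPublicKeyInfo (RFC 5280). Added example,
not part of the HP documentation; standard library only.
"""
import re

# Key Data copied from the display output above.
KEY_DATA_HEX = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00BB0F5B
6B5788E7 6220C0C1 C4BCAAD7 D81322FF 7DB9436E 46E308DA D589243B 64946D2D
FC502F64 7F38DDF5 E999F8F7 4A247508 9AF7765B F0B080AC 11CC08E4 B48A976F
D3721818 B66201F0 BD1987BE DD28D533 C38E7D42 939D2B71 3FAAA17A 128DF862
E45C531D A0C8593E D7D602E9 7A7E675A 94AF6B25 2972CF85 94E601BD 19020301
0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1
FIPS_RSA_MODULUS_BITS = 2048  # RSA modulus length required in FIPS mode (see fips mode enable)

SEQUENCE, INTEGER, BIT_STRING, OID = 0x30, 0x02, 0x03, 0x06


def _read_tlv(der, pos, expected_tag):
    """Parse the DER tag-length-value starting at pos.

    Returns (value_start, value_end). Raises ValueError on a wrong tag,
    an unsupported length form, or a length that overruns the buffer.
    """
    if pos + 1 >= len(der) or der[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02X} at offset {pos}")
    length = der[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        num_octets = length & 0x7F
        if num_octets == 0 or num_octets > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(der[pos:pos + num_octets], "big")
        pos += num_octets
    if pos + length > len(der):
        raise ValueError("DER length overruns the key data")
    return pos, pos + length


def parse_key_data(hex_dump):
    """Return the RSA parameters carried in a Key Data dump as a dict."""
    der = bytes.fromhex(re.sub(r"\s+", "", hex_dump))

    spki_start, spki_end = _read_tlv(der, 0, SEQUENCE)          # SubjectPublicKeyInfo
    if spki_end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg_start, alg_end = _read_tlv(der, spki_start, SEQUENCE)   # AlgorithmIdentifier
    oid_start, oid_end = _read_tlv(der, alg_start, OID)
    if der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("key is not rsaEncryption")
    bits_start, _ = _read_tlv(der, alg_end, BIT_STRING)         # subjectPublicKey
    if der[bits_start] != 0:
        raise ValueError("unexpected unused-bits count in BIT STRING")
    key_start, _ = _read_tlv(der, bits_start + 1, SEQUENCE)     # RSAPublicKey
    n_start, n_end = _read_tlv(der, key_start, INTEGER)         # modulus
    e_start, e_end = _read_tlv(der, n_end, INTEGER)             # publicExponent

    modulus = int.from_bytes(der[n_start:n_end], "big")
    exponent = int.from_bytes(der[e_start:e_end], "big")
    return {
        "algorithm": "rsaEncryption",
        "modulus_bits": modulus.bit_length(),
        "exponent": exponent,
        "fips_modulus_ok": modulus.bit_length() == FIPS_RSA_MODULUS_BITS,
    }


if __name__ == "__main__":
    info = parse_key_data(KEY_DATA_HEX)
    print(f"{info['algorithm']}: {info['modulus_bits']}-bit modulus, e={info['exponent']}, "
          f"2048-bit FIPS requirement met: {info['fips_modulus_ok']}")
```

For the dump shown in the example the parser reports a 1024-bit modulus with exponent 65537, so this KS key would not satisfy the 2048-bit RSA modulus requirement that applies once the router is in FIPS mode; the same check can be run on any Key Data dump copied from the command output.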
Parameters
verbose: Displays the detailed rekey information for GMs. If you do not specify this keyword, the
command displays the brief rekey information for GMs.
group group-name: Displays rekey information for GMs of a GDOI GM group. The group-name
argument is the GDOI GM group name, a case-sensitive string of 1 to 63 characters. If you do not specify
this option, the command displays rekey information for all GMs.
|: Filters command output by specifying a regular expression. For more information about regular
expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display brief rekey information for all GMs.
<Sysname> display gdoi gm rekey
Group Name: abc (Unicast)
Number of rekeys received (cumulative) : 9
Number of rekeys received after registration : 9
Number of rekey ACKs sent : 105
Field Description
Group Name GDOI GM group name.
Multicast destination address Multicast destination address of the rekey messages.
gdoi gm group
Use gdoi gm group to create a GDOI GM group and enter GDOI GM group view.
Use undo gdoi gm group to delete a GDOI GM group.
Syntax
gdoi gm group group-name
undo gdoi gm group group-name
Default
No GDOI GM group exists.
Views
System view
Default command level
2: System level
Parameters
group-name: Specifies a name for the GDOI GM group, a case-sensitive string of 1 to 63 characters.
Usage guidelines
A GDOI GM group includes the information that the GM uses to register with a KS, such as the group ID,
KS address, and registration interface.
The device supports a maximum of 64 GDOI GM groups.
Examples
# Create a GDOI GM group named abc, and enter its view.
<Sysname> system-view
[Sysname] gdoi gm group abc
[Sysname-gdoi-gm-group-abc]
Related commands
display gdoi gm
group
Use group to specify the GDOI GM group to be referenced by the GDOI IPsec policy.
Use undo group to remove the GDOI GM group referenced by the GDOI IPsec policy.
Syntax
group group-name
undo group
Default
A GDOI IPsec policy does not reference any GDOI GM group.
Views
GDOI IPsec policy entry view
Default command level
2: System level
Parameters
group-name: Specifies the name of a GDOI GM group, a case-sensitive string of 1 to 63 characters. The
group must already exist.
Usage guidelines
A GDOI IPsec policy can reference only one GDOI GM group. If you execute this command multiple
times, the most recent configuration takes effect.
GDOI IPsec policy entries of different GDOI IPsec policies can reference the same GDOI GM group, but
entries of the same GDOI IPsec policy cannot.
Examples
# Configure a GDOI IPsec policy entry and enter its view. The IPsec policy name is map and the entry
sequence number is 1.
<Sysname> system-view
[Sysname] ipsec policy map 1 gdoi
# Reference GDOI GM group abc for the GDOI IPsec policy entry.
[Sysname-ipsec-policy-gdoi-map-1] group abc
Related commands
gdoi gm group
identity
Use identity to configure an ID for the GDOI GM group.
Use undo identity to delete the GDOI GM group ID.
Syntax
identity { address ip-address | number number }
undo identity
Default
No ID is configured for a GDOI GM group.
Views
GDOI GM group view
Default command level
2: System level
Parameters
address ip-address: Specifies any valid IPv4 address to identify the GDOI GM group.
number number: Specifies a number in the range of 0 to 2147483647 to identify the GDOI GM group.
Usage guidelines
You can configure only one type of ID (either an IP address or a number) for a GDOI GM group. If you
execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the ID of GDOI GM group abc to 123456.
<Sysname> system-view
[Sysname] gdoi gm group abc
[Sysname-gdoi-gm-group-abc] identity number 123456
Related commands
display gdoi gm
reset gdoi gm
Use reset gdoi gm to clear GDOI information that GMs downloaded from a KS, including the IKE SA,
rekey SA, IPsec SA, and ACL, and trigger the GMs to re-register with the KS.
Syntax
reset gdoi gm [ group group-name ]
Views
User view
Default command level
2: System level
Parameters
group group-name: Clears the GDOI information for GMs in a GDOI GM group. The group-name
argument specifies the name of a GDOI GM group, a case-sensitive string of 1 to 63 characters. If you
do not specify this option, the command clears the GDOI information for all GMs.
Examples
# Clear the GDOI information for all GMs, and trigger the GMs to re-register with the KS.
<Sysname> reset gdoi gm
# Clear the GDOI information for GMs in GDOI GM group abc, and trigger the GMs to re-register with
the KS.
<Sysname> reset gdoi gm group abc
Related commands
display gdoi gm
server address
Use server address to specify the IP address of the KS with which a GM will register itself.
Use undo server address to delete the specified KS IP address.
Syntax
server address ip-address
undo server address ip-address
Default
No KS IP address is specified.
Views
GDOI GM group view
Default command level
2: System level
Parameters
ip-address: Specifies the IP address of the KS.
Usage guidelines
You must specify KSs for GMs in a GDOI GM group.
A GDOI GM group can have up to eight KS addresses. A GM first sends a registration request to the
first-specified KS. If the registration does not succeed before the register timer expires, the GM registers
with other KSs one by one in the order they are configured until the registration succeeds. If all
registration attempts fail, the GM repeats the registration process.
Examples
# Specify two KS addresses, 3.3.3.3 and 3.3.3.4, for GDOI GM group abc.
<Sysname> system-view
[Sysname] gdoi gm group abc
[Sysname-gdoi-gm-group-abc] server address 3.3.3.3
[Sysname-gdoi-gm-group-abc] server address 3.3.3.4
Related commands
display gdoi gm
FIPS commands
MSR93X No
MSR20-1X No
MSR20 Yes
MSR50 Yes
MSR1000 Yes
Related commands
fips mode enable
Default
The FIPS mode is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The FIPS mode complies with FIPS 140-2.
To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure a username and password used to log in to the device.
The password must include at least 10 characters and must contain uppercase and lowercase
letters, digits, and special characters.
4. Set the user level to 3, and the service type to Terminal or Web.
5. Delete all MD5-based digital certificates.
6. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
7. Save the configuration.
Before the device reboots, you must perform the following operations:
8. Configure a username and password used to log in to the device.
The password must include at least 6 characters and must contain uppercase and lowercase letters,
digits, and special characters.
9. Delete all MD5-based digital certificates.
10. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
Save the configuration and reboot the router. After the reboot, the router is working in FIPS 140-2 mode.
For CC certification, this is equivalent to operating according to the CC standard.
When the system enters the FIPS mode, the following changes occur:
• The FTP/TFTP server is disabled.
• The Telnet server is disabled.
• The HTTP server is disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.
• RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus
length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
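Steps 2 through 6 above are checks an administrator can run before entering fips mode enable, so that the reboot does not end with a device that cannot be logged in to. The following Python script is an added example, not part of the HP documentation or of the Comware software: it validates a candidate login password against the composition rule in step 3 and reports which of the certificate, key-pair and user requirements are still unmet. The device inventory (the LocalUser, Certificate and KeyPair records and the SAMPLE_* lists) is constructed for the example and would in practice be filled in from the output of display local-user, display pki certificate and display public-key local public; the service-type strings are the example's own.

```python
"""Pre-flight checks for the FIPS mode entry steps listed above.

Added example, not part of the HP documentation. The inventory below is
constructed by hand; on a real router it would be filled in from
display local-user, display pki certificate and display public-key local public.
"""
import re
from dataclasses import dataclass

PASSWORD_MIN_LENGTH = 10                      # step 3
REQUIRED_USER_LEVEL = 3                       # step 4
ALLOWED_SERVICE_TYPES = {"terminal", "web"}   # step 4 (names assumed for the example)
DSA_MIN_MODULUS_BITS = 1024                   # step 6


@dataclass(frozen=True)
class LocalUser:
    name: str
    level: int
    service_types: frozenset


@dataclass(frozen=True)
class Certificate:
    domain: str
    signature_algorithm: str  # as printed in the certificate, e.g. md5WithRSAEncryption


@dataclass(frozen=True)
class KeyPair:
    algorithm: str    # "rsa" or "dsa"
    modulus_bits: int


def password_meets_fips_policy(password):
    """Step 3: at least 10 characters containing upper, lower, digit and special characters."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(password) >= PASSWORD_MIN_LENGTH and all(re.search(p, password) for p in classes)


def fips_readiness_issues(users, certificates, key_pairs):
    """Return the items still blocking the switch to FIPS mode (an empty list means ready)."""
    issues = []
    # Step 4: at least one login user at level 3 with service type terminal or web.
    if not any(u.level == REQUIRED_USER_LEVEL and u.service_types & ALLOWED_SERVICE_TYPES
               for u in users):
        issues.append("no level-3 login user with service type terminal or web")
    # Step 5: MD5-based certificates must be deleted.
    for cert in certificates:
        if "md5" in cert.signature_algorithm.lower():
            issues.append(f"certificate in PKI domain {cert.domain} is MD5-signed")
    # Step 6: all RSA key pairs, and DSA key pairs shorter than 1024 bits, must be deleted.
    for key in key_pairs:
        if key.algorithm == "rsa":
            issues.append(f"RSA key pair ({key.modulus_bits} bits) still present")
        elif key.algorithm == "dsa" and key.modulus_bits < DSA_MIN_MODULUS_BITS:
            issues.append(f"DSA key pair ({key.modulus_bits} bits) is shorter than "
                          f"{DSA_MIN_MODULUS_BITS} bits")
    return issues


# Constructed inventory of a router that has not been prepared yet.
SAMPLE_USERS = [
    LocalUser("fipsadmin", 3, frozenset({"terminal"})),
    LocalUser("netops", 2, frozenset({"ssh"})),
]
SAMPLE_CERTIFICATES = [Certificate("lab-ca", "md5WithRSAEncryption")]
SAMPLE_KEY_PAIRS = [KeyPair("rsa", 1024), KeyPair("dsa", 512), KeyPair("dsa", 2048)]

if __name__ == "__main__":
    for candidate in ("Fips-Mode-2024!", "Short1!"):
        print(f"{candidate!r} acceptable: {password_meets_fips_policy(candidate)}")
    for issue in fips_readiness_issues(SAMPLE_USERS, SAMPLE_CERTIFICATES, SAMPLE_KEY_PAIRS):
        print("TODO:", issue)
```

On the constructed inventory the checker reports three remaining items (the MD5-signed certificate, the RSA key pair and the 512-bit DSA key pair); the 2048-bit DSA key pair and the level-3 terminal user already satisfy steps 4 and 6. The password check is written for the 10-character rule of step 3; the 6-character figure in step 8 can be substituted by changing PASSWORD_MIN_LENGTH.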
Examples
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
[Sysname] FIPS mode change requires a device reboot. Continue?[Y/N]:y
Change the configuration to meet FIPS mode requirements, save the configuration
to the next-startup configuration file, and then reboot to enter FIPS mode.
Related commands
display fips status
fips self-test
Use the fips self-test command to trigger a self-test on the cryptographic algorithms.
Syntax
fips self-test
Views
System view
Default command level
3: Manage level
Usage guidelines
To examine whether the cryptography modules operate correctly, you can use this command to trigger a
self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test.
If the self-test fails, the router automatically reboots.
Examples
# Trigger a self-test on the cryptographic algorithms.
<Sysname> system-view
[Sysname] fips self-test
Self-tests are running. Please wait...
Self-tests succeeded.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website:
http://www.hp.com/support
Before contacting HP, collect the following information:
• Product model names and numbers
• Technical support registration number (if applicable)
• Product serial numbers
• Error messages
• Operating system type and revision level
• Detailed questions
Subscription service
HP recommends that you register your product at the Subscriber's Choice for Business website:
http://www.hp.com/go/wwalerts
After registering, you will receive email notification of product enhancements, new driver versions,
firmware updates, and other product resources.
Related information
Documents
To find related documents, browse to the Manuals page of the HP Business Support Center website:
http://www.hp.com/support/manuals
• For related documentation, navigate to the Networking section, and select a networking category.
• For a complete list of acronyms and their definitions, see HP FlexNetwork Technology Acronyms.
Websites
• HP.com http://www.hp.com
• HP Networking http://www.hp.com/go/networking
• HP manuals http://www.hp.com/support/manuals
• HP download drivers and software http://www.hp.com/support/downloads
• HP software depot http://www.software.hp.com
• HP Education http://www.hp.com/learn
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[ ] Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
&<1-n> The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
GUI conventions
Convention Description
Boldface Window names, button names, field names, and menu items are in bold text. For example, the New User window appears; click OK.
> Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Convention Description
WARNING An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
Network topology icons
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports
Layer 2 forwarding and other Layer 2 features.
Index
A
aaa nas-id profile,1
access-limit,42
access-limit enable,2
access-user detect,350
accounting command,2
accounting default,3
accounting dvpn,4
accounting lan-access,5
accounting login,6
accounting optional,7
accounting portal,8
accounting ppp,9
accounting ssl-vpn,10
accounting voip,11
accounting-on enable,56
address,267
aging-time,401
ah authentication-algorithm,179
arp anti-attack active-ack enable,471
arp anti-attack source-mac,467
arp anti-attack source-mac aging-time,468
arp anti-attack source-mac exclude-mac,468
arp anti-attack source-mac threshold,469
arp anti-attack valid-ack enable,470
arp fixup,472
arp scan,472
arp source-suppression enable,465
arp source-suppression limit,465
aspf-policy,402
attack-defense apply policy,480
attack-defense policy,480
attribute,306
attribute 25 car,57
authentication (ikev2 profile view),267
authentication default,12
authentication dvpn,13
authentication lan-access,14
authentication login,15
authentication portal,16
authentication ppp,17
authentication ssl-vpn,18
authentication super,19
authentication voip,19
authentication-algorithm,239
authentication-method,240
authorization command,20
authorization default,21
authorization dvpn,22
authorization lan-access,23
authorization login,25
authorization portal,26
authorization ppp,27
authorization ssl-vpn,28
authorization voip,29
authorization-attribute (local user view/user group view),43
authorization-attribute (RADIUS-server user view),114
authorization-attribute user-profile,30
B
bind-attribute,45
blacklist enable,481
blacklist ip,482
bye,423
C
ca identifier,307
cd,423
cdup,424
certificate domain,240
certificate request entity,308
certificate request from,308
certificate request mode,309
certificate request polling,310
certificate request url,311
ciphersuite,448
client configuration address respond,269
client registration interface,574
client-verify enable,449
client-verify weaken,450
close-mode wait,451
common-name,311
connect auto,269
connection-limit default action,514
connection-limit default amount,514
connection-limit policy,515
connection-name,180
country,312
crl check,313
crl update-period,313
crl url,314
cryptoengine enable,180
cut connection,30
D
data-flow-format (HWTACACS scheme view),91
data-flow-format (RADIUS scheme view),58
defense icmp-flood action drop-packet,483
defense icmp-flood enable,483
defense icmp-flood ip,484
defense icmp-flood rate-threshold,485
defense scan add-to-blacklist,486
defense scan blacklist-timeout,487
defense scan enable,488
defense scan max-rate,488
defense syn-flood action,489
defense syn-flood enable,490
defense syn-flood ip,490
defense syn-flood rate-threshold,492
defense udp-flood action drop-packet,493
defense udp-flood enable,493
defense udp-flood ip,494
defense udp-flood rate-threshold,495
delete,424
description (RADIUS-server user view),115
detect,403
dh,241
dir,424
display arp anti-attack source-mac,469
display arp source-suppression,466
display aspf all,404
display aspf interface,405
display aspf policy,406
display aspf session,407
display attack-defense policy,496
display attack-defense statistics interface,499
display blacklist,501
display connection,32
display connection-limit policy,516
display connection-limit statistics,516
display domain,33
display dot1x,119
display fips status,589
display firewall ethernet-frame-filter,390
display firewall ipv6 statistics,391
display firewall-statistics,392
display flow-statistics statistics,503
display flow-statistics statistics interface,504
display gdoi gm,574
display gdoi gm acl,578
display gdoi gm ipsec sa,579
display gdoi gm members,581
display gdoi gm pubkey,582
display gdoi gm rekey,583
display gdoi ks,549
display gdoi ks acl,551
display gdoi ks members,552
display gdoi ks policy,554
display gdoi ks redundancy,555
display gdoi ks rekey,556
display habp,542
display habp table,543
display habp traffic,543
display hwtacacs,91
display ike dpd,242
display ike peer,243
display ike proposal,244
display ike sa,245
display ikev2 policy,270
display ikev2 profile,271
display ikev2 proposal,272
display ikev2 sa,274
display ikev2 statistics,276
display ip source binding,474
display ipsec policy,181
display ipsec policy-template,185
display ipsec profile,187
display ipsec sa,190
display ipsec session,191
display ipsec statistics,193
display ipsec transform-set,194
display ipsec tunnel,196
display local-user,46
display mac-authentication,146
display nat connection-limit,518
display password-control,522
display password-control blacklist,524
display pki certificate,314
display pki certificate access-control-policy,316
display pki certificate attribute-group,317
display pki crl domain,318
display portal acl,351
display portal connection statistics,353
display portal free-rule,356
display portal interface,357
display portal local-server,358
display portal server,359
display portal server statistics,360
display portal tcp-cheat statistics,363
display portal user,365
display port-mapping,409
display port-security,156
display port-security mac-address block,158
display port-security mac-address security,160
display port-security preshared-key user,162
display public-key local public,332
display public-key peer,334
display radius scheme,59
display radius statistics,61
display sftp client source,425
display ssh client source,426
display ssh server,413
display ssh server-info,427
display ssh user-information,415
display ssl client-policy,451
display ssl server-policy,452
display stop-accounting-buffer (for HWTACACS),95
display stop-accounting-buffer (for RADIUS),64
display tcp status,510
display user-group,48
display user-profile,462
Documents,592
domain,35
domain default enable,36
domain if-unknown,37
dot1x,122
dot1x authentication-method,124
dot1x auth-fail vlan,125
dot1x critical recovery-action,127
dot1x critical vlan,126
dot1x domain-delimiter,127
dot1x free-ip,143
dot1x guest-vlan,128
dot1x handshake,130
dot1x handshake secure,130
dot1x mandatory-domain,131
dot1x max-user,132
dot1x multicast-trigger,133
dot1x port-control,134
dot1x port-method,135
dot1x quiet-period,136
dot1x re-authenticate,137
dot1x retry,137
dot1x supp-proxy-check,138
dot1x timer,139
dot1x timer ead-timeout,144
dot1x unicast-trigger,141
dot1x url,145
dpd,249
dpd (IKEv2 profile view),277
E
encapsulation-mode,197
encryption,278
encryption-algorithm,249
esn enable,198
esp authentication-algorithm,199
esp encryption-algorithm,200
exchange-mode,250
exit,427
expiration-date (local user view),49
expiration-date (RADIUS-server user view),115
F
fips mode enable,589
fips self-test,591
firewall aspf,410
firewall default,393
firewall enable,394
firewall ethernet-frame-filter,394
firewall fragments-inspect,395
firewall fragments-inspect { high | low },396
firewall ipv6 default,397
firewall ipv6 enable,397
firewall ipv6 fragments-inspect,398
firewall packet-filter,398
firewall packet-filter ipv6,399
flow-statistics enable,505
fqdn,319
G
gdoi gm group,585
gdoi ks group,558
gdoi ks redundancy port,558
gdoi ks rekey,559
get,428
group,586
group,50
group (ikev2 proposal view),279
H
habp client vlan,544
habp enable,545
habp server vlan,545
habp timer,546
I
ike proposal,255
ike sa keepalive-timer interval,255
ike sa keepalive-timer timeout,256
ike sa nat-keepalive-timer interval,257
ike-peer (IPsec policy view/IPsec policy template view/IPsec profile view),201
ikev2 { ip-pool | ipv6-pool },283
ikev2 cookie-challenge,284
ikev2 dpd,284
ikev2 keyring,285
ikev2 limit,286
ikev2 policy,287
ikev2 profile (IPsec policy view/IPsec policy template view/IPsec profile view),202
ikev2 profile (system view),288
ikev2 proposal,289
integrity,291
interval-time,257
ip (PKI entity view),320
ip pool,39
ip source binding,476
ip urpf,547
ip verify source,477
ip verify source max-entries,478
ip-mask,292
ip-pool,293
ipsec,561
ipv6-mask,293
ipv6-pool,294
K
key (HWTACACS scheme view),97
key (RADIUS scheme view),66
keyring,295
L
ldap-server,320
lifetime,295
limit acl,519
local,258
local priority,562
local-address,258
local-address,216
locality,321
local-name,259
local-user,51
log enable,410
ls,429
M
mac-authentication,148
mac-authentication domain,149
mac-authentication host-mode multi-vlan,150
mac-authentication max-user,151
mac-authentication timer,151
mac-authentication timer auth-delay,152
mac-authentication user-name-format,153
match,296
match address local,298
mkdir,430
N
nas-id bind vlan,40
nas-ip (HWTACACS scheme view),98
nas-ip (RADIUS scheme view),67
nat connection-limit-policy,520
nat keepalive,298
nat traversal,260
O
organization,322
organization-unit,322
P
password,525
password (local user view),52
password (RADIUS-server user view),116
password-control { aging | composition | history | length } enable,526
password-control aging,527
password-control alert-before-expire,528
password-control authentication-timeout,529
password-control complexity,529
password-control composition,530
password-control enable,531
password-control expired-user-login,532
password-control history,533
password-control length,533
password-control login idle-time,534
password-control login-attempt,535
password-control password update interval,537
password-control super aging,537
password-control super composition,538
password-control super length,539
peer,260
peer (IKEv2 keyring view),299
peer address,563
peer-public-key end,335
pfs,217
pki certificate access-control-policy,323
pki certificate attribute-group,323
pki delete-certificate,324
pki domain,324
pki domain (IKEv2 profile view),300
pki entity,325
pki import-certificate,326
pki request-certificate domain,326
pki retrieval-certificate,327
pki retrieval-crl domain,328
pki validate-certificate,328
pki-domain,454
policy enable,218
portal auth-network,366
portal auth-network destination,367
portal delete-user,368
portal domain,368
portal free-rule,369
portal local-server,370
portal local-server bind,371
portal local-server enable,372
portal local-server ip,373
portal max-user,374
portal move-mode auto,375
portal nas-id-profile,376
portal nas-ip,377
portal nas-port-id,377
portal nas-port-type,378
portal offline-detect interval,379
portal redirect-url,379
portal server,380
portal server banner,381
portal server method,382
portal server server-detect,383
portal server user-sync,385
portal web-proxy port,386
port-mapping,411
port-security authorization ignore,163
port-security enable,163
port-security intrusion-mode,164
port-security mac-address aging-type inactivity,165
port-security mac-address dynamic,166
port-security mac-address security,166
port-security max-mac-count,168
port-security ntk-mode,169
port-security oui,170
port-security port-mode,171
port-security preshared-key,175
port-security timer autolearn aging,174
port-security timer disableport,176
port-security trap,177
port-security tx-key-type 11key,178
prefer-cipher,455
pre-shared-key,261
pre-shared-key (IKEv2 peer view),301
prf (IKEv2 proposal view),302
primary accounting (HWTACACS scheme view),99
primary accounting (RADIUS scheme view),68
primary authentication (HWTACACS scheme view),101
primary authentication (RADIUS scheme view),69
primary authorization,102
profile (GDOI KS group IPsec policy view),563
proposal (IKE peer view),262
proposal (IKEv2 policy view),303
public-key local create,337
public-key local destroy,339
public-key local export,340
public-key local export public dsa,341
public-key local export public rsa,343
public-key local import,344
public-key peer,345
public-key peer import sshkey,346
public-key rsa,346
public-key-code begin,336
public-key-code end,336
put,430
pwd,430
Q
qos pre-classify,219
quit,431
R
radius client,71
radius nas-ip,72
radius scheme,73
radius trap,74
radius-server client-ip,117
radius-server user,118
redundancy enable,564
redundancy hello,565
redundancy retransmit,566
rekey acl,567
rekey authentication,567
rekey encryption,568
rekey lifetime,569
rekey retransmit,569
rekey transport unicast,570
remote-address,262
remote-address,219
remote-name,263
remove,431
rename,432
reset aspf session,412
reset attack-defense statistics interface,506
reset dot1x statistics,141
reset firewall ethernet-frame-filter,400
reset firewall ipv6 statistics,400
reset firewall-statistics,401
reset gdoi gm,587
reset gdoi ks,571
reset gdoi ks members,571
reset gdoi ks redundancy role,572
reset hwtacacs statistics,103
reset ike sa,264
reset ikev2 sa,304
reset ikev2 statistics,304
reset ipsec sa,220
reset ipsec session,221
reset ipsec statistics,222
reset mac-authentication statistics,154
reset password-control blacklist,539
reset password-control history-record,540
reset portal connection statistics,387
reset portal server statistics,387
reset portal tcp-cheat statistics,388
reset radius statistics,75
reset stop-accounting-buffer (for HWTACACS),104
reset stop-accounting-buffer (for RADIUS),75
retry,76
retry realtime-accounting,77
retry stop-accounting (HWTACACS scheme view),104
retry stop-accounting (RADIUS scheme view),78
reverse-route,222
reverse-route preference,226
reverse-route tag,226
rmdir,432
root-certificate fingerprint,329
rsh,348
rule (PKI CERT ACP view),330
S
sa authentication-hex,227
sa duration,228
sa duration,265
sa encryption-hex,229
sa spi,230
sa string-key,232
scp,433
secondary accounting (HWTACACS scheme view),105
secondary accounting (RADIUS scheme view),78
secondary authentication (HWTACACS scheme view),106
secondary authentication (RADIUS scheme view),80
secondary authorization,108
security acl,233
security acl (GDOI KS group IPsec policy view),572
security-policy-server,83
self-service-url enable,40
server address,588
server-type (RADIUS scheme view),83
server-verify enable,456
service-type,53
session,457
session-time include-idle-time,41
sftp,435
sftp client ipv6 source,437
sftp client source,437
sftp ipv6,438
sftp server enable,416
sftp server idle-timeout,417
signature-detect,507
signature-detect action drop-packet,508
signature-detect large-icmp max-length,508
source address,573
ssh client authentication server,440
ssh client first-time enable,441
ssh client ipv6 source,442
ssh client source,442
ssh server authentication-retries,417
ssh server authentication-timeout,418
ssh server compatible-ssh1x enable,419
ssh server enable,419
ssh server rekey-interval,420
ssh user,421
ssh2,443
ssh2 ipv6,445
ssl client-policy,457
ssl server-policy,458
ssl-vpn enable,460
ssl-vpn server-policy,460
state,330
state (ISP domain view),42
state (local user view),54
state primary,84
state secondary,85
stop-accounting-buffer enable (HWTACACS scheme view),109
stop-accounting-buffer enable (RADIUS scheme view),86
Subscription service,592
T
tcp anti-naptha enable,510
tcp state,511
tcp syn-cookie enable,512
tcp timer check-state,512
tfc enable (IPsec policy view/IPsec policy template view/IPsec profile view),234
time-out,266
timer quiet (HWTACACS scheme view),110
timer quiet (RADIUS scheme view),86
timer realtime-accounting (HWTACACS scheme view),111
timer realtime-accounting (RADIUS scheme view),87
timer response-timeout (HWTACACS scheme view),111
timer response-timeout (RADIUS scheme view),88
transform,235
transform-set,236
tunnel local,237
tunnel remote,237
U
user-group,55
user-name-format (HWTACACS scheme view),112
user-name-format (RADIUS scheme view),89
user-profile,463
user-profile enable,462
V
validity-date,55
version,459
vpn-instance (HWTACACS scheme view),113
vpn-instance (RADIUS scheme view),90
W
web-redirect,388
Websites,592
wlan-client-isolation enable,548