HP FlexNetwork MSR Series Installation manual

HPE FlexNetwork MSR Router Series
Comware 7 Security Command Reference
Part number: 5200-3000
Software version: MSR-CMW710-R0413
Document version: 6W102-20170101

© Copyright 2017 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are trademarks of the Microsoft group of companies.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.

Contents
AAA commands
  General AAA commands
    aaa nas-id profile
    aaa session-limit
    accounting advpn
    accounting command
    accounting default
    accounting ipoe
    accounting lan-access
    accounting login
    accounting portal
    accounting ppp
    accounting quota-out
    accounting start-fail
    accounting update-fail
    authentication advpn
    authentication default
    authentication ike
    authentication ipoe
    authentication lan-access
    authentication login
    authentication portal
    authentication ppp
    authentication super
    authorization advpn
    authorization command
    authorization default
    authorization ike
    authorization ipoe
    authorization lan-access
    authorization login
    authorization portal
    authorization ppp
    authorization-attribute (ISP domain view)
    display domain
    domain
    domain default enable
    domain if-unknown
    ita-policy
    nas-id bind vlan
    service-type (ISP domain view)
    session-time include-idle-time
    state (ISP domain view)
    user-address-type
  Local user commands
    access-limit
    authorization-attribute (local user view/user group view)
    bind-attribute
    company
    description
    display local-guest waiting-approval
    display local-user
    display user-group
    email
    full-name
    group
    local-guest auto-delete enable
    local-guest email format
    local-guest email sender
    local-guest email smtp-server
    local-guest generate
    local-guest manager-email
    local-guest send-email
    local-guest timer
    local-user
    local-user-export
    local-user-import
    password
    phone
    reset local-guest waiting-approval
    service-type (local user view)
    sponsor-department
    sponsor-email
    sponsor-full-name
    state (local user view)
    user-group
    validity-datetime
  RADIUS commands
    aaa device-id
    accounting-on enable
    accounting-on extended
    attribute 15 check-mode
    attribute 25 car
    attribute remanent-volume
    client
    data-flow-format (RADIUS scheme view)
    display radius scheme
    display radius statistics
    key (RADIUS scheme view)
    nas-ip (RADIUS scheme view)
    port
    primary accounting (RADIUS scheme view)
    primary authentication (RADIUS scheme view)
    radius dscp
    radius dynamic-author server
    radius nas-ip
    radius scheme
    radius session-control client
    radius session-control enable
    radius-server test-profile
    reset radius statistics
    retry
    retry realtime-accounting
    secondary accounting (RADIUS scheme view)
    secondary authentication (RADIUS scheme view)
    snmp-agent trap enable radius
    state primary
    state secondary
    timer quiet (RADIUS scheme view)
    timer realtime-accounting (RADIUS scheme view)
    timer response-timeout (RADIUS scheme view)
    user-name-format (RADIUS scheme view)
    vpn-instance (RADIUS scheme view)
  HWTACACS commands
    data-flow-format (HWTACACS scheme view)
    display hwtacacs scheme
    hwtacacs nas-ip
    hwtacacs scheme
    key (HWTACACS scheme view)
    nas-ip (HWTACACS scheme view)
    primary accounting (HWTACACS scheme view)
    primary authentication (HWTACACS scheme view)
    primary authorization
    reset hwtacacs statistics
    secondary accounting (HWTACACS scheme view)
    secondary authentication (HWTACACS scheme view)
    secondary authorization
    timer quiet (HWTACACS scheme view)
    timer realtime-accounting (HWTACACS scheme view)
    timer response-timeout (HWTACACS scheme view)
    user-name-format (HWTACACS scheme view)
    vpn-instance (HWTACACS scheme view)
  LDAP commands
    attribute-map
    authentication-server
    authorization-server
    display ldap scheme
    ip
    ipv6
    ldap attribute-map
    ldap scheme
    ldap server
    login-dn
    login-password
    map
    protocol-version
    search-base-dn
    search-scope
    server-timeout
    user-parameters
  ITA policy commands
    accounting-level
    accounting-merge enable
    accounting-method
    ita policy
    traffic-quota-out
    traffic-separate
802.1X commands
  display dot1x
  display dot1x connection
  dot1x
  dot1x authentication-method
  dot1x auth-fail vlan
  dot1x critical vlan
  dot1x domain-delimiter
  dot1x ead-assistant enable
  dot1x ead-assistant free-ip
  dot1x ead-assistant url
  dot1x guest-vlan
  dot1x handshake
  dot1x handshake reply enable
  dot1x handshake secure
  dot1x mandatory-domain
  dot1x max-user
  dot1x multicast-trigger
  dot1x port-control
  dot1x port-method
  dot1x quiet-period
  dot1x re-authenticate
  dot1x re-authenticate server-unreachable keep-online
  dot1x retry
  dot1x smarton
  dot1x smarton password
  dot1x smarton retry
  dot1x smarton switchid
  dot1x smarton timer supp-timeout
  dot1x timer
  dot1x unicast-trigger
  reset dot1x guest-vlan
  reset dot1x statistics
MAC authentication commands
  display mac-authentication
  display mac-authentication connection
  mac-authentication
  mac-authentication carry user-ip
  mac-authentication domain
  mac-authentication host-mode
  mac-authentication max-user
  mac-authentication re-authenticate server-unreachable keep-online
  mac-authentication timer
  mac-authentication timer auth-delay
  mac-authentication user-name-format
  reset mac-authentication statistics
Portal commands········································································· 204
aaa-fail nobinding enable···································································································· 204
aging-time························································································································ 205
app-id ····························································································································· 205
app-key··························································································································· 206
authentication-timeout········································································································ 207
auth-url···························································································································· 208
binding-retry····················································································································· 209
captive-bypass enable········································································································ 209
default-logon-page············································································································· 210
display portal···················································································································· 211
display portal extend-auth-server·························································································· 217
display portal local-binding mac-address················································································ 218
display portal mac-trigger-server ·························································································· 219
display portal packet statistics······························································································ 221
display portal redirect statistics ···························································································· 224
display portal rule·············································································································· 225
display portal safe-redirect statistics······················································································ 235
display portal server··········································································································· 238
display portal user ············································································································· 239
display portal web-server···································································································· 248
display web-redirect rule····································································································· 249
exclude-attribute ··············································································································· 252
free-traffic threshold··········································································································· 254
if-match··························································································································· 255
ip (MAC binding server view)······························································································· 257
ip (portal authentication server view)····················································································· 257
ipv6 ································································································································ 258
local-binding aging-time······································································································ 259
local-binding enable··········································································································· 260
logon-page bind················································································································ 261
mail-protocol ···················································································································· 262
nas-port-type···················································································································· 263
port (MAC binding server view)···························································································· 264
port (portal authentication server view) ·················································································· 264
portal { bas-ip | bas-ipv6 } ··································································································· 265
portal { ipv4-max-user | ipv6-max-user }················································································· 266

portal apply mac-trigger-server ···························································································· 267
portal apply web-server ······································································································ 268
portal authorization strict-checking························································································ 269
portal client-traffic-report interval ·························································································· 270
portal delete-user ·············································································································· 271
portal device-id ················································································································· 271
portal domain ··················································································································· 272
portal enable ···················································································································· 273
portal extend-auth domain··································································································· 274
portal extend-auth-server···································································································· 275
portal fail-permit server······································································································· 276
portal fail-permit web-server ································································································ 277
portal free-all except destination··························································································· 278
portal free-rule·················································································································· 279
portal free-rule destination··································································································· 281
portal free-rule source········································································································ 282
portal host-check enable····································································································· 283
portal ipv6 free-all except destination ···················································································· 284
portal ipv6 layer3 source····································································································· 284
portal ipv6 user-detect········································································································ 285
portal layer3 source ··········································································································· 287
portal local-web-server······································································································· 287
portal mac-trigger-server····································································································· 289
portal max-user················································································································· 289
portal nas-id profile············································································································ 290
portal nas-port-id format ····································································································· 291
portal nas-port-type············································································································ 292
portal outbound-filter enable································································································ 293
portal pre-auth domain ······································································································· 294
portal packet log enable······································································································ 295
portal pre-auth ip-pool········································································································ 296
portal redirect log enable ···································································································· 296
portal refresh enable·········································································································· 297
portal roaming enable ········································································································ 298
portal safe-redirect enable··································································································· 298
portal safe-redirect forbidden-url··························································································· 299
portal safe-redirect method·································································································· 300
portal safe-redirect user-agent····························································································· 301
portal server····················································································································· 302
portal temp-pass enable ····································································································· 303
portal traffic-accounting disable···························································································· 303
portal user-detect ·············································································································· 304
portal user-dhcp-only ········································································································· 305
portal user-logoff after-client-offline enable············································································· 306
portal user log enable········································································································· 307
portal web-server ·············································································································· 308
redirect-url ······················································································································· 308
reset portal packet statistics ································································································ 309
reset portal redirect statistics······························································································· 310
reset portal safe-redirect statistics ························································································ 311
server-detect (portal authentication server view)······································································ 311
server-detect (portal Web server view) ·················································································· 312
server-type (MAC binding server view)·················································································· 313
server-type (portal server view/portal Web server view)····························································· 314
tcp-port···························································································································· 315
url··································································································································· 315
url-parameter···················································································································· 316
user-sync························································································································· 318
version···························································································································· 319
vpn-instance····················································································································· 320
web-redirect url················································································································· 320

Port security commands ································································ 322
display port-security··········································································································· 322
display port-security mac-address block ················································································ 325
display port-security mac-address security············································································· 328
port-security authorization ignore·························································································· 330
port-security authorization-fail offline····················································································· 331
port-security enable ··········································································································· 331
port-security intrusion-mode ································································································ 332
port-security mac-address aging-type inactivity······································································· 333
port-security mac-address dynamic······················································································· 334
port-security mac-address security ······················································································· 335
port-security mac-move permit····························································································· 336
port-security max-mac-count ······························································································· 337
port-security nas-id-profile··································································································· 338
port-security ntk-mode········································································································ 339
port-security oui ················································································································ 340
port-security port-mode ······································································································ 341
port-security timer autolearn aging························································································ 343
port-security timer disableport······························································································ 344
snmp-agent trap enable port-security ···················································································· 345
User profile commands·································································· 347
display user-profile ············································································································ 347
user-profile······················································································································· 352
Password control commands·························································· 353
display password-control ···································································································· 353
display password-control blacklist························································································· 354
password-control { aging | composition | history | length } enable················································ 355
password-control aging ······································································································ 356
password-control alert-before-expire····················································································· 358
password-control complexity ······························································································· 358
password-control composition······························································································ 359
password-control enable····································································································· 361
password-control expired-user-login······················································································ 362
password-control history····································································································· 363
password-control length······································································································ 364
password-control login idle-time ··························································································· 365
password-control login-attempt ···························································································· 366
password-control super aging······························································································ 368
password-control super composition ····················································································· 368
password-control super length····························································································· 369
password-control update-interval·························································································· 370
reset password-control blacklist ··························································································· 371
reset password-control history-record···················································································· 371
Keychain commands····································································· 373
accept-lifetime utc ············································································································· 373
authentication-algorithm ····································································································· 374
display keychain················································································································ 374
key ································································································································· 376
keychain·························································································································· 376
key-string························································································································· 377
send-lifetime utc················································································································ 378
Public key management commands················································· 380
display public-key local public······························································································ 380
display public-key peer······································································································· 383
peer-public-key end ··········································································································· 385
public-key local create········································································································ 386
public-key local destroy ······································································································ 389

public-key local export dsa·································································································· 391
public-key local export ecdsa······························································································· 393
public-key local export rsa··································································································· 394
public-key peer ················································································································· 396
public-key peer import sshkey······························································································ 397
PKI commands············································································ 398
attribute··························································································································· 398
ca identifier ······················································································································ 399
certificate request entity······································································································ 400
certificate request from······································································································· 401
certificate request mode ····································································································· 401
certificate request polling ···································································································· 403
certificate request url·········································································································· 404
common-name·················································································································· 405
country···························································································································· 405
crl check·························································································································· 406
crl url ······························································································································ 406
display pki certificate access-control-policy············································································· 407
display pki certificate attribute-group ····················································································· 408
display pki certificate domain······························································································· 410
display pki certificate renew-status························································································ 414
display pki certificate request-status······················································································ 416
display pki crl domain········································································································· 417
fqdn································································································································ 419
ip···································································································································· 420
ldap-server······················································································································· 420
locality····························································································································· 421
organization ····················································································································· 422
organization-unit ··············································································································· 422
pki abort-certificate-request································································································· 423
pki certificate access-control-policy······················································································· 424
pki certificate attribute-group ······························································································· 424
pki delete-certificate··········································································································· 425
pki domain ······················································································································· 427
pki entity·························································································································· 427
pki export························································································································· 428
pki import························································································································· 435
pki request-certificate········································································································· 439
pki retrieve-certificate········································································································· 440
pki retrieve-crl··················································································································· 442
pki storage······················································································································· 443
pki validate-certificate········································································································· 444
public-key dsa ·················································································································· 446
public-key ecdsa ··············································································································· 447
public-key rsa··················································································································· 448
root-certificate fingerprint ···································································································· 449
rule································································································································· 451
source····························································································································· 452
state ······························································································································· 453
subject-dn························································································································ 453
usage······························································································································ 454
IPsec commands ········································································· 456
ah authentication-algorithm ································································································· 456
description ······················································································································· 457
display ipsec { ipv6-policy | policy } ······················································································· 457
display ipsec { ipv6-policy-template | policy-template }······························································ 462
display ipsec profile ··········································································································· 464
display ipsec sa ················································································································ 465
display ipsec statistics········································································································ 470
display ipsec transform-set·································································································· 471

display ipsec tunnel ··········································································································· 473
encapsulation-mode ·········································································································· 475
esn enable······················································································································· 476
esp authentication-algorithm································································································ 477
esp encryption-algorithm····································································································· 478
ike-profile························································································································· 480
ikev2-profile ····················································································································· 480
ipsec anti-replay check······································································································· 481
ipsec anti-replay window····································································································· 482
ipsec apply······················································································································· 482
ipsec decrypt-check enable································································································· 483
ipsec df-bit ······················································································································· 484
ipsec fragmentation ··········································································································· 485
ipsec global-df-bit·············································································································· 485
ipsec limit max-tunnel········································································································· 486
ipsec logging negotiation enable ·························································································· 487
ipsec logging packet enable ································································································ 487
ipsec { ipv6-policy | policy }·································································································· 488
ipsec { ipv6-policy | policy } isakmp template··········································································· 489
ipsec { ipv6-policy | policy } local-address··············································································· 490
ipsec { ipv6-policy-template | policy-template } ········································································ 491
ipsec profile······················································································································ 492
ipsec redundancy enable···································································································· 493
ipsec sa global-duration······································································································ 493
ipsec sa idle-time ·············································································································· 494
ipsec transform-set············································································································ 495
local-address···················································································································· 496
pfs·································································································································· 496
protocol··························································································································· 497
qos pre-classify················································································································· 498
redundancy replay-interval·································································································· 499
remote-address················································································································· 500
reset ipsec sa ··················································································································· 501
reset ipsec statistics··········································································································· 502
reverse-route dynamic········································································································ 503
reverse-route preference ···································································································· 504
reverse-route tag··············································································································· 504
sa duration······················································································································· 505
sa hex-key authentication ··································································································· 506
sa hex-key encryption ········································································································ 507
sa idle-time ······················································································································ 508
sa spi······························································································································ 509
sa string-key····················································································································· 510
security acl······················································································································· 512
snmp-agent trap enable ipsec······························································································ 513
tfc enable························································································································· 514
transform-set···················································································································· 515
tunnel protection ipsec ······································································································· 516
IKE commands············································································ 517
aaa authorization··············································································································· 517
authentication-algorithm ····································································································· 518
authentication-method········································································································ 519
certificate domain·············································································································· 519
client-authentication··········································································································· 521
description ······················································································································· 521
dh··································································································································· 522
display ike proposal··········································································································· 523
display ike sa···················································································································· 524
display ike statistics··········································································································· 527
dpd································································································································· 528
encryption-algorithm ·········································································································· 529
exchange-mode················································································································ 530
ike address-group·············································································································· 531
ike dpd···························································································································· 532
ike identity························································································································ 532
ike invalid-spi-recovery enable····························································································· 533
ike keepalive interval·········································································································· 534
ike keepalive timeout ········································································································· 535
ike keychain····················································································································· 535
ike limit···························································································································· 536
ike logging negotiation enable······························································································ 537
ike nat-keepalive··············································································································· 538
ike profile························································································································· 538
ike proposal ····················································································································· 539
ike signature-identity from-certificate····················································································· 540
inside-vpn························································································································ 540
keychain·························································································································· 541
local-identity····················································································································· 542
match local address (IKE keychain view) ··············································································· 543
match local address (IKE profile view)··················································································· 544
match remote ··················································································································· 545
pre-shared-key ················································································································· 546
priority (IKE keychain view) ································································································· 547
priority (IKE profile view)····································································································· 548
proposal ·························································································································· 549
reset ike sa ······················································································································ 549
reset ike statistics·············································································································· 550
sa duration······················································································································· 551
snmp-agent trap enable ike································································································· 551
IKEv2 commands········································································· 553
aaa authorization··············································································································· 553
address··························································································································· 554
authentication-method········································································································ 554
certificate domain·············································································································· 556
config-exchange················································································································ 557
display ikev2 policy············································································································ 558
display ikev2 profile ··········································································································· 559
display ikev2 proposal········································································································ 560
display ikev2 sa ················································································································ 561
display ikev2 statistics········································································································ 565
dh··································································································································· 566
dpd································································································································· 567
encryption························································································································ 568
hostname························································································································· 569
identity ···························································································································· 570
identity local ····················································································································· 571
ikev2 address-group ·········································································································· 572
ikev2 cookie-challenge······································································································· 572
ikev2 dpd························································································································· 573
ikev2 ipv6-address-group···································································································· 574
ikev2 keychain·················································································································· 575
ikev2 nat-keepalive············································································································ 576
ikev2 policy······················································································································ 576
ikev2 profile······················································································································ 577
ikev2 proposal ·················································································································· 578
inside-vrf·························································································································· 579
integrity ··························································································································· 580
keychain·························································································································· 581
match local (IKEv2 profile view) ··························································································· 581
match local address (IKEv2 policy view) ················································································ 582
match remote ··················································································································· 583
match vrf (IKEv2 policy view)······························································································· 585
match vrf (IKEv2 profile view) ······························································································ 585
nat-keepalive···················································································································· 586
peer································································································································ 587
pre-shared-key ················································································································· 588
prf ·································································································································· 589
priority (IKEv2 policy view) ·································································································· 590
priority (IKEv2 profile view)·································································································· 591
proposal ·························································································································· 591
reset ikev2 sa··················································································································· 592
reset ikev2 statistics··········································································································· 593
sa duration······················································································································· 593
SSH commands··········································································· 595
SSH server commands ············································································································· 595
display ssh server·············································································································· 595
display ssh user-information································································································ 597
scp server enable·············································································································· 598
sftp server enable·············································································································· 599
sftp server idle-timeout······································································································· 599
ssh ip alias······················································································································· 600
ssh redirect disconnect······································································································· 601
ssh redirect enable ············································································································ 602
ssh redirect listen-port········································································································ 603
ssh redirect timeout ··········································································································· 604
ssh server acl··················································································································· 604
ssh server authentication-retries··························································································· 605
ssh server authentication-timeout························································································· 606
ssh server compatible-ssh1x enable ····················································································· 607
ssh server dscp················································································································· 608
ssh server enable·············································································································· 608
ssh server ipv6 acl············································································································· 609
ssh server ipv6 dscp·········································································································· 610
ssh server rekey-interval····································································································· 610
ssh user ·························································································································· 611
SSH client commands··············································································································· 614
bye································································································································· 614
cd··································································································································· 614
cdup ······························································································································· 615
delete······························································································································ 615
dir··································································································································· 615
display sftp client source····································································································· 616
display ssh client source····································································································· 617
exit································································································································· 617
get·································································································································· 618
help································································································································ 618
ls···································································································································· 619
mkdir ······························································································································ 620
put·································································································································· 620
pwd ································································································································ 621
quit································································································································· 621
remove···························································································································· 622
rename···························································································································· 622
rmdir······························································································································· 622
scp································································································································· 623
scp ipv6··························································································································· 625
sftp································································································································· 627
sftp client ipv6 source········································································································· 629
sftp client source··············································································································· 630
sftp ipv6··························································································································· 630
ssh client ipv6 source········································································································· 633
ssh client source ··············································································································· 633
ssh2 ······························································································································· 634
ssh2 ipv6························································································································· 636
SSH2 commands····················································································································· 639
display ssh2 algorithm········································································································ 639
ssh2 algorithm cipher········································································································· 639
ssh2 algorithm key-exchange ······························································································ 640
ssh2 algorithm mac············································································································ 641
ssh2 algorithm public-key···································································································· 642
SSL commands ··········································································· 644
certificate-chain-sending enable··························································································· 644
ciphersuite ······················································································································· 644
client-verify······················································································································· 646
display ssl client-policy······································································································· 647
display ssl server-policy······································································································ 648
pki-domain······················································································································· 649
prefer-cipher····················································································································· 649
server-verify enable ··········································································································· 651
session···························································································································· 652
ssl client-policy ················································································································· 652
ssl renegotiation disable ····································································································· 653
ssl server-policy················································································································ 654
ssl version ssl3.0 disable···································································································· 654
version···························································································································· 655
ASPF commands········································································· 657
aspf apply policy (interface view)·························································································· 657
aspf apply policy (zone pair view)························································································· 658
aspf icmp-error reply·········································································································· 659
aspf policy························································································································ 659
detect······························································································································ 660
display aspf all·················································································································· 661
display aspf interface ········································································································· 662
display aspf policy············································································································· 663
display aspf session··········································································································· 664
icmp-error drop ················································································································· 670
reset aspf session ············································································································· 671
tcp syn-check ··················································································································· 671
APR commands··········································································· 673
app-group························································································································ 673
application statistics enable································································································· 674
apr signature auto-update··································································································· 675
apr signature auto-update-now ···························································································· 675
apr signature rollback········································································································· 676
apr signature update·········································································································· 676
copy app-group················································································································· 679
description (application group view) ······················································································ 679
description (NBAR rule view)······························································································· 680
destination ······················································································································· 680
direction ·························································································································· 681
disable ···························································································································· 682
display app-group·············································································································· 682
display application············································································································· 684
display application statistics ································································································ 687
display application statistics top ··························································································· 690
display apr signature information·························································································· 693
display port-mapping pre-defined ························································································· 693
display port-mapping user-defined························································································ 694
include application············································································································· 695
nbar application ················································································································ 696
override-current ················································································································ 697
port-mapping···················································································································· 698
port-mapping acl ··············································································································· 699
port-mapping host ············································································································· 700
port-mapping subnet·········································································································· 701
reset application statistics ··································································································· 703
service-port······················································································································ 703
signature ························································································································· 704
source····························································································································· 705
update schedule················································································································ 706
Session management commands···················································· 708
display session aging-time application··················································································· 708
display session aging-time state··························································································· 709
display session relation-table······························································································· 710
display session statistics ipv4 ······························································································ 712
display session statistics ipv6 ······························································································ 714
display session statistics multicast························································································ 716
display session statistics summary ······················································································· 718
display session table ipv4 ··································································································· 719
display session table ipv6 ··································································································· 724
display session table multicast ipv4······················································································· 728
display session table multicast ipv6······················································································· 734
reset session relation-table·································································································· 741
reset session statistics ······································································································· 742
reset session statistics multicast··························································································· 743
reset session table············································································································· 743
reset session table ipv4······································································································ 744
reset session table ipv6······································································································ 745
reset session table multicast································································································ 746
reset session table multicast ipv4 ························································································· 747
reset session table multicast ipv6 ························································································· 748
session aging-time application····························································································· 750
session aging-time state····································································································· 752
session log bytes-active······································································································ 753
session log enable············································································································· 754
session log flow-begin········································································································ 755
session log flow-end ·········································································································· 756
session log packets-active ·································································································· 756
session log time-active······································································································· 757
session persistent acl········································································································· 758
session state-machine mode loose······················································································· 759
session statistics enable····································································································· 759
Connection limit commands···························································· 761
connection-limit················································································································· 761
connection-limit apply········································································································· 762
connection-limit apply global································································································ 762
description ······················································································································· 763
display connection-limit ······································································································ 764
display connection-limit ipv6-stat-nodes················································································· 767
display connection-limit statistics·························································································· 770
display connection-limit stat-nodes ······················································································· 772
limit ································································································································ 776
reset connection-limit statistics····························································································· 779
Object group commands································································ 781
description ······················································································································· 781
display object-group··········································································································· 781
network (IPv4 address object group view)·············································································· 783
network (IPv6 address object group view)·············································································· 785
object-group····················································································································· 786
port (port object group view)································································································ 788
service (service object group view) ······················································································· 789
Object policy commands································································ 792
accelerate························································································································ 792
description ······················································································································· 793
display object-policy accelerate···························································································· 793
display object-policy ip ······································································································· 794
display object-policy ipv6 ···································································································· 795
display object-policy statistics zone-pair security ····································································· 796
display object-policy zone-pair security·················································································· 797
move rule························································································································· 798
object-policy apply ip·········································································································· 799
object-policy apply ipv6 ······································································································ 799
object-policy ip·················································································································· 800
object-policy ipv6··············································································································· 801
reset object-policy statistics································································································· 802
rule (IPv4 object policy view) ······························································································· 802
rule (IPv6 object policy view) ······························································································· 804
rule comment ··················································································································· 806
Attack detection and prevention commands······································· 808
ack-flood action················································································································· 808
ack-flood detect ················································································································ 809
ack-flood detect non-specific ······························································································· 810
ack-flood threshold ············································································································ 810
attack-defense apply policy ································································································· 811
attack-defense local apply policy·························································································· 812
attack-defense login reauthentication-delay············································································ 813
attack-defense policy ········································································································· 813
attack-defense signature log non-aggregate··········································································· 814
blacklist enable················································································································· 815
blacklist global enable········································································································ 815
blacklist ip························································································································ 816
blacklist ipv6····················································································································· 817
blacklist logging enable ······································································································ 818
blacklist object-group ········································································································· 819
blacklist user ···················································································································· 819
client-verify dns enable······································································································· 820
client-verify http enable······································································································· 821
client-verify protected ip······································································································ 822
client-verify protected ipv6··································································································· 823
client-verify tcp enable········································································································ 824
display attack-defense flood statistics ip ················································································ 825
display attack-defense flood statistics ipv6 ············································································· 828
display attack-defense policy······························································································· 831
display attack-defense policy ip···························································································· 835
display attack-defense policy ipv6························································································· 838
display attack-defense scan attacker ip ················································································· 840
display attack-defense scan attacker ipv6 ·············································································· 843
display attack-defense scan victim ip ···················································································· 845
display attack-defense scan victim ipv6 ················································································· 847
display attack-defense statistics interface··············································································· 849
display attack-defense statistics local···················································································· 855
display blacklist ip·············································································································· 860
display blacklist ipv6 ·········································································································· 862
display blacklist user·········································································································· 864
display client-verify protected ip ··························································································· 865
display client-verify protected ipv6 ························································································ 870
display client-verify trusted ip······························································································· 874
display client-verify trusted ipv6···························································································· 878
dns-flood action ················································································································ 882
dns-flood detect ················································································································ 883
dns-flood detect non-specific······························································································· 884

dns-flood port ··················································································································· 884
dns-flood threshold············································································································ 885
exempt acl ······················································································································· 886
fin-flood action·················································································································· 887
fin-flood detect·················································································································· 888
fin-flood detect non-specific································································································· 889
fin-flood threshold·············································································································· 890
http-flood action ················································································································ 891
http-flood detect················································································································ 891
http-flood detect non-specific······························································································· 893
http-flood port··················································································································· 893
http-flood threshold············································································································ 894
icmp-flood action··············································································································· 895
icmp-flood detect ip············································································································ 896
icmp-flood detect non-specific······························································································ 897
icmp-flood threshold ·········································································································· 897
icmpv6-flood action············································································································ 898
icmpv6-flood detect ipv6····································································································· 899
icmpv6-flood detect non-specific ·························································································· 900
icmpv6-flood threshold ······································································································· 900
reset attack-defense policy flood ·························································································· 901
reset attack-defense statistics interface ················································································· 902
reset attack-defense statistics local······················································································· 902
reset blacklist ip ················································································································ 903
reset blacklist ipv6············································································································· 903
reset blacklist statistics······································································································· 904
reset client-verify protected statistics····················································································· 904
reset client-verify trusted····································································································· 905
rst-flood action·················································································································· 905
rst-flood detect·················································································································· 906
rst-flood detect non-specific································································································· 907
rst-flood threshold·············································································································· 908
scan detect ······················································································································ 909
signature { large-icmp | large-icmpv6 } max-length··································································· 910
signature detect ················································································································ 911
signature level action ········································································································· 914
signature level detect········································································································· 915
syn-ack-flood action··········································································································· 915
syn-ack-flood detect··········································································································· 916
syn-ack-flood detect non-specific·························································································· 917
syn-ack-flood threshold ······································································································ 918
syn-flood action················································································································· 919
syn-flood detect ················································································································ 920
syn-flood detect non-specific ······························································································· 921
syn-flood threshold············································································································ 922
udp-flood action ················································································································ 922
udp-flood detect················································································································ 923
udp-flood detect non-specific······························································································· 924
udp-flood threshold············································································································ 925
whitelist enable················································································································· 926
whitelist global enable········································································································ 926
whitelist object-group ········································································································· 927
IP source guard commands···························································· 928
display ip source binding····································································································· 928
display ipv6 source binding ································································································· 930
ip source binding (interface view) ························································································· 932
ip verify source ················································································································· 933
ipv6 source binding (interface view) ······················································································ 933
ipv6 verify source ·············································································································· 934

ARP attack protection commands···················································· 936
Unresolvable IP attack protection commands ················································································ 936
arp resolving-route enable··································································································· 936
arp resolving-route probe-count ··························································································· 936
arp resolving-route probe-interval························································································· 937
arp source-suppression enable···························································································· 938
arp source-suppression limit································································································ 938
display arp source-suppression···························································································· 939
Source MAC-based ARP attack detection commands····································································· 939
arp source-mac················································································································· 939
arp source-mac aging-time·································································································· 940
arp source-mac exclude-mac······························································································· 941
arp source-mac threshold ··································································································· 941
display arp source-mac ······································································································ 942
ARP packet source MAC consistency check commands·································································· 943
arp valid-check enable ······································································································· 943
ARP active acknowledgement commands ···················································································· 943
arp active-ack enable········································································································· 943
Authorized ARP commands ······································································································· 944
arp authorized enable ········································································································ 944
ARP attack detection commands ································································································ 944
arp detection enable ·········································································································· 945
arp detection rule ·············································································································· 945
arp detection trust·············································································································· 946
arp detection validate········································································································· 947
arp restricted-forwarding enable··························································································· 948
display arp detection·········································································································· 948
display arp detection statistics ····························································································· 949
reset arp detection statistics ································································································ 949
ARP scanning and fixed ARP commands ····················································································· 950
arp fixup ·························································································································· 950
arp scan ·························································································································· 951
ARP gateway protection commands ···························································································· 952
arp filter source················································································································· 952
ARP filtering commands············································································································ 952
arp filter binding ················································································································ 952
IPv4 uRPF commands ·································································· 954
display ip urpf··················································································································· 954
ip urpf ····························································································································· 955
IPv6 uRPF commands ·································································· 957
display ipv6 urpf················································································································ 957
ipv6 urpf ·························································································································· 958
Crypto engine commands ······························································ 960
display crypto-engine········································································································· 960
display crypto-engine statistics····························································································· 961
reset crypto-engine statistics ······························································································· 965
FIPS commands ·········································································· 967
display fips status·············································································································· 967
fips mode enable··············································································································· 967
fips self-test······················································································································ 969
Document conventions and icons ···················································· 973
Conventions···························································································································· 973
Network topology icons ············································································································· 974
Support and other resources··························································· 975
Accessing Hewlett Packard Enterprise Support·············································································· 975

Accessing updates··················································································································· 975
Websites ························································································································· 976
Customer self repair ·········································································································· 976
Remote support ················································································································ 976
Documentation feedback ···································································································· 976
Index························································································· 978

AAA commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more
information about FIPS mode, see Security Configuration Guide.
General AAA commands
aaa nas-id profile
Use aaa nas-id profile to create a NAS-ID profile and enter its view, or enter the view of an existing
NAS-ID profile.
Use undo aaa nas-id profile to delete a NAS-ID profile.
Syntax
aaa nas-id profile profile-name
undo aaa nas-id profile profile-name
Default
No NAS-ID profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies the NAS-ID profile name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
Configure a NAS-ID profile to maintain NAS-ID and VLAN bindings on the device.
Examples
# Create a NAS-ID profile named aaa.
<Sysname> system-view
[Sysname] aaa nas-id profile aaa
[Sysname-nas-id-prof-aaa]
Related commands
nas-id bind vlan
port-security nas-id-profile
portal nas-id-profile
aaa session-limit
Use aaa session-limit to set the maximum number of concurrent users who can log on to the device
through the specified method.
Use undo aaa session-limit to restore the default maximum number of concurrent users for the
specified login method.

Syntax
In non-FIPS mode:
aaa session-limit { ftp | http | https | ssh | telnet } max-sessions
undo aaa session-limit { ftp | http | https | ssh | telnet }
In FIPS mode:
aaa session-limit { https | ssh } max-sessions
undo aaa session-limit { https | ssh }
Default
The maximum number of concurrent users is 32 for the FTP, SSH, and Telnet services.
The maximum number of concurrent users is 64 for the HTTP and HTTPS services.
Views
System view
Predefined user roles
network-admin
Parameters
ftp: FTP users.
http: HTTP users.
https: HTTPS users.
ssh: SSH users.
telnet: Telnet users.
max-sessions: Specifies the maximum number of concurrent login users. The value range for this
argument is from 1 to 32 for the FTP, SSH, and Telnet services, and is from 1 to 64 for the HTTP and
HTTPS services.
Usage guidelines
When the number of concurrent login users of a type reaches the upper limit, the system denies
subsequent users of that type.
Examples
# Set the maximum number of concurrent FTP users to 4.
<Sysname> system-view
[Sysname] aaa session-limit ftp 4
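The following is an added example, not part of the HPE manual: a Python check that reads aaa session-limit lines from a saved configuration and validates them against the value ranges, defaults, and FIPS-mode keywords documented above. The sample configuration is constructed, and the function name audit_session_limits is hypothetical.

```python
import re

# Value ranges for max-sessions, as documented in the Parameters section.
LIMIT_RANGE = {"ftp": (1, 32), "ssh": (1, 32), "telnet": (1, 32),
               "http": (1, 64), "https": (1, 64)}
# Documented defaults that apply when no aaa session-limit line is present.
DEFAULTS = {"ftp": 32, "ssh": 32, "telnet": 32, "http": 64, "https": 64}
# Login methods the command accepts in FIPS mode (per the Syntax section).
FIPS_METHODS = {"https", "ssh"}

LINE_RE = re.compile(r"^\s*aaa\s+session-limit\s+(\S+)\s+(\S+)\s*$")


def audit_session_limits(config_text, fips_mode=False):
    """Return (effective_limits, findings) for a saved configuration.

    effective_limits maps each login method to the limit in force.
    findings is a list of (line_number, message) for rejected lines.
    Assumption: a rejected line leaves the documented default in place.
    """
    effective = dict(DEFAULTS)
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = LINE_RE.match(line)
        if not match:
            continue
        method, value = match.groups()
        if method not in LIMIT_RANGE:
            findings.append((lineno, f"unknown login method '{method}'"))
            continue
        if fips_mode and method not in FIPS_METHODS:
            findings.append(
                (lineno, f"'{method}' is not a valid keyword in FIPS mode"))
            continue
        low, high = LIMIT_RANGE[method]
        if not value.isdigit() or not low <= int(value) <= high:
            findings.append(
                (lineno, f"'{value}' is outside {low}-{high} for {method}"))
            continue
        effective[method] = int(value)
    if fips_mode:
        # Only the FIPS-mode login methods are reported.
        effective = {m: effective[m] for m in sorted(FIPS_METHODS)}
    return effective, findings


# Constructed sample, in the style of a saved configuration file.
SAMPLE_CONFIG = "\n".join([
    " sysname Sysname",
    " aaa session-limit ftp 4",
    " aaa session-limit telnet 40",   # out of range: telnet allows 1 to 32
    " aaa session-limit https 16",
])

if __name__ == "__main__":
    for mode in (False, True):
        limits, problems = audit_session_limits(SAMPLE_CONFIG, fips_mode=mode)
        print("FIPS mode" if mode else "non-FIPS mode", limits)
        for lineno, message in problems:
            print(f"  line {lineno}: {message}")
```

Run against a non-FIPS configuration, the effective limits for ftp, http, and telnet show how many concurrent sessions the cleartext login methods still admit.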
accounting advpn
Use accounting advpn to configure the accounting method for ADVPN users.
Use undo accounting advpn to restore the default.
Syntax
In non-FIPS mode:
accounting advpn { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo accounting advpn
In FIPS mode:
accounting advpn { local | radius-scheme radius-scheme-name [ local ] }