Hp Msr series Installation manual

HP MSR Router Series

Security

Command Reference(V7)

Part number: 5998-6475

Software version: CMW710-R0106

Document version: 6PW101-20140807

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without

prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS

MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained

herein or for incidental or consequential damages in connection with the furnishing, performance, or use

of this material.

The only warranties for HP products and services are set forth in the express warranty statements

accompanying such products and services. Nothing herein should be construed as constituting an

additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Contents

Legal and notice information·········································································································································i

AAA commands ··························································································································································· 1

General AAA commands ·················································································································································1

aaa session-limit ·······················································································································································1

access-limit enable ···················································································································································2

accounting command···············································································································································2

accounting default····················································································································································3

accounting lan-access ··············································································································································4

accounting login·······················································································································································6

accounting portal ·····················································································································································7

accounting ppp·························································································································································8

authentication default···············································································································································9

authentication lan-access······································································································································ 11

authentication login··············································································································································· 12

authentication portal ············································································································································· 13

authentication ppp ················································································································································ 14

authentication super ·············································································································································· 16

authorization command········································································································································ 17

authorization default ············································································································································· 18

authorization lan-access ······································································································································· 20

authorization login ················································································································································ 21

authorization portal··············································································································································· 22

authorization ppp·················································································································································· 23

authorization-attribute (ISP domain view) ··········································································································· 25

display domain······················································································································································ 26

domain ··································································································································································· 28

domain default enable·········································································································································· 29

domain if-unknown················································································································································ 29

session-time include-idle-time································································································································ 30

state (ISP domain view)········································································································································· 31

Local user commands····················································································································································· 32

access-limit ····························································································································································· 32

authorization-attribute (local user view/user group view) ················································································ 33

bind-attribute ·························································································································································· 34

display local-user··················································································································································· 35

display user-group················································································································································· 38

group ······································································································································································ 39

local-user ································································································································································ 40

password································································································································································ 41

service-type····························································································································································· 42

state (local user view)············································································································································ 43

user-group ······························································································································································ 44

RADIUS commands ························································································································································ 45

accounting-on enable············································································································································ 45

attribute 15 check-mode ······································································································································· 46

attribute 25 car······················································································································································ 47

client ······································································································································································· 47

data-flow-format (RADIUS scheme view)············································································································· 48

display radius scheme ·········································································································································· 49

display radius statistics ········································································································································· 52

key (RADIUS scheme view)··································································································································· 53

nas-ip (RADIUS scheme view) ······························································································································ 54

port·········································································································································································· 55

primary accounting (RADIUS scheme view) ······································································································· 56

primary authentication (RADIUS scheme view)·································································································· 58

radius-server test-profile ········································································································································ 59

radius dynamic-author server······························································································································· 60

radius dscp····························································································································································· 61

radius nas-ip··························································································································································· 61

radius session-control enable ······························································································································· 63

radius scheme························································································································································ 63

reset radius statistics·············································································································································· 64

retry········································································································································································· 64

retry realtime-accounting ······································································································································ 65

secondary accounting (RADIUS scheme view)··································································································· 66

secondary authentication (RADIUS scheme view) ····························································································· 68

security-policy-server ············································································································································· 70

snmp-agent trap enable radius ···························································································································· 70

state primary ·························································································································································· 71

state secondary······················································································································································ 72

timer quiet (RADIUS scheme view) ······················································································································ 74

timer realtime-accounting (RADIUS scheme view) ····························································································· 74

timer response-timeout (RADIUS scheme view) ·································································································· 75

user-name-format (RADIUS scheme view) ··········································································································· 76

vpn-instance (RADIUS scheme view) ··················································································································· 77

HWTACACS commands ··············································································································································· 78

data-flow-format (HWTACACS scheme view)···································································································· 78

display hwtacacs scheme····································································································································· 79

hwtacacs nas-ip ····················································································································································· 80

hwtacacs scheme··················································································································································· 82

key (HWTACACS scheme view)·························································································································· 82

nas-ip (HWTACACS scheme view) ····················································································································· 84

primary accounting (HWTACACS scheme view) ······························································································ 85

primary authentication (HWTACACS scheme view)························································································· 86

primary authorization ··········································································································································· 88

reset hwtacacs statistics ········································································································································ 89

secondary accounting (HWTACACS scheme view)·························································································· 90

secondary authentication (HWTACACS scheme view)····················································································· 91

secondary authorization······································································································································· 93

timer quiet (HWTACACS scheme view) ············································································································· 95

timer realtime-accounting (HWTACACS scheme view)····················································································· 95

timer response-timeout (HWTACACS scheme view) ························································································· 96

user-name-format (HWTACACS scheme view) ·································································································· 97

vpn-instance (HWTACACS scheme view) ·········································································································· 98

LDAP commands····························································································································································· 98

authentication-server ············································································································································· 98

display ldap scheme ············································································································································· 99

ip ···········································································································································································101

ipv6·······································································································································································101

ldap scheme·························································································································································102

ldap server ···························································································································································103

login-dn·································································································································································104

iii

login-password ····················································································································································104

protocol-version ···················································································································································105

search-base-dn ·····················································································································································106

search-scope ························································································································································107

server-timeout ·······················································································································································107

user-parameters ···················································································································································108

802.1X commands ················································································································································· 110

display dot1x ·······················································································································································110

display dot1x connection ···································································································································113

dot1x·····································································································································································116

dot1x authentication-method······························································································································117

dot1x auth-fail vlan··············································································································································118

dot1x critical vlan················································································································································119

dot1x domain-delimiter·······································································································································119

dot1x guest-vlan ··················································································································································120

dot1x handshake·················································································································································121

dot1x handshake secure·····································································································································122

dot1x mandatory-domain ···································································································································123

dot1x max-user ····················································································································································123

dot1x multicast-trigger·········································································································································124

dot1x port-control ················································································································································125

dot1x port-method ···············································································································································126

dot1x quiet-period···············································································································································126

dot1x re-authenticate ··········································································································································127

dot1x re-authenticate server-unreachable keep-online ····················································································128

dot1x retry····························································································································································128

dot1x smarton······················································································································································129

dot1x smarton password ····································································································································130

dot1x smarton retry·············································································································································131

dot1x smarton switchid·······································································································································132

dot1x smarton timer supp-timeout······················································································································132

dot1x timer···························································································································································133

dot1x unicast-trigger ···········································································································································135

reset dot1x guest-vlan ·········································································································································136

reset dot1x statistics ············································································································································136

MAC authentication commands····························································································································· 137

display mac-authentication·································································································································137

display mac-authentication connection ·············································································································139

mac-authentication ··············································································································································141

mac-authentication domain ································································································································142

mac-authentication host-mode····························································································································143

mac-authentication max-user ······························································································································144

mac-authentication re-authenticate server-unreachable keep-online ······························································144

mac-authentication timer·····································································································································145

mac-authentication timer auth-delay··················································································································146

mac-authentication user-name-format ················································································································147

reset mac-authentication statistics ······················································································································148

Portal commands····················································································································································· 150

display portal interface·······································································································································150

display portal packet statistics ···························································································································152

display portal rule ···············································································································································154

display portal server ···········································································································································158

display portal user···············································································································································160

display portal web-server ···································································································································161

portal { bas-ip | bas-ipv6 }·································································································································165

portal apply web-server······································································································································166

portal delete-user ·················································································································································167

portal domain ······················································································································································168

portal enable························································································································································168

portal fail-permit server ·······································································································································169

portal free-all except destination························································································································170

portal free-rule······················································································································································171

portal free-rule source ·········································································································································173

portal ipv6 free-all except destination···············································································································173

portal ipv6 layer3 source ···································································································································174

portal ipv6 user-detect ········································································································································175

portal layer3 source············································································································································177

portal max-user ····················································································································································178

portal roaming enable ········································································································································178

portal server ·························································································································································179

portal user-detect ·················································································································································180

portal web-server·················································································································································181

reset portal packet statistics································································································································182

server-detect (portal authentication server view) ······························································································182

server-detect (portal Web server view) ·············································································································183

url ··········································································································································································184

url-parameter························································································································································185

user-sync ·······························································································································································186

vpn-instance ·························································································································································187

Port security commands ·········································································································································· 189

display port-security ············································································································································189

display port-security mac-address block ···········································································································191

display port-security mac-address security········································································································193

port-security authorization ignore······················································································································195

port-security enable ·············································································································································196

port-security intrusion-mode ································································································································196

port-security mac-address security ·····················································································································197

port-security mac-move permit····························································································································199

port-security max-mac-count ·······························································································································200

port-security ntk-mode ·········································································································································201

port-security oui ···················································································································································201

port-security port-mode········································································································································202

port-security timer autolearn aging····················································································································205

port-security timer disableport····························································································································206

Password control commands·································································································································· 207

display password-control····································································································································207

display password-control blacklist·····················································································································208

password-control { aging | composition | history | length } enable····························································209

password-control aging ······································································································································210

password-control alert-before-expire ·················································································································212

password-control complexity······························································································································212

password-control composition····························································································································213

password-control enable·····································································································································215

password-control expired-user-login··················································································································216

password-control history ·····································································································································217

password-control length······································································································································218

password-control login idle-time ························································································································219

password-control login-attempt ··························································································································220

password-control super aging····························································································································222

password-control super composition ·················································································································222

password-control super length ···························································································································223

password-control update-interval ·······················································································································224

reset password-control blacklist ·························································································································225

reset password-control history-record················································································································225

Public key management commands······················································································································· 227

display public-key local public···························································································································227

display public-key peer·······································································································································231

peer-public-key end ·············································································································································232

public-key local create ········································································································································233

public-key local destroy ······································································································································236

public-key local export dsa ································································································································238

public-key local export rsa ·································································································································240

public-key peer ····················································································································································242

public-key peer import sshkey····························································································································243

PKI commands························································································································································· 244

attribute·································································································································································244

ca identifier ··························································································································································245

certificate request entity ······································································································································246

certificate request from ·······································································································································247

certificate request mode······································································································································248

certificate request polling ···································································································································249

certificate request url···········································································································································250

common-name······················································································································································251

country··································································································································································251

crl check ·······························································································································································252

crl url·····································································································································································252

display pki certificate access-control-policy······································································································254

display pki certificate attribute-group················································································································255

display pki certificate domain····························································································································256

display pki certificate request-status ··················································································································260

display pki crl ······················································································································································262

fqdn·······································································································································································263

ldap-server····························································································································································265

locality ··································································································································································266

organization·························································································································································266

organization-unit··················································································································································267

pki abort-certificate-request ································································································································267

pki certificate access-control-policy ···················································································································268

pki certificate attribute-group ·····························································································································269

pki delete-certificate ············································································································································269

pki domain ···························································································································································271

pki entity·······························································································································································271

pki export ·····························································································································································272

pki import ·····························································································································································279

pki request-certificate ··········································································································································283

pki retrieve-certificate··········································································································································284

pki retrieve-crl ······················································································································································285

pki storage ···························································································································································286

pki validate-certificate ·········································································································································287

public-key dsa······················································································································································289

public-key rsa·······················································································································································290

root-certificate fingerprint····································································································································291

rule ········································································································································································293

source ···································································································································································294

state·······································································································································································295

usage ····································································································································································295

IPsec commands······················································································································································ 297

ah authentication-algorithm································································································································297

description····························································································································································298

display ipsec { ipv6-policy | policy }················································································································298

display ipsec { ipv6-policy-template | policy-template } ·················································································303

display ipsec profile············································································································································304

display ipsec sa···················································································································································306

display ipsec statistics·········································································································································309

display ipsec transform-set ·································································································································311

display ipsec tunnel·············································································································································312

encapsulation-mode ············································································································································315

esp authentication-algorithm ······························································································································316

esp encryption-algorithm ····································································································································317

ike-profile······························································································································································318

ipsec anti-replay check ·······································································································································319

ipsec anti-replay window ···································································································································320

ipsec apply···························································································································································320

ipsec decrypt-check enable ································································································································321

ipsec logging packet enable······························································································································322

ipsec df-bit····························································································································································322

ipsec global-df-bit ················································································································································323

ipsec { ipv6-policy | policy }······························································································································324

ipsec { ipv6-policy | policy } isakmp template·································································································325

ipsec { ipv6-policy | policy } local-address······································································································326

ipsec { ipv6-policy-template | policy-template } policy-template ····································································327

ipsec profile ·························································································································································328

ipsec sa global-duration ·····································································································································329

ipsec sa idle-time ·················································································································································330

ipsec transform-set ···············································································································································331

local-address ························································································································································332

pfs ·········································································································································································332

protocol ································································································································································333

qos pre-classify ····················································································································································334

remote-address·····················································································································································335

reset ipsec sa ·······················································································································································336

reset ipsec statistics ·············································································································································337

reverse-route dynamic ·········································································································································338

reverse-route preference ·····································································································································339

reverse-route tag ··················································································································································340

sa duration ···························································································································································340

sa hex-key authentication ···································································································································341

sa hex-key encryption ·········································································································································342

sa idle-time ···························································································································································344

vii

sa spi ····································································································································································344

sa string-key ·························································································································································345

security acl ···························································································································································347

snmp-agent trap enable ipsec····························································································································348

transform-set ·························································································································································349

IKE commands························································································································································· 351

authentication-algorithm ·····································································································································351

authentication-method·········································································································································351

certificate domain················································································································································352

dh··········································································································································································353

display ike proposal············································································································································354

display ike sa·······················································································································································355

dpd········································································································································································358

encryption-algorithm············································································································································359

exchange-mode ···················································································································································360

ike dpd ·································································································································································361

ike identity····························································································································································362

ike invalid-spi-recovery enable···························································································································363

ike keepalive interval ··········································································································································364

ike keepalive timeout ··········································································································································364

ike keychain·························································································································································365

ike limit ·································································································································································366

ike nat-keepalive··················································································································································367

ike profile ·····························································································································································367

ike proposal ·························································································································································368

ike signature-identity from-certificate ·················································································································369

inside-vpn ·····························································································································································370

keychain ·······························································································································································371

local-identity ·························································································································································371

match local address (IKE keychain view)··········································································································372

match local address (IKE profile view)··············································································································373

match remote ·······················································································································································374

pre-shared-key······················································································································································376

priority (IKE keychain view)································································································································377

priority (IKE profile view)····································································································································378

proposal ·······························································································································································378

reset ike sa ···························································································································································379

reset ike statistics ·················································································································································380

snmp-agent trap enable ike································································································································381

SSH commands ······················································································································································· 383

SSH server commands·················································································································································383

display ssh server ················································································································································383

display ssh user-information ·······························································································································384

sftp server enable ················································································································································385

sftp server idle-timeout·········································································································································386

ssh server acl ·······················································································································································386

ssh server authentication-retries ·························································································································387

ssh server authentication-timeout························································································································388

ssh server compatible-ssh1x enable ··················································································································389

ssh server dscp·····················································································································································389

ssh server enable·················································································································································390

ssh server ipv6 acl···············································································································································391

viii

ssh server ipv6 dscp············································································································································392

ssh server rekey-interval ······································································································································392

ssh user·································································································································································393

SSH client commands ··················································································································································395

bye ········································································································································································395

cd ··········································································································································································396

cdup······································································································································································396

delete ····································································································································································397

dir··········································································································································································397

display sftp client source·····································································································································398

display ssh client source ·····································································································································399

exit ········································································································································································399

get ·········································································································································································400

help ·······································································································································································400

ls············································································································································································401

mkdir·····································································································································································402

put ·········································································································································································402

pwd·······································································································································································403

quit ········································································································································································403

remove··································································································································································403

rename··································································································································································404

rmdir ·····································································································································································404

scp·········································································································································································405

scp ipv6································································································································································407

sftp·········································································································································································409

sftp client ipv6 source ·········································································································································411

sftp client source ··················································································································································412

sftp ipv6································································································································································413

ssh client ipv6 source··········································································································································415

ssh client source···················································································································································416

ssh2·······································································································································································416

ssh2 ipv6······························································································································································418

SSL commands························································································································································· 421

SSL server policy configuration commands···············································································································421

ciphersuite ····························································································································································421

client-verify enable ··············································································································································423

display ssl server-policy ······································································································································423

pki-domain (SSL server policy view) ··················································································································424

session cachesize ················································································································································425

ssl server-policy····················································································································································425

SSL client policy configuration commands ················································································································426

display ssl client-policy········································································································································426

pki-domain (SSL client policy view) ···················································································································427

prefer-cipher·························································································································································428

server-verify enable ·············································································································································429

ssl client-policy ·····················································································································································430

version ··································································································································································431

ASPF commands······················································································································································ 432

aspf apply policy·················································································································································432

aspf policy····························································································································································433

detect ····································································································································································433

display aspf all ····················································································································································435

display aspf interface··········································································································································436

display aspf policy ··············································································································································436

display aspf session ············································································································································437

icmp-error drop····················································································································································440

reset aspf session·················································································································································441

tcp syn-check························································································································································442

APR commands························································································································································ 443

app-group·····························································································································································443

application statistics enable ·······························································································································443

copy app-group···················································································································································445

display app-group ···············································································································································446

display application··············································································································································448

display application statistics·······························································································································450

display application statistics top························································································································453

display port-mapping pre-defined ·····················································································································455

display port-mapping user-defined ····················································································································456

include application··············································································································································457

port-mapping ·······················································································································································458

port-mapping acl ·················································································································································459

port-mapping host ···············································································································································460

port-mapping subnet ···········································································································································461

reset application statistics···································································································································463

Session management commands··························································································································· 464

display session aging-time application ·············································································································464

display session aging-time state·························································································································465

display session relation-table ·····························································································································466

display session statistics······································································································································468

display session table ···········································································································································470

reset session table ipv4·······································································································································476

reset session table ipv6·······································································································································477

reset session table ···············································································································································478

reset session statistics ··········································································································································478

reset session relation-table··································································································································479

session aging-time application···························································································································480

session aging-time state ······································································································································481

session log bytes-active·······································································································································483

session log enable···············································································································································483

session log packets-active···································································································································484

session log time-active ········································································································································485

session persistent acl···········································································································································486

Connection limit commands ··································································································································· 488

connection-limit apply ·········································································································································488

connection-limit apply global ·····························································································································489

connection-limit ····················································································································································489

display connection-limit·······································································································································490

display connection-limit ipv6-stat-nodes ············································································································493

display connection-limit statistics ·······················································································································495

display connection-limit stat-nodes·····················································································································496

limit ·······································································································································································499

reset connection-limit statistics····························································································································501

Object group commands········································································································································ 502

display object group ···········································································································································502

network (IPv4 address object group view) ·······································································································504

network (IPv6 address object group view) ·······································································································506

object-group·························································································································································508

port (port object group view) ·····························································································································509

service (service object group view) ···················································································································511

IP source guard commands ···································································································································· 514

display ip source binding···································································································································514

display ipv6 source binding·······························································································································516

ip source binding (interface view) ·····················································································································517

ip verify source ····················································································································································518

ipv6 source binding (interface view)·················································································································519

ipv6 verify source ················································································································································520

ARP attack protection commands ·························································································································· 522

Unresolvable IP attack protection commands ···········································································································522

arp resolving-route enable··································································································································522

arp source-suppression enable ··························································································································522

arp source-suppression limit ·······························································································································523

display arp source-suppression··························································································································524

Source MAC-based ARP attack detection commands······························································································524

arp source-mac ····················································································································································524

arp source-mac aging-time ·································································································································525

arp source-mac exclude-mac······························································································································526

arp source-mac threshold ···································································································································526

display arp source-mac·······································································································································527

ARP packet source MAC consistency check commands··························································································528

arp valid-check enable ·······································································································································528

ARP active acknowledgement commands·················································································································528

arp active-ack enable··········································································································································528

Authorized ARP commands·········································································································································529

arp authorized enable ········································································································································529

ARP detection commands············································································································································530

arp detection enable···········································································································································530

arp detection trust················································································································································530

arp detection validate·········································································································································531

arp restricted-forwarding enable ·······················································································································531

display arp detection ··········································································································································532

display arp detection statistics ···························································································································532

reset arp detection statistics································································································································533

ARP scanning and fixed ARP commands ··················································································································534

arp fixup·······························································································································································534

arp scan ·······························································································································································534

ARP gateway protection commands ··························································································································535

arp filter source····················································································································································535

ARP filtering commands···············································································································································536

arp filter binding··················································································································································536

IPv4 uRPF commands ·············································································································································· 538

display ip urpf······················································································································································538

ip urpf ···································································································································································539

IPv6 uRPF commands ·············································································································································· 541

display ipv6 urpf ·················································································································································541

ipv6 urpf·······························································································································································542

Crypto engine commands ······································································································································ 544

crypto-engine accelerator disable ·····················································································································544

display crypto-engine··········································································································································544

display crypto-engine statistics···························································································································546

reset crypto-engine statistics ·······························································································································547

FIPS commands ······················································································································································· 549

display fips status ················································································································································549

fips mode enable·················································································································································549

fips self-test ···························································································································································551

Attack detection and prevention commands········································································································· 555

ack-flood action ···················································································································································555

ack-flood detect ···················································································································································556

ack-flood detect non-specific ······························································································································557

ack-flood threshold ··············································································································································558

attack-defense apply policy································································································································558

attack-defense local apply policy ······················································································································559

attack-defense policy···········································································································································560

attack-defense signature log non-aggregate ····································································································561

blacklist enable····················································································································································561

blacklist global enable········································································································································562

blacklist ip ····························································································································································563

blacklist ipv6························································································································································564

blacklist logging enable ·····································································································································565

client-verify dns enable ·······································································································································566

client-verify http enable·······································································································································566

client-verify protected ip······································································································································567

client-verify protected ipv6 ·································································································································568

client-verify tcp enable ········································································································································569

display attack-defense flood statistics ip ···········································································································570

display attack-defense flood statistics ipv6·······································································································573

display attack-defense policy ·····························································································································575

display attack-defense policy ip·························································································································580

display attack-defense policy ipv6 ····················································································································582

display attack-defense scan attacker ip ············································································································584

display attack-defense scan attacker ipv6········································································································585

display attack-defense scan victim ip ················································································································587

display attack-defense scan victim ipv6············································································································588

display attack-defense statistics interface··········································································································590

display attack-defense statistics local ················································································································594

display blacklist ip···············································································································································599

display blacklist ipv6 ··········································································································································600

display client-verify protected ip ························································································································602

display client-verify protected ipv6····················································································································605

display client-verify trusted ip·····························································································································608

display client-verify trusted ipv6·························································································································610

dns-flood action ···················································································································································613

dns-flood detect····················································································································································614

dns-flood detect non-specific ······························································································································615

dns-flood port·······················································································································································616

dns-flood threshold ··············································································································································617

exempt acl····························································································································································617

fin-flood action ·····················································································································································618

fin-flood detect ·····················································································································································619

xii

fin-flood detect non-specific································································································································620

fin-flood threshold················································································································································621

http-flood action···················································································································································622

http-flood detect ···················································································································································623

http-flood detect non-specific······························································································································624

http-flood port·······················································································································································625

http-flood threshold··············································································································································626

icmp-flood action·················································································································································627

icmp-flood detect ip·············································································································································627

icmp-flood detect non-specific····························································································································628

icmp-flood threshold············································································································································629

icmpv6-flood action·············································································································································630

icmpv6-flood detect ipv6 ····································································································································631

icmpv6-flood detect non-specific························································································································632

icmpv6-flood threshold········································································································································633

reset attack-defense policy flood························································································································633

reset attack-defense statistics interface··············································································································634

reset attack-defense statistics local·····················································································································634

reset blacklist ip ···················································································································································635

reset blacklist ipv6···············································································································································636

reset blacklist statistics·········································································································································636

reset client-verify protected statistics··················································································································637

reset client-verify trusted······································································································································637

rst-flood action ·····················································································································································638

rst-flood detect······················································································································································639

rst-flood detect non-specific ································································································································640

rst-flood threshold ················································································································································641

scan detect ···························································································································································641

signature { large-icmp | large-icmpv6 } max-length························································································643

signature detect ···················································································································································644

signature level action ··········································································································································647

signature level detect ··········································································································································648

syn-ack-flood action·············································································································································649

syn-ack-flood detect ·············································································································································649

syn-ack-flood detect non-specific························································································································651

syn-ack-flood threshold········································································································································651

syn-flood action····················································································································································652

syn-flood detect····················································································································································653

syn-flood detect non-specific·······························································································································654

syn-flood threshold···············································································································································655

udp-flood action···················································································································································656

udp-flood detect···················································································································································657

udp-flood detect non-specific······························································································································658

udp-flood threshold··············································································································································658

Support and other resources ·································································································································· 660

Contacting HP ······························································································································································660

Subscription service ············································································································································660

Related information······················································································································································660

Documents····························································································································································660

Websites·······························································································································································660

Conventions ··································································································································································661

Index ········································································································································································ 663

AAA commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,

commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about

FIPS mode, see Security Configuration Guide.

General AAA commands

aaa session-limit

Use aaa session-limit to set the maximum number of concurrent users who can log on to the device

through the specified method.

Use undo aaa session-limit to restore the default maximum number of concurrent users for the specified

Syntax

In non-FIPS mode:

aaa session-limit { ftp | ssh | telnet } max-sessions

undo aaa session-limit { ftp | ssh | telnet }

In FIPS mode:

aaa session-limit ssh max-sessions

undo aaa session-limit ssh

Default

The maximum number of concurrent users is 32 for each user type.

Views

System view

Predefined user roles

network-admin

Parameters

ftp: FTP users.

ssh: SSH users.

telnet: Telnet users.

max-sessions: Specifies the maximum number of concurrent login users. The value range is 1 to 32.

Usage guidelines

After the maximum number of concurrent login users for a user type exceeds the upper limit, the system

denies the subsequent users of this type.

Examples

# Set the maximum number of concurrent FTP users to 4.

<Sysname> system-view

[Sysname] aaa session-limit ftp 4

access-limit enable

Use access-limit enable to set the maximum number of online users in an ISP domain. After the number

of online users reaches the allowed maximum number, no more users are accepted.

Use undo access-limit enable to restore the default.

Syntax

access-limit enable max-user-number

undo access-limit enable

Default

There is no limit to the number of online users in an ISP domain.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

max-user-number: Maximum number of online users that the ISP domain can accept. The value range is

1 to 2147483646.

Usage guidelines

Setting an online user limit prevents user connections from competing for network resources and helps

maintain reliable system performance.

Examples

# Set a limit of 500 user connections for ISP domain test.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] access-limit enable 500

Related commands

display domain

accounting command

Use accounting command to specify the command line accounting method.

Use undo accounting command to restore the default.

Syntax

accounting command hwtacacs-scheme hwtacacs-scheme-name

undo accounting command

Default

The default accounting method of the ISP domain is used for command line accounting.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a

case-insensitive string of 1 to 32 characters.

Usage guidelines

The command line accounting function works with the accounting server to record all commands that

have been successfully executed on the device.

Command line accounting can use only a remote HWTACACS server.

Examples

# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting command hwtacacs-scheme hwtac

Related commands

•accounting default

•command accounting (Fundamentals Command Reference)

•hwtacacs scheme

accounting default

Use accounting default to specify the default accounting method for an ISP domain.

Use undo accounting default to restore the default.

Syntax

In non-FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ]

[local ][none ]|local [none ] | none |radius-scheme radius-scheme-name [ hwtacacs-scheme

hwtacacs-scheme-name ] [ local ] [ none ] }

undo accounting default

In FIPS mode:

accounting default { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ]

[local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ]

[local ] }

undo accounting default

Default

The default accounting method of an ISP domain is local.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a

case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of

1 to 32 characters.

Usage guidelines

The default accounting method is used for all users who support this method and do not have an

accounting method configured.

Local accounting is only used for monitoring and controlling the number of local user connections. It does

not provide the statistics function that the accounting feature generally provides.

You can specify one primary default accounting method and multiple backup default accounting

methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For

example, the accounting default radius-scheme radius-scheme-name local none command specifies the

primary default RADIUS accounting method and two backup methods (local accounting and no

accounting). The device performs RADIUS accounting by default and performs local accounting when

the RADIUS server is invalid. The device does not perform accounting when both of the previous methods

are invalid.

Examples

# Configure the default accounting method for ISP domain test to use RADIUS scheme rd and use local

accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting default radius-scheme rd local

Related commands

•hwtacacs scheme

•local-user

•radius scheme

accounting lan-access

Use accounting lan-access to configure the accounting method for LAN users.

Use undo accounting lan-access to restore the default.

Syntax

In non-FIPS mode:

accounting lan-access { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo accounting lan-access

In FIPS mode:

accounting lan-access { local | radius-scheme radius-scheme-name [ local ] }

undo accounting lan-access

Default

The default accounting method for the ISP domain is used for LAN users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of

1 to 32 characters.

Usage guidelines

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For

example, the accounting lan-access radius-scheme radius-scheme-name local none command specifies

a primary RADIUS accounting method and two backup methods (local accounting and no accounting).

The device performs RADIUS accounting by default and performs local accounting when the RADIUS

server is invalid. The device does not perform accounting when both of the previous methods are invalid.

Examples

# Configure ISP domain test to use local accounting for LAN users.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access local

# Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local

accounting as the backup.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] accounting lan-access radius-scheme rd local

Related commands

•accounting default

•local-user

•radius scheme

accounting login

Use accounting login to specify the accounting method for login users.

Use undo accounting login to restore the default.

Syntax

In non-FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ]

[local ][none ]|local [none ] | none |radius-scheme radius-scheme-name [ hwtacacs-scheme

hwtacacs-scheme-name ] [ local ] [ none ]}

undo accounting login

In FIPS mode:

accounting login { hwtacacs-scheme hwtacacs-scheme-name [ radius-scheme radius-scheme-name ]

[local ] | local | radius-scheme radius-scheme-name [ hwtacacs-scheme hwtacacs-scheme-name ]

[local ] }

undo accounting login

Default

The default accounting method of the ISP domain is used for login users.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

hwtacacs-scheme hwtacacs-scheme-name: Specifies an HWTACACS scheme by its name, a

case-insensitive string of 1 to 32 characters.

local: Performs local accounting.

none: Does not perform accounting.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of

1 to 32 characters.

Usage guidelines

Accounting is not supported for FTP, SFTP, and SCP users.

You can specify one primary accounting method and multiple backup accounting methods.

When the primary method is invalid, the device attempts to use the backup methods in sequence. For

example, the accounting login radius-scheme radius-scheme-name local none command specifies a

primary default RADIUS accounting method and two backup methods (local accounting and no

accounting). The device performs RADIUS accounting by default and performs local accounting when

the RADIUS server is invalid. The device does not perform accounting when both of the previous methods

are invalid.

Examples

# Configure ISP domain test to use local accounting for login users.

<Sysname> system-view

Other manuals for MSR SERIES

Table of contents

Popular Network Router manuals by other brands

ANTAIRA

ANTAIRA ARY-7235-AC-PD Hardware manual

Cisco

Cisco 12010 series Maintenance manual

Asus

Asus RT-AX92U quick start guide

Ezviz

Ezviz W3R user manual

NETGEAR

NETGEAR RangeMax WNR834B user manual

NETGEAR

NETGEAR Nighthawk AC2600 quick start

ADC

ADC CopperTen Modular Jack Specification sheet

Advantech

Advantech B+B SmartWorx LR77 v2 Configuration manual

LevelOne

LevelOne PLI-2030 user manual

Technicolor

Technicolor DGA4134 quick start guide

Teltonika

Teltonika RUT9 Series user manual

Billion

Billion myGuard 7202 user manual

SSV Embedded Systems

SSV Embedded Systems IGW/936-L First steps

Huawei

Huawei AR500 Feature descriptions

Draytek

Draytek Vigor2962 Series quick start guide

D-Link

D-Link DWR-922 Quick installation guide

Cradlepoint

Cradlepoint MBR1400 Series Setup guide

ELAD

ELAD Tmate2 user manual

HP MSR SERIES Installation manual

Popular Network Router manuals by other brands