HP 6125XLG R2306-HP 6125XLG Blade Switch Security Command Reference
HP 6125XLG manual content summary:
- HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 1
HP 6125XLG Blade Switch Security Command Reference
Part number: 5998-3738
Software version: Release 2306
Document version: 6W100-20130912 - Page 2
, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or - Page 3
17 domain default enable 18 state (ISP domain view) 18 Local user commands 19 authorization-attribute 19 bind-attribute 21 display local-user 22 display user-group 24 group 25 local-user 25 password 27 service-type 28 state (local user view) 29 user-group 30 RADIUS commands 30 accounting - Page 4
76 ip 77 ipv6 78 ldap scheme 79 ldap server 79 login-dn 80 login-password 81 protocol-version 82 search-base-dn 82 search-scope 83 server-timeout 84 user-parameters 84 802.1X commands 86 display dot1x 86 dot1x 88 dot1x authentication-method 89 dot1x handshake 90 dot1x mandatory - Page 5
security 116 port-security max-mac-count 118 port-security ntk-mode 119 port-security oui 119 port-security port-mode 120 port-security timer autolearn aging 123 port-security timer disableport 123 Password control commands 125 display password-control 125 display password-control blacklist - Page 6
-timeout 165 ssh server compatible-ssh1x enable 166 ssh server enable 166 ssh server ipv6 acl 167 ssh server rekey-interval 168 ssh user 169 SSH client commands 171 bye 171 cd 171 cdup 172 delete 172 dir 173 display sftp client source 174 display ssh client source 174 exit 175 - Page 7
arp source-suppression enable 206 arp source-suppression limit 207 display arp source-suppression 208 ARP packet rate limit commands 208 arp rate-limit 208 Source MAC-based ARP attack detection commands 209 arp source-mac 209 arp source-mac aging-time 210 arp source-mac exclude-mac 210 arp - Page 8
269 sa hex-key encryption 270 sa idle-time 271 sa spi 272 sa string-key 273 security acl 274 transform-set 275 IKE commands 277 authentication-algorithm 277 authentication-method 277 dh 278 display ike proposal 279 display ike sa 280 dpd 283 encryption-algorithm 284 exchange-mode - Page 9
pre-shared-key 301 priority (IKE keychain view) 302 priority (IKE profile view) 303 proposal 303 reset ike sa 304 sa duration 305 Support and other resources 306 Contacting HP 306 Subscription service 306 Related information 306 Documents 306 Websites 306 Conventions 307 Index 309 - Page 10
# Configure ISP domain test to use HWTACACS scheme hwtac for command line accounting. system-view [Sysname] domain test [Sysname-isp-test] accounting command hwtacacs-scheme hwtac Related commands • accounting default • command accounting (Fundamentals Command Reference) • hwtacacs - Page 11
of 1 to 32 characters. Usage guidelines The default accounting method is used for all users who support this method and do not have a specific accounting method configured. Local accounting is only used for monitoring and controlling the number of local user connections, but does not provide the - Page 12
-view [Sysname] domain test [Sysname-isp-test] accounting default radius-scheme rd local Related commands • hwtacacs scheme • local-user • radius scheme accounting lan-access Use accounting lan-access to configure the accounting method for LAN users. Use undo accounting lan-access to restore the - Page 13
-access local # Configure ISP domain test to use RADIUS accounting scheme rd for LAN users and use local accounting as the backup. system-view [Sysname] domain test [Sysname-isp-test] accounting lan-access radius-scheme rd local Related commands • accounting default • local-user • radius - Page 14
accounting login local # Configure ISP domain test to use RADIUS scheme rd for login user accounting and use local accounting as the backup. system-view [Sysname] domain test [Sysname-isp-test] accounting login radius-scheme rd local Related commands • accounting default • hwtacacs scheme - Page 15
default authentication method is used for all users who support this method and do not have a specific authentication method configured. You can specify multiple default the authentication default radius-scheme radius-scheme-name local none command specifies a primary default RADIUS authentication - Page 16
With this command, the device performs RADIUS authentication by default, performs local authentication when the RADIUS servers are invalid (unreachable or not responding), and performs no authentication at all when both of the previous methods are invalid. Examples # Configure ISP domain test to use local authentication for LAN users - Page 17
Related commands • authentication default • local-user • radius scheme authentication login Use authentication login to specify the authentication method for login users. Use undo authentication login to restore the default. Syntax In non-FIPS mode: authentication login { hwtacacs-scheme hwtacacs- - Page 18
login local # Configure ISP domain test to use RADIUS scheme rd for login users and use local authentication as the backup. system-view [Sysname] domain test [Sysname-isp-test] authentication login radius-scheme rd local Related commands • authentication default • hwtacacs scheme - Page 19
. Examples # Configure ISP domain test to use HWTACACS scheme tac for user role authentication. system-view [Sysname] super authentication-mode scheme [Sysname] domain test [Sysname-isp-test] authentication super hwtacacs-scheme tac Related commands • authentication default • hwtacacs - Page 20
command local # Configure ISP domain test to use HWTACACS scheme hwtac for command command hwtacacs-scheme hwtac local Related commands • authorization accounting (Fundamentals Command Reference) • hwtacacs scheme • local-user authorization default Use authorization default to specify the default - Page 21
information about the default user role, see Fundamentals Configuration Guide. radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters. Usage guidelines The default authorization method is used for all users who support this method and - Page 22
-isp-test] authorization default radius-scheme rd local Related commands • hwtacacs scheme • local-user • radius scheme authorization lan-access Use authorization lan-access to configure the authorization method for LAN users. Use undo authorization lan-access to restore the default. Syntax In non - Page 23
. none: Does not perform authorization. After passing authentication, FTP users use the root directory of the device as the work directory but cannot access it, and other login users get the default user role. For more information about the default user role, see Fundamentals Configuration Guide. - Page 24
] domain test [Sysname-isp-test] authorization login radius-scheme rd local Related commands • authorization default • hwtacacs scheme • local-user • radius scheme display domain Use display domain to display the ISP domain configuration. Syntax display domain [ isp-name ] Views Any view Predefined - Page 25
the ISP domain. Limit to the number of user connections. If the number is not limited, this field displays Disabled. Number of online users. Default authentication method. Default authorization method. Default accounting method. Authentication method for login users. Authorization method for login - Page 26
isp-name Default There is a system-defined ISP domain named system. Views System view Predefined user roles network- configuration. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command - Page 27
. To delete the ISP domain that is used as the default ISP domain, you must change it to a non-default ISP domain first by using the undo domain default enable command. Examples # Create an ISP domain named test, and configure it as the default ISP domain. system-view [Sysname] domain test - Page 28
configure authorization attributes for a local user or user group. After the local user or a local user in the user group passes authentication, the device assigns these attributes to the user. Use undo authorization-attribute to restore the default. Syntax authorization-attribute { acl acl-number - Page 29
string of 1 to 63 characters. The default user role for a local user created by a network-admin user is network-operator. Up to 64 user roles can be specified for a user. For user role-related commands, see Fundamentals Command Reference for RBAC commands. This option is available only in local - Page 30
* Default No binding attribute is configured for a local user. Views Local user view Predefined user roles network-admin Parameters ip ip-address: Specifies the IP address of the user. This option applies only to 802.1X users. location port slot-number subslot-number port-number: Specifies the port - Page 31
-abc] bind-attribute ip 3.3.3.3 Related commands display local-user display local-user Use display local-user to display the local user configuration and online user statistics. Syntax display local-user [ class { manage | network } | idle-cut { disable | enable } | service-type { ftp | lan-access - Page 32
type of service. • ftp: FTP users. • lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X users. • ssh: SSH users. • telnet: Telnet users. • terminal: Terminal users who log in through console ports. state { active | block }: Specifies local users in active - Page 33
Table 2 Command output Field State Service Type User Group Bind attributes Authorization attributes Idle TimeOut Work Directory ACL Number VLAN ID User Role List Description Status of the local user: active or blocked. Service types that the local user can use, including FTP, LAN access, SSH, - Page 34
TimeOut Work Directory ACL Number VLAN ID Description Idle timeout period, in minutes. Directory that FTP/SFTP/SCP users in the group can access. Authorization ACL. Authorized VLAN. group Use group to assign a local user to a user group. Use undo group to restore the default. Syntax group group - Page 35
who use a specified type of service. • ftp: FTP users. • lan-access: LAN users, mainly users accessing the network through an Ethernet, such as 802.1X users. • ssh: SSH users. • telnet: Telnet users. • terminal: Terminal users who log in through console ports. Usage guidelines If you do not specify - Page 36
• service-type password Use password to configure a password for a local user. Use undo password to delete the password of a local user. Syntax In non-FIPS mode: password [ { cipher | hash | simple } password ] undo password In FIPS mode: password Default A local user has no password configured. - Page 37
[Sysname-luser-network-user2] password simple getapp Related commands display local-user service-type Use service-type to specify the service types that a local user can use. Use undo service-type to delete service types configured for a local user. Syntax In non-FIPS mode: service-type { ftp | lan - Page 38
-type telnet [Sysname-luser-manage-user1] service-type ftp Related commands display local-user state (local user view) Use state to set the status of a local user. Use undo state to restore the default. Syntax state { active | block } undo state Default A local user is in active state. Views Local - Page 39
group named abc and enter its view. system-view [Sysname] user-group abc [Sysname-ugroup-abc] Related commands display user-group RADIUS commands accounting-on enable Use accounting-on enable to configure the accounting-on feature. Use undo accounting-on enable to disable the accounting - Page 40
accounting for and log out online users. After executing the accounting-on enable command, execute the save command to make sure that the command takes effect after the device reboots. For information about the save command, see Fundamentals Command Reference. Parameters set with the accounting-on - Page 41
, or giga-packet. Usage guidelines The command does not apply to 802.1X and MAC users, for whom the switch does not support traffic accounting. The data flow and packet measurement units for traffic statistics must be the same as configured on the RADIUS accounting servers. Otherwise, accounting - Page 42
. Information about the secondary accounting server. IP address of the server. If no server is configured, this field displays Not configured. Service port number of the server. If no port number is specified, this field displays the default port number. Status of the server: active or blocked. - Page 43
number of accounting attempts. Quiet period for the servers, in minutes. Interval for sending real-time accounting updates, in minutes. Source IP address for outgoing RADIUS packets. VPN to which the RADIUS scheme belongs. If no VPN is specified for the server, this field displays Not configured user - Page 44
. Number of packets for updating user authorization information. Number of packets for which responses were received. Number of packets for which no responses were received. Number of Access-Reject packets. Number of discarded packets. Number of packets with checksum errors. Related commands reset - Page 45
accounting | authentication } Default No shared key is configured. Views RADIUS scheme view Predefined user roles network-admin Parameters must contain numbers, uppercase letters, lowercase letters, and special characters. Usage guidelines The shared keys configured by using this command apply to - Page 46
-ip command in system view is effective for all RADIUS schemes. The setting in RADIUS scheme view takes precedence. If no source IP address is specified for outgoing RADIUS packets, the device uses the IP address of the outbound interface, and packets returned from the server cannot reach the device if that interface goes down because of a physical port error. HP recommends that you configure - Page 47
the configuration. Syntax primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary accounting Default No primary RADIUS accounting server is specified. Views RADIUS scheme view Predefined user roles - Page 48
the configuration. Syntax primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary authentication Default No primary RADIUS authentication server is specified. Views RADIUS scheme view Predefined user - Page 49
port-number: Specifies the service port number of the primary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default port number, and VPN settings. The shared key configured by this command takes precedence over that configured by using the key authentication command. - Page 50
vpn-instance vpn-instance-name ] Default The source IP address of an System view Predefined user roles network-admin due to a physical port error. You can specify configured by the nas-ip command in RADIUS scheme view is only for the RADIUS scheme, whereas that configured by the radius nas-ip command - Page 51
is defined. If the switch uses the default configuration file, a system-defined RADIUS scheme named system exists. For more information about the initial settings and configuration file, see Fundamentals Configuration Guide. Views System view Predefined user roles network-admin Parameters radius - Page 52
Predefined user roles network-admin Examples # Clear RADIUS statistics. reset radius statistics Related commands display radius statistics retry Use retry to set the maximum number of attempts for transmitting a RADIUS packet to a single RADIUS server. Use undo retry to restore the default - Page 53
. Syntax retry realtime-accounting retry-times undo retry realtime-accounting Default The maximum number of accounting attempts is 5. Views RADIUS scheme view Predefined user roles network-admin Parameters retry-times: Specifies the maximum number of accounting attempts, in the range of 1 to 255 - Page 54
timer response-timeout command), the maximum number of RADIUS packet transmission attempts is three (set with the retry command), the real-time port-number | vpn-instance vpn-instance-name ] * ] Default No secondary RADIUS accounting server is specified. Views RADIUS scheme view Predefined user - Page 55
port-number: Specifies the service port number of the secondary RADIUS accounting server, a UDP port number in the range of 1 to 65535. The default , port number, and VPN settings. The shared key configured by this command takes precedence over that configured by using the key accounting command. - Page 56
1813 [Sysname-radius-radius2] secondary accounting 10.110.1.2 1813 Related commands • display radius scheme • key (RADIUS scheme view) • server. port-number: Sets the service port number of the secondary RADIUS authentication server, a UDP port number in the range of 1 to 65535. The default setting - Page 57
specified for a scheme, primary or secondary, cannot have identical IP address, port number, and VPN settings. The shared key configured by this command takes precedence over that configured by using the key authentication command. If the specified server resides on an MPLS L3VPN, specify the VPN - Page 58
-instance-name ] | all } Default No security policy server is specified. Views RADIUS scheme view Predefined user roles network-admin Parameters ipv4-address [Sysname-radius-radius1] security-policy-server 10.110.1.2 Related commands display radius scheme state primary Use state primary to set the - Page 59
server configured commands • display radius scheme • state secondary state secondary Use state secondary to set the status of a secondary RADIUS server. Syntax state secondary { accounting | authentication } [ ip-address [ port-number | vpn-instance vpn-instance-name ] * ] { active | block } Default - Page 60
port-number: Service port number of a secondary RADIUS server, a UDP port number in the range of 1 to 65535. The default port number (a secondary RADIUS server configured earlier has a higher priority manually set the status to active. If all configured block Related commands • display radius - Page 61
commands Default The real-time accounting interval is 12 minutes. Views RADIUS scheme view Predefined user roles network-admin Parameters minutes: Specifies the real-time accounting interval in minutes, in the range of 0 to 60. Usage guidelines When the real-time accounting interval configured - Page 62
Sysname-radius-radius1] timer realtime-accounting 51 Related commands retry realtime-accounting timer response-timeout (RADIUS scheme user has more opportunity to obtain the RADIUS service. The NAS uses the RADIUS server response timeout timer to control the transmission interval. The maximum number - Page 63
as one. Examples # Configure the device to remove the domain name from the username sent to the RADIUS servers specified in RADIUS scheme radius1. system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] user-name-format without-domain Related commands display radius scheme - Page 64
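The pieces shown on the preceding pages (local user, RADIUS scheme and servers, shared key, nas-ip, user-name-format, ISP domain methods, default domain) fit together into one login-AAA configuration. The following is an added example assembled from those commands; it is not a configuration from the HP reference or from HP. The scheme name rd, the domain test and the view prompts are taken from the page, while the server and NAS addresses, the shared key, the fallback user name and password, and the line-view commands in step 4 (which belong to the Fundamentals Command Reference, not this document) are assumptions.

```text
# Added example: RADIUS login AAA with local fallback on an HP 6125XLG (Comware 7 CLI).
# Addresses, shared key and user name are assumed values; replace them.
system-view

# 1. Local fallback account, used only when no RADIUS server answers.
#    Create it first so a typo in the RADIUS settings cannot lock you out.
#    A plaintext password given with "simple" is stored as a hash.
[Sysname] local-user fallback-admin class manage
[Sysname-luser-manage-fallback-admin] password simple L0cal-F4llback!2013
[Sysname-luser-manage-fallback-admin] service-type ssh
[Sysname-luser-manage-fallback-admin] authorization-attribute user-role network-admin
[Sysname-luser-manage-fallback-admin] quit

# 2. RADIUS scheme rd: primary and secondary servers with per-server shared
#    keys, a fixed NAS source address (so replies do not depend on which
#    interface happened to be outbound), and usernames without the @domain.
[Sysname] radius scheme rd
[Sysname-radius-rd] primary authentication 10.110.1.1 1812 key simple R4d1us-Key2013!
[Sysname-radius-rd] primary accounting 10.110.1.1 1813 key simple R4d1us-Key2013!
[Sysname-radius-rd] secondary authentication 10.110.1.2 1812 key simple R4d1us-Key2013!
[Sysname-radius-rd] secondary accounting 10.110.1.2 1813 key simple R4d1us-Key2013!
[Sysname-radius-rd] nas-ip 10.110.1.254
[Sysname-radius-rd] user-name-format without-domain
[Sysname-radius-rd] timer response-timeout 3
[Sysname-radius-rd] retry 3
[Sysname-radius-rd] timer quiet 5
[Sysname-radius-rd] quit

# 3. ISP domain test: RADIUS first; local only when the RADIUS servers are
#    invalid (unreachable), never when they reject the user. Do not end a
#    method list with "none": that admits a user with no authentication once
#    RADIUS and local are both unavailable.
[Sysname] domain test
[Sysname-isp-test] authentication login radius-scheme rd local
[Sysname-isp-test] authorization login radius-scheme rd local
[Sysname-isp-test] accounting login radius-scheme rd local
[Sysname-isp-test] quit
[Sysname] domain default enable test

# 4. Make SSH logins go through AAA (line-view commands: Fundamentals
#    Command Reference; the vty range is assumed).
[Sysname] ssh server enable
[Sysname] line vty 0 63
[Sysname-line-vty0-63] authentication-mode scheme
[Sysname-line-vty0-63] protocol inbound ssh
[Sysname-line-vty0-63] quit

# 5. Confirm what took effect and whether the servers answer.
[Sysname] display domain test
[Sysname] display radius scheme rd
[Sysname] display radius statistics
```

Two checks worth doing before saving: confirm in display radius statistics that responses are being received rather than timing out (a server that never answers is marked blocked for the quiet period, and every login then silently falls back to the local account), and confirm with display local-user that the only manage-class local user with a password is the fallback account. Because an attacker who can blackhole UDP 1812/1813 toward the servers forces that fallback, the local password deserves the same strength and rotation as the RADIUS shared key.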
configuration. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The RADIUS scheme belongs to the public network. Views RADIUS scheme view Predefined user -radius-radius1] vpn-instance test Related commands display radius scheme HWTACACS commands data-flow-format (HWTACACS scheme view) - Page 65
, or giga-packet. Usage guidelines The command does not apply to 802.1X and MAC users, for whom the switch does not support traffic accounting. The data flow and packet measurement units for traffic statistics must be the same as configured on the HWTACACS accounting servers. Otherwise, accounting - Page 66
is specified, the command displays the configuration of all HWTACACS schemes. Examples # Displays the configuration of all HWTACACS configured, this field displays Not configured. Service port of the HWTACACS server. If no port configuration is performed, this field displays the default port number - Page 67
, this field displays Not configured. Source IP address for it is entered. Related commands reset hwtacacs statistics hwtacacs } [ vpn-instance vpn-instance-name ] Default The source IP address of a packet sent interface. Views System view Predefined user roles network-admin Parameters ipv4- - Page 68
configured by using the nas-ip command in HWTACACS scheme view is only for the HWTACACS scheme, whereas that configured by using the hwtacacs nas-ip command scheme hwtacacs-scheme-name Default No HWTACACS scheme exists. Views System view Predefined user roles network-admin Parameters hwtacacs - Page 69
authentication | authorization } Default No shared key is configured. Views HWTACACS scheme view Predefined user roles network-admin Parameters numbers, uppercase letters, lowercase letters, and special characters. Usage guidelines The shared keys configured on the device must match those configured - Page 70
-ip { ipv4-address | ipv6 ipv6-address } undo nas-ip [ ipv6 ] Default The source IP address of an outgoing HWTACACS packet is that configured by using the hwtacacs nas-ip command in system view. If the hwtacacs nas-ip command is not configured, the source IP address is the IP address of the outbound - Page 71
the configuration. Syntax primary accounting { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary accounting Default No primary HWTACACS accounting server is specified. Views HWTACACS scheme view Predefined user roles - Page 72
configuration. Syntax primary authentication { ipv4-address | ipv6 ipv6-address } [ port-number | key { cipher | simple } string | vpn-instance vpn-instance-name ] * undo primary authentication Default No primary HWTACACS authentication server is specified. Views HWTACACS scheme view Predefined user - Page 73
Make sure that the port number and shared key settings of the primary HWTACACS authentication server are the same as those configured on the server. Two command takes precedence over the VPN specified for the HWTACACS scheme. You can remove an authentication server only when it is not used for user - Page 74
-address: Specifies the IPv6 address of the primary HWTACACS authorization server. port-number: Specifies the service port number of the primary HWTACACS authorization server, a TCP port number in the range of 1 to 65535. The default setting is 49. key { cipher | simple } string: Sets the shared key - Page 75
port number 49, and plaintext shared key abc for HWTACACS scheme hwt1. system-view [Sysname] hwtacacs scheme hwt1 [Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49 key simple abc Related commands | authorization } Views User view Predefined user roles network-admin Parameters - Page 76
-address: Specifies the IPv6 address of the secondary HWTACACS accounting server. port-number: Specifies the service port number of the secondary HWTACACS accounting server, a TCP port number in the range of 1 to 65535. The default setting is 49. key { cipher | simple } string: Specifies the shared - Page 77
configured in plain text, are saved in ciphertext. Examples # Specify a secondary accounting server with IP address 10.163.155.12, TCP port number port-number: Specifies the service port number of the secondary HWTACACS authentication server, a TCP port number in the range of 1 to 65535. The default - Page 78
not specify this option. Usage guidelines Make sure that the port number and shared key settings of each secondary HWTACACS authentication server are the same as those configured on the corresponding server. You can configure up to 16 secondary HWTACACS authentication servers for an HWTACACS scheme - Page 79
-address: Specifies the IPv6 address of the secondary HWTACACS authorization server. port-number: Specifies the service port number of the secondary HWTACACS authorization server, a TCP port number in the range of 1 to 65535. The default setting is 49. key { cipher | simple } string: Sets the shared - Page 80
keys configured in plain text, are saved in ciphertext. Examples # Specify a secondary authorization server with IP address 10.163.155.13, TCP port number default. Syntax timer quiet minutes undo timer quiet Default The server quiet period is 5 minutes. Views HWTACACS scheme view Predefined user - Page 81
and the HWTACACS server. A short interval helps improve accounting precision but requires many system resources.
Table 8 Recommended real-time accounting intervals
Number of users   Real-time accounting interval
1 to 99           3 minutes
100 to 499        6 minutes
500 to 999        12 minutes
1000 or more      15 minutes
- Page 82
] timer response-timeout 30 Related commands display hwtacacs scheme user-name-format (HWTACACS scheme view) Use user-name-format to specify the format of the username to be sent to an HWTACACS server. Use undo user-name-format to restore the default. Syntax user-name-format { keep-original | with - Page 83
hwtacacs-hwt1] user-name-format without-domain Related commands display hwtacacs scheme vpn-instance (HWTACACS scheme view) Use vpn-instance to specify a VPN for an HWTACACS scheme. Use undo vpn-instance to remove the configuration. Syntax vpn-instance vpn-instance-name undo vpn-instance Default The - Page 84
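The HWTACACS commands above, together with the domain-view accounting command, authorization command and authentication super commands from the earlier pages, give per-command control of administrative sessions. The following is an added example assembled from those commands; it is not taken from the HP reference. The scheme name hwtac, the domain test, the TCP port 49 and super authentication-mode scheme are from the page; the server addresses, the shared key, the local super password and the line-view commands in step 4 (command authorization and command accounting, from the Fundamentals Command Reference) are assumptions.

```text
# Added example: per-command authorization and accounting through HWTACACS,
# with user-role (super) authentication on the same servers.
# Addresses, shared key and passwords are assumed values; replace them.
system-view

# 1. HWTACACS scheme hwtac. Each service (authentication, authorization,
#    accounting) is configured separately, all on TCP port 49.
[Sysname] hwtacacs scheme hwtac
[Sysname-hwtacacs-hwtac] primary authentication 10.163.155.13 49 key simple T4c-Sh4red!Key
[Sysname-hwtacacs-hwtac] primary authorization 10.163.155.13 49 key simple T4c-Sh4red!Key
[Sysname-hwtacacs-hwtac] primary accounting 10.163.155.13 49 key simple T4c-Sh4red!Key
[Sysname-hwtacacs-hwtac] secondary authentication 10.163.155.12 49 key simple T4c-Sh4red!Key
[Sysname-hwtacacs-hwtac] secondary authorization 10.163.155.12 49 key simple T4c-Sh4red!Key
[Sysname-hwtacacs-hwtac] secondary accounting 10.163.155.12 49 key simple T4c-Sh4red!Key
[Sysname-hwtacacs-hwtac] nas-ip 10.163.155.1
[Sysname-hwtacacs-hwtac] user-name-format without-domain
[Sysname-hwtacacs-hwtac] timer response-timeout 5
[Sysname-hwtacacs-hwtac] timer quiet 5
# Table 8 recommends a 3-minute real-time accounting interval below 100 users.
[Sysname-hwtacacs-hwtac] timer realtime-accounting 3
[Sysname-hwtacacs-hwtac] quit

# 2. Domain test: login AAA through hwtac with local backup, role escalation
#    (super) checked by hwtac, every command authorized by hwtac (local RBAC
#    role check when the servers are unreachable) and accounted by hwtac.
#    Note that accounting command accepts only an HWTACACS scheme.
[Sysname] domain test
[Sysname-isp-test] authentication login hwtacacs-scheme hwtac local
[Sysname-isp-test] authorization login hwtacacs-scheme hwtac local
[Sysname-isp-test] accounting login hwtacacs-scheme hwtac local
[Sysname-isp-test] authentication super hwtacacs-scheme hwtac
[Sysname-isp-test] authorization command hwtacacs-scheme hwtac local
[Sysname-isp-test] accounting command hwtacacs-scheme hwtac
[Sysname-isp-test] quit
[Sysname] domain default enable test

# 3. Let "super" use the AAA scheme, with a local super password kept for
#    console recovery when the servers are down (assumed syntax from the
#    Fundamentals Command Reference).
[Sysname] super authentication-mode scheme local
[Sysname] super password role network-admin simple Sup3r-L0cal!pw

# 4. Turn command authorization and accounting on for the user lines
#    (line-view commands from the Fundamentals Command Reference; assumed).
[Sysname] line vty 0 63
[Sysname-line-vty0-63] authentication-mode scheme
[Sysname-line-vty0-63] command authorization
[Sysname-line-vty0-63] command accounting
[Sysname-line-vty0-63] quit

# 5. Verify.
[Sysname] display hwtacacs scheme hwtac
[Sysname] display domain test
```

Order matters when you roll this out over an existing session: apply the scheme and domain first, verify with display hwtacacs scheme hwtac that the servers are active, and only then enable command authorization on the lines, otherwise a wrong shared key or a blocked server turns every command on that line into a local role check. The "local" at the end of authorization command means a server outage degrades to the user's RBAC role rather than blocking commands, so that role should be as narrow as the job allows; the server policy only ever subtracts from it.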
-server server-name Default No LDAP authentication server is specified. Views LDAP scheme view Predefined user roles network-admin one LDAP authentication server. If you execute the command for an LDAP scheme multiple times, the most recent configuration takes effect. Examples # Specify the LDAP - Page 85
: lda
Base DN : ll
Search Scope : single-level
User Searching Parameters:
  User Object Class : Not configured
  Username Attribute : cn
  Username Format : with-domain
Table 9 Command output Field Index Authentication Server Description Index number of the LDAP scheme. Name of the LDAP - Page 86
configure the IP address and port number of the LDAP server. Use undo ip to delete the LDAP server IP address and port number. Syntax ip ip-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ip Default An LDAP server has no IP address. Views LDAP server view Predefined user roles - Page 87
.168.0.10 port 4300 Related commands ldap server ipv6 Use ipv6 to configure the IPv6 address and port number of the LDAP server. Use undo ipv6 to delete the LDAP server IPv6 address and port number. Syntax ipv6 ipv6-address [ port port-number ] [ vpn-instance vpn-instance-name ] undo ipv6 Default An - Page 88
10 port 4300 Related commands ldap server ldap scheme Use ldap scheme to create an LDAP scheme and enter its view. Use undo ldap scheme to delete an LDAP scheme. Syntax ldap scheme ldap-scheme-name undo ldap scheme ldap-scheme-name Default No LDAP scheme is defined. Views System view Predefined user - Page 89
Use login-dn to specify the administrator DN. Use undo login-dn to remove the configuration. Syntax login-dn dn-string undo login-dn Default No administrator DN is specified. Views LDAP server view Predefined user roles network-admin Parameters dn-string: Administrator DN for binding with the server - Page 90
Related commands display ldap scheme login-password Use login-password to configure the administrator password for binding with the LDAP server during LDAP authentication. Use undo login-password to restore the default. Syntax login-password { cipher | simple } password undo login-password Default - Page 91
LDAP authentication that occurs after your change. A Microsoft LDAP server supports only LDAPv3. Examples # Specify the LDAP version as LDAPv2. commands display ldap scheme search-base-dn Use search-base-dn to specify the base DN for user search. Use undo search-base-dn to restore the default. - Page 92
-dn dc=ldap,dc=com Related commands • display ldap scheme • ldap server search-scope Use search-scope to specify the user search scope. Use undo search-scope to restore the default. Syntax search-scope { all-level | single-level } undo search-scope Default The user search scope is all-level. Views - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 93
server-timeout 15 Related commands display ldap scheme user-parameters Use user-parameters to configure LDAP user attributes, including the username attribute, username format, and user object class. Use undo user-parameters to restore the default. Syntax user-parameters { user-name-attribute { name - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 94
is cn and the username format is without-domain. No user object class is specified and the default user object class of the LDAP server is used. Views LDAP server view Predefined user roles network-admin Parameters user-name-attribute { name-attribute | cn | uid }: Specifies the username attribute - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 95
: Specifies an interface by its type and number. Usage guidelines If you specify neither the sessions keyword nor the statistics keyword, the command displays all information about 802.1X, including session information, statistics, and configurations. Examples # Display all information about 802 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 96
EAP-Relays EAP packets, and supports any of the EAP authentication number of 802.1X users is 1024 per slot Maximum number of concurrent 802.1X user per card. Current number of online 802.1X users is 1 Number of current online 802.1X users. Ten-GigabitEthernet1/1/6 is link-up Status of the port - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 97
Number of authenticated users on the port. dot1x Use dot1x to enable 802.1X globally or on the specified port. Use undo dot1x to disable 802.1X globally or on the specified port. Syntax dot1x undo dot1x Default 802.1X is neither enabled globally nor enabled for any port. Views System view, Ethernet - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 98
server. eap: Sets the access device to relay EAP packets, and supports any of the EAP authentication methods to communicate with the RADIUS server. pap: Sets the access device to perform EAP termination and use the Password Authentication Protocol (PAP) to communicate with the RADIUS server. Usage - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 99
can be an HP iNode 802.1X client. { CHAP transports username in plaintext and encrypted password over the network. supports the EAP-Message and Message-Authenticator attributes, and uses the same EAP authentication method as the client. If this mode is used, the user-name-format command configured - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 100
-view [Sysname] interface ten-gigabitethernet 1/1/6 [Sysname-Ten-GigabitEthernet1/1/6] dot1x mandatory-domain my-domain Related commands display dot1x dot1x max-user Use dot1x max-user to set the maximum number of concurrent 802.1X users on a port. Use undo dot1x max-user to restore the default. 91 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 101
Page 101: Syntax dot1x max-user user-number undo dot1x max-user Default The maximum number of concurrent 802.1X users on a port is 256. Views Ethernet interface view Predefined user roles network-admin Parameters user-number: Specifies the maximum number of concurrent 802.1X users on a port. The value range
Page 102: | auto | unauthorized-force } undo dot1x port-control Default The default port authorization state is auto. Views Ethernet interface view Predefined user roles network-admin Parameters authorized-force: Places the port in the authorized state, enabling users on the port to access the network without
Page 103: commands display dot1x dot1x port-method Use dot1x port-method to specify an access control method for the port. Use undo dot1x port-method to restore the default. Syntax dot1x port-method { macbased | portbased } undo dot1x port-method Default MAC-based access control applies. Views Ethernet
Page 104: authenticate online 802.1X users on a port. This function tracks the connection status of online users and updates the authorization attributes assigned by the server, such as the ACL and VLAN. You can use the dot1x timer reauth-period command to configure the interval for re-authentication
Page 105: [Sysname-Ten-GigabitEthernet1/1/6] dot1x re-authenticate Related commands • display dot1x • dot1x timer dot1x retry Use dot1x retry to set the maximum number of attempts for sending an authentication request to a client. Use undo dot1x retry to restore the default. Syntax dot1x retry max-retry-value
Page 106: server-timeout | supp-timeout | tx-period } Default The handshake timer is 15 seconds, the quiet timer is 30 seconds. Views System view Predefined user roles network-admin Parameters handshake-period handshake receives no response after sending the maximum number of handshake requests, it considers that
Page 107: users. To enable periodic online user re-authentication on a port, use the dot1x re-authenticate command. The change to the periodic re-authentication timer applies to the users -trigger Default The unicast trigger function is disabled. Views Ethernet interface view Predefined user roles network
Page 108: -type interface-number ] Views User view Predefined user roles network-admin Parameters interface interface-type interface-number: Specifies an interface by its type and number. Usage guidelines If a port is specified, the command clears 802.1X statistics for the port. If no port is specified
Page 109: mac Fixed password: Not configured Offline detect period is 300s Quiet period is 60s Server response timeout value is 100s Max number of users is 1024 per slot Current number of online users is 1 Current authentication domain is domain1 Silent MAC user info: MAC Addr VLAN ID From Port Port Index
Page 110: If a shared account is used and a password is configured, this field displays a string of asterisks (******). Offline detect timer. Quiet timer. Server timeout timer. Maximum number of MAC authentication users each slot supports. Number of online users. MAC authentication domain specified in system
Page 111: to disable MAC authentication globally or on a specific port. Syntax mac-authentication undo mac-authentication Default MAC authentication is not enabled globally or on any port. Views System view, Ethernet interface view Predefined user roles network-admin Usage guidelines To use MAC authentication
Page 112: commands • display mac-authentication • domain default enable mac-authentication max-user Use mac-authentication max-user to set the maximum number of concurrent MAC authentication users on a port. Use undo mac-authentication max-user to restore the default. Syntax mac-authentication max-user user
Page 113: Ethernet interface view Predefined user roles network-admin Parameters user-number: Sets the maximum number of concurrent MAC authentication users on the port. The value range is 1 to 256. Examples # Configure port Ten-GigabitEthernet 1/1/6 to support up to 32 concurrent MAC authentication users
Page 114: mac-authentication user-name-format to configure the type of user accounts for MAC authentication users. Use undo mac-authentication user-name-format to restore the default. Syntax mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address
Page 115: is suitable for trusted networks. For security purposes, all passwords, including passwords configured in plain text, are saved in cipher text. Examples # Configure a shared account for MAC authentication users, with the username abc and the plaintext password xyz. system-view
Page 116: If no port is specified, the command clears all global and port-specific MAC authentication statistics. Examples # Clear MAC authentication statistics on port Ten-GigabitEthernet 1/1/6. reset mac-authentication statistics interface ten-gigabitethernet 1/1/6 Related commands display mac
Page 117: Port security commands display port-security Use display port-security to display port security configuration, operation information, and statistics for one or more ports. Syntax display port-security [ interface interface-type interface-number ] Views Any view Predefined user roles network-admin
Page 118: illegal packets for some time. • NoAction-Performs no intrusion protection. Max number of secure MAC addresses Maximum number of secure MAC addresses (or online users) that port security allows on the port. Current number of secure MAC addresses Number of secure MAC addresses stored.
Page 119: mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] Views Any view Predefined user roles network-admin network-operator Parameters interface interface-type interface-number: Specifies a port by its type and number. vlan vlan-id: Specifies a VLAN by its
Page 120: --- # Display the count of all blocked MAC addresses. display port-security mac-address block count --- 2 mac address(es) found --- # (IRF devices) Display the count of all blocked MAC addresses. display port-security mac-address block count --- On slot 1, 1 MAC address(es
Page 121: 30 --- On slot 1, 1 MAC address(es) found --- --- 1 mac address(es) found --- Table 13 Command output Field MAC ADDR Port VLAN ID number mac address(es) found Description Blocked MAC address. Port having received frames with the blocked MAC address being the source address. ID of the VLAN to
Page 122: MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command. Examples # Display information about all secure MAC addresses. display port-security mac-address security MAC ADDR TIME VLAN ID STATE
Page 123: in minutes. By default, sticky MAC addresses do not age out, and this field displays NOAGED. Number of secure MAC addresses stored. Related commands port-security mac-address security port-security authorization ignore Use port-security authorization ignore to configure a port to ignore the
Page 124: online users. Examples # Enable port security. system-view [Sysname] port-security enable Related commands • display port-security • dot1x • dot1x port-control • dot1x port-method • mac-authentication port-security intrusion-mode Use port-security intrusion-mode to configure the intrusion
Page 125: minutes, which is not user configurable. To view the blocked MAC address list, use the display port-security mac-address block command. disableport: Disables the port permanently upon detecting an illegal frame received on the port. disableport-temporarily: Disables the port for a specific period of
Page 126: -number ] ] vlan vlan-id ] Default No secure MAC address entry is configured. Views Ethernet interface view, system view Predefined user roles network-admin Parameters sticky mac-address: Specifies a sticky MAC address, in H-H-H format. If you do not provide this keyword, the command configures
Page 127: -security max-mac-count to restore the default. Syntax port-security max-mac-count count-value undo port-security max-mac-count Default Port security has no limit on the number of secure MAC addresses on a port. Views Ethernet interface view Predefined user roles network-admin Parameters count-value
Page 128: mode to configure the NTK feature. Use undo port-security ntk-mode to restore the default. Syntax port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } undo port-security ntk-mode Default NTK is disabled on a port and all frames are allowed to be sent. Views Ethernet interface
Page 129: the OUI of vendor A. The OUI values configured by this command apply only to the ports operating in userLoginWithOUI. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose MAC address matches one of the configured OUI values. Examples # Configure an OUI value of 000d2a, and set
Page 130: except that a port in this mode supports multiple 802.1X and MAC authentication users. In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands. The port permits only frames sourced from secure
Page 131: noRestriction mode first. When the port has online users, you cannot change the port security mode. IMPORTANT: If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC addresses by using the port-security max-mac-count command. You cannot change the setting
Page 132: port-security port-mode userlogin Related commands • display port-security • port-security max-mac-count port-security timer autolearn aging Use port-security timer autolearn aging to set the secure MAC aging timer. Use undo port-security timer autolearn aging to restore the default. Syntax port
Page 133: action as disabling the port temporarily whenever it receives an illegal frame (by using the port-security intrusion-mode disableport-temporarily command), use this command to set the silence period. Examples # Configure the intrusion protection action on port Ten-GigabitEthernet 1/1/6 as disabling
Page 134: 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display password-control Use display password-control to display password control configuration. Syntax display
Page 135: for FTP and VTY users. Action to be taken after a user fails to log in after the specified number of attempts. Minimum password update interval. Number of times and maximum number of days a user can log in using an expired password. Whether the following password complexity checking is enabled
Page 136: . • lock-Prohibited temporarily or permanently, depending on the password-control login-attempt command. Number of user entries in the blacklist. password-control { aging | composition | history | length } enable Use password-control { aging | composition | history | length } enable to enable
Page 137: history enable Related commands • display password-control • password-control enable password-control aging Use password-control aging to set the password expiration time. Use undo password-control aging to restore the default. Syntax password-control aging aging-time undo password-control aging
Page 138: -luser-manage-abc] password-control aging 100 Related commands • display password-control • password-control aging enable password-control alert-before-expire Use password-control alert-before-expire to set the number of days before a user's password expires during which the user is notified of
Page 139: only on non-FTP users. Examples # Configure the device to notify a user about pending password expiration 10 days before the user's password expires. system-view [Sysname] password-control alert-before-expire 10 Related commands display password-control password-control complexity Use
Page 140: complexity user-name check Related commands display password-control password-control composition Use password-control composition to configure the password composition policy. Use undo password-control composition to restore the default. Syntax password-control composition type-number type-number
Page 141: to which the local user belongs. If no policy is configured for the user group, the system uses the global policy. The product of the minimum number of character types and minimum number of characters for each type must be smaller than the maximum length of passwords. Examples # Specify that all
Page 142: password-control expired-user-login Use password-control expired-user-login to set the maximum number of days and maximum number of times that a user can log in after the password expires. Use undo password-control expired-user-login to restore the defaults. Syntax password-control expired-user
Page 143: -login delay 60 times 5 Related commands display password-control password-control history Use password-control history to set the maximum number of history password records for each user. Use undo password-control history to restore the default. Syntax password-control history max-record-num undo
Page 144: use the reset password-control history-record command to clear the passwords manually. Examples # Set the maximum number of history password records for each user to 10. system-view [Sysname] password-control history 10 Related commands • display password-control • password-control history
Page 145: system prefers to use the minimum password length in local user view for a local user. If no minimum password length is configured for the local user, the system uses the minimum password length for the user group. If no minimum password length is configured for the user group, the system uses the
Page 146: of consecutive failed login attempts and the action to be taken when a user fails to log in after the specified number of attempts. Use undo password-control login-attempt to restore the default. Syntax password-control login-attempt login-times [ exceed { lock | lock-time time | unlock } ] undo
Page 147: to the system successfully. The password-control login-attempt command takes effect immediately after being executed, and it can affect the users already in the password control blacklist. Examples # Set the maximum number of login attempts to 4 and permanently prohibit a user from logging in if the
Page 148: super composition to configure the composition policy for super passwords. Use undo password-control super composition to restore the default. Syntax password-control super composition type-number type-number [ type-length type-length ] undo password-control super composition Default In non-FIPS
Page 149: type-number 3 type-length 5 Related commands • display password-control • password-control composition password-control super length Use password-control super length to set the minimum length for super passwords. Use undo password-control super length to restore the default. Syntax password-control
Page 150: , which is the minimum interval at which users can change their passwords. Use undo password-control update-interval to restore the default. Syntax password-control update-interval interval undo password-control update-interval Default The minimum password update interval is 24 hours. Views System
Page 151: to excessive login attempts, you can use this command to remove the user from the password control blacklist and allow the user to log in again. Examples # Remove the user named test from the password control blacklist. reset password-control blacklist user-name test Are you sure to delete
Page 152: . Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. display display public-key local rsa public Key name: hostkey (default) Key type: RSA Time when key pair created: 15:40:48
Page 153: Key name: serverkey (default) Key type: RSA Time when key pair created: 15:40:48 2012/06/12 Key code Display all local DSA public keys. display public-key local dsa public Key name: dsakey (default) Key type: DSA Time when key pair created: 15:41:37 2012/06/12 Key code:
Page 154: # Display all local ECDSA public keys. display public-key local ecdsa public Key name: ecdsakey (default) Key type: ECDSA Time when key pair created: 15:42:04 2012/06/12 Key code: 3049301306072A8648CE3D020106082A8648CE3D03010103320004C10CF7CE42193F7FC2AF
Page 155: key pair name. • serverkey-Default RSA server key pair name. • dsakey-Default DSA host key pair name. • ecdsakey-Default ECDSA host key pair name. Options include: • RSA. • DSA. • ECDSA. Date and time when the local key pair was created. Public key string. Related commands public-key local create
Page 156: -name ] Views Any view Predefined user roles network-admin network-operator Parameters brief command displays detailed information about all peer public keys you have configured on the local device. You can use the public-key peer command or the public-key peer import sshkey command to configure
Page 157: view and save the configured peer public key. Syntax peer-public-key end Views Public key view Predefined user roles network-admin Usage the display public-key local public command, the system saves the key. Examples # Exit public key view and save the configured public key. system-view
Page 158: -key-key1] peer-public-key end [Sysname] Related commands • display public-key local public • display public-key { dsa | ecdsa | rsa } [ name key-name ] Default No local asymmetric key pair exists. Views System view Predefined user roles network-admin Parameters dsa: Creates a DSA key pair. ecdsa
Page 159: 2048 bits. and the key pair uses the default name. The command only creates one host key 512 to 2048 bits. pair. 1024 by default. The command only creates one host key pair. 2048 bits. The command only creates one host key pair. 192 bits. HP recommendation At least 768 bits. N/A At least 768
Page 160: is (512 ~ 2048). If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort. Input the modulus length [default = 1024]: Generating Keys Create the key pair successfully. # Create a local DSA key pair with the name dsa1. system-view [Sysname] public-key local
of public key modulus is (2048 ~ 2048). It will take a few minutes.Press CTRL+C to abort. Input the modulus length [default = 2024 Create the key pair successfully. Related commands display public-key local public • public-key local destroy public-key local destroy Use public-key local destroy to - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 162
Predefined user roles no name is specified, the command destroys the specified type of local key pairs that take the default names. Usage guidelines To avoid local certificate, see Security Configuration Guide. Examples # Destroy the local RSA key pairs with the default names. system- - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 163
filename ] Views System view Predefined user roles network-admin Parameters name key- Fundamentals Configuration Guide. Usage guidelines Whether the command supported on the device where you import the host public key. Examples # Export the host public key of the local DSA key pair with the default - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 164
system-view [Sysname] public-key local export dsa openssh key.pub # Display the host public key of the local DSA key pair with the default name in SSH2.0 format. system-view [Sysname] public-key local export dsa ssh2 ---- BEGIN SSH2 PUBLIC KEY ---Comment: "dsa-key-2012/06/12" - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 165
openssh | ssh2 } [ filename ] Views System view Predefined user roles network-admin Parameters name key-name: Specifies the name command displays or exports the host public key of the local DSA key pair with the default see Fundamentals Configuration Guide. Usage guidelines Whether the command exports - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 166
, use the public-key peer import sshkey command to import the host public key from the file public key formats. Choose the proper format that is supported on the device where you import the host public public key of the local RSA key pair with the default name in OpenSSH format to the file key.pub. - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 167
are allowed, but are not saved. To manually specify a peer public key on the local device, obtain the public key in hexadecimal from the peer device beforehand, and perform the following configurations on the local device: 1. Execute the public-key peer command to enter public key view. 2. Type the - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 168
keyname Default The device has no peer public key. Views System view Predefined user roles see Fundamentals Configuration Guide. Usage guidelines After you configure this command, the supports importing public keys in the format of SSH1.5, SSH2.0, and OpenSSH. In FIPS mode, the device supports - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 169
the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide. SSH server commands display ssh server Use display ssh server on an SSH
- Page 170
pair update interval. Maximum number of authentication attempts for SSH users. Number of authentication failures. Service type: SCP, SFTP, and Stelnet. Name of a user for logging in to the server. display ssh user-information Use display ssh user-information to display information about SSH users
- Page 171
about SSH users configured by using the ssh user command on the SSH server. Examples # Display information about all SSH users.
display ssh user-information
Total ssh users:2
Username   Authentication-type   User-public-key-name   Service-type
yemx       password              null
test       publickey             pubkey
- Page 172
-view [Sysname] sftp server enable Related commands display ssh server sftp server idle-timeout Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server. Use undo sftp server idle-timeout to restore the default. Syntax sftp server idle-timeout time-out
- Page 173
connections after the configuration. If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure ACL 2001 and reference the ACL to allow only the IPv4 SSH client at 1.1.1.1 to access the server. system-view [Sysname] acl number 2001 [Sysname
- Page 174
. If the authentication method of an SSH user is any, the total number of authentication attempts (including both publickey and password authentication attempts) must not exceed the upper limit configured by the ssh server authentication-retries command. Otherwise, the authentication fails. If the
- Page 175
server compatible-ssh1x enable undo ssh server compatible-ssh1x Default The SSH server supports SSH1 clients. Views System view Predefined user roles network-admin network-operator Usage guidelines This command is not available in FIPS mode. The configuration takes effect only on the clients at next
- Page 176
server. Use undo ssh server ipv6 acl to restore the default. Syntax ssh server ipv6 acl [ ipv6 ] acl-number undo ssh server ipv6 acl Default An SSH server allows all IPv6 SSH clients to access the server. Views System view Predefined user roles network-admin Parameters ipv6: Specifies ACL type as
- Page 177
. If you execute this command multiple times, the most recent configuration takes effect. Examples # Configure ACL 2001 and reference the ACL to allow only the IPv6 SSH client at 1::1 to access the server. system-view [Sysname] acl ipv6 number 2001 [Sysname-acl6-basic-2001] rule
- Page 178
username In FIPS mode: ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | password-publickey assign publickey keyname } undo ssh user username Default No SSH users exist. Views System view Predefined user roles network-admin Parameters username: Specifies
- Page 179
all SSH users, including the password-only SSH users, for centralized management. If you use the ssh user command to configure a host public key for a user who has already had a host public key, the most recent configuration takes effect. You can change the authentication method, service type, and
- Page 180
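The ssh user command and the display ssh user-information output above give everything needed to audit who can log in how. The following Python is an added example, not HP's code and not part of this reference: it parses the display table and reports password-only users, users whose authentication-type is any (either method is accepted, and, as the page notes, every failed attempt of either kind counts toward ssh server authentication-retries), key-based users with no key assigned, and users granted service-type all. The sample table is constructed to match the column layout shown on this page and was not captured from a device.

```python
"""Audit `display ssh user-information` output for weak SSH user configurations.
SAMPLE is constructed to match the column layout on this page, not device output."""
import re
from typing import Dict, List

COLUMNS = ["Username", "Authentication-type", "User-public-key-name", "Service-type"]

SAMPLE = """\
Total ssh users:3
Username            Authentication-type  User-public-key-name  Service-type
yemx                password             null                  all
test                publickey            pubkey                sftp
ops                 any                  opskey                stelnet
"""

def parse_ssh_user_info(text: str) -> List[Dict[str, str]]:
    """Parse the display output; values never contain spaces, so split on whitespace."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    m = re.match(r"Total ssh users:\s*(\d+)$", lines[0]) if lines else None
    if m is None:
        raise ValueError("missing 'Total ssh users:N' header")
    if len(lines) < 2 or lines[1].split() != COLUMNS:
        raise ValueError("unexpected column layout")
    users = []
    for ln in lines[2:]:
        cols = ln.split()
        if len(cols) != len(COLUMNS):
            raise ValueError("malformed row: %r" % ln)
        users.append(dict(zip(COLUMNS, cols)))
    if len(users) != int(m.group(1)):
        # A paged or cut-off capture would otherwise hide users from the audit.
        raise ValueError("row count does not match the total line (truncated output?)")
    return users

def audit_ssh_users(users: List[Dict[str, str]]) -> List[str]:
    """One finding per weakness; an empty list means nothing to report."""
    findings = []
    for u in users:
        name, auth = u["Username"], u["Authentication-type"]
        key, svc = u["User-public-key-name"], u["Service-type"]
        if auth == "password":
            findings.append(f"{name}: password-only login; use publickey or password-publickey")
        elif auth == "any":
            # Either method is accepted, so the password path stays reachable.
            findings.append(f"{name}: authentication-type any leaves password login reachable")
        elif key == "null":
            findings.append(f"{name}: {auth} requires a key but no public key is assigned")
        if svc == "all":
            findings.append(f"{name}: service-type all grants SCP, SFTP and Stelnet at once")
    return findings

def password_only_users(users: List[Dict[str, str]]) -> List[str]:
    return [u["Username"] for u in users if u["Authentication-type"] == "password"]
```

Run it over the pasted output of display ssh user-information; the row-count check against the "Total ssh users" line catches captures that were cut off by screen paging.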
bye to terminate the connection with an SFTP server and return to user view. Syntax bye Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions as the exit and quit commands. Examples # Terminate the connection with the SFTP server. sftp> bye cd
- Page 181
SFTP server. Syntax delete remote-file Views SFTP client view Predefined user roles network-admin Parameters remote-file: Specifies the files to delete from the server. Usage guidelines This command functions as the remove command. Examples # Delete the file temp.c from the server. sftp> delete temp
- Page 182
| -l ] [ remote-path ] Views SFTP client view Predefined user roles network-admin Parameters -a: Displays the names of the files and Usage guidelines If the -a and -l keywords are not specified, the command displays the names of the files and sub-directories under a directory. If the
- Page 183
commands • sftp client ipv6 source • sftp client source display ssh client source Use display ssh client source to display the source IP address or source interface configured view Predefined user roles network-admin network-operator Examples # Display the source IP address configured for the
- Page 184
view. Syntax exit Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions as the bye and quit commands. Examples # Terminate the connection with the SFTP server. sftp> exit get Use get to download a file from an SFTP server and save it locally
- Page 185
user roles network-admin Usage guidelines The help command functions as entering the question mark (?). Examples # Display help information. sftp> help Available commands file exit Quit sftp get remote-path [local-path] Download file help Display this help text ls [-a|-l][path] Display
- Page 186
to be queried. Usage guidelines If the -a and -l keywords are not specified, the command displays the names of the files and sub-directories under a directory. If the remote-path argument is not server. Syntax mkdir remote-path Views SFTP client view Predefined user roles network-admin
- Page 187
> mkdir test put Use put to upload a local file to an SFTP server. Syntax put local-file [ remote-file ] Views SFTP client view Predefined user roles network-admin Parameters local-file: Specifies the name of a local file. remote-file: Specifies the name of a file on an SFTP server. If
- Page 188
Use quit to terminate the connection with an SFTP server and return to user view. Syntax quit Views SFTP client view Predefined user roles network-admin Usage guidelines This command functions as the bye and exit commands. Examples # Terminate the connection with the SFTP server. sftp> quit
- Page 189
. Syntax rmdir remote-path Views SFTP client view Predefined user roles network-admin Parameters remote-path: Specifies the directories scp to transfer files with an SCP server. Syntax In non-FIPS mode: scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [
- Page 190
. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22. vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance that the server belongs to, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. get: Downloads
- Page 191
interface to connect to the server. By default, the device automatically selects a source IP key of the server as svkey, and download the file abc.txt from the server. FIPS mode: scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get }
- Page 192
User view Predefined user roles network-admin Parameters server: Specifies an IPv6 server by its address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range of 1 to 65535. The default default, compression is not supported.
- Page 193
kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address public key of the server as svkey, and download the file abc.txt from the server. The SCP
- Page 194
User view Predefined user roles network-admin Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies a port number of the server, in the range of 1 to 65535. The default By default, compression is not supported.
- Page 195
a source IP address or source interface to connect to the server. By default, the packet uses the primary IP address of its outbound interface as the source IP address. interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this
- Page 196
configuration. Syntax sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address } undo sftp client ipv6 source Default system-view [Sysname] sftp client ipv6 source ipv6 2:2::2:2 Related commands display sftp client source sftp client source Use sftp client source
- Page 197
Sysname] sftp client source ip 192.168.0.1 Related commands display sftp client source sftp ipv6 Use sftp ipv6 to connect an SFTP client to an IPv6 SFTP server and enter SFTP client view. Syntax In non-FIPS mode: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
- Page 198
User view Predefined user roles network-admin Parameters server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies a port number of the server, in the range of 1 to 65535. The default By default, compression is not supported.
- Page 199
source IP address or source interface to connect to the server. By default, the device automatically selects the source IP address from the routing table. source to remove the configuration. Syntax ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address } undo
- Page 200
ssh client ipv6 source command multiple times, the most recent configuration takes effect. If you use the ssh2 ipv6 command to connect to an remove the configuration. Syntax ssh client source { interface interface-type interface-number | ip ip-address } undo ssh client source Default The Stelnet
- Page 201
the ssh client source command multiple times, the most recent configuration takes effect. If you use the ssh2 command to connect to .0.1 Related commands display ssh client source ssh2 Use ssh2 to establish a connection to an IPv4 Stelnet server. Syntax In non-FIPS mode: ssh2 server [ port-number ]
- Page 202
user roles network-admin Parameters server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default client. By default, compression is not supported. zlib:
- Page 203
non-FIPS mode: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * Views User view Predefined user roles network-admin
- Page 204
-insensitive string of 1 to 253 characters. port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22. vpn-instance vpn-instance-name: between the server and the client. By default, compression is not supported. zlib: Specifies the compression algorithm zlib.
- Page 205
address or source interface to connect to the server. By default, the device automatically selects the source IP address from as the source IP address. interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP
- Page 206
interface-number ] [ slot slot-number ] Views Any view Predefined user roles number. slot slot-number: Displays IPv4 source guard binding entries on an IRF member device. The slot-number argument is the ID of the IRF member device. Usage guidelines • If you do not specify any parameter, the command
- Page 207
Command output Field Total entries found IP Address MAC Address Interface VLAN Type Description Total number IPv4 source guard binding entry: • Static-Manually configured entry. • DHCP relay-Entry dynamically created -number ] [ slot slot-number ] Views Any view Predefined user roles network-admin
- Page 208
IRF member device. The slot-number argument is the ID of the IRF member device. Usage guidelines Examples If you do not specify any parameter, the command entry. Related commands • ipv6 source binding • ipv6 verify source ip source binding Use ip source binding to configure a static IPv4
- Page 209
ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id ] Default No static IPv4 source guard binding entry is configured on an interface. Views Ethernet interface view, VLAN interface view Predefined user roles network-admin Parameters ip-address ip-address: Specifies an IPv4 address for
- Page 210
static IPv4 source guard binding entries configured by the ip source binding command, instead of the keywords specified in the ip verify source command. Examples # Enable IPv4 source guard on Ethernet port Ten-GigabitEthernet 1/1/5 to filter packets received on the port based on the source IPv4 and
- Page 211
Default No static IPv6 source guard binding entry is configured on an interface. Views Ethernet interface view, VLAN interface view Predefined user vlan-id argument ranges from 1 to 4094. This option is supported in only Ethernet interface view. Usage guidelines IP source guard does not use the
- Page 212
guard on a service loopback interface. This command only enables IP source guard packet filtering on a port. The port uses static IPv6 source guard binding entries to filter packets without considering the keywords specified in the command. Examples # Enable IPv6 source guard on Ethernet port Ten
- Page 213
dhcp-snooping } [ ip-address ip-address ] ] ] Views User view Predefined user roles network-admin Parameters static: Clears static IPv4 source guard binding 1 to 31 characters. If you do not specify a VPN, the command clears dynamic IPv4 source guard binding entries for the public network. dhcp-
- Page 214
address ] ] Views User view Predefined user roles network-admin Parameters static: Clears static IPv6 source guard binding entries. ip-address ipv6-address: Clears IPv6 source guard binding entries for an IPv6 address. Usage guidelines If you do not specify any parameter, the command clears all IPv6
- Page 215
resolving-route enable undo arp resolving-route enable Default ARP black hole routing is enabled. Views System view Predefined user roles network-admin Usage guidelines Configure this feature on the gateways. If a device receives a large number of unresolvable IP packets from a host, the following
- Page 216
. Syntax arp source-suppression limit limit-value undo arp source-suppression limit Default The maximum number is 10. Views System view Predefined user roles network-admin Parameters limit-value: Sets the maximum number of unresolvable packets that can be processed in 5 seconds. It is in the range
- Page 217
Field Current suppression limit Description Maximum number of unresolvable packets that can be received from a host in 5 seconds. ARP packet rate limit commands arp rate-limit Use arp rate-limit to enable ARP packet rate limit on an interface and configure the rate limit. Exceeded packets will
- Page 218
commands Default The source MAC-based ARP attack detection function is disabled. Views System view Predefined user roles network-admin Parameters filter: Generates log messages and discards subsequent ARP packets from the MAC address. monitor: Only generates log messages. Usage guidelines Configure
- Page 219
aging-time to configure the aging time for ARP attack entries. Use undo arp anti-attack source-mac aging-time to restore the default. Syntax arp -mac aging-time Default The aging time for ARP attack entries is set to 300 seconds (5 minutes). Views System view Predefined user roles network-admin
- Page 220
an excluded MAC address in the format H-H-H. & indicates the number of excluded MAC addresses that you can configure. Usage guidelines If you do not specify any MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses. Examples # Exclude a MAC address from
- Page 221
specified interface. slot slot-number: Displays ARP attack entries detected on an IRF member device. The slot-number argument specifies the ID of the IRF member device. Usage guidelines If you do not specify any interface, the display arp source-mac command displays ARP attack entries detected
- Page 222
Views System view Predefined user roles network-admin Usage guidelines Configure this feature on gateway devices. After you execute this command, the gateway device can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body
- Page 223
trust to configure a port as an ARP trusted port. Use undo arp detection trust to restore the default. Syntax arp detection trust undo arp detection trust Default An interface is an ARP untrusted interface. Views Ethernet interface view, aggregate interface view Predefined user roles network
- Page 224
command deletes all objects. Syntax arp detection validate { dst-mac | ip | src-mac } * undo arp detection validate [ dst-mac | ip | src-mac ] * Default ARP packet validity check is disabled. Views System view Predefined user to the source MAC address in the Ethernet header. If they are identical,
- Page 225
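The src-mac, dst-mac and ip keywords of arp detection validate above each compare a field of the ARP body with the Ethernet header or with a range of invalid addresses. The following Python is an added example, not HP's code and not part of this reference: it builds raw Ethernet/ARP frames and applies the same three checks so the effect of each keyword can be seen on a concrete packet, including the one it will drop that is not an attack (an RFC 5227 ARP probe, whose sender IP is 0.0.0.0). The frames are constructed for the example, and the finer semantics (dst-mac and the target-IP test apply to replies; all-zero, all-one and multicast IPs are invalid) are an assumption where this page is silent.

```python
"""Apply the arp detection validate checks (src-mac, dst-mac, ip) to raw ARP frames.
Frames are constructed here; check semantics beyond the page text are assumed."""
import struct
from typing import List, Sequence

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MAC_ZERO, MAC_BCAST = b"\x00" * 6, b"\xff" * 6

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))

def ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def build_arp(op: int, eth_src: str, eth_dst: str,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header + RFC 826 ARP body (hardware 1/Ethernet, protocol 0x0800/IPv4)."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip4(spa) + mac(tha) + ip4(tpa)
    return eth + arp

def _invalid_ip(b: bytes) -> bool:
    # 0.0.0.0, 255.255.255.255, or 224.0.0.0/4 multicast
    return b == b"\x00" * 4 or b == b"\xff" * 4 or (b[0] & 0xF0) == 0xE0

def validate_arp(frame: bytes, checks: Sequence[str] = ("src-mac", "dst-mac", "ip")) -> List[str]:
    """Return the reasons the frame would be discarded; [] means it passes every enabled check."""
    if len(frame) < 42:
        return ["truncated frame"]
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != ETH_P_ARP:
        return ["not an ARP frame"]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["unsupported ARP hardware/protocol type"]
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    reasons = []
    if "src-mac" in checks and sha != eth_src:
        reasons.append("src-mac: sender MAC in ARP body differs from Ethernet source MAC")
    if "dst-mac" in checks and op == ARP_REPLY and (tha in (MAC_ZERO, MAC_BCAST) or tha != eth_dst):
        reasons.append("dst-mac: target MAC of reply is all-zero, broadcast, or differs from Ethernet destination MAC")
    if "ip" in checks and (_invalid_ip(spa) or (op == ARP_REPLY and _invalid_ip(tpa))):
        # An RFC 5227 ARP probe carries sender IP 0.0.0.0 and is dropped by this check.
        reasons.append("ip: sender/target IP is all-zero, all-one, or multicast")
    return reasons
```

Enable the checks on a capture from the VLAN before turning them on in production; hosts that send ARP probes on address acquisition will show up under the ip check.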
Views VLAN view Predefined user roles network-admin detection. Syntax display arp detection Views Any view Predefined user roles network-admin network-operator Examples # Display the enabled in the following VLANs: 1-2, 4-5 Related commands arp detection enable display arp detection statistics Use
- Page 226
the ARP detection statistics of a specific interface. Usage guidelines This command displays numbers of packets discarded by user validity check and ARP packet validity check. If you do not specify any interface, the command displays statistics for all interfaces. Examples # Display the ARP
- Page 227
from dynamic ARP entries have the same attributes as the manually configured static ARP entries. The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change some dynamic
- Page 228
ip-address to end-ip-address ] Views VLAN interface view Predefined user roles network-admin Parameters start-ip-address: Specifies the start IP must be on the same network as the primary IP address or manually configured secondary IP addresses of the interface. IP addresses already exist in ARP
- Page 229
source ip-address Default ARP gateway protection is disabled. Views Ethernet interface view, aggregate interface view Predefined user roles network-admin /1/5] arp filter source 1.1.1.1 ARP filtering commands arp filter binding Use arp filter binding to configure an ARP permitted entry. If the
- Page 230
Views Ethernet interface view, aggregate interface view Predefined user roles network-admin Parameters ip-address: Permitted sender IP address. mac-address: Permitted sender MAC address. Usage guidelines You can configure up to eight ARP permitted entries on an interface. You cannot configure both
- Page 231
. If the two interfaces are the same (symmetrical routing), configure strict uRPF. An ISP usually adopts symmetrical routing on a PE device. After you enable the uRPF function on the switch, the routing table size might decrease by half. If the number of routes exceeds half the routing table size of
- Page 232
slot slot-number: Specifies an IRF member device. The slot number argument specifies the ID of the IRF member device. Examples # Display uRPF configuration. display ip urpf Global uRPF configuration information: Check type: loose Allow default route Table 30 Command output Field
- Page 233
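The two fields in the display ip urpf output above, the check type (strict or loose) and whether the default route is allowed, decide what a source address must satisfy. The following Python is an added example, not HP's code and not part of this reference: it implements the strict and loose decisions over a small routing table with longest-prefix match, ECMP and a default route, so the symmetric-routing condition the page gives for strict mode can be tried on concrete addresses. The routing table and interface names are constructed for the example.

```python
"""Strict and loose uRPF decision for an IPv4 source over a constructed RIB."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str

def parse_rib(entries: Iterable[Tuple[str, str]]) -> List[Route]:
    return [Route(ipaddress.IPv4Network(p), iface) for p, iface in entries]

# Constructed routing table: a default route and an ECMP pair for 192.0.2.0/24.
RIB = parse_rib([
    ("0.0.0.0/0", "Vlan10"),
    ("10.1.0.0/16", "Vlan20"),
    ("10.1.5.0/24", "Vlan30"),
    ("192.0.2.0/24", "Vlan20"),
    ("192.0.2.0/24", "Vlan40"),
])

def best_routes(rib: List[Route], addr: str) -> List[Route]:
    """Longest-prefix match; every route sharing the best prefix is returned (ECMP)."""
    a = ipaddress.IPv4Address(addr)
    matches = [r for r in rib if a in r.prefix]
    if not matches:
        return []
    best = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == best]

def urpf_pass(rib: List[Route], src: str, in_iface: str,
              mode: str = "strict", allow_default: bool = False) -> bool:
    """True if a packet from `src` arriving on `in_iface` passes the check.

    loose:  the source must be reachable by some route.
    strict: the best route back to the source must leave through `in_iface`
            (any member of an ECMP set counts).
    allow_default: whether a match on 0.0.0.0/0 counts as reachable at all.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    routes = best_routes(rib, src)
    if not routes:
        return False                      # no route at all: dropped in both modes
    if routes[0].prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches
    if mode == "loose":
        return True
    return any(r.out_iface == in_iface for r in routes)
```

With this table, 10.1.5.0/24 is reachable only via Vlan30, so a packet from 10.1.5.7 entering on Vlan20 passes loose uRPF but fails strict; that asymmetry is exactly the case the page says strict mode must not be used for.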
mode is enabled. Related commands fips mode enable fips mode enable Use fips mode enable to enable FIPS mode. Use undo fips mode enable to disable FIPS mode. Syntax fips mode enable undo fips mode enable Default The FIPS mode is disabled. Views System view Predefined user roles network-admin Usage
- Page 234
. If you do not make a choice within 30 seconds, the system uses the manual reboot method by default. To switch to non-FIPS mode, execute the undo fips mode enable command in system view, save the configuration, and reboot the device. Examples # Enable FIPS mode, and choose the automatic reboot
- Page 235
user roles network-admin Usage guidelines To examine whether the cryptography modules in FIPS mode operate correctly, you can use a command /verification) passed. Known-answer test for random number generator passed. Known-Answer tests in the user space passed. Starting Known-Answer tests in the
- Page 236
Known-answer test for AES passed. Known-answer test for random number generator passed. Known-Answer tests in the kernel passed. FIPS Known-Answer Tests passed.
- Page 237
commands IPsec commands are supported only when the switch is operating in FIPS mode. For more information about FIPS mode, see Security Configuration Guide Default AH does not use any authentication algorithm. Views IPsec transform set view Predefined user priority. • For a manual IPsec policy, the
- Page 238
Predefined user roles network-admin Parameters text: Specifies the description content, a case-sensitive string of 1 to 80 characters. Usage guidelines If the system has multiple IPsec policies, IPsec policy templates, or IPsec profiles, you can use this command to configure different descriptions
- Page 239
, this command displays information about all IPsec policy entries with the specified name. Examples # Display information about all IPv4 IPsec policies. display ipsec policy IPsec Policy: mypolicy Interface: Vlan-interface 1 Sequence number: 10 Mode: manual Security data flow: 3101
- Page 240
ESP string-key: ****** ESP encryption hex key: ESP authentication hex key: Sequence number: 1 Mode: manual Description: This is my complete policy Security data flow: 3100 Remote address: 2.2.2.2 Transform set: completetransform Inbound AH setting: AH SPI: 5000 (0x00001388) AH string-key: ******
- Page 241
authentication hex key: Table 31 Command output Field IPsec Policy Interface Sequence number Mode Description IPsec policy name. Interface applied with the IPsec policy. Sequence number of the IPsec policy entry. Negotiation mode of the IPsec policy: • manual-Manual mode. • isakmp-IKE negotiation
- Page 242
the key is configured). ESP encryption hex key (****** is displayed if the key is configured). ESP authentication hex key (****** is displayed if the key is configured). Related commands ipsec { ipv6- display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]
- Page 243
Views Any view Predefined user roles network-admin network-operator Parameters ipv6-policy-template: Displays entry. If you specify an IPsec policy template name without any sequence number, this command displays information about all IPsec policy template entries with the specified name.
- Page 244
32 Command output Field Description IPsec Policy Template IPsec policy template name. Sequence number Sequence number of the Syntax display ipsec profile [ profile-name ] Views Any view Predefined user roles network-admin network-operator Parameters profile-name: Specifies an IPsec profile
- Page 245
Description IPsec profile name. Negotiation mode used by the IPsec profile. Only the manual mode is available. Description of the IPsec profile. IPsec transform set referenced by the IPsec profile. Related commands ipsec profile display ipsec sa Use display ipsec sa to display information about
- Page 246
user roles network-admin network-operator Parameters brief: Displays brief information about all IPsec SAs. count: Displays the number of IPsec SAs. interface interface-type interface-number: Specifies an interface by its type and number active Table 34 Command output Field Interface/Global
- Page 247
port: 0 protocol: IP protocol: IP [Inbound ESP SAs] SPI: 3564837569 (0xd47b1ac1) Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1 SA duration (kilobytes/sec): 4294967295/604800 SA remaining duration (kilobytes/sec): 1843200/2686 Max received sequence-number: 5 Anti-replay check enable: Y Anti
- Page 248
for this SA Table 35 Command output Field Interface IPsec policy IPsec profile Sequence number Mode Tunnel id Encapsulation mode of the used IPsec profile. Sequence number of the IPsec policy entry. Negotiation mode used by the IPsec policy: • manual • isakmp IPsec tunnel ID Encapsulation mode
- Page 249
(kilobytes/sec) Max received sequence-number Description Source IP address of the data flow. Destination IP address, Port number. Protocol type. SPI of the backup. No duration limit for this SA The manual IPsec SAs do not have lifetime. Related commands • ipsec sa global-duration • reset ipsec sa
- Page 250
: 0 MTU check failure: 0 Loopback limit exceeded: 0 Table 36 Command output Field Received/sent packets Received/sent bytes Dropped packets (received/sent) No available SA Wrong SA Description Number of received/sent IPsec-protected packets. Number of bytes of received/sent IPsec-protected packets
- Page 251
failure MTU check failure Loopback limit exceeded Related commands reset ipsec statistics display ipsec transform-set Description Number of dropped packets due to invalid packet length. Number of dropped packets due to authentication failure. Number of dropped packets due to encapsulation failure
- Page 252
ESP, or both. If both protocols are configured, IPsec uses ESP before AH. AH settings the security protocol. Related commands ipsec transform-set display ipsec user roles network-admin network-operator Parameters brief: Displays brief information about IPsec tunnels. count: Displays the number
- Page 253
Table 38 Command output Field Src Address Dst Address Inbound SPI Outbound SPI Status the IPsec SA: active or backup. Currently, "active" is displayed for all cases. # Display the number of IPsec tunnels. display ipsec tunnel count Total IPsec Tunnel Count: 2 # Display information about
- Page 254
remote address: 2.2.2.2 Flow: as defined in ACL 3100 Table 39 Command output Field Tunnel ID Status Perfect Forward Secrecy SA's SPI Tunnel local address, source port, destination port and protocol. Range of data flow protected by the IPsec tunnel that is established manually. This information
- Page 255
Default IP packets are encapsulated in tunnel mode. Views IPsec transform set view Predefined user roles network-admin Parameters transport: Uses the transport mode for IP packet encapsulation. tunnel: Uses the tunnel mode for IP packet encapsulation. Usage guidelines IPsec supports service. Configure
- Page 256
Default ESP does not use any authentication algorithms. Views IPsec transform set view Predefined user has a higher priority. • For a manual IPsec policy, the first specified ESP least one same ESP authentication algorithm. Examples # Configure the IPsec transform set tran1 to use HMAC-SHA1
- Page 257
encryption-algorithm Default ESP does not use any encryption algorithms. Views IPsec transform set view Predefined user roles network- a higher priority. • For a manual IPsec policy, the first specified ESP one same ESP encryption algorithm. Examples # Configure the IPsec transform set tran1 to use
- Page 258
commands ipsec transform-set ike-profile Use ike-profile to specify an IKE profile for an IPsec policy or IPsec policy template. Use undo ike-profile to remove the configuration. Syntax ike-profile profile-name undo ike-profile Default An IPsec policy or IPsec policy template does not reference
- Page 259
some cases, some service data packets might be manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support default. Syntax ipsec anti-replay window width undo ipsec anti-replay window Default The anti-replay window size is 64. Views System view Predefined user
- Page 260
negotiated later. In some cases, some service data packets might be received in a -view [Sysname] ipsec anti-replay window 128 Related commands ipsec anti-replay check ipsec decrypt-check enable Use Default ACL checking for de-encapsulated IPsec packets is enabled. Views System view Predefined user
- Page 261
undo ipsec logging packet enable Default Logging for IPsec packets is disabled. Views System view Predefined user roles network-admin Usage guidelines A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason why it was discarded. Examples # - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 262
-df-bit Default The DF bit of original IP headers is copied to the outer IP headers for encapsulated IPsec packets. Views System view Predefined user roles network- mode because outer IP headers are not added in transport mode. This command does not change the DF bit for the original IP headers of - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 263
global-df-bit set Related commands ipsec df-bit ipsec | policy } Default No IPsec policy is applied to an interface. Views Interface view Predefined user roles network-admin multiple interfaces, but HP recommends applying an IKE-based IPsec policy to only one interface. A manual IPsec policy can - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 264
Syntax ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp | manual ] undo ipsec { ipv6-policy | policy } policy-name [ seq-number ] Default No IPsec policy is created. Views System view Predefined user roles network-admin Parameters ipv6-policy: Specifies an IPv6 IPsec policy. policy: - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 265
specified IPsec policy template must exist. Usage guidelines Without the seq-number argument specified, the undo command deletes all entries of the specified IPsec policy. An interface referencing an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 266
number undo ipsec { ipv6-policy | policy } policy-name local-address Default No IPsec policy is bound to a source interface. Views System view Predefined user , resulting in service interruption. To solve these problems, bind a bound to multiple IPsec policies. HP recommends using a stable interface - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 267
number undo ipsec { ipv6-policy-template | policy-template } template-name [ seq-number ] Default No IPsec policy template is created. Views System view Predefined user same name but different sequence numbers. With the seq-number argument specified, the undo command deletes an IPsec policy template - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 268
[Sysname] ipsec profile profile1 manual [Sysname-ipsec-profile-profile1] Related commands display ipsec profile ipsec sa global-duration Use ipsec sa global-duration to configure the global IPsec SA lifetime. Use undo ipsec sa global-duration to restore the default. Syntax ipsec sa global-duration - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 269
Default The time-based global lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 bytes. Views System view Predefined user based 7200 # Configure the global IPsec SA lifetime as 10240 kilobytes. [Sysname] ipsec sa global-duration traffic-based 10240 Related commands • display - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 270
an IPsec transform set. Syntax ipsec transform-set transform-set-name undo ipsec transform-set transform-set-name Default No IPsec transform set exists. Views System view Predefined user roles network-admin Parameters transform-set-name: Specifies a name for the IPsec transform set, a case-sensitive - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 271
commands display ipsec transform-set local-address Use local-address to configure the local IP address for the IPsec tunnel. Use undo local-address to restore the default IPsec policy view, IPsec policy template view Predefined user roles network-admin Parameters ipv4-address: Specifies the - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 272
| dh-group5 | dh-group14 | dh-group24 } undo pfs In FIPS mode: pfs dh-group14 undo pfs Default The PFS feature is disabled for the IPsec transform set. Views IPsec transform set view Predefined user roles network-admin Parameters dh-group1: Uses 768-bit Diffie-Hellman group. dh-group2: Uses 1024-bit - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 273
Syntax qos pre-classify undo qos pre-classify Default The QoS pre-classify feature is disabled. QoS uses the new IP header of IPsec packets to perform traffic classification. Views IPsec policy view, IPsec policy template view Predefined user roles network-admin Usage guidelines The QoS pre-classify - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 274
Default No remote IP address is specified for the IPsec tunnel. Views IPsec policy view, IPsec policy template view Predefined user manual IPsec policy does not support DNS. Therefore, you must specify a remote IP address rather than a remote host name for the manual IPsec policy. If you configure - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 275
10 manual [Sysname-ipsec-policy-policy1-10] remote-address 10.1.1.2 Related commands • ip host (see Layer 3-IP Services Commands Reference) • local-address reset ipsec sa Use reset ipsec sa to clear IPsec SAs. Syntax reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 276
, this command clears all IPsec SAs. If you specify an SA triplet, this command clears the valid values for the other two parameters. After a manual IPsec SA is cleared, the system automatically creates a > reset ipsec sa policy policy1 Related commands display ipsec sa reset ipsec statistics Use - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 277
sa duration { time-based | traffic-based } Default The SA lifetime of an IPsec policy or an view, IPsec policy template view Predefined user roles network-admin Parameters time-based configured with the SA lifetime, IKE uses the global SA lifetime configured by the ipsec sa global-duration command - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 278
} Default No authentication key is configured for manual IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network 20-byte hexadecimal string for HMAC-SHA1. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles. You must set an - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 279
} esp Default No encryption key is configured for manual IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network 32-byte hexadecimal string for AES256-CBC. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles. You must set an encryption - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 280
view Predefined user roles network-admin Parameters seconds: Specifies the IPsec SA idle timeout, in the range of 60 to 86400 seconds. Usage guidelines This function applies only to IPsec SAs negotiated by IKE and takes effect when the ipsec sa idle-time command has been configured. The IPsec - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 281
for outbound SAs. ah: Uses AH. esp: Uses ESP. spi-number: Specifies a Security parameters index (SPI), in the range of 256 to 4294967295. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles. You must configure an SPI for both inbound and outbound SAs, and make sure - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 282
{ ah | esp } Default No key string is configured for IPsec SAs. Views IPsec policy view, IPsec profile view Predefined user roles network-admin Parameters inbound: and encryption algorithm respectively. Usage guidelines This command applies to only manual IPsec policies and IPsec profiles. You must - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 283
| per-host ] undo security acl Default An IPsec policy or IPsec policy template references no ACL. Views IPsec policy view, IPsec policy template view Predefined user roles network-admin Parameters ipv6: Specifies an IPv6 ACL. acl-number: Specifies an ACL by its number in the range of 3000 to 3999 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 284
only one IPsec transform set. If you specify an IPsec transform set for the manual IPsec policy multiple times, the most recent configuration takes effect. An IKE-based IPsec policy can reference six IPsec transform sets at most. During an IKE negotiation, IKE searches for a fully matched IPsec - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 285
> system-view [Sysname] ipsec transform-set prop1 [Sysname-ipsec-transform-set-prop1] quit [Sysname] ipsec policy policy1 100 manual [Sysname-ipsec-policy-manual-policy1-100] transform-set prop1 Related commands • ipsec { ipv6-policy | policy } (system view) • ipsec profile • ipsec transform-set 276 - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 286
commands IKE commands are supported only when the switch is operating in FIPS mode. For more information about FIPS mode, see Security Configuration Guide authentication-algorithm Default The IKE proposal uses the authentication algorithm of HMAC-SHA1. Views IKE proposal view Predefined user roles - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 287
shared keys, you must configure these pre-shared keys on both IKE ends. Examples # Specify pre-shared key authentication to be used in IKE proposal 1. system-view [Sysname] ike proposal 1 [Sysname-ike-proposal-1] authentication-method pre-share Related commands • display ike proposal • ike - HP 6125XLG | R2306-HP 6125XLG Blade Switch Security Command Reference - Page 288
Default In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used. Views IKE proposal view Predefined user Related commands display ike proposal display ike proposal Use display ike proposal to display configuration - Page 289
configured, the command displays the default IKE proposal. Examples # Display the configuration default PRE-SHARED-KEY SHA1 AES-CBC-128 Group 14 86400 Table 40 Command SA lifetime (in seconds) of the IKE proposal Related commands ike proposal display ike sa Use display ike sa to display - Page 290
. display ike sa Connection-ID Remote Flag DOI 1 202.38.0.2 RD IPSEC Flags: RD--READY ST--STAYALIVE RL--REPLACED FD-FADING Table 41 Command output Field Connection-ID Remote Flags DOI Description Identifier of the IKE SA. Remote IP address of the SA. Status of the SA: • RD - Page 291
-CBC-192 Life duration(sec): 86400 Remaining key duration(sec): 86379 Exchange-mode: Main Diffie-Hellman group: Group 14 NAT traversal: Not detected Table 42 Command output Field Connection ID Description Identifier of the IKE SA - Page 292
send DPD messages. Use undo dpd to disable the IKE DPD function. Syntax dpd interval interval-seconds [ retry seconds ] { on-demand | periodic } undo dpd interval Default IKE DPD is disabled. Views IKE profile view Predefined user roles network-admin - Page 293
number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU. When DPD settings are configured on-demand Related commands ike dpd encryption | aes-cbc-256 } undo encryption-algorithm Default In non-FIPS mode, an IKE proposal uses - Page 294
Predefined user roles Sysname-ike-proposal-1] encryption-algorithm aes-cbc-192 Related commands display ike proposal exchange-mode Use exchange-mode to default. Syntax In non-FIPS mode: exchange-mode { aggressive | main } undo exchange-mode In FIPS mode: exchange-mode main undo exchange-mode Default - Page 295
ike dpd interval Default IKE DPD is disabled. Views System view Predefined user roles network-admin Parameters interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300. • If the on-demand keyword is specified, this parameter specifies the number of seconds - Page 296
IKE negotiations. Use undo ike identity to remove the configuration and restore the default. Syntax ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] } undo ike identity Default By default, the IP address of the interface where the - Page 297
specify this argument, the device name configured by using the sysname command is used as the user FQDN. Usage guidelines The global identity can default. Syntax ike invalid-spi-recovery enable undo ike invalid-spi-recovery enable Default SPI recovery is disabled. Views System view Predefined user - Page 298
Default No IKE keepalives are sent. Views System view Predefined user roles network-admin Parameters seconds: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800. Usage guidelines To detect the status of the peer, configure 200 Related commands ike keepalive timeout - Page 299
Default The negotiated aging time for the IKE SA applies. Views System view Predefined user roles network-admin Parameters seconds: Specifies the number configured at the local must be longer than the keepalive interval configured keepalive timeout 20 Related commands ike keepalive interval ike - Page 300
-sa sa-limit } undo ike limit { max-negotiating-sa | max-sa } Default There is no limit to the maximum number of IKE SAs. Views System view Predefined user roles network-admin Parameters max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs. The value range is 1 to - Page 301
default. Syntax ike nat-keepalive seconds undo ike nat-keepalive Default The NAT keepalive interval is 20 seconds. Views System view Predefined user how to display the lifetime of NAT entries, see Layer 3-IP Services Command Reference. Examples # Set the NAT keepalive interval to 5 seconds. - Page 302
-name undo ike profile profile-name Default No IKE profile is configured. Views System view Predefined user roles network-admin Parameters profile-name: ike proposal proposal-number undo ike proposal proposal-number Default The system has an IKE proposal that is used as the default IKE proposal. - Page 303
An IKE proposal with a smaller number has a higher priority. • The peer Default The local end uses the identity information specified by local-identity or ike identity for signature authentication. Views System view Predefined user roles network-admin Usage guidelines Configure the command - Page 304
commands • local-identity • ike identity inside-vpn Use inside-vpn to specify an inside VPN instance for an IKE profile. Use undo inside-vpn to remove the inside VPN instance configuration. Syntax inside-vpn vpn-instance vpn-name undo inside-vpn Default reference. Syntax keychain keychain-name - Page 305
-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] } undo local-identity Default No local ID is configured for an IKE profile, and an IKE profile uses the local ID configured in system view (using the ike identity command). If no local ID is configured in system view either, the IP - Page 306
, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN. user-fqdn user-fqdn-name: Uses a user FQDN as the local ID. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as adc@test - Page 307
earlier has a higher priority. To give an IKE keychain a higher priority, you can configure this command for the keychain. For example, suppose you configured IKE keychain A before configuring IKE keychain B, and you configured the peer ID 2.2.0.0/16 for IKE profile A and the peer ID 2.2.2.0/24 for - Page 308
interface-type interface-number: Specifies a local configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured -instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } } Default No peer ID is configured. - Page 309
as the peer ID. The specified information is configured on the peer by using the local-identity command. • address ipv4-address [ mask | mask- characters, such as www.test.com. • user-fqdn user-fqdn-name: Uses the peer's user FQDN as the peer ID. The user-fqdn-name argument is a case-sensitive string - Page 310
Related commands local-identity pre-shared-key Use pre-shared-key to configure a pre-shared key. Use undo pre-shared-key prefix-length ] } | hostname host-name } Default No pre-shared key is configured. Views IKE keychain view Predefined user roles network-admin Parameters address: Specifies a peer - Page 311
determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address - Page 312
the IKE proposals for an IKE profile to reference. Use undo proposal to remove the IKE proposal references. Syntax proposal proposal-number& undo proposal Default An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation. Views IKE - Page 313
device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator. Examples # Specify IKE proposal 10 for IKE profile prof1. system-view [Sysname] ike profile prof1 [Sysname-ike-profile-prof1] proposal 10 Related commands ike proposal reset ike - Page 314
Default The IKE SA lifetime is 86400 seconds. Views IKE proposal view Predefined user roles network-admin Parameters seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800. Usage guidelines If the communicating peers are configured Related commands display ike proposal - Page 315
Acronyms. Websites • HP.com http://www.hp.com • HP Networking http://www.hp.com/go/networking • HP manuals http://www.hp.com/support/manuals • HP download drivers and software http://www.hp.com/support/downloads • HP software depot http://www.software.hp.com • HP Education http://www.hp.com/learn - Page 316
Command conventions Convention Boldface Italic [ ] { x | y | ... } [ x | y | ... ] { x | y | ... } * [ x | y | ... ] * & # Description Bold text represents commands bold text. For example, the New User window appears; click OK. Multi-level or damage to hardware or software. An alert that calls - Page 317
wired-WLAN switch. Represents an access point. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device. Represents a security card, such as a firewall card, a load-balancing card, or a NetStream card. Port numbering in examples - Page 318
-algorithm,277 authentication-method,277 authentication-server,75 authorization command,10 authorization default,11 authorization lan-access,13 authorization login,14 authorization-attribute source binding static,198 display ldap scheme,76 display local-user,22 display mac-authentication,100 - Page 319
password-control blacklist,126 display port-security,108 display port-security mac-address block,110 display port- default enable,18 dot1x,88 dot1x authentication-method,89 dot1x handshake,90 dot1x mandatory-domain,91 dot1x max-user,91 dot1x multicast-trigger,92 dot1x port-control,93 dot1x port - Page 320
password-control expired-user-login,133 password-control history,134 password-control length,135 password-control login idle-time,136 password-control login-attempt,137 password-control super aging,138 password-control super composition,139 password-control super length,140 password-control update - Page 321
,204 reset mac-authentication statistics,106 reset password-control blacklist,141 reset password-control history-record,142 reset radius statistics, ssh user,169 ssh2,192 ssh2 ipv6,194 state (ISP domain view),18 state (local user view),29 state primary,49 state secondary,50 Subscription service,306