HPE FlexFabric 12900E Switch Series
Security Command Reference
Software
version: Release 5210
Document version: 6W100-20230424
© Copyright 2023 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
Keychain commands ····················································································· 1
accept-lifetime ············································································································································ 1
accept-tolerance ········································································································································· 2
authentication-algorithm ····························································································································· 3
default-send-key ········································································································································· 4
display keychain ········································································································································· 4
key ······························································································································································ 6
keychain ····················································································································································· 7
key-string ···················································································································································· 8
send-lifetime ··············································································································································· 8
tcp-algorithm-id ········································································································································ 10
tcp-kind ····················································································································································· 11
Public key management commands ···························································· 12
clear master-key ······································································································································· 12
display master-key info ···························································································································· 12
display master-key type ··························································································································· 14
display public-key local public ·················································································································· 14
display public-key peer ····························································································································· 19
peer-public-key end ·································································································································· 20
public-key local create ······························································································································ 21
public-key local destroy ···························································································································· 24
public-key local export dsa ······················································································································· 25
public-key local export ecdsa ··················································································································· 27
public-key local export rsa ························································································································ 28
public-key local import ······························································································································ 30
public-key peer ········································································································································· 31
public-key peer import sshkey·················································································································· 32
set master-key ·········································································································································· 33
PKI commands ···························································································· 36
attribute ···················································································································································· 36
ca identifier ··············································································································································· 37
certificate request entity ··························································································································· 38
certificate request from ····························································································································· 39
certificate request mode ··························································································································· 39
certificate request polling ························································································································· 41
certificate request url ································································································································ 42
common-name ········································································································································· 43
country ····················································································································································· 43
crl check enable ······································································································································· 44
crl update-period ······································································································································ 44
crl url ························································································································································ 45
display pki certificate access-control-policy ····························································································· 46
display pki certificate attribute-group ········································································································ 47
display pki certificate domain ··················································································································· 49
display pki certificate renew-status ·········································································································· 53
display pki certificate request-status ········································································································ 55
display pki crl domain ······························································································································· 56
fqdn ·························································································································································· 58
ip ······························································································································································ 59
ldap-server ··············································································································································· 59
locality ······················································································································································ 60
organization ·············································································································································· 61
organization-unit ······································································································································· 61
pkcs7-encryption-algorithm ······················································································································ 62
pki abort-certificate-request ······················································································································ 63
ii
pki certificate access-control-policy ·········································································································· 63
pki certificate attribute-group ···················································································································· 64
pki certificate logging enable ···················································································································· 65
pki delete-certificate ································································································································· 66
pki domain ················································································································································ 67
pki entity ··················································································································································· 68
pki export ·················································································································································· 69
pki import ·················································································································································· 76
pki request-certificate ······························································································································· 80
pki retrieve-certificate ······························································································································· 81
pki retrieve-crl ··········································································································································· 83
pki storage ················································································································································ 84
pki validate-certificate ······························································································································· 84
public-key dsa ·········································································································································· 86
public-key ecdsa ······································································································································ 87
public-key rsa ··········································································································································· 89
root-certificate fingerprint ························································································································· 90
rule ··························································································································································· 91
source ······················································································································································ 92
state ························································································································································· 93
subject-dn ················································································································································· 94
usage ······················································································································································· 95
vpn-instance ············································································································································· 96
Crypto engine commands ············································································ 97
display crypto-engine ······························································································································· 97
display crypto-engine statistics ················································································································ 98
reset crypto-engine statistics ···················································································································· 99
SSH commands ························································································· 100
SSH server commands ·································································································································· 100
display ssh server ·································································································································· 100
display ssh user-information ·················································································································· 101
free ssh ·················································································································································· 102
scp server enable ··································································································································· 103
sftp server enable ··································································································································· 104
sftp server idle-timeout ··························································································································· 104
ssh server acl ········································································································································· 105
ssh server acl-deny-log enable ·············································································································· 106
ssh server authentication-retries ············································································································ 107
ssh server authentication-timeout ·········································································································· 107
ssh server compatible-ssh1x enable ······································································································ 108
ssh server dscp ······································································································································ 109
ssh server enable ··································································································································· 109
ssh server ipv6 acl ································································································································· 110
ssh server ipv6 dscp ······························································································································ 111
ssh server key-re-exchange enable ······································································································· 111
ssh server pki-domain ···························································································································· 112
ssh server port ······································································································································· 113
ssh server rekey-interval ························································································································ 113
ssh user ·················································································································································· 114
SSH client commands ···································································································································· 117
bye ························································································································································· 117
cd ··························································································································································· 117
cdup ······················································································································································· 118
delete ····················································································································································· 118
delete ssh client server-public-key ········································································································· 118
dir ··························································································································································· 119
display scp client source ························································································································ 120
display sftp client source ························································································································ 120
display ssh client server-public-key ········································································································ 121
display ssh client source ························································································································ 122
iii
exit ·························································································································································· 123
get ·························································································································································· 123
help ························································································································································ 124
ls ····························································································································································· 124
mkdir ······················································································································································ 125
put ·························································································································································· 126
pwd ························································································································································· 126
quit ························································································································································· 127
remove ··················································································································································· 127
rename ··················································································································································· 127
rmdir ······················································································································································· 128
scp ·························································································································································· 128
scp client ipv6 source ····························································································································· 132
scp client source ···································································································································· 132
scp ipv6 ·················································································································································· 133
scp ipv6 suite-b ······································································································································ 137
scp suite-b ·············································································································································· 139
sftp ························································································································································· 141
sftp client ipv6 source ····························································································································· 143
sftp client source ···································································································································· 144
sftp ipv6 ·················································································································································· 145
sftp ipv6 suite-b ······································································································································ 148
sftp suite-b ·············································································································································· 149
ssh client ipv6 source ····························································································································· 151
ssh client source ···································································································································· 152
ssh2 ························································································································································ 152
ssh2 ipv6 ················································································································································ 155
ssh2 ipv6 suite-b ···································································································································· 158
ssh2 suite-b ············································································································································ 160
SSH2 commands ··········································································································································· 162
display ssh2 algorithm ···························································································································· 162
ssh2 algorithm cipher ····························································································································· 163
ssh2 algorithm key-exchange ················································································································ 164
ssh2 algorithm mac ································································································································ 164
ssh2 algorithm public-key ······················································································································· 165
SSL commands ························································································· 167
certificate-chain-sending enable ············································································································ 167
ciphersuite ·············································································································································· 167
ciphersuite server-preferred enable ···················································································· 170
client-verify ············································································································································· 171
display ssl client-policy ··························································································································· 172
display ssl server-policy ························································································································· 173
pki-domain (SSL client policy view) ········································································································ 174
pki-domain (SSL server policy view) ······································································································ 175
prefer-cipher ··········································································································································· 175
server-name ··········································································································································· 178
server-verify enable ································································································································ 179
session ··················································································································································· 180
ssl client-policy ······································································································································· 181
ssl renegotiation disable ························································································································· 182
ssl server-policy ····································································································································· 182
ssl version disable ·································································································································· 183
version ···················································································································································· 184
version disable ······································································································································· 184
Packet filter commands ············································································· 186
acl logging interval ································································································································· 186
acl trap interval ······································································································································· 187
display packet-filter ································································································································ 187
display packet-filter statistics ·················································································································· 189
display packet-filter statistics sum ·········································································································· 192
iv
display packet-filter verbose ··················································································································· 194
packet-filter (Ethernet service instance view)························································································· 197
packet-filter (interface view) ··················································································································· 198
packet-filter (service template view) ······································································································· 200
packet-filter default deny ························································································································ 201
packet-filter global ·································································································································· 202
reset packet-filter statistics ····················································································································· 203
DHCP snooping commands ······································································· 205
dhcp snooping alarm enable ·················································································································· 205
dhcp snooping alarm threshold ·············································································································· 206
dhcp snooping binding database filename ····························································································· 206
dhcp snooping binding database update interval ··················································································· 208
dhcp snooping binding database update now ························································································ 209
dhcp snooping binding record ················································································································ 209
dhcp snooping check giaddr ·················································································································· 210
dhcp snooping check mac-address········································································································ 211
dhcp snooping check request-message································································································· 211
dhcp snooping client-detect ··················································································································· 212
dhcp snooping deny ······························································································································· 213
dhcp snooping disable ··························································································································· 213
dhcp snooping enable ···························································································································· 214
dhcp snooping enable vlan ···················································································································· 214
dhcp snooping information circuit-id······································································································· 215
dhcp snooping information enable ········································································································· 217
dhcp snooping information remote-id ····································································································· 218
dhcp snooping information strategy ······································································································· 219
dhcp snooping information vendor-specific ···························································································· 220
dhcp snooping log enable ······················································································································ 221
dhcp snooping max-learning-num ·········································································································· 222
dhcp snooping rate-limit ························································································································· 222
dhcp snooping trust ································································································································ 223
dhcp snooping trust interface ················································································································· 224
dhcp snooping trust tunnel ····················································································································· 225
display dhcp snooping binding ··············································································································· 225
display dhcp snooping binding database ······························································································· 227
display dhcp snooping information ········································································································· 227
display dhcp snooping drni-statistics ······································································································ 229
display dhcp snooping drni-status ·········································································································· 230
display dhcp snooping packet statistics ································································································· 231
display dhcp snooping trust ···················································································································· 232
reset dhcp snooping binding ·················································································································· 233
reset dhcp snooping drni-statistics ········································································································· 233
reset dhcp snooping packet statistics ···································································································· 234
DHCPv6 snooping commands ··································································· 235
display ipv6 dhcp snooping binding ······································································································· 235
display ipv6 dhcp snooping binding database························································································ 236
display ipv6 dhcp snooping drni-statistics ······························································································ 236
display ipv6 dhcp snooping drni-status ·································································································· 238
display ipv6 dhcp snooping packet statistics·························································································· 239
display ipv6 dhcp snooping pd binding ·································································································· 240
display ipv6 dhcp snooping trust ············································································································ 241
ipv6 dhcp snooping alarm enable ·········································································································· 241
ipv6 dhcp snooping alarm threshold ······································································································ 242
ipv6 dhcp snooping binding database filename ····················································································· 243
ipv6 dhcp snooping binding database update interval ··········································································· 245
ipv6 dhcp snooping binding database update now ················································································ 245
ipv6 dhcp snooping binding record ········································································································ 246
ipv6 dhcp snooping check relay-forward ································································································ 246
ipv6 dhcp snooping check request-message ························································································· 247
ipv6 dhcp snooping client-detect ············································································································ 248
v
ipv6 dhcp snooping deny ······················································································································· 249
ipv6 dhcp snooping enable ···················································································································· 249
ipv6 dhcp snooping log enable··············································································································· 250
ipv6 dhcp snooping max-learning-num ·································································································· 250
ipv6 dhcp snooping option interface-id enable ······················································································· 251
ipv6 dhcp snooping option interface-id string ························································································· 252
ipv6 dhcp snooping option remote-id enable ························································································· 252
ipv6 dhcp snooping option remote-id string ··························································································· 253
ipv6 dhcp snooping pd binding record ··································································································· 254
ipv6 dhcp snooping rate-limit ················································································································· 254
ipv6 dhcp snooping trust ························································································································ 255
ipv6 dhcp snooping trust tunnel ············································································································· 256
reset ipv6 dhcp snooping binding··········································································································· 256
reset ipv6 dhcp snooping drni-statistics ································································································· 257
reset ipv6 dhcp snooping packet statistics ····························································································· 257
reset ipv6 dhcp snooping pd binding ······································································································ 258
ARP attack protection commands ······························································ 259
Unresolvable IP attack protection commands ································································································ 259
arp resolving-route enable ····················································································································· 259
arp resolving-route probe-count ············································································································· 259
arp resolving-route probe-interval ·········································································································· 260
arp source-suppression enable ·············································································································· 260
arp source-suppression limit ·················································································································· 261
display arp source-suppression ············································································································· 262
ARP packet rate limit commands ··················································································································· 262
arp rate-limit ··········································································································································· 262
arp rate-limit log enable ·························································································································· 263
arp rate-limit log interval ························································································································· 263
snmp-agent trap enable arp ··················································································································· 264
Source MAC-based ARP attack detection commands ·················································································· 265
arp source-mac ······································································································································ 265
arp source-mac aging-time ···················································································································· 266
arp source-mac exclude-mac ················································································································· 266
arp source-mac threshold ······················································································································ 267
display arp source-mac ·························································································································· 267
display arp source-mac statistics ··········································································································· 268
reset arp source-mac statistics ·············································································································· 269
ARP packet source MAC consistency check commands··············································································· 269
arp valid-check enable ··························································································································· 269
display arp valid-check statistics ············································································································ 270
reset arp valid-check statistics ··············································································································· 271
ARP active acknowledgement commands ····································································································· 271
arp active-ack enable ····························································································································· 271
Authorized ARP commands ··························································································································· 272
arp authorized enable ···························································································································· 272
ARP attack detection commands ··················································································································· 272
arp detection enable······························································································································· 272
arp detection log enable ························································································································· 273
arp detection port-match-ignore ············································································································· 274
arp detection rule ··································································································································· 275
arp detection trust ·································································································································· 276
arp detection validate ····························································································································· 276
arp restricted-forwarding enable ············································································································ 277
display arp detection ······························································································································ 278
display arp detection statistics attack-source ························································································· 278
display arp detection statistics packet-drop ··························································································· 279
reset arp detection statistics attack-source ···························································································· 280
reset arp detection statistics packet-drop ······························································································· 281
ARP scanning and fixed ARP commands ······································································································ 281
arp fixup ················································································································································· 281
arp scan ················································································································································· 282
vi
arp scan auto enable······························································································································ 283
arp scan auto send-rate ························································································································· 285
ARP gateway protection commands ·············································································································· 285
arp filter source ······································································································································ 285
ARP filtering commands································································································································· 286
arp filter binding ······································································································································ 286
ARP packet sender IP address checking commands ···················································································· 287
arp sender-ip-range ································································································································ 287
ND attack defense commands ··································································· 288
ND packet rate limit commands ····················································································································· 288
ipv6 nd rate-limit ····································································································································· 288
ipv6 nd rate-limit log enable ··················································································································· 288
ipv6 nd rate-limit log interval ·················································································································· 289
Source MAC consistency check commands ·································································································· 290
ipv6 nd check log enable························································································································ 290
ipv6 nd mac-check enable ····················································································································· 290
ND attack detection commands ····················································································································· 291
display ipv6 nd detection statistics ········································································································· 291
ipv6 nd detection enable ························································································································ 292
ipv6 nd detection log enable ·················································································································· 292
reset ipv6 nd detection statistics ············································································································ 293
ND scanning commands ································································································································ 293
ipv6 nd scan auto enable ··········································································································· 293
ipv6 nd scan auto send-rate ··················································································································· 295
Attack detection and prevention commands ·············································· 296
ack-flood action ······································································································································ 296
ack-flood detect ······································································································································ 296
ack-flood detect non-specific ·················································································································· 297
ack-flood threshold ································································································································· 298
attack-defense local apply policy ··········································································································· 299
attack-defense login reauthentication-delay··························································································· 300
attack-defense policy ····························································································································· 300
attack-defense signature log non-aggregate·························································································· 301
attack-defense tcp fragment enable ······································································································· 302
blacklist global enable ···························································································································· 302
blacklist ip ··············································································································································· 303
blacklist ipv6 ··········································································································································· 304
blacklist logging enable ·························································································································· 305
display attack-defense flood statistics ip ································································································ 306
display attack-defense flood statistics ipv6 ···························································································· 308
display attack-defense policy ················································································································· 310
display attack-defense policy ip ············································································································· 315
display attack-defense policy ipv6 ·········································································································· 317
display attack-defense scan attacker ip ································································································· 318
display attack-defense scan attacker ipv6 ····························································································· 320
display attack-defense statistics interface ······························································································ 321
display attack-defense statistics local ···································································································· 325
dns-flood action ······································································································································ 329
dns-flood detect ······································································································································ 330
dns-flood detect non-specific ················································································································· 331
dns-flood port ········································································································································· 332
dns-flood threshold ································································································································· 332
exempt acl ·············································································································································· 333
fin-flood action ········································································································································ 334
fin-flood detect ········································································································································ 335
fin-flood detect non-specific ··················································································································· 336
fin-flood threshold ··································································································································· 337
http-flood action ······································································································································ 338
http-flood detect ····································································································································· 338
http-flood detect non-specific ················································································································· 340
vii
http-flood port ········································································································································· 340
http-flood threshold ································································································································ 341
icmp-flood action ···································································································································· 342
icmp-flood detect ip ································································································································ 343
icmp-flood detect non-specific················································································································ 344
icmp-flood threshold ······························································································································· 344
icmpv6-flood action ································································································································ 345
icmpv6-flood detect ipv6 ························································································································ 346
icmpv6-flood detect non-specific ············································································································ 347
icmpv6-flood threshold ··························································································································· 348
reset attack-defense policy flood ············································································································ 349
reset attack-defense statistics local ······································································································· 349
rst-flood action ········································································································································ 350
rst-flood detect ······································································································································· 350
rst-flood detect non-specific ··················································································································· 351
rst-flood threshold ·································································································································· 352
scan detect ············································································································································· 353
signature { large-icmp | large-icmpv6 } max-length ················································································ 354
signature detect ······································································································································ 355
signature level action ····························································································································· 358
signature level detect ····························································································································· 359
syn-ack-flood action ······························································································································· 360
syn-ack-flood detect ······························································································································· 361
syn-ack-flood detect non-specific ··········································································································· 362
syn-ack-flood threshold ·························································································································· 363
syn-flood action ······································································································································ 363
syn-flood detect ······································································································································ 364
syn-flood detect non-specific ·················································································································· 365
syn-flood threshold ································································································································· 366
udp-flood action ······································································································································ 367
udp-flood detect ····································································································································· 367
udp-flood detect non-specific ················································································································· 369
udp-flood threshold ································································································································ 369
IP source guard commands ······································································· 371
display ip source binding ························································································································ 371
display ipv6 source binding ···················································································································· 372
display ipv6 source binding pd ··············································································································· 374
ip source binding (interface view) ··········································································································· 375
ip source binding (system view) ············································································································· 376
ip verify source ······································································································································· 377
ipv6 source binding (interface view) ······································································································· 378
ipv6 source binding (system view) ········································································································· 379
ipv6 verify source ··································································································································· 380
IPv4 uRPF commands ··············································································· 382
display ip urpf ········································································································································· 382
ip urpf ····················································································································································· 382
Document conventions and icons ······························································ 384
Conventions ··················································································································································· 384
Network topology icons ·································································································································· 385
Support and other resources ····································································· 386
Accessing Hewlett Packard Enterprise Support····························································································· 386
Accessing updates ········································································································································· 386
Websites ················································································································································ 387
Customer self repair ······························································································································· 387
Remote support ······································································································································ 387
Documentation feedback ······················································································································· 387
1
Keychain commands
accept-lifetime
Use accept-lifetime to set the receiving lifetime for a key of a keychain.
Use undo accept-lifetime to restore the default.
Syntax
accept-lifetime daily start-day-time to end-day-time
accept-lifetime date { month-day&<1-31> | start-month-day to
end-month-day }
accept-lifetime day { week-day | start-week-day to end-week-day }
accept-lifetime month { month | start-month to end-month }
accept-lifetime utc start-time start-date { duration { duration-value |
infinite } | to end-time end-date }
undo accept-lifetime
Default
The receiving lifetime is not configured for a key of a keychain.
Views
Key view
Predefined user roles
network-admin
Parameters
daily: Specifies the key to be effective in the specified time range of each day.
start-day-time to end-day-time: Specifies the time range of each day. Both the start time
and the end time are in the HH:MM:SS format. The value range for the start-day-time
argument and the end-day-time argument is 0:0:0 to 23:59:59.
date: Specifies the key to be effective on the specified dates of each month.
month-day&<1-31>: Specifies a space-separated list of up to 31 dates of a month. The value
range for the month-day argument is 1 to 31.
start-month-day to end-month-day: Specifies the date range of each month. The end date
must be greater than the start date.
day: Specifies the key to be effective on the specified days of each week.
week-day: Specifies a day in a week. Values include mon, tue, wed, thu, fri, sat, and sun. You
can specify this argument multiple times with different values.
start-week-day to end-week-day: Specifies the day range of each week. The end day must
be greater than the start day.
month: Specifies the key to be effective in the specified months of each year.
month: Specifies a month in a year. Values include jan, feb, mar, apr, may, jun, jul, aug, sep, oct,
nov, and dec. You can specify this argument multiple times with different values.
2
start-month to end-month: Specifies the month range of each year. The end month must be
greater than the start month.
utc: Specifies the receiving lifetime in absolute time mode. The key takes effect in the specified time
range, for example, from 08:00 2019/9/1 to 18:00 2019/9/3.
start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is
0:0:0 to 23:59:59.
start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value
range for YYYY is 2000 to 2035.
duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646
seconds.
duration infinite: Specifies that the key never expires after it becomes valid.
to: Specifies the end time and date.
end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is
0:0:0 to 23:59:59.
end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range
for YYYY is 2000 to 2035.
Usage guidelines
A key becomes a valid accept key when the following requirements are met:
•
A key string has been configured.
•
An authentication algorithm has been specified.
•
The system time is within the specified receiving lifetime.
If an application receives a packet that carries a key ID, and the key is valid, the application uses the
key to authenticate the packet. If the key is not valid, packet authentication fails.
If the received packet does not carry a key ID, the application uses all valid keys in the keychain to
authenticate the packet. If the packet does not pass any authentication, packet authentication fails.
An application can use multiple valid keys to authenticate packets received from a peer.
Examples
# Set the receiving lifetime for key 1 of keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2019/1/21 to 18:30 2019/1/21
# Set the receiving lifetime for key 1 of keychain 123 in weekly periodic time mode.
<Sysname> system-view
[Sysname] keychain 123 mode periodic weekly
[Sysname-keychain-123] key 1
[Sysname-keychain-123-key-1] accept-lifetime day fri
accept-tolerance
Use accept-tolerance to set a tolerance time for accept keys in a keychain.
Use undo accept-tolerance to restore the default.
Syntax
accept-tolerance { value | infinite }
3
undo accept-tolerance
Default
No tolerance time is configured for accept keys in a keychain.
Views
Keychain view
Predefined user roles
network-admin
Parameters
value: Specifies a tolerance time in the range of 1 to 8640000 seconds.
infinite: Specifies that the accept keys never expires.
Usage guidelines
After a tolerance time is configured, the start time and the end time configured in the
accept-lifetime utc command are extended for the period of the tolerance time.
If authentication information is changed, information mismatch occurs on the local and peer devices,
and the service might be interrupted. Use this command to ensure continuous packet authentication.
Examples
# Set the tolerance time to 100 seconds for accept keys in keychain abc.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] accept-tolerance 100
# Configure the accept keys in keychain abc to never expire.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] accept-tolerance infinite
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for a key.
Use undo authentication-algorithm to restore the default.
Syntax
authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 | md5 }
undo authentication-algorithm
Default
No authentication algorithm is specified for a key.
Views
Key view
Predefined user roles
network-admin
Parameters
hmac-md5: Specifies the HMAC-MD5 authentication algorithm.
hmac-sha-1: Specifies the HMAC-SHA-1 authentication algorithm.
4
hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm.
md5: Specifies the MD5 authentication algorithm.
Usage guidelines
If an application does not support the authentication algorithm specified for a key, the application
cannot use the key for packet authentication.
Examples
# Specify the MD5 authentication algorithm for key 1 of keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] authentication-algorithm md5
default-send-key
Use default-send-key to specify a key in a keychain as the default send key.
Use undo default-send-key to restore the default.
Syntax
default-send-key
undo default-send-key
Default
No key in a keychain is specified as the default send key.
Views
Key view
Predefined user roles
network-admin
Usage guidelines
When send keys in a keychain are inactive, the default send key can be used for packet
authentication.
A keychain can have only one default send key. The default send key must be configured with an
authentication algorithm and a key string.
Examples
# Specify key 1 in keychain abc as the default send key.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] default-send-key
display keychain
Use display keychain to display keychain information.
Syntax
display keychain [ name keychain-name [ key key-id ] ]
5
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63
characters. If you do not specify a keychain, this command displays information about all keychains.
key key-id: Specifies a key by its ID in the range of 0 to 281474976710655. If you do not specify
a key, this command displays information about all keys in a keychain.
Examples
# Display information about all keychains.
<Sysname> display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : 2 (Inactive)
Active send key ID : 1
Active accept key IDs: 1 2
Key ID : 1
Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==
Algorithm : md5
Send lifetime : 01:00:00 2019/01/22 to 01:00:00 2019/01/25
Send status : Active
Accept lifetime : 01:00:00 2019/01/22 to 01:00:00 2019/01/27
Accept status : Active
Key ID : 2
Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==
Algorithm : md5
Send lifetime : 01:00:01 2019/01/25 to 01:00:00 2019/01/27
Send status : Inactive
Accept lifetime : 01:00:00 2019/01/22 to 01:00:00 2019/01/27
Accept status : Active
6
Table 1 Command output
Field
Description
Mode
Time mode for the keychain:
• Absolute.
• Periodic daily.
• Periodic weekly.
• Periodic monthly.
• Periodic yearly.
Accept tolerance Tolerance time (in seconds) for accept keys of the keychain.
TCP kind value Value for the TCP kind field.
TCP algorithm value ID of the TCP authentication algorithm. The default algorithm ID is 5 for
HMAC-MD5, 7 for HMAC-SHA-256, and 3 for MD5.
Default send key ID ID of the default send key. The status for the key is displayed in
parentheses.
Key string Key string in encrypted form.
Algorithm
Authentication algorithm for the key:
• hmac-md5
• hmac-sha-1
• hmac-sha-256
• md5
Send lifetime Sending lifetime for the key.
Send status Status of the send key: Active or Inactive.
Accept lifetime Receiving lifetime for the key.
Accept status Status of the accept key: Active or Inactive.
key
Use key to create a key for a keychain and enter its view, or enter the view of an existing key.
Use undo key to delete a key and all its configurations for a keychain.
Syntax
key key-id
undo key key-id
Default
No keys exist.
Views
Keychain view
Predefined user roles
network-admin
Parameters
key-id: Specifies a key ID in the range of 0 to 281474976710655.
7
Usage guidelines
The keys in a keychain must have different key IDs.
Examples
# Create key 1 and enter its view.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1]
keychain
Use keychain to create a keychain and enter its view, or enter the view of an existing keychain.
Use undo keychain to delete a keychain and all its configurations.
Syntax
keychain keychain-name [ mode { absolute | periodic { daily | monthly |
weekly | yearly } } ]
undo keychain keychain-name
Default
No keychains exist.
Views
System view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies a keychain name, a case-sensitive string of 1 to 63 characters.
mode: Specifies a time mode.
absolute: Specifies the absolute time mode. In this mode, each time point during a key's lifetime is
the UTC time and is not affected by the system's time zone or daylight saving time.
periodic: Specifies the periodic time mode. In this mode, a key's lifetime is calculated based on
the local time and is affected by the system's time zone and daylight saving time.
daily: Specifies the daily periodic time mode.
monthly: Specifies the monthly periodic time mode.
weekly: Specifies the weekly periodic time mode.
yearly: Specifies the yearly periodic time mode.
Usage guidelines
You must specify the time mode when you create a keychain. You cannot change the time mode for
an existing keychain.
The time mode is not required when you enter the view of an existing keychain.
Examples
# Create keychain abc, specify the absolute time mode for it, and enter keychain view.
<Sysname> system-view
8
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc]
key-string
Use key-string to configure a key string for a key.
Use undo key-string to restore the default.
Syntax
key-string { cipher | plain } string
undo key-string
Default
No key string is configured for a key.
Views
Key view
Predefined user roles
network-admin
Parameters
cipher: Specifies a key in encrypted form.
plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form
will be stored in encrypted form.
string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its
encrypted form is a case-sensitive string of 33 o 373 characters.
Usage guidelines
If the length of a plaintext key exceeds the length limit supported by an application, the application
uses the supported length of the key to authenticate packets.
Examples
# Set the key string to 123456 in plaintext form for key 1.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] key-string plain 123456
send-lifetime
Use send-lifetime to set the sending lifetime for a key of a keychain.
Use undo send-lifetime to restore the default.
Syntax
send-lifetime daily start-day-time to end-day-time
send-lifetime date { month-day&<1-31> | start-month-day to
end-month-day }
send-lifetime day { week-day | start-week-day to end-week-day }
send-lifetime month { month | start-month to end-month }
9
send-lifetime utc start-time start-date { duration { duration-value |
infinite } | to end-time end-date }
undo send-lifetime
Default
The sending lifetime is not configured for a key of a keychain.
Views
Key view
Predefined user roles
network-admin
Parameters
daily: Specifies the key to be effective in the specified time range of each day.
start-day-time to end-day-time: Specifies the time range of each day. Both the start time
and the end time are in the HH:MM:SS format. The value range for the start-day-time
argument and the end-day-time argument is 0:0:0 to 23:59:59.
date: Specifies the key to be effective on the specified dates of each month.
month-day&<1-31>: Specifies a space-separated list of up to 31 dates of a month. The value
range for the month-day argument is 1 to 31.
start-month-day to end-month-day: Specifies the date range of each month. The end date
must be greater than the start date.
day: Specifies the key to be effective on the specified days of each week.
week-day: Specifies a day in a week. Values include mon, tue, wed, thu, fri, sat, and sun. You
can specify this argument multiple times with different values.
start-week-day to end-week-day: Specifies the day range of each week. The end day must
be greater than the start day.
month: Specifies the key to be effective in the specified months of each year.
month: Specifies a month in a year. Values include jan, feb, mar, apr, may, jun, jul, aug, sep, oct,
nov, and dec. You can specify this argument multiple times with different values.
start-month to end-month: Specifies the month range of each year. The end month must be
greater than the start month.
utc: Specifies the sending lifetime in absolute time mode. The key takes effect in the specified time
range, for example, from 08:00 2019/9/1 to 18:00 2019/9/3.
start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is
0:0:0 to 23:59:59.
start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value
range for YYYY is 2000 to 2035.
duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646
seconds.
duration infinite: Specifies that the key never expires after it becomes valid.
to: Specifies the end time and date.
end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is
0:0:0 to 23:59:59.
end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range
for YYYY is 2000 to 2035.
10
Usage guidelines
A key becomes a valid send key when the following requirements are met:
•
A key string has been configured.
•
An authentication algorithm has been specified.
•
The system time is within the specified sending lifetime.
To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set
non-overlapping sending lifetimes for the keys in the keychain.
Examples
# Set the sending lifetime for key 1 of keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] send-lifetime utc 12:30 2019/1/21 to 18:30 2019/1/21
# Set the sending lifetime for key 1 of keychain 123 in weekly periodic time mode.
<Sysname> system-view
[Sysname] keychain 123 mode periodic weekly
[Sysname-keychain-123] key 1
[Sysname-keychain-123-key-1] send-lifetime day fri
tcp-algorithm-id
Use tcp-algorithm-id to set an algorithm ID for a TCP authentication algorithm.
Use undo tcp-algorithm-id to restore the default.
Syntax
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 } algorithm-id
undo tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 }
Default
The algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5 authentication
algorithm, and 7 for the HMAC-SHA-256 authentication algorithm.
Views
Keychain view
Predefined user roles
network-admin
Parameters
hmac-md5: Specifies the HMAC-MD5 authentication algorithm, which provides a key length of 16
bytes.
hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm, which provides a key
length of 16 bytes.
md5: Specifies the MD5 authentication algorithm, which provides a key length of 16 bytes.
algorithm-id: Specifies an algorithm ID in the range of 1 to 63.
Usage guidelines
If an application uses keychain authentication during TCP connection establishment, the incoming
and outgoing TCP packets will carry the TCP Enhanced Authentication Option. The
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
-
1
-
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42
-
43
-
44
-
45
-
46
-
47
-
48
-
49
-
50
-
51
-
52
-
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
-
133
-
134
-
135
-
136
-
137
-
138
-
139
-
140
-
141
-
142
-
143
-
144
-
145
-
146
-
147
-
148
-
149
-
150
-
151
-
152
-
153
-
154
-
155
-
156
-
157
-
158
-
159
-
160
-
161
-
162
-
163
-
164
-
165
-
166
-
167
-
168
-
169
-
170
-
171
-
172
-
173
-
174
-
175
-
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
-
184
-
185
-
186
-
187
-
188
-
189
-
190
-
191
-
192
-
193
-
194
-
195
-
196
-
197
-
198
-
199
-
200
-
201
-
202
-
203
-
204
-
205
-
206
-
207
-
208
-
209
-
210
-
211
-
212
-
213
-
214
-
215
-
216
-
217
-
218
-
219
-
220
-
221
-
222
-
223
-
224
-
225
-
226
-
227
-
228
-
229
-
230
-
231
-
232
-
233
-
234
-
235
-
236
-
237
-
238
-
239
-
240
-
241
-
242
-
243
-
244
-
245
-
246
-
247
-
248
-
249
-
250
-
251
-
252
-
253
-
254
-
255
-
256
-
257
-
258
-
259
-
260
-
261
-
262
-
263
-
264
-
265
-
266
-
267
-
268
-
269
-
270
-
271
-
272
-
273
-
274
-
275
-
276
-
277
-
278
-
279
-
280
-
281
-
282
-
283
-
284
-
285
-
286
-
287
-
288
-
289
-
290
-
291
-
292
-
293
-
294
-
295
-
296
-
297
-
298
-
299
-
300
-
301
-
302
-
303
-
304
-
305
-
306
-
307
-
308
-
309
-
310
-
311
-
312
-
313
-
314
-
315
-
316
-
317
-
318
-
319
-
320
-
321
-
322
-
323
-
324
-
325
-
326
-
327
-
328
-
329
-
330
-
331
-
332
-
333
-
334
-
335
-
336
-
337
-
338
-
339
-
340
-
341
-
342
-
343
-
344
-
345
-
346
-
347
-
348
-
349
-
350
-
351
-
352
-
353
-
354
-
355
-
356
-
357
-
358
-
359
-
360
-
361
-
362
-
363
-
364
-
365
-
366
-
367
-
368
-
369
-
370
-
371
-
372
-
373
-
374
-
375
-
376
-
377
-
378
-
379
-
380
-
381
-
382
-
383
-
384
-
385
-
386
-
387
-
388
-
389
-
390
-
391
-
392
-
393
-
394
-
395
-
396
-
397
-
398
-
399
-
400
-
401
-
402
-
403
Ask a question and I''ll find the answer in the document
Finding information in a document is now easier with AI
Related papers
Other documents
-
HPE FlexNetwork 7500 Series Security Configuration Manual
-
H3C MSR Series Command Reference Manual
-
-
HP 6125XLG Configuration manual
-
-
-
Cisco Nexus 9000 Series Switches Configuration Guide
-
-
3com 4210G NT Configuration manual
-
Allied Telesis x230L-17GT User manual