Aruba R9F19A Reference guide


HPE FlexFabric 12900E Switch Series
Security Command Reference
Software version: Release 5210
Document version: 6W100-20230424
© Copyright 2023 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents

Keychain commands ···· 1
    accept-lifetime ···· 1
    accept-tolerance ···· 2
    authentication-algorithm ···· 3
    default-send-key ···· 4
    display keychain ···· 4
    key ···· 6
    keychain ···· 7
    key-string ···· 8
    send-lifetime ···· 8
    tcp-algorithm-id ···· 10
    tcp-kind ···· 11
Public key management commands ···· 12
    clear master-key ···· 12
    display master-key info ···· 12
    display master-key type ···· 14
    display public-key local public ···· 14
    display public-key peer ···· 19
    peer-public-key end ···· 20
    public-key local create ···· 21
    public-key local destroy ···· 24
    public-key local export dsa ···· 25
    public-key local export ecdsa ···· 27
    public-key local export rsa ···· 28
    public-key local import ···· 30
    public-key peer ···· 31
    public-key peer import sshkey ···· 32
    set master-key ···· 33
PKI commands ···· 36
    attribute ···· 36
    ca identifier ···· 37
    certificate request entity ···· 38
    certificate request from ···· 39
    certificate request mode ···· 39
    certificate request polling ···· 41
    certificate request url ···· 42
    common-name ···· 43
    country ···· 43
    crl check enable ···· 44
    crl update-period ···· 44
    crl url ···· 45
    display pki certificate access-control-policy ···· 46
    display pki certificate attribute-group ···· 47
    display pki certificate domain ···· 49
    display pki certificate renew-status ···· 53
    display pki certificate request-status ···· 55
    display pki crl domain ···· 56
    fqdn ···· 58
    ip ···· 59
    ldap-server ···· 59
    locality ···· 60
    organization ···· 61
    organization-unit ···· 61
    pkcs7-encryption-algorithm ···· 62
    pki abort-certificate-request ···· 63
    pki certificate access-control-policy ···· 63
    pki certificate attribute-group ···· 64
    pki certificate logging enable ···· 65
    pki delete-certificate ···· 66
    pki domain ···· 67
    pki entity ···· 68
    pki export ···· 69
    pki import ···· 76
    pki request-certificate ···· 80
    pki retrieve-certificate ···· 81
    pki retrieve-crl ···· 83
    pki storage ···· 84
    pki validate-certificate ···· 84
    public-key dsa ···· 86
    public-key ecdsa ···· 87
    public-key rsa ···· 89
    root-certificate fingerprint ···· 90
    rule ···· 91
    source ···· 92
    state ···· 93
    subject-dn ···· 94
    usage ···· 95
    vpn-instance ···· 96
Crypto engine commands ···· 97
    display crypto-engine ···· 97
    display crypto-engine statistics ···· 98
    reset crypto-engine statistics ···· 99
SSH commands ···· 100
    SSH server commands ···· 100
        display ssh server ···· 100
        display ssh user-information ···· 101
        free ssh ···· 102
        scp server enable ···· 103
        sftp server enable ···· 104
        sftp server idle-timeout ···· 104
        ssh server acl ···· 105
        ssh server acl-deny-log enable ···· 106
        ssh server authentication-retries ···· 107
        ssh server authentication-timeout ···· 107
        ssh server compatible-ssh1x enable ···· 108
        ssh server dscp ···· 109
        ssh server enable ···· 109
        ssh server ipv6 acl ···· 110
        ssh server ipv6 dscp ···· 111
        ssh server key-re-exchange enable ···· 111
        ssh server pki-domain ···· 112
        ssh server port ···· 113
        ssh server rekey-interval ···· 113
        ssh user ···· 114
    SSH client commands ···· 117
        bye ···· 117
        cd ···· 117
        cdup ···· 118
        delete ···· 118
        delete ssh client server-public-key ···· 118
        dir ···· 119
        display scp client source ···· 120
        display sftp client source ···· 120
        display ssh client server-public-key ···· 121
        display ssh client source ···· 122
        exit ···· 123
        get ···· 123
        help ···· 124
        ls ···· 124
        mkdir ···· 125
        put ···· 126
        pwd ···· 126
        quit ···· 127
        remove ···· 127
        rename ···· 127
        rmdir ···· 128
        scp ···· 128
        scp client ipv6 source ···· 132
        scp client source ···· 132
        scp ipv6 ···· 133
        scp ipv6 suite-b ···· 137
        scp suite-b ···· 139
        sftp ···· 141
        sftp client ipv6 source ···· 143
        sftp client source ···· 144
        sftp ipv6 ···· 145
        sftp ipv6 suite-b ···· 148
        sftp suite-b ···· 149
        ssh client ipv6 source ···· 151
        ssh client source ···· 152
        ssh2 ···· 152
        ssh2 ipv6 ···· 155
        ssh2 ipv6 suite-b ···· 158
        ssh2 suite-b ···· 160
    SSH2 commands ···· 162
        display ssh2 algorithm ···· 162
        ssh2 algorithm cipher ···· 163
        ssh2 algorithm key-exchange ···· 164
        ssh2 algorithm mac ···· 164
        ssh2 algorithm public-key ···· 165
SSL commands ···· 167
    certificate-chain-sending enable ···· 167
    ciphersuite ···· 167
    ciphersuite server-preferred enable ···· 170
    client-verify ···· 171
    display ssl client-policy ···· 172
    display ssl server-policy ···· 173
    pki-domain (SSL client policy view) ···· 174
    pki-domain (SSL server policy view) ···· 175
    prefer-cipher ···· 175
    server-name ···· 178
    server-verify enable ···· 179
    session ···· 180
    ssl client-policy ···· 181
    ssl renegotiation disable ···· 182
    ssl server-policy ···· 182
    ssl version disable ···· 183
    version ···· 184
    version disable ···· 184
Packet filter commands ···· 186
    acl logging interval ···· 186
    acl trap interval ···· 187
    display packet-filter ···· 187
    display packet-filter statistics ···· 189
    display packet-filter statistics sum ···· 192
    display packet-filter verbose ···· 194
    packet-filter (Ethernet service instance view) ···· 197
    packet-filter (interface view) ···· 198
    packet-filter (service template view) ···· 200
    packet-filter default deny ···· 201
    packet-filter global ···· 202
    reset packet-filter statistics ···· 203
DHCP snooping commands ···· 205
    dhcp snooping alarm enable ···· 205
    dhcp snooping alarm threshold ···· 206
    dhcp snooping binding database filename ···· 206
    dhcp snooping binding database update interval ···· 208
    dhcp snooping binding database update now ···· 209
    dhcp snooping binding record ···· 209
    dhcp snooping check giaddr ···· 210
    dhcp snooping check mac-address ···· 211
    dhcp snooping check request-message ···· 211
    dhcp snooping client-detect ···· 212
    dhcp snooping deny ···· 213
    dhcp snooping disable ···· 213
    dhcp snooping enable ···· 214
    dhcp snooping enable vlan ···· 214
    dhcp snooping information circuit-id ···· 215
    dhcp snooping information enable ···· 217
    dhcp snooping information remote-id ···· 218
    dhcp snooping information strategy ···· 219
    dhcp snooping information vendor-specific ···· 220
    dhcp snooping log enable ···· 221
    dhcp snooping max-learning-num ···· 222
    dhcp snooping rate-limit ···· 222
    dhcp snooping trust ···· 223
    dhcp snooping trust interface ···· 224
    dhcp snooping trust tunnel ···· 225
    display dhcp snooping binding ···· 225
    display dhcp snooping binding database ···· 227
    display dhcp snooping information ···· 227
    display dhcp snooping drni-statistics ···· 229
    display dhcp snooping drni-status ···· 230
display dhcp snooping packet statistics ································································································· 231
display dhcp snooping trust ···················································································································· 232
reset dhcp snooping binding ·················································································································· 233
reset dhcp snooping drni-statistics ········································································································· 233
reset dhcp snooping packet statistics ···································································································· 234
DHCPv6 snooping commands ··································································· 235
display ipv6 dhcp snooping binding ······································································································· 235
display ipv6 dhcp snooping binding database························································································ 236
display ipv6 dhcp snooping drni-statistics ······························································································ 236
display ipv6 dhcp snooping drni-status ·································································································· 238
display ipv6 dhcp snooping packet statistics·························································································· 239
display ipv6 dhcp snooping pd binding ·································································································· 240
display ipv6 dhcp snooping trust ············································································································ 241
ipv6 dhcp snooping alarm enable ·········································································································· 241
ipv6 dhcp snooping alarm threshold ······································································································ 242
ipv6 dhcp snooping binding database filename ····················································································· 243
ipv6 dhcp snooping binding database update interval ··········································································· 245
ipv6 dhcp snooping binding database update now ················································································ 245
ipv6 dhcp snooping binding record ········································································································ 246
ipv6 dhcp snooping check relay-forward ································································································ 246
ipv6 dhcp snooping check request-message ························································································· 247
ipv6 dhcp snooping client-detect ············································································································ 248
ipv6 dhcp snooping deny ······················································································································· 249
ipv6 dhcp snooping enable ···················································································································· 249
ipv6 dhcp snooping log enable··············································································································· 250
ipv6 dhcp snooping max-learning-num ·································································································· 250
ipv6 dhcp snooping option interface-id enable ······················································································· 251
ipv6 dhcp snooping option interface-id string ························································································· 252
ipv6 dhcp snooping option remote-id enable ························································································· 252
ipv6 dhcp snooping option remote-id string ··························································································· 253
ipv6 dhcp snooping pd binding record ··································································································· 254
ipv6 dhcp snooping rate-limit ················································································································· 254
ipv6 dhcp snooping trust ························································································································ 255
ipv6 dhcp snooping trust tunnel ············································································································· 256
reset ipv6 dhcp snooping binding··········································································································· 256
reset ipv6 dhcp snooping drni-statistics ································································································· 257
reset ipv6 dhcp snooping packet statistics ····························································································· 257
reset ipv6 dhcp snooping pd binding ······································································································ 258
ARP attack protection commands ······························································ 259
Unresolvable IP attack protection commands ································································································ 259
arp resolving-route enable ····················································································································· 259
arp resolving-route probe-count ············································································································· 259
arp resolving-route probe-interval ·········································································································· 260
arp source-suppression enable ·············································································································· 260
arp source-suppression limit ·················································································································· 261
display arp source-suppression ············································································································· 262
ARP packet rate limit commands ··················································································································· 262
arp rate-limit ··········································································································································· 262
arp rate-limit log enable ·························································································································· 263
arp rate-limit log interval ························································································································· 263
snmp-agent trap enable arp ··················································································································· 264
Source MAC-based ARP attack detection commands ·················································································· 265
arp source-mac ······································································································································ 265
arp source-mac aging-time ···················································································································· 266
arp source-mac exclude-mac ················································································································· 266
arp source-mac threshold ······················································································································ 267
display arp source-mac ·························································································································· 267
display arp source-mac statistics ··········································································································· 268
reset arp source-mac statistics ·············································································································· 269
ARP packet source MAC consistency check commands··············································································· 269
arp valid-check enable ··························································································································· 269
display arp valid-check statistics ············································································································ 270
reset arp valid-check statistics ··············································································································· 271
ARP active acknowledgement commands ····································································································· 271
arp active-ack enable ····························································································································· 271
Authorized ARP commands ··························································································································· 272
arp authorized enable ···························································································································· 272
ARP attack detection commands ··················································································································· 272
arp detection enable······························································································································· 272
arp detection log enable ························································································································· 273
arp detection port-match-ignore ············································································································· 274
arp detection rule ··································································································································· 275
arp detection trust ·································································································································· 276
arp detection validate ····························································································································· 276
arp restricted-forwarding enable ············································································································ 277
display arp detection ······························································································································ 278
display arp detection statistics attack-source ························································································· 278
display arp detection statistics packet-drop ··························································································· 279
reset arp detection statistics attack-source ···························································································· 280
reset arp detection statistics packet-drop ······························································································· 281
ARP scanning and fixed ARP commands ······································································································ 281
arp fixup ················································································································································· 281
arp scan ················································································································································· 282
arp scan auto enable······························································································································ 283
arp scan auto send-rate ························································································································· 285
ARP gateway protection commands ·············································································································· 285
arp filter source ······································································································································ 285
ARP filtering commands································································································································· 286
arp filter binding ······································································································································ 286
ARP packet sender IP address checking commands ···················································································· 287
arp sender-ip-range ································································································································ 287
ND attack defense commands ··································································· 288
ND packet rate limit commands ····················································································································· 288
ipv6 nd rate-limit ····································································································································· 288
ipv6 nd rate-limit log enable ··················································································································· 288
ipv6 nd rate-limit log interval ·················································································································· 289
Source MAC consistency check commands ·································································································· 290
ipv6 nd check log enable························································································································ 290
ipv6 nd mac-check enable ····················································································································· 290
ND attack detection commands ····················································································································· 291
display ipv6 nd detection statistics ········································································································· 291
ipv6 nd detection enable ························································································································ 292
ipv6 nd detection log enable ·················································································································· 292
reset ipv6 nd detection statistics ············································································································ 293
ND scanning commands ································································································································ 293
ipv6 nd scan auto enable ··········································································································· 293
ipv6 nd scan auto send-rate ··················································································································· 295
Attack detection and prevention commands ·············································· 296
ack-flood action ······································································································································ 296
ack-flood detect ······································································································································ 296
ack-flood detect non-specific ·················································································································· 297
ack-flood threshold ································································································································· 298
attack-defense local apply policy ··········································································································· 299
attack-defense login reauthentication-delay··························································································· 300
attack-defense policy ····························································································································· 300
attack-defense signature log non-aggregate·························································································· 301
attack-defense tcp fragment enable ······································································································· 302
blacklist global enable ···························································································································· 302
blacklist ip ··············································································································································· 303
blacklist ipv6 ··········································································································································· 304
blacklist logging enable ·························································································································· 305
display attack-defense flood statistics ip ································································································ 306
display attack-defense flood statistics ipv6 ···························································································· 308
display attack-defense policy ················································································································· 310
display attack-defense policy ip ············································································································· 315
display attack-defense policy ipv6 ·········································································································· 317
display attack-defense scan attacker ip ································································································· 318
display attack-defense scan attacker ipv6 ····························································································· 320
display attack-defense statistics interface ······························································································ 321
display attack-defense statistics local ···································································································· 325
dns-flood action ······································································································································ 329
dns-flood detect ······································································································································ 330
dns-flood detect non-specific ················································································································· 331
dns-flood port ········································································································································· 332
dns-flood threshold ································································································································· 332
exempt acl ·············································································································································· 333
fin-flood action ········································································································································ 334
fin-flood detect ········································································································································ 335
fin-flood detect non-specific ··················································································································· 336
fin-flood threshold ··································································································································· 337
http-flood action ······································································································································ 338
http-flood detect ····································································································································· 338
http-flood detect non-specific ················································································································· 340
http-flood port ········································································································································· 340
http-flood threshold ································································································································ 341
icmp-flood action ···································································································································· 342
icmp-flood detect ip ································································································································ 343
icmp-flood detect non-specific················································································································ 344
icmp-flood threshold ······························································································································· 344
icmpv6-flood action ································································································································ 345
icmpv6-flood detect ipv6 ························································································································ 346
icmpv6-flood detect non-specific ············································································································ 347
icmpv6-flood threshold ··························································································································· 348
reset attack-defense policy flood ············································································································ 349
reset attack-defense statistics local ······································································································· 349
rst-flood action ········································································································································ 350
rst-flood detect ······································································································································· 350
rst-flood detect non-specific ··················································································································· 351
rst-flood threshold ·································································································································· 352
scan detect ············································································································································· 353
signature { large-icmp | large-icmpv6 } max-length ················································································ 354
signature detect ······································································································································ 355
signature level action ····························································································································· 358
signature level detect ····························································································································· 359
syn-ack-flood action ······························································································································· 360
syn-ack-flood detect ······························································································································· 361
syn-ack-flood detect non-specific ··········································································································· 362
syn-ack-flood threshold ·························································································································· 363
syn-flood action ······································································································································ 363
syn-flood detect ······································································································································ 364
syn-flood detect non-specific ·················································································································· 365
syn-flood threshold ································································································································· 366
udp-flood action ······································································································································ 367
udp-flood detect ····································································································································· 367
udp-flood detect non-specific ················································································································· 369
udp-flood threshold ································································································································ 369
IP source guard commands ······································································· 371
display ip source binding ························································································································ 371
display ipv6 source binding ···················································································································· 372
display ipv6 source binding pd ··············································································································· 374
ip source binding (interface view) ··········································································································· 375
ip source binding (system view) ············································································································· 376
ip verify source ······································································································································· 377
ipv6 source binding (interface view) ······································································································· 378
ipv6 source binding (system view) ········································································································· 379
ipv6 verify source ··································································································································· 380
IPv4 uRPF commands ··············································································· 382
display ip urpf ········································································································································· 382
ip urpf ····················································································································································· 382
Document conventions and icons ······························································ 384
Conventions ··················································································································································· 384
Network topology icons ·································································································································· 385
Support and other resources ····································································· 386
Accessing Hewlett Packard Enterprise Support····························································································· 386
Accessing updates ········································································································································· 386
Websites ················································································································································ 387
Customer self repair ······························································································································· 387
Remote support ······································································································································ 387
Documentation feedback ······················································································································· 387
Index ·········································································································· 389
Keychain commands
accept-lifetime
Use accept-lifetime to set the receiving lifetime for a key of a keychain.
Use undo accept-lifetime to restore the default.
Syntax
accept-lifetime daily start-day-time to end-day-time
accept-lifetime date { month-day&<1-31> | start-month-day to end-month-day }
accept-lifetime day { week-day | start-week-day to end-week-day }
accept-lifetime month { month | start-month to end-month }
accept-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
undo accept-lifetime
Default
The receiving lifetime is not configured for a key of a keychain.
Views
Key view
Predefined user roles
network-admin
Parameters
daily: Specifies the key to be effective in the specified time range of each day.
start-day-time to end-day-time: Specifies the time range of each day. Both the start time
and the end time are in the HH:MM:SS format. The value range for the start-day-time
argument and the end-day-time argument is 0:0:0 to 23:59:59.
date: Specifies the key to be effective on the specified dates of each month.
month-day&<1-31>: Specifies a space-separated list of up to 31 dates of a month. The value
range for the month-day argument is 1 to 31.
start-month-day to end-month-day: Specifies the date range of each month. The end date
must be greater than the start date.
day: Specifies the key to be effective on the specified days of each week.
week-day: Specifies a day in a week. Values include mon, tue, wed, thu, fri, sat, and sun. You
can specify this argument multiple times with different values.
start-week-day to end-week-day: Specifies the day range of each week. The end day must
be greater than the start day.
month: Specifies the key to be effective in the specified months of each year.
month: Specifies a month in a year. Values include jan, feb, mar, apr, may, jun, jul, aug, sep, oct,
nov, and dec. You can specify this argument multiple times with different values.
start-month to end-month: Specifies the month range of each year. The end month must be
greater than the start month.
utc: Specifies the receiving lifetime in absolute time mode. The key takes effect in the specified time
range, for example, from 08:00 2019/9/1 to 18:00 2019/9/3.
start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is
0:0:0 to 23:59:59.
start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value
range for YYYY is 2000 to 2035.
duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646
seconds.
duration infinite: Specifies that the key never expires after it becomes valid.
to: Specifies the end time and date.
end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is
0:0:0 to 23:59:59.
end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range
for YYYY is 2000 to 2035.
Usage guidelines
A key becomes a valid accept key when the following requirements are met:
• A key string has been configured.
• An authentication algorithm has been specified.
• The system time is within the specified receiving lifetime.
If an application receives a packet that carries a key ID, and the key is valid, the application uses the
key to authenticate the packet. If the key is not valid, packet authentication fails.
If the received packet does not carry a key ID, the application uses all valid keys in the keychain to
authenticate the packet. If the packet does not pass any authentication, packet authentication fails.
An application can use multiple valid keys to authenticate packets received from a peer.
Examples
# Set the receiving lifetime for key 1 of keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] accept-lifetime utc 12:30 2019/1/21 to 18:30 2019/1/21
# Set the receiving lifetime for key 1 of keychain 123 in weekly periodic time mode.
<Sysname> system-view
[Sysname] keychain 123 mode periodic weekly
[Sysname-keychain-123] key 1
[Sysname-keychain-123-key-1] accept-lifetime day fri
accept-tolerance
Use accept-tolerance to set a tolerance time for accept keys in a keychain.
Use undo accept-tolerance to restore the default.
Syntax
accept-tolerance { value | infinite }
undo accept-tolerance
Default
No tolerance time is configured for accept keys in a keychain.
Views
Keychain view
Predefined user roles
network-admin
Parameters
value: Specifies a tolerance time in the range of 1 to 8640000 seconds.
infinite: Specifies that the accept keys never expire.
Usage guidelines
After a tolerance time is configured, the start time and the end time configured in the
accept-lifetime utc command are extended for the period of the tolerance time.
When authentication information is changed, the local and peer devices might temporarily hold
mismatched information, and the service might be interrupted. Use this command to keep packet
authentication continuous during such a change.
Examples
# Set the tolerance time to 100 seconds for accept keys in keychain abc.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] accept-tolerance 100
# Configure the accept keys in keychain abc to never expire.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] accept-tolerance infinite
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for a key.
Use undo authentication-algorithm to restore the default.
Syntax
authentication-algorithm { hmac-md5 | hmac-sha-1 | hmac-sha-256 | md5 }
undo authentication-algorithm
Default
No authentication algorithm is specified for a key.
Views
Key view
Predefined user roles
network-admin
Parameters
hmac-md5: Specifies the HMAC-MD5 authentication algorithm.
hmac-sha-1: Specifies the HMAC-SHA-1 authentication algorithm.
hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm.
md5: Specifies the MD5 authentication algorithm.
Usage guidelines
If an application does not support the authentication algorithm specified for a key, the application
cannot use the key for packet authentication.
Examples
# Specify the MD5 authentication algorithm for key 1 of keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] authentication-algorithm md5
default-send-key
Use default-send-key to specify a key in a keychain as the default send key.
Use undo default-send-key to restore the default.
Syntax
default-send-key
undo default-send-key
Default
No key in a keychain is specified as the default send key.
Views
Key view
Predefined user roles
network-admin
Usage guidelines
When no send key in a keychain is active, the default send key can be used for packet
authentication.
A keychain can have only one default send key. The default send key must be configured with an
authentication algorithm and a key string.
Examples
# Specify key 1 in keychain abc as the default send key.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] default-send-key
display keychain
Use display keychain to display keychain information.
Syntax
display keychain [ name keychain-name [ key key-id ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name keychain-name: Specifies a keychain by its name, a case-sensitive string of 1 to 63
characters. If you do not specify a keychain, this command displays information about all keychains.
key key-id: Specifies a key by its ID in the range of 0 to 281474976710655. If you do not specify
a key, this command displays information about all keys in a keychain.
Examples
# Display information about all keychains.
<Sysname> display keychain
Keychain name : abc
Mode : absolute
Accept tolerance : 0
TCP kind value : 254
TCP algorithm value
HMAC-MD5 : 5
HMAC-SHA-256 : 7
MD5 : 3
Default send key ID : 2 (Inactive)
Active send key ID : 1
Active accept key IDs: 1 2
Key ID : 1
Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==
Algorithm : md5
Send lifetime : 01:00:00 2019/01/22 to 01:00:00 2019/01/25
Send status : Active
Accept lifetime : 01:00:00 2019/01/22 to 01:00:00 2019/01/27
Accept status : Active
Key ID : 2
Key string : $c$3$vuJpEX3Lah7xcSR2uqmrTK2IZQJZguJh3g==
Algorithm : md5
Send lifetime : 01:00:01 2019/01/25 to 01:00:00 2019/01/27
Send status : Inactive
Accept lifetime : 01:00:00 2019/01/22 to 01:00:00 2019/01/27
Accept status : Active
Table 1 Command output
Field                  Description
Mode                   Time mode for the keychain:
                       • Absolute.
                       • Periodic daily.
                       • Periodic weekly.
                       • Periodic monthly.
                       • Periodic yearly.
Accept tolerance       Tolerance time (in seconds) for accept keys of the keychain.
TCP kind value         Value for the TCP kind field.
TCP algorithm value    ID of the TCP authentication algorithm. The default algorithm ID is 5 for
                       HMAC-MD5, 7 for HMAC-SHA-256, and 3 for MD5.
Default send key ID    ID of the default send key. The status for the key is displayed in
                       parentheses.
Key string             Key string in encrypted form.
Algorithm              Authentication algorithm for the key:
                       • hmac-md5
                       • hmac-sha-1
                       • hmac-sha-256
                       • md5
Send lifetime          Sending lifetime for the key.
Send status            Status of the send key: Active or Inactive.
Accept lifetime        Receiving lifetime for the key.
Accept status          Status of the accept key: Active or Inactive.
key
Use key to create a key for a keychain and enter its view, or enter the view of an existing key.
Use undo key to delete a key and all its configurations for a keychain.
Syntax
key key-id
undo key key-id
Default
No keys exist.
Views
Keychain view
Predefined user roles
network-admin
Parameters
key-id: Specifies a key ID in the range of 0 to 281474976710655.
Usage guidelines
The keys in a keychain must have different key IDs.
Examples
# Create key 1 and enter its view.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1]
keychain
Use keychain to create a keychain and enter its view, or enter the view of an existing keychain.
Use undo keychain to delete a keychain and all its configurations.
Syntax
keychain keychain-name [ mode { absolute | periodic { daily | monthly | weekly | yearly } } ]
undo keychain keychain-name
Default
No keychains exist.
Views
System view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies a keychain name, a case-sensitive string of 1 to 63 characters.
mode: Specifies a time mode.
absolute: Specifies the absolute time mode. In this mode, each time point during a key's lifetime is
the UTC time and is not affected by the system's time zone or daylight saving time.
periodic: Specifies the periodic time mode. In this mode, a key's lifetime is calculated based on
the local time and is affected by the system's time zone and daylight saving time.
daily: Specifies the daily periodic time mode.
monthly: Specifies the monthly periodic time mode.
weekly: Specifies the weekly periodic time mode.
yearly: Specifies the yearly periodic time mode.
Usage guidelines
You must specify the time mode when you create a keychain. You cannot change the time mode for
an existing keychain.
The time mode is not required when you enter the view of an existing keychain.
Examples
# Create keychain abc, specify the absolute time mode for it, and enter keychain view.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc]
key-string
Use key-string to configure a key string for a key.
Use undo key-string to restore the default.
Syntax
key-string { cipher | plain } string
undo key-string
Default
No key string is configured for a key.
Views
Key view
Predefined user roles
network-admin
Parameters
cipher: Specifies a key in encrypted form.
plain: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form
will be stored in encrypted form.
string: Specifies the key. Its plaintext form is a case-sensitive string of 1 to 255 characters. Its
encrypted form is a case-sensitive string of 33 to 373 characters.
Usage guidelines
If the length of a plaintext key exceeds the length limit supported by an application, the application
uses the supported length of the key to authenticate packets.
Examples
# Set the key string to 123456 in plaintext form for key 1.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] key-string plain 123456
send-lifetime
Use send-lifetime to set the sending lifetime for a key of a keychain.
Use undo send-lifetime to restore the default.
Syntax
send-lifetime daily start-day-time to end-day-time
send-lifetime date { month-day&<1-31> | start-month-day to end-month-day }
send-lifetime day { week-day | start-week-day to end-week-day }
send-lifetime month { month | start-month to end-month }
send-lifetime utc start-time start-date { duration { duration-value | infinite } | to end-time end-date }
undo send-lifetime
Default
The sending lifetime is not configured for a key of a keychain.
Views
Key view
Predefined user roles
network-admin
Parameters
daily: Specifies the key to be effective in the specified time range of each day.
start-day-time to end-day-time: Specifies the time range of each day. Both the start time
and the end time are in the HH:MM:SS format. The value range for the start-day-time
argument and the end-day-time argument is 0:0:0 to 23:59:59.
date: Specifies the key to be effective on the specified dates of each month.
month-day&<1-31>: Specifies a space-separated list of up to 31 dates of a month. The value
range for the month-day argument is 1 to 31.
start-month-day to end-month-day: Specifies the date range of each month. The end date
must be greater than the start date.
day: Specifies the key to be effective on the specified days of each week.
week-day: Specifies a day in a week. Values include mon, tue, wed, thu, fri, sat, and sun. You
can specify this argument multiple times with different values.
start-week-day to end-week-day: Specifies the day range of each week. The end day must
be greater than the start day.
month: Specifies the key to be effective in the specified months of each year.
month: Specifies a month in a year. Values include jan, feb, mar, apr, may, jun, jul, aug, sep, oct,
nov, and dec. You can specify this argument multiple times with different values.
start-month to end-month: Specifies the month range of each year. The end month must be
greater than the start month.
utc: Specifies the sending lifetime in absolute time mode. The key takes effect in the specified time
range, for example, from 08:00 2019/9/1 to 18:00 2019/9/3.
start-time: Specifies the start time in the HH:MM:SS format. The value range for this argument is
0:0:0 to 23:59:59.
start-date: Specifies the start date in the MM/DD/YYYY or YYYY/MM/DD format. The value
range for YYYY is 2000 to 2035.
duration duration-value: Specifies the lifetime of the key, in the range of 1 to 2147483646
seconds.
duration infinite: Specifies that the key never expires after it becomes valid.
to: Specifies the end time and date.
end-time: Specifies the end time in the HH:MM:SS format. The value range for this argument is
0:0:0 to 23:59:59.
end-date: Specifies the end date in the MM/DD/YYYY or YYYY/MM/DD format. The value range
for YYYY is 2000 to 2035.
Usage guidelines
A key becomes a valid send key when the following requirements are met:
• A key string has been configured.
• An authentication algorithm has been specified.
• The system time is within the specified sending lifetime.
To make sure only one key in a keychain is used at a time to authenticate packets to a peer, set
non-overlapping sending lifetimes for the keys in the keychain.
Examples
# Set the sending lifetime for key 1 of keychain abc in absolute time mode.
<Sysname> system-view
[Sysname] keychain abc mode absolute
[Sysname-keychain-abc] key 1
[Sysname-keychain-abc-key-1] send-lifetime utc 12:30 2019/1/21 to 18:30 2019/1/21
# Set the sending lifetime for key 1 of keychain 123 in weekly periodic time mode.
<Sysname> system-view
[Sysname] keychain 123 mode periodic weekly
[Sysname-keychain-123] key 1
[Sysname-keychain-123-key-1] send-lifetime day fri
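As an added example (not switch code) of the validity and selection rules stated in the accept-lifetime, accept-tolerance, default-send-key and send-lifetime usage guidelines, the following hypothetical Python model applies those rules to HMAC-tagged messages. The Key and Keychain classes, the lowest-ID choice among overlapping send keys and the omission of the keyed md5 variant are this model's assumptions, not documented switch behaviour.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Hypothetical model of the keychain rules in this reference (added example,
# not switch code). Lifetimes are (start, end) naive UTC datetimes, as in
# absolute mode; the plain keyed "md5" algorithm is application-specific and
# is left out of this model.
ALGORITHMS = {"hmac-md5": hashlib.md5, "hmac-sha-1": hashlib.sha1,
              "hmac-sha-256": hashlib.sha256}


@dataclass
class Key:
    key_id: int
    key_string: Optional[bytes] = None          # key-string
    algorithm: Optional[str] = None             # authentication-algorithm
    send_lifetime: Optional[Tuple[datetime, datetime]] = None    # send-lifetime utc
    accept_lifetime: Optional[Tuple[datetime, datetime]] = None  # accept-lifetime utc
    default_send: bool = False                  # default-send-key

    def configured(self) -> bool:
        # A key string and a supported algorithm are required for any validity.
        return self.key_string is not None and self.algorithm in ALGORITHMS

    def send_valid(self, now: datetime) -> bool:
        if not self.configured() or self.send_lifetime is None:
            return False
        start, end = self.send_lifetime
        return start <= now <= end

    def accept_valid(self, now: datetime, tolerance: Optional[int]) -> bool:
        # tolerance None models "accept-tolerance infinite": the key never expires.
        if not self.configured() or self.accept_lifetime is None:
            return False
        if tolerance is None:
            return True
        start, end = self.accept_lifetime
        widen = timedelta(seconds=tolerance)    # tolerance extends both ends
        return start - widen <= now <= end + widen

    def mac(self, data: bytes) -> bytes:
        return hmac.new(self.key_string, data, ALGORITHMS[self.algorithm]).digest()


@dataclass
class Keychain:
    name: str
    accept_tolerance: Optional[int] = 0         # seconds; None means infinite
    keys: Dict[int, Key] = field(default_factory=dict)

    def active_send_key(self, now: datetime) -> Optional[Key]:
        active = [k for k in self.keys.values() if k.send_valid(now)]
        if active:
            # Overlapping send lifetimes are a misconfiguration; picking the
            # lowest ID here is this model's assumption, not documented behaviour.
            return min(active, key=lambda k: k.key_id)
        # No active send key: fall back to the default send key, if configured.
        return next((k for k in self.keys.values()
                     if k.default_send and k.configured()), None)

    def sign(self, now: datetime, data: bytes) -> Optional[Tuple[int, bytes]]:
        k = self.active_send_key(now)
        return None if k is None else (k.key_id, k.mac(data))

    def authenticate(self, now: datetime, data: bytes,
                     key_id: Optional[int], tag: bytes) -> bool:
        tol = self.accept_tolerance
        if key_id is not None:
            # The packet names a key: only that key may authenticate it.
            k = self.keys.get(key_id)
            return (k is not None and k.accept_valid(now, tol)
                    and hmac.compare_digest(k.mac(data), tag))
        # No key ID: any valid accept key may authenticate the packet.
        return any(k.accept_valid(now, tol) and hmac.compare_digest(k.mac(data), tag)
                   for k in self.keys.values())
```

The lifetimes used to exercise the model mirror the two keys in the display keychain output above: key 1 sends until 01:00 on 2019/01/25, key 2 takes over afterwards and is also the default send key.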
tcp-algorithm-id
Use tcp-algorithm-id to set an algorithm ID for a TCP authentication algorithm.
Use undo tcp-algorithm-id to restore the default.
Syntax
tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 } algorithm-id
undo tcp-algorithm-id { hmac-md5 | hmac-sha-256 | md5 }
Default
The algorithm ID is 3 for the MD5 authentication algorithm, 5 for the HMAC-MD5 authentication
algorithm, and 7 for the HMAC-SHA-256 authentication algorithm.
Views
Keychain view
Predefined user roles
network-admin
Parameters
hmac-md5: Specifies the HMAC-MD5 authentication algorithm, which provides a key length of 16
bytes.
hmac-sha-256: Specifies the HMAC-SHA-256 authentication algorithm, which provides a key
length of 16 bytes.
md5: Specifies the MD5 authentication algorithm, which provides a key length of 16 bytes.
algorithm-id: Specifies an algorithm ID in the range of 1 to 63.
Usage guidelines
If an application uses keychain authentication during TCP connection establishment, the incoming
and outgoing TCP packets will carry the TCP Enhanced Authentication Option. The