Command Line Manual

Version R2.1
Table of Contents
Chapter 1 System management ........................................................................................................... 14
1.1 System overview............................................................................................................................ 14
1.1.1 Characteristics of command line ........................................................................................ 14
1.1.2 Grammar help ..................................................................................................................... 15
1.1.3 Supplement command with grammar help ......................................................................... 15
1.1.4 Command abbreviation ....................................................................................................... 15
1.1.5 Command mode .................................................................................................................. 16
1.1.6 Introduction of common commands ................................................................................... 16
1.2 Approach to realize system configuration ..................................................................................... 16
1.2.1 Realize system configuration through serial port ............................................................... 16
1.2.2 Realize system configuration through Telnet...................................................................... 17
1.2.3 Realize system configuration through SSH ........................................................................ 17
1.3 System file management ................................................................................................................ 17
1.3.1 Copy command ................................................................................................................... 18
1.3.2 Save configuration file........................................................................................................ 18
1.3.3 Multi-configuration file ...................................................................................................... 18
1.3.4 Upload and download configuration file ............................................................................ 19
1.3.5 System upgrade................................................................................................................... 19
1.4 Common system management command ...................................................................................... 19
1.4.1 Enable and disable Telnet service ....................................................................................... 19
1.4.2 Enable and disable SSH service ......................................................................................... 19
1.4.3 View who is on the system ................................................................................................. 19
1.4.4 Clear login user................................................................................................................... 19
1.4.5 View system version ........................................................................................................... 19
Chapter 2 Configuration interface ................................................................................................ 21
2.1 Configure Ethernet port ................................................................................................................. 21
2.1.1 Description of Ethernet port ............................................................................................... 21
2.1.2 Configure Ethernet port ...................................................................................................... 21
2.1.3 Configuration cases ............................................................................................................ 26
2.1.4 Ethernet port monitoring and maintenance ......................................................................... 26
2.1.5 Fault analysis ...................................................................................................................... 26
2.2 Configure VLAN interface ............................................................................................................ 27
2.2.1 VLAN description .............................................................................................................. 27
2.2.2 Configure interface’s encapsulated link layer protocol as VLAN ...................................... 27
2.2.3 Display configuration information ..................................................................................... 28
2.2.4 Configuration cases ............................................................................................................ 28
2.2.5 Fault analysis ...................................................................................................................... 29
2.3 Configure transparent bridge (vlan passthrough) .......................................................................... 29
2.3.1 Overview of transparent bridge .......................................................................................... 29
2.3.2 Configure transparent bridge .............................................................................................. 29
2.3.3 Configure bridge STP ......................................................................................................... 29
2.3.4 Configuration cases ............................................................................................................ 31
2.3.5 Transparent bridge monitoring and maintenance................................................................ 31
2.3.6 Common fault analysis ....................................................................................................... 32
2.4 Configure link aggregation interface ............................................................................................. 32
2.4.1 Overview of link aggregation ............................................................................................. 32
2.4.2 Configure link aggregation interface .................................................................................. 33
2.4.3 Configuration cases ............................................................................................................ 34
2.4.4 Common fault analysis ....................................................................................................... 35
2.5 Configure PPPoE interface ............................................................................................................ 35
2.5.1 PPPoE overview ................................................................................................................. 35
2.5.2 Configure PPPoE interface ................................................................................................. 35
2.5.3 Configuration cases ............................................................................................................ 35
2.6 Configure DHCP interface............................................................................................................. 36
2.6.1 DHCP ................................................................................................................................. 36
2.6.2 Configure DHCP interface.................................................................................................. 36
2.6.3 Configuration cases ............................................................................................................ 36
2.7 Configure Listen Mode interface ................................................................................................... 37
2.7.1 Overview of listen mode interface ...................................................................................... 37
2.7.2 Configure listen mode interface.......................................................................................... 37
2.8 Configure GRE interface ............................................................................................................... 37
2.8.1 Gre interface ....................................................................................................................... 37
2.8.2 Configure gre interface ....................................................................................................... 37
2.8.3 Configuration cases ............................................................................................................ 38
Chapter 3 Configure safety domain.............................................................................................. 39
3.1 Overview of safety domain............................................................................................................ 39
3.2 Add interface in domain ................................................................................................................ 39
3.3 Configure mutual access among interfaces in domain .................................................................. 39
3.4 Configuration cases ....................................................................................................................... 39
3.4.1 Configuration cases: add interfaces to domain ................................................................... 39
3.5 Safety domain monitoring and maintenance ................................................................................. 40
3.5.1 View domain information ................................................................................................... 40
3.6 Common fault analysis .................................................................................................................. 40
3.6.1 Fault phenomenon: .......................................................................................................... 40
Chapter 4 Configure IPv6 ............................................................................................................ 41
4.1 IPv6 overview ................................................................................................................................ 41
4.1.1 Characteristics of IPv6 protocol ......................................................................................... 41
4.1.2 Introduction of IPv6 address ............................................................................................... 42
4.1.3 IPv6 neighbor discovery protocol ....................................................................................... 45
4.1.4 IPv6 PMTU discovery ........................................................................................................ 47
4.1.5 Introduction of IPv6 transition technology ......................................................................... 48
4.1.6 Introduction of IPv6 tunneling............................................................................................ 49
4.2 Configure IPv6 .............................................................................................................................. 51
4.2.1 Configure IPv6 unicast address .......................................................................................... 51
4.2.2 Configure IPv6 neighbor discovery protocol...................................................................... 52
4.2.3 Configure IPv6 static router .................................................................................................... 54
4.2.4 Configure IPv6 policy routing................................................................................................. 54
4.2.5 Configure IPv6 management equipment ................................................................................... 55
4.2.6 Configure IPv6 packet filtering ............................................................................................... 55
4.2.7 Configure IPv6 extension header filtration ......................................................................... 55
4.2.8 Configure IPv6-MAC binding ............................................................................................ 56
4.2.9 Configure DNSv6 server ...................................................................................................... 56
4.2.10 Configure DHCPv6 server................................................................................................ 56
4.2.11 Configure IPv4/IPv6 dual protocol stack .......................................................................... 56
4.2.12 Configure IPv6 manual tunnel .......................................................................................... 57
4.2.13 Configure IPv6 6to4 tunnel............................................................................................... 57
4.2.14 Configure IPv6 ISATAP tunnel......................................................................................... 58
4.3 Configuration cases ....................................................................................................................... 58
4.3.1 Configuration case 1: basic IPv6 manual tunnel ................................................................ 58
4.4 IPv6 monitoring and maintenance ................................................................................................. 59
4.4.1 View IPv6 tunnel................................................................................................................. 59
4.4.2 Common fault analysis ....................................................................................................... 59
Chapter 5 Configure IPSec VPN .................................................................................................. 60
5.1 IPSec VPN ..................................................................................................................................... 60
5.2 Configure IPSec VPN .................................................................................................................... 61
5.2.1 Default configuration message ........................................................................................... 61
5.2.2 Configure IKE phase 1 ....................................................................................................... 61
5.2.3 Configure IKE phase 2 .................................................................................................... 64
5.2.4 Manually configure IPsec security policy ........................................................................... 65
5.3 Configuration cases ....................................................................................................................... 65
5.3.1 Configuration cases: ........................................................................................................ 65
5.4 IPSec VPN monitoring and maintenance ...................................................................................... 66
5.4.1 Display phase-1 SA ............................................................................................................. 66
5.4.2 Display phase-2 SA ............................................................................................................ 66
5.4.3 Clear phase-1 SA ................................................................................................................ 67
5.4.4 Clear phase-2 SA ................................................................................................................ 67
5.4.5 Common fault analysis ....................................................................................................... 67
Chapter 6 Configure NAT ............................................................................................................ 68
6.1 NAT ............................................................................................................................................... 68
6.2 Configure NAT .............................................................................................................................. 69
6.2.1 Configure address pool (NAT POOL) ................................................................................ 69
6.2.2 Configure static NAT .......................................................................................................... 69
6.2.3 Configure source NAT ........................................................................................................ 69
6.2.4 Configure destination NAT ................................................................................................. 70
6.2.5 Configure destination NAT automatic mapping ................................................................. 70
6.3 Port management ........................................................................................................................... 71
6.3.1 Set service port number ...................................................................................................... 71
Chapter 7 Configure DHCP server ............................................................................................... 73
7.1 Overview of DHCP service ........................................................................................................... 73
7.1.1 DHCP server ....................................................................................................................... 73
7.1.2 Overview of DHCP Relay .................................................................................................. 73
7.2 Configure DHCP Server ................................................................................................................ 73
7.2.1 Designate DHCP Server service on interface ..................................................................... 73
7.2.2 Configure DHCP Server service subnet ............................................................................. 74
7.2.3 Configure DHCP Server address pool and its lease ............................................................ 74
7.2.4 Configure DHCP subnet with default gateway ................................................................... 74
7.2.5 Configure DHCP subnet with DNS server ......................................................................... 74
7.2.6 Configure DHCP subnet with WINS server ....................................................................... 75
7.2.7 Configure DHCP subnet domain name............................................................................... 75
7.2.8 Configure DHCP address binding ...................................................................................... 75
7.2.9 Configure DHCP address exclusion ................................................................................... 75
7.3 DHCP service monitoring.............................................................................................................. 75
7.3.1 DHCP Debug ...................................................................................................................... 75
7.3.2 Display DHCP Server configuration information ............................................................... 75
7.3.3 Display DHCP Server address distribution information ..................................................... 76
7.4 Configuration cases ....................................................................................................................... 76
Chapter 8 Configuration object .................................................................................................... 78
8.1 Configure absolute time and cycle time ........................................................................................ 78
8.1.1 Overview of absolute time and cycle time.......................................................................... 78
8.1.2 Configure effective time range in absolute time ................................................................. 78
8.1.3 Configure effective time range in cycle time ...................................................................... 78
8.1.4 Configure effective time period in cycle time .................................................................... 79
8.1.5 Configuration cases ............................................................................................................ 79
8.1.6 Configuration cases: configure time table .......................................................................... 79
8.1.7 Absolute time and cycle time monitoring and maintenance ............................................... 80
8.1.8 View cycle table and absolute time ..................................................................................... 80
8.1.9 Common fault analysis ....................................................................................................... 80
8.1.10 Fault phenomenon1: ...................................................................................................... 80
8.2 Configure service object and service object group ........................................................................ 80
8.2.1 Overview of service object and service object group ......................................................... 80
8.2.2 Configure service object and service object group ............................................................. 80
8.2.3 Add TCP|UDP service to service object ............................................................................. 80
8.2.4 Add ICMP service to service object.................................................................................... 81
8.2.5 Add service object to service object group ......................................................................... 81
8.2.6 Configuration cases ............................................................................................................ 82
8.2.7 Configuration case 1: add service object and service object group .................................... 82
8.2.8 Configuration case 2: configure service object................................................................... 82
8.2.9 Service object and service object group monitoring and maintenance ............................... 82
8.2.10 View service object ........................................................................................................... 82
8.2.11 View service object group ................................................................................................. 83
8.2.12 Common fault analysis ..................................................................................................... 83
8.2.13 Fault phenomenon1: ...................................................................................................... 83
8.3 Configure address object and address object group....................................................................... 83
8.3.1 Overview of address object and address object group ........................................................ 83
8.3.2 Configure address object and address object group............................................................ 83
8.3.3 Add single address to address object .................................................................................. 83
8.3.4 Add network mask to address object .................................................................................. 84
8.3.5 Add address range to object address ................................................................................... 84
8.3.6 Add address object to address object group ........................................................................ 84
8.3.7 Configuration cases ............................................................................................................ 85
8.3.8 Configuration cases: add address object and address object group .................................... 85
8.3.9 Address object and address object group monitoring and maintenance ............................. 85
8.3.10 View address object .......................................................................................................... 85
8.3.11 View address object group ................................................................................................ 85
8.3.12 Common fault analysis ..................................................................................................... 86
8.3.13 Fault phenomenon1: ...................................................................................................... 86
8.4 Configure application object and application object group ........................................................... 86
8.4.1 Overview of application object, application classification and application object group... 86
8.4.2 Configure application object group .................................................................................... 86
8.4.3 Configuration cases ............................................................................................................ 86
8.5 Configure URL object ................................................................................................................... 87
8.5.1 Overview of URL object..................................................................................................... 87
8.5.2 Configure URL object ........................................................................................................ 87
8.5.3 Configuration cases ............................................................................................................ 87
8.6 Configure File type object ............................................................................................................. 87
8.6.1 Overview of File type object .............................................................................................. 87
8.6.2 Configure File type object .................................................................................................. 88
8.6.3 Configuration cases ............................................................................................................ 88
8.7 Configure keyword object ............................................................................................................. 88
8.7.1 Overview of keyword object .............................................................................................. 88
8.7.2 Configure keyword object .................................................................................................. 88
8.7.3 Configuration cases ............................................................................................................ 89
8.8 Configure health check object ....................................................................................................... 89
8.8.1 Overview of health check ................................................................................................... 89
8.8.2 Configure health check object ............................................................................................ 89
8.8.3 Configure health check group ............................................................................................. 89
Chapter 9 Configure static router ................................................................................................. 91
9.1 Overview of static router ............................................................................................................... 91
9.2 Configure static router ................................................................................................................... 91
9.3 Configure default router ................................................................................................................ 91
9.4 Multipath selection ........................................................................................................................ 91
9.5 Configure information display command ...................................................................................... 92
9.6 Configuration cases ....................................................................................................................... 92
9.6.1 Configure default router ..................................................................................................... 92
9.7 Common faults .............................................................................................................................. 92
9.7.1 Abnormal data package forwarding .................................................................................... 92
Chapter 10 Configure policy routing.............................................................................................. 93
10.1 Overview of policy routing.......................................................................................................... 93
10.2 Configure policy router ............................................................................................................... 93
10.2.1 Policy router configuration ............................................................................................... 93
10.2.2 Adjust the sequence of policy router................................................................................. 93
10.2.3 Multipath selection ........................................................................................................... 94
10.3 Common fault analysis ................................................................................................................ 94
10.3.1 Fault phenomenon: ........................................................................................................ 94
Chapter 11 Configure RIP .............................................................................................................. 95
11.1 Overview of RIP protocol ............................................................................................................ 95
11.2 Configure RIP .............................................................................................................................. 95
11.2.1 Default configuration information .................................................................................... 95
11.2.2 Enable RIP router protocol function ................................................................................. 95
11.2.3 Configure RIP version ...................................................................................................... 96
11.2.4 Configure RIP released network ....................................................................................... 96
11.2.5 Configure RIP release default router ................................................................................ 96
11.2.6 Configure RIP default redistribution metric ..................................................................... 97
11.2.7 Configure RIP timer triggering time ................................................................................. 97
11.2.8 Configure RIP timer triggering time ................................................................................. 97
11.2.9 Configure the version of message received and transmitted by RIP interface .................. 98
11.2.10 Configure authentication type of RIP interface............................................................... 98
11.3 RIP monitoring and maintenance................................................................................................. 98
11.3.1 View RIP routing table ...................................................................................................... 98
11.3.2 View RIP configuration .................................................................................................... 99
11.3.3 View debugging information ............................................................................................ 99
11.4 Common fault analysis ...............................................................................................................100
11.4.1 Fault phenomenon: two equipment cannot communicate normally ................................100
Chapter 12
Configure OSPF .........................................................................................................101
12.1 OSPF protocol ............................................................................................................................101
12.2 Configure OSPF .........................................................................................................................101
12.2.1 Default configuration information ...................................................................................101
12.2.2 Enable OSPF routing protocol function...........................................................................102
12.2.3 Configure OSPF router Router-ID ..................................................................................102
12.2.4 Configure OSPF interface................................................................................................102
12.2.5 Configure OSPF area authentication method ..................................................................103
12.2.6 Configure OSPF NSSA ...................................................................................................103
12.2.7 Configure OSPF inter-area router aggregation ................................................................104
12.2.8 Configure OSPF router redistribution..............................................................................105
12.2.9 OSPF redistribution router default Metric .......................................................................105
12.2.10 Configure OSPF redistribution default router................................................................106
12.2.11 Configure OSPF protocol priority .................................................................................106
12.2.12 Configure OSPF compatible with RFC1583 .................................................................107
12.2.13 Configure OSPF routing computation timer ..................................................................107
12.2.14 Configure OSPF interface authentication method .........................................................107
12.2.15 Configure OSPF interface authentication key ...............................................................108
12.2.16 Configure key for OSPF interface ciphertext authentication ........................................108
12.2.17 Configure OSPF interface priority.................................................................................108
12.2.18 Configure the expense of OSPF interface sending message ..........................................109
12.2.19 Configure OSPF interface LSA retransmission interval ................................................109
12.2.20 Configure OSPF interface LSA transmission delay....................................................... 110
12.2.21 Configure OSPF interface with Hello message timer .................................................... 110
12.2.22 Configure OSPF interface neighbor failure timer .......................................................... 110
12.2.23 Configure interface’s OSPF network type ..................................................................... 111
12.3 Common fault analysis ............................................................................................................... 111
12.3.1 Fault phenomenon 1: it is impossible to establish adjacency relationship between two equipment ...... 111
Chapter 13
Configure BGP ........................................................................................................... 113
13.1 BGP protocol .............................................................................................................................. 113
13.2 Configure BGP ........................................................................................................................... 114
13.2.1 Default configuration information ................................................................................... 114
13.2.2 Enable BGP router protocol function .............................................................................. 114
13.2.3 Configure BGP Router-ID .............................................................................................. 115
13.2.4 Configure designated BGP peer....................................................................................... 115
13.2.5 Configure BGP peer group .............................................................................................. 115
13.2.6 Configure loopback interface as BGP neighbor .............................................................. 116
13.2.7 EBGP multihop configuration ......................................................................................... 116
13.2.8 Delete private AS number ................................................................................................ 116
13.2.9 Permit sending community property................................................................................ 117
13.2.10 Limit the number of reception router ............................................................................. 117
13.2.11 Retain peer router information ....................................................................................... 117
13.2.12 Close peer ...................................................................................................................... 118
13.2.13 IGP and BGP router interaction ..................................................................................... 118
13.2.14 Redistribute IGP router to BGP ..................................................................................... 119
13.2.15 Configure BGP timer ..................................................................................................... 119
13.2.16 Configure MED property...............................................................................................120
13.2.17 Configure LOCAL_PREF property ...............................................................................121
13.2.18 Compare router-id.........................................................................................................121
13.2.19 Configure BGP aggregation router ................................................................................121
13.3 Common fault analysis ...............................................................................................................122
13.3.1 Fault phenomenon 1: cannot establish adjacency relation between two equipment ........122
Chapter 14
Configure firewall policy ............................................................................................123
14.1 Overview of firewall policy ........................................................................................................123
14.2 Configure firewall policy............................................................................................................123
14.2.1 Add and delete firewall policy .........................................................................................123
14.2.2 Add firewall policy ..........................................................................................................123
14.2.3 Delete firewall policy ......................................................................................................123
14.2.4 Modification of policy-based aging time .........................................................................123
14.2.5 Enable and disable ...........................................................................................................124
14.3 Configuration cases ....................................................................................................................124
Chapter 15
Configure user policy .................................................................................................125
15.1 Overview of user policy .............................................................................................................125
15.2 Configure user policy .................................................................................................................125
15.3 Configuration cases ....................................................................................................................125
Chapter 16
Configure Web access policy ......................................................................................126
16.1 Overview of Web access policy ..................................................................................................126
16.2 Configure Web access policy ......................................................................................................126
16.3 Configure self-defined URL type ...............................................................................................126
16.4 Configuration cases ....................................................................................................................127
Chapter 17
Configure application audit policy .............................................................................128
17.1 Overview of application audit policy .........................................................................................128
17.2 Configure application audit policy .............................................................................................128
17.3 Configuration cases ....................................................................................................................128
Chapter 18
Configure Control policy ............................................................................................129
18.1 Control policy .............................................................................................................................129
18.2 Configure Control policy ............................................................................................................129
18.3 Configuration cases ....................................................................................................................130
Chapter 19
Application policy whitelist ........................................................................................131
19.1 Overview of whitelist .................................................................................................................131
19.2 Configure whitelist .....................................................................................................................131
19.3 Configuration cases ....................................................................................................................131
Chapter 20
Configure intrusion prevention policy ........................................................................132
20.1 Overview of intrusion prevention policy ....................................................................................132
20.2 Configure intrusion prevention policy ........................................................................................132
20.2.1 Configure intrusion prevention event set .........................................................................132
20.2.2 Intrusion prevention policy ..............................................................................................132
20.3 Configuration cases ....................................................................................................................133
Chapter 21
Configure anti-virus policy .........................................................................................134
21.1 Overview of anti-virus policy .....................................................................................................134
21.2 Configure anti-virus policy .........................................................................................................134
21.2.1 Add anti-virus policy .......................................................................................................134
21.2.2 Modify anti-virus policy ..................................................................................................134
21.2.3 Delete anti-virus policy....................................................................................................135
21.3 Configuration cases ....................................................................................................................135
Chapter 22
Protocol management .................................................................................................136
22.1 Overview of protocol management ............................................................................................136
22.2 Configure protocol management ................................................................................................136
22.3 Configuration cases ....................................................................................................................136
Chapter 23
Configure flow control policy ....................................................................................137
23.1 Overview of flow management ..................................................................................................137
23.2 Configure flow management ......................................................................................................137
23.2.1 Configure line binding interface ......................................................................................137
23.2.2 Configure channel related line .........................................................................................137
23.2.3 Configure elimination policy ...........................................................................................138
23.2.4 Show qos configuration and speed limitation status ........................................................138
23.3 Configuration cases ....................................................................................................................138
Chapter 24
Configure authentication user .....................................................................................139
24.1 Overview of authentication user setting .....................................................................................139
24.2 Configure user authentication .....................................................................................................139
24.2.1 Configure local administrator user ..................................................................................140
24.2.2 Configure RADIUS administrator user ...........................................................................140
24.2.3 Configure LDAP administrator user ................................................................................140
24.2.4 Configure local access user .............................................................................................140
24.3 Configure RADIUS server support ............................................................................................141
24.3.1 Configure RADIUS server ..............................................................................................141
24.4 Configure LDAP server support .................................................................................................141
24.4.1 Configure LDAP server ...................................................................................................141
24.5 Configure portal server support ..................................................................................................141
24.5.1 Configure Portal Server ...................................................................................................141
24.6 Configure user group ..................................................................................................................142
24.6.1 Configure user group .......................................................................................................142
24.6.2 Configure user to user group ...........................................................................................142
24.7 Configuration cases ....................................................................................................................142
24.7.1 Configuration case 1: local user authentication ...............................................................142
24.8 Authenticated user monitoring and maintenance ........................................................................143
24.8.1 View information of accessed user ..................................................................................143
24.8.2 View user group information ...........................................................................................143
24.8.3 View RADIUS server information ..................................................................................143
24.8.4 View LDAP server information .......................................................................................143
24.8.5 View user authentication and login process .....................................................................143
24.9 Common fault analysis ...............................................................................................................144
24.9.1 Fault phenomenon 1: user authentication failed ..............................................................144
Chapter 25
Configure anti-DOS attack .........................................................................................145
25.1 Overview of anti-DOS attack .....................................................................................................145
25.2 Configure anti-DOS attack .........................................................................................................145
25.2.1 Default configuration .......................................................................................................145
25.2.2 Configure anti-ping-of-death attack function ..................................................................145
25.2.3 Configure anti-tear-drop attack function .........................................................................145
25.2.4 Configure anti-jolt2 attack function.................................................................................146
25.2.5 Configure anti-land-base attack function .........................................................................146
25.2.6 Configure anti-winnuke attack function ..........................................................................146
25.2.7 Configure anti-syn-flag attack function ...........................................................................146
25.2.8 Configure anti-smurf attack .............................................................................................147
25.2.9 Configure Flood defense..................................................................................................147
25.2.10 Configure intelligent TCP Flood prevention .................................................................148
25.3 Anti-DOS attack monitoring and maintenance ...........................................................................148
25.3.1 View configuration information.......................................................................................148
25.3.2 View current TCP semi-join count...................................................................................148
25.3.3 View anti-DOS attack related debug information ............................................................148
25.4 Common fault analysis ...............................................................................................................149
25.4.1 TCP Flood attack defense failure .....................................................................................149
Chapter 26
Configure anti-scanning..............................................................................................150
26.1 Anti-scanning ..............................................................................................................................150
26.2 Configure anti-scanning .............................................................................................................150
26.2.1 Default configuration information ...................................................................................150
26.2.2 Configure anti-TCP Scan .................................................................................................150
26.2.3 Configure anti-UDP Scan ................................................................................................150
26.2.4 Configure anti-Ping sweep ..............................................................................................151
26.2.5 Configure scanning recognition threshold .......................................................................151
26.2.6 Configure source host blockage time...............................................................................152
26.3 Configuration cases ....................................................................................................................152
26.3.1 Configure anti-scanning...................................................................................................152
26.4 Anti-scanning monitoring and maintenance ...............................................................................152
26.4.1 View anti-scan configuration ...........................................................................................152
26.5 Common fault analysis ...............................................................................................................153
26.5.1 No alarm after anti-scanning, no package rejection.........................................................153
Chapter 27
Configure IP-MAC binding ........................................................................................154
27.1 IP-MAC binding .........................................................................................................................154
27.2 Configure IP-MAC binding ........................................................................................................154
27.2.1 Configure IP-MAC binding .............................................................................................154
27.2.2 View ARP list...................................................................................................................154
27.2.3 Clear ARP list ..................................................................................................................154
27.3 Configuration cases ....................................................................................................................154
Chapter 28
Configure PKI.............................................................................................................156
28.1 PKI protocol ...............................................................................................................................156
28.2 Configure PKI ............................................................................................................................156
28.2.1 Export of local certificate ................................................................................................156
28.2.2 Import of certificate locally generated .............................................................................156
28.2.3 Import of PKCS12 format certificate...............................................................................157
28.2.4 Import of certificate key file ............................................................................................157
28.2.5 Export of CA certificate ...................................................................................................157
28.2.6 Export of CA certificate ...................................................................................................158
28.2.7 Export CRL......................................................................................................................158
28.2.8 Export CRL......................................................................................................................158
28.2.9 CRL import ......................................................................................................................158
Chapter 29
Configure PKI CA ......................................................................................................160
29.1 PKI protocol ...............................................................................................................................160
29.2 Configure PKI CA ......................................................................................................................160
29.2.1 Generate CA certificate....................................................................................................160
29.2.2 Configure certificate request information - Location ......................................................160
29.2.3 Configure certificate request information - Nation or region ..........................................161
29.2.4 Configure certificate request information - Organization ................................................161
29.2.5 Configure certificate request information - State/province .............................................161
29.2.6 Configure certificate request information - Department ..................................................161
29.2.7 Configure certificate request information - E-mail ..........................................................161
29.2.8 Configure certificate request information - Key length ...................................................162
29.2.9 Configure certificate request information - Validity period .............................................162
29.2.10 Export of CA certificate .................................................................................................162
29.2.11 Export of CA certificate .................................................................................................162
29.2.12 CRL update ....................................................................................................................163
29.2.13 CRL export ....................................................................................................................163
29.2.14 Generate user certificate request ....................................................................................163
29.2.15 Issue user certificate request ..........................................................................................164
29.2.16 Export user certificate ....................................................................................................164
29.3 Common fault analysis ...............................................................................................................164
Chapter 30
Configure system log ..................................................................................................165
30.1 Configure system log ..................................................................................................................165
30.2 Configure system log ..................................................................................................................165
30.2.1 Default configuration information ...................................................................................165
30.2.2 Configure local log ..........................................................................................................165
30.2.3 Module sends log to local log ..........................................................................................165
30.2.4 Online user enquiry and freeze ........................................................................................165
30.2.5 Clear local log..................................................................................................................166
30.2.6 Module sends log to E-mail .............................................................................................166
30.2.7 Enable SYSLOG log server .............................................................................................166
30.2.8 Configure SYSLOG server address .................................................................................166
30.2.9 Configure SYSLOG server port ......................................................................................167
30.2.10 Module sends log to SYSLOG server............................................................................167
30.2.11 Enable centralized management center’s server ............................................................167
30.2.12 Configure centralized management center’s server address ..........................................167
30.2.13 Configure the port of centralized management center server ........................................167
30.3 Configuration cases ....................................................................................................................167
30.3.1 Configuration case 1: configure local log ........................................................................167
30.4 Common fault analysis ...............................................................................................................168
30.4.1 Fault phenomenon 1: SYSLOG log failure ......................................................................168
30.4.2 Fault phenomenon 2: E-mail log failure ..........................................................................168
Chapter 31
System maintenance ...................................................................................................169
31.1 System time setting .....................................................................................................................169
31.1.1 View system’s continuous operation time........................................................................169
31.1.2 View system’s current date and time ...............................................................................169
31.1.3 Configure system’s current time zone .............................................................................169
31.1.4 Manually set system’s current date and time ...................................................................171
31.1.5 Set system’s current time with ntp ...................................................................................171
31.1.6 Update system time immediately with ntp ......................................................................171
31.2 System update and related configuration backup recovery ........................................................172
31.2.1 Manual upgrading and configuration restoration.............................................................172
31.2.2 Automatic upgrade ...........................................................................................................172
31.3 System diagnosis ........................................................................................................................172
31.3.1 Usage of Ping command ..................................................................................................172
31.3.2 Use of command Traceroute..........................................................................................173
31.3.3 Use of command TCPSYN ..............................................................................................173
31.4 E-mail setting..............................................................................................................................174
31.4.1 Configure SMTP server name or address ........................................................................174
31.4.2 Configure mail sender address.........................................................................................174
31.4.3 Configure mail receiver address ......................................................................................174
31.4.4 Configure if authentication is necessary when mail is sent .............................................174
31.4.5 Configure the user name used for authentication while sending mail .............................175
31.4.6 Configure the authentication password while sending mail ............................................175
31.4.7 Configure SSL encryption ...............................................................................................175
31.5 Configure system monitoring .....................................................................................................175
31.5.1 CPU occupancy rate ........................................................................................................175
31.5.2 Internal memory usage rate .............................................................................................175
31.5.3 Flow configuration ..........................................................................................................175
31.5.4 Configure connection count.............................................................................................176
31.5.5 Configure the size of message .........................................................................................176
Chapter 32 Configure DNS ...........................................................................................177
32.1 DNS ............................................................................................................................................177
32.2 Configure DNS ...........................................................................................................................177
32.2.1 Default configuration information ...................................................................................177
32.2.2 Configure master DNS server ..........................................................................................177
32.2.3 Configure backup DNS server .........................................................................................177
32.2.4 DNS inquiry.....................................................................................................................177
32.3 Configuration cases ....................................................................................................................177
32.3.1 Configuration cases .........................................................................................................177
32.4 Common fault analysis ...............................................................................................................178
32.4.1 Fault phenomenon 1: DNS resolution failed...................................................................178
Chapter 33 Configure administrator user ......................................................................................179
33.1 Configure administrator ..............................................................................................................179
33.1.1 Configure user authority list ............................................................................................179
33.1.2 Configure local user.........................................................................................................179
33.1.3 Configure RADIUS administrator user ...........................................................................179
33.1.4 Configure LDAP administrator user ................................................................................180
33.1.5 Configure administrator user’s management address ......................................................180
33.1.6 Configure administrator with shortest command length ..................................................180
33.2 Configure information display command ...................................................................................180
33.3 Configuration cases ....................................................................................................................180
33.3.1 Configure the authority list function of administrator user..............................................180
33.4 Fault Analysis .............................................................................................................................182
33.4.1 User cannot log in ............................................................................................................182
33.4.2 Command cannot be executed .........................................................................................182
Chapter 34 Configure SNMP ........................................................................................................183
34.1 SNMP protocol ...........................................................................................................................183
34.2 Configure SNMP ........................................................................................................................183
34.2.1 Default configuration information ...................................................................................183
34.2.2 Enable SNMP proxy ........................................................................................................183
34.2.3 Configure equipment’s physical address ..........................................................................183
34.2.4 Configure trap address .....................................................................................................184
34.2.5 Configure community ......................................................................................................184
34.2.6 Configure SNMP version.................................................................................................184
34.2.7 Configure SNMP USM user ............................................................................................185
34.3 Configuration cases ....................................................................................................................185
34.3.1 Configuration case 1: access to equipment MIB library with MIB Browser ..................185
34.4 Monitoring and maintenance ......................................................................................................186
34.4.1 View usm user..................................................................................................................186
34.5 Common fault analysis ...............................................................................................................187
34.5.1 Fault phenomenon 1: Management station cannot access agent station MIB library ...187
Chapter 1 System management
System management covers the basic usage of the equipment: how to manage it, how to upload and
download configuration files, how to upgrade the system, and how to get help.
1.1 System overview
The operating system of the next-generation firewall can be configured through the command line or
the graphical interface. Besides the console port, the command line supports SSH and Telnet client
connections; the graphical interface (B/S mode) supports HTTPS and HTTP connections. This
manual describes configuration management by command line only.
1.1.1 Characteristics of command line
This section describes the basic steps of configuring with the command line; read it together with
the following sections for details on using the command line interface.
Use the command line interface (CLI) as follows:
Step 1: When the command prompt appears, make sure you hold the required authority. Most
configuration commands require administrator rights.
Step 2: Enter the command name.
Note:
All commands and keywords in the equipment command line are lower case.
Go directly to step 3 if the command has no parameters to be input by the user; otherwise proceed
as follows:
1) If a command needs a parameter value, input the keyword followed by the parameter value.
2) A parameter value in a command is the value you must supply: a number within a certain range,
a character string or an IP address. A keyword names the object to be operated on in a command.
3) If a command needs multiple parameters, input each keyword and parameter in sequence
according to the command prompt until you are prompted to press Enter.
Step 3: Press Enter after inputting the complete command.
For instance, “exit” is a command without parameter or keyword; its command name is exit. “ip
address A.B.C.D/M” is a command with a keyword and a parameter: the command name is ip, the
keyword is address and the parameter value is A.B.C.D/M.
1.1.2 Grammar help
The command line interface has built-in grammar help. If you are unsure of the grammar of a
command, input the part you know followed by “?” (or a blank and then “?”); the command line lists
the possible remaining keywords and parameters.
1.1.3 Supplement command with grammar help
Pressing “Tab” enables command completion. After inputting part of a command, press “Tab”: if
several commands match, the list of possible commands is displayed; if only one command matches,
the command line completes it automatically and moves the cursor to the end.
Symbol in a command
In command grammar you will see various symbols that indicate how to input the command; they are
not part of the command. The symbols are summarized below.
Table 1-1 Symbols in command line
Capital letter
    A capital-letter word means that part of the command requires a character string parameter.
    For instance, in the command
    usergroup NAME firewall
    you must input a legal user group name at the position of NAME as the name of the user group
    to be created.
A.B.C.D and A.B.C.D/M
    A.B.C.D means an IP address and M means the mask length, for instance in the command
    ip router A.B.C.D/M (A.B.C.D|INTERFACE)
Parenthesis ( ) and vertical bar |
    Parentheses are generally used together with vertical bars. The part in parentheses lists several
    options separated by vertical bars, and you must select one of them.
    For instance, in the command
    timezone (utc|cst)
    the parentheses contain two options separated by a vertical bar, and you must input one of utc
    and cst.
Bracket [ ]
    Brackets mean the parameter inside them may be input or omitted.
    For instance, in the command
    show access-user [USERNAME]
    the second parameter, if given, displays the information of that access user; if omitted, the
    information of all access users is displayed.
Angle bracket and numerical range
    Angle brackets with a numerical range mean the value of the input parameter must be a number
    between the two values.
    For instance, in the command
    policy <1-5000>
    the policy ID configured on the equipment may be any number from 1 to 5,000.
1.1.4 Command abbreviation
Command abbreviation means you may input only the leading letters of a word or keyword in a
command, as long as they cause no ambiguity, and the command executes directly when you press
Enter. Parameters input by the user, such as the name of a PPPoE template, must be complete.
For instance, ip address 192.168.1.1/16 can be abbreviated as ip add 192.168.1.1/16.
Note:
When abbreviating a command, you must input enough letters to avoid ambiguity between
commands.
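The following script is an added example, not part of the manual or the equipment's own code: it applies the abbreviation rule word by word against a small command table drawn from the commands in this chapter, and refuses to guess when a prefix matches more than one keyword. The command table and the error classes are assumptions for illustration only.

```python
"""Added example (not from the manual): resolving abbreviated commands.

A keyword may be shortened to its leading letters as long as they are
unambiguous. This resolver applies that rule per word against a constructed
command table and reports ambiguous, incomplete or unknown input instead of
guessing. The table and behaviour are assumptions, not the equipment's own.
"""
from typing import List, Tuple

# Constructed command table: each entry is the keyword sequence of one command.
COMMAND_TABLE: List[Tuple[str, ...]] = [
    ("enable",),
    ("exit",),
    ("ping",),
    ("list",),
    ("show", "running-config"),
    ("show", "startup-config"),
    ("show", "version"),
    ("configure", "terminal"),
    ("ip", "address"),
]


class AmbiguousCommand(ValueError):
    """The abbreviation matches more than one distinct command."""


class IncompleteCommand(ValueError):
    """The abbreviation matches several commands sharing the same prefix."""


class UnknownCommand(ValueError):
    """The abbreviation matches no command."""


def resolve(abbrev: str) -> str:
    """Expand an abbreviated command line into its full keyword sequence.

    Every typed word must be a prefix of the keyword at the same position.
    Words that match no keyword are treated as parameters and kept verbatim,
    so "ip add 192.168.1.1/16" becomes "ip address 192.168.1.1/16".
    """
    words = abbrev.split()
    if not words:
        raise UnknownCommand("empty command")
    candidates = list(COMMAND_TABLE)
    params: List[str] = []
    for i, word in enumerate(words):
        narrowed = [c for c in candidates if i < len(c) and c[i].startswith(word.lower())]
        if narrowed:
            candidates = narrowed
            continue
        # No keyword matches here: the remaining words must be parameters of
        # a command whose keywords have all been consumed already.
        candidates = [c for c in candidates if len(c) == i]
        params = words[i:]
        break
    consumed = len(words) - len(params)
    heads = {c[:consumed] for c in candidates}
    if not heads:
        raise UnknownCommand(f"no command matches {abbrev!r}")
    if len(heads) > 1:
        options = ", ".join(" ".join(h) for h in sorted(heads))
        raise AmbiguousCommand(f"{abbrev!r} could be any of: {options}")
    complete = [c for c in candidates if len(c) == consumed]
    if not complete:
        raise IncompleteCommand(f"{abbrev!r} needs more keywords")
    return " ".join(complete[0] + tuple(params))


def classify(abbrev: str) -> Tuple[str, str]:
    """Return (status, detail) so callers need not catch exceptions."""
    try:
        return "ok", resolve(abbrev)
    except AmbiguousCommand as exc:
        return "ambiguous", str(exc)
    except IncompleteCommand as exc:
        return "incomplete", str(exc)
    except UnknownCommand as exc:
        return "unknown", str(exc)


if __name__ == "__main__":
    for line in ("ip add 192.168.1.1/16", "sh ver", "e", "sh", "xyz"):
        print(f"{line!r:>24} -> {classify(line)}")
```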
1.1.5 Command mode
The equipment supports several command modes, listed in the following table.
Table 1-2 All command modes supported by equipment
Common mode
    Prompt: HOST>
    Access method: Input password after system booting
Privileged mode
    Prompt: HOST #
    Access method: Input “enable” under common mode
Global configuration mode
    Prompt: HOST (config)#
    Access method: Input “configure terminal” under privileged mode
Ethernet interface configuration mode
    Prompt: HOST (config-ge0/0)#
    Access method: Input “interface IFNAME” under global configuration mode, such as interface ge0/0
VLAN configuration mode
    Prompt: HOST (config-vlan12)#
    Access method: Input “interface vlan+VID” under configuration mode
1.1.6 Introduction of common commands
Table 1-3 Common commands under common mode
enable
    Enter privileged mode, under which equipment configuration and write operations are permitted
exit
    Exit the current mode and return to the top-level mode
ping -c <1-10000> -s <0-65507> -w <0-10> WORD
    Basic tool for network connectivity detection. WORD is the host address of the opposite side;
    -c is the number of ping packets, -s the packet size and -w the corresponding waiting time.
list
    Display the commands available under the current mode
show running-config
    Display the current configuration (it may include items not yet saved)
show startup-config
    Display the saved startup configuration
show version
    Display version information
1.2 Approach to realize system configuration
You may manage the equipment by the following approaches:
- Connect to the equipment serial port (Console) through a terminal (or terminal emulation
  software) and access the command line interface (CLI).
- Manage the equipment with Telnet
- Manage the equipment with SSH
- Manage the equipment with Web
1.2.1 Realize system configuration through serial port
Serial port parameters:
- Baud rate: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None
After the Console parameters are configured correctly, power on the equipment and the login prompt
appears.
1.2.2 Realize system configuration through Telnet
A workstation with a Telnet client can connect to the equipment over a TCP/IP network. Enable
Telnet login with the following steps:
Log in to the equipment with an administrator user account through the Console port and enter
interface configuration mode.
Configure the IP address of an interface of the equipment with the command:
ip address A.B.C.D/M
Allow Telnet login on the interface with the command:
allow telnet
Then a Telnet client can log in to the equipment command line interface through that interface's IP
address.
Note:
By default, Telnet login is not permitted on any interface.
1.2.3 Realize system configuration through SSH
Many cyber-attacks exploit the Telnet service provided by a server. Telnet has a fatal weakness: it
transmits the username and commands in plaintext, so anyone with ill intent can easily capture
them. SSH has now effectively replaced Telnet: while the client communicates with the server, SSH
encrypts the username and commands, which effectively prevents their capture. The equipment
supports management by SSH.
A workstation with an SSH client can connect to the equipment over a TCP/IP network. Enable SSH
login with the following steps:
Log in to the equipment with an administrator user account through the Console port and enter
interface configuration mode.
Configure the IP address of an interface of the equipment with the command:
ip address A.B.C.D/M
Allow SSH login on the interface with the command:
allow ssh
Then it is possible to log in to the equipment command line interface through that interface's IP
address with an SSH client.
Note:
By default the SSH function of an interface is disabled; to enable it you must use the command
“allow ssh”.
1.3 System file management
System file management refers to the maintenance and management of the configuration file and
the system application program file. Unless otherwise indicated, system file management is
performed under privileged mode.
1.3.1 Copy command
Format of command “copy”:
copy ftp user password A.B.C.D RemoteFile (version|config)
The parameters are explained as follows:
version: update the version file
config: configuration file
copy tftp A.B.C.D RemoteFile (version|config)
The parameters are explained as follows:
version: update the version file
config: configuration file
1.3.2 Save configuration file
Note:
After each modification of the equipment configuration, you must save the configuration to the
equipment; only a saved configuration is preserved across a restart.
Save the configuration file as follows:
Method 1:
Step 1: write memory
    Save the configuration file into the system
Method 2:
Step 1: write file
    Save the configuration file into the system
Note:
1) The above two commands have the same function of saving the configuration file.
2) startup-config refers to the configuration items at system startup, while running-config refers to
the current configuration items after startup; configuration items changed by the operator are
reflected in running-config, and right after the system starts, running-config is identical to
startup-config.
1.3.3 Multi-configuration file
Back up a configuration file as follows:
Step 1: copy (running-config|startup-config) backup-config [<0-9>]
    Back up the running configuration or the startup configuration
Add description information to a configuration file:
Step 1: write (startup-config|backup-config) (default|<0-9>) description .DESCRIPTION
    Add description information to the configuration file
Designate a configuration file as the next startup configuration:
Step 1: copy backup-config (default|<0-9>) startup-config
    Designate the configuration file as the next startup configuration
1.3.4 Upload and download configuration file
The user may save a good configuration file as a text file and, when needed (for instance, when the
equipment configuration has become confused and it is not clear how to restore its previous state),
download the configuration file to the equipment with the following command:
copy tftp A.B.C.D RemoteFile config
Export command:
copy (running-config|startup-config) tftp A.B.C.D RemoteFile
1.3.5 System upgrade
The user may download a version file to the equipment with the following command:
copy tftp A.B.C.D RemoteFile version
1.4 Common system management command
1.4.1 Enable and disable Telnet service
Disable Telnet service:
Step 1: (no) allow telnet
    Disable the Telnet service; after the command executes, other machines are prohibited from
    connecting to the equipment by Telnet
1.4.2 Enable and disable SSH service
Disable SSH service:
Step 1: (no) allow ssh
    Disable the SSH service; after the command executes, other machines are prohibited from
    connecting to the equipment by SSH
1.4.3 View who is on the system
The who command displays the operators logged in to the system.
1.4.4 Clear login user
If several operators are logged in to the system and some behave abnormally, an administrator may
remove other administrators from the system with the command “clear user”.
Clear an administrator user
Operation steps:
Step 1: clear user USERNAME addr A.B.C.D time .TIME
    Clear the corresponding user according to the input username, address and time
1.4.5 View system version
With the command “show version”, the user may view the system version information, including all
physical interfaces and their MAC addresses, for instance:
host# show version
Model Name    : SX-800C
Serial Number : 100TW-8E2AF-20001-H0H52-E040D
Software      : V1.1-R2.120161208
App Signature : 20161201
IPS Signature : 20161115
AV Signature  : 20161020
URL Signature : 20160909
Compile time  : Dec 8 2016 12:31:01
Uptime is 0 day 0 hour 39 minutes 42 seconds
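The script below is an added example, not part of the manual: it parses the “show version” output above into fields and works out how old each signature set is, so that a firewall running stale App, IPS, AV or URL signatures stands out during a review. The line format follows the manual's sample output; the staleness threshold is an assumption.

```python
"""Added example (not from the manual): parsing "show version" output.

The sample output lists four signature sets dated YYYYMMDD. A defender
reviewing several firewalls wants those dates parsed and compared with a
reference date so stale signature sets stand out. The line format follows
the manual's sample; the 60-day staleness threshold is an assumption.
"""
from datetime import date, datetime
from typing import Dict, List

# Sample output taken from the manual's "show version" example.
SAMPLE_OUTPUT = """\
Model Name    : SX-800C
Serial Number : 100TW-8E2AF-20001-H0H52-E040D
Software      : V1.1-R2.120161208
App Signature : 20161201
IPS Signature : 20161115
AV Signature  : 20161020
URL Signature : 20160909
Compile time  : Dec 8 2016 12:31:01
Uptime is 0 day 0 hour 39 minutes 42 seconds
"""


def parse_show_version(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; the uptime line has its own shape."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uptime is "):
            fields["Uptime"] = line[len("Uptime is "):]
            continue
        # Split on the first colon only: the compile time itself contains colons.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def compile_date(fields: Dict[str, str]) -> date:
    """Parse the 'Compile time' field, e.g. 'Dec 8 2016 12:31:01'."""
    return datetime.strptime(fields["Compile time"], "%b %d %Y %H:%M:%S").date()


def signature_ages(fields: Dict[str, str], as_of: date) -> Dict[str, int]:
    """Age in days of every '... Signature' field relative to as_of."""
    ages: Dict[str, int] = {}
    for key, value in fields.items():
        if key.endswith("Signature"):
            ages[key] = (as_of - datetime.strptime(value, "%Y%m%d").date()).days
    return ages


def stale_signatures(fields: Dict[str, str], as_of: date, max_age_days: int = 60) -> List[str]:
    """Names of signature sets older than max_age_days (an assumed policy)."""
    return sorted(k for k, age in signature_ages(fields, as_of).items() if age > max_age_days)


if __name__ == "__main__":
    info = parse_show_version(SAMPLE_OUTPUT)
    ref = compile_date(info)  # on a live device, compare against today's date instead
    for name, age in sorted(signature_ages(info, ref).items()):
        print(f"{name:<14} {info[name]}  ({age} days old as of {ref})")
    print("stale:", stale_signatures(info, ref))
```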
Chapter 2 Configuration interface
2.1 Configure Ethernet port
2.1.1 Description of Ethernet port
By configuring an Ethernet port, the user may change the port's bandwidth, duplex mode and port
rate. For a 1,000 M network card, the name prefix is ge, such as ge0, ge1, etc. All equipment ports
are enabled by default.
2.1.2 Configure Ethernet port
Default configuration
Table 2-1 Default setting information regarding port
Auto-negotiate configuration (auto-negotiate on/off)
    Default setting: on
    Remark: Setting can be changed
Port MTU (mtu)
    Default setting: 1500
    Remark: Setting can be changed
Port management status (shutdown/no shutdown)
    Default setting: no shutdown
    Remark: Setting can be changed
Enable auto-negotiate function
By default port parameters are negotiated automatically; under auto-negotiate mode all port
parameters are negotiated automatically and cannot be set manually.
Steps to enable the port's auto-negotiate function:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: auto-negotiate on
    Enable the auto-negotiate function
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Disable auto-negotiate function
By default port parameters are negotiated automatically; after the function is disabled, port
parameters can be configured manually.
Steps to disable the port's auto-negotiate function:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: auto-negotiate off
    Disable the auto-negotiate function
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Note:
Since the auto-negotiate function is enabled by default, the user must disable the port's
auto-negotiate function before configuring other parameters.
Duplex setting
Duplex means simultaneous transmission in both directions. Half-duplex supports bidirectional
communication, but not in both directions at the same time: the two directions must take turns. For a
connection to a shared HUB, the Ethernet port should be set to half-duplex; for a connection to a
switched LAN (SWITCH), the Ethernet port should generally be full duplex.
Steps to configure duplex mode:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: duplex (full|half)
    Configure the port duplex mode
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Parameter description: duplex (full|half)
full
    Full duplex
half
    Half duplex
Rate setting
Port rate refers to the rate at which the port receives and sends data packets, generally 10M or
100M; the ports of this equipment support 10M, 100M and 1,000M. To ensure the interconnected
network equipment works normally, two interconnected ports must be configured with the same rate.
Steps to set port rate:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: speed (10|100|1000)
    Configure the port rate
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Note:
A 100 M port cannot be set to a port rate of 1,000 M.
Close port
A closed port cannot receive or send data. Closing a port is mainly for discovering and diagnosing
system failures and is not necessary under normal conditions.
Steps to close port:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: shutdown
    Close the port
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Configure interface IP address
A port's IP address may be configured by one of the following three methods:
- Static configuration: the IP address is designated directly;
- PPPoE acquisition: the IP address, and also the gateway and DNS settings, are acquired from a
  PPPoE server; this applies when the equipment accesses the Internet via ADSL.
- DHCP acquisition: the IP address, and also the gateway and DNS settings, are acquired from a
  DHCP server.
Each port may be configured with a different IP address method, but only one method at a time.
The steps for each method are as follows:
Steps to configure port with static IP:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: ip address A.B.C.D/M
    Statically designate the interface IP address; A.B.C.D/M is the IP address and mask length.
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Steps to configure port and get its address via PPPoE:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: ip address pppoe [A.B.C.D]
    Configure the interface to acquire its address via PPPoE; the interface may also designate an IP
    address, where A.B.C.D is the IP address designated for the interface.
Step 4: pppoe username USERNAME
    Configure the PPPoE authentication username
Step 5: pppoe password PASSWORD
    Configure the PPPoE authentication password
Step 6: pppoe default_gateway
    Use the PPPoE gateway as the interface's default gateway
Step 7: pppoe dns
    Use the PPPoE server's DNS setting
Step 8: pppoe distance <1-255>
    Set the weight of the default gateway acquired through PPPoE
Step 9: end
    Return to privileged mode
Step 10: write terminal
    Display configuration
Steps to acquire port address through DHCP:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: ip address dhcp metric <1-255> gw (reset|default) dns (reset|default)
    Acquire the IP address through DHCP
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Parameter description: ip address dhcp
metric <1-255>
    Weight of the IP address acquired through DHCP, range <1-255>
gw (reset|default)
    Gateway acquisition method: reset means use the gateway designated by the DHCP server,
    default means keep the original system gateway
dns (reset|default)
    DNS acquisition method: reset means use the DNS designated by the DHCP server, default
    means keep the original system DNS
The user may delete the current interface's IP address setting with no ip address, cancel the
interface's DHCP client setting with no ip address dhcp, and cancel the interface's PPPoE setting
with no ip address pppoe.
Note:
The DHCP client can be applied on an interface such as a VLAN interface, but cannot be applied on
a physical interface that has VLANs configured on it.
Configure interface MTU
The interface MTU (maximum transmission unit) controls the maximum size of the packets sent by
the interface.
Steps to configure interface MTU:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: mtu <1280-1500>
    Set the maximum packet size of the port, by default 1,500
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Configure internal and external network interface
The external and internal network interface setting is used for user identification and statistics.
Steps to configure external and internal network interface:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: traffic-mode external/internal
    Set the interface as an external or internal network interface
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Configure port management access
Port management access controls which management services may be reached through the port;
with it, the user may restrict certain types of access to the port and ensure safe operation of the
equipment.
Steps to configure port management access:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: allow (|http|https|ping|telnet|ssh|bgp|dns|ospf|rip|tcontrol)
    Configure port management access
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Parameter description: allow access
tcontrol
    Permit or prohibit the monitoring center from managing the equipment
http
    Permit or prohibit equipment management via HTTP
https
    Permit or prohibit equipment management via HTTPS
telnet
    Permit or prohibit equipment management via Telnet
ssh
    Permit or prohibit equipment management via SSH
ping
    Permit or prohibit external equipment from pinging the equipment
bgp
    Permit or prohibit external equipment from using BGP
dns
    Permit or prohibit external equipment from using the DNS server function
ospf
    Permit or prohibit external equipment from using OSPF
rip
    Permit or prohibit external equipment from using RIP
The above authorities may be enabled simultaneously on the same port and used in combination.
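As an added example (not from the manual or the equipment vendor), the following script audits a running-config for interfaces that still allow plaintext management services (telnet, http), rates them higher when the interface is an external network interface, and emits the “no allow” commands from this chapter needed to close them. The running-config stanza layout, the interface names and the addresses are constructed assumptions; the commands themselves are the ones documented on this page.

```python
"""Added example (not from the manual): audit of per-interface management access.

Parses a running-config, flags interfaces that still allow plaintext
management (telnet, http), and builds the remediation commands from this
chapter. The config layout and the sample interfaces are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Management services whose credentials and commands cross the wire unencrypted.
PLAINTEXT_SERVICES = {"telnet", "http"}

# Constructed running-config; the stanza layout is an assumption.
SAMPLE_CONFIG = """\
interface ge0/0
 ip address 192.0.2.1/24
 traffic-mode external
 allow ping
 allow ssh
 allow telnet
 allow http
!
interface ge0/1
 ip address 10.0.0.1/24
 traffic-mode internal
 allow ssh
 allow https
!
interface ge0/2
 ip address 10.0.1.1/24
 traffic-mode internal
 allow http
!
"""

Finding = Tuple[str, str, str]  # (interface, service, severity)


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect ip address, traffic-mode and allowed services per interface stanza."""
    interfaces: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":  # end of the current stanza
            current = None
        elif line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = interfaces.setdefault(name, {"ip": None, "traffic_mode": None, "allow": []})
        elif current is not None and line.startswith("ip address "):
            current["ip"] = line.split(None, 2)[2]
        elif current is not None and line.startswith("traffic-mode "):
            current["traffic_mode"] = line.split(None, 1)[1]
        elif current is not None and line.startswith("allow "):
            current["allow"].append(line.split(None, 1)[1])
    return interfaces


def audit(interfaces: Dict[str, dict]) -> List[Finding]:
    """Flag plaintext management services; external-facing ports rate 'high'."""
    findings: List[Finding] = []
    for name in sorted(interfaces):
        entry = interfaces[name]
        for svc in sorted(entry["allow"]):
            if svc in PLAINTEXT_SERVICES:
                severity = "high" if entry["traffic_mode"] == "external" else "medium"
                findings.append((name, svc, severity))
    return findings


def remediation(findings: List[Finding]) -> List[str]:
    """Commands from this chapter that close each flagged service, one block per interface."""
    by_iface: Dict[str, List[str]] = {}
    for name, svc, _ in findings:
        by_iface.setdefault(name, []).append(svc)
    cmds: List[str] = []
    for name in sorted(by_iface):
        cmds += ["configure terminal", f"interface {name}"]
        cmds += [f"no allow {svc}" for svc in by_iface[name]]
        cmds.append("end")
    if cmds:
        cmds.append("write memory")  # persist the change, as section 1.3.2 requires
    return cmds


if __name__ == "__main__":
    found = audit(parse_interfaces(SAMPLE_CONFIG))
    for name, svc, severity in found:
        print(f"{severity:<6} {name}: plaintext management via {svc}")
    print("\n".join(remediation(found)))
```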
Configure port access
Port access controls the authority of users accessing the Internet or servers through the port; with it,
the user may restrict some port access and ensure safe server operation.
Steps to configure port access:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: allow (webauth)
    Configure port access
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
Parameter description: allow access
webauth
    Permit or prohibit the port from accessing Web authenticated users
The above authorities may be enabled simultaneously on the same port and used in combination.
Configure port alias
When the equipment leaves the factory, the name of each port matches the label on the equipment
panel. To make the usage of each port easier to understand and remember during operation, the user
may give each port an intuitive name with the command “aliasname”.
Steps to modify port alias name:
Step 1: configure terminal
    Enter global configuration mode
Step 2: interface IFNAME
    Enter a certain interface
Step 3: aliasname NAME
    Configure the port alias name; NAME is the alias name of the port.
Step 4: end
    Return to privileged mode
Step 5: write terminal
    Display configuration
2.1.3 Configuration cases
Case description
Set port ge0 to a rate of 100Mbps and full duplex mode, then close port ge0.
Configuration steps:
Step 1: Enter Ethernet port configuration mode
HOST(config)# interface ge0
Step 2: Disable auto-negotiate
HOST(config-if)# no auto
Step 3: Configure port ge0 with a bandwidth of 100Mbps
HOST(config-if)# speed 100
Step 4: Configure port ge0 as full duplex mode
HOST(config-if)# duplex full
Step 5: Close port ge0
HOST(config-if)# shutdown
2.1.4 Ethernet port monitoring and maintenance
2.1.4.1 Display port information
Steps to display the information of a port:
Step 1: Display the information of a port
HOST_A# show interface ge0
interface ge0
description:
Admin UP
Link UP
kernel ID: 2
MTU: 1500
IP address: 172.17.50.16/16
MAC address: 00:bb:dd:bb:cc:dd
Auto negotiate: ON
Speed: 1000 Duplex: FULL
media type: COMBO(COPPER)
Listen Mode: OFF
Traffic Mode: INTERNAL
The command “show interface” cannot display the information of all ports when no specific port is
designated.
2.1.5 Fault analysis
Test whether an Ethernet port functions normally with the following method:
- When network load is small, a PC (in the same LAN as the equipment) pings the equipment's Ethernet port; check that all replies are returned correctly.
- When network load is large, check the port statistics on both connected sides (such as the equipment and the switch) and see whether the count of erroneous frames received increases quickly.
If either of the above two tests fails, it is confirmed that the equipment's Ethernet port functions abnormally.
Remove faults as follows when the Ethernet port is confirmed faulty:
- Check that the physical equipment is correctly connected. When the physical connection is normal, the Link indicators of the ports on both ends of the network cable should be on.
- Check that the rate settings on both sides are consistent. When one piece of equipment works at 100Mbps and the other at 10Mbps, the port will not function normally. Fault description: the equipment configured with 100Mbps is displayed as port down, while the one configured with 10Mbps is displayed as port UP; to fix this, ensure consistent rates by using the command “speed”.
- Check that both pieces of equipment are in the same network, namely their network address is identical while the host address differs; if the network addresses differ, set the IP address correctly by using the command “ip address”.
- Check that the duplex mode is consistent (one side being the equipment). When the duplex mode is inconsistent, namely one side works in full duplex mode while the other works in half-duplex mode, fault description: as network traffic increases, the side configured with half-duplex mode shows frequent collisions (when connected to a shared hub, all machines on the whole network segment show such collisions), the side configured with full duplex mode shows a large number of erroneous packets received, and both sides suffer severe packet loss. By using the command “show interface [IFNAME]”, the user may view the error rate of packets received and sent by the Ethernet port, and collisions can generally be detected by viewing the port status indicator. For a connection to a shared hub, half-duplex mode should be selected; for a connection to a LAN switch, full duplex mode should be used.
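The checklist above (link state, rate, duplex, same network) can be applied mechanically to the output of “show interface” on both ends of a cable. The following Python script is an added example written for this manual, not a tool shipped with the equipment: it parses two constructed listings in the format of the “show interface ge0” output shown in 2.1.4 (the peer listing deliberately carries a speed/duplex mismatch) and reports every check that fails.

```python
import re
import ipaddress

# Constructed sample listings in the style of the manual's "show interface ge0"
# output (not captured from a real device). The second one stands for the far
# end of the same cable and deliberately carries a speed/duplex mismatch.
LOCAL_END = """\
interface ge0
description:
Admin UP
Link UP
kernel ID: 2
MTU: 1500
IP address: 172.17.50.16/16
MAC address: 00:bb:dd:bb:cc:dd
Auto negotiate: ON
Speed: 1000 Duplex: FULL
media type: COMBO(COPPER)
Listen Mode: OFF
Traffic Mode: INTERNAL
"""

PEER_END = """\
interface ge1
description:
Admin UP
Link UP
kernel ID: 3
MTU: 1500
IP address: 172.17.50.17/16
MAC address: 00:bb:dd:bb:cc:ee
Auto negotiate: OFF
Speed: 100 Duplex: HALF
media type: COMBO(COPPER)
Listen Mode: OFF
Traffic Mode: INTERNAL
"""


def parse_show_interface(text):
    """Turn one 'show interface IFNAME' listing into a dict of the fields the
    fault checklist needs: name, admin/link state, speed, duplex, IP, autoneg."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            info["name"] = line.split(None, 1)[1]
        elif (m := re.match(r"(Admin|Link)\s+(UP|DOWN)$", line)):
            info[m.group(1).lower()] = m.group(2)
        elif (m := re.match(r"Speed:\s*(\d+)\s+Duplex:\s*(\w+)", line)):
            info["speed"] = int(m.group(1))
            info["duplex"] = m.group(2).upper()
        elif line.startswith("IP address:"):
            info["ip"] = ipaddress.ip_interface(line.split(":", 1)[1].strip())
        elif line.startswith("Auto negotiate:"):
            info["autoneg"] = line.split(":", 1)[1].strip().upper() == "ON"
    return info


def check_link_pair(local, peer):
    """Apply the fault-analysis checklist to both ends of one link: link state,
    rate, duplex, and whether both ends sit in the same network.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    if local.get("link") != "UP" or peer.get("link") != "UP":
        findings.append("link down: check cabling and the Link indicators on both ends")
    if local["speed"] != peer["speed"]:
        findings.append(f"speed mismatch: {local['speed']} vs {peer['speed']} Mbps "
                        "(align with the 'speed' command)")
    if local["duplex"] != peer["duplex"]:
        findings.append(f"duplex mismatch: {local['duplex']} vs {peer['duplex']} "
                        "(align with the 'duplex' command)")
    if local["ip"].network != peer["ip"].network:
        findings.append(f"different networks: {local['ip'].network} vs {peer['ip'].network} "
                        "(fix with the 'ip address' command)")
    elif local["ip"].ip == peer["ip"].ip:
        findings.append(f"duplicate host address {local['ip'].ip} on both ends")
    return findings


if __name__ == "__main__":
    for finding in check_link_pair(parse_show_interface(LOCAL_END),
                                   parse_show_interface(PEER_END)):
        print("FINDING:", finding)
```

Run against the two constructed listings it reports the speed and duplex mismatches; feeding it the saved output of both devices after a change is a quick way to confirm the “speed” and “duplex” settings really match before blaming the cable.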
2.2 Configure VLAN interface
The section relates to VLAN configuration, mainly including:

VLAN description;

Configure interface encapsulation’s link layer protocol as VLAN
2.2.1 VLAN description
By means of port division, in a physical LAN, equipment in LAN is partitioned into several
independent groups, and equipment inside group can freely communicate and, when equipment in
different groups need to communicate, three-layer routing forward will be necessary and by which, a
physical LAN is as if partitioned into several isolated LANs, and those different groups are called
virtual LAN (VLAN).
2.2.2 Configure interface’s encapsulated link layer protocol as VLAN
For the equipment to identify packets carrying a VLAN tag, a VLAN must be created and added to an
Ethernet interface; packets with a VLAN tag are then received/forwarded through the subinterface.
Description of the VLAN ID value:
The VLAN ID ranges 1-4,094 and a VLAN is created with the command “vlan ID”; for instance, to
create vlan 10 and add ge0 to vlan 10 in untag mode, the command is “untag vlan 10”.
Steps to configure the interface's encapsulated link layer protocol as VLAN:
Step 1
host(config)#vlan <1-4094>
Create a VLAN, <1-4094> being the VLAN ID
Step 2
host(config)#interface ge0
Enter interface view
Step 3
host(config-ge0)#tag vlan ID
Designate the interface's VLAN tag ID; an interface may have several VLAN tag IDs.
Step 4
host(config)#interface vlan<1-4094>
Create a VLAN interface, <1-4094> being the VLAN ID
Step 5
ip address A.B.C.D/M
Set the VLAN interface's IP address
Note:
When the Ethernet interface has been configured with IP address, IP address will be automatically
deleted after VLAN addition.
2.2.3 Display configuration information
Command for displaying VLAN configuration information:
Step 1
show interface
Display VLAN interface information
Step 2
show vlan
Display VLAN information
2.2.4 Configuration cases
Router connection between two VLANs:
Case description
A switch connects to the equipment.
The switch has two VLANs: VLAN 10 and VLAN 20.
VLAN 10 (VLAN ID 10) includes ports 1, 2 and 3; port 1 is a tagged port connecting to the ge0
interface, ports 2 and 3 are untagged ports with a downlink to network segment 192.168.10.0/24.
VLAN 20 (VLAN ID 20) includes ports 1, 4 and 5; port 1 is a tagged port connecting to the ge0
interface, ports 4 and 5 are untagged ports with a downlink to network segment 192.168.20.0/24.
The equipment's ge0 interface also has two VLANs, vlan 10 and vlan 20, with VLAN IDs 10 and 20
respectively.
vlan10's IP address is 192.168.10.1/24.
vlan20's IP address is 192.168.20.1/24.
Configuration steps
Step 1
Create vlan10 and designate IP address.
HOST_A# configure terminal
HOST_A (config)# vlan 10
HOST_A (config-vlan)# ip address 192.168.10.1/24
HOST_A (config-vlan)# exit
Step 2
Create vlan20 and designate IP address.
HOST_A (config)# vlan 20
HOST_A (config-vlan)# ip address 192.168.20.1/24
HOST_A (config-vlan)# exit
Step 3
Create a security policy for mutual access between the interfaces.
HOST_A(config)# policy 1 any any any any any always permit
HOST_A(config-policy)# enable
HOST_A(config-policy)# exit
Step 4
Save configuration
HOST_A (config)# write memory
2.2.5 Fault analysis
VLAN cannot function normally
Fault phenomenon
VLAN cannot function normally
Analysis and solution
1. Check whether the configured VLAN ID is the one you need and whether the configuration is correct.
2. Check whether the network topology is correct.
3. Check whether the lines are in normal condition.
4. Check whether the VLAN status is correct.
2.3 Configure transparent bridge (vlan passthrough)
2.3.1 Overview of transparent bridge
Function of transparent bridge: the transparent bridge, initially proposed by DEC, was adopted and
standardized by the IEEE 802.1 committee. A transparent bridge is convenient to apply and install, and
operates as soon as it is connected between the LANs to be interconnected. It does not affect the existing
LANs: there is no need to change the original software or hardware, nor to set address switching or load
path selection parameters. For users the bridge is transparent, that is to say, users do not notice when the
bridge joins or leaves the network.
2.3.2 Configure transparent bridge
Create transparent bridge
Steps to create a transparent bridge:
Step 1
vlan ID
Create a VLAN
A VLAN can be deleted with the command “no vlan ID”.
Configure bridge group port
After configuring the transparent bridge, the actual physical interfaces or aggregation interfaces must be
added to the bridge; such interfaces are known as bridge group ports.
Steps to configure bridge group ports:
Step 1
interface NAME
Access to a port
Step 2
tag/untag vlan <1-4094>
Add multiple interfaces to the same VLAN; the interfaces belonging to one VLAN are considered as
a transparent bridge
2.3.3 Configure bridge STP
STP (Spanning Tree Protocol) applies to networks containing loops: by means of an algorithm it
implements path redundancy while pruning the looped network into a loop-free tree, so that messages
neither multiply in the loop nor circulate endlessly.
Create a new bridge interface and enable or disable the STP function.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
vlan ID
Access to VLAN
Step 3
bridge stp (enable|disable)
Enable or disable the STP function
Configure bridge priority
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
vlan ID
Access to VLAN
Step 3
bridge priority <0-61440>
Configure bridge interface priority
Parameter description:
Parameter | Description | Default configuration
priority | Bridge interface priority value, ranging 0-61,440 | 32,768
Configure the interval at which the bridge sends BPDU hello
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
vlan ID
Access to VLAN
Step 3
bridge hello-time <1-10>
Configure the interval at which the bridge sends BPDU hello
Parameter description:
Parameter | Description | Default configuration
hello-time | Hello BPDU sending interval, ranging 1-10 | 2
Configure maximum aging time of bridge STP
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
vlan ID
Access to VLAN
Step 3
bridge max-age <6-40>
Configure maximum aging time of STP
Parameter description:
Parameter | Description | Default configuration
max-age | Maximum aging time of STP, ranging 6-40 | 20
Configure port status switching delay
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
vlan ID
Access to VLAN
Step 3
bridge forward-delay <4-30>
Configure port status switching delay
Parameter description:
Parameter | Description | Default configuration
forward-delay | Port status switching delay, ranging 4-30 | 15
Note:
Choose the bridge with high performance, located close to the center of the network, as the one with the highest priority.
Prompt:
Port switching time refers to the interval, after STP is enabled, for a port to go from listening, to
learning, to forwarding.
2.3.4 Configuration cases
Configure transparent bridge
Case description
Insert the equipment into an existing network without changing the original topology and
configuration, and add two ports of the equipment (ge0 and ge1) to a bridge group (vlan 10), with ge0
connecting to the router (192.168.0.1) and ge1 to the other machines in network segment
192.168.0.0/16.
Configuration steps:
Step 1
Create transparent bridge (vlan 10)
HOST# configure terminal
HOST(config)# vlan 10
HOST(config-vlan)# exit
Step 2
Add port ge0 to transparent bridge (vlan 10)
HOST(config)# interface ge0
HOST(config-ge0)# untag vlan 10
HOST(config-ge0)# exit
Step 3
Add port ge1 to transparent bridge (vlan 10)
HOST(config)# interface ge1
HOST(config-ge1)# untag vlan 10
HOST(config-ge1)# exit
2.3.5 Transparent bridge monitoring and maintenance
View information relating to bridge group
Step 1
View information relating to bridge group
HOST# show vlan 10 stp
vlan:vlan10
STP: disabled
bridge id       : 8000.0010f30d1a04
designated root : 8000.0010f30d1a04
Ageing time: 300
bridge ports:
ge0 <forwarding>
ge1 <forwarding>
The output shows, respectively: bridge group name, STP enabling status, bridge ID, designated root, FDB aging time,
and the ports included in the bridge with their status.
View FDB information
Step 1
HOST# show vlan 10 fdb
vlan:vlan10
Address            State       Ageing   Interface
00:10:f3:0e:56:b8  forwarding  87       ge0
00:16:41:59:3e:9c  forwarding  31       ge0
00:16:76:65:3c:b7  forwarding  201      ge0
00:16:76:6b:15:9b  forwarding  18       ge0
00:16:41:59:57:ca  forwarding  151      ge0
00:16:17:96:c5:71  forwarding  110      ge0
00:10:f3:0d:1a:04  forwarding  static   ge0
00:16:76:80:ab:84  forwarding  89       ge0
00:16:76:6b:16:d9  forwarding  63       ge0
00:16:76:65:3e:3c  forwarding  90       ge0
00:16:17:ed:ff:5f  forwarding  125      ge0
00:15:e9:b0:4f:42  forwarding  1        ge0
00:16:17:96:c5:6f  forwarding  49       ge0
00:17:df:ba:4c:00  forwarding  0        ge0
00:16:76:6b:9d:98  forwarding  262      ge0
00:19:aa:15:6f:03  forwarding  0        ge0
00:16:76:80:ab:94  forwarding  12       ge0
00:10:f3:0d:1a:05  forwarding  static   ge1
Local port’s MAC address is displayed as static, no aging.
View transparent bridge’s debug information
Step 1
View bridge group messaging information
HOST# debug vlan
2.3.6 Common fault analysis
Transparent bridge cannot function normally
Fault phenomenon
Data cannot be transmitted between two ports of bridge.
Analysis and solution
1) Whether the correct ports have been added to the bridge;
2) Whether the link is normal;
3) Whether the port status is normal (whether the port's Admin status is UP)
2.4 Configure link aggregation interface
2.4.1 Overview of link aggregation
Link aggregation improves bandwidth by combining multiple links into one logical network link.
By means of link aggregation, using fast Ethernet and GbE technology, the capacity and availability
of the communication channel between equipment is improved. Binding two or more Megabit or
Gigabit Ethernet links improves bandwidth capacity and connection redundancy. In addition, link
aggregation helps handle the communication load by means of load balancing, distributing the load
evenly across several links so that no single link is overloaded. By means of link aggregation, the user
gains practical benefits in application: higher reliability, higher bandwidth, and lower cost with
existing equipment (higher bandwidth is obtained without upgrading equipment).
2.4.2 Configure link aggregation interface
Create a new Aggregate interface and add physical interfaces to the Aggregate
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
interface agg0
Create Aggregate interface agg0
Step 3
interface ge0
aggregate-group 0
interface ge1
aggregate-group 0
Add physical interfaces ge0 and ge1 to aggregate group 0
Parameter description:
Parameter | Description | Default configuration
aggregate-group number | 0-255 | -
Configure aggregation mode
Configuration steps
Step 1
configure terminal
Enter configuration mode
Step 2
interface agg0
Access to Aggregate interface agg0
Step 3
trunk lacp
Configure the aggregation mode of Aggregate interface agg0 as LACP protocol aggregation mode
Parameter description:
Parameter | Description | Default configuration
LACP aggregation mode | Enable the LACP protocol on all physical subinterfaces added to the Aggregate and negotiate with the physical interfaces at the opposite end via LACP; those qualifying for aggregation are aggregated. | -
Configure Aggregate send load balance
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
interface agg0
Create Aggregate interface agg0
Step 3
trunk hash polling
Configure Aggregate load balance by polling
trunk hash dst-mac
Configure Aggregate load balance based on destination MAC
trunk hash dst-ip
Configure Aggregate load balance based on destination IP
trunk hash src-dst-ip
Configure Aggregate load balance based on source IP, destination IP and port (TCP, UDP protocol)
trunk hash src-dst-mac
Configure Aggregate load balance based on source MAC and destination MAC
trunk hash src-ip
Configure Aggregate load balance based on source IP
trunk hash src-mac
Configure Aggregate load balance based on source MAC
Parameter description:
Parameter | Description | Default configuration
polling | Hash and select the sending port by polling, according to connection | -
dst-mac | Hash and select the sending port according to the destination MAC of the message to be sent | -
dst-ip | Hash and select the sending port according to the destination IP | -
src-dst-ip | Hash and select the sending port according to source IP, destination IP and port (if the message is TCP or UDP) | -
src-dst-mac | Hash and select the sending port according to source MAC and destination MAC | -
src-mac | Hash and select the sending port according to the source MAC | -
src-ip | Hash and select the sending port according to the source IP | -
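The practical consequence of the hash modes in the table above is which flows share a member link and which are spread apart: every mode except polling hashes the chosen header fields, so all frames of one flow stay on one port (and in order), while flows that agree on the hashed fields pile onto the same port. The Python model below is an added example, not the equipment's own implementation; the manual documents the fields each mode uses but not the hash function, so SHA-256 is assumed as a stand-in, and the member ports and flows are constructed.

```python
import hashlib
import itertools

# Member ports of the aggregate, as in the manual's agg0 example (ge0, ge1, ge2).
MEMBERS = ("ge0", "ge1", "ge2")

# Header fields each "trunk hash" mode feeds into the hash, as listed in the
# manual. The hash function itself is undocumented; SHA-256 is an assumed
# stand-in and will not reproduce the port choice of real hardware.
HASH_FIELDS = {
    "dst-mac":     ("dst_mac",),
    "src-mac":     ("src_mac",),
    "src-dst-mac": ("src_mac", "dst_mac"),
    "dst-ip":      ("dst_ip",),
    "src-ip":      ("src_ip",),
    "src-dst-ip":  ("src_ip", "dst_ip", "proto", "sport", "dport"),
}

# Constructed sample flows (not captured traffic). Flows 0 and 1 differ only
# in the TCP source port; flow 2 is ICMP and therefore carries no ports.
FLOWS = [
    {"src_mac": "00:16:76:65:3c:b7", "dst_mac": "00:10:f3:0d:1a:04",
     "src_ip": "192.168.10.20", "dst_ip": "192.168.20.30",
     "proto": "tcp", "sport": 51000, "dport": 443},
    {"src_mac": "00:16:76:65:3c:b7", "dst_mac": "00:10:f3:0d:1a:04",
     "src_ip": "192.168.10.20", "dst_ip": "192.168.20.30",
     "proto": "tcp", "sport": 51001, "dport": 443},
    {"src_mac": "00:16:41:59:3e:9c", "dst_mac": "00:10:f3:0d:1a:04",
     "src_ip": "192.168.10.21", "dst_ip": "192.168.20.30", "proto": "icmp"},
]


def hash_key(mode, flow):
    """Join the fields the chosen mode hashes. Layer-4 ports are included
    only for TCP/UDP, as the manual states for src-dst-ip."""
    values = []
    for field in HASH_FIELDS[mode]:
        if field in ("sport", "dport") and flow.get("proto") not in ("tcp", "udp"):
            continue
        values.append(str(flow.get(field, "")))
    return "|".join(values)


def select_member(mode, flow, members=MEMBERS):
    """Pick the member port on which frames of this flow are sent."""
    digest = hashlib.sha256(hash_key(mode, flow).encode()).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def distribute(mode, flows, members=MEMBERS):
    """Map every flow to a member port. 'polling' hands flows to the members
    in turn; every other mode hashes the selected header fields."""
    if mode == "polling":
        cycle = itertools.cycle(members)
        return [next(cycle) for _ in flows]
    return [select_member(mode, flow, members) for flow in flows]


if __name__ == "__main__":
    for mode in ("polling", *HASH_FIELDS):
        print(f"{mode:12s} -> {distribute(mode, FLOWS)}")
```

Running it shows why the case in 2.4.3 chooses src-dst-ip: dst-mac and dst-ip put all three flows on one port because they share a destination, whereas src-dst-ip can separate the two TCP sessions by port number while still keeping each session on a single link.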
Configure Aggregate interface as a port of bridge interface
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
vlan 10
Configure a transparent bridge
Step 3
interface agg0
Access to Aggregate interface configuration
Step 4
untag vlan 10
Configure bridge port
Configure Aggregate interface as vlan
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
interface agg0
Access to Aggregate interface configuration
Step 3
tag vlan 10
Configure Aggregate interface as vlan port
Parameter description:
Parameter | Description | Default configuration
vlan ID of aggregate | vlan ID should be identical with the physical interface vlan ID | -
2.4.3 Configuration cases
Case description
Two subnets in a company, LAN1 and LAN2, are each connected to one of two pieces of equipment
through Megabit ports, and each LAN connects to 3 interfaces of its equipment. Since the traffic
between LAN1 and LAN2 is very high, 300M bandwidth and link backup are necessary, to prevent the
two LANs from being disconnected by a link fault.
In this case, each of the two pieces of equipment is configured with an Aggregate interface, with the
physical interfaces directly connected; the user adds 3 physical interfaces on each side to the Aggregate
for aggregation, in order to increase bandwidth and provide link backup.
Configuration steps
1. Enter equipment configuration mode
HOST# config terminal
2. Create Aggregate interface agg0, with Aggregate group number 0
HOST(config)# interface agg0
3. Configure Aggregate interface mode as LACP mode
HOST(config-agg0)# trunk lacp
4. Configure Aggregate load balance as layer-3 mode
HOST(config-agg0)# trunk hash src-dst-ip
5. Return to the upper-level node
HOST(config-agg0)# exit
6. Add ge0, ge1 and ge2 to agg0
HOST(config)# interface ge0
HOST(config-ge0)# aggregate-group 0
HOST(config-ge0)# interface ge1
HOST(config-ge1)# aggregate-group 0
HOST(config-ge1)# interface ge2
HOST(config-ge2)# aggregate-group 0
7. Exit; configuration is completed.
HOST(config-ge2)# end
HOST#
Description
After the above configuration on both pieces of equipment, their 3 ports are aggregated with each other and, from the
upper layer, serve as one interface, so bandwidth is tripled. In addition, the 3 interfaces back each other up: when one
interface goes down because of a failure, the two pieces of equipment still communicate normally.
2.4.4 Common fault analysis
Fault phenomenon 1: Aggregate interface does not receive or send messages
Phenomenon
The Aggregate interface can neither receive nor send messages
Analysis
Aggregate link aggregation fails to negotiate, leaving the lower ports inactive
Solution
Check the Aggregate port of the opposite-side equipment so that both ends of the Aggregate aggregate and negotiate
2.5 Configure PPPoE interface
2.5.1 PPPoE overview
PPPoE, point-to-point protocol over Ethernet, enables an Ethernet host to connect to a remote access
concentrator through simple bridging equipment. By means of the PPPoE protocol, the remote access
equipment can control and bill each accessed user.
2.5.2 Configure PPPoE interface
Configure PPPoE interface and configure physical interface with PPPoE
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
interface ge0
Access to physical port
Step 3
ip address pppoe
pppoe username xxx
pppoe password secret xxx
Configure the interface in PPPoE mode and add the PPPoE username/password
2.5.3 Configuration cases
Case description:
A company transmits intranet user data by PPPoE dial-up, with username xsa112233 and
password 111222333.
Configuration steps
1. Enter equipment configuration mode
HOST# config terminal
2. Access to the dial-up interface
HOST(config)# interface ge0/0
3. Configure the interface's IP acquisition method
HOST(config-ge0/0)# ip address pppoe
4. Configure username and password
HOST(config-ge0/0)# pppoe username xsa112233
HOST(config-ge0/0)# pppoe password 111222333
5. Exit; configuration is completed.
HOST(config-ge0/0)# end
HOST#
2.6 Configure DHCP interface
2.6.1 DHCP
DHCP (Dynamic Host Configuration Protocol) is a networking protocol for LANs. It runs over UDP
and mainly has two functions: automatically distributing IP addresses to intranet users or network
service providers, and giving the user or intranet administrator a means of central management of all
computers. DHCP has 3 ports, of which UDP 67 and UDP 68 are the normal DHCP service ports, for
the DHCP server and the DHCP client respectively.
2.6.2 Configure DHCP interface
Configure DHCP interface and configure DHCP on physical interface
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
interface ge0
Access to physical port
Step 3
ip address dhcp metric METRIC gw (default|reset) dns (default|reset)
Configure DHCP to acquire an IP address, and set the route weight and global DNS.
2.6.3 Configuration cases
Case description:
A company connects the equipment to DHCP to acquire the interface's IP address.
Configuration steps
1. Enter equipment configuration mode
HOST# config terminal
2. Access to the interface
HOST(config)# interface ge0
3. Configure the interface's IP acquisition method
HOST(config-ge0)# ip address dhcp metric 10 gw reset dns default
4. Exit; configuration is completed.
HOST(config-ge0)# end
HOST#
2.7 Configure Listen Mode interface
2.7.1 Overview of listen mode interface
Under Bypass work mode, network flow will not flow through the equipment, and other network
equipment would mirror the flow to be detected to equipment. Under such deployment mode,
equipment will not affect the normal transmission of network flow and in case of attack, can block
attack by linking with firewall.
2.7.2 Configure listen mode interface
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
interface ge0
Access to physical port
Step 3
listen-mode
Configure interface monitoring
2.8 Configure GRE interface
2.8.1 Gre interface
GRE means encapsulating the data message of one network layer protocol (such as IP, IPX, AppleTalk,
etc.) so that the encapsulated message can be transmitted in another network layer protocol (such as
IP). That is the initial definition of GRE; the latest GRE encapsulation specification also allows
encapsulation of layer-2 data frames, such as PPP frames, MPLS, etc. GRE is defined in RFC2784 as
“X over Y”, where X and Y can be any protocols, so GRE truly is a “Generic Routing Encapsulation”.
The GRE protocol is actually an encapsulation protocol: it provides a mechanism to encapsulate the
message of one protocol in the message of another protocol, enabling messages to be transmitted across
heterogeneous networks. The channel for such heterogeneous message transmission is known as a Tunnel.
A GRE tunnel cannot be configured with layer-2 information, only an IP address. GRE transmits through
the actual physical interface designated by the tunnel as follows:
(1) All original messages sent to the remote VPN are first sent to the source end of the tunnel.
(2) At the source end of the tunnel the original messages are GRE-encapsulated: the tunnel source
address and destination address confirmed when the tunnel was created are filled in, then the message is
transmitted to the remote VPN network through the public IP network.
2.8.2 Configure gre interface
Configuration steps:
Step 1
configure terminal
Enter global configuration mode
Step 2
interface tunnel <0-2047> mode gre
Create gre interface
Step 3
aliasname NAME
Set interface name
Step 4
ip address A.B.C.D/M
Set ip address
Step 5
tunnel-source (A.B.C.D |INTERFACE_NAME)
Set tunnel source address
Step 6
tunnel-destination (A.B.C.D | dynamic)
Set opposite end address of tunnel
Step 7
tunnel-key <1-9999>
Set tunnel mark
Step 8
tunnel-keepalive [<1-86400>] [<1-1000>]
Set the keep-alive time (10s by default) and the number of retries (3 times by default).
Each of the settings above can be cancelled with the command “no”, restoring it to the default
configuration.
Parameter description: interface gre<0-2047>
Parameter | Description | Default configuration
tunnel <0-2047> | GRE group number | None
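The encapsulation described in 2.8.1, with the tunnel-source, tunnel-destination and tunnel-key values from the configuration case in 2.8.3, can be made concrete by building the packet bytes. The Python below is an added example written for this manual, not the equipment's implementation: it wraps an inner IPv4 packet in a GRE header (RFC 2784 base header; the key field follows RFC 2890, whose K bit is 0x2000 in the flags word) and an outer IPv4 header, and the receiving side refuses packets whose key does not match the configured one, which is the defensive purpose of tunnel-key.

```python
import socket
import struct

GRE_IP_PROTO = 47          # IP protocol number that carries GRE
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" for an IPv4 payload
GRE_FLAG_KEY = 0x2000      # K bit (RFC 2890): a 4-byte key follows the header


def ip_checksum(data):
    """Standard Internet one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner, tunnel_src, tunnel_dst, key=None):
    """Wrap an IPv4 packet in GRE, then in an outer IPv4 header addressed from
    tunnel-source to tunnel-destination. With a key, the K bit is set and the
    key travels in the 4 bytes after the fixed GRE header."""
    flags = GRE_FLAG_KEY if key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        gre += struct.pack("!I", key)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_IP_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet, expected_key=None):
    """Reverse of gre_encapsulate. Returns the inner packet, or None when the
    outer packet is not IPv4/GRE, its header checksum is bad, the payload is
    not IPv4, or the carried key differs from the one configured (tunnel-key)."""
    if len(packet) < 24:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ip_checksum(packet[:ihl]) != 0 or packet[9] != GRE_IP_PROTO:
        return None
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if proto != ETHERTYPE_IPV4 or key != expected_key:
        return None
    return packet[offset:]


if __name__ == "__main__":
    # Addresses and key taken from the configuration case in 2.8.3.
    inner = ipv4_header("10.1.1.2", "10.1.1.1", 1, 0)
    pkt = gre_encapsulate(inner, "172.16.2.2", "172.16.2.1", key=10)
    print(pkt.hex())
    print(gre_decapsulate(pkt, expected_key=10) == inner)
```

Note that the key is a demultiplexing and sanity check, not authentication: GRE carries everything in clear text, so a tunnel across a public IP network that needs confidentiality still has to be protected separately.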
2.8.3 Configuration cases
Configuration steps:
Step 1
Configure gre interface
1. Access to gre interface
host(config)# interface tunnel 10 mode gre
2. Name the interface
host(config-gre10)#aliasname 10
3. Configure source address
host(config-gre10)#tunnel-source 172.16.2.2
4. Configure opposite end address
host(config-gre10)#tunnel-destination 172.16.2.1
5. Configure group number
host(config-gre10)#tunnel-key 10
6. Configure keep-alive time
host(config-gre10)#tunnel-keepalive 2 3
7. Configure ip address
host(config-gre10)#ip address 10.1.1.2/24
8. Configuration is completed; exit
host(config-gre10)#exit
Step 2
Add a static route
host(config)#ip router 172.16.1.0/24 tunl10
Chapter 3 Configure safety domain
3.1 Overview of safety domain
A domain refers to an interface group: multiple interfaces may be added to a domain, but an interface
may belong to only one domain. Once an interface is included in a domain, the interface cannot be
configured separately.
3.2 Add interface in domain
User may add an interface to domain by using command “include”.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
zone NAME
Enter NAME domain mode
Step 3
include interface IF_NAME
Add IF_NAME interface to the domain
Step 4
show zone NAME
Display domain configuration information
Interfaces added to the interface group with the command “include interface” can be removed with the
command “no include interface IF_NAME”.
Parameter description:
Command (1): zone NAME
Parameter | Description | Default configuration
<NAME> | Domain name | None
Command (2): include interface IF_NAME
Parameter | Description | Default configuration
<IF_NAME> | Interface name | None
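Because an interface may belong to only one domain (3.1), a configuration that includes the same interface in two zones is a mistake worth catching before it is written to memory. The Python below is an added example, not a tool of the equipment: it parses a constructed running-config fragment in the style of the “show running-config” output shown in 3.4.1 (where ge1 is deliberately included in two zones) and reports every interface that violates the one-domain rule.

```python
import re

# Constructed running-config fragment in the style of the manual's
# "show running-config" output (not from a real device). Interface ge1 is
# deliberately included in two domains, which the manual forbids.
SAMPLE_CONFIG = """\
!
zone trust
include interface ge0
include interface ge1
allow intrazone
!
zone untrust
include interface ge2
include interface ge1
!
"""


def parse_zones(config_text):
    """Parse 'zone NAME' sections into
    {name: {"interfaces": [...], "intrazone": bool}}.
    A line consisting only of '!' ends the current section."""
    zones = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.fullmatch(r"zone\s+(\S+)", line)
        if m:
            current = m.group(1)
            zones.setdefault(current, {"interfaces": [], "intrazone": False})
            continue
        if current is None:
            continue  # a line outside any zone section; ignored here
        m = re.fullmatch(r"include\s+interface\s+(\S+)", line)
        if m:
            zones[current]["interfaces"].append(m.group(1))
        elif line == "allow intrazone":
            zones[current]["intrazone"] = True
    return zones


def interface_conflicts(zones):
    """Return {interface: [zone, ...]} for every interface included in more
    than one domain; an empty dict means the one-domain-per-interface rule holds."""
    owners = {}
    for name, data in zones.items():
        for ifname in data["interfaces"]:
            owners.setdefault(ifname, set()).add(name)
    return {ifname: sorted(names) for ifname, names in owners.items() if len(names) > 1}


def zone_of(zones, ifname):
    """Look up which domain an interface belongs to (None if unassigned)."""
    for name, data in zones.items():
        if ifname in data["interfaces"]:
            return name
    return None


if __name__ == "__main__":
    zones = parse_zones(SAMPLE_CONFIG)
    for ifname, names in interface_conflicts(zones).items():
        print(f"{ifname} is included in more than one domain: {', '.join(names)}")
```

The same parse result also answers the question behind the fault in 3.6.1: before issuing “no zone NAME”, list the interfaces the zone still includes, since they are references that must be removed first.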
3.3 Configure mutual access among interfaces in domain
Configure interfaces in domain with command “allow intrazone”.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
zone NAME
Enter NAME domain mode
Step 3
allow intrazone
Allow the interfaces in the domain to access each other
3.4 Configuration cases
3.4.1 Configuration cases: add interfaces to domain
Case description
Configure an interface to designated domain
Configuration steps:
Step 1
Create a domain
HOST_A(config)# zone all
Step 2
Add an interface in the domain
HOST_A(config-zone)# include interface ge0
Configuration result:
HOST# show running-config
!
zone all
include interface ge0
!
3.5 Safety domain monitoring and maintenance
3.5.1 View domain information
Steps to view a domain:
Step 1
Display information of a domain
HOST_A# show zone all
!
zone all
include interface ge0
HOST_A#
“all” is the domain name; ge0 is the name of the interface added to the domain.
3.6 Common fault analysis
3.6.1 Fault phenomenon
Phenomenon
The domain still exists after “no zone NAME” is executed.
Analysis
A domain that is still referenced elsewhere cannot be deleted with the command “no”.
Solution
Remove the references to the domain from the other configuration and, after ensuring no references remain, delete the
node with the command “no”.
Chapter 4 Configure IPv6
4.1 IPv6 overview
IPv6 (Internet Protocol Version 6), the second generation of standard network layer protocol, also
known as IPng (IP Next Generation), is a set of specifications designed by the IETF (Internet Engineering
Task Force) and the upgraded version of IPv4; its most significant difference from IPv4 lies in the IP
address length, which has been increased from 32 bits to 128 bits.
4.1.1 Characteristics of IPv6 protocol
Simplified message header format
By cutting or shifting some fields of IPv4 message header to expanded message header, user may
reduce the load of IPv6 basic message header, simplify IPv6 message handling by forward equipment
and improve forwarding efficiency. IPv6 has the address length four times IPv4, but IPv6 basic
message header is only 40 bits, two times IPv4 message header (excluding option field).
Fig. Comparison of format between IPv4 message head and IPv6 basic message header
Sufficient address room
Both the source address and the destination address of IPv6 are 128 bits (16 bytes); IPv6 provides an
address space of more than 3.4×10^38 addresses, and fully supports multi-layered address division as
well as address allocation in public networks and internal private networks.
Layering address structure
IPv6’s address space is designed with layering address structure, convenient for quick router search
and, by means of router aggregation, can effectively reduce system resource occupied by IPv6 routing
table.
Address automatic configuration
To simplify host configuration, IPv6 supports stateful address configuration and stateless address
configuration:
- Stateful address configuration means that the host acquires its IPv6 address and related information
from a server (such as a DHCP server);
- Stateless address configuration means that the host automatically configures its IPv6 address and
related information according to its own link layer address and the prefix information issued by the router.
In addition, a host may form a link-local address from its own link layer address and the default prefix
(FE80::/64), and then communicate with other hosts on the link.
Internal safety
With IPSec as standard extension head, IPv6 can provide end-to-end safety feature which, in turn,
provides standard for solution of network safety problem, and improve interoperability among
different IPv6 applications.
Support QoS
IPv6 message header’s flow label field supports flow identification, allows for identification of
message in a certain flow and provides special treatment.
Enhanced neighbor discovery mechanism
IPv6's neighbor discovery protocol is a group of ICMPv6 (Internet Control Message Protocol for
IPv6) messages responsible for information exchange among neighbor nodes (namely nodes on the same
link). It replaces ARP (Address Resolution Protocol), ICMPv4 router discovery and the ICMPv4
redirect message, and provides a series of other functions.
Flexible expanded message header
IPv6 cancels option field of IPv4, introduces various extension message header and while, improves
handling efficiency, significantly enhances its flexibility and provides good extension capability for
IP protocol. Option field in IPv4 message has at most 40 bytes, while the size of IPv6 extension
message header is only limited by the size of IPv6 message.
4.1.2 Introduction of IPv6 address
Representation of IPv6 address
IPv6 address is expressed as a series of 16-bit hexadecimal number separated by colon (:). Each of
IPv6 address is divided into 8 groups, each group of 16-bit is represented by 4 hexadecimal numbers,
separated by colon and, for instance, 2001:0000:130F:0000:0000:09C0:876A:130B.
To simplify IPv6 address expression, the “0”s in an IPv6 address may be handled as follows:
- Leading “0”s in each group can be omitted, so the address above may be expressed as
2001:0:130F:0:0:9C0:876A:130B.
- If an address contains two or more consecutive groups that are 0, they may be replaced with a double
colon “::”, so the address above may be expressed as 2001:0:130F::9C0:876A:130B.
Note:
An IPv6 address shall contain only one double colon “::”; otherwise, when “::” is expanded to 0s to
restore the 128-bit address, the number of 0s represented by “::” cannot be determined.
IPv6 address is composed of two parts: address prefix and interface label and of which, address prefix
corresponds to the network number field in IPv4 address, while interface label corresponds to the host
number in IPv4 address.
Address prefix is expressed as: IPv6 address/prefix length and of which, IPv6 address is any of the
forms listed above, and prefix length is a decimal number, indicating the number of most left digits in
IPv6 address being address prefix.
Classification of IPv6 address
IPv6 mainly has three types of addresses: unicast address, multicast address and anycast address.
- Unicast address: used to uniquely identify an interface, similar to an IPv4 unicast address. A data
message sent to a unicast address is transmitted to the interface identified by the address.
- Multicast address: used to identify a group of interfaces (generally belonging to different nodes),
similar to an IPv4 multicast address. A data message sent to a multicast address is transmitted to all
interfaces identified by the address.
- Anycast address: used to identify a group of interfaces (generally belonging to different nodes). A
data message sent to an anycast address is transmitted to the one interface, among the group identified
by the address, that is nearest to the source node (according to the routing protocol in use).
Prompt:
IPv6 has no broadcast address, and the function of broadcast address can be realized by multicast
address.
The type of an IPv6 address is determined by the leading bits of the address (known as the format prefix).
The correspondence between the major address types and format prefixes is shown in Table 4-1.
Table 4-1 Correspondence between major address type and format prefix
Address type | Format prefix (binary) | IPv6 prefix label
Unspecified address | 00...0 (128 bits) | ::/128
Loopback address | 00...1 (128 bits) | ::1/128
Link-local address | 1111111010 | FE80::/10
Site-local address | 1111111011 | FEC0::/10
Global unicast address | Other forms | -
Multicast address | 11111111 | FF00::/8
Anycast address | Allocated from the unicast address space, in the format of a unicast address | -
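The two rules for writing “0”s (drop leading zeros; collapse one run of zero groups into “::”) and the format-prefix classification in Table 4-1 are easy to state and easy to get wrong when parsing by hand, so the Python below carries them through in code. It is an added example for this manual, not the equipment's implementation: it expands any textual IPv6 address to eight groups, rejects an address with more than one “::” (the ambiguity described in the Note above), produces the compressed form, and classifies an address by its leading bits exactly as the table does; anycast addresses, which share the unicast format, cannot be told apart by prefix and are reported as unicast.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr):
    """Expand a textual IPv6 address to eight zero-padded, upper-case groups.
    Raises ValueError for malformed input, including more than one '::'."""
    if addr.count("::") > 1:
        raise ValueError("an IPv6 address may contain '::' only once")
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
        if len(groups) != 8:
            raise ValueError("an address without '::' needs exactly 8 groups")
    out = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad group {g!r}")
        out.append(g.upper().zfill(4))
    return ":".join(out)


def compress_ipv6(addr):
    """Short form: drop leading zeros in every group and replace the longest
    run of two or more all-zero groups with a single '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:          # keep the first of equally long runs
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def is_valid_ipv6(addr):
    """True when the address parses under the rules above."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def classify_ipv6(addr):
    """Address type from its format prefix, following Table 4-1."""
    bits = "".join(f"{int(g, 16):016b}" for g in expand_ipv6(addr).split(":"))
    if bits == "0" * 128:
        return "unspecified"
    if bits == "0" * 127 + "1":
        return "loopback"
    if bits.startswith("1111111010"):
        return "link-local"
    if bits.startswith("1111111011"):
        return "site-local"
    if bits.startswith("11111111"):
        return "multicast"
    return "global unicast"


if __name__ == "__main__":
    for a in ("2001:0000:130F:0000:0000:09C0:876A:130B", "FE80::1", "FF02::1", "::1", "::"):
        print(f"{a:40s} {compress_ipv6(a):28s} {classify_ipv6(a)}")
```

Running it on the manual's own example address gives 2001:0:130F::9C0:876A:130B and “global unicast”; the validity check is the same one a device must perform before accepting an address on an interface.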
Unicast address
Type of unicast address
IPv6 unicast addresses come in several types, including global unicast address, link-local address,
site-local address, etc.
- Global unicast address: corresponds to an IPv4 public network address and is provided to network
service providers. This type of address structure allows route prefix aggregation, thus limiting the
number of entries in the global routing table.
- Link-local address: used for communication among nodes on the local link in the neighbor discovery
protocol and stateless autoconfiguration. A data message with a link-local address as source or
destination address will not be forwarded to other sites.
- Site-local address: similar to an IPv4 private address. A data message with a site-local address as
source or destination address will not be forwarded to sites other than this one (corresponding to a
private network).
- Loopback address: the unicast address 0:0:0:0:0:0:0:1 (simplified form ::1) is known as the loopback
address and cannot be assigned to any physical interface. Its function is identical with that in IPv4, that
is to say, a node uses it to send IPv6 messages to itself.
- Unspecified address: the address :: is known as the unspecified address and cannot be assigned to any
node. Before a node has acquired a valid IPv6 address, it may fill this address in the source address
field of an IPv6 message, but it cannot serve as the destination address of an IPv6 message.
Multicast address
The multicast addresses in the following table are reserved for special purposes.
Table 4-2 Reserved IPv6 multicast address list
Address    Application
FF01::1    All-nodes multicast address, interface-local (node-local) scope
FF02::1    All-nodes multicast address, link-local scope
FF01::2    All-routers multicast address, interface-local (node-local) scope
FF02::2    All-routers multicast address, link-local scope
FF05::2    All-routers multicast address, site-local scope
In addition there is the solicited-node multicast address. It is used to obtain the link-layer address
of a neighbor on the same link and for duplicate address detection. Every unicast or anycast IPv6
address has a corresponding solicited-node address, of the form:
FF02:0:0:0:0:1:FFXX:XXXX
where FF02:0:0:0:0:1:FF is the fixed 104-bit part and XX:XXXX is the low-order 24 bits of the unicast
or anycast address. Because only the low 24 bits are used, several different addresses on a link may
map to the same solicited-node group.
Interface identifier in IEEE EUI-64 format
The interface identifier in an IPv6 unicast address identifies a single interface on a link. Current
IPv6 unicast addresses generally use a 64-bit interface identifier. An interface identifier in IEEE
EUI-64 format is derived from the interface's link-layer (MAC) address. The interface identifier is
64 bits long while a MAC address is 48 bits, so the hexadecimal value FFFE (1111111111111110) is
inserted in the middle of the MAC address, after its 24th bit counting from the high-order end. To
mark the identifier as derived from a globally unique MAC address, the 7th bit from the high-order
end, the Universal/Local (U/L) bit, is inverted (it becomes 1 for a globally unique MAC address). The
result is the interface identifier in EUI-64 format.
Fig. 4-2 Translation process from MAC address to interface identifier of EUI-64 format
(figure: MAC address -> binary representation -> insert FFFE -> set U/L bit -> EUI-64 address)
Prompt:
An EUI-64 identifier exposes the MAC address (and so the hardware vendor) in every IPv6 address of
the host and stays the same on every network, which allows the host to be tracked. Hosts should
prefer randomly generated (RFC 4941) or stable but opaque (RFC 7217) identifiers on untrusted
networks.
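The derivation just described, as an added example that is not part of the manual: it turns a MAC address into the modified EUI-64 interface identifier, the link-local address built on it, and the solicited-node multicast address from the previous subsection, and shows the reverse mapping that makes EUI-64 identifiers a privacy concern. The MAC address is a constructed sample.

```python
"""Added example (not from the manual): MAC address -> modified EUI-64
interface identifier -> link-local address -> solicited-node multicast
address, and the reverse mapping. The MAC address is a constructed sample."""
import ipaddress
import re
from typing import Optional


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 identifier for a 48-bit MAC (RFC 4291 appendix A):
    split the MAC in the middle, insert FF FE, then invert the U/L bit
    (bit 7 from the most significant end of the first byte, mask 0x02)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    b = bytes.fromhex(digits)
    eui = bytearray(b[:3] + b"\xff\xfe" + b[3:])
    eui[0] ^= 0x02  # a globally unique MAC (u=0) becomes u=1 in the identifier
    return bytes(eui)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 followed by the EUI-64 interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_eui64(mac))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX with XX:XXXX = low-order 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def eui64_to_mac(iid: bytes) -> Optional[str]:
    """Reverse mapping. Returns None unless bytes 3-4 are FF FE, i.e. the
    identifier was not derived from a MAC (for example an RFC 4941 temporary
    or RFC 7217 stable-opaque identifier, which is what hosts should use on
    untrusted networks so the address does not reveal the hardware)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"   # constructed sample MAC
    ll = link_local_from_mac(mac)
    print("EUI-64         :", mac_to_eui64(mac).hex(":"))
    print("link-local     :", ll)
    print("solicited-node :", solicited_node(ll))
    print("recovered MAC  :", eui64_to_mac(ll.packed[8:]))
```

The reverse mapping is the point to notice: anyone who sees an EUI-64 based address learns the MAC, which is why hosts on untrusted networks should not form addresses this way.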
4.1.3 IPv6 neighbor discovery protocol
The IPv6 Neighbor Discovery protocol uses five types of ICMPv6 message to provide the following
functions: address resolution, neighbor reachability detection, duplicate address detection, router
discovery/prefix discovery, address autoconfiguration and redirection.
The types and functions of the ICMPv6 messages used by Neighbor Discovery are shown in Table 4-3.
Table 4-3 Type and function of ICMPv6 message utilized by neighbor discovery protocol
ICMPv6 message                Function
NS (Neighbor Solicitation)    Obtain a neighbor's link-layer address
                              Verify that a neighbor is reachable
                              Duplicate address detection
NA (Neighbor Advertisement)   Respond to an NS message
                              When its link-layer address changes, a node sends an unsolicited NA to
                              inform its neighbors of the change
RS (Router Solicitation)      After a host starts, it sends an RS to solicit routers for the prefix
                              and other configuration information used for host autoconfiguration
RA (Router Advertisement)     Respond to an RS message
                              When RA transmission is not suppressed, the router also sends RA
                              messages periodically, carrying prefix information and some flag bits
Redirect                      When certain conditions are met (see below), the default gateway sends
                              a Redirect message to the source host so that it selects a better next
                              hop for subsequent packets
Major functions provided by neighbor discovery protocol:
Address resolution
The link-layer address of a neighbor on the same link is obtained through NS and NA messages (the
equivalent of ARP in IPv4). As shown in Fig. 4-3, node A obtains node B's link-layer address.
Fig. 4-3 Address resolution diagram
- Node A sends an NS message by multicast. The source address of the NS is the IPv6 address of the
interface on node A that sends it; the destination address is node B's solicited-node multicast
address. The message carries node A's link-layer address (Source Link-Layer Address option).
- On receiving the NS, node B checks whether the destination address is the solicited-node multicast
address of one of its own addresses. If so, it returns an NA by unicast, carrying its own link-layer
address.
- From the received NA, node A learns node B's link-layer address and the two nodes can communicate
normally.
Neighbor reachability detection
After obtaining a neighbor's link-layer address, a node can verify that the neighbor is reachable
using NS and NA:
- The node sends an NS message whose destination address is the neighbor's IPv6 address (unicast).
- If a solicited NA is received from the neighbor, the neighbor is reachable; otherwise it is not.
Duplicate address detection
After a node has obtained an IPv6 address it must verify, by duplicate address detection (DAD), that
the address is not already in use by another node (the equivalent of gratuitous ARP in IPv4). NS and
NA are used as follows:
Fig. 4-4 Duplicated address detection diagram
- Node A sends an NS message. The source address of the NS is the unspecified address ::, the
destination address is the solicited-node multicast address of the address to be tested, and the
message carries the address to be tested as its target.
- If node B already uses that address, it returns an NA carrying the address (sent to the all-nodes
multicast address, since the NS had no source address to reply to).
- If node A receives the NA from node B, the address is in use. Otherwise the address is not in use
and node A may use it.
Prompt:
None of these messages are authenticated: any node on the link can answer an NS with a forged NA
(neighbor cache poisoning) or answer every DAD probe and so deny addresses to other hosts. On links
that are not trusted, restrict ND on access ports with the switch's ND inspection features or deploy
SEND (RFC 3971).
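The three exchanges above (address resolution, a DAD probe for an address that is taken, and a DAD probe for a free address), as an added example that is not part of the manual: it builds the NS and NA messages as ICMPv6 bytes with a valid checksum over the IPv6 pseudo-header and implements the receiver-side checks node B performs before answering. Node addresses and MAC addresses are constructed samples; the `handle_ns` function is this example's own model of a receiver, not the equipment's implementation.

```python
"""Added example (not part of the manual): the NS/NA exchanges described
above, built as ICMPv6 bytes with a valid checksum, plus the receiver-side
check node B performs. Addresses and MACs are constructed samples."""
import ipaddress
import struct

ICMPV6 = 58
NS, NA = 135, 136
ALL_NODES = ipaddress.IPv6Address("ff02::1")
UNSPECIFIED = ipaddress.IPv6Address("::")
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2


def solicited_node(addr):
    """FF02::1:FFXX:XXXX for the low-order 24 bits of addr."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))


def icmpv6_checksum(src, dst, msg: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header and the message.
    Run over a message that already carries its checksum, the result is 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), ICMPV6))
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _finish(src, dst, msg: bytes) -> bytes:
    """Fill in the checksum field (bytes 2-3) of an ICMPv6 message."""
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def build_ns(src, dst, target, src_mac: bytes = b"") -> bytes:
    """Neighbor Solicitation. Address resolution: src = own address, dst =
    solicited-node of target, plus a Source Link-Layer Address option.
    DAD: src = ::, same dst, and no option (RFC 4861 section 4.3)."""
    msg = struct.pack("!BBHI", NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if src_mac:
        msg += struct.pack("!BB", OPT_SRC_LLADDR, 1) + src_mac
    return _finish(src, dst, msg)


def build_na(src, dst, target, tgt_mac: bytes, solicited: bool) -> bytes:
    """Neighbor Advertisement from a host: R=0, S as given, O=1, with a
    Target Link-Layer Address option."""
    flags = (0x40000000 if solicited else 0) | 0x20000000
    msg = struct.pack("!BBHI", NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    msg += struct.pack("!BB", OPT_TGT_LLADDR, 1) + tgt_mac
    return _finish(src, dst, msg)


def handle_ns(my_addrs, my_mac: bytes, src, dst, msg: bytes):
    """Node B's side: answer an NS only if it is well-formed, the checksum
    verifies, the target is one of B's addresses and the packet was sent to
    the matching solicited-node group (or to B directly, for reachability
    probes). Returns (reply destination, NA bytes), or None if ignored."""
    mine = {ipaddress.IPv6Address(a) for a in my_addrs}
    if len(msg) < 24 or msg[0] != NS or msg[1] != 0:
        return None
    if icmpv6_checksum(src, dst, msg) != 0:
        return None
    target = ipaddress.IPv6Address(msg[8:24])
    if target not in mine or ipaddress.IPv6Address(dst) not in (solicited_node(target), target):
        return None
    if ipaddress.IPv6Address(src) == UNSPECIFIED:
        # DAD probe: the sender has no address to reply to, so the NA goes
        # to all nodes and is unsolicited (S=0).
        return ALL_NODES, build_na(target, ALL_NODES, target, my_mac, solicited=False)
    return ipaddress.IPv6Address(src), build_na(target, src, target, my_mac, solicited=True)


def demo():
    """Run the three exchanges from the text between constructed nodes A and B."""
    a_addr, a_mac = "fe80::20c:29ff:feab:cdef", bytes.fromhex("000c29abcdef")
    b_addr, b_mac = "fe80::20c:29ff:fe12:3456", bytes.fromhex("000c29123456")
    sn_b, sn_a = solicited_node(b_addr), solicited_node(a_addr)
    # 1. address resolution: A asks for B's MAC, B answers A by unicast
    resolution = handle_ns({b_addr}, b_mac, a_addr, sn_b, build_ns(a_addr, sn_b, b_addr, a_mac))
    # 2. DAD for an address B already uses: B answers all nodes
    conflict = handle_ns({b_addr}, b_mac, "::", sn_b, build_ns("::", sn_b, b_addr))
    # 3. DAD for A's own, free, address: B stays silent
    free = handle_ns({b_addr}, b_mac, "::", sn_a, build_ns("::", sn_a, a_addr))
    return resolution, conflict, free


if __name__ == "__main__":
    for label, result in zip(("resolution", "conflict", "free"), demo()):
        print(label, "->", result and (str(result[0]), result[1].hex()))
```

Nothing in `handle_ns` can tell a genuine NA from a forged one: the checksum only detects corruption, so the checks above are all a receiver has unless SEND or switch-side ND inspection is in place.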
Router discovery/prefix discovery and address autoconfiguration
Router discovery and prefix discovery mean that a host learns the neighboring routers, the network
prefix and other configuration parameters from the RA messages it receives.
Stateless address autoconfiguration means that a host configures its IPv6 address automatically from
the information obtained through router discovery/prefix discovery.
Router discovery/prefix discovery is implemented with the RS and RA messages as follows:
- When a host starts, it sends an RS message to solicit routers for the prefix and other configuration
information, so that it can configure itself.
- The router returns an RA message containing prefix information and some flag bits (the router also
sends RA messages periodically).
- Using the address prefix and the other configuration parameters in the RA returned by the router,
the host configures its interface with an IPv6 address and other information automatically.
Redirect function
When a host starts, its routing table may contain only a default route to the default gateway. When
certain conditions are met, the default gateway sends an ICMPv6 Redirect message to the source host
so that it selects a better next hop for subsequent packets (the same function as the ICMP Redirect
message of IPv4).
The equipment sends an ICMPv6 Redirect message to redirect a host when all of the following
conditions are met:
- The interface on which the packet was received is the same interface on which it is forwarded;
- The route selected was not itself created or modified by an ICMPv6 Redirect message;
- The route selected is not the default route; and
- The forwarded IPv6 packet does not contain a Routing extension header.
4.1.4 IPv6 PMTU discovery
The links along the path from the source to the destination may have different MTUs. In IPv6, a
packet larger than the link MTU is fragmented only at the source; intermediate routers never
fragment, which reduces the load on forwarding equipment and makes better use of network resources.
The purpose of PMTU (Path MTU) discovery is to find the smallest MTU on the path from source to
destination. PMTU discovery works as shown below.
Fig. 4-5 Work process of PMTU discovery
- The source host fragments the packet according to its own link MTU and sends it to the destination
host.
- When an intermediate device has to forward the packet and the MTU of the outgoing interface is
smaller than the packet length, it discards the packet and returns to the source an ICMPv6 Packet Too
Big error message carrying the MTU of the interface that could not forward it.
- On receiving the error message, the source host fragments the packet again using the MTU carried in
the message and resends it.
- This repeats until the destination host receives the packet; the source then knows the smallest MTU
on the path from source to destination.
Prompt:
Every IPv6 link must support an MTU of at least 1280 bytes, so a Packet Too Big message reporting a
smaller MTU must not lower the path MTU estimate below 1280. Filtering ICMPv6 Packet Too Big
messages on a firewall breaks PMTU discovery and makes large transfers hang.
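The process above, as an added example that is not part of the manual: a constructed path of link MTUs stands in for the routers between source and destination, and the source lowers its estimate on each reported MTU the way the text describes. The one thing the text leaves out, handling of a Packet Too Big that is stale, forged or below the IPv6 minimum MTU, is in `apply_packet_too_big`.

```python
"""Added example (not from the manual): Path MTU discovery as described
above, simulated over a constructed path. The list of link MTUs stands in
for the routers along the path; a router that cannot forward a packet
"returns" its link MTU, as the ICMPv6 Packet Too Big message does."""
IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this (RFC 8200)


def forward(path_mtus, packet_len):
    """Return None if a packet of packet_len bytes reaches the destination,
    otherwise the MTU of the first link too small for it (the value the
    intermediate device puts into Packet Too Big)."""
    for mtu in path_mtus:
        if packet_len > mtu:
            return mtu
    return None


def apply_packet_too_big(current_pmtu, reported_mtu):
    """Update the PMTU estimate from a received Packet Too Big.
    Returns the new estimate, or None when the message must be ignored: a
    reported MTU not smaller than the current estimate cannot be genuine (a
    stale or forged message). The estimate never drops below 1280 even if an
    attacker reports less, which would otherwise cut throughput (RFC 8201)."""
    if reported_mtu >= current_pmtu:
        return None
    return max(reported_mtu, IPV6_MIN_MTU)


def discover_pmtu(path_mtus, source_mtu):
    """Iterate as the source host does: send at the current estimate, lower
    it on each Packet Too Big, stop when the packet gets through.
    Returns (path MTU, list of packet sizes tried)."""
    attempts = []
    current = source_mtu
    while True:
        attempts.append(current)
        reported = forward(path_mtus, current)
        if reported is None:
            return current, attempts
        if current <= IPV6_MIN_MTU:
            raise RuntimeError("a link on the path cannot carry the IPv6 minimum MTU")
        current = apply_packet_too_big(current, reported)
        if current is None:
            raise RuntimeError("Packet Too Big did not reduce the estimate; ignored")


if __name__ == "__main__":
    print(discover_pmtu([1500, 1400, 1280, 1500], 1500))   # (1280, [1500, 1400, 1280])
```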
4.1.5 Introduction of IPv6 transition technology
With the rapid growth of the Internet, IPv4 addresses have become very scarce. Techniques such as
assigning temporary IPv4 addresses or NAT (Network Address Translation) have alleviated the shortage
to some extent, but at the cost of extra address resolution and processing, and they break some
higher-layer applications; exhaustion of the IPv4 address space is unavoidable. IPv6, with its
128-bit addresses, resolves the address shortage completely and brings significant improvements in
address capacity, security, network management, mobility and quality of service; it has become one
of the core standards of the next-generation Internet. IPv6 is incompatible with IPv4 but compatible
with the other protocols of the TCP/IP family, so IPv6 can completely replace IPv4.
Until IPv6 becomes the dominant protocol, networks running the IPv6 protocol stack must be able to
communicate with the IPv4 Internet, so IPv4/IPv6 interworking technologies are needed for a smooth
transition from IPv4 to IPv6. These technologies should also ensure efficient and seamless
information transfer. The IETF formed the NGTRANS working group to study IPv4 to IPv6 transition and
seamless interworking. The various transition techniques and interworking schemes available today
have distinct characteristics and solve the communication problems of different transition stages
and environments.
There are presently three basic transition approaches: dual protocol stack (RFC 2893, since replaced
by RFC 4213), tunneling (RFC 2893) and NAT-PT (RFC 2766, since moved to historic status by RFC 4966).
Prompt:
The equipment supports the dual protocol stack and tunneling.
For an IPv6 node the most direct and effective way to accommodate IPv4 is to keep a complete IPv4
protocol stack; a network node that supports both IPv4 and IPv6 is a dual-stack node. After a
dual-stack node is configured with IPv4 and IPv6 addresses, it can forward IPv4 and IPv6 packets on
the corresponding interfaces.
When an upper-layer application supports both IPv4 and IPv6, it selects TCP or UDP as the transport
protocol according to the protocol requirements and prefers the IPv6 protocol stack.
Fig. 4-6 Structure chart of IPv4 single protocol stack and IPv4/IPv6 dual protocol stack
Prompt:
A dual-stack node is reachable over both protocols. Every access restriction or filtering policy
configured for IPv4 needs an IPv6 counterpart (see 4.2.5 and 4.2.6), or the IPv6 path becomes the
unfiltered one.
4.1.6 Introduction of IPv6 tunneling
Tunneling is a layer-3 tunnel technique widely used in VPNs (Virtual Private Networks). A tunnel is a
virtual point-to-point connection; in practice only a point-to-point virtual interface can be a tunnel
interface. A tunnel provides a channel for carrying encapsulated packets: at the two ends of the
tunnel, packets are encapsulated and decapsulated respectively.
The equipment supports configuring IPv6 in IPv4 tunnels.
Work principle of IPv6 in IPv4 tunnel
The IPv6 in IPv4 tunnel mechanism encapsulates IPv6 packets in an IPv4 header and carries them
through the tunnel across an IPv4 network, thus interconnecting isolated IPv6 networks, as shown
below:
Fig. 4-7 Schematic diagram of IPv6 in IPv4 tunnel
Note:
The equipment at both ends of an IPv6 in IPv4 tunnel must support the IPv4/IPv6 dual protocol stack.
An IPv6 in IPv4 tunnel handles packets as follows:
- A device in the IPv6 network sends an IPv6 packet to the device at the source end of the tunnel;
- Based on its routing table, the device at the source end encapsulates the IPv6 packet in an IPv4
header (IPv4 protocol number 41) and forwards it through the physical interface used by the tunnel;
- The encapsulated packet travels through the tunnel to the device at the destination end, which
decapsulates it after confirming that it is the tunnel endpoint;
- Based on the destination address of the decapsulated IPv6 packet, the device at the destination end
forwards the packet, or, if the destination is the device itself, hands the IPv6 packet to the
upper-layer protocol.
IPv6 in IPv4 tunnel modes
An IPv6 in IPv4 tunnel may be set up host to host, host to equipment, equipment to host or equipment
to equipment. The end of the tunnel may be the final destination of the IPv6 packet, or may have to
forward it further.
Depending on how the IPv4 address of the tunnel endpoint is obtained, tunnels are classified as
"configured tunnels" and "automatic tunnels".
- If the end of the tunnel is not the final destination of the IPv6 packet, the device at the end of
the tunnel (generally a router) decapsulates the IPv6 packet and forwards it to the final destination.
In this case the IPv4 address of the tunnel endpoint cannot be derived from the destination address of
the IPv6 packet, so it must be configured manually; such a tunnel is a "configured tunnel".
- If the end of the tunnel is the final destination of the IPv6 packet, a special IPv6 address with an
embedded IPv4 address can be used, so that the IPv4 address of the tunnel endpoint is derived
automatically from the final destination of the IPv6 packet; such a tunnel is an "automatic tunnel".
Depending on how IPv6 packets are encapsulated, an IPv6 in IPv4 tunnel may be of the following modes:
- Manual tunnel
- 6to4 tunnel
- ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) tunnel
Of these, the manual tunnel is a configured tunnel; the 6to4 tunnel and the ISATAP tunnel are
automatic tunnels (as was the older IPv4-compatible IPv6 automatic tunnel).
Manual tunnel
A manual tunnel is a point-to-point link; each link is an independent tunnel. Manual tunnels are
mainly used to provide a stable connection for regular secure communication between edge routers, or
between a host and an edge router.
6to4 tunnel
A 6to4 tunnel is a point-to-multipoint automatic tunnel, mainly used to connect multiple IPv6 islands
to the IPv6 network across an IPv4 network. A 6to4 tunnel obtains the tunnel endpoint automatically
from the IPv4 address embedded in the destination address of the IPv6 packet. 6to4 uses a special
address, the 6to4 address, with the format 2002:abcd:efgh:subnet-id::interface-id/64, where abcd:efgh
is the 32-bit IPv4 source address of the 6to4 tunnel written in hexadecimal (for example, 1.1.1.1 is
written 0101:0101). Thanks to the embedded IPv4 address, the tunnel endpoint is determined
automatically and tunnels are easy to create.
In the 64-bit prefix of a 6to4 address, the 16-bit subnet ID can be defined by the user, while the
first 48 bits are fixed by the 2002 prefix and the IPv4 address of the device at the starting point or
end of the tunnel; this is what allows IPv6 packets to be forwarded through the tunnel. 6to4 tunnels
allow whole IPv6 networks to be connected and overcome the limitations of the IPv4-compatible IPv6
automatic tunnel.
Prompt:
Because a 6to4 router takes its IPv4 destination from the packet itself, it should check the embedded
address before encapsulating or decapsulating and refuse private, loopback, multicast and its own
addresses (RFC 3964). The public 6to4 anycast relay service has been deprecated (RFC 7526), so rely
on 6to4 only between endpoints under your own control.
ISATAP tunnel
As IPv6 spreads, existing IPv4 networks contain more and more IPv6 hosts, and ISATAP tunnels provide
an ideal solution for them. ISATAP is a point-to-multipoint automatic tunnel technique: the tunnel
endpoint is obtained automatically from the IPv4 address embedded in the destination address of the
IPv6 packet. When an ISATAP tunnel is used, the destination address of the IPv6 packet and the IPv6
address of the tunnel interface must be a special address, the ISATAP address, whose format is
Prefix(64 bits):0:5EFE:ip-address. ip-address is written a.b.c.d or abcd:efgh, where abcd:efgh is the
32-bit IPv4 source address in hexadecimal. Based on the embedded IPv4 address, tunnels are created
automatically and IPv6 packets are transmitted. ISATAP tunnels are mainly used for IPv6 router to
IPv6 router and host to router connections within an IPv4 network.
Fig. 4-8 ISATAP tunnel
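The address formats of the two automatic tunnel modes above and the endpoint lookup they perform on a destination address, as an added example that is not part of the manual. It also includes the check on the embedded IPv4 address that RFC 3964 asks of a 6to4 router, which the manual does not describe. Addresses are constructed samples; `six_to_four_endpoint_ok` is this example's own check, not a function of the equipment.

```python
"""Added example (not from the manual): the address derivations of the 6to4
and ISATAP modes above, the endpoint lookup an automatic tunnel performs on
the destination address, and the sanity check a 6to4 router should apply to
the embedded IPv4 address (RFC 3964). Addresses are constructed samples."""
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ISATAP_MARKS = (0x00005EFE, 0x02005EFE)   # upper 32 bits of an ISATAP interface ID (u bit clear/set)


def six_to_four_prefix(ipv4, subnet_id=0):
    """2002:abcd:efgh:subnet-id::/64 where abcd:efgh is the IPv4 address in hex."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID is 16 bits")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80) | (subnet_id << 64), 64))


def isatap_address(prefix, ipv4):
    """Prefix(64):0:5EFE:a.b.c.d, the ISATAP address of a host whose IPv4 address is ipv4."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    iid = (ISATAP_MARKS[0] << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def tunnel_endpoint(dst):
    """What an automatic tunnel does with a destination: recover the IPv4
    endpoint from a 6to4 address (bits 16-47) or an ISATAP address (last 32
    bits). Returns (mode, IPv4Address), or (None, None) for other addresses,
    which an automatic tunnel cannot carry."""
    addr = ipaddress.IPv6Address(dst)
    n = int(addr)
    if addr in SIX_TO_FOUR:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    iid = n & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) in ISATAP_MARKS:
        return "isatap", ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None, None


def six_to_four_endpoint_ok(ipv4, own_addresses=()):
    """Refuse embedded IPv4 addresses that cannot be a public 6to4 endpoint:
    private, loopback, link-local, multicast, reserved or unspecified ranges,
    and the router's own addresses (which would let a packet be looped back
    through the router). Apply it to the destination before encapsulating and
    to the source after decapsulating. ISATAP is intra-site, so private
    addresses are legitimate there and this check does not apply."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4 in {ipaddress.IPv4Address(a) for a in own_addresses}:
        return False
    return not (v4.is_private or v4.is_loopback or v4.is_link_local
                or v4.is_multicast or v4.is_reserved or v4.is_unspecified)


if __name__ == "__main__":
    print(six_to_four_prefix("1.1.1.1", 1))                 # 2002:101:101:1::/64
    print(isatap_address("2001:db8::/64", "10.0.0.5"))      # 2001:db8::5efe:a00:5
    print(tunnel_endpoint("2002:101:101:1::1"), tunnel_endpoint("2001:db8::5efe:a00:5"))
    print(six_to_four_endpoint_ok("1.1.1.1"), six_to_four_endpoint_ok("10.0.0.5"))
```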
4.2 Configure IPv6
4.2.1 Configure IPv6 unicast address
IPv6 site-local and global unicast addresses may be configured in two ways:
- EUI-64 format: the user configures only the prefix of the interface's IPv6 address; the interface
identifier is derived from the interface's link-layer address in EUI-64 format as described above.
- Manual configuration: the user configures the complete IPv6 site-local or global unicast address by
hand.
An IPv6 link-local address may be obtained in two ways:
- Automatic generation: from the link-local prefix (FE80::/64) and the interface's link-layer
address, the equipment generates a link-local address for the interface automatically;
- Manual designation: the user configures the IPv6 link-local address by hand.
Prompt:
1) After an interface is configured with an IPv6 site-local or global unicast address, a link-local
address is generated automatically, identical to the one generated by the ipv6 address auto
link-local command. A manually designated link-local address must be valid. If the manually
designated link-local address is deleted, the interface's link-local address reverts to the one
generated by the system.
2) A manually designated link-local address has priority over an automatically generated one: if an
address is designated manually after automatic generation, the manual address replaces the automatic
one; if an address is designated manually first and automatic generation follows, the automatic
configuration does not take effect and the interface keeps the manually designated address. To
return to automatic configuration in that case, delete the manually designated address and let
automatic generation run.
3) When configuring an IPv6 site-local or global unicast address in LoopBack interface view, only a
128-bit prefix may be configured.
Note:
1) The equipment supports only manual configuration of IPv6 global unicast and site-local addresses;
2) The equipment generates the interface's IPv6 link-local address automatically; it does not need to
be configured.
Configure IPv6 unicast address
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  interface IFNAME
        Enter interface mode
Step 3  ipv6 address ipv6-address/prefix-length
        Configure an IPv6 global unicast or site-local address (manual designation of the IPv6 address)
4.2.2 Configure IPv6 neighbor discovery protocol
According to the actual situation, the user may configure whether RA messages are sent and at what
interval, and may configure the parameters carried in RA messages to advertise them to hosts. On
receiving an RA, hosts act on these parameters. The configurable RA parameters and their meaning are
shown in Table 1-8.
Table 1-8 Parameter in RA message and description
Prefix Information
    After receiving the prefix information from the equipment, hosts on the same link perform
    stateless address autoconfiguration.
Managed address flag (M flag)
    Determines whether hosts use stateful autoconfiguration to obtain IPv6 addresses. If the flag is
    1, hosts obtain IPv6 addresses by stateful autoconfiguration (for example from a DHCPv6 server);
    otherwise hosts obtain IPv6 addresses by stateless autoconfiguration, that is, they generate an
    IPv6 address from their own link-layer address and the prefix information advertised by the
    router.
Other configuration flag (O flag)
    Determines whether hosts use stateful autoconfiguration to obtain information other than IPv6
    addresses. If the flag is 1, hosts obtain that information by stateful autoconfiguration (for
    example from a DHCPv6 server); otherwise they obtain it by stateless autoconfiguration.
Router lifetime (ra-lifetime)
    Sets how long the router sending the RA is to be used as a default router by hosts. From the
    ra-lifetime in a received RA, a host decides whether to treat the advertising router as a default
    router.
Neighbor solicitation retransmission interval
    After the equipment sends an NS message, if no reply is received within the configured interval,
    it sends the NS again.
Neighbor reachable time (reachable-time)
    After a neighbor has been confirmed reachable by neighbor reachability detection, the equipment
    considers it reachable for the configured time; after that time it must send a message to the
    neighbor to confirm reachability again.
Prompt:
The neighbor solicitation retransmission interval and the neighbor reachable time configured on an
interface are advertised to hosts in RA messages, and are also the values the interface itself uses
when sending NS messages and maintaining neighbor reachability.
Note:
The maximum RA transmission interval must be less than or equal to the router lifetime carried in the
RA.
Prompt:
RA messages are not authenticated: any host on the link can send an RA, become the default router
of its neighbors and, with the M/O flags, direct them to a rogue DHCPv6 server. Send RAs only on
interfaces whose hosts should use this equipment as their router, and block RAs arriving on access
ports of the switches in between.
Configure parameters related to RA message.
Configuration steps:
Step 1   configure terminal
         Enter configuration mode
Step 2   interface IFNAME
         Enter interface mode
Step 3   ipv6 nd send-ra
         Cancel the suppression of RA transmission. Mandatory. By default, RA transmission is
         suppressed.
Step 4   ipv6 nd ra-interval SECONDS
         Configure the RA transmission interval. By default the maximum and minimum RA intervals are
         600 s and 200 s respectively. When RAs are sent periodically, the actual interval is a value
         chosen at random between the minimum and the maximum. The configured minimum interval must be
         less than or equal to 0.75 times the maximum interval, and the maximum interval must be less
         than or equal to the router lifetime carried in the RA.
Step 5   ipv6 nd prefix-advertisement IPV6PREFIX VALID PREFERRED [onlink] [autoconfig]
         Prefix information in the RA. By default no prefix information is configured, and the IPv6
         address of the interface sending the RA is used as the prefix information.
Step 6   ipv6 nd managed-config-flag
         Set the managed address flag to 1. By default the flag is 0, that is, hosts obtain IPv6
         addresses by stateless autoconfiguration.
Step 7   ipv6 nd other-config-flag
         Set the other configuration flag to 1. By default the flag is 0, that is, hosts obtain other
         information by stateless autoconfiguration.
Step 8   ipv6 nd ra-lifetime SECONDS
         Configure the router lifetime carried in the RA. By default the router lifetime is 1,800 s;
         it must be greater than or equal to the RA transmission interval.
Step 9   ipv6 nd ra-interval SECONDS
         Configure the neighbor solicitation retransmission interval. By default the interface sends
         NS messages at an interval of 1,000 ms, and the Retrans Timer field in the RA is 0.
Step 10  ipv6 nd reachable-time MILLISECONDS
         Configure the neighbor reachable time. Optional; by default the neighbor reachable time is
         30,000 ms, and the Reachable Time field in the RA is 0.
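The RA message that the steps above shape, as an added example that is not part of the manual: a parser for the RA header fields and Prefix Information options listed in Table 1-8, plus a check of a proposed interval/lifetime configuration against the two constraints stated in Step 4 and Step 8. The RA bytes are a constructed sample reflecting the defaults above; this is not the equipment's code.

```python
"""Added example (not from the manual): parse an ICMPv6 Router Advertisement,
the message whose parameters the table above configures, and check a
proposed RA interval / router lifetime configuration against the constraints
stated in the configuration steps. The RA bytes are a constructed sample."""
import ipaddress
import struct

RA_TYPE = 134
OPT_PREFIX_INFO = 3


def parse_ra(msg: bytes) -> dict:
    """Decode the RA header (M/O flags, router lifetime, reachable time,
    retrans timer) and every Prefix Information option (RFC 4861 4.2, 4.6.2).
    Raises ValueError on malformed input instead of guessing."""
    if len(msg) < 16:
        raise ValueError("truncated RA")
    typ, code, _csum, hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable_time": reachable, "retrans_timer": retrans,
          "prefixes": []}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option")
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")       # RFC 4861 4.6: must be discarded
        end = off + olen * 8
        if end > len(msg):
            raise ValueError("option overruns message")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", msg[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "onlink": bool(pflags & 0x80),
                                   "autoconfig": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off = end                                          # other options are skipped
    return ra


def check_ra_config(min_interval, max_interval, router_lifetime):
    """Constraints from the configuration steps: min <= 0.75 x max, and
    max <= router lifetime when the lifetime is non-zero (otherwise hosts
    expire the default route before the next RA arrives).
    Returns the list of violations; empty means the configuration is valid."""
    problems = []
    if min_interval > 0.75 * max_interval:
        problems.append("minimum RA interval exceeds 0.75 x maximum interval")
    if router_lifetime and max_interval > router_lifetime:
        problems.append("maximum RA interval exceeds router lifetime")
    return problems


def sample_ra() -> bytes:
    """Constructed RA carrying the defaults above: M=0, O=0, router lifetime
    1800 s, Reachable Time and Retrans Timer 0, one prefix 2001:db8:1::/64
    with L and A set. The checksum is left 0 here; the sending stack fills it
    in over the IPv6 pseudo-header."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x00, 1800, 0, 0)
    pio = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
           + ipaddress.IPv6Address("2001:db8:1::").packed)
    return header + pio


if __name__ == "__main__":
    print(parse_ra(sample_ra()))
    print(check_ra_config(200, 600, 1800), check_ra_config(500, 600, 300))
```

Fed with RAs captured on an access network, `parse_ra` is enough to spot a rogue router: a non-zero router lifetime, or M/O flags, from a source that is not this equipment.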
4.2.3 Configure IPv6 static route
Configure IPv6 static route
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  ipv6 router X:X::X:X/M (X:X::X:X|INTERFACE_NAME) [<1-255> <1-100>]
        Configure an IPv6 static route to the prefix X:X::X:X/M via a next-hop address or an outgoing
        interface
Step 3  no ipv6 router X:X::X:X/M (X:X::X:X|INTERFACE_NAME)
        Delete the IPv6 static route
Step 4  show ipv6 router
        Display the IPv6 routing table
4.2.4 Configure IPv6 policy routing
Configure IPv6 policy routing
Configuration steps:
Step 1  configure terminal
        Enter global configuration mode
Step 2  prouter 6 (IF_IN|any) (SIP|any) (DIP|any) (SEV|any) (USER|any) (APP|any) (SCHEDULE|always)
        (blackhole|throw|unicast) [ID<1-65535>]
        Configure the matching conditions of a routing policy; packets that match the policy are sent
        to the configured next hop. The command may be entered several times. Policies are matched in
        the order in which they are displayed.
Step 3  nexthop (gateway|interface) (IF_IN|IP) [weight <1-255>]
        Configure the next hop of the policy route. The command may be entered several times; traffic
        is distributed according to weight.
Step 4  exit
        Return to privileged mode
Adjust the order of policy routes
The user may adjust the order of policy routes with the move command; a policy earlier in the list is
matched first.
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  prouter 6 move <1-65535> <1-65535> [before|after]
        Move a policy route before or after the designated policy route
4.2.5 Configure IPv6 management access to the equipment
Configure which management services accept IPv6 connections on an interface
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  interface IFNAME
        Enter interface mode
Step 3  allow ping
        Allow ping on the interface
Step 4  allow http
        Allow HTTP management
Step 5  allow https
        Allow HTTPS management
Step 6  allow telnet
        Allow Telnet management
Step 7  allow ssh
        Allow SSH management
Prompt:
Telnet and HTTP carry credentials and sessions in clear text. Enable only SSH and HTTPS, and only on
interfaces facing the management network; leave every management service disabled on interfaces
facing untrusted networks.
4.2.6 Configure IPv6 packet filtering
Configure IPv6 packet filtering
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  policy-v6 <1-9999> (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any) CMD_GROUP_SERVICE (USER|any)
        (APP|any) (TR|always) (permit|deny)
        Add a firewall policy
Step 3  show policy
        View the firewall policies
Parameter description:
policy-v6 <1-9999> (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any)
CMD_GROUP_SERVICE (USER|any) (APP|any) (TR|always) (permit|deny)
Parameter           Description                                    Default configuration
<1-9999>            Policy ID
IF_IN               Incoming interface to match                    None
IF_OUT              Outgoing interface to match                    None
SIP                 Source IP address to match                     None
DIP                 Destination IP address to match                None
CMD_GROUP_SERVICE   Service to match                               None
USER                User name to match                             None
APP                 Application to match                           None
TR                  Time range during which the policy is valid    None
permit|deny         Policy action                                  None
4.2.7 Configure IPv6 extension header filtering
Configure IPv6 extension header filtering
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  ipv6 ext-hdr filter (exthdr_auth | exthdr_dest | exthdr_esp | exthdr_fragment | exthdr_hop |
        exthdr_routing)
        Configure extension header filtering. The headers that can be filtered are the Authentication
        Header (exthdr_auth), the Destination Options header (exthdr_dest), the Encapsulating Security
        Payload (exthdr_esp), the Fragment header (exthdr_fragment), the Hop-by-Hop Options header
        (exthdr_hop) and the Routing header (exthdr_routing).
Prompt:
Filtering the Routing header blocks type 0 routing headers, which can be abused to bounce traffic
between routers; filtering the Fragment header prevents attackers from hiding the upper-layer header
in non-initial fragments, at the cost of dropping legitimate fragmented traffic. Filtering ESP or AH
breaks IPsec traffic passing through the equipment.
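What such a filter has to do to be effective, as an added example that is not part of the manual: walk the extension-header chain of an IPv6 packet in order, using each header's own length rule, and drop on a blocked header, on a non-initial fragment and on any chain that cannot be parsed (the cases an attacker uses to slip past a filter). Header names follow the command above; the packets are constructed samples and the code is not the equipment's implementation.

```python
"""Added example (not from the manual): walk the IPv6 extension-header chain
of a packet and apply an extension-header filter like the one configured
above. Packets are constructed samples; header names follow the command."""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AUTH, DEST_OPTS = 0, 43, 44, 50, 51, 60
UDP = 17
NAMES = {HOP_BY_HOP: "exthdr_hop", ROUTING: "exthdr_routing", FRAGMENT: "exthdr_fragment",
         ESP: "exthdr_esp", AUTH: "exthdr_auth", DEST_OPTS: "exthdr_dest"}
MAX_CHAIN = 8


def walk_extension_headers(pkt: bytes):
    """Return (extension headers in order, upper-layer protocol number).
    The protocol number is None for a non-initial fragment (the upper-layer
    header is not in this packet) and ESP when ESP is reached (what follows
    is encrypted). Raises ValueError on a malformed chain."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < 40 + struct.unpack("!H", pkt[4:6])[0]:
        raise ValueError("truncated packet")
    nh, off, chain = pkt[6], 40, []
    while nh in NAMES:
        chain.append(NAMES[nh])
        if len(chain) > MAX_CHAIN:
            raise ValueError("too many extension headers")
        if nh == ESP:
            return chain, ESP
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == HOP_BY_HOP and off != 40:
            raise ValueError("Hop-by-Hop header must be first (RFC 8200)")
        next_nh = pkt[off]
        if nh == FRAGMENT:          # fixed 8 bytes; offset is the top 13 bits of bytes 2-3
            hlen = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return chain, None
        elif nh == AUTH:            # length in 32-bit words minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                       # length in 8-byte units not counting the first 8
            hlen = (pkt[off + 1] + 1) * 8
        off += hlen
        nh = next_nh
    if off > len(pkt):
        raise ValueError("header chain overruns packet")
    return chain, nh


def filter_packet(pkt: bytes, blocked):
    """Apply the filter: drop on any blocked header, and drop anything the
    walker cannot parse (an unparseable chain is how filters get evaded)."""
    try:
        chain, upper = walk_extension_headers(pkt)
    except ValueError as err:
        return "drop", f"malformed: {err}"
    hits = [name for name in chain if name in blocked]
    if hits:
        return "drop", f"blocked {hits[0]}"
    return "permit", f"chain={chain} upper={upper}"


def samples():
    """Constructed packets from 2001:db8::1 to 2001:db8::2 with a dummy UDP header."""
    src, dst = ipaddress.IPv6Address("2001:db8::1").packed, ipaddress.IPv6Address("2001:db8::2").packed
    udp = bytes(8)
    padn = b"\x01\x04\x00\x00\x00\x00"                      # PadN option filling an 8-byte header

    def ip6(first_nh, body):
        return struct.pack("!IHBB", 0x60000000, len(body), first_nh, 64) + src + dst + body

    hop = struct.pack("!BB", DEST_OPTS, 0) + padn
    dest = struct.pack("!BB", UDP, 0) + padn
    rh0 = struct.pack("!BBBB", UDP, 2, 0, 1) + bytes(4) + ipaddress.IPv6Address("2001:db8::3").packed
    return {
        "plain": ip6(UDP, udp),
        "hbh_dst": ip6(HOP_BY_HOP, hop + dest + udp),
        "rh0": ip6(ROUTING, rh0 + udp),                                   # routing type 0, 1 segment left
        "first_fragment": ip6(FRAGMENT, struct.pack("!BBHI", UDP, 0, 1, 0xABCD) + udp),
        "later_fragment": ip6(FRAGMENT, struct.pack("!BBHI", UDP, 0, (185 << 3) | 1, 0xABCD) + bytes(16)),
        "hbh_not_first": ip6(DEST_OPTS, struct.pack("!BB", HOP_BY_HOP, 0) + padn + hop + dest + udp),
        "bad_length": ip6(DEST_OPTS, struct.pack("!BB", UDP, 200) + padn + udp),
    }


if __name__ == "__main__":
    for name, pkt in samples().items():
        print(f"{name:15s}", filter_packet(pkt, {"exthdr_routing", "exthdr_fragment"}))
```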
4.2.8 Configure IPv6-MAC binding
To add an IPv6-MAC binding, both the IPv6 address and the MAC address must be entered.
Configuration steps:
Step 1  config terminal
        Enter configuration mode
Step 2  ipv6 mac bind X:X::X:X FF-FF-FF-FF-FF-FF
        Configure the IPv6-MAC binding
In config mode, use no ipv6 mac bind X:X::X:X to delete a binding entry.
4.2.9 Configure DNSv6 server
Configure DNSv6 server
Configuration steps:
Step 1   configure terminal
         Enter configuration mode
Step 2   dns listener6 X:X::X:X
         Configure the IPv6 listening address
Step 3   dns server
         Enter DNS server configuration
Step 4   zone ZONE_NAME
         Configure the zone name
Step 5   rotoco-server HOST-NAME
         Configure the master server
Step 6   e-mail EMAIL_ADDRESS
         Configure the e-mail address
Step 7   default-ttl <0-2147483647>
         Configure the TTL; default 86400
Step 8   refresh <0-2147483647>
         Configure the refresh time; default 10,800
Step 9   retry <0-2147483647>
         Configure the retry time; default 3,600
Step 10  expire <0-2147483647>
         Configure the expire time; default 604,800
Step 11  negative-ttl <0-2147483647>
         Configure the negative caching time; default 3600
Step 12  rr type-aaaa DOMAIN_NAME X:X::X:X [<0-2147483647>]
         Configure an AAAA record
Step 13  rr type-ns DOMAIN_NAME SERVER_NAME [<0-2147483647>]
         Configure an NS record
Step 14  exit
         Exit configuration
Step 15  add zone ZONE_NAME
         Add the zone
4.2.10 Configure DHCPv6 server
Configure DHCPv6
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  dhcp
        Enter DHCP configuration mode
Step 3  poolv6 IFNAME X:X::X:X X:X::X:X <300-2592000>
        Add a subnet address pool, with the lease set to the configured value
4.2.11 Configure IPv4/IPv6 dual protocol stack
To provide the dual protocol stack function, enable the IPv6 function first; otherwise IPv6 packets
cannot be forwarded even if the interface has an IPv6 address configured.
Configure dual protocol stack.
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  interface IFNAME
        Enter interface mode
Step 3  ip address A.B.C.D/M
        Configure the interface's IPv4 address
Step 4  ipv6 address X:X::X:X/M
        Configure the interface's IPv6 address
4.2.12 Configure IPv6 manual tunnel
Configure manual tunnel
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  interface tunnel <number> mode ipv6-ipv4 manual
        Create a tunnel interface (manual tunnel) and enter tunnel interface mode
Step 3  ipv6 address X:X::X:X/M
        Configure the tunnel interface's IPv6 address
Step 4  tunnel-source ip-address
        Configure the tunnel's source address. By default the tunnel interface has no source address
Step 5  tunnel-destination ip-address
        Configure the tunnel's destination address. By default the tunnel interface has no
        destination address
Note:
1) All feature configuration made under the tunnel interface is deleted when the tunnel interface is
deleted.
2) If the tunnel interface addresses at the two ends of the tunnel are not in the same network
segment, a route to the far end must be configured so that encapsulated packets can be forwarded
normally.
3) For a static route, the destination address must be configured manually (not the IPv4 address of
the tunnel endpoint but the IPv6 destination address of the packet before encapsulation), with the
next hop set to the tunnel interface number or the tunnel's network address. This must be configured
at both ends of the tunnel.
4) For dynamic routing, the dynamic routing protocol must be enabled on the tunnel interfaces at both
ends of the tunnel; this too must be configured at both ends.
4.2.13 Configure IPv6 6to4 tunnel
Configure 6to4 tunnel
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  interface tunnel <number> mode ipv6-ipv4 6to4
        Create a tunnel interface (6to4 tunnel) and enter tunnel interface mode
Step 3  ipv6 address X:X::X:X/M
        Configure the tunnel interface's IPv6 address
Step 4  tunnel-source ip-address
        Configure the tunnel interface's source end address. By default no source end address is configured.
Note:
Only one automatic tunnel can be created from the same tunnel source.
An automatic tunnel needs no destination address: the IPv4 destination is taken from the IPv4 address embedded in the IPv4-compatible (6to4) IPv6 destination address.
If the tunnel interface addresses at the two ends of the tunnel are not in the same network segment, a route to the far side must be configured so that encapsulated packets can be forwarded.
For a static route, the destination must be configured manually (the destination IPv6 address of the packet before encapsulation, not the IPv4 address of the tunnel endpoint), with the next hop set to the tunnel interface number or the tunnel's network address. The route must be configured at both ends of the tunnel.
4.2.14 Configure IPv6 ISATAP tunnel
Configure ISATAP tunnel
Configuration steps:
Step 1  configure terminal
        Enter configuration mode
Step 2  interface tunnel <number> mode ipv6-ipv4 isatap
        Create a tunnel interface (ISATAP tunnel mode) and enter tunnel interface mode
Step 3  ipv6 address X:X::X:X/M
        Configure the tunnel interface's IPv6 address
Step 4  tunnel-source ip-address
        Configure the tunnel interface's source end address. By default no source end address is configured.
Note:
If the tunnel interface addresses at the two ends of the tunnel are not in the same network segment, a route to the far side must be configured so that encapsulated packets can be forwarded.
For a static route, the destination must be configured manually (the destination IPv6 address of the packet before encapsulation, not the IPv4 address of the tunnel endpoint), with the next hop set to the tunnel interface number or the tunnel's network address. The route must be configured at both ends of the tunnel.
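The 6to4 and ISATAP notes above state that an automatic tunnel takes its IPv4 destination from the IPv6 address itself. The following Python script is an added example, not part of this manual or the equipment's software: it extracts that IPv4 endpoint from a 6to4 address (2002::/16, RFC 3056) or an ISATAP address (interface identifier 0000:5efe or 0200:5efe followed by the IPv4 address, RFC 5214), and forms the addresses a tunnel source would use. The sample addresses are constructed; 192.168.31.62 and 2010:31::/64 are reused from the manual-tunnel case in 4.3.1.

```python
"""Derive the IPv4 tunnel endpoint from 6to4 and ISATAP IPv6 addresses.

Added example for this manual, not the equipment's own code. It assumes the
standard address formats: a 6to4 address is 2002:WWXX:YYZZ::/48 with the IPv4
address W.X.Y.Z in bits 16-47 (RFC 3056); an ISATAP interface identifier is
0000:5efe:W.X.Y.Z for a private IPv4 address or 0200:5efe:W.X.Y.Z for a global
one (RFC 5214). Sample addresses below are constructed.
"""
import ipaddress
from typing import Optional, Tuple

SIXTO4 = ipaddress.IPv6Network("2002::/16")


def sixto4_embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in bits 16-47 of a 6to4 address, or None if not 6to4."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTO4:
        return None
    return ipaddress.IPv4Address(a.packed[2:6])


def sixto4_prefix_for(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 6to4 prefix derived from a tunnel source address.

    The far end decapsulates to this IPv4 address, so it must be reachable from
    there: a private (RFC 1918) tunnel-source cannot serve a 6to4 tunnel.
    """
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_private:
        raise ValueError(f"{ipv4} is a private address; a 6to4 source must be public")
    hexv4 = v4.packed.hex()  # "01020304" for 1.2.3.4
    return ipaddress.IPv6Network(f"2002:{hexv4[:4]}:{hexv4[4:]}::/48")


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address of a node with the given IPv4 source under a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers are 64 bits; give a /64 prefix")
    # First 32 bits of the interface ID: 0000:5efe for a private IPv4 address,
    # 0200:5efe (u/l bit set) for a global one.
    ug = b"\x00\x00" if v4.is_private else b"\x02\x00"
    return ipaddress.IPv6Address(net.network_address.packed[:8] + ug + b"\x5e\xfe" + v4.packed)


def isatap_embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address in an ISATAP interface identifier, or None if not ISATAP-formed."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[2:4] != b"\x5e\xfe" or iid[0:2] not in (b"\x00\x00", b"\x02\x00"):
        return None
    return ipaddress.IPv4Address(iid[4:8])


def automatic_tunnel_destination(dst_ipv6: str) -> Optional[Tuple[str, str]]:
    """Tunnel type and IPv4 endpoint an automatic tunnel would encapsulate to.

    This is the lookup the manual describes: no tunnel-destination is configured
    because the IPv4 endpoint comes from the IPv6 destination itself. A manual
    tunnel address such as 2010:31::1 carries no IPv4 address and yields None.
    """
    v4 = sixto4_embedded_ipv4(dst_ipv6)
    if v4 is not None:
        return ("6to4", str(v4))
    v4 = isatap_embedded_ipv4(dst_ipv6)
    if v4 is not None:
        return ("isatap", str(v4))
    return None


if __name__ == "__main__":
    print(sixto4_prefix_for("1.2.3.4"))
    print(isatap_address("2010:31::/64", "192.168.31.62"))
    print(automatic_tunnel_destination("2002:c0a8:1f3e::1"))
```

Run it to see how a 6to4 or ISATAP destination resolves without any tunnel-destination, and why a private tunnel-source such as 192.168.31.62 is rejected for 6to4 while the manual tunnel in 4.3.1 works with it.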
4.3 Configuration cases
4.3.1 Configuration case 1: basic IPv6 manual tunnel
Case description
Assume the network shown below: PC1 and PC2 belong to remote IPv6 networks in different network segments, and the two sites can reach each other over the IPv4 network. An IPv6 manual tunnel is configured on equipment A and B so that IPv6 traffic can pass between PC1 and PC2.
Fig. 4-9 Case networking diagram
Configuration steps:
Equipment A configuration:
Step 1  Enter configuration mode and enable IPv6
HOST_A#configure terminal
HOST_A(config)# ipv6 enable
Step 2  Configure the interface's IPv4 and IPv6 addresses
HOST_A(config)# interface ge0
HOST_A(config-ge0)# ip address 192.168.31.62/24
HOST_A(config-ge0)# ipv6 address 2012:31::1/64
HOST_A(config-ge0)# exit
Step 3  Create the IPv6 manual tunnel and configure the source end and peer end addresses
HOST_A(config)# interface tunnel 101 mode ipv6-ipv4 manual
HOST_A(config-tunnel101)# ipv6 address 2010:31::1/64
HOST_A(config-tunnel101)# tunnel-source 192.168.31.62
HOST_A(config-tunnel101)# tunnel-destination 192.168.42.80
HOST_A(config-tunnel101)# exit
Step 4  Configure IPv6 routes through the tunnel
HOST_A(config)# ipv6 router 2012:42::0/64 tunnel101
HOST_A(config)# ipv6 router 2010:42::0/64 tunnel101
Equipment B configuration:
Step 1  Enter configuration mode and enable IPv6
HOST_B#configure terminal
HOST_B(config)# ipv6 enable
Step 2  Configure the interface's IPv4 and IPv6 addresses
HOST_B(config)# interface ge0
HOST_B(config-ge0)# ip address 192.168.42.80/24
HOST_B(config-ge0)# ipv6 address 2012:42::1/64
HOST_B(config-ge0)# exit
Step 3  Create the IPv6 manual tunnel and configure the source end and peer end addresses
HOST_B(config)# interface tunnel 101 mode ipv6-ipv4 manual
HOST_B(config-tunnel101)# ipv6 address 2010:42::1/64
HOST_B(config-tunnel101)# tunnel-source 192.168.42.80
HOST_B(config-tunnel101)# tunnel-destination 192.168.31.62
HOST_B(config-tunnel101)# exit
Step 4  Configure IPv6 routes through the tunnel
HOST_B(config)# ipv6 router 2012:31::0/64 tunnel101
HOST_B(config)# ipv6 router 2010:31::0/64 tunnel101
4.4 IPv6 monitoring and maintenance
4.4.1 View IPv6 tunnel
After configuring an IPv6 tunnel, the user may run the show commands in any mode to display the tunnel's operating state and verify the effect of the configuration.
Configuration steps:
Step 1  show interface tunnel<number>
        Display information about the tunnel interface
Step 2  show tunnel <number>
        Display IPv6 information relating to the tunnel interface
4.4.2 Common fault analysis
Fault symptom: the tunnel interface is still not Up after the relevant parameters (tunnel source, destination address and tunnel mode) have been configured on it.
Analysis and solution:
The most common cause of a tunnel interface not coming Up is that the physical interface at the tunnel source is not Up. Check whether the physical interface at the tunnel source is Up or Down with the commands show interface tunnel and show ip tunnel.
Another cause is that the tunnel destination address is not reachable. Check whether a route to the destination address exists with the commands show ipv6 router and show ip router. If the routing table has no entry for the tunnel traffic, configure the relevant route.
Chapter 5 Configure IPSec VPN
5.1 IPSec VPN
IPSec uses encryption and authentication mechanisms to protect data transmitted over public networks, and provides the following security services:
- Data confidentiality: IPSec encrypts transmitted data with the ESP security protocol.
- Data integrity: IPSec protects the integrity of transmitted data with the ESP or AH security protocol, so the receiver can promptly detect whether data was modified in transit.
- Data source authentication: the IPSec receiver can verify the source of the data.
- Anti-replay: the IPSec receiver can detect and discard replayed IP packets.
Generally, an IPSec system is composed of the following parts:
- Security protocols, namely Encapsulating Security Payload (hereinafter ESP) and Authentication Header (hereinafter AH). ESP provides data integrity, confidentiality and anti-replay service; AH provides data source authentication, integrity and anti-replay protection.
- Security Policy Database (hereinafter SPDB) and Security Association Database (hereinafter SADB). The SPDB decides which IP packets are handled and how (discard, bypass, or IPSec processing); the SADB holds the parameters of the IPSec processing applied to a packet, for instance which security protocol, encryption algorithm and authentication algorithm are used.
- Key management protocol, used to establish, update and delete SAs, including ISAKMP SAs and IPSec SAs. Generally an IPSec system uses IKE to establish SAs.
Relevant terminology:
- Authentication Header (AH): a security protocol that authenticates data packets.
- Encapsulating Security Payload (ESP): a security protocol that encrypts and authenticates data packets; it can be used together with AH or on its own.
- Encryption algorithm: the encryption algorithm used by ESP.
- Verification algorithm: the authentication (hash) algorithm used by AH or ESP to verify the peer's data.
- Key management protocol: used to establish, update and delete shared keys; IKE (Internet Key Exchange) is the key exchange protocol IPSec uses by default.
Constructing a VPN is the typical application of IPSec. This chapter describes how to build a VPN with IPSec and presents typical cases. The IPSec VPN subsystem integrated in the equipment secures data transmission between gateways, and between a VPN client host and a gateway. It has the following functions:
- Supports IPSec in route mode and in bridge mode.
- Supports tunnel mode and transport mode.
- Establishes, updates and deletes SAs with the IKE protocol.
- IKE phase 1 negotiation supports pre-shared key authentication, RSA signature authentication and digital envelope (commercial cipher) authentication.
- Main mode and aggressive mode negotiation.
- With pre-shared key authentication, the ID may be an IPv4 address, FQDN or USER_FQDN. With RSA signature or digital envelope (commercial cipher) authentication, the certificate subject is used as the ID.
- Supports static access (the peer gateway is designated by a static IP or domain name) and dynamic access (the peer gateway has a dynamic IP).
- Supports dual gateways. When the peer gateway is set as a static IP, a redundant gateway may also be set; if negotiation with the peer gateway's primary IP fails, negotiation is attempted with the other IP.
- Supports a rich set of encryption and authentication algorithms.
- Supports DH groups 1, 2 and 5.
- Supports DPD detection.
- Supports NAT traversal.
- Supports route injection. When IPSec is used in a multi-link environment and route injection is enabled, a suitable route is added automatically after the IPSec SA is negotiated successfully and removed when the IPSec SA is deleted.
- Supports extended authentication (XAUTH).
- Supports mode configuration to issue an internal IP, DNS and WINS to VPN clients.
- Supports ESP and AH separately or combined.
- Supports PFS.
- Supports manual establishment of IPSec SAs.
- Provides an IPSec configuration wizard to complete configuration quickly.
- Conforms to the Technical Specification for IPSec VPN issued by the State Cryptography Administration.
5.2 Configure IPSec VPN
5.2.1 Default configuration information
Table 5-1 IPSec VPN default configuration information
Contents                            Default setting                                       Remark
Key negotiation authentication      Pre-shared key                                        May be changed to RSA signature or digital envelope (commercial cipher)
Identity used in key negotiation    Pre-shared key: IP address of the interface IKE       With pre-shared key, may be changed to FQDN or USER_FQDN
                                    negotiates on; RSA signature and digital envelope
                                    (commercial cipher): certificate subject
Lifetime of ISAKMP SA               86,400 s                                              Can be changed
Lifetime of IPSec SA (time)         3,600 s                                               Can be changed
Lifetime of IPSec SA (traffic)      0 KB                                                  Can be changed
Work mode of security protocol      Tunnel mode                                           Can be changed to transport mode
Encryption algorithm                3DES                                                  Can be changed
Verification algorithm              MD5                                                   Can be changed
Key negotiation mode                Main mode                                             Can be changed to aggressive mode
DPD peer detection                  Disable                                               Can be changed to enable
Extended authentication             Disable                                               Can be changed
Mode configuration                  Disable                                               Can be changed
The default algorithms (3DES, MD5, DH group 2) and the DES and DH group 1 options are legacy choices that are no longer recommended; where both ends support it, select AES with SHA and DH group 5. Aggressive mode with pre-shared key authentication sends the identities in the clear and exposes a hash of the pre-shared key to offline guessing, so keep main mode wherever the peer's addressing allows it.
5.2.2 Configure IKE phase 1
In global configuration mode, configure the IKE (Internet Key Exchange) phase 1 parameters. The IKE initiator negotiates with these parameters and creates an ISAKMP SA with the peer, which provides a protected channel for the IPSec SA negotiation.
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   vpn ipsec phase1
         Start phase 1 configuration
Step 3   edit gateway NAME
         Create or edit the phase 1 entry NAME and enter its node
Step 4   authentication (pre-share|rsa-sig)
         no authentication
         Set the authentication method: pre-shared key (pre-share) or RSA digital certificate (rsa-sig)
Step 5   set mode (main|aggressive)
         Set the phase 1 negotiation mode (digital envelope (commercial cipher) authentication does not support aggressive mode)
Step 6   set remotegw (A.B.C.D|DOMAIN-NAME|dynamic)
         Set the address of the peer gateway
Step 6.1 set secondary remotegw A.B.C.D
         Set the redundant peer gateway (only when the primary gateway is an IP address)
Step 7   set nat <10-900>
         no set nat
         Set the NAT keep-alive send interval
Step 8   set localid (fqdn ID_NAME|user-fqdn ID_NAME)
         no set localid [address]
         Set the local ID type
Step 9   set peerid (address A.B.C.D|fqdn ID_NAME|user-fqdn ID_NAME)
         no set peerid
         Set the peer ID type
Step 10  dpd (enable|disable)
         no dpd
         Enable or disable DPD
Step 11  set policy <1-3>
         no set policy <1-3>
         Add, delete or modify an encryption proposal and enter the policy node
Step 12  encrypt (3des|des|aes128|aes192|aes256)
         Set the encryption algorithm (default 3des)
Step 13  hash (md5|sha)
         Set the hash authentication algorithm (default md5)
Step 14  group (1|2|5)
         no group
         Set the DH group
Step 15  lifetime <120-86400>
         no lifetime
         Set the phase 1 SA lifetime
Step 16  xauth-server (enable|disable)
         no xauth-server
         Enable or disable extended authentication
Step 17  set modecfg-server
         no set modecfg-server
         Enable mode configuration
Step 18  exit
         Exit the current node
The user may cancel a setting with the "no" form of the command and restore the default.
Parameter description: edit gateway NAME
  NAME: name of the phase 1 entry. Default: none.
Parameter description: set mode (main|aggressive)
  (main|aggressive): phase 1 negotiation mode. Default: main mode.
Parameter description: set remotegw (A.B.C.D|DOMAIN-NAME|dynamic)
  (A.B.C.D|DOMAIN-NAME|dynamic): how the peer gateway is designated. Default: IP address.
Parameter description: set secondary remotegw A.B.C.D
  A.B.C.D: IP address of the secondary peer gateway. Default: none; it can only be set when the primary gateway is set as an IP address.
Parameter description: set preshared-key KEY
  KEY: key value; effective when the authentication method is pre-shared key. Default: none.
Parameter description: set local-cert NAME
  NAME: name of the local certificate; effective when the authentication method is RSA signature or commercial cipher. Default: none.
Parameter description: set peer-cert NAME
  NAME: name of the peer certificate; effective when the authentication method is RSA signature or commercial cipher. Default: none.
Parameter description: group (1|2|5)
  (1|2|5): Diffie-Hellman group used for key exchange when pre-shared key or RSA signature authentication is set. Default: group 2.
Parameter description: lifetime TIME
  TIME: lifetime of the ISAKMP SA. Default: 86,400 s.
Parameter description: set policy <1-3>
  <1-3>: IKE policy number; at most three algorithm combinations. Default: policy 1.
Parameter description: encrypt (des|3des|aes128|aes192|aes256|scb128)
  (des|3des|aes128|aes192|aes256|scb128): encryption algorithm. Default: 3DES for pre-shared key and RSA signature; SM1 (scb128) for the domestic (commercial cipher) method.
Parameter description: hash (md5|sha)
  (md5|sha): hash authentication algorithm. Default: MD5 for pre-shared key and RSA signature; SHA1 for the domestic (commercial cipher) method.
Parameter description: set dpd <30-120>
  <30-120>: peer detection interval. Default: 0.
Parameter description: set nat <10-900>
  <10-900>: NAT traversal keep-alive interval. Default: 0.
Parameter description: set id (local|peer) ID
  ID: local or peer ID value. Default: none.
Parameter description: set nexthop (primary|secondary) A.B.C.D/M
  A.B.C.D/M: next hop IP address used when route injection is enabled, generally in a multi-link environment. Default: none.
Parameter description: set xauth-server USERGROUP
  USERGROUP: user group used by the extended authentication server. Default: none.
Parameter description: set xauth-client USERNAME PASSWORD
  USERNAME: user name used by the extended authentication client. Default: none.
  PASSWORD: password used by the extended authentication client. Default: none.
Parameter description: ip-range A.B.C.D A.B.C.D
  A.B.C.D A.B.C.D: start and end address of the mode configuration address pool. Default: none.
Parameter description: dns A.B.C.D
  A.B.C.D: DNS server address issued by the server to the client. Default: none.
Parameter description: wins A.B.C.D
  A.B.C.D: WINS server address issued by the server to the client. Default: none.
Note:
Multiple IKE policies may be configured; during IKE negotiation the equipment tries its policies against the peer's until both ends agree on one.
5.2.3 Configure IKE phase 2
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   vpn ipsec phase2
         Enter phase 2 configuration
Step 3   edit tunnel NAME
         no edit tunnel NAME
         Add, delete or edit an IPSec (phase 2) entry and enter its node
Step 4   set peer GATEWAY-NAME
         no set peer
         Designate the phase 1 (IKE) negotiation policy used by this IPSec entry
Step 5   mode (tunnel|)
         no mode
         Designate the IPSec encapsulation mode
Step 6   pfs (1|2|5)
         no pfs
         Designate the perfect forward secrecy DH group
Step 7   set lifetime kilobytes <2560-536870912>
         set lifetime seconds <120-86400>
         no set lifetime kilobytes
         no set lifetime seconds
         Set the IPSec SA lifetime
Step 8   auto-connect (enable|disable)
         no auto-connect
         Enable or disable automatic connection
Step 9   set (proposal1|proposal2|proposal3|proposal4) (esp-3des-md5|esp-aes128-sha1|esp-aes256-null|esp-null-md5|esp-3des-null|esp-aes192-md5|esp-aes256-sha1|esp-null-null|esp-3des-sha1|esp-aes192-null|esp-des-md5|esp-null-sha1|esp-aes128-md5|esp-aes192-sha1|esp-des-null|esp-aes128-null|esp-aes256-md5|esp-des-sha1) (ah-md5-hmac|ah-null|ah-sha-hmac)
         no set (proposal1|proposal2|proposal3|proposal4)
         Set an IPSec encryption proposal
Step 10  exit
         Exit IPSec policy configuration mode
The user may cancel a setting with the "no" form of the command and restore the default.
Parameter description: edit tunnel NAME
  NAME: name of the phase 2 entry. Default: none.
Parameter description: set peer GATEWAY
  GATEWAY: name of the phase 1 entry. Default: none.
Parameter description: set (proposal1|proposal2|proposal3) (esp-3des-md5|esp-3des-null|esp-3des-sha1|esp-aes128-md5|esp-aes128-null|esp-aes128-sha1|esp-aes192-md5|esp-aes192-null|esp-aes192-sha1|esp-aes256-md5|esp-aes256-null|esp-aes256-sha1|esp-des-md5|esp-des-null|esp-des-sha1|esp-null-md5|esp-null-null|esp-null-sha1|esp-scb128-null|esp-scb128-md5|esp-scb128-sha1) (ah-null|ah-md5-hmac|ah-sha-hmac)
  (esp-...): ESP encapsulation algorithm. Default: esp-3des-md5 for the pre-shared key and RSA modes; esp-scb128-sha1 for the domestic encryption mode.
  (ah-null|ah-md5-hmac|ah-sha-hmac): AH encapsulation algorithm. Default: ah-md5-hmac for the pre-shared key and RSA modes; ah-null for the domestic encryption mode.
Parameter description: pfs (1|2|5)
  (1|2|5): Diffie-Hellman group used by PFS. Default: none.
Parameter description: set lifetime seconds <600-86400>
  <600-86400>: IPSec SA lifetime in seconds. Default: 3,600 s.
Parameter description: set lifetime kilobytes <10-524288>
  <10-524288>: IPSec SA lifetime in kilobytes. Default: 0 KB.
5.2.4 Manually configure IPSec security policy
Configuration steps:
Step 1  configure terminal
        Enter global configuration mode
Step 2  policy (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any) ("CMD_GROUP_SERVICE") (USER|any) (APPLICATION|any) (SCHEDULE|always) (permit|deny|ipsec) [ID]
        Configure an IPSec security policy (action ipsec)
Step 3  exit
        Exit IPSec policy configuration mode
5.3 Configuration cases
5.3.1 Configuration case
Configuration steps:
Step 1  Configure phase 1
host(config)# vpn ipsec phase1
host(config-phase1)# edit gateway ike_test
host(config-phase1-ike_test)# set mode main
host(config-phase1-ike_test)# set remotegw 192.168.1.97
host(config-phase1-ike_test)# lifetime 6000
host(config-phase1-ike_test)# set dpd 30
host(config-phase1-ike_test)# dpd enable
host(config-phase1-ike_test)# authentication pre-share
host(config-phase1-ike_test)# set preshared-key 111111
host(config-phase1-ike_test)# set nat 10
host(config-phase1-ike_test)# set policy 1
host(config-phase1-ike_test-policy1)# encrypt 3des
host(config-phase1-ike_test-policy1)# hash md5
host(config-phase1-ike_test-policy1)# exit
Step 2  Configure phase 2
host(config)# vpn ipsec phase2
host(config-phase2)# edit tunnel ipsec_test
host(config-phase2-ipsec_test)# set peer ike_test
host(config-phase2-ipsec_test)# mode tunnel
host(config-phase2-ipsec_test)# set lifetime seconds 3600
host(config-phase2-ipsec_test)# pfs 2
host(config-phase2-ipsec_test)# set proposal1 esp-3des-md5 ah-null
host(config-phase2-ipsec_test)# exit
Step 3  Configure address objects
host(config)# address 2_24
host(config-address)# ip subnet 2.2.2.0/24
host(config-address)# exit
host(config)# address 1_24
host(config-address)# ip subnet 1.1.1.0/24
host(config-address)# exit
Step 4  Configure the tunnel interface
host(config)# interface tunnel 10 mode ipsec
host(config-tunnel10)# tunnel-ipsec ipsec_test
host(config-tunnel10)# tunnel-ipsec interested-subnet 2_24 1_24
Step 5  Add a static route
host(config)# ip router 1.1.1.0/24 tunnel10
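Whether both ends carry matching phase 1 and phase 2 settings is the first thing the fault analysis in 5.4.5 asks for, and it is easy to check offline. The following Python script is an added example, not the equipment's software or part of this manual: it parses the phase 1 / phase 2 commands in the form shown in the case above (prompts stripped), reports settings that differ between two peers, and flags the legacy algorithm choices this CLI still offers (DES/3DES, MD5, DH group 1, null ESP, aggressive mode with a pre-shared key). The parser understands only the commands used in the case and assumes both peers use the same gateway and tunnel names; SITE_B is a constructed peer configuration with a deliberately mismatched proposal.

```python
"""Check two peers' IPSec phase 1 / phase 2 configuration for symmetry and legacy algorithms.

Added example for this manual, not the equipment's own code. It parses only the
'vpn ipsec phase1' / 'vpn ipsec phase2' commands used in the configuration case
(prompts such as 'host(config-phase1-ike_test)#' are stripped) and assumes both
peers use the same gateway and tunnel names. SITE_A follows the case; SITE_B is a
constructed peer whose only phase 2 proposal does not match.
"""
import re

PROMPT = re.compile(r"^\S*\(config[^)]*\)#\s*")
# Commands entered without 'set'; encrypt/hash/group land in the current policy node.
PLAIN = {"authentication", "dpd", "lifetime", "mode", "pfs", "encrypt", "hash", "group", "auto-connect"}


def parse_ipsec_config(text):
    """Return {"phase1": {name: entry}, "phase2": {name: entry}}; 'set X V' is kept as entry["set-X"]."""
    cfg = {"phase1": {}, "phase2": {}}
    phase = entry = node = None                       # node receives the PLAIN commands
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if not tok:
            continue
        if tok[:2] == ["vpn", "ipsec"]:               # vpn ipsec phase1 | phase2
            phase, entry, node = tok[2], None, None
        elif tok[0] == "edit" and phase:              # edit gateway NAME | edit tunnel NAME
            entry = node = cfg[phase].setdefault(tok[2], {"policies": {}, "proposals": {}})
        elif entry is None:
            continue                                  # commands outside an IPSec node
        elif tok[0] == "exit":                        # leave the policy node, then the entry
            entry, node = (None, None) if node is entry else (entry, entry)
        elif tok[:2] == ["set", "policy"]:
            node = entry["policies"].setdefault(int(tok[2]), {})
        elif tok[0] == "set" and tok[1].startswith("proposal"):
            entry["proposals"][int(tok[1][8:])] = tuple(tok[2:])   # (esp-..., ah-...)
        elif tok[0] == "set":
            entry["set-" + tok[1]] = " ".join(tok[2:])
        elif tok[0] in PLAIN:
            node[tok[0]] = tok[-1]
    return cfg


def phase1_policies(entry):
    """Algorithm combinations a gateway offers, with the Table 5-1 defaults filled in."""
    return {(p.get("encrypt", "3des"), p.get("hash", "md5"), p.get("group", "2"))
            for p in entry["policies"].values()}


def peer_mismatches(cfg_a, cfg_b, gateway, tunnel):
    """Settings that 5.4.5 says must agree on both ends before an SA can be negotiated."""
    problems = []
    a, b = cfg_a["phase1"][gateway], cfg_b["phase1"][gateway]
    problems += [f"phase1 {gateway}: {k} differs"
                 for k in ("authentication", "set-mode", "set-preshared-key") if a.get(k) != b.get(k)]
    if not phase1_policies(a) & phase1_policies(b):
        problems.append(f"phase1 {gateway}: no common encrypt/hash/group policy")
    a, b = cfg_a["phase2"][tunnel], cfg_b["phase2"][tunnel]
    problems += [f"phase2 {tunnel}: {k} differs" for k in ("mode", "pfs") if a.get(k) != b.get(k)]
    if not set(a["proposals"].values()) & set(b["proposals"].values()):
        problems.append(f"phase2 {tunnel}: no common ESP/AH proposal")
    return problems


def legacy_findings(cfg):
    """Algorithm choices a security review would ask to replace, although the CLI still offers them."""
    out = []
    for gw, e in cfg["phase1"].items():
        if e.get("set-mode") == "aggressive" and e.get("authentication") == "pre-share":
            out.append(f"{gw}: aggressive mode with a pre-shared key exposes the key hash to offline guessing")
        for n, p in e["policies"].items():
            enc, h, g = p.get("encrypt", "3des"), p.get("hash", "md5"), p.get("group", "2")
            if enc in ("des", "3des") or h == "md5" or g == "1":
                out.append(f"{gw} policy{n}: {enc}/{h}/group {g} is legacy; prefer aes*, sha, group 5")
    for tun, e in cfg["phase2"].items():
        for n, (esp, ah) in e["proposals"].items():
            _, enc, auth = esp.split("-")             # e.g. esp-aes128-sha1
            if enc == "null":
                out.append(f"{tun} proposal{n}: {esp} provides no confidentiality")
            if auth == "null" and ah == "ah-null":
                out.append(f"{tun} proposal{n}: no integrity protection (ESP null auth without AH)")
            if enc in ("des", "3des") or auth == "md5":
                out.append(f"{tun} proposal{n}: {esp} uses a legacy algorithm")
    return out


# Constructed input following the case in 5.3.1 (prompts kept as displayed).
SITE_A = """\
host(config)# vpn ipsec phase1
host(config-phase1)# edit gateway ike_test
host(config-phase1-ike_test)# set mode main
host(config-phase1-ike_test)# set remotegw 192.168.1.97
host(config-phase1-ike_test)# authentication pre-share
host(config-phase1-ike_test)# set preshared-key 111111
host(config-phase1-ike_test)# set policy 1
host(config-phase1-ike_test-policy1)# encrypt 3des
host(config-phase1-ike_test-policy1)# hash md5
host(config-phase1-ike_test-policy1)# exit
host(config)# vpn ipsec phase2
host(config-phase2)# edit tunnel ipsec_test
host(config-phase2-ipsec_test)# set peer ike_test
host(config-phase2-ipsec_test)# mode tunnel
host(config-phase2-ipsec_test)# pfs 2
host(config-phase2-ipsec_test)# set proposal1 esp-3des-md5 ah-null
host(config-phase2-ipsec_test)#exit
"""
# Constructed peer: same phase 1, but its only phase 2 proposal differs from site A's.
SITE_B = SITE_A.replace("192.168.1.97", "192.168.1.61").replace("esp-3des-md5", "esp-aes128-sha1")

if __name__ == "__main__":
    a, b = parse_ipsec_config(SITE_A), parse_ipsec_config(SITE_B)
    print("\n".join(peer_mismatches(a, b, "ike_test", "ipsec_test") + legacy_findings(a)))
```

Feed it the two ends' running configuration and fix every line it reports before looking further at a tunnel that will not negotiate; adding `set proposal2 esp-3des-md5 ah-null` on site B, for instance, clears the mismatch it reports for the constructed input.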
5.4 IPSec VPN monitoring and maintenance
5.4.1 Display phase 1 SA
Step 1  show ike sa
host# show ike sa
Name: ike_test
id: 895
local_addr: 192.168.1.61
peer_addr: 192.168.1.65
stat: establish
life time: 5996
Data: ike sa
Total count: 1.
5.4.2 Display phase 2 SA
Step 1  show ipsec sa
host# show ipsec sa
Name: ipsec_test
id: 1786
local_addr: 192.168.1.61
esp: yes
peer_addr: 192.168.1.65
mode: tunnel
enc_algo/auth_algo: 3des/md5
inbound_spi/outbound_spi: 131155688/170802143
ah: no
stat: establish
life time/cur_life_time: 3600/3553
inbound/outbound: 0/0 kbytes
local_net: 2.2.2.0/24
peer_net: 1.1.1.1/32
Data: ipsec sa
Total count: 1.
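A monitoring job can parse these displays instead of reading them by eye. The following Python script is an added example, not part of this manual or the equipment's software: it turns the key: value output of show ike sa and show ipsec sa into records and checks that an SA is established, that it matches the configured peer and interested subnet, and that it is not about to expire. It assumes that cur_life_time counts the seconds remaining. Run with the values from the case in 5.3.1 (peer gateway 192.168.1.97, interested subnet 1.1.1.0/24), both checks fire against the display above, which shows peer_addr 192.168.1.65 and peer_net 1.1.1.1/32.

```python
"""Parse 'show ike sa' / 'show ipsec sa' output into records and check SA health.

Added example for this manual, not the equipment's own code. It assumes the
'key: value' layout shown in 5.4.1 and 5.4.2: 'Name:' opens a record, a line
'k1/k2: v1/v2' carries two values, and 'Data:' / 'Total count:' close the
listing. The sample text is the manual's 'show ipsec sa' display, embedded here
as constructed input. cur_life_time is read as seconds remaining (assumption).
"""

SAMPLE_IPSEC_SA = """\
Name: ipsec_test
id: 1786
local_addr: 192.168.1.61
esp: yes
peer_addr: 192.168.1.65
mode: tunnel
enc_algo/auth_algo: 3des/md5
inbound_spi/outbound_spi: 131155688/170802143
ah: no
stat: establish
life time/cur_life_time: 3600/3553
inbound/outbound: 0/0 kbytes
local_net: 2.2.2.0/24
peer_net: 1.1.1.1/32
Data: ipsec sa
Total count: 1.
"""


def parse_show_sa(text):
    """Return one dict per SA; paired 'a/b: x/y' lines become two keys."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith(("Data:", "Total count:")) or ":" not in line:
            continue                                   # trailer or blank line
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Name":
            cur = {"name": value}
            records.append(cur)
            continue
        if cur is None:
            continue                                   # value before any Name: line
        keys = [k.strip().replace(" ", "_") for k in key.split("/")]
        # Only split the value when the key was paired, so '1.1.1.1/32' stays whole.
        values = value.split("/", len(keys) - 1) if len(keys) > 1 else [value]
        for k, v in zip(keys, values):
            cur[k] = v.strip()
    return records


def sa_health(sa, expected_peer=None, expected_peer_net=None, min_remaining=0.05):
    """Issues a monitoring check would raise for one SA record (empty list = healthy)."""
    issues = []
    if sa.get("stat") != "establish":
        issues.append(f"{sa['name']}: state is {sa.get('stat')!r}, not establish")
    if expected_peer and sa.get("peer_addr") != expected_peer:
        issues.append(f"{sa['name']}: peer_addr {sa.get('peer_addr')} is not the configured {expected_peer}")
    if expected_peer_net and sa.get("peer_net") != expected_peer_net:
        issues.append(f"{sa['name']}: peer_net {sa.get('peer_net')} is not the interested subnet {expected_peer_net}")
    life, cur = sa.get("life_time"), sa.get("cur_life_time")
    if life and cur and int(cur) / int(life) < min_remaining:
        issues.append(f"{sa['name']}: only {cur}s of {life}s lifetime left; rekey should be imminent")
    return issues


if __name__ == "__main__":
    for sa in parse_show_sa(SAMPLE_IPSEC_SA):
        print(sa["name"], sa["enc_algo"], sa["auth_algo"], sa_health(sa, "192.168.1.97", "1.1.1.0/24"))
```

The same parser handles the show ike sa listing in 5.4.1, whose single-value "life time" line simply becomes the key life_time.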
5.4.3 Clear phase 1 SA
Step 1  clear ike sa all
        Delete all phase 1 SAs
Step 2  clear ike sa id <1-2000000000>
        Delete the designated SA by ID
        clear ike sa name NAME
        Delete the designated SA by name
5.4.4 Clear phase 2 SA
Step 1  clear ipsec sa all
        Delete all phase 2 SAs
Step 2  clear ipsec sa id <1-2000000000>
        Delete the designated SA by ID
        clear ipsec sa name NAME
        Delete the designated SA by name
5.4.5 Common fault analysis
Fault symptom: the tunnel cannot be set up.
Phenomenon
The SA is not created because security association negotiation fails, and the command "show ipsec sa" shows no related information.
Analysis
1) Check whether the security configurations on the equipment at both ends are symmetric;
2) Check whether the phase 1 negotiation policy and authentication key are consistent;
3) Check whether the phase 2 transform sets are consistent.
Solution
1) If the security policy configurations are inconsistent, modify them to be symmetric;
2) If the phase 1 or phase 2 negotiation policy is inconsistent, modify it to be consistent.
Chapter 6 Configure NAT
6.1 NAT
NAT (network address translation) was first defined in RFC 1631 (since replaced by RFC 3022) to translate private addresses into public addresses and so relieve the shortage of public IP addresses. As the technology developed and its use deepened, NAT proved to be a very practical technique with several functions: it provides a degree of isolation, since translation is one-way; it lets public addresses reach servers configured with private addresses through destination address mapping; and it enables server load sharing and address reuse.
NAT is classified into source NAT and destination NAT. Source NAT translates the source address and is further classified into dynamic NAT, PAT and static NAT. Dynamic NAT and PAT are one-way mappings of the source address, mainly used for internal hosts to access the external network while reducing the number of public addresses and hiding internal addresses. With dynamic NAT the source address is dynamically translated into an address from a relatively small pool, and different connections from the same source IP may be mapped to different pool addresses; with PAT all source addresses are translated to the same address and connections are distinguished by port mapping, so one public address is shared. Static NAT is a one-to-one bidirectional address mapping, mainly used for internal servers that provide services externally: the internal server can initiate connections to the outside and the outside can initiate connections to the server, so there is a bidirectional path between the external and internal networks.
NAT based on the destination address is known as destination NAT and is classified into destination address mapping, destination port mapping and server load sharing; it is also called reverse NAT or address mapping. Destination NAT is a one-way mapping of the destination address, mainly used so that an internal server can provide services to the outside. It differs from static NAT in being unidirectional: the outside can initiate connections to the inside, but the inside cannot initiate connections to the outside. Destination NAT can also be used for load sharing, translating one destination address into several internal server addresses and mapping different ports to different machines through port mapping.
Once the basic principle of NAT is understood, it can be used to translate between public and private addresses, and also between public addresses or between private addresses.
The equipment supports NAT ALG. Ordinary NAT translates IP addresses and ports in the TCP or UDP header but cannot handle fields carried in the application-layer payload. Some application-layer protocols, such as the multimedia protocols H.323 and SIP, FTP and SQLNET, carry address or port information in the TCP/UDP payload, and they break when that information is not translated by NAT. NAT ALG (Application Level Gateway) parses application-layer messages and performs address translation for multichannel protocols, translating the IP addresses and ports in the payload that need translation or other special handling, so that application-layer communication works correctly.
For example, an FTP session consists of a control connection and a data connection; the data connection is determined dynamically by payload fields of the control connection, and the ALG must translate those payload fields so that the subsequent data connection is set up correctly.
The NAT ALG application protocols supported by the equipment are FTP, TFTP, H.323 and SQLNET.
Note:
The NAT load sharing function only distributes the destination address over different internal host addresses in a balanced way; it does not detect whether the internal hosts are working. It is a special form of address translation, not load balancing in the full sense.
6.2 Configure NAT
The system classifies NAT configuration into three types: static, source and destination.
Each NAT rule is associated with an interface. Source NAT is applied as the packet leaves an interface and destination NAT as it enters, so a source NAT rule must be associated with the corresponding outgoing interface and a destination NAT rule with the corresponding incoming interface.
6.2.1 Configure address pool (NAT POOL)
An address pool holds the set of address ranges used by dynamic NAT. A pool may be used in rotary (polling) or non-rotary fashion, and may be divided into segments. After translation, the real address in the packet is replaced by an address from the pool.
Steps to configure address pool:
Step 1  configure terminal
        Enter configuration mode
Step 2  ip nat pool POOLNAME
        Enter the address pool node
Step 3  ip address A.B.C.D A.B.C.D
        Configure one address segment of the pool
Step 4  rotary
        Select pool addresses in rotation (polling)
Delete an address pool with the command "no ip nat pool POOLNAME".
Disable rotation with the command "no rotary".
Note:
An address pool that is referenced by a NAT rule cannot be deleted; the end address of a segment must not be less than its start address; address segments must not overlap.
6.2.2 Configure static NAT
Static NAT is a one-to-one bidirectional address mapping: the mapped internal host can initiate connections to the outside, and the outside can initiate connections to the internal host, so there is a bidirectional channel between the internal and external networks.
Steps to configure static NAT:
Step 1  configure terminal
        Enter configuration mode
Step 2  ip nat static IFNAME A.B.C.D A.B.C.D [ID]
        Configure a static NAT rule
Delete a static NAT rule with the command "no ip nat ID".
Note:
It is not recommended to specify an ID when configuring a NAT rule; the system assigns one automatically.
6.2.3 Configure source NAT
Source NAT is a one-way mapping of the source address, mainly used for internal hosts to access the external network while reducing the number of public addresses and hiding internal addresses.
Steps to configure source NAT:
Step 1  configure terminal
        Enter configuration mode
Step 2  ip nat source IFNAME (ADDR_OBJ|any) (ADDR_OBJ|any) (SRV_OBJ|any) (POOL|interface) [ID]
        Configure a source NAT rule. The translated address is either a defined address pool or, with the keyword interface, the address of the outgoing interface.
Delete a source NAT rule with the command "no ip nat ID".
Note:
It is not recommended to specify an ID when configuring a NAT rule; the system assigns one automatically.
6.2.4 Configure destination NAT
By application, destination NAT is classified into the following types:
- Server address and port mapping: one-way mapping of an external address to an internal address, optionally translating the port at the same time;
- Server service separation: the destination address is translated into different internal server addresses according to the service;
- Server load sharing: an external IP is mapped to an internal address pool, that is, one-to-many mapping;
- Interface mapping: the destination NAT rule follows the IP address of the outgoing interface automatically, mainly used when a dynamic IP is obtained by PPPoE dial-up.
Steps to configure destination NAT:
Step 1  configure terminal
        Enter configuration mode
Step 2  ip nat destination IFNAME (ADDR_OBJ|any) (ADDR_OBJ|any|interface) (SRV_OBJ|any) POOL [service <1-65535>] [ID]
        Configure a destination NAT rule
Delete a destination NAT rule with the command "no ip nat ID".
Note:
It is not recommended to specify an ID when configuring a NAT rule; the system assigns one automatically.
6.2.5 Configure destination NAT automatic mapping
Destination NAT automatic mapping establishes a correspondence between the addresses in the
destination address object entered by the user and the addresses in the address pool, and
generates multiple destination NAT rules. In the automatically generated rules, each destination
address object is a single host address, and the translated addresses are the host addresses
contained in the address range of the address pool.
Note:
If the destination address object contains M host addresses and the address pool contains N host
addresses, automatic mapping behaves as follows:
When M > N, M destination NAT rules are generated; the first N-1 rules use the first N-1 host
addresses in the address pool, and all remaining rules use the last host address in the pool.
When M = N, M destination NAT rules are generated, and the destination address in each rule
corresponds one-to-one with an address in the address pool.
When M < N, M destination NAT rules are generated; only the first M host addresses in the
address pool are used, and the destination address in each rule corresponds one-to-one with its
translated address.
Steps to automatically map destination NAT:
Step 1
configure terminal
Enter configuration mode
Step 2
ip nat auto-destination IFNAME (ADDR_OBJ | any) (ADDR_OBJ | any) (SRV_OBJ|any) POOL [log]
Configure destination NAT automatic mapping
Step 3
end
Return to privileged mode
Step 4
write terminal
Display configuration
Since multiple destination NAT rules are generated, each generated rule must be deleted
individually with the command "no ip nat ID".
Parameter description: ip nat auto-destination IFNAME (ADDR_OBJ | any) (ADDR_OBJ | any)
(SRV_OBJ|any) POOL [log]
IFNAME: interface name of the equipment for the destination NAT packets (default configuration: none)
First (ADDR_OBJ | any): name of the source address object of the destination NAT packets (default configuration: none)
Second (ADDR_OBJ | any): name of the destination address object of the destination NAT packets (default configuration: none)
(SRV_OBJ|any): service type of the destination NAT packets (default configuration: none)
POOL: address pool name, the set of address ranges holding the translated addresses (default configuration: none)
[log]: record a log (default configuration: none)
Note:
Automatic mapping applies only to the destination address. If the destination address object
contains a large number of addresses, the many generated rules reduce readability, so automatic
mapping is not recommended in that case. If the destination address is "any", automatic mapping
cannot be used.
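The M-versus-N behaviour above is easy to get wrong when the pool is smaller than the destination object, because every destination beyond the first N-1 collapses onto the last pool address. The following Python script, added here as an example and not part of the equipment's software, expands an auto-destination mapping into the individual rules the note describes and flags pool addresses that end up shared by several destinations. The address-entry notation (host, net A.B.C.D/M, range written START-END) and the sample addresses are assumptions for the example.

```python
"""Expand a destination NAT automatic mapping into its generated rules.

Added example (not the equipment's own code): models the M-vs-N note in
section 6.2.5 for a destination address object of M hosts and a pool of N
hosts.  Entry notation and sample addresses are assumptions for the example.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def expand_hosts(entries: Iterable[str]) -> List[str]:
    """Expand address entries into a sorted, de-duplicated list of host strings.

    Accepted forms (assumed notation): 'A.B.C.D' (host-address),
    'A.B.C.D/M' (net-address, usable hosts only) and 'A.B.C.D-E.F.G.H'
    (range-address with both ends inclusive).
    """
    hosts = set()
    for entry in entries:
        if "-" in entry:
            start, end = (ipaddress.ip_address(x.strip()) for x in entry.split("-", 1))
            if end < start:
                raise ValueError(f"range end precedes start: {entry}")
            hosts.update(ipaddress.ip_address(i) for i in range(int(start), int(end) + 1))
        elif "/" in entry:
            hosts.update(ipaddress.ip_network(entry, strict=False).hosts())
        else:
            hosts.add(ipaddress.ip_address(entry))
    return [str(h) for h in sorted(hosts)]


def auto_destination_rules(dest_hosts: List[str], pool_hosts: List[str]) -> List[Tuple[str, str]]:
    """Return one (destination host, translated address) pair per generated rule.

    M > N: the first N-1 destinations map one-to-one and all remaining ones map
    to the last pool address.  M <= N: one-to-one with the first M pool addresses.
    """
    if not dest_hosts or not pool_hosts:
        raise ValueError("destination object and pool must each contain a host")
    m, n = len(dest_hosts), len(pool_hosts)
    rules = []
    for i, host in enumerate(dest_hosts):
        if m > n and i >= n - 1:
            translated = pool_hosts[-1]
        else:
            translated = pool_hosts[i]
        rules.append((host, translated))
    return rules


def overloaded_pool_addresses(rules: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Pool addresses that serve more than one destination (the M > N overflow).

    Several external addresses silently landing on one internal server is
    usually an oversight, so this is the check to run before committing.
    """
    by_pool: Dict[str, List[str]] = {}
    for host, translated in rules:
        by_pool.setdefault(translated, []).append(host)
    return {addr: hosts for addr, hosts in by_pool.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Constructed sample: 5 destination hosts, a pool with 2 usable hosts (M > N).
    dest = expand_hosts(["203.0.113.10", "203.0.113.11-203.0.113.14"])
    pool = expand_hosts(["192.0.2.0/30"])
    generated = auto_destination_rules(dest, pool)
    for host, translated in generated:
        print(f"destination {host} -> {translated}")
    for addr, hosts in overloaded_pool_addresses(generated).items():
        print(f"WARNING: pool address {addr} shared by {len(hosts)} destinations")
```

Run against the sample, the first destination maps to 192.0.2.1 and the other four all map to 192.0.2.2, which is exactly the case the warning is meant to catch before the rules are committed.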
6.3 Port management
6.3.1 Set service port number
Since a server may change or add the listening port number of a service, the equipment must be
able to change or add the preset service port numbers so that it correctly identifies the service
type corresponding to the port number in a packet.
For example, besides listening for requests on port 21, an FTP server may also listen for FTP
requests on port 1000; when the equipment receives a packet with destination port 1000, it must
identify it as an FTP packet before it can handle the service port correctly.
Tip:
The default port number of a protocol cannot be changed or deleted.
Configuration steps:
Step 1
configure terminal
Enter global configuration mode
Step 2
ip nat service (ftp|tftp) <1-65535>
Add a port number for the protocol (currently only ftp and tftp are supported)
Step 3
end
Return to privileged mode
Step 4
write terminal
Display configuration
Tip:
Apart from the default port, at most 7 port numbers can be added for each protocol. Add only
ports on which the server actually listens for that protocol, since traffic on an added port is then
treated as that protocol.
Chapter 7 Configure DHCP server
7.1 Overview of DHCP service
The equipment provides two DHCP service functions: DHCP server and DHCP relay.
7.1.1 DHCP server
DHCP (Dynamic Host Configuration Protocol) is used for dynamic allocation and centralized
management of IP addresses in a network; the equipment can act as a DHCP server. Dynamic
allocation means that a DHCP client cannot permanently use the IP address it initially leases from
the DHCP server: when the lease expires, the client must release the IP address so that it can be
assigned to other hosts. To allocate addresses dynamically, the DHCP server must be configured
with the range of IP addresses to hand out; this range is also called the IP address pool (IP Pool).
The host (client) first broadcasts a DHCPDISCOVER packet to find DHCP servers on the
network; a DHCP server then replies to the client with a DHCPOFFER message containing the
configuration parameters.
- When the client first joins the network it broadcasts a DHCPDISCOVER message. At that point
the client does not know which network it belongs to, so the packet is sent from source address
0.0.0.0 to destination address 255.255.255.255.
- Since a network may have more than one DHCP server, every DHCP server holding valid IP
address information selects an idle address from its unleased addresses and offers it to the client.
- The client accepts the first offer it receives and broadcasts a request for that address. The DHCP
server that made the offer responds, confirming the accepted request, and the lease begins.
- The client starts using the address upon receipt of the confirmation.
Note:
A DHCP client may receive offers from multiple DHCP servers; it selects one of them, which
implicitly rejects the configuration parameters offered by the other servers.
7.1.2 Overview of DHCP Relay
DHCP relay forwards DHCP requests from one network segment to a DHCP server in another
network segment, which then allocates the IP address. No DHCP server is needed on the client's
segment: the DHCP relay receives the client's DHCP request, delivers it to the DHCP server,
passes the server's response back to the client, and the client obtains its IP address. A DHCP
server could instead be installed in every network segment, but that increases equipment cost
and complicates management.
7.2 Configure DHCP Server
7.2.1 Designate DHCP Server service on interface
Configuration steps
Step 1
(config)# interface IFNAME
Enter the corresponding interface
Step 2
(config-if)# dhcpserver enable
Enable DHCP Server on the interface
Step 3
(config-if)# no dhcpserver enable
Disable DHCP Server on the interface
Note:
The DHCP server does not respond to DHCP requests from an interface unless DHCP Server
service is enabled on that interface. After system initialization, the DHCP server does not
respond to DHCP requests on any interface.
DHCP Server supports physical interfaces and VLAN interfaces.
7.2.2 Configure DHCP Server service subnet
Configuration steps
Step 1
(config)# dhcp
Enter DHCP configuration mode
Step 2
(config-dhcp)# share-net NAME subnet A.B.C.D/M
Add a shared network NAME with its subnet
Step 3
(config-dhcp)# no share-net NAME subnet
Delete the subnet of shared network NAME
Step 4
(config-dhcp)# no share-net NAME
Delete all configuration of shared network NAME
7.2.3 Configure DHCP Server address pool and its lease
Configuration steps
Step 1
(config-dhcp)# share-net NAME A.B.C.D E.F.G.H infinite
Add the subnet address pool (start address, end address) with an unlimited lease
Step 2
(config-dhcp)# share-net NAME A.B.C.D E.F.G.H <0-100> days <0-23> hours <0-59> mins
Add the subnet address pool with the configured lease time
Step 3
(config-dhcp)# no share-net NAME A.B.C.D E.F.G.H
Delete the subnet address pool
Note:
Each subnet may have only one address pool. "infinite" means the lease never expires; otherwise
the lease must be between 5 minutes and 100 days.
7.2.4 Configure DHCP subnet with default gateway
Configuration steps
Step 1
(config-dhcp)# share-net NAME router A.B.C.D
Configure the default gateway of the subnet
Step 2
(config-dhcp)# no share-net NAME router
Delete the default gateway of the subnet
7.2.5 Configure DHCP subnet with DNS server
Configuration steps
Step 1
(config-dhcp)# share-net NAME dns A.B.C.D [E.F.G.H]
Configure the DNS server(s) of the subnet
Step 2
(config-dhcp)# no share-net NAME dns
Delete the DNS server of the subnet
7.2.6 Configure DHCP subnet with WINS server
Configuration steps
Step 1
(config-dhcp)# share-net NAME wins A.B.C.D [E.F.G.H]
Configure the WINS server(s) of the subnet
Step 2
(config-dhcp)# no share-net NAME wins
Delete the WINS server of the subnet
7.2.7 Configure DHCP subnet domain name
Configuration steps
Step 1
(config-dhcp)# share-net NAME domain NAME
Configure the domain name of the subnet
Step 2
(config-dhcp)# no share-net NAME domain
Cancel the domain name of the subnet
7.2.8 Configure DHCP address binding
The DHCP server can bind a designated IP address to a designated MAC address, so that each
bound MAC address always receives its corresponding IP address. Each binding entry has a
designated binding name. A binding only controls address assignment; since MAC addresses
can be spoofed, it does not authenticate the client.
Configuration steps
Step 1
(config-dhcp)# bind NAME HH-HH-HH-HH-HH-HH A.B.C.D
Set an address binding
Step 2
(config-dhcp)# no bind NAME
Cancel the address binding
7.2.9 Configure DHCP address exclusion
The DHCP server can reserve an address range; reserved addresses are not allocated to DHCP
clients.
Configuration steps
Step 1
(config-dhcp)# exclude 10.0.0.0 10.0.0.11
Set an address exclusion (start address, end address)
Step 2
(config-dhcp)# no exclude 10.0.0.0 10.0.0.11
Cancel the address exclusion
7.3 DHCP service monitoring
7.3.1 DHCP Debug
Step 1
Display the current DHCP debug status
HOST# show dhcp debug
Step 2
Turn on the DHCP debug switches
HOST# debug dhcp event
HOST# debug dhcp packet detail
HOST# show debug
DHCP debugging status:
DHCP event debugging is on
DHCP packet debugging is on
Step 3
Turn off DHCP debug
HOST# no debug dhcp
HOST# show dhcp debug
7.3.2 Display DHCP Server configuration information
Step 1
Display the current DHCP configuration
HOST# show dhcp config
dhcp
exclude 10.0.0.2 10.0.0.3
exclude 10.0.0.5 10.0.0.10
bind aaa 11:22:33:44:55:66 1.1.1.1
bind bindtable 00:16:76:65:30:9c 192.168.6.169
share-net aaa subnet 10.0.0.0/24
share-net aaa 10.0.0.3 10.0.0.10 7 days 3 hours 5 mins
share-net aaa router 10.0.0.1
share-net aaa dns 203.196.0.3
share-net aaa wins 10.0.0.1
share-net aaa domain zte.com
share-net bbb subnet 192.168.6.1/24
share-net bbb 192.168.6.171 192.168.6.173 infinite
share-net bbb router 192.168.6.1
share-net bbb dns 203.196.0.3
share-net bbb wins 192.168.0.1
share-net bbb domain zte.com
7.3.3 Display DHCP Server address distribution information
Step 1
Display the current address leases and client information
HOST# show dhcp ip active
ipaddr:     192.168.2.4
macaddr:    00-0d-60-78-81-75
start_time: 2007-01-01 05:22:43
end_time:   2007-01-01 05:27:43
interface:  bvi2
HOST# show dhcp ip free
ipaddr:     192.168.2.3
macaddr:    00-16-76-65-3b-3c
start_time: 2007-01-01 05:17:49
end_time:   2007-01-01 05:22:49
interface:  bvi2
HOST# show dhcp ip summary
General Statistics
Active IP        : 1
Abandoned IP     : 0
Expired Leases   : 1
Usage by Network :
Network        Netmask          Active  Abandoned  Expired
192.168.2.1    255.255.255.0    1       0          1
7.4 Configuration cases
Case description:
Configure the equipment (DHCP Server) to allocate IP addresses to two subnets: 172.16.1.0/24
is the directly connected subnet, and 172.16.2.0/24 is a subnet reached through another
equipment (the DHCP Relay).
Configuration steps:
Step 1
Configure the IP addresses of the interfaces on the DHCP server
HOST_A(config)# interface ge0
HOST_A(config-ge0)# ip address 192.168.0.1/24
HOST_A(config-ge0)# dhcpserver enable
HOST_A(config-ge0)# exit
HOST_A(config)# interface ge1
HOST_A(config-ge1)# ip address 172.16.1.1/24
HOST_A(config-ge1)# dhcpserver enable
HOST_A(config-ge1)# exit
HOST_A(config)# ip router 172.16.2.0/24 192.168.0.2
Step 2
Configure DHCP with the related parameters
HOST_A(config)# dhcp
HOST_A(config-dhcp)# share-net ge1 subnet 172.16.1.0/24
HOST_A(config-dhcp)# share-net ge1 router 172.16.1.1
HOST_A(config-dhcp)# share-net ge1 dns 202.99.16.1
HOST_A(config-dhcp)# share-net ge1 172.16.1.10 172.16.1.250 infinite
HOST_A(config-dhcp)# share-net ForRelay subnet 172.16.2.0/24
HOST_A(config-dhcp)# share-net ForRelay 172.16.2.10 172.16.2.254 infinite
HOST_A(config-dhcp)# exit
Step 3
Configure DHCP relay on the relay equipment (shown here as HOST_B, whose interface towards
the server is 192.168.0.2, the next hop of the route above), pointing it at the DHCP server
address 192.168.0.1
HOST_B(config)# interface ge1
HOST_B(config-ge1)# dhcprelay 192.168.0.1
HOST_B(config-ge1)# exit
HOST_B(config)# policy 1 any any any any any always permit
HOST_B(config-policy)# enable
HOST_B(config-policy)# exit
The permit-all policy above only serves to let the relayed DHCP traffic through in this example;
in production, restrict the policy to the traffic that actually needs to pass.
Chapter 8 Configuration object
8.1 Configure absolute time and cycle time
8.1.1 Overview of absolute time and cycle time
To simplify configuration and management, the next-generation firewall equipment introduces the
concept of a time object. Time objects are classified into absolute time and cycle time. Other
function configurations may reference a time object to define the conditions under which they
take effect.
Absolute time: the configuration takes effect within a designated time range.
Cycle time: the configuration takes effect during designated periods on designated days of the
week (Monday to Sunday), within a designated time range.
8.1.2 Configure effective time range in absolute time
An absolute time object can be configured with only one effective time range.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
schedule onetime NAME
Enter absolute time object mode (NAME); if the object does not exist, it is created
Step 3
absolute YY-MM-DD HH:NN:SS YY-MM-DD HH:NN:SS
Configure the effective time range: the start date and time followed by the end date and time,
each given in year, month, day, hour, minute and second
The effective time range of an absolute time object can be deleted with the command "no absolute".
Parameter description: schedule onetime NAME
NAME: name of the time object (default configuration: none)
Parameter description: absolute YY-MM-DD HH:NN:SS YY-MM-DD HH:NN:SS
First YY-MM-DD: start date of the time table (year, month and day) (default configuration: none)
First HH:NN:SS: start time of the time table (hour, minute and second) (default configuration: none)
Second YY-MM-DD: end date of the time table (year, month and day) (default configuration: none)
Second HH:NN:SS: end time of the time table (hour, minute and second) (default configuration: none)
8.1.3 Configure effective time range in cycle time
In a cycle time object the user may define an effective time range and effective time periods.
There may be only one effective time range but many effective time periods. The effective time
periods are combined with OR (it is sufficient that any one of them is satisfied), while the
effective time range and the effective time periods are combined with AND (both must be
satisfied).
An effective time range is added to a cycle time object with the command "absolute".
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
schedule recurring NAME
Enter cycle time object mode (NAME); if the object does not exist, it is created
Step 3
absolute YY-MM-DD HH:NN:SS YY-MM-DD HH:NN:SS
Configure the effective time range: the start date and time followed by the end date and time,
each given in year, month, day, hour, minute and second
Step 4
show running-config
View the current configuration
Parameter description: schedule recurring NAME
NAME: name of the cycle time table (default configuration: none)
Parameter description: absolute YY-MM-DD HH:NN:SS YY-MM-DD HH:NN:SS
First YY-MM-DD: start date of the time table (year, month and day) (default configuration: none)
First HH:NN:SS: start time of the time table (hour, minute and second) (default configuration: none)
Second YY-MM-DD: end date of the time table (year, month and day) (default configuration: none)
Second HH:NN:SS: end time of the time table (hour, minute and second) (default configuration: none)
8.1.4 Configure effective time period in cycle time
Multiple effective time periods can be added to a cycle time object with the command "periodic".
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
schedule recurring NAME
Enter time object mode (NAME); if the object does not exist, it is created
Step 3
periodic HH:NN:SS HH:NN:SS (Monday|null)…(Sunday|null)
Configure a cycle time period: a daily time range plus the days of the week on which it applies
(days may be selected individually)
Step 4
show running-config
View the current configuration
Parameter description: schedule recurring NAME
NAME: name of the cycle table (default configuration: none)
Parameter description: periodic HH:NN:SS HH:NN:SS (Monday|null)…(Sunday|null)
First HH:NN:SS: start time of the cycle period (hour, minute and second) (default configuration: none)
Second HH:NN:SS: end time of the cycle period (hour, minute and second) (default configuration: none)
Monday|null: Monday, or null if not selected (default configuration: none)
Tuesday|null: Tuesday, or null if not selected (default configuration: none)
Wednesday|null: Wednesday, or null if not selected (default configuration: none)
Thursday|null: Thursday, or null if not selected (default configuration: none)
Friday|null: Friday, or null if not selected (default configuration: none)
Saturday|null: Saturday, or null if not selected (default configuration: none)
Sunday|null: Sunday, or null if not selected (default configuration: none)
Note:
In the command periodic HH:NN:SS HH:NN:SS (Monday|null)…(Sunday|null), all seven day
positions from Monday to Sunday must be filled in; a day that should not be set is replaced with
null.
8.1.5 Configuration cases
8.1.6 Configuration cases: configure time table
Case description
Configure a time object with an absolute time range from 0:00 on January 1, 2007 to 0:00 on
February 2, 2007, and a cycle time period from 8:30 a.m. to 5:30 p.m. on every Saturday and
Sunday.
Configuration steps:
Step 1
Create a time table
HOST_A(config)# schedule recurring backup
Step 2
Configure the effective time range (absolute time) in the time object
HOST_A(config-tr-obj)# absolute 07-01-01 00:00:00 07-02-02 00:00:00
Step 3
Configure the cycle time period in the time object
HOST_A(config-tr-obj)# periodic 08:30:00 17:30:00 null null null null null Saturday Sunday
Configuration result:
HOST# show running-config
schedule recurring backup
absolute 07-01-01 00:00:00 07-02-02 00:00:00
periodic 08:30:00 17:30:00 null null null null null Saturday Sunday
!
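To make the AND/OR semantics of 8.1.3 concrete, here is a Python evaluator, added as an example and not part of the equipment's software, that parses the "schedule recurring" block exactly as printed above and decides whether the object is active at a given moment: the absolute range must hold AND at least one periodic entry must hold. It assumes that two-digit years mean 20YY, that intervals include their start and exclude their end, and that a cycle time object with no periodic entry is governed by its absolute range alone; none of this is stated by the manual.

```python
"""Evaluate a cycle time (schedule recurring) object.

Added example, not the equipment's own code.  Parses the block as printed
by 'show running-config' and applies: absolute range AND (period_1 OR
period_2 OR ...).  Assumptions: YY means 20YY, intervals are [start, end),
and an object without periodic entries is active throughout its range.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set, Tuple

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


@dataclass
class Periodic:
    start: time
    end: time
    days: Set[int]  # 0 = Monday ... 6 = Sunday, as datetime.weekday()


@dataclass
class Schedule:
    name: str
    absolute: Optional[Tuple[datetime, datetime]] = None
    periodic: List[Periodic] = field(default_factory=list)


def _parse_datetime(day: str, clock: str) -> datetime:
    # %y maps 00-68 to 2000-2068, which covers the YY-MM-DD form in the manual
    return datetime.strptime(f"{day} {clock}", "%y-%m-%d %H:%M:%S")


def parse_schedule(config: str) -> Schedule:
    """Parse one 'schedule recurring NAME' block with its absolute/periodic lines."""
    sched: Optional[Schedule] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:2] == ["schedule", "recurring"] and len(tokens) == 3:
            sched = Schedule(name=tokens[2])
        elif sched is None:
            raise ValueError(f"line outside a schedule block: {raw!r}")
        elif tokens[0] == "absolute" and len(tokens) == 5:
            if sched.absolute is not None:
                raise ValueError("only one effective time range is allowed")
            start = _parse_datetime(tokens[1], tokens[2])
            end = _parse_datetime(tokens[3], tokens[4])
            if end <= start:
                raise ValueError("absolute range ends before it starts")
            sched.absolute = (start, end)
        elif tokens[0] == "periodic" and len(tokens) == 10:
            start, end = time.fromisoformat(tokens[1]), time.fromisoformat(tokens[2])
            if end <= start:
                raise ValueError("periodic end must be after start")
            days: Set[int] = set()
            # seven positional slots, each the matching weekday name or 'null'
            for slot, tok in enumerate(tokens[3:]):
                if tok.lower() == "null":
                    continue
                if tok.lower() != WEEKDAYS[slot].lower():
                    raise ValueError(f"slot {slot + 1} must be {WEEKDAYS[slot]} or null, got {tok}")
                days.add(slot)
            sched.periodic.append(Periodic(start, end, days))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if sched is None:
        raise ValueError("no schedule recurring block found")
    return sched


def is_active(sched: Schedule, at: datetime) -> bool:
    """Absolute range AND any periodic entry (OR across entries)."""
    if sched.absolute is not None:
        start, end = sched.absolute
        if not (start <= at < end):
            return False
    if not sched.periodic:
        return True
    tod = at.time()
    return any(at.weekday() in p.days and p.start <= tod < p.end for p in sched.periodic)


def active_at(sched: Schedule, iso_timestamp: str) -> bool:
    """Convenience wrapper taking 'YYYY-MM-DDTHH:MM:SS'."""
    return is_active(sched, datetime.fromisoformat(iso_timestamp))


# Constructed sample: the 'backup' object from the configuration case above.
SAMPLE_CONFIG = """schedule recurring backup
absolute 07-01-01 00:00:00 07-02-02 00:00:00
periodic 08:30:00 17:30:00 null null null null null Saturday Sunday
!
"""

if __name__ == "__main__":
    backup = parse_schedule(SAMPLE_CONFIG)
    for stamp in ("2007-01-06T10:00:00", "2007-01-05T10:00:00", "2007-02-03T10:00:00"):
        print(stamp, "active" if active_at(backup, stamp) else "inactive")
```

Saturday January 6, 2007 at 10:00 is active; the Friday before it is not (no periodic entry covers it), and Saturday February 3 is not either, because the absolute range ended the day before. This is the check to run when a policy that references the object does not take effect when expected.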
8.1.7 Absolute time and cycle time monitoring and maintenance
8.1.8 View cycle table and absolute time
Configuration steps:
Step 1
Display a cycle time table
HOST_A# show schedule recurring backup
schedule recurring backup
absolute 07-01-01 00:00:00 07-02-02 00:00:00
periodic 08:30:00 17:30:00 null null null null null Saturday Sunday
HOST_A#
backup is the name of the time table; 07-01-01 00:00:00 07-02-02 00:00:00 is the absolute time;
08:30:00 17:30:00 null null null null null Saturday Sunday is the cycle time period.
8.1.9 Common fault analysis
8.1.10 Fault phenomenon 1:
Phenomenon: the time table still exists after "no schedule recurring NAME" is executed.
Analysis: an object or object group that is still referenced cannot be deleted with the "no" command.
Solution: remove the references to the time table from the other configurations, confirm that it is
no longer referenced, and then delete the node with the "no" command.
8.2 Configure service object and service object group
8.2.1 Overview of service object and service object group
To simplify configuration and management, the next-generation firewall equipment introduces
the concept of a service object. Other function configurations may reference a service object to
define the conditions under which they take effect.
8.2.2 Configure service object and service object group
A service object covers a protocol and the protocol's properties.
8.2.3 Add TCP|UDP service to service object
A TCP or UDP service is added to a service object with the command tcp or udp; for TCP and
UDP, the service object includes the protocol, source port and destination port information.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
service NAME
Enter service object mode (NAME)
Step 3
(tcp|udp) dest <1-65535> [<1-65535>] [source <1-65535> [<1-65535>]]
Add a tcp or udp service: a destination port or port range must be given; a source port or port
range may be given as well
Step 4
show service NAME
Display the configuration information of service object NAME
A service entry can be removed with the command no dest <1-65535> [<1-65535>] [source
<1-65535> [<1-65535>]].
Parameter description: service NAME
NAME: name of the service object (default configuration: none)
Parameter description: (tcp|udp) dest <1-65535> [<1-65535>] [source <1-65535> [<1-65535>]]
dest: destination port keyword (default configuration: none)
First <1-65535> after dest: starting destination port (default configuration: none)
Second <1-65535> after dest: ending destination port (default configuration: none)
source: source port keyword (default configuration: none)
First <1-65535> after source: starting source port (default configuration: none)
Second <1-65535> after source: ending source port (default configuration: none)
8.2.4 Add ICMP service to service object
An ICMP service is added to a service object with the command icmp; for ICMP, the service
object includes the protocol, type and code information.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
service NAME
Enter service object mode (NAME)
Step 3
icmp <0-255> [<0-255>]
Add an icmp service: the ICMP type must be given; the code is optional
Step 4
show service NAME
Display the configuration information of service object NAME
Parameter description: icmp <0-255> [<0-255>]
First <0-255>: ICMP type (default configuration: none)
Second <0-255>: ICMP code (default configuration: none)
8.2.5 Add service object to service object group
A service object group is a collection of service objects; a service object group may include
multiple service objects.
A service object is added to a service object group with the command service-object; the object
may be a system pre-defined service or a user-defined service.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
service-group NAME
Enter service object group mode (NAME)
Step 3
service-object ("CMD_GROUP_SERVICEX"|SERVICE)
Add the designated pre-defined or user-defined service to the service object group
Step 4
show service-group NAME
Display the configuration information of service object group NAME
Parameter description: service-object ("CMD_GROUP_SERVICEX"|SERVICE)
"CMD_GROUP_SERVICEX"|SERVICE: a service pre-defined by the system, or a user-defined
service (default configuration: none)
A service object added with service-object can be removed from the service object group with
the command no service-object ("CMD_GROUP_SERVICEX"|SERVICE).
8.2.6 Configuration cases
8.2.7 Configuration case 1: add service object and service object group
Case description
Configure a service object and a service object group, and add the service object to the service
object group.
Configuration steps:
Step 1
Create a service object
HOST_A(config)# service svc
Step 2
Add a TCP service to the service object
HOST_A(config-sev)# tcp dest 80
Step 3
Create a service object group
HOST_A(config)# service-group svc-group
Step 4
Add the service object (svc) to the service object group
HOST_A(config-sevgrp)# service-object svc
Step 5
Display the result
HOST_A(config)# show service-group
!
service-group svc-group
service-object svc
HOST_A(config)#
Configuration result:
HOST_A# show running-config
service svc
tcp dest 80
!
!
service-group svc-group
service-object svc
8.2.8 Configuration case 2: configure service object
Case description
Configure a service object for the tcp protocol with destination port 23 and source ports 1 to
65535.
Configuration steps:
Step 1
Create a service object
HOST_A(config)# service telnet2
Step 2
Add the port range to the service object
HOST_A(config-sev)# tcp dest 23 source 1 65535
8.2.9 Service object and service object group monitoring and maintenance
8.2.10 View service object
Steps to view a service object:
Step 1
Display the information of a service object
HOST_A# show service svc
!
service svc
tcp dest 80
HOST_A#
svc is the name of the service object; 80 is the destination port.
8.2.11 View service object group
Steps to view a service object group:
Step 1
Display a service object group:
HOST_A# show service-group svc-group
!
service-group svc-group
service-object svc
HOST_A#
svc-group is the name of the service object group; svc is the name of the service object.
8.2.12 Common fault analysis
8.2.13 Fault phenomenon 1:
Phenomenon: the object or object group still exists after "no service|service-group NAME" is
executed.
Analysis: an object or object group that is still referenced cannot be deleted with the "no" command.
Solution: remove the references to the object or object group from the other configurations, and
after confirming there are no other references, delete the node with the "no" command.
8.3 Configure address object and address object group
8.3.1 Overview of address object and address object group
To simplify configuration and management, the next-generation firewall equipment introduces the
concept of an address object. Address objects are classified into address nodes and address
groups; an address group is a collection of address nodes. Other function configurations may
reference an address object to define the conditions under which they take effect.
8.3.2 Configure address object and address object group
An address object may contain a specific IP address, an IP range given as a network address with
mask, or an IP range given by its starting and ending IP addresses. Several addresses of any of
these kinds may be added to one address object.
8.3.3 Add single address to address object
A single IP address is added to an address object with the command "host-address".
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
address NAME
Enter address object mode (NAME)
Step 3
host-address A.B.C.D
Add the designated IP address to the address object
Step 4
show address NAME
Display the configuration information of the address object
The command "no host-address" removes the setting from the address object and restores the
default configuration.
Parameter description: address NAME
NAME: name of the address object (default configuration: none)
Parameter description: host-address A.B.C.D
A.B.C.D: IP address (default configuration: none)
8.3.4 Add network mask to address object
A network address with mask is added to an address object with the command "net-address",
representing all IP addresses in the network segment defined by the mask.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
address NAME
Enter address object mode (NAME)
Step 3
net-address A.B.C.D/M
Add a network address with mask to the address object
Step 4
show address NAME
Display the configuration information of the address object
Parameter description: net-address A.B.C.D/M
A.B.C.D/M: network address and mask (default configuration: none)
8.3.5 Add address range to address object
An address range is added to an address object with the command "range-address"; the starting
and ending IP addresses of the range must be given.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
address NAME
Enter address object mode (NAME)
Step 3
range-address A.B.C.D E.F.G.H
Add the range given by its starting and ending IP addresses to the address object
Step 4
show address NAME
Display the configuration information of the address object
Parameter description: range-address A.B.C.D E.F.G.H
A.B.C.D E.F.G.H: starting and ending IP addresses (default configuration: none)
8.3.6 Add address object to address object group
An address object group is a collection of address objects; an address object group may include
many address objects.
An address object is added to an address object group with the command "address-object".
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
address-group NAME
Enter address object group mode (NAME)
Step 3
address-object ADDRESS
Add the designated address object to the address object group
Step 4
show address-group NAME
Display the configuration information of the address object group
An address object added with address-object can be removed from the address object group with
the command "no address-object ADDRESS".
Parameter description: address-group NAME
NAME: name of the address object group (default configuration: none)
Parameter description: address-object ADDRESS
ADDRESS: name of the address object (default configuration: none)
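A policy that references these objects resolves them at match time: an address object matches a packet address if any of its host, network or range entries contains it, a group matches if any member matches, and a service object matches on protocol plus port ranges (or ICMP type and code). The following Python, added as an example and not the equipment's software, parses object definitions in the running-config form shown in this chapter and performs those matches; it serves both the service objects of 8.2 and the address objects of 8.3. Assumptions: a tcp/udp entry without "source" matches any source port, an icmp entry without a code matches any code, an undefined object name raises a KeyError, and the system pre-defined services (CMD_GROUP_SERVICEX) are not modelled; the "lan" and "ping" objects in the sample are constructed.

```python
"""Match addresses and services against the address/service objects of this chapter.
Added example, not the equipment's own code.  Assumptions: a tcp/udp entry without
'source' matches any source port, an icmp entry without a code matches any code, and
the system pre-defined services (CMD_GROUP_SERVICEX) are not modelled."""
import ipaddress
from typing import Dict, List


def parse_port_entry(proto: str, tokens: List[str]) -> tuple:
    """Parse 'dest D [D2] [source S [S2]]' into (proto, (dlo, dhi), (slo, shi))."""
    if tokens[:1] != ["dest"]:
        raise ValueError("tcp/udp entry must start with 'dest'")
    dest, _, source = " ".join(tokens[1:]).partition(" source ")
    ranges = []
    for part in (dest, source or "1 65535"):       # assumption: no 'source' = any source port
        nums = [int(n) for n in part.split()]
        if len(nums) not in (1, 2) or not 1 <= nums[0] <= nums[-1] <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ranges.append((nums[0], nums[-1]))
    return proto, ranges[0], ranges[1]


def parse_objects(config: str) -> Dict[str, Dict[str, list]]:
    """Build {kind: {name: entries}} from text in the 'show running-config' form."""
    objs: Dict[str, Dict[str, list]] = {k: {} for k in ("address", "address-group", "service", "service-group")}
    current = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] in objs and len(t) == 2:            # start of an object or group block
            current = objs[t[0]].setdefault(t[1], [])
        elif current is None:
            raise ValueError(f"entry outside an object block: {raw!r}")
        elif t[0] == "host-address":
            current.append(ipaddress.ip_network(t[1]))              # single host, a /32
        elif t[0] == "net-address":
            current.append(ipaddress.ip_network(t[1], strict=False))
        elif t[0] == "range-address":
            current.append((ipaddress.ip_address(t[1]), ipaddress.ip_address(t[2])))
        elif t[0] in ("address-object", "service-object"):
            current.append(t[1])                                    # group member name
        elif t[0] in ("tcp", "udp"):
            current.append(parse_port_entry(t[0], t[1:]))
        elif t[0] == "icmp":
            current.append(("icmp", int(t[1]), int(t[2]) if len(t) > 2 else None))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return objs


def address_matches(objs: dict, name: str, ip: str) -> bool:
    """True if address object or group NAME contains IP ('any' matches everything)."""
    if name == "any":
        return True
    if name in objs["address-group"]:
        return any(address_matches(objs, m, ip) for m in objs["address-group"][name])
    addr = ipaddress.ip_address(ip)
    for entry in objs["address"][name]:            # KeyError for an undefined object
        if isinstance(entry, tuple):               # range-address: inclusive ends
            if entry[0] <= addr <= entry[1]:
                return True
        elif addr in entry:                        # host-address or net-address
            return True
    return False


def service_matches(objs: dict, name: str, proto: str, dport: int = 0, sport: int = 0,
                    icmp_type: int = -1, icmp_code: int = -1) -> bool:
    """True if service object or group NAME matches the protocol fields given."""
    if name == "any":
        return True
    if name in objs["service-group"]:
        return any(service_matches(objs, m, proto, dport, sport, icmp_type, icmp_code)
                   for m in objs["service-group"][name])
    for entry in objs["service"][name]:            # KeyError for an undefined object
        if entry[0] != proto:
            continue
        if proto == "icmp":
            if entry[1] == icmp_type and entry[2] in (None, icmp_code):
                return True
        elif entry[1][0] <= dport <= entry[1][1] and entry[2][0] <= sport <= entry[2][1]:
            return True
    return False


# Constructed sample: the objects from the cases in 8.2 and 8.3 plus 'lan' and 'ping'.
SAMPLE_CONFIG = """address dev
host-address 192.168.10.100
!
address lan
net-address 10.0.0.0/24
range-address 10.0.1.10 10.0.1.20
!
address-group dev-group
address-object dev
address-object lan
!
service svc
tcp dest 80
!
service ping
icmp 8 0
!
service-group svc-group
service-object svc
!
"""
```

With the sample loaded, address_matches(objs, "dev-group", "10.0.1.15") is true through the range entry of the "lan" member, while 10.0.1.21 falls outside every entry and is rejected; the same walk through a group explains why an object that is still referenced cannot be deleted, as the fault analyses in this chapter point out.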
8.3.7 Configuration cases
8.3.8 Configuration cases: add address object and address object group
Case description
Configure an address object and an address object group, and add the address object to the
address object group.
Configuration steps:
Step 1
Create an address object
HOST_A(config)# address dev
Step 2
Add a host address to the address object
HOST_A(config-addr)# host-address 192.168.10.100
Step 3
Create an address object group
HOST_A(config)# address-group dev-group
Step 4
Add the address object (dev) to the address object group
HOST_A(config-addrgrp)# address-object dev
Step 5
Display the result
HOST_A(config)# show address-group
!
address-group dev-group
address-object dev
Configuration result:
HOST_A# show running-config
address dev
host-address 192.168.10.100
!
!
address-group dev-group
address-object dev
!
8.3.9 Address object and address object group monitoring and maintenance
8.3.10 View address object
Steps to view an address object:
Step 1
Display the information of an address object
HOST_A# show address dev
!
address dev
host-address 192.168.10.100
HOST_A#
dev is the name of the address object; 192.168.10.100 is the host IP address.
8.3.11 View address object group
Steps to view an address object group:
Step 1
Display the information of an address object group
HOST_A# show address-group dev-group
!
address-group dev-group
address-object dev
HOST_A#
dev-group is the name of the address object group; dev is the name of the address object.
8.3.12 Common fault analysis
8.3.13 Fault phenomenon 1:
Phenomenon: the object or object group still exists after "no address|address-group NAME" is
executed.
Analysis: an object or object group that is still referenced cannot be deleted with the "no" command.
Solution: remove the references to the object or object group from the other configurations, and
after confirming there are no other references, delete the node with the "no" command.
8.4 Configure application object and application object group
8.4.1 Overview of application object, application classification and application object group
To simplify configuration and management, the next-generation firewall equipment introduces the
concept of an application object. An application object represents an application program. An
application classification is a grouping of applications by program function. An application object
group is a collection of application objects and/or application classifications. Other function
configurations may reference an application object to define the conditions under which they
take effect.
8.4.2 Configure application object group
Application objects and application classifications are built into the system and cannot be
configured or modified.
Configuration steps:
Step 1
configure terminal
Enter configuration mode
Step 2
app-group NAME
Enter application object group mode (NAME)
Step 3
member app APP
Add the designated application object or application classification to the application object group
Step 4
show app-group
Display the configuration information of the application object group
A member is removed from the application object group with the command "no member app APP".
Parameter description: app-group NAME
NAME: name of the application object group (default configuration: none)
Parameter description: member app APP
APP: name of an application object or application classification (default configuration: none)
8.4.3 Configuration cases
Case description
Configure an application object group.
Configuration steps:
Step 1
Create an application object group
HOST_A(config)# app-group apptest
Step 2
Add the application object http to the application object group
HOST_A(config-app-group)# member app http
Step 3
Add the application classification p2p-software to the application object group
HOST_A(config-app-group)# member app p2p-software
Step 4
Display the result
HOST_A# show app-group
app-group apptest
member app p2p-software
member app http
8.5 Configure URL object
8.5.1 Overview of URL object
To simplify configuration and management, the next-generation firewall introduces the URL object. Other functions can reference a URL object to define the conditions under which they take effect.
8.5.2 Configure URL object
Configuration steps:
Step 1  configure terminal          Enter configuration mode
Step 2  url-category NAME           Enter URL object mode (NAME)
Step 3  url URL                     Configure a URL
Step 4  show url-category (NAME)    Display configuration information of the URL object
A URL object is deleted with the command "no url-category NAME".
Parameter description: url-category NAME
Parameter   Description          Default configuration
<NAME>      Name of URL object   None
Parameter description: url URL
Parameter   Description          Default configuration
<URL>       Contents of the URL  None
8.5.3 Configuration cases
Case description
Configure a URL object.
Configuration steps:
Step 1 Create a URL object.
HOST_A(config)# url-category aaa
Step 2 Add a URL to the URL object.
HOST_A(config-custom-url-category)# url www.baidu.com
Step 3 Display the result.
host# show url-category
url-category aaa
url www.baidu.com
!
8.6 Configure File type object
8.6.1 Overview of File type object
To simplify configuration and management, the next-generation firewall introduces the file type object. Other functions can reference a file type object to define the conditions under which they take effect.
8.6.2 Configure File type object
Configuration steps:
Step 1  configure terminal       Enter configuration mode
Step 2  file-type-group NAME     Enter file type object mode (NAME)
Step 3  file-type EXPR           Configure a file extension
Step 4  show file-type-group     Display configuration information of file type objects
A file type object is deleted with the command "no file-type-group NAME".
Parameter description: file-type-group NAME
Parameter   Description                Default configuration
<NAME>      Name of file type object   None
Parameter description: file-type EXPR
Parameter   Description                Default configuration
<EXPR>      File extension to match    None
8.6.3 Configuration cases
Case description
Configure a file type object.
Configuration steps:
Step 1 Create a file type object.
HOST_A(config)# file-type-group aaa
Step 2 Add a file extension to the file type object.
HOST_A(config-file-type)# file-type exe
Step 3 Display the result.
host# show file-type-group
file-type-group aaa
file-type exe
8.7 Configure keyword object
8.7.1 Overview of keyword object
To simplify configuration and management, the next-generation firewall introduces the keyword object. Other functions can reference a keyword object to define the conditions under which they take effect.
8.7.2 Configure keyword object
Configuration steps:
Step 1  configure terminal     Enter configuration mode
Step 2  keyword NAME           Enter keyword object mode (NAME)
Step 3  content CONTENT        Configure a keyword
Step 4  show keyword (NAME)    Display configuration information of the keyword object
A keyword is removed from the keyword object with the command "no content CONTENT".
Parameter description: keyword NAME
Parameter   Description              Default configuration
<NAME>      Name of keyword object   None
Parameter description: content CONTENT
Parameter   Description              Default configuration
<CONTENT>   Contents of the keyword  None
8.7.3 Configuration cases
Case description
Configure a keyword object.
Configuration steps:
Step 1 Create a keyword object.
HOST_A(config)# keyword testkey
Step 2 Add a keyword to the keyword object.
HOST_A(config-keyword)# content baidu.com
Step 3 Display the result.
host# show keyword
Keyword Name : testkey
Description  :
1 items      : baidu.com
==========================================
8.8 Configure health check object
8.8.1 Overview of health check
A health check detects whether a target address is reachable. Health check objects are referenced by other functions; for example, a static route bound to an address monitoring object becomes invalid when the monitor fails (see Chapter 9).
8.8.2 Configure health check object
Configuration steps
Step 1  configure terminal         Enter configuration mode
Step 2  healthcheck NAME [TYPE]    Create the health check object
Step 3  real ip A.B.C.D            Add the health check destination ip
Step 4  timeout <1-86400>          Set the timeout
Step 5  interval <1-86400>         Set the interval between checks
Step 6  maxretrys <1-10>           Set the maximum number of attempts before the target is declared failed
Parameter description
Parameter   Description                                           Default configuration
NAME        Name of the address monitoring (health check) object  None
[TYPE]      Health check type (dns | icmp | tcphalfopen | udp)    None
A.B.C.D     Target address of the health check                    None
<1-86400>   Timeout                                               5
<1-86400>   Interval                                              16
<1-10>      Maximum attempts                                      3
8.8.3 Configure health check group
Configuration steps:
Step 1  configure terminal              Enter configuration mode
Step 2  healthcheck-group NAME [Type]   Set the health check group name and type
Step 3  include hm NAME                 Add a health check object to the group
Step 4  pass hm <0-5>                   Set the minimum number of health check methods that must pass for the group to pass
Parameter description:
Parameter   Description                                                         Default configuration
NAME        Name of the health check group (address monitoring object)          None
[Type]      Address family of the group (ipv4/ipv6)                             None
NAME        Name of the health check object to include                          None
<0-5>       Minimum number of health check methods that must pass (0: all)      0
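The following model of the health check object and group semantics is an added example and is not the vendor's code. It plays out the `maxretrys` / `interval` / `timeout` parameters of 8.8.2 and the `pass hm <0-5>` quorum of 8.8.3 (0 meaning every member must pass) against scripted probe results so that it runs offline. Two details are assumptions, not stated on this page: a member is declared DOWN after `maxretrys` consecutive failed probes and returns to UP after a single successful probe; the names `HealthCheck`, `HealthCheckGroup` and `scripted_probe` are mine.

```python
"""Health check object and health check group semantics (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Probe = Callable[[str, str, int], bool]   # probe(target, hc_type, timeout) -> reachable?


@dataclass
class HealthCheck:
    name: str
    target: str                 # real ip A.B.C.D
    hc_type: str = "icmp"       # dns | icmp | tcphalfopen | udp
    timeout: int = 5            # manual default
    interval: int = 16          # manual default
    maxretrys: int = 3          # manual default
    failures: int = 0           # consecutive failed probes (assumed semantics)
    up: bool = True

    def run_once(self, probe: Probe) -> bool:
        """Run one probe round and return the member's resulting state."""
        if probe(self.target, self.hc_type, self.timeout):
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.maxretrys:
                self.up = False
        return self.up

    def worst_case_detection_seconds(self) -> int:
        """Time from the first lost probe to DOWN under this model: attempts are
        `interval` apart and the last one still waits `timeout` for an answer."""
        return (self.maxretrys - 1) * self.interval + self.timeout


@dataclass
class HealthCheckGroup:
    name: str
    members: List[HealthCheck] = field(default_factory=list)
    pass_hm: int = 0            # minimum members that must pass; 0 means all of them

    def include(self, hc: HealthCheck) -> None:
        self.members.append(hc)

    def required(self) -> int:
        return len(self.members) if self.pass_hm == 0 else self.pass_hm

    def status(self) -> bool:
        """The group passes when at least `required()` members are UP."""
        return sum(1 for m in self.members if m.up) >= self.required()


def scripted_probe(outcomes: Dict[str, List[bool]]) -> Probe:
    """Constructed probe for offline runs: returns the next scripted result for
    the target and repeats the last one once the script is exhausted."""
    def probe(target: str, hc_type: str, timeout: int) -> bool:
        results = outcomes[target]
        return results.pop(0) if len(results) > 1 else results[0]
    return probe


def simulate(group: HealthCheckGroup, probe: Probe, rounds: int) -> List[bool]:
    """Run `rounds` probe rounds on every member; return the group status after each."""
    history = []
    for _ in range(rounds):
        for m in group.members:
            m.run_once(probe)
        history.append(group.status())
    return history


if __name__ == "__main__":
    grp = HealthCheckGroup("hcg-wan", pass_hm=2)
    for name, ip in (("hc1", "10.0.0.1"), ("hc2", "10.0.0.2"), ("hc3", "10.0.0.3")):
        grp.include(HealthCheck(name, ip))
    probe = scripted_probe({"10.0.0.1": [True], "10.0.0.2": [False],
                            "10.0.0.3": [False, False, True]})
    print(simulate(grp, probe, 3))      # constructed outcomes; hc2 goes down in round 3
```

With the manual's defaults a member needs three consecutive misses before it is declared failed, so a route bound to the monitor keeps forwarding into a black hole for roughly half a minute under this model; shorten `interval` and `maxretrys` where faster failover matters more than tolerance of a single lost probe.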
Chapter 9 Configure static routes
9.1 Overview of static routes
An IP device generally acquires unicast routes in two ways: static configuration and dynamic routing protocols. A route that the network administrator defines explicitly through terminal commands is called a static route.
9.2 Configure static routes
Static routes are configured by the user. When traffic to a certain network segment must be forwarded to a certain next hop, the user configures a static route with the command ip route and may also give it a weight (1-100), which is used for load sharing. A static route can be bound to an address monitoring object: when the monitoring object fails, the corresponding static route becomes invalid. The user may also add a 32-bit host route for the monitored address whose next hop is identical to that of the static route, so that the probe follows the path being monitored.
Steps to configure a static route:
Step 1  configure terminal                                                                  Enter global configuration mode
Step 2  ip route A.B.C.D/M (A.B.C.D|INTERFACE) [monitor MONITOR] [<distance> <weight>]     Configure the static route
Step 3  exit                                                                                Exit configuration mode
Step 4  show ip route                                                                       Display static route information
Parameter description: ip route
Parameter             Description
A.B.C.D/M             Destination address and mask
(A.B.C.D|INTERFACE)   Next-hop gateway address or outgoing interface
MONITOR               Name of the address monitoring group (see 8.8)
<distance>            Route priority (administrative distance), range <1-255>
<weight>              Route weight for load sharing, range 1-100
9.3 Configure default route
A special route, called the default route, is the route whose destination address and mask are 0.0.0.0/0. It matches any destination address, and every packet for which no more specific route exists is forwarded according to the default route. The default route is normally configured by the user as a static route when needed. When a network has a single exit to other networks, a default route is very useful and can significantly reduce the number of routes required.
Steps to configure the default route:
Step 1  configure terminal                         Enter global configuration mode
Step 2  ip route 0.0.0.0/0 (A.B.C.D|INTERFACE)    Configure the default route
Step 3  end                                        Exit configuration mode
9.4 Multipath selection
Configuration steps:
Step 1  configure terminal                                               Enter configuration mode
Step 2  default static route (per-ip-connection | per-source-address)   Share load across equal static routes per connection or per source ip
9.5 Information display commands
Command          Explanation
show ip route    Display static route information
9.6 Configuration cases
9.6.1 Configure default route
Case description:
Configure a default route so that packets with no more specific route are forwarded to the public network address 202.118.3.2.
Configuration steps:
Step 1 Configure the default route.
HOST_A(config)# ip route 0.0.0.0/0 202.118.3.2
Step 2 Configure the interface parameters.
HOST_A(config)# interface ge0
HOST_A(config-ge0)# ip address 202.118.3.1/24
HOST_A(config)# interface ge1
HOST_A(config-ge1)# ip address 192.168.0.1/24
Step 3 View the routing table.
HOST_A# show ip route
Codes: K - kernel route, C - connected, S - static, I - ISP, R - RIP, O - OSPF,
D - DHCP, P - PPPOE, T - tunnel IPsec > - selected route, * - FIB route
S 0.0.0.0/0 [1/0] via 202.119.3.2 inactive weight: 1
C>* 1.1.11.0/24 is directly connected, ge1 weight: 0
K>* 1.1.11.1/32 is directly connected, ge1 weight: 0
C>* 1.1.14.0/24 is directly connected, ge4 weight: 0
K>* 1.1.14.1/32 is directly connected, ge4 weight: 0
C>* 1.1.15.0/24 is directly connected, ge5 weight: 0
K>* 1.1.15.1/32 is directly connected, ge5 weight: 0
C>* 13.13.13.0/24 is directly connected, lo weight: 0
K>* 13.13.13.1/32 is directly connected, lo weight: 0
C>* 127.0.0.0/8 is directly connected, lo weight: 0
C>* 172.17.0.0/16 is directly connected, ge0 weight: 0
K>* 172.17.90.99/32 is directly connected, ge0 weight: 0
In this output S marks the static route, C the connected networks, [1/0] the distance and metric, > a selected route and * a route installed in the FIB. The static route is shown as inactive and is neither selected nor installed: this table was captured on a device addressed differently from Steps 1 and 2, and its next hop 202.119.3.2 does not fall in any connected network listed. A static route only becomes active once some interface carries a subnet that contains the next hop, which is the third cause listed in 9.7.1.
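The check just described can be automated from the CLI output. The parser below is an added example, not a tool shipped with the device; it reads the table printed in this case (the sample text is copied from the output above) and reports every static route whose next hop is not on a connected network or that the device marks inactive. The zebra-style line format (code letters, `>` selected, `*` FIB, `[distance/metric]`, `via` or `is directly connected`, `inactive`, `weight:`) is inferred from that output and is an assumption about other devices.

```python
"""Parse `show ip route` output and check static routes against connected networks (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Routing table from the 9.6.1 case above (the "Codes:" legend is skipped by the parser).
SAMPLE = """\
S 0.0.0.0/0 [1/0] via 202.119.3.2 inactive weight: 1
C>* 1.1.11.0/24 is directly connected, ge1 weight: 0
K>* 1.1.11.1/32 is directly connected, ge1 weight: 0
C>* 1.1.14.0/24 is directly connected, ge4 weight: 0
K>* 1.1.14.1/32 is directly connected, ge4 weight: 0
C>* 1.1.15.0/24 is directly connected, ge5 weight: 0
K>* 1.1.15.1/32 is directly connected, ge5 weight: 0
C>* 13.13.13.0/24 is directly connected, lo weight: 0
K>* 13.13.13.1/32 is directly connected, lo weight: 0
C>* 127.0.0.0/8 is directly connected, lo weight: 0
C>* 172.17.0.0/16 is directly connected, ge0 weight: 0
K>* 172.17.90.99/32 is directly connected, ge0 weight: 0
"""

LINE = re.compile(
    r"^(?P<code>[A-Z])(?P<sel>>?)(?P<fib>\*?)\s+(?P<prefix>\S+)"
    r"(?:\s+\[(?P<dist>\d+)/(?P<metric>\d+)\])?"
    r"\s+(?:via\s+(?P<via>\S+)|is directly connected,\s+(?P<iface>\S+))"
    r"(?P<inactive>\s+inactive)?\s+weight:\s+(?P<weight>\d+)\s*$"
)


@dataclass
class Route:
    code: str
    prefix: str
    selected: bool
    in_fib: bool
    via: Optional[str]
    iface: Optional[str]
    distance: Optional[int]
    metric: Optional[int]
    inactive: bool
    weight: int


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:                      # legend, blank lines, prompts
            continue
        routes.append(Route(
            code=m["code"], prefix=m["prefix"],
            selected=m["sel"] == ">", in_fib=m["fib"] == "*",
            via=m["via"], iface=m["iface"],
            distance=int(m["dist"]) if m["dist"] else None,
            metric=int(m["metric"]) if m["metric"] else None,
            inactive=m["inactive"] is not None, weight=int(m["weight"]),
        ))
    return routes


def connected_networks(routes: List[Route]) -> List[ipaddress.IPv4Network]:
    """Only C (connected) entries define which next hops are directly reachable."""
    return [ipaddress.ip_network(r.prefix, strict=False) for r in routes if r.code == "C"]


def next_hop_on_link(via: str, connected) -> bool:
    addr = ipaddress.ip_address(via)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in connected)


def check_static_routes(routes: List[Route]) -> List[str]:
    """One finding per static route with an off-link next hop, or reported inactive."""
    connected = connected_networks(routes)
    findings = []
    for r in routes:
        if r.code != "S":
            continue
        if r.via and not next_hop_on_link(r.via, connected):
            findings.append(f"{r.prefix}: next hop {r.via} is not on any connected network")
        elif r.inactive:
            findings.append(f"{r.prefix}: route is inactive")
    return findings


if __name__ == "__main__":
    for finding in check_static_routes(parse_routes(SAMPLE)):
        print(finding)
```

Run against the case above it reports the default route, because 202.119.3.2 lies in none of the six connected networks; had ge0 carried 202.118.3.1/24 as in Step 2, a next hop of 202.118.3.2 would pass the on-link test.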
9.7 Common faults
9.7.1 Abnormal packet forwarding
Fault phenomenon: packets are forwarded abnormally.
Analysis and solution: abnormal packet forwarding may be caused by the following circumstances:
- No correct static route has been configured;
- No default route has been configured for packets that match no static route entry; and
- The next hop designated by the static route is not reachable.
Chapter 10 Configure policy routing
10.1 Overview of policy routing
Policy routing, as its name implies, forwards packets according to a policy, and is therefore a more flexible mechanism than destination-based routing. When the device forwards a packet, it first filters the packet against the configured rules; if a rule matches, the packet is forwarded according to that rule's forwarding policy. Rules may be based on standard and extended access control lists, while the forwarding policy directs the packet according to the designated policy routing table. Policy routing thus effectively extends the traditional IP routing mechanism.
The device supports routing according to policy: a packet is first matched against the policies and, on a successful match, routed to the preset next hop. Policy routing also supports dynamic designation of the next hop according to PPPOE.
10.2 Configure policy routes
10.2.1 Policy route configuration
Steps to configure a policy route:
Step 1  configure terminal                                           Enter global configuration mode
Step 2  prouter (IF_IN|any) (SIP|any) (DIP|any) (SEV|any) (USER|any) (APP|any) (SCHEDULE|always) (blackhole|throw|unicast)
        Configure the matching conditions of the policy route and route packets that satisfy the policy to its next hop. The command may be entered multiple times; policies are matched in the order in which they are displayed.
Step 3  nexthop (gateway|interface) (IF_IN|IP) [weight <1-255>]     Configure a next hop of the policy route. The command may be entered multiple times; traffic is distributed among the next hops according to weight.
Step 4  multipath-algorithm (per-ip-connection|per-source-address)   Select the multipath algorithm: per source ip or per connection
Step 5  exit                                                         Return to privileged mode
Note:
Policy routes only take effect on traffic that enters the device from an interface; they do not apply to traffic originated by or terminated at the device itself.
10.2.2 Adjust the sequence of policy routes
Because the first matching policy wins, the user can give a policy priority by moving it ahead of another with the command "move".
Configuration steps:
Step 1  configure terminal                                   Enter configuration mode
Step 2  prouter move <1-65535> [ before | after ] <1-65535>  Move a policy route before or after the designated policy route
10.2.3 Multipath selection
Configuration steps:
Step 1  configure terminal                                          Enter configuration mode
Step 2  prouter <1-65535>                                           Enter the policy route to be modified
Step 3  multipath-algorithm (per-ip-connection | per-source-address)   Share load per connection or per source ip
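The ordering and load-sharing rules of 10.2.1 to 10.2.3 are easy to get wrong, so here is an added model of them (not the vendor's code) that can be exercised offline: rules are evaluated in display order and the first match decides; `blackhole` drops, `throw` hands the packet back to the ordinary routing table, `unicast` picks one of the rule's next hops by weight; `prouter move` reorders without renumbering. Treating per-ip-connection / per-source-address as the choice of hash input for the next-hop selection is my assumption about how the multipath algorithm behaves; the page does not say. Only the if_in, SIP and DIP match fields are modelled; the class and function names are mine.

```python
"""Ordered policy-route matching with `move` and weighted next hops (added example)."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    if_in: str
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def _in(value: str, selector: str) -> bool:
    """`any` matches everything; otherwise the address must fall in the prefix."""
    return selector == "any" or ipaddress.ip_address(value) in ipaddress.ip_network(selector, strict=False)


@dataclass
class PolicyRoute:
    seq: int
    if_in: str = "any"
    sip: str = "any"
    dip: str = "any"
    action: str = "unicast"                                          # blackhole | throw | unicast
    nexthops: List[Tuple[str, int]] = field(default_factory=list)    # (gateway, weight <1-255>)
    multipath: str = "per-ip-connection"                             # or per-source-address

    def matches(self, p: Packet) -> bool:
        return self.if_in in ("any", p.if_in) and _in(p.src, self.sip) and _in(p.dst, self.dip)

    def flow_key(self, p: Packet) -> float:
        """Deterministic value in [0, 1): hashed from the source address alone or
        from the whole connection tuple, depending on the multipath algorithm."""
        if self.multipath == "per-source-address":
            key = p.src
        else:
            key = f"{p.proto}/{p.src}:{p.sport}->{p.dst}:{p.dport}"
        digest = hashlib.sha256(key.encode()).digest()
        return int.from_bytes(digest[:4], "big") / 2 ** 32

    def pick_nexthop(self, u: float) -> str:
        """Weighted choice: a next hop with weight 3 gets three times the flows of weight 1."""
        total = sum(w for _, w in self.nexthops)
        acc = 0
        for gw, w in self.nexthops:
            acc += w
            if u * total < acc:
                return gw
        return self.nexthops[-1][0]


class PolicyRouter:
    def __init__(self) -> None:
        self.rules: List[PolicyRoute] = []

    def add(self, rule: PolicyRoute) -> None:
        self.rules.append(rule)

    def move(self, seq: int, where: str, ref_seq: int) -> None:
        """prouter move SEQ (before|after) REF: change evaluation order, keep numbers."""
        rule = next(r for r in self.rules if r.seq == seq)
        self.rules.remove(rule)
        idx = next(i for i, r in enumerate(self.rules) if r.seq == ref_seq)
        self.rules.insert(idx if where == "before" else idx + 1, rule)

    def lookup(self, p: Packet) -> Tuple[str, Optional[str]]:
        """First matching rule decides; no match (or `throw`) means ordinary routing."""
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.action == "blackhole":
                return "blackhole", None
            if r.action == "throw":
                return "routing-table", None
            return "unicast", r.pick_nexthop(r.flow_key(p))
        return "routing-table", None


if __name__ == "__main__":
    pr = PolicyRouter()
    pr.add(PolicyRoute(1, if_in="ge1", sip="192.168.0.0/24", nexthops=[("10.0.0.1", 1), ("10.0.0.2", 3)]))
    pr.add(PolicyRoute(2, dip="10.10.0.0/16", action="blackhole"))
    pkt = Packet("ge1", "192.168.0.5", "10.10.1.1", sport=40000, dport=443)   # constructed packet
    print(pr.lookup(pkt))                 # rule 1 wins: unicast to a weighted next hop
    pr.move(2, "before", 1)
    print(pr.lookup(pkt))                 # now rule 2 is evaluated first: blackhole
```

The second lookup in the usage block is the situation 10.3.1 warns about: after a `move`, a broad blackhole or a rule with a wrong next hop can shadow the rule you expected to match, and the symptom is simply that pings stop.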
10.3 Common fault analysis
10.3.1 Fault phenomenon
Phenomenon
Ping fails after a policy route is configured.
Analysis
The cause may be a wrong address object in the matching conditions or a wrong next hop.
Solution
Check that the ingress interface and the source address object match the traffic, and configure the correct next hop.
Chapter 11 Configure RIP
11.1 Overview of RIP protocol
RIP is an interior gateway protocol (IGP) based on the distance-vector (D-V) algorithm, also known as the Bellman-Ford algorithm, and exchanges routing information in UDP datagrams. The distance-vector algorithm was used to compute routes in the early ARPANET. RIP has become one of the standards for exchanging routing information between routers and hosts, one of the most widely used IGPs, and is supported by most IP router vendors. RIP is designed for medium-sized networks built on homogeneous technology, and is therefore suitable for most campus networks and regional networks with little variation in utilisation. RIP is generally not used in complex environments.
RIP measures the distance to the destination in hop count, which is the route metric, and uses two kinds of message: route information requests and route information responses. When a router port first starts it sends a request message. Response messages carry the actual routing information and are sent to adjacent ports every 30 seconds. RIP uses split horizon and poison reverse to prevent routing loops, and triggered updates and route timeouts to keep routes correct.
11.2 Configure RIP
11.2.1 Default configuration information
The RIP default settings of the device are shown below:
Table 11-1 RIP default configuration information
Contents                                       Default setting   Remark
Enable/disable status (enable/disable)         disable           The setting can be changed
Interface authentication type (none/text/md5)  none              The setting can be changed
Version                                        2                 The setting can be changed
Update timer                                   30s               The default setting is recommended
Timeout timer                                  180s              The default setting is recommended
Garbage-collection timer                       120s              The default setting is recommended
11.2.2 Enable RIP routing protocol function
Enable the RIP routing protocol; all further RIP configuration builds on this.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  router rip           Enable RIP and enter RIP configuration mode
In configuration mode the user may remove the RIP configuration with the command no router rip, restoring the default configuration.
Parameter description: router NAME
Parameter   Description               Default configuration
NAME        Type of routing protocol  None
Prompt:
Other RIP functions can only be configured after RIP has been enabled.
11.2.3 Configure RIP version
RIP version configuration controls the version of messages received and sent by RIP on interfaces that have no version configuration of their own.
Configuration steps:
Step 1  configure terminal    Enter configuration mode
Step 2  router rip            Enable RIP and enter RIP configuration mode
Step 3  version 1             Configure the message version as 1
Step 4  end                   Return to Enable mode
Step 5  show running-config   show command
The user may cancel the version setting with the command no version, restoring the default of 2.
Parameter description: version <1-2>
Parameter   Description   Default configuration
<1-2>       RIP version   2
11.2.4 Configure RIP advertised network
Advertise a directly connected network so that other routers learn the route to the local network.
Configuration steps:
Step 1  configure terminal         Enter configuration mode
Step 2  router rip                 Enable RIP and enter RIP configuration mode
Step 3  network 202.38.168.1/24    Advertise the network 202.38.168.1/24
Step 4  end                        Return to Enable mode
Step 5  show ip rip                show command
The user may cancel the setting with the command no network 202.38.168.1/24, after which the route 202.38.168.1/24 is no longer advertised.
Parameter description: network <A.B.C.D/M>
Parameter     Description                    Default configuration
<A.B.C.D/M>   Network to be advertised       None
11.2.5 Configure RIP default route advertisement
Originate and advertise a route 0.0.0.0/0.
Configuration steps:
Step 1  configure terminal               Enter configuration mode
Step 2  router rip                       Enable RIP and enter RIP configuration mode
Step 3  default-information originate    Originate and advertise the default route
Step 4  end                              Return to Enable mode
Step 5  show ip rip                      show command
The user may cancel the default route advertisement with the command no default-information originate.
11.2.6 Configure RIP default redistribution metric
When a route type is redistributed without an explicit metric, the default redistribution metric is used.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  router rip           Enable RIP and enter RIP configuration mode
Step 3  default-metric 3     Configure the default redistribution metric as 3
Step 4  end                  Return to Enable mode
Step 5  show ip rip          show command
The user may cancel the setting with the command no default-metric, restoring the default value 1.
Parameter description: default-metric <1-16>
Parameter   Description                           Default configuration
<1-16>      Default redistribution metric value   1
11.2.7 Configure RIP timers
RIP advertises its whole routing table every update period. If no update for a route is received within the timeout, the route is removed from the core routing table, advertised with metric 16 (unreachable), and its garbage-collection timer is started; when that timer expires, the route is deleted from the RIP routing table.
Configuration steps:
Step 1  configure terminal     Enter configuration mode
Step 2  router rip             Enable RIP and enter RIP configuration mode
Step 3  timers basic 5 30 20   Set the update, timeout and garbage-collection timers to 5, 30 and 20 seconds
Step 4  end                    Return to Enable mode
Step 5  show ip rip            show command
The user may cancel the timer setting with the command no timers basic, restoring the defaults of 30s, 180s and 120s.
Parameter description: timers basic <5-2147483647> <5-2147483647> <5-2147483647>
Parameter        Description                Default configuration
<5-2147483647>   Update timer               30s
<5-2147483647>   Timeout timer              180s
<5-2147483647>   Garbage-collection timer   120s
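To make the three timers concrete, the following added example (not vendor code) plays out the life cycle the paragraph above describes for one RIP route under `timers basic 5 30 20`: valid while updates keep arriving, advertised with metric 16 once the timeout expires, deleted when garbage collection expires. Time is a plain integer in seconds supplied by the caller, so it runs offline; the `Timers.validate` sanity rule that the timeout must exceed the update interval is my addition, the range check comes from the command syntax.

```python
"""RIP route timer life cycle: update / timeout / garbage collection (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INFINITY = 16          # RIP metric meaning "unreachable"


@dataclass
class Timers:
    update: int = 30   # manual defaults
    timeout: int = 180
    garbage: int = 120

    def validate(self) -> List[str]:
        """Range check from the command syntax, plus one sanity rule: a timeout no
        longer than the update period expires routes between two updates."""
        problems = []
        for name, value in (("update", self.update), ("timeout", self.timeout), ("garbage", self.garbage)):
            if not 5 <= value <= 2147483647:
                problems.append(f"{name} {value} outside <5-2147483647>")
        if self.timeout <= self.update:
            problems.append("timeout must exceed the update interval")
        return problems


@dataclass
class RipRoute:
    prefix: str
    metric: int
    last_update: int
    timers: Timers
    state: str = "valid"              # valid -> garbage -> deleted
    gc_started: Optional[int] = None

    def refresh(self, metric: int, now: int) -> None:
        """An update for the prefix restarts the timeout and cancels garbage collection."""
        self.metric, self.last_update = metric, now
        self.state, self.gc_started = "valid", None

    def tick(self, now: int) -> str:
        if self.state == "valid" and now - self.last_update >= self.timers.timeout:
            self.state, self.gc_started, self.metric = "garbage", now, INFINITY
        if self.state == "garbage" and now - self.gc_started >= self.timers.garbage:
            self.state = "deleted"
        return self.state

    def in_routing_table(self) -> bool:
        return self.state == "valid"

    def advertised_metric(self) -> Optional[int]:
        """What the next periodic update carries: the metric, 16 during garbage
        collection, nothing once the route is deleted."""
        return None if self.state == "deleted" else self.metric


def run(route: RipRoute, updates: Dict[int, int], until: int) -> List[Tuple[int, str, Optional[int]]]:
    """Advance one second at a time, applying `updates` ({second: metric}) as they
    arrive; return (t, state, advertised metric) for every second."""
    trace = []
    for t in range(until + 1):
        if t in updates:
            route.refresh(updates[t], t)
        trace.append((t, route.tick(t), route.advertised_metric()))
    return trace


if __name__ == "__main__":
    # Constructed scenario: route learned at t=0 with metric 3, then its source goes silent.
    route = RipRoute("192.168.31.0/24", 3, 0, Timers(5, 30, 20))
    for t, state, adv in run(route, {}, 50):
        if t in (0, 29, 30, 49, 50):
            print(t, state, adv)
```

The trace shows why the manual recommends the defaults and why `timeout` and `garbage` are tuned together: with 5/30/20 a silent neighbour is poisoned after 30 s and forgotten after 50 s, which gives fast convergence but also means six consecutive lost updates are enough to withdraw a route.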
11.2.8 Configure RIP route redistribution
Redistribution imports static, directly connected and OSPF routes into RIP for advertisement.
Configuration steps:
Step 1  configure terminal                Enter configuration mode
Step 2  router rip                        Enable RIP and enter RIP configuration mode
Step 3  redistribute connected metric 3   Redistribute directly connected routes with metric 3
Step 4  end                               Return to Enable mode
Step 5  show ip rip                       show command
The user may cancel the redistribution of directly connected routes with the command "no redistribute connected".
Parameter description: redistribute (connected|static|ospf) [ metric <1-16>]
Parameter                 Description             Default configuration
(connected|static|ospf)   Route type              None
<1-16>                    Redistribution metric   1
11.2.9 Configure the version of messages received and sent by a RIP interface
Set the message version received and sent on an individual interface.
Configuration steps:
Step 1  configure terminal              Enter configuration mode
Step 2  router rip                      Enable RIP and enter RIP configuration mode
Step 3  ip rip ge0/1 send version 1     Set the version sent by interface ge0/1 to 1
Step 4  end                             Return to Enable mode
Step 5  show ip rip                     show command
The user may cancel the version sent by interface ge0/1 with the command "no ip rip ge0/1 send version", restoring the default value.
Parameter description: ip rip NAME (send|receive) version <1-2>
Parameter        Description      Default configuration
NAME             Interface name   None
(send|receive)   Action type      None
<1-2>            Version          2
11.2.10 Configure authentication type of RIP interface
Set the authentication type and password used for RIP messages on an individual interface.
Configuration steps:
Step 1  configure terminal                      Enter configuration mode
Step 2  router rip                              Enable RIP and enter RIP configuration mode
Step 3  ip rip ge0/1 authentication md5 12345   Set interface ge0/1 to md5 authentication with password 12345
Step 4  end                                     Return to Enable mode
Step 5  show running-config                     show command
The user may cancel the authentication configuration of interface ge0/1 with the command "no ip rip ge0/1 authentication", restoring the default value.
Parameter description: ip rip NAME authentication (md5|text) NAME
Parameter    Description               Default configuration
NAME         Interface name            None
(md5|text)   Authentication type       None
NAME         Authentication password   None
Note:
With text authentication the password is carried in cleartext in every RIP message and can be read by anyone on the segment; md5 sends only a keyed digest. Prefer md5, use a password that cannot be guessed (the 12345 above is for illustration only), and configure the same type and password on both ends of each link, otherwise the neighbours will not exchange routes (see 11.4).
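The difference between the two authentication types is visible on the wire. The following added example (not the vendor's code) builds RIPv2 response messages with each type and shows that a passive listener recovers the `text` password directly, while with `md5` it sees only a digest and cannot forge or replay a message without the key. The byte layout used is the one in RFC 2453 (simple password entry) and RFC 2082 (type 3 authentication header, trailer 0xFFFF/0x0001 followed by a 16-byte MD5 over the packet plus the zero-padded key); whether the device's md5 mode is exactly RFC 2082 is not stated on this page and is assumed here. Function names are mine.

```python
"""RIPv2 authentication: cleartext password versus keyed-MD5 trailer (added example)."""
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Optional, Tuple

RIP_RESPONSE, RIP_V2 = 2, 2
AFI_IP, AFI_AUTH = 2, 0xFFFF
AUTH_TEXT, AUTH_MD5 = 2, 3
ENTRY = 20                              # every RIPv2 entry is 20 bytes

RouteEntry = Tuple[str, str, int]       # (prefix "a.b.c.d/m", next hop, metric)


def _entries(routes: List[RouteEntry]) -> bytes:
    out = b""
    for prefix, nexthop, metric in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        out += struct.pack("!HH4s4s4sI", AFI_IP, 0, net.network_address.packed,
                           net.netmask.packed, ipaddress.IPv4Address(nexthop).packed, metric)
    return out


def build_text(password: bytes, routes: List[RouteEntry]) -> bytes:
    """RFC 2453 simple password: the secret itself travels in the first entry."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    return header + struct.pack("!HH16s", AFI_AUTH, AUTH_TEXT, password[:16]) + _entries(routes)


def _key16(key: bytes) -> bytes:
    return key[:16].ljust(16, b"\0")


def build_md5(key: bytes, key_id: int, seq: int, routes: List[RouteEntry]) -> bytes:
    """RFC 2082 keyed MD5: the key never leaves the router, only a digest does."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    body = _entries(routes)
    pkt_len = 4 + ENTRY + len(body)      # offset of the trailer, carried in the auth header
    auth = struct.pack("!HHHBBI8s", AFI_AUTH, AUTH_MD5, pkt_len, key_id, 16, seq, b"\0" * 8)
    covered = header + auth + body + struct.pack("!HH", AFI_AUTH, 0x0001)
    return covered + hashlib.md5(covered + _key16(key)).digest()


def verify_md5(pkt: bytes, key: bytes, last_seq: int = -1) -> bool:
    """Recompute the digest in constant time and reject a sequence number that did
    not advance past the last accepted one (RFC 2082 replay protection)."""
    if len(pkt) < 4 + ENTRY + 20:
        return False
    afi, atype, pkt_len, _key_id, dlen, seq = struct.unpack("!HHHBBI", pkt[4:16])
    if (afi, atype, dlen) != (AFI_AUTH, AUTH_MD5, 16) or pkt_len + 20 != len(pkt):
        return False
    if pkt[pkt_len:pkt_len + 4] != struct.pack("!HH", AFI_AUTH, 0x0001):
        return False
    expected = hashlib.md5(pkt[:pkt_len + 4] + _key16(key)).digest()
    return hmac.compare_digest(expected, pkt[pkt_len + 4:pkt_len + 20]) and seq > last_seq


def recover_text_password(pkt: bytes) -> Optional[bytes]:
    """What a passive listener on the segment learns from a `text` packet."""
    afi, atype, pw = struct.unpack("!HH16s", pkt[4:24])
    return pw.rstrip(b"\0") if (afi, atype) == (AFI_AUTH, AUTH_TEXT) else None


def parse_routes(pkt: bytes) -> List[RouteEntry]:
    """Route entries following the authentication entry, for either auth type."""
    routes = []
    atype = struct.unpack("!H", pkt[6:8])[0]
    end = struct.unpack("!H", pkt[8:10])[0] if atype == AUTH_MD5 else len(pkt)
    for off in range(4 + ENTRY, end, ENTRY):
        fam, _tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", pkt[off:off + ENTRY])
        if fam == AFI_IP:
            prefixlen = bin(int.from_bytes(mask, "big")).count("1")
            net = ipaddress.IPv4Network((addr, prefixlen), strict=False)
            routes.append((str(net), str(ipaddress.IPv4Address(nh)), metric))
    return routes


if __name__ == "__main__":
    routes = [("192.168.31.0/24", "0.0.0.0", 3)]          # constructed route, as in 11.3.1
    print(recover_text_password(build_text(b"12345", routes)))    # b'12345': readable on the wire
    signed = build_md5(b"12345", key_id=1, seq=7, routes=routes)
    print(recover_text_password(signed), verify_md5(signed, b"12345"))   # None True
```

Keyed MD5 is the strongest option RIPv2 offers and is adequate to stop a host on the segment from injecting a bogus default route, but it is not a modern MAC; where stronger protection is needed the answer is to keep RIP off untrusted segments rather than to rely on the trailer.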
11.3 RIP monitoring and maintenance
11.3.1 View RIP routing table
Steps to view the RIP routing table:
Step 1 Display the RIP routing table
HOST# show ip route rip
Codes: R - RIP, C - connected, O - OSPF, B - BGP
       (n) - normal, (s) - static, (d) - default, (r) - redistribute,
       (i) - interface
     Network             Next Hop     Metric  From   Time
R(s) 0.0.0.0/0           0.0.0.0           1  self
C(r) 192.168.31.0/24     0.0.0.0           1  self
C(i) 202.38.168.0/24     0.0.0.0           1  self
HOST#
The RIP routing table holds three routes: two directly connected routes, 192.168.31.0/24 (redistributed) and 202.38.168.0/24 (from an interface covered by a network command), both with metric 1, and the default route.
11.3.2 View RIP configuration
Steps to view the RIP configuration:
Step 1 View the RIP configuration
HOST# show ip rip
Routing Protocol is "rip"
  Sending updates every 5 seconds with +/-50%, next due in 2 seconds
  Timeout after 30 seconds, garbage collect after 20 seconds
  Default redistribution metric is 1
  Redistributing: connected
  Default version control: send version 2, receive version 2
    Interface        Send  Recv
    ge0/2            2     2
  Routing for Networks:
    202.38.168.1/24
  Routing Information Sources:
    Gateway          BadPackets  BadRoutes  Distance  Last Update
  Distance: (default is 120)
HOST#
The timers have been set to 5s, 30s and 20s; the default redistribution metric is 1; directly connected routes are redistributed; interface ge0/2 sends and receives version 2 messages; and the configured network 202.38.168.1/24 is advertised.
11.3.3 View debugging information
Application environment
With the command "debug rip events" the user can view events during RIP operation.
With the command "debug rip packet" the user can view messages received and sent by RIP.
With the command "debug rip zebra" the user can view events that occur when routes change.
Debugging cases
HOST# debug rip packet
HOST# debug rip events
update timer fire!
SEND UPDATE to ge0/2 ifindex 3
multicast announce on ge0/2
update routes on interface ge0/2 ifindex 3
SEND to socket 11 port 520 addr 224.0.0.9
SEND RESPONSE version 2 packet size 44
0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
192.168.31.0/24 -> 0.0.0.0 family 2 tag 0 metric 3
Rip_read!
Ignore packet comes from myself, 202.38.168.1
update timer fire!
SEND UPDATE to ge0/2 ifindex 3
multicast announce on ge0/2
update routes on interface ge0/2 ifindex 3
SEND to socket 11 port 520 addr 224.0.0.9
SEND RESPONSE version 2 packet size 44
0.0.0.0/0 -> 0.0.0.0 family 2 tag 0 metric 1
192.168.31.0/24 -> 0.0.0.0 family 2 tag 0 metric 3
Rip_read!
Ignore packet comes from myself, 202.38.168.1
Result analysis
Analyse the debugging output above as needed and handle any unexpected cases.
RIP periodically sends update messages on each interface and receives update messages from other devices; the trace shows the periodic update to 224.0.0.9 on UDP port 520 carrying the default route and the redistributed 192.168.31.0/24, and the router ignoring its own multicast as it is received back.
Note:
Only senior users should use these commands. Because they print a large amount of information on the command line and consume considerable CPU, users are strongly recommended to disable the function with the command "no debug rip (events|packet|zebra)" after debugging.
11.4 Common fault analysis
11.4.1 Fault phenomenon: two devices cannot communicate normally
Phenomenon
Two devices cannot communicate normally.
Analysis
Check whether the message versions received and sent on the interconnected interfaces match, whether the authentication types match, and whether the interface configuration is correct.
Solution
Check the interface configuration and correct it.
Chapter 12 Configure OSPF
12.1 OSPF protocol
OSPF (Open Shortest Path First) is a dynamic routing protocol used to route between networks.
OSPF is an interior routing protocol used within an autonomous system (AS) to compute routes inside that single AS. Unlike RIP, which is a distance-vector protocol, OSPF is a link-state routing protocol: it generates new routes quickly when a network link changes and can manage a larger autonomous system than RIP.
As a link-state protocol, OSPF builds a link-state database from the link-state advertisements (LSAs) exchanged among routers and, using the SPF algorithm, computes the shortest-path tree to every node and from it the routes. Its way of working differs from the familiar RIP and IGRP: OSPF sends only the link-state information of the current node to adjacent nodes, whereas RIP and IGRP send the entire routing table, or part of it, to adjacent nodes, which update their own routing tables from that information. OSPF therefore sends less information than RIP. Within the advertised link-state structure, OSPF supports IP subnetting.
OSPF regularly sends hello messages to adjacent routers and receives hello messages from them. Hello messages let a router learn its neighbours during start-up and monitor their state during operation. If an adjacent router is switched off or a link is disconnected, no more hello messages are received from that neighbour, so the router quickly learns which routers have failed and reacts quickly to changes in network topology.
On a network segment with multiple OSPF routers, a designated router (DR) and a backup designated router (BDR) are elected. While keeping the link-state databases synchronised, only the designated router floods LSAs to the whole network, which reduces traffic overhead.
12.2 Configure OSPF
12.2.1 Default configuration information
The OSPF default settings of the device are shown below:
Table 12-1 OSPF default configuration information
Contents                                                  Default setting            Remark
Enable/disable status                                     disable                    The setting can be changed
OSPF area authentication type (none/text/md5)             Not authenticated          The setting can be changed
Interface authentication type (none/text/md5)             Not authenticated          The setting can be changed
Default route advertisement                               Not advertised             The setting can be changed
OSPF route priority (administrative distance)             110                        The setting can be changed
spf-delay value and spf-holdtime value                    spf-delay: 5s, spf-holdtime: 10s   The default setting is recommended
Compatibility with RFC 1583                               Incompatible               The setting can be changed
LSA retransmission interval                               5s                         The default setting is recommended
LSA transmission delay                                    1s                         The default setting is recommended
Hello-interval value                                      10s                        The setting can be changed
Dead-interval value                                       4 * Hello-interval         The setting can be changed
Interface DR priority                                     1                          The setting can be changed
OSPF inter-area route aggregation                         No aggregation             The setting can be changed
Redistribution of other protocols' routes and route type  Type 2 external route      The setting can be changed
12.2.2 Enable OSPF routing protocol function
Enable the OSPF routing protocol; all further OSPF configuration builds on this.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  router ospf          Enable OSPF and enter OSPF configuration mode
In configuration mode the user may remove the OSPF configuration with the command "no router ospf", restoring the default configuration.
Parameter description: router NAME
Parameter   Description               Default configuration
NAME        Type of routing protocol  None
Prompt:
Other OSPF functions can only be configured after OSPF has been enabled.
12.2.3 Configure OSPF Router-ID
OSPF needs a Router-ID as the unique identifier of a router within the autonomous system. Normally, after the protocol is enabled, a Router-ID is elected automatically: the router first takes the highest loopback IP address; if there is no loopback address, it takes the highest IP address of an interface in UP state. The user may also designate a Router-ID explicitly.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  router ospf          Enable OSPF and enter OSPF configuration mode
Step 3  router-id 1.1.1.1    Configure the Router-ID
Step 4  end                  Return to Enable mode
Step 5  show ip ospf         show command
The user may cancel the router-id setting with the command no router-id, after which the Router-ID is elected automatically again.
Parameter description: router-id A.B.C.D
Parameter   Description     Default configuration
A.B.C.D     OSPF Router-ID  Elected automatically as described above
12.2.4 Configure OSPF interface
Configure the OSPF interfaces and their areas.
Configuration steps:
Step 1  configure terminal             Enter configuration mode
Step 2  router ospf                    Enable OSPF and enter OSPF configuration mode
Step 3  network 10.0.1.0/24 area 0     Enable OSPF on the interface in 10.0.1.0/24 and place it in area 0
Step 4  end                            Return to Enable mode
Step 5  show ip ospf                   show command
The user may cancel the setting with the command "no network 10.0.1.0/24 area 0".
Parameter description: network A.B.C.D/M area (A.B.C.D|<0-4294967295>)
Parameter                  Description                                   Default configuration
<A.B.C.D/M>                Network segment to which the interface belongs   None
(A.B.C.D|<0-4294967295>)   Area ID                                       None
12.2.5 Configure OSPF area authentication method
OSPF supports authentication within an area. All routers in an area must use the same authentication type (no authentication, cleartext authentication or digest authentication). Authentication provides password-based protection against unauthorised routers joining the area. For area authentication, the authentication password must still be configured separately on every interface in the area. When the interface authentication method differs from that of the area, the interface configuration takes precedence.
Configuration steps:
Step 1  configure terminal      Enter configuration mode
Step 2  router ospf             Enable OSPF and enter OSPF configuration mode
Step 3  area 0 authentication   Configure the authentication method of area 0 as cleartext authentication
Step 4  end                     Return to Enable mode
Step 5  show ip ospf            show command
The user may cancel the area authentication setting with the command "no area (A.B.C.D|<0-4294967295>)" and restore the default of no authentication.
Parameter description: area (A.B.C.D|<0-4294967295>) authentication [message-digest]
Parameter                  Description                          Default configuration
(A.B.C.D|<0-4294967295>)   Area ID                              None
message-digest             Digest (md5) authentication          Omitting the parameter selects cleartext authentication
As with RIP, cleartext authentication exposes the password to anyone on the segment; message-digest should be preferred.
12.2.6 Configure OSPF NSSA
External (ASE) routes from outside the autonomous system cannot enter an NSSA, but external routes imported by routers inside the NSSA can be flooded within the NSSA and sent out of the area. NSSA is an extension of the OSPF standard; its use should be kept to a minimum because of possible conflicts and compatibility problems during route coordination.
Configuration steps:
Step 1  configure terminal                  Enter configuration mode
Step 2  router ospf                         Enable OSPF and enter OSPF configuration mode
Step 3  area 1 nssa translate-candidate     Configure area 1 as an NSSA, with this router a candidate for translating type 7 LSAs into type 5
Step 4  end                                 Return to Enable mode
Step 5  show ip ospf                        show command
The user may cancel the NSSA property of the area with the command "no area 1 nssa".
Parameter description: area (A.B.C.D|<0-4294967295>) nssa (translate-candidate|translate-never|translate-always) [no-summary]
Parameter                                                Description                                                                                      Default configuration
(A.B.C.D|<0-4294967295>)                                 Area ID                                                                                          None
(translate-candidate|translate-never|translate-always)   Whether this ABR translates type 7 LSAs into type 5 LSAs; the parameter has no effect on a router that is not an ABR   translate-candidate: one ABR is elected to perform the 7-to-5 translation
[no-summary]                                             If configured, the ABR filters type 3 LSAs and does not send them into the NSSA                  Optional
Note:
1) If a router in an area is configured with this property, all routers in the area must be configured with it.
2) To change the property, restart OSPF.
12.2.7 Configure OSPF inter-area route aggregation
Inter-area route aggregation reduces the number of inter-area routes: the ABR advertises one aggregated inter-area route to other areas, and the component routes are not advertised. In OSPF, when an ABR sends routing information to other areas it generates one Type 3 LSA per network segment; if the area contains contiguous network segments, the user may configure the ABR to aggregate them into a single network segment. The ABR then sends only one aggregated LSA, the LSAs within the aggregated range designated by the command are no longer sent separately, and the link state database (LSDB) of the other areas shrinks accordingly. If the range is defined with the keyword not-advertise, the aggregated route for that range is not advertised at all. The range is expressed as IP address/mask. Aggregating network segments in this way reduces the amount of routing information exchanged between routers.
Configuration steps:
Step 1  configure terminal          Enter configuration mode
Step 2  router ospf                 Enable OSPF and enter OSPF configuration mode
Step 3  area 0 range 10.0.0.0/16    Set the area of the aggregated route and the address range
Step 4  end                         Return to Enable mode
Step 5  show running-config ospf    Show command
User may cancel the setting with the command “no area (A.B.C.D|<0-4294967295>) range A.B.C.D/M”.
Parameter description:
area (A.B.C.D|<0-4294967295>) range A.B.C.D/M [not-advertise]
Parameter                  Description
(A.B.C.D|<0-4294967295>)   Area ID of the aggregated range
A.B.C.D/M                  Address range
[not-advertise]            Do not advertise the aggregated route
Parameter description:
area (A.B.C.D|<0-4294967295>) range A.B.C.D/M advertise cost <0-16777215>
Parameter                  Description
(A.B.C.D|<0-4294967295>)   Area ID of the aggregated range
A.B.C.D/M                  Address range
<0-16777215>               Metric of the advertised aggregated route
Parameter description:
area (A.B.C.D|<0-4294967295>) range A.B.C.D/M substitute A.B.C.D/M
Parameter                  Description                                                  Default configuration
(A.B.C.D|<0-4294967295>)   Area ID of the aggregated range
A.B.C.D/M                  Address range
A.B.C.D/M                  Address range advertised in place of the original range      1
Prompt:
User may cancel the advertised cost of the aggregated route with the command “no area (A.B.C.D|<0-4294967295>) range A.B.C.D/M advertise cost”.
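The following Python model shows how an ABR applies the three forms of the area range command above to the Type 3 LSAs it originates. It is an added example, not code from this product; the sample routes and the range configuration are constructed, and the rule that a range without an explicit advertise cost takes the largest cost among its component routes is assumed from RFC 2328 section 12.4.3.

```python
from ipaddress import ip_network

# Constructed sample: intra-area routes of area 0 known to the ABR, as (prefix, cost)
AREA0_ROUTES = [
    ("10.0.1.0/24", 10),
    ("10.0.2.0/24", 20),
    ("10.0.7.0/24", 15),
    ("10.1.0.0/24", 5),
    ("192.168.5.0/24", 30),
    ("172.16.0.0/24", 7),      # matches no range: advertised unchanged
]

# Constructed configuration, one entry per command form from this section:
#   area 0 range 10.0.0.0/16                                   (cost derived from components)
#   area 0 range 192.168.0.0/16 not-advertise                  (components suppressed)
#   area 0 range 10.1.0.0/16 advertise cost 50, substitute 10.100.0.0/16
RANGES = [
    {"range": "10.0.0.0/16",    "advertise": True,  "cost": None, "substitute": None},
    {"range": "192.168.0.0/16", "advertise": False, "cost": None, "substitute": None},
    {"range": "10.1.0.0/16",    "advertise": True,  "cost": 50,   "substitute": "10.100.0.0/16"},
]


def summarize(routes, ranges):
    """Return the (prefix, cost) Type 3 LSAs the ABR advertises into other areas.

    A route inside a configured range is replaced by that range (the most specific
    range wins when ranges nest). A not-advertise range suppresses its components.
    The advertised cost is the configured 'advertise cost' if present, otherwise the
    largest cost of the components (assumption: RFC 2328 section 12.4.3 behaviour).
    """
    cfg = [(ip_network(r["range"]), r) for r in ranges]
    passthrough = []
    summaries = {}  # advertised prefix -> (component costs, configured cost)
    for prefix, cost in routes:
        net = ip_network(prefix)
        matches = [(rn, r) for rn, r in cfg if net.subnet_of(rn)]
        if not matches:
            passthrough.append((prefix, cost))
            continue
        rn, r = max(matches, key=lambda m: m[0].prefixlen)
        if not r["advertise"]:
            continue  # 'not-advertise': nothing leaves the area for this range
        key = r["substitute"] or str(rn)
        costs, fixed = summaries.setdefault(key, ([], r["cost"]))
        costs.append(cost)
    advertised = [(p, fixed if fixed is not None else max(costs))
                  for p, (costs, fixed) in sorted(summaries.items())]
    return passthrough + advertised


if __name__ == "__main__":
    for prefix, cost in summarize(AREA0_ROUTES, RANGES):
        print(f"Type 3 LSA {prefix} cost {cost}")
```

Running it shows a single 10.0.0.0/16 LSA with cost 20 standing in for three component routes, the 192.168.0.0/16 components disappearing entirely, and the substitute prefix carrying the configured cost.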
12.2.8 Configure OSPF route redistribution
To let several routing protocols run at the same time, the routing information of one protocol can be imported into another; this process is known as route redistribution. An autonomous system running OSPF may import routes from other routing protocols outside the system, or static routes, to share routing information. A router running OSPF together with other routing protocols must be configured for route redistribution before external routing information can be imported.
OSPF uses four types of routes, ranked from high to low preference as follows:
- Intra-area route;
- Inter-area route;
- Type 1 external route; and
- Type 2 external route.
Intra-area and inter-area routes describe the internal network structure of the autonomous system; external routes describe how to reach destinations outside the autonomous system. A Type 1 external route is typically an IGP route received by the ASBR (such as RIP or a static route); since such routes are relatively reliable, the cost of the external part is considered comparable to the cost of routes inside the autonomous system and is added to the OSPF cost. That is, cost of a Type 1 external route = cost from the router to the corresponding ASBR + cost from the ASBR to the route's destination. A Type 2 external route is typically an EGP route received by the ASBR; since such routes are relatively unreliable, OSPF assumes that the cost from the ASBR to the destination far exceeds the cost from inside the autonomous system to the ASBR, and only the former is considered. That is, cost of a Type 2 external route = cost from the ASBR to the route's destination; only when two such costs are equal is the cost from the router to the corresponding ASBR compared.
Configuration steps:
Step 1  configure terminal                                Enter configuration mode
Step 2  router ospf                                       Enable OSPF and enter OSPF configuration mode
Step 3  redistribute connected metric 11 metric-type 1    Redistribute connected routes with metric 11 as Type 1 external routes
Step 4  end                                               Return to Enable mode
Step 5  show running-config ospf                          Show command
User may cancel the route redistribution setting with the command “no redistribute (connected|static|rip)”.
Parameter description:
redistribute (connected|static|rip) metric <1-16777214> metric-type (1|2)
Parameter                Description                                  Default configuration
(connected|static|rip)   Type of route redistributed                  None
<1-16777214>             Metric of the redistributed routes           None
(1|2)                    External type of the redistributed routes    Type 2 external route
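The following Python model shows how the two external route types selected with metric-type above are compared when the same destination is learned through several ASBRs. It is an added example following RFC 2328 section 16.4, not code from this product; the candidate paths and ASBR Router IDs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ExternalPath:
    """One candidate path to an external destination, as seen from this router."""
    asbr: str          # Router ID of the ASBR that redistributed the route
    metric_type: int   # 1 or 2, from 'redistribute ... metric-type (1|2)'
    ext_metric: int    # metric carried in the AS-external LSA ('redistribute ... metric N')
    cost_to_asbr: int  # intra-AS OSPF cost from this router to that ASBR


def effective_cost(path):
    """Type 1: cost to the ASBR plus the external metric. Type 2: the external metric only."""
    if path.metric_type == 1:
        return path.cost_to_asbr + path.ext_metric
    return path.ext_metric


def preference_key(path):
    """Smaller is better. A Type 1 path always beats a Type 2 path; between Type 2 paths
    with the same external metric, the one with the lower cost to its ASBR wins."""
    tie_break = path.cost_to_asbr if path.metric_type == 2 else 0
    return (path.metric_type, effective_cost(path), tie_break)


def best_external(paths):
    """Pick the preferred path; returns None when there is no candidate."""
    return min(paths, key=preference_key) if paths else None


# Constructed sample: 203.0.113.0/24 is reachable through three ASBRs
CANDIDATES = [
    ExternalPath("1.1.1.1", 2, 100, 30),
    ExternalPath("2.2.2.2", 2, 100, 10),   # same Type 2 metric, closer ASBR
    ExternalPath("3.3.3.3", 1, 500, 20),   # Type 1: larger total cost, still preferred
]

if __name__ == "__main__":
    best = best_external(CANDIDATES)
    print(f"via ASBR {best.asbr} (type {best.metric_type}, cost {effective_cost(best)})")
```

Note that the Type 1 path wins although its total cost (520) is far above the Type 2 paths: the route type is compared before the cost, which is why metric-type is the more important choice when redistributing.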
12.2.9 OSPF redistribution route default metric
Configure the default metric for routes redistributed into OSPF as external routes.
Configuration steps:
Step 1  configure terminal          Enter configuration mode
Step 2  router ospf                 Enable OSPF and enter OSPF configuration mode
Step 3  default-metric 100          Configure the default metric of redistributed routes as 100
Step 4  end                         Return to Enable mode
Step 5  show running-config ospf    Show command
User may cancel the setting with the command “no default-metric”.
Parameter description:
default-metric <1-16777214>
Parameter      Description                              Default configuration
<1-16777214>   Default metric of redistributed routes   None
12.2.10 Configure OSPF redistribution of the default route
Once route redistribution is configured, the router automatically becomes an autonomous system boundary router (ASBR), but by default it does not advertise a default route. The user may force the ASBR to advertise a default route; in that case the routing table must contain a default route, and if it does not, the always parameter must be used. Use always with care: the router then attracts all traffic for destinations the other routers cannot resolve, even when it has no working default route itself.
Configuration steps:
Step 1  configure terminal                                        Enter configuration mode
Step 2  router ospf                                               Enable OSPF and enter OSPF configuration mode
Step 3  default-information originate metric 100 metric-type 1    Advertise the default route with metric 100 as a Type 1 external route
Step 4  end                                                       Return to Enable mode
Step 5  show running-config ospf                                  Show command
User may cancel the configuration with the command “no default-information originate” and restore the default value.
Parameter description:
default-information originate metric <1-16777214> metric-type (1|2)
Parameter      Description                                 Default configuration
<1-16777214>   Metric of the redistributed default route   None
(1|2)          Type of the redistributed default route     Type 2 external route
Parameter description:
default-information originate always metric <1-16777214> metric-type (1|2)
Parameter      Description                                                                          Default configuration
always         Advertise the default route even if there is no default route in the routing table   None
<1-16777214>   Metric of the redistributed default route                                            None
(1|2)          Type of the redistributed default route                                              Type 2 external route
12.2.11 Configure OSPF protocol priority
Protocol priority (administrative distance) expresses the credibility of a routing information source. Priority is an integer from 1 to 255; the higher the value, the lower the credibility. 255 means the routing information source is not credible and its routes are ignored.
Configuration steps:
Step 1  configure terminal          Enter configuration mode
Step 2  router ospf                 Enable OSPF and enter OSPF configuration mode
Step 3  distance <1-255>            Configure the OSPF administrative distance (protocol priority)
Step 4  end                         Return to Enable mode
Step 5  show running-config ospf    Show command
User may cancel the configuration with the command “no distance” and restore the default value 110.
Parameter description:
distance <1-255>
Parameter   Description                                        Default configuration
<1-255>     OSPF administrative distance (protocol priority)   110
Parameter description: distance ospf intra-area <1-255> inter-area <1-255> external <1-255>
Parameter   Description                           Default configuration
<1-255>     OSPF priority of intra-area routes    110
<1-255>     OSPF priority of inter-area routes    110
<1-255>     OSPF priority of AS external routes   110
12.2.12 Configure OSPF compatibility with RFC 1583
Configures whether the router is compatible with RFC 1583 when computing the path to an ASBR for external routes and there are several intra-AS paths to the ASBR:
Compatible with RFC 1583: the paths are compared directly by cost.
Not compatible with RFC 1583 (RFC 2328 behaviour): intra-area paths through non-backbone areas are always preferred.
All routers in the routing domain should use the same setting; mixing the two rules can produce routing loops (RFC 2328, section 16.4.1).
Configuration steps:
Step 1  configure terminal    Enter configuration mode
Step 2  router ospf           Enable OSPF and enter OSPF configuration mode
Step 3  compatible rfc1583    Enable compatibility with RFC 1583
Step 4  end                   Return to Enable mode
Step 5  show ip ospf          Show command
User may cancel the configuration with the command “no compatible rfc1583” and restore the default value, not compatible with RFC 1583.
12.2.13 Configure OSPF route computation timer
Configures the delay between OSPF receiving a topology change and starting the SPF computation, and the minimum time between two consecutive SPF computations.
Configuration steps:
Step 1  configure terminal    Enter configuration mode
Step 2  router ospf           Enable OSPF and enter OSPF configuration mode
Step 3  timers spf 10 20      Set spf-delay to 10s and spf-holdtime to 20s
Step 4  end                   Return to Enable mode
Step 5  show ip ospf          Show command
User may cancel the configuration with “no timers spf” and restore the default values, spf-delay 5s and spf-holdtime 10s.
Parameter description:
timers spf <0-4294967295> <0-4294967295>
Parameter        Description          Default configuration
<0-4294967295>   spf-delay value      5s
<0-4294967295>   spf-holdtime value   10s
12.2.14 Configure OSPF interface authentication method
When establishing neighbor relationships, OSPF supports authentication to prevent unauthorized devices from joining the network.
Configuration steps:
Step 1  configure terminal        Enter configuration mode
Step 2  interface ge0/0           Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf authentication    Set the interface authentication method as clear text authentication
Step 4  end                       Return to Enable mode
Step 5  show running-config       Show command
User may cancel the configuration with “no ip ospf authentication” and restore the default value, not authenticated.
Parameter description:
ip ospf authentication [message-digest]
Parameter          Description                                                                                        Default configuration
[message-digest]   Omitting the parameter means clear text authentication; using it means ciphertext (MD5) authentication   Not authenticated
12.2.15 Configure OSPF interface authentication key
Configure the clear text authentication key of an OSPF interface. The OSPF header carries this key in an 8-byte field, unencrypted, in every packet sent on the interface.
Configuration steps:
Step 1  configure terminal                Enter configuration mode
Step 2  interface ge0/0                   Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf authentication-key aaa    Set the interface clear text authentication key (here “aaa”)
Step 4  end                               Return to Enable mode
Step 5  show running-config               Show command
User may cancel the configuration with “no ip ospf authentication-key” and delete the authentication key.
Parameter description:
ip ospf authentication-key AUTH_KEY
Parameter   Description                           Default configuration
AUTH_KEY    Key for clear text authentication     Not authenticated
12.2.16 Configure the key for OSPF interface ciphertext authentication
Configure the key for OSPF interface ciphertext (MD5) authentication. The key itself is never transmitted: each packet carries the key ID, a sequence number and a 16-byte MD5 digest computed over the packet and the key. Because the key ID travels in the packet, a new key can be added under a new ID on all routers before the old one is removed, so keys can be rotated without breaking adjacencies.
Configuration steps:
Step 1  configure terminal                      Enter configuration mode
Step 2  interface ge0/0                         Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf message-digest-key 1 md5 aaa    Set the interface ciphertext authentication key “aaa” with key ID 1
Step 4  end                                     Return to Enable mode
Step 5  show running-config                     Show command
User may cancel the configuration with “no ip ospf message-digest-key <1-255>” and delete the authentication key.
Parameter description:
ip ospf message-digest-key <1-255> md5 KEY
Parameter   Description                          Default configuration
<1-255>     Key ID                               None
KEY         Key for ciphertext authentication    None
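The following Python code shows what the two authentication methods of sections 12.2.14 to 12.2.16 (and area authentication in 12.2.5) actually put on the wire, built from RFC 2328 Appendix D. It is an added example, not this product's implementation; the Hello body, Router ID and area ID are constructed placeholders, and the key “aaa” is the example value used in the steps above.

```python
import hashlib
import hmac
import struct

AUTH_SIMPLE, AUTH_MD5 = 1, 2      # OSPF AuType values
OSPF_V2, OSPF_HELLO = 2, 1
DIGEST_LEN = 16

# Constructed placeholders for the packet fields
SAMPLE_BODY = bytes(20)           # a Hello body; its content does not matter here
SAMPLE_RID = bytes([10, 0, 0, 1])
SAMPLE_AREA = bytes(4)            # area 0.0.0.0


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum used by the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospf_header(body, rid, area, autype, auth_field, checksum=0):
    """24-byte OSPFv2 header: version, type, length, router ID, area ID, checksum, AuType, auth."""
    return struct.pack("!BBH4s4sHH8s", OSPF_V2, OSPF_HELLO, 24 + len(body),
                       rid, area, checksum, autype, auth_field)


def build_simple_auth(body, rid, area, password):
    """'ip ospf authentication' + 'ip ospf authentication-key': the password itself is
    carried, unencrypted, in the 8-byte authentication field of every packet."""
    auth = password.encode()[:8].ljust(8, b"\x00")
    # the checksum excludes the authentication field, i.e. it is computed as if it were zero
    csum = inet_checksum(ospf_header(body, rid, area, AUTH_SIMPLE, bytes(8)) + body)
    return ospf_header(body, rid, area, AUTH_SIMPLE, auth, csum) + body


def _padded(key):
    return key.encode()[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_md5_auth(body, rid, area, key_id, key, seq):
    """'ip ospf authentication message-digest' + 'ip ospf message-digest-key <id> md5 <key>':
    the key never leaves the router. The authentication field carries the key ID, the digest
    length and a cryptographic sequence number; MD5(packet || key) is appended after the packet
    and is not counted in the length field. The checksum field stays zero (RFC 2328 D.4.3)."""
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = ospf_header(body, rid, area, AUTH_MD5, auth) + body
    return packet + hashlib.md5(packet + _padded(key)).digest()


def verify_md5_auth(frame, keys, last_seq):
    """Receiver side. keys maps key ID -> key; last_seq is the highest sequence number already
    accepted from this neighbour, which is what gives replay protection. Returns (accepted, seq)."""
    if len(frame) < 24:
        return False, last_seq
    length = struct.unpack("!H", frame[2:4])[0]
    autype = struct.unpack("!H", frame[14:16])[0]
    if autype != AUTH_MD5 or len(frame) != length + DIGEST_LEN:
        return False, last_seq
    key_id, digest_len, seq = struct.unpack("!BBI", frame[18:24])
    key = keys.get(key_id)
    if key is None or digest_len != DIGEST_LEN or seq < last_seq:
        return False, last_seq
    expected = hashlib.md5(frame[:length] + _padded(key)).digest()
    if not hmac.compare_digest(expected, frame[length:]):
        return False, last_seq
    return True, seq


if __name__ == "__main__":
    clear = build_simple_auth(SAMPLE_BODY, SAMPLE_RID, SAMPLE_AREA, "aaa")
    print("password visible in clear text packet:", b"aaa" in clear)
    signed = build_md5_auth(SAMPLE_BODY, SAMPLE_RID, SAMPLE_AREA, 1, "aaa", 100)
    print("MD5 packet accepted:", verify_md5_auth(signed, {1: "aaa"}, 0))
    print("replayed packet accepted:", verify_md5_auth(signed, {1: "aaa"}, 101))
```

The clear text packet contains the key “aaa” as plain bytes, which any capture on the segment reveals; the MD5 packet contains only the digest, a modified packet or a wrong key fails verification, and a captured packet replayed after a newer sequence number has been seen is rejected.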
12.2.17 Configure OSPF interface priority
On a multi-access network with several routers, OSPF elects a designated router (DR) and a backup designated router (BDR) among the routers on the network segment. During link state database synchronization the designated router floods LSAs to the whole network segment, which reduces traffic.
The interface priority of a router determines whether the interface is eligible to be elected DR, and a higher priority is preferred when there is competition. The DR is not designated manually; it is elected jointly by all routers on the network segment. Routers with a priority greater than 0 are candidates. The router with the highest priority is elected DR; if two routers have the same priority, the one with the larger Router ID becomes DR. The BDR is elected at the same time as the DR; the BDR establishes adjacencies with all routers on the network segment and exchanges routing information. When the DR fails, the BDR immediately becomes DR, and since no re-election is needed and the adjacencies already exist, the switch-over is very short. A new BDR is then elected, which may take some time but does not affect route computation. The DR of a network segment is not necessarily the router with the highest priority, and likewise the BDR is not necessarily the one with the second highest priority.
From the point of view of a router interface, DR is a concept specific to a network segment. A router may be DR on one interface and BDR or DROther on another.
A DR is elected only on broadcast or NBMA interfaces; no DR election takes place on point-to-point or point-to-multipoint interfaces.
Configuration steps:
Step 1  configure terminal          Enter configuration mode
Step 2  interface ge0/0             Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf priority <0-255>    Set the interface priority
Step 4  end                         Return to Enable mode
Step 5  show running-config ospf    Show command
User may cancel the configuration with “no ip ospf priority” and restore the default value.
Parameter description:
ip ospf priority <0-255>
Parameter   Description          Default configuration
<0-255>     Interface priority   None
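The election described above, as an added Python model of RFC 2328 section 9.4 (not this product's code): it shows why a newly attached router with the highest priority does not displace an existing DR, and how the BDR takes over when the DR fails. The Router IDs, priorities and Hello claims are constructed.

```python
from dataclasses import dataclass


@dataclass
class Router:
    rid: str        # Router ID
    priority: int   # 'ip ospf priority <0-255>'; 0 means never eligible
    dr: str = ""    # DR this router claims in its Hello packets ("" = none)
    bdr: str = ""   # BDR it claims


def _rid_key(rid):
    return tuple(int(octet) for octet in rid.split("."))


def _best(candidates):
    """Highest priority wins; ties go to the numerically largest Router ID."""
    return max(candidates, key=lambda r: (r.priority, _rid_key(r.rid)))


def _one_pass(routers):
    eligible = [r for r in routers if r.priority > 0]
    # Step 2: BDR. Only routers not claiming to be DR are eligible; among them, routers
    # that already claim to be BDR are preferred, otherwise the best remaining one.
    pool = [r for r in eligible if r.dr != r.rid]
    claiming_bdr = [r for r in pool if r.bdr == r.rid]
    bdr = _best(claiming_bdr) if claiming_bdr else (_best(pool) if pool else None)
    # Step 3: DR. A router already claiming DR is kept (no pre-emption); only if nobody
    # claims DR is the BDR just elected promoted.
    claiming_dr = [r for r in eligible if r.dr == r.rid]
    dr = _best(claiming_dr) if claiming_dr else bdr
    return (dr.rid if dr else ""), (bdr.rid if bdr else "")


def elect(routers, self_rid):
    """Run the election from the viewpoint of self_rid and return (DR, BDR).
    Step 4: if our own DR/BDR status changed, update our claim and run once more, so a
    router promoted from BDR to DR is not also left listed as BDR."""
    me = next(r for r in routers if r.rid == self_rid)
    before = (me.dr == me.rid, me.bdr == me.rid)
    dr, bdr = _one_pass(routers)
    me.dr, me.bdr = dr, bdr
    if (dr == me.rid, bdr == me.rid) != before:
        dr, bdr = _one_pass(routers)
        me.dr, me.bdr = dr, bdr
    return dr, bdr


def scenario_new_segment():
    """All three routers start at once: highest priority becomes DR, ties go to the higher Router ID."""
    routers = [Router("10.0.0.1", 1), Router("10.0.0.2", 1), Router("10.0.0.3", 10)]
    return elect(routers, "10.0.0.3")


def scenario_join_existing():
    """A priority-255 router joins a segment where 10.0.0.1 is already DR: it is not elected."""
    routers = [Router("10.0.0.1", 1, dr="10.0.0.1", bdr="10.0.0.2"),
               Router("10.0.0.2", 1, dr="10.0.0.1", bdr="10.0.0.2"),
               Router("10.0.0.3", 255)]
    return elect(routers, "10.0.0.3")


def scenario_dr_failed():
    """The DR 10.0.0.1 has gone silent: the BDR takes over and a new BDR is elected."""
    routers = [Router("10.0.0.2", 1, dr="10.0.0.1", bdr="10.0.0.2"),
               Router("10.0.0.3", 255, dr="10.0.0.1", bdr="10.0.0.2")]
    return elect(routers, "10.0.0.2")


if __name__ == "__main__":
    for name in ("scenario_new_segment", "scenario_join_existing", "scenario_dr_failed"):
        print(name, "-> DR, BDR =", globals()[name]())
```

The second scenario is the one that surprises people: priority only matters while no DR exists. To move the DR role to a specific router, set priority 0 on the routers that must never be elected and restart the OSPF process on the current DR.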
12.2.18 Configure the cost of sending messages on an OSPF interface
The user may specify the cost of an interface; otherwise OSPF calculates the cost automatically from the current interface.
Configuration steps:
Step 1  configure terminal        Enter configuration mode
Step 2  interface ge0/0           Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf cost <1-65535>    Set the interface cost
Step 4  end                       Return to Enable mode
Step 5  show ip ospf interface    Show command
User may cancel the configuration with “no ip ospf cost”.
Parameter description:
ip ospf cost <1-65535>
Parameter   Description                              Default configuration
<1-65535>   Cost of sending messages on the interface   None
12.2.19 Configure OSPF interface LSA retransmission interval
When a router sends an LSA to a neighbor it waits for an acknowledgement, and if no acknowledgement is received it retransmits the LSA. The user may configure the retransmit-interval value.
Configuration steps:
Step 1  configure terminal                       Enter configuration mode
Step 2  interface ge0/0                          Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf retransmit-interval <3-65535>    Set the LSA retransmission interval of the interface
Step 4  end                                      Return to Enable mode
Step 5  show ip ospf interface                   Show command
User may cancel the configuration with “no ip ospf retransmit-interval” and restore the default value of 5s.
Parameter description:
ip ospf retransmit-interval <3-65535>
Parameter   Description                   Default configuration
<3-65535>   LSA retransmission interval   5s
12.2.20 Configure OSPF interface LSA transmission delay
Before sending a link state update (LSU) message, the router adds transmit-delay seconds to the age of the LSAs it contains; the parameter should be set mainly according to the time the interface needs to transmit the message. The age of an LSA in the router's link state database (LSDB) increases with time (by 1 every second) but not while the LSA is in transit on the network, so on low-speed links it is necessary and important to add transmit-delay seconds to the age before transmission.
Configuration steps:
Step 1  configure terminal                  Enter configuration mode
Step 2  interface ge0/0                     Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf transmit-delay <1-65535>    Set the interface LSA transmission delay
Step 4  end                                 Return to Enable mode
Step 5  show ip ospf interface              Show command
User may cancel the configuration with “no ip ospf transmit-delay” and restore the default value of 1s.
Parameter description:
ip ospf transmit-delay <1-65535>
Parameter   Description                        Default configuration
<1-65535>   Interface LSA transmission delay   1s
12.2.21 Configure the OSPF interface Hello message timer
Hello messages are the most common OSPF messages. They are sent periodically to neighboring routers to discover and maintain neighbor relationships and to elect the DR and BDR. The user may configure the Hello-interval, the interval between Hello messages: the smaller the value, the faster network changes are discovered, but the more bandwidth is consumed. Routers on the same network segment must have the same Hello-interval.
Configuration steps:
Step 1  configure terminal                  Enter configuration mode
Step 2  interface ge0/0                     Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf hello-interval <1-65535>    Set the interface Hello message timer
Step 4  end                                 Return to Enable mode
Step 5  show ip ospf interface              Show command
User may cancel the configuration with “no ip ospf hello-interval” and restore the default value of 10s.
Parameter description:
ip ospf hello-interval <1-65535>
Parameter   Description                           Default configuration
<1-65535>   Hello message transmission interval   10s
12.2.22 Configure OSPF interface neighbor failure timer
The neighbor failure time (Dead-interval) is the interval after which a neighboring router is declared down if no Hello message has been received from it. The user may configure the Dead-interval of neighboring routers. The Dead-interval should be at least 4 times the Hello-interval, and routers on the same network segment must have the same Dead-interval.
Configuration steps:
Step 1  configure terminal                 Enter configuration mode
Step 2  interface ge0/0                    Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf dead-interval <1-65535>    Set the neighbor failure interval of the interface
Step 4  end                                Return to Enable mode
Step 5  show ip ospf interface             Show command
User may cancel the configuration with “no ip ospf dead-interval” and restore the default value of 40s.
Parameter description:
ip ospf dead-interval <1-65535>
Parameter   Description                 Default configuration
<1-65535>   Neighbor failure interval   40s
12.2.23 Configure the OSPF network type of an interface
By default there are three network types, according to the medium: broadcast networks (Ethernet, Token Ring and FDDI), Non-Broadcast Multi-Access (NBMA) networks (Frame Relay, X.25) and point-to-point networks (HDLC and PPP). OSPF can be configured on any of these. The user need not keep the default medium type and may configure the OSPF network type explicitly. For instance, an NBMA network can be configured as a broadcast network: X.25 and Frame Relay then allow OSPF to operate as on a broadcast network, with no need to configure neighbors. Conversely, a broadcast network can be configured as NBMA, for instance when the routers on the network do not support multicast transmission. On a network without broadcast or multicast capability, the remote neighbors to which Hello messages are sent must be configured, together with the neighbor priority and the polling interval.
A point-to-multipoint network consists of one or more point-to-point neighbor relationships and creates multiple host routes. Compared with NBMA and point-to-point networks, point-to-multipoint has the following advantages: a one-to-many interface is easier to configure, since it needs no neighbor configuration command and only one IP subnet, DR election is unnecessary, and it does not need a full-mesh topology, so it costs less.
The equipment supports the broadcast OSPF network type and the point-to-point OSPF network type.
Configuration steps:
Step 1  configure terminal                            Enter configuration mode
Step 2  interface ge0/0                               Enter interface ge0/0 for OSPF configuration
Step 3  ip ospf network (broadcast|point-to-point)    Set the interface OSPF network type
Step 4  end                                           Return to Enable mode
Step 5  show ip ospf interface                        Show command
User may cancel the configuration with “no ip ospf network”.
Parameter description:
ip ospf network (broadcast|point-to-point)
Parameter        Description                                                     Default configuration
broadcast        Set the interface OSPF network type to broadcast network
point-to-point   Set the interface OSPF network type to point-to-point network
12.3 Common fault analysis
12.3.1 Fault 1: an adjacency cannot be established between two devices
Phenomenon:
An adjacency cannot be established between two devices.
Analysis:
- Area ID mismatch
- Authentication type mismatch
- Secret key mismatch
- Network segment (network mask) mismatch
- Hello-interval mismatch
- Dead-interval mismatch
- Is an adjacency between the two devices actually required?
Solution:
Check the OSPF parameter configuration of the interface.
An adjacency with a neighboring router is only established when one or more of the following conditions are met:
- Point-to-point network
- Point-to-multipoint network
- Virtual link network
- Local router is the DR or BDR of the network where the neighboring router is located
- Neighboring router is DR
- Neighboring router is BDR
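The checklist above, turned into an added Python check (not this product's code): it compares the OSPF parameters of the two ends of a link the way a receiving router validates a Hello (RFC 2328 section 10.5) and then applies the adjacency conditions just listed (section 10.4). The two parameter sets are constructed, with the kind of values show ip ospf interface reports.

```python
# Constructed interface parameters for the two ends of a link
LOCAL = {"area": "0.0.0.0", "auth": "message-digest", "key": "aaa",
         "network": "broadcast", "mask": "255.255.255.0",
         "hello": 10, "dead": 40, "role": "DROther"}
PEER = {"area": "0.0.0.0", "auth": "null", "key": "",
        "network": "broadcast", "mask": "255.255.255.0",
        "hello": 10, "dead": 30, "role": "DR"}

ADJACENCY_NETWORK_TYPES = ("point-to-point", "point-to-multipoint", "virtual-link")


def hello_mismatches(local, peer):
    """Reasons the peer's Hello would be rejected; an empty list means 2-Way can be reached."""
    problems = []
    if local["area"] != peer["area"]:
        problems.append("Area ID mismatch")
    if local["auth"] != peer["auth"]:
        problems.append("Authentication type mismatch")
    elif local["auth"] != "null" and local["key"] != peer["key"]:
        # with message-digest this shows up as a digest failure; the key is never visible
        problems.append("Secret key mismatch")
    # the network mask is only checked on multi-access networks (section 10.5);
    # point-to-point links may have different masks or be unnumbered
    if local["network"] != "point-to-point" and local["mask"] != peer["mask"]:
        problems.append("Network mask mismatch")
    if local["hello"] != peer["hello"]:
        problems.append("Hello-interval mismatch")
    if local["dead"] != peer["dead"]:
        problems.append("Dead-interval mismatch")
    return problems


def adjacency_expected(local, peer):
    """Whether the two should go beyond 2-Way to a full adjacency: always on point-to-point,
    point-to-multipoint and virtual links; on broadcast/NBMA only if one side is DR or BDR."""
    if local["network"] in ADJACENCY_NETWORK_TYPES:
        return True
    return local["role"] in ("DR", "BDR") or peer["role"] in ("DR", "BDR")


def diagnose(local, peer):
    """One-line verdict for the fault above."""
    problems = hello_mismatches(local, peer)
    if problems:
        return "no neighbor: " + ", ".join(problems)
    if not adjacency_expected(local, peer):
        return "2-Way only: neither router is DR or BDR, no adjacency is required"
    return "adjacency expected"


if __name__ == "__main__":
    print(diagnose(LOCAL, PEER))
    print(diagnose(LOCAL, dict(PEER, auth="message-digest", key="aaa", dead=40)))
```

A neighbor that stays in 2-Way between two DROthers on a broadcast segment is normal and not a fault; only the Hello mismatches in the first list prevent the neighbor from appearing at all.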
Chapter 13 Configure BGP
13.1 BGP protocol
BGP (Border Gateway Protocol) is an exterior gateway protocol (EGP) for communication between routers in different autonomous systems. It is mainly used to exchange network reachability information between autonomous systems (AS), and its protocol mechanism eliminates routing loops.
BGP uses TCP as its transport protocol and relies on TCP's reliable delivery to ensure the reliability of BGP transmission.
A router running BGP is known as a BGP Speaker; BGP Speakers with a BGP session between them are called BGP Peers. A peering between BGP speakers can be of two kinds: IBGP (Internal BGP) and EBGP (External BGP). IBGP is a BGP connection within the same AS, while EBGP is a BGP connection between different ASs. In short, EBGP exchanges routing information between ASs and IBGP carries routing information within an AS.
The product supports BGP-4, with the following characteristics:
- Configurable router-id
- Manually designated BGP peers
- BGP peer groups
- Use of a Loopback interface as peering source
- Multi-hop EBGP connections
- Limiting the number of received routes
- Filtering of private AS numbers
- Timer settings
- BGP and IGP interaction
- BGP route aggregation
- BGP route dampening
- BGP route reflector
- AS confederation
- Administrative distance configuration
- BGP soft reset
- BGP monitoring and maintenance
The supported route attributes are mainly the following:
- ORIGIN
- AS_PATH
- NEXT_HOP
- MULTI_EXIT_DISC
- LOCAL_PREF
- ATOMIC_AGGREGATE
- AGGREGATOR
- COMMUNITY
- ORIGINATOR_ID
- CLUSTER_LIST
Furthermore, it supports routing policies applied to received and advertised routes, AS path list filtering, access lists, prefix lists, distribute-lists and route-map filtering.
13.2 Configure BGP
13.2.1 Default configuration information
The default BGP settings are shown below:
Table 13-1 BGP default configuration information
Contents                   Default setting                                                                                           Remark
Router ID                  If a loopback interface is configured, the largest address among the loopback interfaces; otherwise the largest among the physical interfaces   Setting can be changed
Default route generation   Not generated                                                                                             Setting can be changed
EBGP multi-hop             Disabled (hop count <1-255> when enabled)                                                                 Setting can be changed
Advertise default route    Not advertised                                                                                            Setting can be changed
TCP MD5 authentication     Not authenticated                                                                                         Setting cannot be changed
Keepalive time             60s                                                                                                       Default setting is recommended
Holdtime                   180s                                                                                                      Setting can be changed
ConnectRetry time          120s                                                                                                      Setting cannot be changed
AdvInterval (IBGP)         15s                                                                                                       Default setting is recommended
AdvInterval (EBGP)         30s                                                                                                       Default setting is recommended
BGP scan time              60s                                                                                                       Setting can be changed
MED value                  0                                                                                                         Setting can be changed
Local_pref value           100                                                                                                       Setting can be changed
Route aggregation          Disabled                                                                                                  Setting can be changed
Route dampening            Disabled                                                                                                  Setting can be changed
Suppress limit             2000                                                                                                      Setting can be changed
Half-life time             15 minutes                                                                                                Setting can be changed
Reuse limit                750                                                                                                       Setting can be changed
Max-suppress time          4 * half-life time                                                                                        Setting can be changed
Administrative distance    EBGP 20, IBGP 200, Local 200                                                                              Setting can be changed
IGP route check            Not checked
Note that TCP MD5 session authentication (RFC 2385) is listed as not authenticated by default; if it cannot be enabled on this product, BGP sessions must be protected by other means, such as restricting which hosts can reach TCP port 179 on the device.
13.2.2 Enable the BGP routing protocol
Enable the BGP routing protocol; all further configuration of BGP routing is based on it.
Configuration steps:
Step 1  configure terminal           Enter configuration mode
Step 2  router bgp <1-4294967295>    Enable BGP and enter BGP configuration mode
In configuration mode, user may cancel the BGP setting with the command “no router bgp <1-4294967295>” and restore the default configuration.
Parameter description: router NAME
Parameter   Description             Default configuration
NAME        Routing protocol type   None
Prompt:
Other BGP functions can be configured only after BGP has been enabled. Each device can run only one BGP instance at a time.
Autonomous system: an AS is a group of routers with the same routing policy, operated by the same technical administration; the AS number ranges over <1-4294967295>.
13.2.3 Configure the BGP Router-ID
BGP needs a Router-ID as the unique identification of the router within the autonomous system. Normally a Router-ID is selected automatically when the protocol task starts: the router first takes the largest loopback IP address and, if there is no loopback address, the address of an interface in the UP state. Configuring the Router-ID explicitly is recommended: an automatically chosen value changes whenever the selected interface address changes, and a Router-ID change resets the BGP sessions.
Configuration steps:
Step 1  configure terminal           Enter configuration mode
Step 2  router bgp <1-4294967295>    Enable BGP and enter BGP configuration mode
Step 3  bgp router-id 1.1.1.1        Configure the Router-ID of the router
Step 4  end                          Return to Enable mode
Step 5  show ip bgp                  Show command
User may cancel the router-id setting with “no bgp router-id”; the router-id is then selected automatically again.
Parameter description:
bgp router-id A.B.C.D
Parameter   Description     Default configuration
A.B.C.D     BGP Router-ID
13.2.4 Configure a designated BGP peer
BGP requires peers to be designated manually.
Configuration steps:
Step 1  configure terminal               Enter configuration mode
Step 2  router bgp <1-4294967295>        Enable BGP and enter BGP configuration mode
Step 3  neighbor 1.1.1.1 remote-as 100   Designate a peer with IP address 1.1.1.1 in AS 100
Step 4  end                              Return to Enable mode
Step 5  show run bgp                     Show command
User may cancel the setting with “no neighbor 1.1.1.1 remote-as 100”.
Parameter description:
neighbor A.B.C.D remote-as <1-4294967295>
Parameter        Description                                Default configuration
A.B.C.D          Peer's address                             None
<1-4294967295>   AS number of the AS the peer belongs to    None
13.2.5 Configure a BGP peer group
On a BGP Speaker, many peers share identical configuration (including the routing policy applied to them); to simplify configuration and improve efficiency, BGP peer groups are recommended.
Configuration steps:
Step 1  configure terminal                 Enter configuration mode
Step 2  router bgp <1-4294967295>          Enable BGP and enter BGP configuration mode
Step 3  neighbor WORD peer-group           Create a peer group
Step 4  neighbor A.B.C.D peer-group WORD   Add a member to the peer group
Step 5  end                                Return to Enable mode
Step 6  show run bgp                       Show command
User may cancel the peer group setting with “no neighbor peer-group WORD”, which deletes the peer group.
Parameter description:
neighbor A.B.C.D peer-group WORD
Parameter   Description                        Default configuration
A.B.C.D     Address of the peer group member   None
WORD        Name of the peer group             None
13.2.6 Configure a loopback interface as the BGP update source
BGP uses the best local address towards the neighbor as the source of its update messages, usually the IP address of the interface with the best path to the neighbor. When there are several links to a neighbor, which is common in IBGP topologies, a loopback interface is generally used as the local router's BGP source address for high availability.
Configuration steps:
Step 1  configure terminal                    Enter configuration mode
Step 2  router bgp <1-4294967295>             Enable BGP and enter BGP configuration mode
Step 3  neighbor 1.1.1.1 remote-as 100        Designate a peer with IP address 1.1.1.1 in AS 100
Step 4  neighbor 1.1.1.1 update-source lo1    Configure lo1 as the source interface towards the neighbor
Step 5  end                                   Return to Enable mode
User may cancel the setting with “no neighbor A.B.C.D update-source lo1”.
Parameter description:
neighbor A.B.C.D update-source lo<1-255>
Parameter   Description          Default configuration
A.B.C.D     Peer's IP address    None
lo<1-255>   Loopback interface   None
13.2.7 EBGP multihop configuration
By default EBGP packets are sent with a TTL of 1, so EBGP peers must be directly connected; if they are not, EBGP multihop with a hop count of <1-255> must be configured. Set the hop count no higher than necessary: the TTL limit is also what keeps hosts further away from reaching the BGP session.
Configuration steps:
Step 1  configure terminal                         Enter configuration mode
Step 2  router bgp <1-4294967295>                  Enable BGP and enter BGP configuration mode
Step 3  neighbor A.B.C.D ebgp-multihop <1-255>     Enable EBGP multihop and set the hop count
Step 4  end                                        Return to Enable mode
Step 5  show running-config bgp                    Show command
User may cancel the setting with “no neighbor 1.1.1.1 ebgp-multihop <1-255>”.
Parameter description:
neighbor A.B.C.D ebgp-multihop <1-255>
Parameter   Description           Default configuration
A.B.C.D     Neighbor IP address   None
<1-255>     Hop count             1
13.2.8 Delete private AS numbers
Private AS numbers (64512 to 65535 in the 16-bit range; see RFC 1930 and RFC 6996) must not be propagated on the public Internet, so it is sometimes necessary to remove private AS numbers when advertising routes to peers.
Configuration steps:
Step 1  configure terminal                                        Enter configuration mode
Step 2  router bgp <1-4294967295>                                 Enable BGP and enter BGP configuration mode
Step 3  neighbor {A.B.C.D | peer-group-name} remove-private-AS    Delete private AS numbers
Step 4  end                                                       Return to Enable mode
Step 5  show ip bgp                                               Show command
User may cancel the configuration with “no neighbor {A.B.C.D | peer-group-name} remove-private-AS”.
Parameter description:
neighbor {A.B.C.D | peer-group-name} remove-private-AS
Parameter         Description           Default configuration
A.B.C.D           Neighbor IP address   None
peer-group-name   Group name            None
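An added Python model of what remove-private-AS does to the AS_PATH before a route is advertised (not this product's code; which of the two common policies the product applies is not stated on this page, so both are shown). The AS numbers are constructed, with 64496 and 64500 from the documentation range of RFC 5398 standing in for public ASNs.

```python
def is_private_as(asn):
    """RFC 6996 private ranges: 64512-65534 and 4200000000-4294967294
    (RFC 1930 originally reserved 64512-65535)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def remove_private_as(as_path, policy="entire"):
    """as_path: AS_SEQUENCE as a list, nearest AS first (index 0 is the last AS traversed).

    policy 'entire': strip private ASNs only if the whole path is private, the classic
        behaviour, which never hides a public AS behind a private one.
    policy 'all': strip every private ASN wherever it appears.
    """
    if policy == "all":
        return [asn for asn in as_path if not is_private_as(asn)]
    if policy == "entire":
        return [] if all(is_private_as(asn) for asn in as_path) else list(as_path)
    raise ValueError("unknown policy: " + policy)


def advertise_to_ebgp_peer(local_as, as_path, policy="entire"):
    """What the EBGP peer receives: private ASNs removed per policy, then the local AS
    prepended as RFC 4271 requires, so the path is never empty and loop detection still works."""
    return [local_as] + remove_private_as(as_path, policy)


def peer_accepts(peer_as, received_path):
    """RFC 4271 loop check on the receiving side: reject if its own AS is already in the path."""
    return peer_as not in received_path


# Constructed sample paths as seen on the advertising router in AS 64496
ONLY_PRIVATE = [65001, 65002]
MIXED = [65001, 64500]

if __name__ == "__main__":
    for path in (ONLY_PRIVATE, MIXED):
        for policy in ("entire", "all"):
            print(path, policy, "->", advertise_to_ebgp_peer(64496, path, policy))
```

Under the 'entire' policy a mixed path is left untouched, so a private ASN can still leak towards the peer; check with show ip bgp on the receiving side which behaviour the product actually implements before relying on it.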
13.2.9 Permit sending the community attribute
By default BGP does not send the community attribute to peers; when community attributes are used for route filtering, sending the community attribute to the neighbor must be enabled.
Configuration steps:
Step 1  configure terminal                                     Enter configuration mode
Step 2  router bgp <1-4294967295>                              Enable BGP and enter BGP configuration mode
Step 3  neighbor {A.B.C.D | peer-group-name} send-community    Enable sending the community attribute
Step 4  end                                                    Return to Enable mode
Step 5  show running-config                                    Show command
User may cancel the configuration with “no neighbor {A.B.C.D | peer-group-name} send-community”.
Parameter description:
neighbor {A.B.C.D | peer-group-name} send-community
Parameter         Description           Default configuration
A.B.C.D           Neighbor IP address   None
peer-group-name   Group name            None
13.2.10 Limit the number of received routes
Devices differ in capacity. To protect the device from a peer that announces too many prefixes, limit the number of routes accepted from that peer.
Configuration steps:
Step 1  configure terminal                                                            Enter configuration mode
Step 2  router bgp <1-4294967295>                                                     Enable BGP and enter BGP configuration mode
Step 3  neighbor {A.B.C.D | peer-group-name} maximum-prefix <1-4294967295>            Limit the number of routes accepted from the peer
Step 4  end                                                                           Return to Enable mode
Step 5  show running-config                                                           Show the configuration
The setting is cancelled with no neighbor {A.B.C.D | peer-group-name} maximum-prefix <1-4294967295>.
Parameter description: neighbor {A.B.C.D | peer-group-name} maximum-prefix <1-4294967295>
Parameter          Description                  Default configuration
A.B.C.D            Neighbor IP address          None
peer-group-name    Peer group name              None
<1-4294967295>     Maximum number of routes     None
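As an added illustration (not device code) of what the maximum-prefix limit protects against, the class below models a session that counts the prefixes currently held from one peer and tears the session down once the limit is exceeded. The class and method names are this example's own; the manual only specifies the limit range, so the tear-down behaviour and the handling of withdrawals and duplicate announcements are assumptions stated in the comments.

```python
"""Session guard modelled on 'neighbor ... maximum-prefix <1-4294967295>'.
Added illustration, not the device's implementation."""
import ipaddress
from typing import Iterable, Optional


class PrefixLimitedSession:
    """Tracks the prefixes currently received from one peer and tears the session
    down when their count exceeds the configured maximum-prefix limit."""

    def __init__(self, peer: str, limit: int):
        if not 1 <= limit <= 4294967295:
            raise ValueError("maximum-prefix must be in 1..4294967295")
        self.peer = peer
        self.limit = limit
        self.prefixes: set = set()
        self.established = True
        self.reason: Optional[str] = None

    def receive_update(self, announced: Iterable[str] = (),
                       withdrawn: Iterable[str] = ()) -> bool:
        """Apply one UPDATE message. Returns True while the session stays up."""
        if not self.established:
            return False
        # Withdrawals are applied first (assumption), so a peer that merely
        # moves prefixes around is not penalised for the transient overlap.
        for p in withdrawn:
            self.prefixes.discard(self._norm(p))
        # A re-announcement of a prefix already held does not count twice.
        for p in announced:
            self.prefixes.add(self._norm(p))
        if len(self.prefixes) > self.limit:
            self.reason = (f"maximum-prefix {self.limit} exceeded: "
                           f"{len(self.prefixes)} prefixes from {self.peer}")
            self.prefixes.clear()          # every route from the peer is dropped
            self.established = False       # and the session is torn down
            return False
        return True

    @staticmethod
    def _norm(prefix: str) -> str:
        """Canonical form; a malformed prefix or one with host bits set raises
        ValueError rather than being counted."""
        return str(ipaddress.ip_network(prefix, strict=True))


if __name__ == "__main__":
    # Constructed sample: a peer limited to three prefixes announces a fourth.
    s = PrefixLimitedSession("192.0.2.1", 3)
    s.receive_update(announced=["10.0.0.0/8", "10.1.0.0/16", "10.2.0.0/16"])
    s.receive_update(announced=["10.3.0.0/16"])
    print(s.established, s.reason)
```

Size the limit from the expected table size with headroom, and watch the session state after a peer's maintenance: a session torn down by this limit stays down until the operator clears it, which is the intended fail-closed behaviour.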
13.2.11 Retain peer route information
Store the routes received from a neighbor as they arrived, before inbound policy is applied. When the peering is re-evaluated (for example after an inbound policy change) the stored routes are used and the neighbor does not have to resend them. Because a second copy of every received route is kept, memory use is high and the setting is generally not recommended.
Configuration steps:
Step 1  configure terminal                                                      Enter configuration mode
Step 2  router bgp <1-4294967295>                                               Enable BGP and enter BGP configuration mode
Step 3  neighbor {A.B.C.D | peer-group-name} soft-reconfiguration inbound       Retain peer route information
Step 4  end                                                                     Return to Enable mode
Step 5  show running-config                                                     Show the configuration
The setting is cancelled with no neighbor {A.B.C.D | peer-group-name} soft-reconfiguration inbound.
Parameter description: neighbor {A.B.C.D | peer-group-name} soft-reconfiguration inbound
Parameter          Description            Default configuration
A.B.C.D            Neighbor IP address    None
peer-group-name    Peer group name        None
Note:
This configuration requires a large amount of memory.
13.2.12 Shut down a peer
It is sometimes necessary to shut down a BGP peer temporarily, for example before changing routing policies.
Configuration steps:
Step 1  configure terminal                                      Enter configuration mode
Step 2  router bgp <1-4294967295>                               Enable BGP and enter BGP configuration mode
Step 3  neighbor {A.B.C.D | peer-group-name} shutdown           Shut down the BGP peer
Step 4  end                                                     Return to Enable mode
Step 5  show running-config bgp                                 Show the configuration
The setting is cancelled with no neighbor {A.B.C.D | peer-group-name} shutdown.
Parameter description: neighbor {A.B.C.D | peer-group-name} shutdown
Parameter          Description            Default configuration
A.B.C.D            Neighbor IP address    None
peer-group-name    Peer group name        None
13.2.13 IGP and BGP route interaction
Routes are injected into BGP from the IGP through interaction with the IGP protocol, and BGP advertises the injected routes to its neighbors. Network information can also be injected manually by advertising it to the BGP speaker with the network command.
Configuration steps:
Step 1  configure terminal                  Enter configuration mode
Step 2  router bgp <1-4294967295>           Enable BGP and enter BGP configuration mode
Step 3  network A.B.C.D/M [backdoor]        Advertise a network
Step 4  end                                 Return to Enable mode
Step 5  show ip bgp                         Show the BGP table
The setting is cancelled with no network A.B.C.D/M.
Parameter description: network A.B.C.D/M [backdoor]
Parameter    Description                                        Default configuration
A.B.C.D/M    Network address and mask length                    None
[backdoor]   Optional; mark the network as a BGP backdoor route  None
Note:
1) If no mask is given, a classful (class A, B or C) mask is assumed.
2) To ensure that only networks present locally are advertised, configure bgp network import-check, which checks that the network exists in the current IP routing table; a network that does not is not treated as a BGP route.
13.2.14 Redistribute IGP routes into BGP
Redistribute routes generated by an IGP into BGP. Redistributed routes may be directly connected routes, static routes or routes generated by a dynamic routing protocol. Without a filter, every route of the chosen type is advertised to all BGP neighbors, so redistribution should be combined with route filtering.
Configuration steps:
Step 1  configure terminal                                  Enter configuration mode
Step 2  router bgp <1-4294967295>                           Enable BGP and enter BGP configuration mode
Step 3  redistribute [connected | ospf | rip | static]      Redistribute routes
Step 4  end                                                 Return to Enable mode
Step 5  show ip bgp                                         Show the BGP table
The setting is cancelled with no redistribute [connected | ospf | rip | static].
Parameter description: redistribute [connected | ospf | rip | static]
Parameter    Description                  Default configuration
connected    Directly connected routes    None
ospf         Routes generated by OSPF     None
rip          Routes generated by RIP      None
static       Static routes                None
13.2.15 Configure BGP timers
BGP uses the Keepalive timer to maintain the connection with a peer and the Holdtime timer to decide whether the peer is still alive. By default Keepalive is 60 s and Holdtime is 180 s. When a BGP connection is established, the two speakers negotiate the Holdtime: the smaller of the two configured values is used, and the Keepalive actually used is the smaller of one third of the negotiated Holdtime and the configured Keepalive value.
Configuration steps:
Step 1  configure terminal                      Enter configuration mode
Step 2  router bgp <1-4294967295>               Enable BGP and enter BGP configuration mode
Step 3  timers bgp <0-65535> <0-65535>          Set the Keepalive and Holdtime timers
Step 4  end                                     Return to Enable mode
Step 5  show run bgp                            Show the configuration
The setting is cancelled with no timers bgp <0-65535> <0-65535>, which restores the defaults.
Parameter description: timers bgp <0-65535> <0-65535>
Parameter    Description    Default configuration
<0-65535>    Keepalive      60 s
<0-65535>    Holdtime       180 s
Note:
After changing the timers, the session must be reset with the clear command (described below) before the new values take effect.
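The negotiation described above, worked through as an added example (not device code; the function name is this example's own). It applies the rules the section states: the smaller Holdtime wins, Keepalive is the smaller of the configured value and one third of the negotiated Holdtime, and a Holdtime of 0 disables both timers. The validity range for Holdtime is the one RFC 4271 requires.

```python
"""BGP timer negotiation as described in 13.2.15 (added illustration)."""
from typing import Tuple

DEFAULT_KEEPALIVE = 60   # page default, seconds
DEFAULT_HOLDTIME = 180   # page default, seconds


def valid_holdtime(value: int) -> bool:
    """RFC 4271: Holdtime is 0 (timers off) or at least 3 seconds."""
    return value == 0 or 3 <= value <= 65535


def negotiate_timers(local_keepalive: int, local_holdtime: int,
                     peer_holdtime: int) -> Tuple[int, int]:
    """Return (holdtime, keepalive) in seconds actually used on the session.

    Both speakers announce their configured Holdtime in the OPEN message and
    the smaller value is used. The Keepalive sent is the smaller of one third
    of that Holdtime and the configured Keepalive, so that a peer always sees
    several KEEPALIVEs before its Holdtime expires.
    """
    for name, value in (("local Holdtime", local_holdtime), ("peer Holdtime", peer_holdtime)):
        if not valid_holdtime(value):
            raise ValueError(f"{name} must be 0 or 3..65535, got {value}")
    if not 0 <= local_keepalive <= 65535:
        raise ValueError(f"Keepalive must be 0..65535, got {local_keepalive}")
    holdtime = min(local_holdtime, peer_holdtime)
    if holdtime == 0:
        return 0, 0                      # Holdtime 0 disables both timers
    keepalive = min(local_keepalive, holdtime // 3)
    return holdtime, keepalive


if __name__ == "__main__":
    # Constructed sample: page defaults against a peer configured with Holdtime 90.
    print(negotiate_timers(DEFAULT_KEEPALIVE, DEFAULT_HOLDTIME, 90))   # (90, 30)
```

Short timers detect a dead peer sooner but make the session more likely to flap under load or loss; a Holdtime of 0 means a silently failed peer is never detected.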
13.2.16 Configure the MED attribute
BGP uses the MED value as one of the criteria when comparing paths learned from EBGP peers; the lower the MED, the more preferred the path.
By default, during best-path selection the MED is compared only between paths learned from peers in the same AS. To permit MED comparison between paths from peers in different ASes, execute the following in BGP configuration mode:
Configuration steps:
Step 1  configure terminal               Enter configuration mode
Step 2  router bgp <1-4294967295>        Enable BGP and enter BGP configuration mode
Step 3  bgp always-compare-med           Permit MED comparison between paths from different ASes
Step 4  end                              Return to Enable mode
Step 5  show run bgp                     Show the configuration
By default, the MED is not compared between paths learned from peers in other member ASes of a confederation. To permit MED comparison for paths from other member ASes of the confederation, execute the following in BGP configuration mode:
Step 1  configure terminal               Enter configuration mode
Step 2  router bgp <1-4294967295>        Enable BGP and enter BGP configuration mode
Step 3  bgp bestpath med confed          Permit MED comparison between paths from other member ASes of the confederation
Step 4  end                              Return to Enable mode
Step 5  show run bgp                     Show the configuration
By default, a path received without a MED attribute is treated as having MED 0, that is, the most preferred MED value. To treat a path without a MED attribute as the least preferred instead, execute the following in BGP configuration mode:
Step 1  configure terminal                     Enter configuration mode
Step 2  router bgp <1-4294967295>              Enable BGP and enter BGP configuration mode
Step 3  bgp bestpath med missing-as-worst      Give paths without a MED attribute the lowest priority
Step 4  end                                    Return to Enable mode
Step 5  show run bgp                           Show the configuration
By default, paths from the same AS are compared one by one in the order in which they were received, so the result can depend on arrival order. To compare all paths from the same neighboring AS against each other first and select deterministically, execute the following in BGP configuration mode:
Step 1  configure terminal               Enter configuration mode
Step 2  router bgp <1-4294967295>        Enable BGP and enter BGP configuration mode
Step 3  bgp deterministic-med            Compare all paths from the same AS as a group instead of in reception order
Step 4  end                              Return to Enable mode
Step 5  show run bgp                     Show the configuration
Note:
The AS_PATH and MED attributes can also be modified with a route-map.
13.2.17 Configure the LOCAL_PREF attribute
BGP uses LOCAL_PREF as one of the criteria when comparing paths learned from IBGP peers; the higher the LOCAL_PREF, the more preferred the path.
The BGP speaker adds the local preference attribute when it sends routes received from external peers to its IBGP peers. To change the default local preference, execute the following in BGP configuration mode:
Configuration steps:
Step 1  configure terminal                                    Enter configuration mode
Step 2  router bgp <1-4294967295>                             Enable BGP and enter BGP configuration mode
Step 3  bgp default local-preference <0-4294967295>           Set the default LOCAL_PREF value
Step 4  end                                                   Return to Enable mode
Step 5  show run bgp                                          Show the configuration
The setting is cancelled with no bgp default local-preference <0-4294967295>, which restores the default of 100.
Parameter description: bgp default local-preference <0-4294967295>
Parameter         Description         Default configuration
<0-4294967295>    LOCAL_PREF value    100
Note:
LOCAL_PREF can also be modified with a route-map.
13.2.18 Compare router-id
By default, when two paths with identical attributes are received from different EBGP peers, the best path is chosen by order of reception (the older path is kept). To select the path with the lowest router ID instead, configure the following:
Configuration steps:
Step 1  configure terminal                    Enter configuration mode
Step 2  router bgp <1-4294967295>             Enable BGP and enter BGP configuration mode
Step 3  bgp bestpath compare-routerid         Compare router IDs during best-path selection
Step 4  end                                   Return to Enable mode
Step 5  show run bgp                          Show the configuration
The setting is cancelled with no bgp bestpath compare-routerid.
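The options in 13.2.16 to 13.2.18 are easiest to understand on a concrete set of paths. The comparator below is an added example, not the device's implementation: it implements the subset of RFC 4271 best-path selection that these sections touch (LOCAL_PREF, AS_PATH length, MED with the always-compare-med, missing-as-worst and deterministic-med options, then router-id or age). The Path and BestpathConfig classes and the sample paths are this example's own constructions.

```python
"""Minimal BGP best-path comparator for the MED, LOCAL_PREF and router-id options
in 13.2.16 to 13.2.18. Added illustration; not device code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MED_MAX = 4294967295   # value substituted for a missing MED under missing-as-worst


@dataclass
class Path:
    neighbor_as: int            # AS of the peer the path was learned from
    as_path: tuple              # AS_PATH; only its length matters here
    order: int                  # arrival order, lower = received earlier
    router_id: str = "0.0.0.0"  # router-id of the advertising peer
    local_pref: int = 100       # LOCAL_PREF (page default 100)
    med: Optional[int] = None   # None means the MED attribute is absent


@dataclass
class BestpathConfig:
    always_compare_med: bool = False    # bgp always-compare-med
    med_missing_as_worst: bool = False  # bgp bestpath med missing-as-worst
    deterministic_med: bool = False     # bgp deterministic-med
    compare_routerid: bool = False      # bgp bestpath compare-routerid


def effective_med(p: Path, cfg: BestpathConfig) -> int:
    if p.med is not None:
        return p.med
    return MED_MAX if cfg.med_missing_as_worst else 0   # default: absent MED counts as 0


def better(a: Path, b: Path, cfg: BestpathConfig) -> bool:
    """True if a beats b. Check order follows RFC 4271 9.1.2.2 (subset)."""
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref            # higher LOCAL_PREF wins
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)        # shorter AS_PATH wins
    if cfg.always_compare_med or a.neighbor_as == b.neighbor_as:
        ma, mb = effective_med(a, cfg), effective_med(b, cfg)
        if ma != mb:
            return ma < mb                            # lower MED wins
    if cfg.compare_routerid and a.router_id != b.router_id:
        return int(ipaddress.IPv4Address(a.router_id)) < int(ipaddress.IPv4Address(b.router_id))
    return a.order < b.order                          # otherwise the older path is kept


def sequential_best(paths: List[Path], cfg: BestpathConfig) -> Optional[Path]:
    """Default behaviour: compare paths one by one in arrival order."""
    best = None
    for p in sorted(paths, key=lambda x: x.order):
        if best is None or better(p, best, cfg):
            best = p
    return best


def select_best(paths: List[Path], cfg: BestpathConfig) -> Optional[Path]:
    """With deterministic-med, pick the best path within each neighbor AS first
    (where MED is always comparable), then compare those group winners."""
    if not cfg.deterministic_med:
        return sequential_best(paths, cfg)
    groups: Dict[int, List[Path]] = {}
    for p in paths:
        groups.setdefault(p.neighbor_as, []).append(p)
    winners = [sequential_best(g, cfg) for g in groups.values()]
    return sequential_best(winners, cfg)


# Constructed sample: three paths for one prefix with equal LOCAL_PREF and AS_PATH length.
A = Path(neighbor_as=65001, as_path=(65001, 65010), order=0, router_id="10.0.0.1", med=200)
B = Path(neighbor_as=65002, as_path=(65002, 65010), order=1, router_id="10.0.0.2", med=100)
C = Path(neighbor_as=65001, as_path=(65001, 65010), order=2, router_id="10.0.0.3", med=150)
SAMPLE = [A, B, C]

if __name__ == "__main__":
    for name, cfg in [("default", BestpathConfig()),
                      ("deterministic-med", BestpathConfig(deterministic_med=True)),
                      ("always-compare-med", BestpathConfig(always_compare_med=True))]:
        print(f"{name:20s} -> peer router-id {select_best(SAMPLE, cfg).router_id}")
```

With the default settings the sample selects C: A beats B only because it arrived first, and C then beats A on MED. With deterministic-med the AS 65001 group is reduced to C first, and B then wins on age, so the outcome no longer depends on the order in which A and C arrived.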
13.2.19 Configure BGP route aggregation
BGP-4 supports CIDR and permits aggregate entries to be created to reduce the size of the BGP routing table. An aggregate entry is added to the BGP routing table only when at least one valid path exists within the aggregate range. The product supports manual and automatic aggregation.
Configuration steps:
Step 1  configure terminal                                Enter configuration mode
Step 2  router bgp <1-4294967295>                         Enable BGP and enter BGP configuration mode
Step 3  aggregate-address A.B.C.D/M                       Configure an aggregate route
Step 4  aggregate-address A.B.C.D/M as-set                Include the AS numbers of the aggregated routes as an AS_SET
Step 5  aggregate-address A.B.C.D/M summary-only          Advertise only the aggregate and suppress the more specific routes
Step 6  end                                               Return to Enable mode
Step 7  show run bgp                                      Show the configuration
Parameter description: aggregate-address A.B.C.D/M [as-set] [summary-only]
Parameter    Description        Default configuration
A.B.C.D/M    Aggregate route    None
Parameter description: aggregate-address A.B.C.D A.B.C.D [as-set] [summary-only]
Parameter    Description          Default configuration
A.B.C.D      Aggregate address    None
A.B.C.D      Aggregate mask       None
Note:
Route aggregation places a heavy load on the device and should be used only after considering the device's capacity.
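The effect of as-set and summary-only on what is advertised is shown by the following added example (not device code). It models an aggregate over a small constructed route set: the aggregate appears only when a more specific route exists in its range, as-set unions the contributing AS numbers into an AS_SET, and summary-only suppresses the contributing routes. The Route class and the treatment of an equal-length prefix as a non-contributor are this example's own simplifications.

```python
"""Model of 'aggregate-address A.B.C.D/M [as-set] [summary-only]' (added illustration)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple = ()              # ordered AS_SEQUENCE
    as_set: tuple = ()               # unordered AS_SET, only on aggregates built with as-set
    atomic_aggregate: bool = False   # set when path information was discarded


def aggregate(routes: Iterable[Route], aggregate_prefix: str,
              as_set: bool = False, summary_only: bool = False) -> Tuple[Optional[Route], List[Route]]:
    """Return (aggregate route or None, routes advertised after aggregation).

    A route contributes if it is strictly more specific than the aggregate and
    lies inside it. With no contributor the aggregate is not created (the page's
    'only when a valid path exists in the aggregate range').
    """
    routes = list(routes)
    agg_net = ipaddress.ip_network(aggregate_prefix, strict=True)

    def contributes(r: Route) -> bool:
        n = ipaddress.ip_network(r.prefix, strict=True)
        return (n.version == agg_net.version
                and n.prefixlen > agg_net.prefixlen
                and n.subnet_of(agg_net))

    contributors = [r for r in routes if contributes(r)]
    if not contributors:
        return None, routes
    if as_set:
        # AS_SET keeps every AS seen in the contributors, so those ASes can still
        # detect a loop if the aggregate is advertised back to them.
        ases = {a for r in contributors for a in r.as_path} | {a for r in contributors for a in r.as_set}
        agg = Route(str(agg_net), as_set=tuple(sorted(ases)))
    else:
        # Without as-set the path information is lost and ATOMIC_AGGREGATE is set.
        agg = Route(str(agg_net), atomic_aggregate=True)
    advertised = [agg] + [r for r in routes if not (summary_only and r in contributors)]
    return agg, advertised


# Constructed sample table: two more specifics inside 10.1.0.0/16 and one outside it.
SAMPLE_ROUTES = [
    Route("10.1.0.0/24", (65001,)),
    Route("10.1.1.0/24", (65002, 65010)),
    Route("10.2.0.0/24", (65003,)),
]

if __name__ == "__main__":
    agg, adv = aggregate(SAMPLE_ROUTES, "10.1.0.0/16", as_set=True, summary_only=True)
    print(agg)
    for r in adv:
        print(" ", r.prefix, r.as_path, r.as_set)
```

Two points the model makes visible: without as-set, an AS whose routes were aggregated cannot recognise the aggregate as containing its own prefix, and with summary-only the suppressed more specifics are no longer visible to neighbors, so a contributor that disappears leaves its sub-prefix covered only by the aggregate.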
13.3 Common fault analysis
13.3.1 Fault 1: two devices cannot establish a BGP peering
Phenomenon
Two devices cannot establish a BGP peering.
Analysis
Route to the peer address is not reachable
Peer IP address or AS number is wrongly configured
OPEN message negotiation failed
Route to the loopback interface is not reachable
IGP network between the peers is disconnected
Router-id conflict
Solution
Check the interface configuration
Turn on the debug switch
Capture packets and analyse them
Chapter 14 Configure firewall policy
14.1 Overview of firewall policy
A firewall policy controls access by source interface or zone, destination interface or zone, source IP, destination IP, service, user, application and time.
14.2 Configure firewall policy
14.2.1 Add and delete firewall policy
14.2.2 Add firewall policy
Configuration steps:
Step 1  configure terminal                                                                                                         Enter configuration mode
Step 2  policy (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any) CMD_GROUP_SERVICE (USER|any) (APP|any) (TR|always) (permit|deny)     Add firewall policy
Step 3  show policy                                                                                                                View firewall policies
Parameter description: policy (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any) CMD_GROUP_SERVICE (USER|any) (APP|any) (TR|always) (permit|deny)
Parameter            Description                                  Default configuration
IF_IN                Incoming interface to match                  None
IF_OUT               Outgoing interface to match                  None
SIP                  Source IP to match                           None
DIP                  Destination IP to match                      None
CMD_GROUP_SERVICE    Service to match                             None
USER                 User name to match                           None
APP                  Application to match                         None
TR                   Time range in which the policy is valid      None
permit|deny          Policy action                                None
14.2.3 Delete firewall policy
Configuration steps:
Step 1  configure terminal        Enter configuration mode
Step 2  no policy PolicyID        Delete firewall policy
Parameter description: no policy PolicyID
Parameter     Description           Default configuration
<PolicyID>    Firewall policy ID    None
14.2.4 Modify the policy-based aging time
Configuration steps:
Step 1  configure terminal          Enter configuration mode
Step 2  protocol manage NAME        Enter protocol management (NATM) mode
Step 3  protocol (tcp|udp)          Configure the protocol type
Step 4  port PORT_NUMBER            Configure the protocol port number
Step 5  timeout TIMEOUT             Configure the timeout, in minutes
The protocol management entry is linked automatically to a firewall service with the same protocol and port.
Parameter description: protocol manage NAME
Parameter    Description                          Default configuration
<NAME>       Name of the protocol management entry    None
Parameter description: port PORT_NUMBER
Parameter          Description      Default configuration
<PORT_NUMBER>      Protocol port    None
Parameter description: timeout TIMEOUT
Parameter     Description             Default configuration
<TIMEOUT>     Timeout, in minutes     None
14.2.5 Enable and disable
Configuration steps:
Step 1  configure terminal       Enter configuration mode
Step 2  policy PolicyID          Enter firewall policy configuration mode
Step 3  enable|disable           Enable or disable the firewall policy
Parameter description: policy PolicyID
Parameter     Description           Default configuration
<PolicyID>    Firewall policy ID    None
14.3 Configuration cases
Case description
Configure a firewall policy with incoming interface ge0/0 and outgoing interface ge0/1 that blocks the traffic of user lili.
Configuration steps:
Step 1  Enter config mode
HOST# configure terminal
Step 2  Add the firewall policy
HOST(config)# policy 1 ge0/0 ge0/1 any any any lili any always deny
Step 3  Enable the policy
HOST(config-policy)# enable
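To see how the fields of a policy line combine at match time, the following added example (not device code) parses policy lines in the form used in the case above and evaluates flows against them. Several assumptions are this example's own and not stated by the manual: the policy ID comes first as in the case, SIP and DIP are IP addresses or CIDR prefixes, lower policy IDs are matched first, a time range matches when its name is in the set of currently active ranges, and a flow that matches no policy is denied. Policies 2 and 3 in the sample are constructed for the example.

```python
"""First-match evaluation of 'policy ...' lines from 14.2 and 14.3 (added illustration).
Assumptions (not from the manual): ID first; SIP/DIP are addresses or CIDR prefixes;
lowest ID matches first; unmatched flows are denied."""
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Policy:
    policy_id: int
    if_in: str
    if_out: str
    sip: str
    dip: str
    service: str
    user: str
    app: str
    time: str            # time range name, or "always"
    action: str          # "permit" or "deny"
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    if_in: str
    if_out: str
    sip: str
    dip: str
    service: str
    user: str
    app: str


def parse_policy(line: str) -> Policy:
    """Parse 'policy ID IF_IN IF_OUT SIP DIP SERVICE USER APP TR ACTION'."""
    parts = line.split()
    if len(parts) != 11 or parts[0] != "policy":
        raise ValueError(f"expected 'policy' followed by 10 fields: {line!r}")
    if parts[10] not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny: {parts[10]!r}")
    for addr in (parts[4], parts[5]):
        if addr != ANY:
            ipaddress.ip_network(addr, strict=False)   # reject a bad address at config time
    return Policy(int(parts[1]), *parts[2:10], parts[10])


def set_enabled(p: Policy, enabled: bool) -> Policy:
    """Model 'policy PolicyID' followed by 'enable' or 'disable' (14.2.5)."""
    return replace(p, enabled=enabled)


def _addr_match(rule: str, addr: str) -> bool:
    return rule == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)


def matches(p: Policy, f: Flow, active_times: FrozenSet[str] = frozenset()) -> bool:
    """Every field must match; 'any' and 'always' are wildcards."""
    return (p.enabled
            and p.if_in in (ANY, f.if_in)
            and p.if_out in (ANY, f.if_out)
            and _addr_match(p.sip, f.sip)
            and _addr_match(p.dip, f.dip)
            and p.service in (ANY, f.service)
            and p.user in (ANY, f.user)
            and p.app in (ANY, f.app)
            and (p.time == "always" or p.time in active_times))


def evaluate(policies: Iterable[Policy], flow: Flow,
             active_times: FrozenSet[str] = frozenset()) -> Tuple[str, Optional[int]]:
    """Return (action, policy_id) of the first matching policy, or ("deny", None)."""
    for p in sorted(policies, key=lambda x: x.policy_id):
        if matches(p, flow, active_times):
            return p.action, p.policy_id
    return "deny", None


# Constructed policy set: policy 1 is the 14.3 case; policies 2 and 3 are made up here.
POLICY_LINES = [
    "policy 1 ge0/0 ge0/1 any any any lili any always deny",
    "policy 2 ge0/0 ge0/1 192.168.1.0/24 any any any any always permit",
    "policy 3 ge0/0 ge0/1 any any any any any worktime permit",
]
POLICIES = [parse_policy(line) for line in POLICY_LINES]

if __name__ == "__main__":
    lili = Flow("ge0/0", "ge0/1", "192.168.1.20", "203.0.113.5", "http", "lili", "web")
    print(evaluate(POLICIES, lili))   # ('deny', 1)
```

The ordering matters: the deny for lili in policy 1 only takes effect because its ID is lower than the broader permit in policy 2. Disabling policy 1 lets lili's traffic through via policy 2, which is the kind of interaction worth checking with show policy after each change.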
Chapter 15 Configure user policy
15.1 Overview of user policy
To simplify user configuration and management, the next-generation firewall introduces the concept of an authentication policy. An authentication policy controls the method by which a user is authenticated for network access.
15.2 Configure user policy
Configuration steps:
Step 1  configure terminal                                                                              Enter configuration mode
Step 2  user-policy (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any) (TR|always) (local-webauth|permit)     Add user authentication policy
Step 3  show user-policy                                                                                View user authentication policies
Step 4  no user-policy USER_POLICY_ID                                                                   Delete user authentication policy
Parameter description: user-policy (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any) (TR|always) (local-webauth|permit)
Parameter               Description                                                          Default configuration
IF_IN                   Incoming interface to match                                          None
IF_OUT                  Outgoing interface to match                                          None
SIP                     Source IP to match                                                   None
DIP                     Destination IP to match                                              None
TR                      Time range in which the policy is valid                              None
local-webauth|permit    Policy action: local web authentication, or permit without authentication    None
Parameter description: no user-policy USER_POLICY_ID
Parameter          Description                      Default configuration
USER_POLICY_ID     User authentication policy ID    None
15.3 Configuration cases
Case description
Configure web authentication for users on interface ge0.
Configuration steps:
Step 1  Enter config mode
HOST# configure terminal
Step 2  Add the user authentication policy
HOST(config)# user-policy ge0 any any any always local-webauth
Chapter 16 Configure Web access policy
16.1 Overview of Web access policy
With a Web access policy the administrator can:
Block user access to hosts or URL categories.
Record users' Web access.
16.2 Configure Web access policy
Configuration steps:
Step 1  configure terminal                                                  Enter configuration mode
Step 2  web-policy <1-32> (USER|any) (ADDR|any) (enable|disable)            Add Web access policy
Step 3  rule <1-32> (CATEGORY|any) (FILE|any) (KEYWORD|any) (permit|deny) (emergencies|alerts|critical|errors|warnings|notifications|information|ignore) (SCHEDULE|always) (enable|disable)    Add a rule to the Web access policy
Step 4  web-policy forbidden-page [enable|disable]                          Enable/disable the block notification page
Step 5  no rule <1-32>                                                      Delete a rule from the Web access policy
Step 6  exit                                                                Exit configuration mode
Step 7  show web-policy                                                     Display the configured Web access policies
Step 8  web-policy <1-32>                                                   Modify a Web access policy
Step 9  no web-policy <1-32>                                                Delete a Web access policy
Parameter description: web-policy <1-32> (USER|any) (ADDR|any) (enable|disable)
Parameter         Description                                Default configuration
<1-32>            Web access policy ID                       None
USER|any          User object or user object group           None
ADDR|any          Address object or address object group     None
enable|disable    Enable or disable the Web access policy    None
Parameter description: rule <1-32> (CATEGORY|any) (FILE|any) (KEYWORD|any) (permit|deny) (emergencies|alerts|critical|errors|warnings|notifications|information|ignore) (SCHEDULE|always) (enable|disable)
Parameter                                                                         Description                                        Default configuration
<1-32>                                                                            Rule ID                                            None
CATEGORY|any                                                                      URL category name, user-defined or predefined      None
FILE|any                                                                          File type                                          None
KEYWORD|any                                                                       Name of keyword object                             None
permit|deny                                                                       Rule action                                        None
emergencies|alerts|critical|errors|warnings|notifications|information|ignore      Log level                                          None
SCHEDULE|always                                                                   Time during which the rule is effective            None
enable|disable                                                                    Enable or disable the rule                         None
16.3 Configure user-defined URL categories
Configuration steps:
Step 1  configure terminal                    Enter configuration mode
Step 2  url-category CATEGORY_NAME            Add a user-defined URL category or configure an existing one
Step 3  description CONTENT                   Add a description to the user-defined URL category
Step 4  url URL                               Add a URL to the user-defined URL category
Step 5  no url URL                            Delete a URL from the user-defined URL category
16.4 Configuration cases
Case description
Configure a Web access policy that blocks access to search engines and logs the attempts.
Configuration steps:
Step 1  Enter config mode
HOST# configure terminal
Step 2  Add the Web access policy
HOST(config)# web-policy 1 user 192.168.1.41 enable
Step 3  Add a rule blocking access to search engines
HOST (config-app-policy)# rule 1 searchengine any deny information always enable
Chapter 17 Configure application audit policy
17.1 Overview of application audit policy
To improve staff productivity in an enterprise, the application audit function records users' network behaviour and helps the administrator manage the network. Application audit covers the following:
Instant messaging
Search engine
Social networking service
E-mail
File sharing
Online shopping
17.2 Configure application audit policy
Configuration steps:
Step 1  configure terminal                                                                                   Enter configuration mode
Step 2  audit-policy <1-32> (USER|any) (ADDR|any) (enable|disable)                                           Add application audit policy
Step 3  audit (instant-message|search-engine|social-network|email|file-transfer|online-shopping|other)       Add the behaviour and content to be audited to the application audit policy
Step 4  no audit (instant-message|search-engine|social-network|email|file-transfer|online-shopping|other)    Delete the behaviour and content to be audited from the application audit policy
Step 5  exit                                                                                                 Exit configuration mode
Step 6  show audit-policy                                                                                    Display the configured application audit policies
Step 7  audit-policy <1-32>                                                                                  Modify an application audit policy
Step 8  no audit-policy <1-32>                                                                               Delete an application audit policy
Parameter description: audit-policy <1-32> (USER|any) (ADDR|any) (enable|disable)
Parameter         Description                                       Default configuration
<1-32>            Application audit policy ID                       None
USER|any          User object or user object group                  None
ADDR|any          Address object or address object group            None
enable|disable    Enable or disable the application audit policy    None
Parameter description: audit (instant-message|search-engine|social-network|email|file-transfer|online-shopping|other)
Parameter                                                                                Description                                                                                                                       Default configuration
instant-message|search-engine|social-network|email|file-transfer|online-shopping|other   Audited behaviour and content: instant messaging, search engine, social networking, e-mail, file sharing, online shopping; other covers all types not listed    None
17.3 Configuration cases
Case description
Configure an application audit policy that audits instant messaging and e-mail and keeps a log.
Configuration steps:
Step 1  Enter config mode
HOST# configure terminal
Step 2  Add the application audit policy
HOST(config)# audit-policy 1 any any enable
Step 3  Audit instant messaging and e-mail
HOST (config-app-policy)# audit instant-message
HOST (config-app-policy)# audit email
Chapter 18 Configure control policy
18.1 Control policy
With the spread of broadband access, instant messaging software (IM, such as MSN and QQ), peer-to-peer transfer software (P2P, such as BitTorrent and eMule), streaming media (video on demand software such as PPLive and QQLive), online games (such as the SOHU game lobby and Joyful West Tours) and stock trading software (such as Great Wisdom) have come to play an ever larger role in work and daily life.
Besides their benefits, IM, P2P, streaming media, online games and stock trading software pose new challenges to network management. Their misuse has caused network congestion, leakage of internal information and the spread of malware, and because their protocols are complex a traditional firewall is of little use against software that readily connects outward. Effective means of administration are therefore essential.
Major application types:
- Instant messaging: MSN, QQ, Yahoo Messenger, Gtalk, Skype, etc.
- P2P software: Thunder, QQ DOWN, BitTorrent, etc.
- Streaming media: Youku, Tudou, Sina video, etc.
- Network communities: Sina microblog, Tencent Weibo, MOP Forum, Baidu Tieba, etc.
- Online games: World of Warcraft, League of Legends, Turret, etc.
- Search engines: Baidu, Google, Yahoo, Sogou, etc.
- E-commerce: Taobao, Jingdong, 1# Store, Amazon, etc.
- Other types, such as stock trading software, file transfer, e-mail, remote control, life services, etc.
Control and auditing of an application for the relevant users are performed only when the application is referenced in an application policy. Application objects are updated together with the application signature library; users cannot create new application objects or delete existing ones.
18.2 Configure control policy
Configuration steps:
Step 1  configure terminal                                                                                                                                                   Enter configuration mode
Step 2  app-policy ID (any|USER) (any|ADDRESS)                                                                                                                               Add online behaviour policy
Step 3  rule ID APP (ACTION|any) (CONTENT|any) (exclude|include) KEYWORD (SCHEDULE|always) (deny|permit) (alerts|critical|emergencies|errors|ignore|information|notifications|warnings)    Add a rule to the online behaviour policy
Step 4  rule ID (enable|disable)                                                                                                                                             Enable/disable a rule
Step 5  (enable|disable)                                                                                                                                                     Enable/disable the policy
Parameter description: app-policy ID (any|USER) (any|ADDRESS)
Parameter      Description                               Default configuration
ID             Online behaviour policy ID                None
any|USER       User object or user object group          None
any|ADDRESS    Address object or address object group    None
Parameter description: rule ID APP (ACTION|any) (CONTENT|any) (exclude|include) KEYWORD (SCHEDULE|always) (deny|permit) (alerts|critical|emergencies|errors|ignore|information|notifications|warnings)
Parameter                                                                          Description                               Default configuration
ID                                                                                 Rule ID                                   None
APP                                                                                Application name                          None
ACTION|any                                                                         Application behaviour                     None
CONTENT|any                                                                        Content of the application behaviour      None
exclude|include                                                                    Keyword inclusion relation                None
KEYWORD                                                                            Name of keyword object                    None
SCHEDULE|always                                                                    Time during which the rule is effective   None
deny|permit                                                                        Rule action                               None
alerts|critical|emergencies|errors|ignore|information|notifications|warnings       Log level                                 None
18.3 Configuration cases
Case description
Configure an online behaviour policy that blocks QQ login and records a log.
Configuration steps:
Step 1  Enter config mode
HOST# configure terminal
Step 2  Add the online behaviour management policy
HOST(config)# app-policy 1 any any
Step 3  Add a rule blocking QQ login
HOST (config-app-policy)# rule 1 qq Login any include any always deny notifications
Chapter 19 Application policy whitelist
19.1 Overview of whitelist
A whitelist is the counterpart of a blacklist. Users (or IP addresses) on the whitelist are passed with priority and skip the processing below, which speeds up their traffic. Application control policy, Web access policy and application audit are not applied to users and addresses matching the whitelist, so whitelist entries bypass those controls entirely and should be bound to specific users and addresses and kept to a minimum.
19.2 Configure whitelist
Configuration steps:
Step 1  configure terminal                       Enter configuration mode
Step 2  app-policy white-list (user | addr)      Add the user and address objects to be whitelisted
Parameter description: app-policy white-list [user | addr]
Parameter    Description                               Default configuration
USER|any     User object or user object group          None
ADDR|any     Address object or address object group    None
19.3 Configuration cases
Case description
Configure a whitelist so that the user with IP address 2.2.2.2 is not audited.
Configuration steps:
Step 1  Enter config mode
HOST# configure terminal
Step 2  Add the user
HOST(config)#user-local user_test
HOST(config-user)#enable bind
HOST(config-user)#bind ip address 2.2.2.2
HOST(config-user)#exit
Step 3  Add the address
HOST(config)#address addr_test
HOST(config-addr)# host-address 2.2.2.2
HOST(config-addr)#exit
Step 4  Configure the whitelist
HOST (config)# app-policy white-list user_test addr_test
Chapter 20 Configure intrusion prevention policy
20.1 Overview of intrusion prevention policy
With the rapid growth of the Internet the network environment has become more complex, and against blended threats such as hostile attacks, Trojan horses and worms a single protection measure is no longer sufficient. Enterprises need multi-layer, defence-in-depth protection to secure their networks, and the intrusion prevention system provides that depth.
The intrusion prevention event library supports online and manual updates.
20.2 Configure intrusion prevention policy
20.2.1 Configure an intrusion prevention event set
Configuration steps:
Step 1  configure terminal                                                                                                                    Enter configuration mode
Step 2  ips set SETNAME                                                                                                                       Add an intrusion prevention event set
Step 3  member event ID level (alert|info|notice|warning) action (block_source|drop|drop_session|pass|reset) log (off|on) (enable|disable)    Add a prevention event to the event set
Step 4  level (high|low|middle)                                                                                                               Configure the protection level
Step 5  description LINE                                                                                                                      Add a description of the event set
Parameter description: member event ID level (alert|info|notice|warning) action (block_source|drop|drop_session|pass|reset) log (off|on) (enable|disable)
Parameter                                     Description                     Default configuration
ID                                            Event ID                        None
alert|info|notice|warning                     Event alarm level               None
block_source|drop|drop_session|pass|reset     Event action                    None
off|on                                        Log switch                      None
enable|disable                                Enable or disable the event     None
Parameter description: level (high|low|middle)
Parameter          Description                   Default configuration
high|low|middle    Event set protection level    None
Parameter description: description LINE
Parameter    Description              Default configuration
LINE         Event set description    None
20.2.2 Intrusion prevention policy
Configuration steps:
Step 1  configure terminal                                                                     Enter configuration mode
Step 2  ips rule ID RULE_NAME (any|IF_IN) (any|IF_OUT) (any|SIP) (any|DIP) IPS_SET [log]       Add an intrusion prevention rule
Parameter description: ips rule ID RULE_NAME (any|IF_IN) (any|IF_OUT) (any|SIP) (any|DIP) IPS_SET [log]
Parameter     Description                                 Default configuration
ID            Rule ID                                     None
RULE_NAME     Rule name                                   None
IF_IN|any     Incoming interface to match                 any
IF_OUT|any    Outgoing interface to match                 any
SIP|any       Source IP to match                          any
DIP|any       Destination IP to match                     any
IPS_SET       Name of intrusion prevention event set      None
[log]         Log rule matches                            None
20.3 Configuration cases
Case description
Configure an intrusion prevention event set and add an intrusion prevention policy that uses it. Note that with action pass the event is only logged; use drop, drop_session, reset or block_source to block it.
Configuration steps:
Step 1  Enter config mode
HOST# configure terminal
Step 2  Add the intrusion prevention event set
HOST(config)# ips set ipstest
HOST (config-ips-set)# member event 91438af level warning action pass log on enable
Step 3  Add the intrusion prevention policy
HOST(config)# ips rule 1 ipsrule any any any any ipstest log
Chapter 21 Configure anti-virus policy
21.1 Overview of anti-virus policy
Equipment may conduct real-time virus scanning at entry of extranet, in order to isolate virus, protect
initiative virus protection for workstation. We may scan files for application protocols such as HTTP,
FTP, IMAP, POP3, SMTP, etc.
21.2 Configure anti-virus policy
21.2.1 Add anti-virus policy
Configuration steps:
Step 1
Step 2
Step 3
configure terminal
av rule NAME (IF_IN|any) (IF_OUT|any) (SIP|any)
(DIP|any) protocol (http|smtp|imap|ftp|pop3 )action
(log|prev) (enable|disable)
show av rule
Enter configuration mode
Add anti-virus policy
View anti-virus policy
Parameter description: av rule NAME (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any) protocol (
http|smtp|imap|ftp|pop3 )action (log|prev) (enable|disable)
Parameter
NAME
IF_IN
IF_OUT
SIP
DIP
http|smtp|imap|ftp|pop3
log|prev
enable|disable
Description
Default configuration
Name of anti-virus policy
Policy matching incoming interface
Policy matching’s outcoming interface
Policy matching’s source IP
Policy matching’s destination IP
Anti-virus protocol
Policy action type
Enable/disable
None
None
None
None
None
None
None
None
21.2.2 Modify anti-virus policy
Configuration steps:
Step 1
Step 2
configure terminal
av rule NAME mod (IF_IN|any) (IF_OUT|any)
(SIP|any) (DIP|any) protocol
(http|smtp|imap|ftp|pop3 )action (log|prev)
(enable|disable)
Enter configuration mode
Modify anti-virus policy
Parameter description: av rule NAME mode (IF_IN|any) (IF_OUT|any) (SIP|any) (DIP|any)protocol
(http|smtp|imap|ftp|pop3 )action (log|prev) (enable|disable)
Parameter
NAME
IF_IN
IF_OUT
SIP
DIP
http|smtp|imap|ftp|pop3
log|prev
enable|disable
Description
Name of anti-virus policy
Policy matching incoming interface
Policy matching’s outcoming interface
Policy matching’s source IP
Policy matching’s destination IP
Anti-virus protocol
Policy action type
Enable/disable
Default configuration
None
None
None
None
None
None
None
None
134
Command Line Manual
21.2.3 Delete anti-virus policy
Configuration steps:
Step 1
Step 2
configure terminal
no av rule NAME
Parameter description:
Enter configuration mode
Delete firewall policy
no av rule NAME
Parameter
< NAME >
Description
Name of anti-virus policy
Default configuration
None
21.3 Configuration cases
Case description
Configure an anti-virus policy with incoming interface ge0, outgoing interface ge1 and protocol http, with the action set to block.
Configuration steps:
Step 1   Enter config mode
         HOST# configure terminal
Step 2   Add and enable the anti-virus policy
         HOST(config)# av rule avtest ge0 ge1 any any protocol http action prev enable
Chapter 22 Protocol management
22.1 Overview of protocol management
The protocol-based long-connection management function sets an extra-long hold time for a specific data flow, so that the session hold time of that flow is not limited by the global aging time.
22.2 Configure protocol management
Configuration steps:
Step 1   configure terminal
         Enter configuration mode
Step 2   protocol manage NAME
         Add a protocol management entry
Step 3   protocol (UDP | TCP)
         Select the protocol
Step 4   port <1-65535>
         Set the port
Step 5   timeout <1-65535>
         Set the timeout
22.3 Configuration cases
Case description
Configure an anti-virus policy with incoming interface ge0, outgoing interface ge1 and protocol http, with the action set to block.
Configuration steps:
Step 1   Enter config mode
         HOST# configure terminal
Step 2   Add and enable the anti-virus policy
         HOST(config)# av rule avtest any any any any protocol http action prev enable
Chapter 23 Configure flow control policy
23.1 Overview of flow management
QoS (Quality of Service) lets the equipment queue data packets in a controlled way and give particular packets higher priority, so that their transmission is accelerated and real-time interaction becomes possible.
Because each type of application places different requirements on the network, adding bandwidth alone cannot resolve network congestion. QoS is designed to assure transmission quality: packets must reach their destination address, and must do so in order, complete and on time. With QoS, traffic can be distinguished by business type or level and each level handled in turn; in addition, QoS supports traffic shaping, which smooths the transmission of bursty traffic.
23.2 Configure flow management
23.2.1 Configure line binding interface
Configuration steps:
Step 1   configure terminal
         Enter configuration mode
Step 2   qos-profile line NAME
         Add line NAME
Step 3   bind interface IF_NAME
         Bind the line to the designated interface
Step 4   maxbandwidth egress KBPS
         Configure the maximum bandwidth at the exit (egress) of the line
Step 5   maxbandwidth ingress KBPS
         Configure the maximum bandwidth at the entry (ingress) of the line
Step 6   limit (bath|egress|ingress)
         Configure the direction in which the line limit takes effect
Step 7   enable|disable
         Enable or disable the line
Step 8   clear qos-profile statistics
         Clear the line statistics
Parameter description: qos-profile line NAME
Parameter    Description    Default configuration
NAME         Line name      None
Parameter description: bind interface IF_NAME
Parameter    Description                      Default configuration
IF_NAME      Interface name or area name      None
Parameter description: maxbandwidth egress KBPS
Parameter    Description                  Default configuration
KBPS         Speed limit, unit: kbps      None
23.2.2 Configure channel related line
Configuration steps:
Step 1   configure terminal
         Enter configuration mode
Step 2   qos-profile channel C_NAME parent L_NAME
         Add channel C_NAME under line L_NAME
Step 3   bandwidth (egress|ingress) KBPS
         Configure the channel's assured bandwidth
Step 4   maxbandwidth (egress|ingress) KBPS
         Configure the channel's maximum (egress|ingress) bandwidth
Step 5   perip (egress|ingress) KBPS
         Configure the per-IP rate-limiting bandwidth
Step 6   priority (high+|high|high-|low+|low|low-|medium+|medium|medium-)
         Configure the channel priority
Step 7   match (address|application|service|user) NAME
         Channel matching condition
Step 8   schedule SCHE
         Channel effective time
Step 9   move (bottom|down|top|up)
         Move the channel's position in the channel list
Step 10  clear qos-profile statistics
         Clear the channel statistics
Parameter description: qos-profile channel C_NAME parent L_NAME
Parameter    Description      Default configuration
C_NAME       Channel name     None
L_NAME       Line name        None
Parameter description: bandwidth (egress|ingress) KBPS
Parameter    Description                    Default configuration
egress       Egress (outbound) direction    None
ingress      Ingress (inbound) direction    None
KBPS         Limited speed, unit: kbps      1G
Parameter description: match (address|application|service|user) NAME
Parameter    Description                      Default configuration
NAME         Object or object group name      None
Parameter description: schedule SCHE
Parameter    Description                                Default configuration
SCHE         Time object or time object group name      None
23.2.3 Configure elimination policy
Configuration steps:
Step 1   configure terminal
         Enter configuration mode
Step 2   qos-profile white-list ADDRESS USER
         Add a QoS exemption (white-list) policy
Step 3   no qos-profile white-list ADDRESS USER
         Delete the exemption policy
Parameter description: qos-profile white-list ADDRESS USER
Parameter    Description                                    Default configuration
ADDRESS      Address object or address object group name    None
USER         User object or user object group name          None
23.2.4 Show qos configuration and speed limitation status
Configuration steps:
Step 1   show qos-profile
         Show the QoS configuration
Step 2   show qos-profile statistics
         Show the QoS statistics
23.3 Configuration cases
Case description
Configure the ingress of interface ge0/1 with an assured bandwidth of 2 Mbps and a maximum bandwidth of 10 Mbps.
Configuration steps:
Step 1   Enter config mode
         HOST# configure terminal
Step 2   Add the line
         HOST(config)# qos-profile line qostest
         HOST(config-qos-qostest)# limit ingress
         HOST(config-qos-qostest)# maxbandwidth ingress 1000000
         HOST(config-qos-qostest)# bind interface ge01
Step 3   Add the channel
         HOST(config)# qos-profile channel qoschannel parent qostest
         HOST(config-qos-qoschannel)# bandwidth ingress 2000
         HOST(config-qos-qoschannel)# maxbandwidth ingress 10000
         HOST(config-qos-qoschannel)# schedule always
         HOST(config-qos-qoschannel)# match user any
         HOST(config-qos-qoschannel)# match application any
         HOST(config-qos-qoschannel)# match service any
         HOST(config-qos-qoschannel)# match address any
Chapter 24 Configure authentication user
24.1 Overview of authentication user setting
The equipment supports user authentication against a local user database, a RADIUS server or an LDAP server.
1) You may add a user name to the equipment's user database and set a password, so that the user authenticates against the internal database.
2) You may add a RADIUS server and select RADIUS, so that the user authenticates against the RADIUS server.
3) You may add an LDAP server and select LDAP, so that the user authenticates against the LDAP server.
You may also disable individual users so that they cannot authenticate, or allow a temporary account to be a valid account only for a certain period.
To enable authentication, you must add the user name to one or more user groups, or add a RADIUS or LDAP server to a user group; the corresponding user group is then selected before authentication in the following operations:
- Administrator authentication;
- Any action configured as an authenticated-user policy (web authentication, etc.);
- IPsec VPN.
When a user enters a user name and password, the equipment looks the user name up in the internal user database. If the user is disabled, the user cannot authenticate and the connection is rejected. If the user has a password set and the entered password matches, the connection is permitted; if the password does not match, the connection is likewise rejected.
If RADIUS is selected and RADIUS support is configured, the connection is permitted when the user name and password agree with those on the RADIUS server, and discarded when they differ.
If LDAP is selected and LDAP support is configured, the connection is permitted when the user name and password agree with those on the LDAP server, and discarded when they differ.
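The decision flow just described, together with the failure causes listed in the fault analysis later in this chapter (24.9.1), as an added Python example that is not part of the manual or of the equipment's software; the LocalUser, ExternalServer and UserGroup classes and the reason strings are assumptions made for the illustration.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added illustration of the authentication flow in 24.1; not the equipment's own
# code. LocalUser, ExternalServer, UserGroup and the reason strings are assumptions.


@dataclass
class LocalUser:
    password: Optional[str]             # None: name only, verified by RADIUS/LDAP
    enabled: bool = True
    expires_at: Optional[float] = None  # temporary account validity (epoch seconds)


@dataclass
class ExternalServer:
    kind: str                           # "radius" or "ldap"
    reachable: bool = True
    users: Dict[str, str] = field(default_factory=dict)   # name -> password


@dataclass
class UserGroup:
    members: Set[str] = field(default_factory=set)
    servers: List[ExternalServer] = field(default_factory=list)


def authenticate(username: str, password: str, group: UserGroup,
                 local_db: Dict[str, LocalUser],
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (permitted, reason); the reasons follow the 24.9.1 analysis column."""
    now = time.time() if now is None else now
    user = local_db.get(username)
    if user is not None:
        if not user.enabled:
            return False, "user is disabled"
        if user.expires_at is not None and now > user.expires_at:
            return False, "temporary account expired"
        if user.password is not None:
            if username not in group.members:
                return False, "user is not a member of the selected group"
            # constant-time comparison so a wrong password is not timing-distinguishable
            if hmac.compare_digest(password.encode(), user.password.encode()):
                return True, "local password matched"
            return False, "wrong password"
        # name stored locally without a password: verify through the group's servers
    if not group.servers:
        return False, "no RADIUS/LDAP server in group"
    for server in group.servers:
        if not server.reachable:
            return False, f"{server.kind} server is not connected"
        if username not in server.users:
            continue
        if hmac.compare_digest(password.encode(), server.users[username].encode()):
            return True, f"{server.kind} accepted the credentials"
        return False, f"{server.kind} auth error: incorrect username or password"
    return False, "user does not exist on the RADIUS/LDAP server"
```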
24.2 Configure user authentication
Equipment users are classified as follows by user authority:
- Administrator user: the user authenticates and is authorized as an equipment administrator.
- Access user: the user authenticates for access under a firewall policy or for VPN user access.
They are classified as follows by authentication method:
- Locally authenticated user: the user name and password are saved in the local user database.
- RADIUS authenticated administrator user: the local database saves only the user name; the identity is verified through the RADIUS server.
- RADIUS authenticated user: the local database does not save the user name; the identity is verified through the RADIUS server.
- LDAP authenticated administrator user: the local database saves only the user name; the identity is verified through the LDAP server.
- LDAP authenticated user: the local database saves only the user name; the identity is verified through the LDAP server.
24.2.1 Configure local administrator user
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   user administrator USER local PASSWORD authorized-table NAME [disable]
         Configure a locally authenticated administrator user:
         USER: user name
         PASSWORD: password
         NAME: authority list
         disable: disable the user; the user is enabled by default
Step 3   user administrator test description DESC
         DESC: user description
Step 4   user administrator test authorized-address (first|second|third) (A.B.C.D/M | X:X::X:X/M)
         Configure the user's management address; up to 3 addresses may be configured
Step 5   user administrator USER (enable|disable)
         Disable or enable the administrator
Step 6   show admin-user [USERNAME]
         Show administrator information
Delete a user's management address with the command “no user administrator USER authorized-address (first|second|third)”.
Delete the administrator description with the command “no user administrator USER description”.
Delete the administrator with the command “no user administrator USER”.
24.2.2 Configure RADIUS administrator user
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   user administrator USER radius SERVER authorized-table NAME [enable | disable]
         Configure a RADIUS authenticated administrator user:
         USER: user name
         SERVER: RADIUS server name
         NAME: authority list
         disable: disable the user; the user is enabled by default
Step 3   user administrator USER (enable|disable)
         Disable or enable the administrator
Step 4   show admin-user [USERNAME]
         Show administrator information
24.2.3 Configure LDAP administrator user
Configuration steps:
Step 1   host# con t
         Enter configuration mode
Step 2   host(config)# user administrator adm1 ldap ldap1 authorized-table admin
         Configure an LDAP administrator user
Step 3   host(config)# exit
         Return to Enable mode
Delete a user's management address with the command “no user administrator USER authorized-address (first|second|third)”.
Delete the administrator description with the command “no user administrator USER description”.
Delete the administrator with the command “no user administrator USER”.
24.2.4 Configure local access user
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   user-local USER
         enable authenticate
         authenticate local PASSWORD
         Configure a locally authenticated access user (user type: access):
         USER: user name
         PASSWORD: password
         disable: disable the user; the user is enabled by default
Step 3   show user [USERNAME]   (Config mode)
         Show access user information
Step 4   user-local USER
         enable bind
         bind ip address A.B.C.D
         or bind ip address range A.B.C.D E.F.G.H
         Bind an IP address or IP range to the user
Delete the user's IP binding with the command “no bind ip address A.B.C.D”.
Under Config mode, delete the user with the command “no user-local USER”.
24.3 Configure RADIUS server support
If RADIUS support has been configured and an administrator user is required to authenticate through the RADIUS server, the equipment connects to the RADIUS server.
24.3.1 Configure RADIUS server
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   radius-server NAME A.B.C.D SECRET [PORT]
         NAME: RADIUS server name
         A.B.C.D: RADIUS server IP address
         SECRET: RADIUS server password (the shared secret)
         PORT: optional, RADIUS server port; by default 1812
Step 3   show radius-server [SERVERNAME]
         Show RADIUS server information
Delete the RADIUS server with the command “no radius-server NAME”.
24.4 Configure LDAP server support
If LDAP support has been configured and an administrator user is required to authenticate through the LDAP server, the equipment connects to the LDAP server.
24.4.1 Configure LDAP server
Configuration steps:
Step 1   host# configure terminal
         Enter configuration mode
Step 2   host(config)# ldap ldap1
         Enter template ldap1
Step 3   host(config-ldap)# ldap 192.168.31.32 389
         Configure the server IP address and port number
Step 4   host(config-ldap)# cnid cn
         Configure the common name attribute (cn id)
Step 5   host(config-ldap)# dn dc=mytest,dc=com
         Configure the distinguished name (base DN)
Step 6   host(config-ldap)# bindtype regular cn=administrator,cn=users,dc=mytest,dc=com 111111 user
         Configure the binding method
Step 7   host(config-ldap)# end
         Return to Enable mode
You may delete a template with “no ldap NAME”.
Under Enable mode, you may view the LDAP server configuration with the command “show ldapserver”.
24.5 Configure portal server support
24.5.1 Configure Portal Server
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   user-portal radius SERVER_NAME
         SERVER_NAME: RADIUS service object name
Step 3   user-portal server A.B.C.D
         A.B.C.D: portal server IP address
Step 4   user-portal timeout <1-144000>
         <1-144000>: idle (no-traffic) timeout after user authentication
Step 5   user-portal-server portal-url URL
         URL: page to which the user is redirected for authentication
Delete the portal server with the command “no user-portal server”.
24.6 Configure user group
24.6.1 Configure user group
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   user-group NAME
         NAME: user group name
Step 3   show usergroup [GROUPNAME]
         Show user group information
Delete a user group with the command “no usergroup NAME”.
Note:
The Refer_Count column in the output of “show usergroup [GROUPNAME]” is the reference count of the user group, that is, how many policies reference the group. A user group cannot be deleted while its reference count is larger than 0.
24.6.2 Configure user to user group
Configuration steps:
Step 1   configure terminal
         Enter global configuration mode
Step 2   user-group GROUPNAME
         member USERNAME
         GROUPNAME: user group name
         USERNAME: user name
Delete a user from the user group with the command “no member USERNAME” (the user itself is not deleted).
24.7 Configuration cases
24.7.1 Configuration case 1: local user authentication
Case description
A user whose user name and password are saved locally can access extranet resources after passing the equipment's user authentication.
Configuration steps:
Step 1   Preparation before configuration
         HOST_A(config)# interface ge0
         HOST_A(config-ge0)# ip address 200.0.0.1/24
         HOST_A(config-ge0)# exit
         HOST_A(config)# interface ge1
         HOST_A(config-ge1)# ip address 10.0.0.1/16
         HOST_A(config-ge1)# allow access https
         HOST_A(config-ge1)# allow access http
         HOST_A(config-ge1)# allow access webauth
         HOST_A(config-ge1)# exit
         HOST_A(config)# interface ge2
         HOST_A(config-ge2)# ip address 192.168.0.1/24
         HOST_A(config-ge2)# exit
Step 2   Configure the timeout
         HOST_A(config)# user-webauth keepalive-timeout 360
Step 3   Configure the uniqueness limit
         HOST_A(config)# user-webauth login-single mode forbid-new
Step 4   Configure the authentication page address
         HOST_A(config)# user-webauth hello-url https://10.0.0.1:1443/
Step 5   Configure the user group
         HOST_A(config)# user-local user1
         HOST_A(config-user)# quit
         HOST_A(config)# user-group firewall
         HOST_A(config-group)# member user1
Step 6   Configure the security policy
         HOST_A(config)# policy 1 ge0 ge1 any any any any any always permit
         HOST_A(config-policy)# user-policy any any any any always local-webauth
         HOST_A(config-policy)# end
         HOST_A#
Step 7   Log on to the user authentication portal page
         https://10.0.0.1:1443/
Step 8   Access extranet resources
24.8 Authenticated user monitoring and maintenance
24.8.1 View information of access users
Step 1   View user information
         HOST_A# show user NAME
24.8.2 View user group information
Step 1   View user group information
         HOST_A# show user-group NAME
24.8.3 View RADIUS server information
Step 1   View RADIUS server information
         HOST_A# show radius-server ras1
24.8.4 View LDAP server information
Step 1   View LDAP server information
         HOST_A# show ldapserver
24.8.5 View user authentication and login process
Application environment
Whether the user is a local user, a RADIUS/LDAP authenticated user, or a RADIUS/LDAP user with no locally saved user name, when the user's login fails you must execute the command “terminal monitor” to show the debugging information on the terminal.
Debugging case
host# AAA: receive AAA request:
Type = 7
Username : zhang
Password : 111111111111111111
Address : 10.10.1.2
bind rsp ret is 97. LDAP_RES_BIND(97) is normal
the result of parsing bind rsp is 0, ld errno 0
search ret[0]. LDAP_RES_SEARCH_RESULT(101) is normal
search ret[0]. LDAP_RES_SEARCH_RESULT(101) is normal
search ret[0]. LDAP_RES_SEARCH_RESULT(101) is normal
search ret[0]. LDAP_RES_SEARCH_RESULT(101) is normal
search ret[101]. LDAP_RES_SEARCH_RESULT(101) is normal
search success
bind rsp ret is 97. LDAP_RES_BIND(97) is normal
the result of parsing bind rsp is 0, ld errno 49
AAA: send AAA response:
Result : Failed
Reason : Ldap auth error,incorrect username or password, or incorrect setting
Result analysis
In the trace above the final LDAP bind returns ld errno 49, which is the LDAP result code invalidCredentials; this is why the AAA response is Failed.
You should confirm:
- whether the user password is correct.
Note:
Only a senior user can use this command. Because it prints a large amount of information on the command line and occupies considerable CPU resources, you are strongly recommended to disable the function with the command “no debug aaa events” after debugging.
24.9 Common fault analysis
24.9.1 Fault phenomenon 1: user authentication failed
Phenomenon: Failed to authenticate user
1. Analysis: Wrong password
   Solution: Check the user password; enter the correct user name and password
2. Analysis: User is disabled
   Solution: Enable the user
3. Analysis: A user with no locally saved user name is authenticating, but no RADIUS or LDAP server has been added to the group
   Solution: Add a RADIUS/LDAP server
4. Analysis: The RADIUS/LDAP server configuration is wrong
   Solution: Modify the RADIUS/LDAP server configuration
5. Analysis: The RADIUS/LDAP server is not reachable (for instance, ping fails)
   Solution: Ensure the equipment can communicate with and ping the RADIUS/LDAP server
6. Analysis: No such user on the RADIUS/LDAP server
   Solution: Add the user to the RADIUS/LDAP server
7. Analysis: The user is a temporary account that has expired
   Solution: Reset the user's validity period
Chapter 25 Configure anti-DOS attack
25.1 Overview of anti-DOS attack
The equipment must be able to withstand attacks while keeping normal data transmission running: under a large number of attacks, if all connection resources are exhausted by the attack, normal data can no longer pass through the equipment. Anti-DOS (Denial of Service) attack protection is designed to defend the equipment against external hostile attacks and guarantee normal communication between the intranet and the outside. It protects both the equipment and the intranet and raises an alarm when an attack occurs.
Common DOS attacks include ping-of-death, tear-drop, jolt2, syn-flag, land-base, winnuke, smurf, ip-spoof, etc.
25.2 Configure anti-DOS attack
25.2.1 Default configuration
Contents                       Default setting    Remark
Anti-ping-of-death attack      disable            Setting can be changed
Anti-tear-drop attack          disable            Setting can be changed
Anti-jolt2 attack              disable            Setting can be changed
Anti-land-base attack          disable            Setting can be changed
Anti-winnuke attack            disable            Setting can be changed
Anti-syn-flag attack           disable            Setting can be changed
Anti-smurf attack              disable            Setting can be changed
Anti-ip-spoof attack           disable            Setting can be changed
25.2.2 Configure anti-ping-of-death attack function
A ping-of-death attack sends the destination host an ICMP message whose total length exceeds 65535 bytes.
With the anti-ping-of-death function configured, the equipment detects ping-of-death attacks, discards the attack messages and outputs alarm log information.
Configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend attack ping-of-death
         Enable anti-ping-of-death attack protection
Close the function with the command “no ip defend attack ping-of-death”.
25.2.3 Configure anti- tear-drop attack function
A tear-drop attack sends the destination host fragmented messages whose fragment offsets overlap, causing the destination host to behave abnormally or crash.
With the anti-tear-drop function configured, the equipment detects tear-drop attacks and outputs warning log information. Because overlapping fragments also occur in normal traffic, the equipment does not discard the message; it reassembles and re-fragments the message and forwards the normal message.
Configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend attack tear-drop
         Enable anti-tear-drop attack protection
Close the function with the command “no ip defend attack tear-drop”.
25.2.4 Configure anti- jolt2 attack function
A jolt2 attack sends the destination host an ICMP message whose total length exceeds 65535 bytes.
With the anti-jolt2 function configured, the equipment detects jolt2 attacks, discards the attack messages and outputs alarm log information.
Configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend attack jolt2
         Enable anti-jolt2 attack protection
Close the function with the command “no ip defend attack jolt2”.
25.2.5 Configure anti- land-base attack function
A land-base attack sends the destination host messages whose source address is the same as the destination address, causing the host to consume large amounts of system resources and eventually crash or break down.
With the anti-land-base function configured, the equipment detects land-base attacks, discards the attack messages and outputs alarm log information.
Configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend attack land-base
         Enable anti-land-base attack protection
Close the function with the command “no ip defend land-base”.
25.2.6 Configure anti- winnuke attack function
A winnuke attack sends out-of-band data, that is, TCP messages with the urgent flag (URG) set to 1, to ports 139, 138, 137, 113 and 53 of the destination host, causing the system to behave abnormally and crash.
With the anti-winnuke function configured, the equipment detects winnuke attacks, clears the TCP urgent flag (sets URG to 0) before forwarding the message, and outputs alarm log information.
Configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend attack winnuke
         Enable anti-winnuke attack protection
Close the function with the command “no ip defend attack winnuke”.
25.2.7 Configure anti- syn-flag attack function
A syn-flag attack sends the destination host TCP messages with invalid flag combinations, wasting the resources of the destination host.
With the anti-syn-flag function configured, the equipment detects syn-flag attacks, discards the attack messages and outputs alarm log information.
Configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend attack syn-flag
         Enable anti-syn-flag attack protection
Close the function with the command “no ip defend attack syn-flag”.
25.2.8 Configure anti- smurf attack
A smurf attack combines IP spoofing with ICMP replies: the target system is flooded with a large volume of network traffic and can no longer serve normal systems. The attacker sends ICMP echo request (ping) packets to a broadcast address with the victim's address forged as the source, so that every host on that network replies to the victim and the network becomes congested.
The anti-smurf function detects smurf attacks, discards the attack messages and outputs alarm log information.
Configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend attack smurf
         Enable anti-smurf attack protection
Close the function with the command “no ip defend smurf”.
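The checks described in 25.2.2 through 25.2.8, applied to constructed packet records as an added Python example (not the equipment's code): each packet is classified and given the action the manual describes for it. The Packet and Fragment records, their field names and the set of illegal TCP flag combinations used for the syn-flag check are assumptions; jolt2 is described on this page with the same length test as ping-of-death and is therefore not distinguished from it here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added illustration of the anti-DOS checks in 25.2; not the equipment's code.
# Packet/Fragment layouts and the illegal-flag combinations are assumptions.

WINNUKE_PORTS = {139, 138, 137, 113, 53}      # ports named in 25.2.6


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment within the datagram
    length: int   # payload bytes carried by this fragment


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                 # "icmp", "tcp" or "udp"
    total_length: int = 0                      # reassembled IP datagram length
    dport: int = 0
    flags: Set[str] = field(default_factory=set)            # TCP flags, e.g. {"SYN"}
    icmp_type: Optional[int] = None            # 8 = echo request
    dst_is_broadcast: bool = False
    fragments: List[Fragment] = field(default_factory=list)


def fragments_overlap(frags: List[Fragment]) -> bool:
    """True when two fragments cover the same bytes (the tear-drop condition)."""
    spans = sorted((f.offset, f.offset + f.length) for f in frags)
    return any(next_start < prev_end
               for (_, prev_end), (next_start, _) in zip(spans, spans[1:]))


def classify(pkt: Packet) -> Tuple[str, str]:
    """Return (attack, action); ('none', 'forward') for ordinary traffic."""
    if pkt.src == pkt.dst:                                              # 25.2.5
        return "land-base", "discard"
    if pkt.proto == "icmp" and pkt.total_length > 65535:                # 25.2.2 (and jolt2)
        return "ping-of-death", "discard"
    if pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.dst_is_broadcast:   # 25.2.8
        return "smurf", "discard"
    if len(pkt.fragments) > 1 and fragments_overlap(pkt.fragments):     # 25.2.3
        return "tear-drop", "alarm-and-reassemble"
    if pkt.proto == "tcp":
        if "URG" in pkt.flags and pkt.dport in WINNUKE_PORTS:           # 25.2.6
            return "winnuke", "clear-urg-and-forward"
        illegal = ({"SYN", "FIN"} <= pkt.flags or {"SYN", "RST"} <= pkt.flags
                   or not pkt.flags)                                    # 25.2.7
        if illegal:
            return "syn-flag", "discard"
    return "none", "forward"


def mitigate(pkt: Packet) -> Tuple[str, Optional[Packet]]:
    """Apply the action: (attack, packet to forward), or (attack, None) when discarded."""
    attack, action = classify(pkt)
    if action == "discard":
        return attack, None
    if action == "clear-urg-and-forward":
        pkt.flags = pkt.flags - {"URG"}   # forward with URG cleared, as 25.2.6 describes
    return attack, pkt
```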
25.2.9 Configure Flood defense
A flood attack is one form of DOS attack and is further classified into SYN Flood, UDP Flood and ICMP Flood.
A SYN Flood exploits a weakness of TCP: it sends a large number of forged TCP connection requests to the server and never completes them, quickly consuming the server's resources, so that normal service requests cannot be handled in time and, in serious cases, the server system crashes.
A UDP Flood uses a large number of UDP packets to hit DNS servers, RADIUS authentication servers or streaming video servers.
A UDP Flood of 100k pps is usually enough to paralyze backbone equipment (such as a firewall) on the line, paralyzing the whole network segment. Because UDP is a connectionless service, during a UDP Flood the attacker can send a large number of small UDP packets with forged source IP addresses.
An ICMP Flood paralyzes the target host by sending data packets over 65,535 bytes; when such packets are sent in large numbers it is considered a flood attack.
The equipment's anti-Flood protection is built on the latest syncookie technology in the industry; it occupies a minimum of system resources and effectively protects servers from Flood attacks.
IPv4 flood defense configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend flood startIp STARTIP endIp ENDIP tcp (enable|disable) THRESHOLD udp (enable|disable) THRESHOLD icmp (enable|disable) THRESHOLD dns (enable|disable) THRESHOLD
         Configure the protected server IP range, the protection types and the threshold values
Close the corresponding flood function with the keyword “disable”.
IPv6 flood defense configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ipv6 defend flood startIp STARTIP endIp ENDIP tcp (enable|disable) THRESHOLD udp (enable|disable) THRESHOLD icmp (enable|disable) THRESHOLD dns (enable|disable) THRESHOLD
         Configure the protected server IP range, the protection types and the threshold values
Close the corresponding flood function with the keyword “disable”.
25.2.10 Configure intelligent TCP Flood prevention
Intelligent TCP Flood prevention addresses the SYN Flood attack, one form of DOS attack. A SYN Flood exploits a weakness of TCP: it sends a large number of forged TCP connection requests to the server and never completes them, quickly consuming the server's resources, so that normal service requests cannot be handled in time and, in serious cases, the server system crashes.
The equipment's anti-SYN-flood protection is built on the latest syncookie technology in the industry; it occupies a minimum of system resources and effectively protects servers from SYN Flood attacks.
Configuration steps
Step 1   configure terminal
         Enter configuration mode
Step 2   ip defend syn-cookie <100-10000>
         Enable anti-SYN-flood protection to protect servers against SYN Flood attacks
Close the function with the command “no ip defend syn-cookie”.
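The syncookie idea that the flood protection in 25.2.9 and 25.2.10 relies on, as an added Python example that is not the equipment's implementation: the responder encodes the connection tuple, a time counter and the client's MSS into the initial sequence number of its SYN-ACK under a keyed hash, so that no half-open connection state is kept until the client's ACK proves the cookie is genuine. The 32-bit layout (5-bit counter, 3-bit MSS index, 24-bit hash), the MSS table and the 64 s counter tick are assumptions made here.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Added illustration of the syncookie idea behind 25.2.9/25.2.10; not the
# equipment's implementation. Layout, MSS table and tick length are assumptions.

MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values that fit the 3-bit index
COUNTER_PERIOD = 64                    # seconds per time-counter tick
SECRET = secrets.token_bytes(32)       # per-device key; rotate it in practice


def _counter(now: float) -> int:
    """5-bit time counter so a cookie silently expires after a couple of ticks."""
    return int(now // COUNTER_PERIOD) & 0x1F


def _mac24(secret: bytes, src: str, dst: str, sport: int, dport: int,
           t: int, mss_idx: int) -> int:
    """24-bit keyed hash over the connection tuple, counter and MSS index."""
    msg = src.encode() + b"|" + dst.encode() + struct.pack("!HHBB", sport, dport, t, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src: str, dst: str, sport: int, dport: int, client_mss: int,
                now: float, secret: bytes = SECRET) -> int:
    """ISN for the SYN-ACK; nothing is stored per half-open connection."""
    t = _counter(now)
    # largest table entry not above what the client offered (index 0 if none fits)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (t << 27) | (mss_idx << 24) | _mac24(secret, src, dst, sport, dport, t, mss_idx)


def check_cookie(src: str, dst: str, sport: int, dport: int, ack_number: int,
                 now: float, secret: bytes = SECRET) -> Optional[int]:
    """Validate the handshake's final ACK; return the MSS to use, or None if forged or stale."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges our ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    current = _counter(now)
    if t not in (current, (current - 1) & 0x1F):
        return None                           # older than two ticks: stale or replayed
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(secret, src, dst, sport, dport, t, mss_idx).to_bytes(3, "big")
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return None                           # hash mismatch: not a cookie we issued
    return MSS_TABLE[mss_idx]
```

A flood of SYNs therefore costs the responder one hash per SYN-ACK and no table entry, which is what lets the equipment keep its half-open count low under attack.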
25.3 Anti-DOS attack monitoring and maintenance
25.3.1 View configuration information
Step 1   Show ip defend attack
HOST# show ip defend attack
ip defend attack informations:
ip defend attack ping-of-death:disable
ip defend attack tear-drop:disable
ip defend attack jolt2:disable
ip defend attack land-base:disable
ip defend attack winnuke:disable
ip defend attack syn-flag:disable
ip defend syn-cookie:disable
syn-cookie threshold:100
syn-cookie state:not booted
25.3.2 View current TCP half-open connection count
Step 1   show ip inspect count
HOST# show ip inspect count
System
Connect sum count:          6
Complete connect count:     2
Connect rate count:         0
Except connect count:       0
Check whether the difference between Connect sum count and Complete connect count is abnormal; when the difference is too large (many half-open connections), enabling flood protection is recommended.
25.3.3 View anti-DOS attack related debug information
Step 1   debug ip defend attack
HOST# debug ip defend attack
When the command is enabled, the system prints detected attack information to the console.
25.4 Common fault analysis
25.4.1 TCP Flood attack defense failure
Phenomenon: SYN Flood attack prevention fails and SYN Flood messages pass through the equipment.
Analysis: SYN Flood prevention fails because the anti-SYN-flood service is disabled, or because the attack threshold is set too high.
Solution:
1. Enable the SYN Flood function.
2. Reduce the defense threshold.
Chapter 26 Configure anti-scanning
26.1 Anti-scanning
Scanning is one kind of network attack. Before attacking a network, an attacker usually tries to find the open TCP/UDP ports on the target, since an open port usually indicates a particular type of application.
Common scans include:
- Vertical scanning: multiple ports of the same host;
- Horizontal scanning: the same port on multiple hosts;
- ICMP (Ping) sweeps: discovering live hosts within an address range by means of ping.
The equipment can effectively prevent the above types of scanning, hold back external hostile attacks and protect the equipment and the intranet. When such scanning is detected, the equipment alerts the user.
26.2 Configure anti-scanning
26.2.1 Default configuration information
Anti-scanning default settings are shown below:
Table 26-1 Anti-scanning default configuration
Contents                          Default setting    Remark
Anti-TCP Scan attack              disable            Setting can be changed
Anti-UDP Scan attack              disable            Setting can be changed
Anti-Ping sweep attack            disable            Setting can be changed
Scanning recognition threshold    1000               Setting can be changed
Source host block time            20                 Setting can be changed
26.2.2 Configure anti-TCP Scan
Depending on the actual network conditions, the user may configure anti-TCP-scan protection against TCP scan attacks.
When, within 1 s, one source IP address sends IP packets carrying TCP SYN to more different ports on the same target IP address than the configured threshold value, this is treated as port scanning: the system identifies the source as a TCP scan and refuses all further TCP SYN packets from that source host for the configured block period.
Enabling anti-TCP-SYN-scan protection may consume a large amount of memory.
Configuration steps:
Step 1   config terminal
         Enter configuration mode
Step 2   ip defend scan tcp
         Configure anti-TCP Scan attack protection
Step 3   end
         Return to privileged mode
Step 4   show ip defend scan
         Display the anti-scanning configuration
The user may cancel the anti-TCP Scan setting and restore the default configuration with the command “no ip defend scan tcp”.
26.2.3 Configure anti-UDP Scan
Depending on the actual network conditions, when the network is subject to UDP scan attacks the user may configure anti-UDP-scan protection. When, within 1 s, one source IP address sends IP packets carrying UDP to more different ports on the same target IP address than the configured threshold value, this is treated as port scanning: the system identifies the source as a UDP scan and refuses all further IP packets from that source host for the configured block period.
Enabling anti-UDP Scan protection may consume a large amount of memory.
Configuration steps:
Step 1   config terminal
         Enter configuration mode
Step 2   ip defend scan udp
         Configure anti-UDP Scan attack protection
Step 3   end
         Return to privileged mode
Step 4   show ip defend scan
         Display the anti-scanning configuration
The user may cancel the anti-UDP Scan setting and restore the default configuration with the command “no ip defend scan udp”.
26.2.4 Configure anti-Ping sweep
Depending on the actual network conditions, when the network is subject to ping sweep attacks the user may configure anti-Ping-sweep protection. When, within 1 s, one source IP address sends ICMP packets to more different hosts than the configured threshold value, this is treated as an address scan. Such a scan is designed to obtain at least one reply, and so discover target addresses, by sending an ICMP packet (usually an echo request) to each host. The equipment internally records the number of ICMP packets sent from a remote source to different addresses. Once a source IP is identified as an address scan attack, the system refuses all further ICMP packets from that source host for the configured block period.
Enabling anti-Ping sweep protection may consume a large amount of memory.
Configuration steps:
Step 1   config terminal
         Enter configuration mode
Step 2   ip defend scan ping-sweep
         Configure anti-Ping sweep attack protection
Step 3   end
         Return to privileged mode
Step 4   show ip defend scan
         Display the anti-scanning configuration
The user may cancel the anti-Ping sweep setting and restore the default configuration with the command “no ip defend scan ping-sweep”.
26.2.5 Configure scanning recognition threshold
User may configure the scanning recognition threshold with the command “threshold”. When a source exceeds
the threshold value, its IP is identified as a scanning attack and all other attack packets from the
source host are blocked.
Configuration steps:
Step 1  config terminal                        Enter configuration mode
Step 2  ip defend scan threshold <10-65535>    Configure scan recognition threshold
Step 3  end                                    Return to privileged mode
Step 4  show ip defend scan                    Display anti-scanning configuration
User may cancel the scanning threshold setting with the command “no ip defend scan threshold” and restore
the default configuration.
26.2.6 Configure source host blockage time
User may set the blockage time with the command “block-time”. When the system has detected a scanning
attack, all other attack packets from the source host are refused within the configured blockage period.
Configuration steps:
Step 1  config terminal                        Enter configuration mode
Step 2  ip defend scan block-time <1-65535>    Configure anti-scanning blockage time
Step 3  end                                    Return to privileged mode
Step 4  show ip defend scan                    Display anti-scanning configuration
User may cancel the anti-scanning blockage time setting with the command “no ip defend scan block-time”
and restore the default configuration.
26.3 Configuration cases
26.3.1 Configure anti-scanning
In case of a scanning attack on the network, we may view the semi-join (half-open connection) information
from a host on the current equipment based on the collected flow data. If the flow data shows a large
number of source IPs, an unchanged destination IP and a varying destination port, it may be considered a
scanning attack; we should then check the type of scanning and protect the intranet and the equipment by
configuring the corresponding anti-scan attack.
Configuration steps:
Step 1  View the network data analysis result and check whether the network is subject to a scanning
        attack. User may check this by using NetFlow or a packet capture on the host.
Step 2  Configure anti-TCP scan attack and the attack threshold:
HOST_A(config)# ip defend scan tcp
HOST_A(config)# ip defend scan threshold 1000
HOST_A(config)# end
HOST_A #
Configuration result:
!
ip defend scan tcp
ip defend scan threshold 1000
!
26.4 Anti-scanning monitoring and maintenance
26.4.1 View anti-scan configuration
Use of common show commands:
Steps to view anti-scan configuration:
Step 1  View the enabled anti-scanning type:
ip defend scan informations:
ip defend scan tcp:enable
ip defend scan udp:disable
ip defend scan ping-sweep:disable
ip defend scan block-time:20
ip defend scan threshold:1000
blocked source ip list:
10.1.1.121 TCP 15
The output shows anti-TCP Scan enabled, anti-UDP Scan and anti-Ping sweep disabled, a source host blockage
time of 20 s and a scanning threshold of 1,000; that is to say, when a source IP address sends, within 1 s,
TCP SYN packets to more than 1,000 different ports on the same target IP address, it is considered port
scanning and the IP is blocked from sending TCP packets.
The source host with IP 10.1.1.121 is blocked, scanning type TCP Scan, remaining blockage time 15 s.
26.5 Common fault analysis
26.5.1 No alarm after anti-scanning, no package rejection
Phenomenon: After packet capture or flow gathering confirms a scanning attack, the equipment provides no
alarm and no packet rejection.
Analysis: It may be caused by the following:
1) The scanning recognition threshold is set too high, so the scanning count never reaches the threshold
value.
2) Anti-scanning, anti-Syn Flood and the TCP semi-join count restriction in session management are set at
the same time; their functions overlap, which may cause the anti-scanning function to fail.
Solution: Check the configuration and, if the threshold is too high, modify it to a proper value according
to actual need.
Chapter 27 Configure IP-MAC binding
27.1 IP-MAC binding
Address Resolution Protocol (ARP) is a protocol for finding the MAC address corresponding to an IP
address.
Why do we need to find the MAC address corresponding to an IP address? For two communication entities in
the same subnet, the IP communication process over Ethernet is as follows:
Before a source end sends an IP packet, it must know the Ethernet address of the destination end, but the
source end only knows the destination end’s IP address (through the user’s prior configuration or by
viewing the routing table), so Ethernet address resolution has to be accomplished with the ARP protocol.
The source end sends an ARP request containing the destination IP address; upon receipt of the request,
the destination end returns an ARP reply to the source end announcing its own MAC address; after receiving
the destination end’s MAC address, the source end sends the IP packet over Ethernet.
Some attack software on the network may counterfeit a host to evade tracking. To prevent such cases, the
equipment is designed with an IP-MAC binding function that binds a user’s MAC and IP. A message passing
through the equipment must have its MAC and IP strictly consistent with the binding, or otherwise the
message is discarded.
In practical application it is generally used to bind a designated IP to a designated MAC, namely a MAC
may have multiple IPs, but a specific IP may only be used by the designated MAC.
27.2 Configure IP-MAC binding
27.2.1 Configure IP-MAC binding
To add an IP-MAC binding, it is required to input the binding name, IP address and MAC address.
Configuration steps:
Step 1  config terminal                                     Enter configuration mode
Step 2  ipmac NAME A.B.C.D FF-FF-FF-FF-FF-FF unique-ip      Configure IP-MAC binding, enable uniqueness check
Step 3  end                                                 Return to privileged mode
Step 4  show ip defend scan                                 Display anti-scanning configuration
Under config mode, clear a binding item with the command “no ipmac NAME”.
27.2.2 View ARP list
Step 1  show arp     Display current ARP list
27.2.3 Clear ARP list
Step 1  clear arp    Clear ARP list
27.3 Configuration cases
Case description
Bind Zhang San’s host 192.168.31.118 with 00-16-41-59-3E-AF and ensure its uniqueness.
Configuration steps:
Step 1  Add IP-MAC binding:
configure terminal
ipmac NAME 192.168.31.118 00-16-41-59-3E-AF unique-ip
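The binding rule of 27.1 (a MAC may own several IPs, a bound IP belongs to one designated MAC, inconsistent messages are discarded) and the uniqueness check of `unique-ip`, applied to the case above, as an added Python example that is not the equipment's code. The binding name `zhangsan`, the packet shape `(source IP, source MAC)` and every host other than Zhang San's are constructed for the illustration.

```python
"""IP-MAC binding enforcement re-created from chapter 27 (added example, not vendor code)."""
import ipaddress
import re

_OCTET = re.compile(r"^[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Accept 00-16-41-59-3E-AF or 00:16:41:59:3e:af; return the manual's hyphenated form."""
    parts = re.split(r"[-:]", mac.strip())
    if len(parts) != 6 or not all(_OCTET.match(p) for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(p.upper() for p in parts)


class IpMacBindings:
    """Binding table: a MAC may own several IPs, but a bound IP belongs to one designated MAC."""

    def __init__(self):
        self.by_name = {}          # NAME -> (ip, mac, unique_ip)
        self.ip_to_mac = {}        # bound IP -> designated MAC

    def add(self, name, ip, mac, unique_ip=True):
        """'ipmac NAME A.B.C.D MAC unique-ip': unique-ip refuses a second MAC for the same IP."""
        ip, mac = str(ipaddress.ip_address(ip)), normalize_mac(mac)
        current = self.ip_to_mac.get(ip)
        if unique_ip and current is not None and current != mac:
            raise ValueError(f"{ip} is already bound to {current}")
        self.by_name[name] = (ip, mac, unique_ip)
        self.ip_to_mac[ip] = mac

    def remove(self, name):
        """'no ipmac NAME'."""
        ip, _, _ = self.by_name.pop(name)
        self.ip_to_mac.pop(ip, None)

    def check(self, src_ip, src_mac):
        """'forward' when the packet's MAC/IP pair is consistent with the bindings, else 'discard'."""
        designated = self.ip_to_mac.get(str(ipaddress.ip_address(src_ip)))
        if designated is None:
            return "forward"       # unbound IP: there is no binding to enforce
        return "forward" if designated == normalize_mac(src_mac) else "discard"


def demo():
    """Apply the 27.3 case and return the decisions for a few constructed packets."""
    table = IpMacBindings()
    table.add("zhangsan", "192.168.31.118", "00-16-41-59-3E-AF", unique_ip=True)
    decisions = [
        table.check("192.168.31.118", "00:16:41:59:3e:af"),   # bound host, correct MAC
        table.check("192.168.31.118", "00-16-41-59-3E-B0"),   # another MAC claiming the bound IP
        table.check("192.168.31.119", "00-16-41-59-3E-AF"),   # designated MAC using a second IP
        table.check("192.168.31.200", "00-00-5E-00-53-01"),   # unbound host (constructed)
    ]
    try:                                                      # uniqueness check at configuration time
        table.add("intruder", "192.168.31.118", "00-16-41-59-3E-B0", unique_ip=True)
        conflict_rejected = False
    except ValueError:
        conflict_rejected = True
    table.remove("zhangsan")                                  # 'no ipmac zhangsan'
    decisions.append(table.check("192.168.31.118", "00-16-41-59-3E-B0"))   # binding cleared
    return decisions, conflict_rejected
```

The second packet is the case the feature exists for: the bound address presented with a different MAC is discarded, while the designated MAC is still free to use other, unbound addresses.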
Chapter 28 Configure PKI
28.1 PKI protocol
PKI (public key infrastructure) technology uses certificates to manage keys. Through a trusted third-party
institution, the authentication center CA (Certificate Authority), it binds a user’s key to other
identification information (such as name, e-mail, ID number, etc.) and verifies user identity on the
Internet.
Currently the common method is to establish digital certificates on a PKI, encrypt and sign the digital
information to be transmitted, ensure the confidentiality, authenticity, integrity and non-repudiation of
the information, and thereby guarantee safe information transmission.
The PKI local certificate on the equipment has the following function: when the equipment is a PKI client,
the user may select a local certificate as the equipment’s identity label and verify the validity of
certificates received from other hosts. It corresponds to the certificate function in the IE browser and
mainly includes three configurations: import of the user certificate, of the third party’s CA certificate
and of the CRL.
The three functions are relatively independent yet correlated; depending on the specific need, different
local certificates, CA certificates and CRLs may be imported, but to verify a terminal certificate it is
required to import the CA certificate and the CRL of that terminal certificate.
28.2 Configure PKI
Conduct import and export configuration for the client certificate, the third party’s CA certificate and
the CRL, generate a certificate request and apply to a third-party CA for issuance.
28.2.1 Export of local certificate
Configure the export of a local certificate. Local certificates are classified into two types by status:
locally generated certificate request and local certificate. Exporting a locally generated request
produces a certificate request file; exporting a local certificate produces a certificate file. Local
certificates are also classified into two types by storage place: local storage and KEY; both can be
exported.
Configuration steps:
Step 1  Enter PKI configuration node with command in 1.2.1           Enter PKI configuration mode
Step 2  certificate local export tftp A.B.C.D CERTIFICATE_NAME       Export local certificate
Parameter description: certificate local export tftp A.B.C.D CERTIFICATE_NAME
Parameter           Description            Default configuration
A.B.C.D             Tftp server address    None
CERTIFICATE_NAME    Certificate name       None
28.2.2 Import of certificate locally generated
A certificate request file generated by a certificate request on the equipment may be imported back to
the equipment after CA signature.
Configuration steps:
Step 1  configure terminal                                                          Enter configuration mode
Step 2  certificate local cert_key|cert_chain import tftp A.B.C.D CERTIFICATE_NAME  Import the locally generated certificate signed by the CA
Step 3  show certificate local [CERTIFICATE_NAME]                                   Show certificate request
Delete the certificate designated by CERTIFICATE_NAME with the command “no certificate local
CERTIFICATE_NAME”.
Parameter description: certificate local cert_key import tftp A.B.C.D CERTIFICATE_NAME
Parameter           Description            Default configuration
A.B.C.D             Tftp server address    None
CERTIFICATE_NAME    Certificate name       None
28.2.3 Import of PKCS12 format certificate
Import a PKCS12 format certificate.
Configuration steps:
Step 1  configure terminal                                                                    Enter configuration mode
Step 2  certificate local pkcs12 import (local|usb) tftp A.B.C.D CERTIFICATE_NAME [PASSWORD]  Import PKCS12 format certificate
Step 3  show certificate local [CERTIFICATE_NAME]                                             Show certificate information
Delete the certificate designated by CERTIFICATE_NAME with the command “no certificate local
CERTIFICATE_NAME”.
Parameter description: certificate local pkcs12 import (local|usb) tftp A.B.C.D CERTIFICATE_NAME [PASSWORD]
Parameter           Description                                                                                  Default configuration
(local|usb)         Certificate storage location: local means stored in the equipment; usb means stored in the USBKEY.  None
A.B.C.D             Tftp server address                                                                          None
CERTIFICATE_NAME    Certificate name                                                                             None
PASSWORD            Key of the encrypted PKCS12 file                                                             None
28.2.4 Import of certificate key file
Import of certificate and key file.
Configuration steps:
Step 1  configure terminal                                                                                 Enter configuration mode
Step 2  certificate local cert_key import (local|usb) tftp A.B.C.D CERTIFICATE_NAME KEYFILE_NAME [PASSWORD]  Import certificate and key file
Step 3  show certificate local [CERTIFICATE_NAME]                                                          Display certificate information
Delete the certificate designated by CERTIFICATE_NAME with the command “no certificate local
CERTIFICATE_NAME”.
Parameter description: certificate local cert_key import (local|usb) tftp A.B.C.D CERTIFICATE_NAME KEYFILE_NAME [PASSWORD]
Parameter           Description                                                                                  Default configuration
(local|usb)         Certificate storage location: local means stored in the equipment; usb means stored in the USBKEY.  None
A.B.C.D             Tftp server address                                                                          None
CERTIFICATE_NAME    Certificate file name                                                                        None
KEYFILE_NAME        Key file name                                                                                None
PASSWORD            Key of the encrypted key file                                                                None
28.2.5 Export of CA certificate
Export CA certificate.
Configuration steps:
Step 1  configure terminal                                    Enter configuration mode
Step 2  certificate ca export tftp A.B.C.D CERTIFICATE_NAME   Export CA certificate
Step 3  show certificate ca [CERTIFICATE_NAME]                Display certificate information
Parameter description: certificate ca export tftp A.B.C.D CERTIFICATE_NAME
Parameter           Description            Default configuration
A.B.C.D             Tftp server address    None
CERTIFICATE_NAME    CA certificate name    None
28.2.6 Import of CA certificate
Import a CA certificate as the basis for signature verification of user certificates from other terminals.
The imported CA certificate is used as a trusted certificate, so it is required to ensure its safety.
Configuration steps:
Step 1  configure terminal                                       Enter configuration mode
Step 2  certificate ca ca import tftp A.B.C.D CERTIFICATE_NAME   Import CA certificate
Step 3  show certificate ca [CERTIFICATE_NAME]                   Display certificate information
Delete the CA certificate designated by CERTIFICATE_NAME with the command “no certificate ca
CERTIFICATE_NAME”.
Parameter description: certificate ca import tftp A.B.C.D CERTIFICATE_NAME
Parameter           Description              Default configuration
A.B.C.D             Tftp server address      None
CERTIFICATE_NAME    Certificate file name    None
28.2.7 Export CRL
Export CRL.
Configuration steps:
Step 1  configure terminal                                      Enter configuration mode
Step 2  certificate crl export tftp A.B.C.D CERTIFICATE_NAME    Export CRL
Step 3  show certificate crl [CERTIFICATE_NAME]                 Display CRL information
Delete the CRL designated by CERTIFICATE_NAME with the command “no certificate crl CERTIFICATE_NAME”.
Parameter description: certificate crl export tftp A.B.C.D CERTIFICATE_NAME
Parameter           Description            Default configuration
A.B.C.D             Tftp server address    None
CERTIFICATE_NAME    CRL name               None
28.2.9 CRL import
Import a third-party CA’s CRL. To verify a certificate received from another terminal, it is required to
check the imported CRL to see whether the terminal’s user certificate has been cancelled.
Configuration steps:
Step 1  configure terminal                                      Enter configuration mode
Step 2  certificate crl import tftp A.B.C.D CERTIFICATE_NAME    Import CRL
Step 3  show certificate crl [CERTIFICATE_NAME]                 Display CRL information
Delete the CRL designated by CERTIFICATE_NAME with the command “no certificate crl CERTIFICATE_NAME”.
Parameter description: certificate crl import tftp A.B.C.D CERTIFICATE_NAME
Parameter           Description            Default configuration
A.B.C.D             Tftp server address    None
CERTIFICATE_NAME    CRL file name          None
Chapter 29 Configure PKI CA
29.1 PKI protocol
CA, namely certificate authority, is the third-party organization or company entrusted to issue digital
certificates. A digital certificate is used for digital signature and corresponds to a public-private key
pair. The CA is designed to ensure that the owner of a unique certificate is the one being authorized. For
the purpose of data safety and e-commerce, the CA is a very important part, since it has to confirm the
identity of the information exchange parties.
The CA center provides three functions: CA certificate management, user certificate issuance and
management, and CRL management. The CA center initially generates the CA certificate (issuing
certificate), and signs user certificates with the CA certificate’s private key.
User certificate management generates a user certificate request according to user information (such as
nation, region, unit, etc.), issues the request, and generates and releases to the specific user a
certificate with public and private key for user identification. The user may cancel insecure user
certificates and, based on the cancellation reasons, generate and issue a CRL to users as one of the
bases for verifying certificate safety.
Major usage of the CA center: issue user certificates and CRLs; before issuing user certificates and
CRLs, verify the CA root certificate.
29.2 Configure PKI CA
Configuring the equipment CA center mainly includes configuration management of the CA certificate, of
user certificates and of the CRL. It should be noted that user certificates and the CRL are issued by the
CA certificate (root certificate); therefore, after CA certificate verification, the CA certificate should
not be changed if there is no safety hazard (such as CA private key disclosure).
29.2.1 Generate CA certificate
Configuration steps:
Step 1  configure terminal                   Enter configuration mode
Step 2  ca ca cacert new CERTIFICATE_NAME    Configure CA certificate request
Step 3  show ca ca cacert                    Display CA certificate information
Parameter description: ca ca cacert new CERTIFICATE_NAME
Parameter           Description                 Default configuration
CERTIFICATE_NAME    Certificate request name    None
29.2.2 Configure certificate request information-Location
Optional certificate request information: Location (city).
Configuration steps:
Step 1  Enter PKI CA configuration node with command in 1.2.1    Enter PKI CA configuration mode
Step 2  city CITY_NAME                                           Configure location (city)
Parameter description: city CITY_NAME
Parameter    Description        Default configuration
CITY_NAME    Location (city)    None
29.2.3 Certificate request information – Nation or region
Optional certificate request information: nation or region, GB is selected.
Configuration steps:
Step 1  Enter PKI CA configuration node with command in 1.2.1    Enter PKI CA configuration mode
Step 2  country COUNTRY_NAME                                     Configure nation code
Parameter description: country COUNTRY_NAME
Parameter       Description                               Default configuration
COUNTRY_NAME    Two-digit code of nation or region name
29.2.4 Configure certificate request information- Organization
Configure the interface operating the PKI interface and the region it belongs to.
Configuration steps:
Step 1  Enter PKI CA configuration node with command in 1.2.1    Enter PKI CA configuration mode
Step 2  organization ORGANIZATION_NAME                           Configure the organization name of the certificate request information
Parameter description: organization ORGANIZATION_NAME
Parameter            Description          Default configuration
ORGANIZATION_NAME    Organization name    None
29.2.5 Configure certificate request information- state/province
Configure certificate request information: state/province.
Configuration steps:
Step 1  Enter PKI CA configuration node with command in 1.2.1    Enter PKI CA configuration mode
Step 2  state STATE_NAME                                         Configure certificate request information: state/province
Parameter description: state STATE_NAME
Parameter     Description            Default configuration
STATE_NAME    State/province name    None
29.2.6 Configure certificate request information- Department
Configure certificate request information: department.
Configuration steps:
Step 1  Enter PKI CA configuration node with command in 1.2.1    Enter PKI CA configuration mode
Step 2  unit UNIT_NAME                                           Configure certificate request information: department
Parameter description: unit UNIT_NAME
Parameter    Description        Default configuration
UNIT_NAME    Department name
29.2.7 Configure certificate request information- EMAIL
Configure certificate request information: EMAIL.
Configuration steps:
Step 1  Enter PKI CA configuration node with command in 1.2.1    Enter PKI CA configuration mode
Step 2  email EMAIL                                              Configure certificate request information: e-mail address
Parameter description: email EMAIL
Parameter    Description      Default configuration
EMAIL        EMAIL address    None
29.2.8 Configure certificate request information- key length
Configure certificate request information: key length.
Configuration steps:
Step 1  Enter PKI CA configuration node with command in 1.2.1    Enter PKI CA configuration mode
Step 2  keylength KEY_LENGTH                                     Configure certificate request information: key length
Parameter description: keylength KEY_LENGTH
Parameter     Description    Default configuration
KEY_LENGTH    Key length     None
29.2.9 Configure certificate request information- validity period
Configure certificate request information: validity period.
Configuration steps:
Step 1  Enter PKI CA configuration node with command in 1.2.1    Enter PKI CA configuration mode
Step 2  days DAYS                                                Configure certificate request information: validity period
Parameter description: days DAYS
Parameter    Description               Default configuration
DAYS         Days of validity period   365
29.2.10 Export of CA certificate
The CA certificate may be exported in two formats: in pem format only the CA certificate file is
exported; in pkcs12 format the certificate and key are exported together. It should be noted that when
the CA certificate is exported in pkcs12 format it is exported together with the CA private key; this is
only used for CA certificate backup and not for use by users. The CA certificate for users should be
exported in PEM format.
Configuration steps:
Step 1  configure terminal                                        Enter configuration mode
Step 2  ca ca cacert export tftp A.B.C.D (pem|p12) [PASSWORD]     Export CA certificate
Parameter description: ca ca cacert export tftp A.B.C.D (pem|p12) [PASSWORD]
Parameter    Description                             Default configuration
A.B.C.D      Tftp server address                     None
(pem|p12)    Format of exported CA certificate
PASSWORD     Password when exported in p12 format
29.2.11 Import of CA certificate
Import CA certificate: the user may import a certificate issued by a superior CA into the equipment,
allowing the CA center to manage user certificates and the CRL as a sub-CA. The CA certificate may be
imported in two formats: CA certificate together with CA private key in pkcs12 format; or CA certificate
stored separately from the private key, both in PEM format.
A certificate issued by a third-party CA is imported in pkcs12 format:
Configuration steps:
Step 1  configure terminal                                                     Enter configuration mode
Step 2  ca ca cacert import pkcs12 tftp A.B.C.D CERTIFICATE_NAME [PASSWORD]    Import pkcs12 format certificate issued by third-party CA, including CA private key
Step 3  show ca ca cacert                                                      Display certificate information
Parameter description: ca ca cacert import pkcs12 tftp A.B.C.D CERTIFICATE_NAME [PASSWORD]
Parameter           Description                       Default configuration
A.B.C.D             Tftp server address               None
CERTIFICATE_NAME    Certificate name                  None
PASSWORD            Password of pkcs12 format file
A certificate issued by a third-party CA is imported in pem format:
Configuration steps:
Step 1  configure terminal                                                                  Enter configuration mode
Step 2  ca ca cacert import pem tftp A.B.C.D CERTIFICATE_NAME KEYFILE_NAME [PASSWORD]       Import pem format certificate issued by third-party CA; certificate file and private key file are separate
Step 3  show ca ca cacert                                                                   Display certificate information
Parameter description: ca ca cacert import pem tftp A.B.C.D CERTIFICATE_NAME KEYFILE_NAME [PASSWORD]
Parameter           Description             Default configuration
A.B.C.D             Tftp server address     None
CERTIFICATE_NAME    Certificate name        None
KEYFILE_NAME        Key name
PASSWORD            Password of key file
29.2.12 CRL update
Updating the CRL (certificate cancellation list) adds to the CRL the serial number and cancellation
reason of every certificate cancelled since the last creation of the CRL.
Configuration steps:
Step 1  configure terminal    Enter configuration mode
Step 2  ca ca crl update      Update CRL
29.2.13 CRL export
Export the CRL file and provide it to CA users so they can check whether a certificate to be verified has
been cancelled.
Configuration steps:
Step 1  configure terminal                 Enter configuration mode
Step 2  ca ca crl export tftp A.B.C.D      Export CRL
Parameter description: ca ca crl export tftp A.B.C.D
Parameter    Description             Default configuration
A.B.C.D      Tftp service address    None
29.2.14 Generate user certificate request
To create a user certificate, you create a user certificate request (generating the request file and the
public-private key pair), issue it with the CA certificate and generate a certificate for the user; after
generation, you may cancel, delete, export and view the certificate.
The generated user certificate must be signed with the CA private key, so before issuing a user
certificate you must have the CA certificate and private key.
Configuration steps:
Step 1  configure terminal                               Enter configuration mode
Step 2  ca ca sign NAME days DAYS password PASSWORD      Issue user certificate
Step 3  show certificate NAME                            Display user certificate information
Parameter description: ca ca sign NAME days DAYS password PASSWORD
Parameter    Description                       Default configuration
NAME         Name of generated request         None
DAYS         Days of validity period           None
PASSWORD     Password of packed pkcs12 file
29.2.15 Issue user certificate request
To create a user certificate, you create a user certificate request (generating the request file and the
public-private key pair), issue it with the CA certificate and generate a certificate for the user; after
generation, you may cancel, delete, export and view the certificate.
The generated user certificate must be signed with the CA private key, so before issuing a user
certificate you must have the CA certificate and private key.
Configuration steps:
Step 1  configure terminal                               Enter configuration mode
Step 2  ca ca sign NAME days DAYS password PASSWORD      Issue user certificate
Step 3  show certificate NAME                            Display user certificate information
Parameter description: ca ca sign NAME days DAYS password PASSWORD
Parameter    Description                       Default configuration
NAME         Name of generated request         None
DAYS         Days of validity period           None
PASSWORD     Password of packed pkcs12 file
29.2.16 Export user certificate
Export user certificate: the user may copy the exported user certificate to the user terminal as the
user identity label.
Configuration steps:
Step 1  configure terminal                                         Enter configuration mode
Step 2  ca ca certificate export tftp A.B.C.D CERTIFICATE_NAME     Export user certificate
Parameter description: ca ca certificate export tftp A.B.C.D CERTIFICATE_NAME
Parameter           Description                 Default configuration
A.B.C.D             Tftp server address         None
CERTIFICATE_NAME    Name of user certificate    None
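The CA-center workflow of this chapter (CA certificate with the request fields of 29.2.2 to 29.2.9, user certificate issued and packed as a password-protected pkcs12 file as in 29.2.15, CRL update as in 29.2.12) together with the client-side check described in 28.1 (a terminal certificate is verified against the CA certificate and its CRL), as an added Python example that is not the equipment's code. It assumes the third-party `cryptography` package; the subject names, e-mail addresses and the password are constructed, and the clock is pinned to the date shown in the manual's `show date` output so that validity windows are reproducible.

```python
"""CA center (chapter 29) and terminal-certificate verification (28.1): added example, not vendor code.

Assumes the third-party `cryptography` package.  All names and the password are constructed.
"""
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12

NOW = datetime.datetime(2015, 7, 25, 15, 17, 7)     # fixed clock (the manual's show date value)


def make_name(country, state, city, organization, unit, email, common_name):
    """Subject fields matching the request information of 29.2.2 to 29.2.7."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state),
        x509.NameAttribute(NameOID.LOCALITY_NAME, city),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, unit),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def _validity(cert):
    """Validity window as naive UTC datetimes, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


class CaCenter:
    """The three CA-center functions of 29.1: CA certificate, user certificates, CRL."""

    def __init__(self, subject, keylength=2048, days=365):       # 29.2.8 / 29.2.9 defaults
        self.key = rsa.generate_private_key(public_exponent=65537, key_size=keylength)
        self.cert = (x509.CertificateBuilder()
                     .subject_name(subject).issuer_name(subject)
                     .public_key(self.key.public_key())
                     .serial_number(x509.random_serial_number())
                     .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=days))
                     .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
                     .sign(self.key, hashes.SHA256()))
        self.revoked = []                                         # (serial, reason) cancelled so far

    def sign(self, subject, days, password):
        """'ca ca sign NAME days DAYS password PASSWORD': issue a user certificate and pack it with
        its private key as a password-protected PKCS#12 file."""
        user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        cert = (x509.CertificateBuilder()
                .subject_name(subject).issuer_name(self.cert.subject)
                .public_key(user_key.public_key())
                .serial_number(x509.random_serial_number())
                .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=days))
                .sign(self.key, hashes.SHA256()))                 # signed with the CA private key
        p12 = pkcs12.serialize_key_and_certificates(
            b"user", user_key, cert, [self.cert],
            serialization.BestAvailableEncryption(password.encode()))
        return cert, p12

    def revoke(self, cert, reason=x509.ReasonFlags.key_compromise):
        self.revoked.append((cert.serial_number, reason))

    def crl_update(self):
        """'ca ca crl update': CRL carrying every cancelled serial and its reason."""
        builder = (x509.CertificateRevocationListBuilder()
                   .issuer_name(self.cert.subject)
                   .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
        for serial, reason in self.revoked:
            builder = builder.add_revoked_certificate(
                x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
                .add_extension(x509.CRLReason(reason), critical=False).build())
        return builder.sign(self.key, hashes.SHA256())


def verify_terminal_certificate(cert, ca_cert, crl, now):
    """Client-side check of 28.1: the CA certificate *and* its CRL are both required."""
    if cert.issuer != ca_cert.subject:
        return "untrusted issuer"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad signature"
    not_before, not_after = _validity(cert)
    if not not_before <= now <= not_after:
        return "expired"
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_cert.public_key()):
        return "bad CRL"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"


def demo(password="constructed-p12-password"):
    """Issue, verify, expire, revoke and unpack a user certificate; return the observations."""
    ca = CaCenter(make_name("GB", "Beijing", "Beijing", "Example Org", "IT",
                            "ca@example.test", "Example CA"))
    user_cert, p12 = ca.sign(make_name("GB", "Beijing", "Beijing", "Example Org", "Sales",
                                       "zhangsan@example.test", "Zhang San"),
                             days=365, password=password)
    results = {"issued": verify_terminal_certificate(user_cert, ca.cert, ca.crl_update(), NOW)}
    results["expired"] = verify_terminal_certificate(user_cert, ca.cert, ca.crl_update(),
                                                     NOW + datetime.timedelta(days=366))
    ca.revoke(user_cert)                                          # cancel, then refresh the CRL
    results["revoked"] = verify_terminal_certificate(user_cert, ca.cert, ca.crl_update(), NOW)
    key, cert_from_p12, _ = pkcs12.load_key_and_certificates(p12, password.encode())
    results["p12_round_trip"] = cert_from_p12 == user_cert and key is not None
    try:                                                          # the password guards the key
        pkcs12.load_key_and_certificates(p12, b"wrong-password")
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    return results
```

The ordering inside `verify_terminal_certificate` is deliberate: issuer and signature are checked before the validity window and the CRL, so a certificate that was never issued by the trusted CA is rejected without consulting the CRL at all, and a revoked-but-expired certificate reports the earlier failure. The pkcs12 round trip shows why 29.2.10 warns against handing out p12 exports: the file carries the private key and only the password stands between it and anyone holding the file.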
29.3 Common fault analysis
Phenomenon: When exporting the CA certificate, the prompt reports an exported certificate error.
Analysis: Causes for the error prompt: wrong certificate password, or mismatched public and private key.
Solution: Input the correct certificate password and ensure the public and private key match.
Chapter 30 Configure system log
30.1 Configure system log
System log is a method to record the equipment’s operating condition. The equipment supports the standard
SYSLOG format, including local log and sending log to E-mail, providing the user with methods to know the
system’s operating condition.
The equipment supports a log storage consumption mechanism, namely setting a log storage consumption alarm
and deletion percentage; this may be configured from the CLI, and a mail warning may be sent.
30.2 Configure system log
30.2.1 Default configuration information
Contents                                 Default setting    Remark
Local log (memory)                       Close              Not modified
E-Mail log (email)                       Close              Setting can be changed
SYSLOG server status (enable/disable)    disable            Setting can be changed
SYSLOG service port (port)               514                Setting can be changed
30.2.2 Configure local log
Local log, namely the internal memory log: the system saves each module’s log information in internal
memory.
By default, the system enables local log.
30.2.3 Module sends log to local log
Configuration steps:
Step 1  configure terminal    Enter global configuration mode
Step 2  log (ac| attack| ipsecvpn| av| bgp| config| early-warning| filter| flood| ha| hm| if-info| ips|
        nat| ospf| rip| qos| scan| systrm-info| server| vrrp) memory upto (alerts| emergencies| errors|
        critical| warnings)
        Each module and each log destination corresponds to a priority
30.2.4 Online user enquiry and freeze
Configuration steps:
Step 1  show user-recognition                                      Inquire current online users
Step 2  show user-recognition user name NAME                       Display current online user with user name NAME
Step 3  show user-recognition address host ADDRESS                 Display current online user with IP address ADDRESS
Step 4  show user-recognition address name USER                    Display current online user with user name USER
Step 5  show user-recognition address range ADDRESS1 ADDRESS2      Display current online users with IP address within the range ADDRESS1 to ADDRESS2
Step 6  show user-recognition authenticated                        Display currently authenticated online users
Step 7  configure terminal                                         Enter global configuration mode
Step 8  freeze ip IP TIME                                          Freeze user with IP address IP for freeze time TIME
Step 9  freeze user NAME TIME                                      Freeze user with user name NAME for freeze time TIME
Parameter description: show user-recognition user name NAME
Parameter    Description                         Default configuration
NAME         User object or user object group    None
Parameter description: show user-recognition address host ADDRESS
Parameter    Description        Default configuration
ADDRESS      Host IP address    None
Parameter description: show user-recognition address name USER
Parameter    Description                         Default configuration
USER         User object or user object group    None
Parameter description: show user-recognition address range ADDRESS1 ADDRESS2
Parameter    Description                  Default configuration
ADDRESS1     Start IP of address range    None
ADDRESS2     End IP of address range      None
Parameter description: freeze ip IP TIME
Parameter    Description             Default configuration
IP           IP address to freeze    None
TIME         Freeze time             None
Parameter description: freeze user NAME TIME
Parameter    Description                               Default configuration
NAME         User name or user group name to freeze    None
TIME         Freeze time                               None
30.2.5 Clear local log
The command clears all local log information.
Configuration steps:
Step 1  clear log memory    Clear local log
30.2.6 Module sends log to E-mail
Configuration steps:
Step 1  configure terminal    Enter global configuration mode
Step 2  log (ac| attack| ipsecvpn| av| bgp| config| early-warning| filter| flood| ha| hm| if-info| ips|
        nat| ospf| rip| qos| scan| systrm-info| server| vrrp) email upto (alerts| emergencies| errors|
        critical| warnings)
        Each module and each log destination corresponds to a priority
30.2.7 Enable SYSLOG log server
SYSLOG log: the system can send each module’s log information to a SYSLOG server.
Configuration steps:
Step 1  configure terminal    Enter global configuration mode
Step 2  log server enable     Enable SYSLOG log
Close SYSLOG log with the command “no log server enable”.
30.2.8 Configure SYSLOG server address
Configuration steps:
Step 1  configure terminal                    Enter global configuration mode
Step 2  log server address A.B.C.D            Configure SYSLOG server address as A.B.C.D
Step 3  log server second address A.B.C.D     Configure the 2nd log server address
Step 4  log server third address A.B.C.D      Configure the 3rd log server address
User may cancel the SYSLOG server addresses with the commands “no log server address”, “no log second
address” and “no log third address”.
30.2.9 Configure SYSLOG server port
Configuration steps:
Step 1  configure terminal           Enter global configuration mode
Step 2  log server port <1-65535>    Configure SYSLOG server port, range 1-65,535
User may restore the SYSLOG server port to its default with the command “no log server port”.
30.2.10 Module sends log to SYSLOG server
Configuration steps:
Step 1  configure terminal    Enter global configuration mode
Step 2  log (ac| attack| ipsecvpn| av| bgp| config| early-warning| filter| flood| ha| hm| if-info| ips|
        nat| ospf| rip| qos| scan| systrm-info| server| vrrp) server upto (alerts| emergencies| errors|
        critical| warnings)
        Each module and each log destination corresponds to a priority; the lowest level is informational
User may delete all log configurations of the corresponding module with the command “no log (ac| attack|
ipsecvpn| av| bgp| config| early-warning| filter| flood| ha| hm| if-info| ips| nat| ospf| rip| qos| scan|
systrm-info| server| vrrp)”.
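The per-module, per-destination `upto` routing of 30.2.3, 30.2.6 and 30.2.10, together with the server enable/address/port commands of 30.2.7 to 30.2.9 and the `no log MODULE` form, as an added Python example that is not the equipment's code. The manual names only the severities and port 514; the syslog facility (local0), the host name `HOST`, the server address 192.0.2.10 and the sample events are constructed. The 30.4.1 fault (no server output until the server is enabled and addressed) is modelled in `emit`.

```python
"""Module-to-destination log routing re-created from 30.2.3/6/10 (added example, not vendor code).

The facility, host name, server address and events below are constructed for the illustration.
"""
import datetime

# Severity names used by the 'upto' keyword, numbered as in RFC 3164 (0 = most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6}
MODULES = {"ac", "attack", "ipsecvpn", "av", "bgp", "config", "early-warning", "filter",
           "flood", "ha", "hm", "if-info", "ips", "nat", "ospf", "rip", "qos", "scan",
           "systrm-info", "server", "vrrp"}
DESTINATIONS = ("memory", "email", "server")


class LogRouter:
    def __init__(self, facility=16, hostname="HOST"):      # facility 16 = local0 (assumption)
        self.facility, self.hostname = facility, hostname
        self.rules = {}                                      # (module, destination) -> max severity
        self.sinks = {dest: [] for dest in DESTINATIONS}
        self.server = {"enabled": False, "addresses": [], "port": 514}   # 30.2.1 default port

    def configure(self, line):
        """Accept the command forms of 30.2.3/6/7/8/9/10 and their 'no' forms."""
        w = line.split()
        if w[:2] == ["no", "log"] and len(w) == 3:           # 'no log MODULE': drop all its rules
            self.rules = {k: v for k, v in self.rules.items() if k[0] != w[2]}
        elif w == ["no", "log", "server", "enable"]:
            self.server["enabled"] = False
        elif w == ["log", "server", "enable"]:
            self.server["enabled"] = True
        elif w[:3] == ["log", "server", "address"] and len(w) == 4:
            self.server["addresses"].append(w[3])
        elif w[:3] == ["log", "server", "port"] and len(w) == 4 and 1 <= int(w[3]) <= 65535:
            self.server["port"] = int(w[3])
        elif (len(w) == 5 and w[0] == "log" and w[1] in MODULES
              and w[2] in DESTINATIONS and w[3] == "upto" and w[4] in SEVERITY):
            self.rules[(w[1], w[2])] = SEVERITY[w[4]]
        else:
            raise ValueError(f"unrecognised command: {line!r}")

    def format_syslog(self, severity, module, message, when):
        """RFC 3164 line; PRI is facility * 8 + severity."""
        return (f"<{self.facility * 8 + severity}>{when:%b %d %H:%M:%S} "
                f"{self.hostname} {module}: {message}")

    def emit(self, module, level, message, when):
        """Deliver one event; return the destinations that actually received it."""
        severity = SEVERITY[level]
        delivered = []
        for dest in DESTINATIONS:
            limit = self.rules.get((module, dest))
            if limit is None or severity > limit:            # 'upto': this level and more severe
                continue
            line = self.format_syslog(severity, module, message, when)
            if dest == "server":                             # 30.4.1: needs enable and an address
                if not (self.server["enabled"] and self.server["addresses"]):
                    continue
                for addr in self.server["addresses"]:
                    self.sinks["server"].append((addr, self.server["port"], line))
            else:
                self.sinks[dest].append(line)
            delivered.append(dest)
        return delivered


def demo():
    """Drive the router with constructed configuration and events."""
    router = LogRouter()
    when = datetime.datetime(2015, 7, 25, 23, 17, 30)
    for cmd in ["log if-info memory upto notifications",      # the 30.3.1 case
                "log scan server upto warnings",
                "log scan email upto alerts",
                "log server enable",
                "log server address 192.0.2.10"]:              # constructed server address
        router.configure(cmd)
    seen = [router.emit("if-info", "notifications", "interface up", when),
            router.emit("if-info", "informational", "counters reset", when),
            router.emit("scan", "warnings", "tcp scan from 10.1.1.121 blocked", when),
            router.emit("scan", "emergencies", "scan table exhausted", when)]
    router.configure("no log scan")                           # 30.2.10: remove the module's rules
    seen.append(router.emit("scan", "emergencies", "scan table exhausted", when))
    return seen, router.sinks["server"]
```

The informational event is dropped because `upto notifications` admits only notifications and more severe levels, and the emergency from the scan module reaches both e-mail and the server because it satisfies both rules; once `no log scan` is applied the module is silent everywhere. PRI 132 in the first server datagram is local0 (16) times 8 plus warnings (4).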
30.2.11 Enable centralized management center’s server
The system sends information, including its current address, to the centralized management center
server.
Configuration steps:
Step 1  configure terminal      Enter global configuration mode
Step 2  state server enable     Send report to centralized management center server
User may disable report sending to the centralized management center with the command “no state server
enable”.
30.2.12 Configure centralized management center’s server address
Configuration steps:
Step 1  configure terminal                     Enter global configuration mode
Step 2  state server addr A.B.C.D              Configure centralized management center server address as A.B.C.D
Step 3  state server second addr A.B.C.D       Configure the 2nd centralized management center address
User may cancel the centralized management center server with the commands “no state server addr” and
“no state server second addr”.
30.2.13 Configure the port of centralized management center server
Configuration steps:
Step 1  configure terminal                          Enter global configuration mode
Step 2  log server state port <1-65535>             Configure the port of the centralized management center server, range 1-65,535
Step 3  log server second state port <1-65535>      Configure the port of the 2nd centralized management center server, range 1-65,535
30.3 Configuration cases
30.3.1 Configuration cases1: configure local log
Case description
Configure the interface module’s notifications-level log to local log.
Configuration steps:
Step 1  Configure the interface module’s internal memory log level:
HOST# config terminal
HOST(config)# log if-info memory upto notifications
HOST(config)#exit
Step 2  View the configuration:
HOST#show log-config
log if-info memory upto notifications
!
30.4 Common fault analysis
30.4.1 Fault phenomenon 1: SYSLOG log failure
Phenomenon: The corresponding module log cannot be viewed on the SYSLOG server
Analysis:
1) Whether the SYSLOG server’s address and port number are correctly configured;
2) Whether the module log type and level are designated to the SYSLOG server.
Solution:
1) Check that the SYSLOG server’s address and port number are correctly configured;
2) Check that the module log type and level are designated to the SYSLOG server.
30.4.2 Fault phenomenon 2: E-mail log failure
Phenomenon: The mail carrying the corresponding module information is not received
Analysis:
1) Whether the E-mail parameters are correctly configured;
2) Whether the module log type and level are designated to the E-mail log.
Solution:
1) Check that the E-mail parameters are correctly configured;
2) Check that the module log type and level are designated to the E-mail log.
Chapter 31 System maintenance
System maintenance includes system time setting, E-mail setting, system related backup recovery,
system upgrade and diagnosis.
31.1 System time setting
31.1.1 View system’s continuous operation time
View steps:
Step 1  View system’s continuous operation time
host# show system uptime
current time   : Sat Jul 25 23:17:30 2015
system runtime : 1 day 2 hours 3 minutes
It means the current time is 23:17:30 on Sat Jul 25 2015, and the system has run for 1 day 2 hours 3 minutes.
31.1.2 View system’s current date and time
View steps:
Step 1  View system’s current date and time
host# show date
ABS time   :1437837427
UTC time   :2015-07-25 15:17:07
Local time :2015-07-25 23:17:07
ABS time is the absolute time in seconds since the Unix epoch (1970-01-01 00:00:00 UTC), UTC time is the system’s current UTC time, and Local time is the system’s current local time.
View system’s current time zone
View steps:
Step 1  View system’s current time zone
HOST# show timezone
timezone 57
It means the current time zone is the 57th time zone (namely CST, Time Zone of China, GMT+08:00).
31.1.3 Configure system’s current time zone
Configuration steps:
Step 1  Configure system’s current time zone
HOST(config)# timezone 57
Configure the current time zone as the 57th time zone (namely CST, Time Zone of China).
Time zone parameters are as follows:
1 zone1=GMT-12:00 West of the date line
2 zone2=GMT-11:00 Midway Islands, Samoa Islands
3 zone3=GMT-10:00 Hawaii
4 zone4=GMT-09:00 Alaska
5 zone5=GMT-08:00 PT (USA and Canada), Tijuana
6 zone6=GMT-07:00 Mountain Time (USA and Canada)
7 zone7=GMT-07:00 Arizona
8 zone8=GMT-07:00 Chihuahua, La Paz, Mazatlan
9 zone9=GMT-06:00 Saskatchewan
10 zone10=GMT-06:00 Central Time (USA and Canada)
11 zone11=GMT-06:00 Central America
12 zone12=GMT-06:00 Guadalajara, Mexico City, Monterrey
13 zone13=GMT-05:00 Bogota, Lima, Quito
14 zone14=GMT-05:00 Eastern Time (USA and Canada)
15 zone15=GMT-05:00 Indiana (East)
16 zone16=GMT-04:00 Atlantic Time (USA and Canada)
17 zone17=GMT-04:00 Caracas, La Paz
18 zone18=GMT-04:00 Santiago
19 zone19=GMT-03:30 Newfoundland
20 zone20=GMT-03:00 Brasilia
21 zone21=GMT-03:00 Buenos Aires, Georgetown
22 zone22=GMT-03:00 Greenland
23 zone23=GMT-02:00 Middle Atlantic
24 zone24=GMT-01:00 Cape Verde Islands
25 zone25=GMT-01:00 Azores Islands
26 zone26=GMT Greenwich, Dublin, Edinburgh, London, Lisbon
27 zone27=GMT Casablanca, Monrovia
28 zone28=GMT+01:00 Amsterdam, Berlin, Berne, Rome, Stockholm, Vienna
29 zone29=GMT+01:00 Belgrade, Bratislava, Budapest, Ljubljana
30 zone30=GMT+01:00 Brussels, Copenhagen, Madrid, Paris
31 zone31=GMT+01:00 Sarajevo, Skopje, Warsaw, Zagreb
32 zone32=GMT+01:00 Central Africa West
33 zone33=GMT+02:00 Bucharest
34 zone34=GMT+02:00 Harare, Pretoria
35 zone35=GMT+02:00 Helsinki, Kiev, Riga, Sofia, Tallinn, Vilnius
36 zone36=GMT+02:00 Cairo
37 zone37=GMT+02:00 Athens, Beirut, Istanbul, Minsk
38 zone38=GMT+02:00 Jerusalem
39 zone39=GMT+03:00 Baghdad
40 zone40=GMT+03:00 Kuwait, Riyadh
41 zone41=GMT+03:00 Moscow, St. Petersburg, Volgograd
42 zone42=GMT+03:00 Nairobi
43 zone43=GMT+03:30 Tehran
44 zone44=GMT+04:00 Abu Dhabi, Muscat
45 zone45=GMT+04:00 Baku, Tbilisi, Yerevan
46 zone46=GMT+04:30 Kabul
47 zone47=GMT+05:00 Ekaterinburg
48 zone48=GMT+05:00 Islamabad, Karachi, Tashkent
49 zone49=GMT+05:30 Madras, Bombay, Calcutta, New Delhi
50 zone50=GMT+05:45 Kathmandu
51 zone51=GMT+06:00 Alma-Ata, Novosibirsk
52 zone52=GMT+06:00 Astana, Dacca
53 zone53=GMT+06:00 Sri Jayawardenepura
54 zone54=GMT+06:30 Rangoon
55 zone55=GMT+07:00 Krasnoyarsk
56 zone56=GMT+07:00 Bangkok, Hanoi, Jakarta
57 zone57=GMT+08:00 Beijing, Chongqing, Urumqi, Hong Kong Special Administrative Region
58 zone58=GMT+08:00 Kuala Lumpur, Singapore
59 zone59=GMT+08:00 Perth
60 zone60=GMT+08:00 Taipei
61 zone61=GMT+08:00 Irkutsk, Ulaanbaatar
62 zone62=GMT+09:00 Osaka, Tokyo, Sapporo
63 zone63=GMT+09:00 Seoul
64 zone64=GMT+09:00 Yakutsk
65 zone65=GMT+09:30 Adelaide
66 zone66=GMT+09:30 Darwin
67 zone67=GMT+10:00 Brisbane
68 zone68=GMT+10:00 Vladivostok
69 zone69=GMT+10:00 Guam, Port Moresby
70 zone70=GMT+10:00 Hobart
71 zone71=GMT+10:00 Canberra, Melbourne, Sydney
72 zone72=GMT+11:00 Magadan, Solomon Islands, New Caledonia
73 zone73=GMT+12:00 Auckland, Wellington
74 zone74=GMT+12:00 Fiji, Kamchatka Peninsula
75 zone75=GMT+13:00 Nuku'alofa
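A wrong zone number or a drifting clock shows up as disagreement between the three values printed by show date, which matters when device logs are correlated with other sources. The Python helper below is an added check, not part of the manual or the device software: it parses the show date and show timezone output of 31.1.2, takes the offset of the configured zone from a subset of the table above (the subset and the exact output layout are assumptions drawn from the examples shown), and verifies that ABS time is the epoch of UTC time and that Local time equals UTC time plus the zone offset.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the "show date" and "show timezone" output from 31.1.2.
SHOW_DATE_OUTPUT = """\
ABS time   :1437837427
UTC time   :2015-07-25 15:17:07
Local time :2015-07-25 23:17:07
"""
SHOW_TIMEZONE_OUTPUT = "timezone 57\n"

# Subset of the zone table of 31.1.3 (zone number -> offset label); assumed here,
# extend it from the table for other zones.
ZONE_OFFSETS = {
    1: "GMT-12:00", 14: "GMT-05:00", 26: "GMT", 28: "GMT+01:00",
    43: "GMT+03:30", 50: "GMT+05:45", 57: "GMT+08:00", 65: "GMT+09:30",
    75: "GMT+13:00",
}


def parse_gmt_offset(label):
    """Turn 'GMT+08:00', 'GMT-03:30' or plain 'GMT' into a timedelta."""
    m = re.fullmatch(r"GMT(?:([+-])(\d{2}):(\d{2}))?", label)
    if not m:
        raise ValueError("unrecognised zone label: %r" % label)
    if m.group(1) is None:
        return timedelta(0)
    sign = 1 if m.group(1) == "+" else -1
    return sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))


def parse_show_date(text):
    """Split the three 'show date' lines into (epoch, aware UTC datetime, naive local datetime)."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")      # only the first ':' separates key and value
        fields[key.strip()] = value.strip()
    fmt = "%Y-%m-%d %H:%M:%S"
    abs_epoch = int(fields["ABS time"])
    utc = datetime.strptime(fields["UTC time"], fmt).replace(tzinfo=timezone.utc)
    local_naive = datetime.strptime(fields["Local time"], fmt)
    return abs_epoch, utc, local_naive


def parse_show_timezone(text):
    m = re.search(r"timezone\s+(\d+)", text)
    if not m:
        raise ValueError("no timezone line found")
    return int(m.group(1))


def check_clocks(date_output, timezone_output):
    """Return the two consistency checks: ABS vs UTC, and Local vs UTC + zone offset."""
    abs_epoch, utc, local_naive = parse_show_date(date_output)
    zone = parse_show_timezone(timezone_output)
    offset = parse_gmt_offset(ZONE_OFFSETS[zone])
    expected_local = (utc + offset).replace(tzinfo=None)
    return {
        "zone": zone,
        "offset_minutes": int(offset.total_seconds() // 60),
        "abs_matches_utc": int(utc.timestamp()) == abs_epoch,
        "local_matches_zone": expected_local == local_naive,
    }


if __name__ == "__main__":
    print(check_clocks(SHOW_DATE_OUTPUT, SHOW_TIMEZONE_OUTPUT))
```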
31.1.4 Manually set system’s current date and time
Command Description: date <2006-2030> <1-12> <1-31> <0-23> <0-59> <0-59>
Keyword and Parameter   Description
<2006-2030>             Configure the year
<1-12>                  Configure the month
<1-31>                  Configure the date
<0-23>                  Configure the hour
<0-59>                  Configure the minute
<0-59>                  Configure the second
Configuration steps:
Step 1  Set system’s current date and time
HOST# date 2015 04 02 10 20 50
It means setting the system time to 10:20:50 a.m., April 2, 2015.
31.1.5 Set system’s current time with NTP
Configuration steps:
Step 1  Configure the NTP server address and polling interval
HOST(config)# ntp 192.168.2.57 60 [authentication-keyid 1 authentication-mode md5 123456]
It means configuring the NTP server address as 192.168.2.57, the NTP polling interval as 60 s, the authentication key id as 1, the authentication mode as md5 and the authentication key as 123456.
You may remove the NTP configuration with command “no ntp”.
View steps:
Step 1  Show NTP configuration
HOST# show ntp config
timezone 57
ntp 192.168.2.57 60
31.1.6 Update system time immediately with NTP
Step 1  Update system time immediately with NTP
HOST# ntp update time.windows.com
time update success
31.2 System update and related configuration backup recovery
31.2.1 Manual upgrading and configuration restoration
Command Description: copy tftp A.B.C.D RemoteFile (version |config |applib |ipslib |avlib |urllib)
Keyword and Parameter                            Description
tftp                                             Select the tftp protocol to transmit the file
A.B.C.D                                          tftp server address
RemoteFile                                       File name on the tftp server
(version |config |applib |ipslib |avlib |urllib) version: update the software version
                                                 config: update the system configuration file
                                                 applib: update the application file
                                                 ipslib: update the intrusion prevention software
                                                 avlib: update the virus file
                                                 urllib: update the url file
Command Description: write (file|memory|terminal)
Keyword and Parameter     Description
(file|memory|terminal)    file: save the current configuration
                          memory: cache the current configuration
                          terminal: display the current configuration
31.2.2 Automatic upgrade
Step 1  Enter automatic upgrade configuration mode
HOST(config)# auto-update
HOST(auto-update)#
Step 2  Configure the update server
HOST(auto-update)# server 192.168.31.155
Step 3  Configure update on given days of the week
HOST(auto-update)# weekly sun mon null wed null fri null
It means update on every Sunday, Monday, Wednesday and Friday
Step 4  Or configure update on given dates of each month
HOST(auto-update)# monthly 10,20,30
It means update on the 10th, 20th and 30th of each month
Step 5  Configure the update time
HOST(auto-update)# time hour 3 minute 0
It means update at 3:00 a.m.
Step 6  Enable automatic update
HOST(auto-update)# update enable
Step 7  Disable automatic update
HOST(auto-update)# update disable
31.3 System diagnosis
31.3.1 Usage of the Ping command
The equipment detects basic network connectivity with the Ping command, which sends Internet Control Message Protocol (ICMP) echo request messages to a given IP device in the network. Both common users and administrator users may use the Ping command.
If no response message is received from the destination within the set waiting time, the equipment outputs no information; otherwise it displays the byte count of the response message, the message sequence number, the TTL and the response time. Press CTRL+C to end the Ping.
Command Description: ping -c <1-10000> -s <0-65507> -w <0-10> WORD
Keyword and Parameter   Description
-I                      Source address
-c <1-10000>            Number of messages sent
-s <0-65507>            Size of message sent
-t <1-255>              TTL
-w <0-10>               Message reception waiting time
WORD                    Destination address
Detection steps:
Step 1  Test the connectivity from the equipment to IP address 10.13.2.14.
HOST# ping 10.13.2.14
If the equipment is reachable, the following information is shown:
HOST# ping 10.13.2.14
PING 10.13.2.14 (10.13.2.14): 56 data bytes
64 bytes from 10.13.2.14: icmp_seq=0 ttl=64 time=0.3 ms
64 bytes from 10.13.2.14: icmp_seq=1 ttl=64 time=0.0 ms
64 bytes from 10.13.2.14: icmp_seq=2 ttl=64 time=0.0 ms
64 bytes from 10.13.2.14: icmp_seq=3 ttl=64 time=0.0 ms
If it is not reachable, the following information is shown:
HOST# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
31.3.2 Use of the Tracerouter command
Tracerouter is another command for network connection detection. Unlike Ping, it not only detects whether the network is connected but also locates the problematic segment of the data packet’s transmission path. The output of the Tracerouter command lists the IP addresses of all gateways on the way to the destination together with the round-trip duration for each; if a gateway times out, “*” is displayed.
Command Description: tracerouter [-s A.B.C.D] [-u <0-65535>] WORD
Keyword and Parameter   Description
WORD                    Destination IP address or domain name
Detection steps:
Step 1  Test the connectivity from the equipment to IP address 192.168.10.1.
HOST# tracerouter 192.168.10.1
tracerouter to 192.168.10.1 (192.168.10.1), 30 hops max, 38 byte packets
1 192.168.6.1 (192.168.6.1) 0.466 ms 1.287 ms 0.286 ms
2 192.168.10.1 (192.168.10.1) 2.092 ms 1.265 ms 2.134 ms
Command Description: tracerouter -s A.B.C.D A.B.C.D
Keyword and Parameter   Description
-s A.B.C.D              Designate the source IP address
A.B.C.D                 Target host’s IP address (connection destination)
Command Description: tracerouter -u <1-65535> A.B.C.D
Keyword and Parameter   Description
<1-65535>               Port number
A.B.C.D                 Target host’s IP address
31.3.3 Use of the TCPSYN command
TCPSYN is used to detect whether a port on the other party’s equipment is enabled by sending a TCP SYN message.
Command Description: tcpsyn -c <1-1000> -w <1-1000> A.B.C.D <0-65535>
Keyword and Parameter   Description
A.B.C.D                 Destination address
<0-65535>               Destination port
-c <1-10000>            Number of messages sent
-w <0-10>               Message reception waiting time
Detection steps:
Step 1  Test whether port 22 of the equipment with IP address 192.168.31.155 is enabled
HOST# tcpsyn 192.168.31.155 22
tcpsyn to 192.168.31.155:22
1 * TCP SYN timeout: reason=2.
2 * TCP SYN timeout: reason=2.
3 * TCP SYN timeout: reason=2.
4 * TCP SYN timeout: reason=2.
5 * TCP SYN timeout: reason=2.
Port 22 is not enabled (all five SYN messages timed out)
Step 2  Test whether port 21 of the equipment with IP address 192.168.31.155 is enabled
HOST# tcpsyn 192.168.31.155 21
tcpsyn to 192.168.31.155:21
1 TCP ACK form 192.168.31.155:21
2 TCP ACK form 192.168.31.155:21
3 TCP ACK form 192.168.31.155:21
4 TCP ACK form 192.168.31.155:21
5 TCP ACK form 192.168.31.155:21
Port 21 is enabled
31.4 E-mail setting
31.4.1 Configure SMTP server name or address
Configuration steps:
Steps   Executive command     Description
1       configure terminal    Enter global configuration mode
2       smtp-config           Enter SMTP configuration mode
3       server NAME           Configure server name or IP
4       server address        Configure server name or IP
5       server port           Configure server port
You may delete the SMTP server configuration with command “no server”.
31.4.2 Configure mail sender address
Configuration steps:
Steps   Executive command       Description
1       configure terminal      Enter global configuration mode
2       smtp-config             Enter SMTP configuration mode
3       sender NAME             Configure the mail sender’s address
4       Send-interval <1-60>    Sending interval
Cancel the configuration with command “no sender”.
31.4.3 Configure mail receiver address
Steps   Executive command       Description
1       configure terminal      Enter global configuration mode
2       smtp-config             Enter SMTP configuration mode
3       receiver1 LONGSTRING    Configure the mail receiver’s address. Multiple receiver addresses are separated by “;”, at most 255 characters.
Cancel the configuration with command “no receiver1”.
31.4.4 Configure whether authentication is necessary when mail is sent
Steps   Executive command    Description
1       configure terminal   Enter global configuration mode
2       smtp-config          Enter SMTP configuration mode
3       auth enable          Authentication is necessary
Cancel the authentication requirement for sending mail with command “auth disable”.
31.4.5 Configure the user name used for authentication while sending mail
Steps   Executive command    Description
1       configure terminal   Enter global configuration mode
2       smtp-config          Enter SMTP configuration mode
3       username NAME        Configure the user name used for authentication while sending mail
Cancel the user name configuration for authentication while sending mail with command “no username”.
31.4.6 Configure the authentication password while sending mail
Steps   Executive command    Description
1       configure terminal   Enter global configuration mode
2       smtp-config          Enter SMTP configuration mode
3       passwd PASSWORD      Configure the authentication password while sending mail
You may cancel the authentication password while sending mail with command “no passwd”.
31.4.7 Configure SSL encryption
Steps   Executive command    Description
1       configure terminal   Enter global configuration mode
2       smtp-config          Enter SMTP configuration mode
3       ssl enable           Enable SSL encryption
You may cancel SSL encryption with command “ssl disable”.
31.5 Configure system monitoring
31.5.1 CPU occupancy rate
Steps   Executive command    Description
1       configure terminal   Enter global configuration mode
2       sysmon               Enter sysmon configuration mode
3       log cpu syslog       When the CPU usage rate exceeds the limit, send log to the syslog server
4       log cpu local        When the CPU usage rate exceeds the limit, record log locally
5       log cpu email        When the CPU usage rate exceeds the limit, send log by email
6       sysres cpu Usage     Configure the CPU usage rate warning limit
31.5.2 Internal memory usage rate
Steps   Executive command     Description
1       configure terminal    Enter global configuration mode
2       sysmon                Enter sysmon configuration mode
3       log memory syslog     When the internal memory usage rate exceeds the limit, send log to the syslog server
4       log memory local      When the internal memory usage rate exceeds the limit, record log locally
5       log memory email      When the internal memory usage rate exceeds the limit, send log by email
6       sysres memory Usage   Configure the internal memory usage rate warning limit
31.5.3 Flow configuration
Steps   Executive command               Description
1       configure terminal              Enter global configuration mode
2       sysmon                          Enter sysmon configuration mode
3       log flow syslog                 When the flow exceeds the limit, send log to the syslog server
4       log flow local                  When the flow exceeds the limit, record log locally
5       log flow email                  When the flow exceeds the limit, send log by email
6       sysres flow COUNT_OF_NET_FLOW   Configure the flow warning limit; COUNT_OF_NET_FLOW is the limit value
31.5.4 Configure connection count
Steps   Executive command                     Description
1       configure terminal                    Enter global configuration mode
2       sysmon                                Enter sysmon configuration mode
3       log session syslog                    When the session number exceeds the limit, send log to the syslog server
4       log session local                     When the session number exceeds the limit, record log locally
5       log session email                     When the session number exceeds the limit, send log by email
6       sysres session COUNT_OF_NET_SESSION   Configure the session number warning limit; COUNT_OF_NET_SESSION is the limit value
31.5.5 Configure the size of message
Steps   Executive command                     Description
1       configure terminal                    Enter global configuration mode
2       sysmon                                Enter sysmon configuration mode
3       log packet syslog                     When the packet size exceeds the limit, send log to the syslog server
4       log packet local                      When the packet size exceeds the limit, record log locally
5       log packet email                      When the packet size exceeds the limit, send log by email
6       sysres packet LENGTH_OF_THE_PACKET    Configure the packet size warning limit; LENGTH_OF_THE_PACKET is the packet size limit value
Chapter 32 Configure DNS
32.1 DNS
DNS provides the domain name resolution client function for modules that require DNS: it sends domain name resolution requests to the DNS server, accepts the DNS server’s response, and finally passes the resolved address to each module using DNS.
32.2 Configure DNS
32.2.1 Default configuration information
Contents            Default setting   Remark
Number of retries   2                 Setting cannot be changed
Overtime period     5s                Setting cannot be changed
32.2.2 Configure master DNS server
The DNS client first sends domain name resolution requests to the master DNS server.
Configuration steps:
Step 1  configure terminal              Enter global configuration mode.
Step 2  ip name-server master A.B.C.D   Configure the master DNS server
Clear the master DNS server with command “no ip name-server master”.
32.2.3 Configure backup DNS server
If resolution through the master DNS server fails or times out, the client sends the domain name resolution request to the backup DNS server.
Configuration steps:
Step 1  configure terminal              Enter global configuration mode.
Step 2  ip name-server backup A.B.C.D   Configure the backup DNS server.
Clear the backup DNS server with command “no ip name-server backup”.
32.2.4 DNS inquiry
Domain name resolution
Configuration steps:
Step 1  dns-lookup NAME   Resolve the domain name NAME
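The resolution order of 32.2.2 and 32.2.3 together with the fixed defaults of 32.2.1 (2 retries, 5 s overtime, neither changeable), as an added Python model that is not part of the manual or the device software. The transport is injected so the policy runs offline against a constructed stand-in for the network; reading "2 retries" as two further attempts after the first is an assumption.

```python
import socket

MASTER_DNS = "202.118.3.2"   # master and backup servers of case 32.3.1
BACKUP_DNS = "202.118.3.3"
RETRIES = 2                  # Number of retries (32.2.1, cannot be changed)
TIMEOUT_S = 5.0              # Overtime period (32.2.1, cannot be changed)
# Assumption: "2 retries" means two further attempts after the first, so each
# server is asked at most 1 + RETRIES = 3 times before the client moves on.


def resolve(name, query, servers=(MASTER_DNS, BACKUP_DNS)):
    """Ask the master first; go to the backup only after the master fails or times out.

    `query(server, name, timeout)` is the injected transport: it returns an address
    string or raises socket.timeout. Returns (address, answering_server, attempts),
    where attempts lists every (server, attempt_no, outcome) made, or raises
    LookupError when neither server answered."""
    attempts = []
    for server in servers:
        for attempt_no in range(1, RETRIES + 2):
            try:
                address = query(server, name, TIMEOUT_S)
            except socket.timeout:
                attempts.append((server, attempt_no, "timeout"))
                continue
            attempts.append((server, attempt_no, "answer"))
            return address, server, attempts
    raise LookupError("%s: no answer after %d attempts" % (name, len(attempts)))


def make_stub_transport(answers):
    """Constructed stand-in for the network: a server missing from `answers` never replies."""
    def query(server, name, timeout):
        if server not in answers or name not in answers[server]:
            raise socket.timeout()
        return answers[server][name]
    return query


if __name__ == "__main__":
    # Master unreachable, backup answers: the name still resolves after three timeouts.
    transport = make_stub_transport({BACKUP_DNS: {"www.example.com": "192.0.2.10"}})
    print(resolve("www.example.com", transport))
```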
32.3 Configuration cases
32.3.1 Configuration case
Case description
The DNS server address is 202.118.3.2 and the backup DNS server address is 202.118.3.3. After configuring the DNS service on the equipment, you may send domain name resolution requests to the configured DNS server, accept the DNS server’s response and so resolve domain names.
Configuration steps:
Step 1  Configure the master and backup DNS servers.
HOST_A(config)# ip name-server master 202.118.3.2
HOST_A(config)# ip name-server backup 202.118.3.3
Step 2  View configuration information
HOST# show running-config
!
ip name-server master 202.118.3.2
ip name-server backup 202.118.3.3
32.4 Common fault analysis
32.4.1 Fault phenomenon 1: DNS resolution failed
Phenomenon: DNS resolution fails
Analysis: Wrong DNS server configuration, or no route to the DNS server
Solution: Configure a correct DNS server address or add a route to the DNS server’s network
Chapter 33 Configure administrator user
This chapter covers administrator user and user group configuration, and describes how to configure administrator users and user groups.
33.1 Configure administrator
The ex-factory default configuration includes a super administrator user, admin. With this account the user may log in to the equipment for configuration, including configuration of other administrators. Each administrator may have its own administration address, administration authority and description, and the authority is limited by an authority list. Configuration details are described below. Unless specifically described otherwise, the following configurations are operations under privileged mode.
33.1.1 Configure user authority list
An authority list is used when configuring administrator users. Each administrator corresponds to one administrator authority list and may exercise only the authority specified in that list. Configuration steps are as follows:
Steps to configure user authority list:
Step 1  authorized-table NAME
        If the authority list does not exist, create it and enter its node; if it exists, enter the node directly.
Step 2  authorized (read|write) (all|system-config|log-config|log-read|admin-user|updata|reboot)
        Set the read or write authority in the authority list
Parameter description:
Parameter             Description                                                                                   Default configuration
read                  The parameter that follows is a read authority.                                               None
write                 The parameter that follows is a write authority.                                              None
all                   All functions are enabled.                                                                    None
system-config         Authority configured by system: all authorities other than the following six, plus the authority to object management.   None
log-config/log-read   Authority to log and NetFlow operation.                                                       None
admin-user            Administrator user, authority list and online information operation                           None
updata                Update authority                                                                              None
33.1.2 Configure local user
A local administrator user is one whose user information is stored on the equipment. Configuration steps are as follows:
Steps to configure local user:
Step 1  user administrator USER local PASSWORD authorized-table NAME [disable]
        Create or modify the local administrator user’s password and management authority list; the option “disable” makes the user temporarily invalid.
33.1.3 Configure RADIUS administrator user
A RADIUS administrator user is one whose user information is stored on a RADIUS server. Configuration steps are as follows:
Steps to configure RADIUS administrator user:
Step 1  user administrator USER radius SERVER authorized-table NAME [disable]
        Create or modify the RADIUS administrator user’s RADIUS server and management authority list; the option “disable” makes the user temporarily invalid.
33.1.4 Configure LDAP administrator user
An LDAP administrator user is one whose user information is stored on an LDAP server. Configuration steps are as follows:
Steps to configure LDAP administrator user:
Step 1  user administrator USER ldap SERVER authorized-table NAME [disable]
        Create or modify the LDAP administrator user’s LDAP server and management authority list; the option “disable” makes the user temporarily invalid.
33.1.5 Configure administrator user’s management address
To control the addresses a user may log in from, configure the administrator user’s authorized addresses; if none is configured, the user may log in from any IP address.
Steps to configure administrator user’s authorized address:
Step 1  user administrator USER authorized-address <1-16> (A.B.C.D/M|X:X::X:X/M)
        Configure the authorized address fields. The user may log in from any address within the configured address fields.
33.1.6 Configure the administrator password’s minimum length
Steps to configure the administrator user’s minimum password length:
Step 1  admin password LENGTH   Administrator user’s minimum password length
Parameter description:
Parameter   Description               Default configuration
LENGTH      Minimum password length
33.2 Configure information display command
Information display command list:
Command               Explanation
show admin-user       Display information of currently added administrator users
show running-config   Display the current configuration
Example of the who command display:
Step 1  Display online administrator users:
HOST# who
Login style   Username   IP
Console       admin      *                Mon Apr 9 10:17:19
SSH           admin      192.168.31.117   Mon Apr 9 10:21:17
Telnet        admin      192.168.31.117   Mon Apr 9 10:21:32
33.3 Configuration cases
33.3.1 Configure the authority list function of administrator user
Case description:
Configure the equipment with two administrator users, check and admin. The authority list of check is show-config and the authority list of admin is system-config. Show-config has the show authority, while admin has the authority to read and write all modules. The result is as follows:
User check may only use show commands and cannot enter the CONFIG node;
User admin can use all commands in the system.
Configuration steps:
Step 1  Add authority lists
HOST# configure terminal
HOST(config)# authorized-table reader
HOST(authorized-table)# authorized read all
HOST(authorized-table)# exit
HOST(config)#
HOST# configure terminal
HOST(config)# authorized-table system-config
HOST(authorized-table)# authorized read all
HOST(authorized-table)# authorized write all
HOST(authorized-table)# exit
HOST(config)#
Step 2  Add administrator users
HOST# configure terminal
HOST(config)# user administrator check local zte authorized-table reader
HOST(config)# user administrator admin local zte authorized-table system-config
Step 3  Set the user management address
HOST(config)# user administrator check authorized-address first 192.168.0.10
Step 4  Save the configuration
HOST(config)# write memory
Results achieved:
User check login:
Username: check
Password:
HOST> en
HOST# show admin-user
Admin User Name   User Type   User Status
admin             local       enable
check             local       enable
Total users : 2
HOST# configure terminal
This user is not permited this operation
HOST#
As shown above, user check can only view information after login and cannot enter the config node for configuration.
If the user logs in to the equipment from an address other than 192.168.0.10, the system prompts that the address is not legal and prohibits the login.
Login by user admin:
Username: admin
Password:
HOST> en
HOST# show admin-user
Admin User Name   User Type   User Status
admin             local       enable
check             local       enable
Total users : 2
HOST# configure terminal
HOST(config)#
As shown above, user admin can enter the config node for configuration after login.
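The two controls exercised by this case, the authority list of 33.1.1 (read or write per area) and the authorized address fields of 33.1.5, as an added Python model; it is not part of the manual or the device software. The mapping from CLI commands to the (mode, area) they require is a hypothetical one: the case only shows that show commands need read authority and configure terminal needs write authority.

```python
import ipaddress

# Areas that an "authorized (read|write) ..." line may name (33.1.1).
AREAS = {"all", "system-config", "log-config", "log-read", "admin-user", "updata", "reboot"}


class AuthorizedTable:
    """An authority list: the set of (mode, area) pairs granted by 'authorized' lines."""

    def __init__(self, name):
        self.name = name
        self.grants = set()

    def authorized(self, mode, area):
        if mode not in ("read", "write") or area not in AREAS:
            raise ValueError("bad authorized line: %s %s" % (mode, area))
        self.grants.add((mode, area))
        return self

    def permits(self, mode, area):
        # "all" covers every area for that mode; otherwise the exact pair must be granted.
        return (mode, area) in self.grants or (mode, "all") in self.grants


class AdminUser:
    """A local administrator (33.1.2) with its authority list and address fields (33.1.5)."""

    def __init__(self, name, table, disabled=False):
        self.name = name
        self.table = table
        self.disabled = disabled          # the [disable] option of 33.1.2
        self.authorized_addresses = []    # up to 16 IPv4/IPv6 prefixes

    def authorized_address(self, prefix):
        if len(self.authorized_addresses) >= 16:
            raise ValueError("at most 16 authorized address fields")
        self.authorized_addresses.append(ipaddress.ip_network(prefix, strict=False))
        return self

    def login_allowed(self, source_ip):
        """No address fields configured means any address may log in (33.1.5)."""
        if self.disabled:
            return False
        if not self.authorized_addresses:
            return True
        ip = ipaddress.ip_address(source_ip)
        return any(ip in net for net in self.authorized_addresses)


# Hypothetical command -> (mode, area) requirements; only the first two rows are
# confirmed by the case above, the rest follow the area names of 33.1.1.
COMMAND_REQUIREMENTS = {
    "show admin-user": ("read", "admin-user"),
    "configure terminal": ("write", "system-config"),
    "show running-config": ("read", "system-config"),
    "user administrator": ("write", "admin-user"),
    "reboot": ("write", "reboot"),
}


def command_allowed(user, command):
    """Deny by default: a command not in the table is refused for everyone."""
    for prefix, (mode, area) in COMMAND_REQUIREMENTS.items():
        if command == prefix or command.startswith(prefix + " "):
            return user.table.permits(mode, area)
    return False


# The two users of case 33.3.1 (passwords omitted; they play no part in authorisation).
reader = AuthorizedTable("reader").authorized("read", "all")
system_config = (AuthorizedTable("system-config")
                 .authorized("read", "all").authorized("write", "all"))
check = AdminUser("check", reader).authorized_address("192.168.0.10")
admin = AdminUser("admin", system_config)

if __name__ == "__main__":
    for user, ip, cmd in ((check, "192.168.0.10", "configure terminal"),
                          (check, "192.168.0.11", "show admin-user"),
                          (admin, "10.0.0.1", "configure terminal")):
        print(user.name, ip, user.login_allowed(ip), cmd, command_allowed(user, cmd))
```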
33.4 Fault Analysis
33.4.1 User cannot log in
Fault phenomenon: The user exists, but login with the user name fails
Analysis and solution:
1) Check whether the user is an administrator user;
2) Check whether the range of IP addresses from which the user may log in is limited;
3) Check whether the user is disabled; if so, enable it with command “user administrator check local zte authorized-table Reader”.
4) The user password may be wrong; reset it with command “user administrator check local zte authorized-table Reader”.
33.4.2 Command cannot be executed
Fault phenomenon: The user can log in but cannot execute a command
Analysis and solution: Check whether the user’s corresponding authority list has the corresponding authority with command “show running-config” (View configuration).
Chapter 34 Configure SNMP
34.1 SNMP protocol
SNMP (Simple Network Management Protocol) is a set of network management protocols based on SGMP (Simple Gateway Monitor Protocol), defined by the IETF (Internet Engineering Task Force). In an SNMP-based network management system (NMS), the management workstation uses SNMP to remotely monitor and manage all equipment supporting the protocol (such as computer workstations, terminals, routers, hubs, network printers, etc.); it is mainly responsible for monitoring equipment status, modifying equipment configuration, accepting event warnings, etc.
SNMPv3 keeps the characteristics of SNMPv1 and SNMPv2, namely being easy to understand and implement, while enhancing network management security and providing security management characteristics that the former two versions lack, such as confidentiality, authentication and access control. SNMPv3 has gradually expanded and developed, new management information bases keep being added and more network applications are supported; it is therefore a powerful tool for building network management systems and will promote consistent network development.
Based on need, the snmpv3 characteristics are added to enable the user management mechanism. In addition, a private MIB base is also added.
34.2 Configure SNMP
34.2.1 Default configuration information
SNMP default setting information is shown below:
Table 36-1 SNMP default configuration information
Contents                Default setting   Remark
enable/disable status   disable           Setting can be changed
Version v1              Enable            Setting can be changed
Version v2c             Enable            Setting can be changed
Version v3              Enable            Setting can be changed
Equipment location      Blank             Setting can be changed
Trap address            Blank             Setting can be changed
Group                   public            Setting can be changed
Usm user                Blank             User may be added
34.2.2 Enable SNMP agent
Enable the SNMP agent, after which you may access the MIB library information.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  snmp                 Enter snmp configuration node
Step 3  snmp enable          Enable the snmp agent
Under the snmp node, you may close the snmp agent with command “snmp disable”.
Parameter description: snmp NAME
Parameter   Description             Default configuration
enable      Enable the snmp agent   None
disable     Close the snmp agent    None
34.2.3 Configure equipment’s physical address
Configure the equipment physical address’s character string information.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  snmp                 Enter snmp configuration node
Step 3  syslocation abc      Configure the address as abc
Step 4  end                  Return to Enable mode
User may cancel the syslocation setting and restore the default configuration (blank) with command “no syslocation”.
Parameter description: syslocation NAME
Parameter   Description                     Default configuration
NAME        Equipment address information   Blank
34.2.4 Configure trap address
Configure the IP address to which the snmp agent sends traps.
Configuration steps:
Step 1  configure terminal           Enter configuration mode
Step 2  snmp                         Enter snmp configuration node
Step 3  trap address 192.168.31.2    Configure the trap address as 192.168.31.2
Step 4  end                          Return to Enable mode
User may cancel the trap address setting with command “no trap address”.
Parameter description: trap address A.B.C.D
Parameter   Description                                  Default configuration
A.B.C.D     IP address to which Trap information is sent   None
34.2.5 Configure community
Configure snmp’s community character string.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  snmp                 Enter snmp configuration node
Step 3  community abc        Configure the community as abc
Step 4  end                  Return to Enable mode
User may cancel the community setting with command “no community”, which restores the default value public.
Parameter description: community NAME
Parameter   Description                              Default configuration
NAME        Community character string information   public
34.2.6 Configure SNMP version
Configure which snmp agent versions are enabled or disabled.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  snmp                 Enter snmp configuration node
Step 3  version v1           Enable the snmp agent v1 version
Step 4  end                  Return to Enable mode
User may close the v1 version of the snmp agent with command “no version v1”.
Parameter description: version (v1|v2c|v3)
Parameter     Description                       Default configuration
(v1|v2c|v3)   Enable the snmp agent version     Enable
34.2.7 Configure SNMP USM user
Configure the snmpv3 user and the corresponding authentication and encryption algorithms.
Configuration steps:
Step 1  configure terminal   Enter configuration mode
Step 2  snmp                 Enter snmp configuration node
Step 3  snmpv3 usm-user u1 auth-mode MD5 11111111 privacy DES 11111111
        Create user u1 with the MD5 authentication algorithm and the DES encryption algorithm, both secret keys being 11111111.
Step 4  end                  Return to Enable mode
User may delete user u1 with command “no snmpv3 usm-user u1” and all users with command “no snmpv3 usm-user”.
Parameter description: snmpv3 usm-user NAME auth-mode (MD5|SHA) PASSWORD1 privacy (DES|AES) PASSWORD2
Parameter   Description                               Default configuration
NAME        User name                                 None
(MD5|SHA)   Authentication algorithm                  None
PASSWORD1   Secret key for authentication algorithm   None
(DES|AES)   Encryption algorithm                      None
PASSWORD2   Secret key for encryption algorithm       None
34.3 Configuration cases
34.3.1 Configuration case 1: access to equipment MIB library with MIB Browser
Case description
The server (the equipment) supports the snmp agent with v1, v2c and v3, and the computer (a PC) has the iReasoning MIB Browser software installed as the management station.
[Figure: Computer (management station) connected to Server (equipment)]
Configuration steps:
Step 1  Server configuration
800C_3# configure terminal
800C_3(config)# snmp
800C_3(config-snmp)# snmp enable
800C_3(config-snmp)# syslocation abc
800C_3(config-snmp)# community public
800C_3(config-snmp)# trap address 192.168.31.2
800C_3(config-snmp)# snmpv3 usm-user u1 auth-mode MD5 11111111 privacy DES 11111111
800C_3(config-snmp)# end
800C_3#
Step 2  Configure MIB Browser
Configuration result:
DUT’s show running-config information
snmp
snmp enable
syslocation abc
trap address 192.168.31.2
snmpv3 usm-user u1 auth-mode MD5 secret XMrOjfrJUmSj5p7teDZnBoGy+MLHk26EnNTQfWyFPUmj2o7vvHJEaFzfpMlvuHx privacy DES secret XMrOjfrJUmSj5p7teDZnBoGy+MLHk26EnNTQfWyFPUmj2o7vvHJEaFzfpMlvuHx
!
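The running-config snmp block above is what an auditor reviews against the defaults of Table 36-1 (all three versions enabled, community public) and the algorithm choices of 34.2.7. The Python below is an added example, not part of the manual or the device software: it parses a constructed block in that layout (the secrets are replaced by placeholders) and lists the findings a reviewer would raise; the "no version" and "version" lines are handled as 34.2.6 describes.

```python
import re

# Constructed sample in the layout of the "show running-config" snmp block of 34.3.1;
# the long usm-user secrets are replaced by placeholders.
RUNNING_CONFIG = """\
snmp
snmp enable
syslocation abc
trap address 192.168.31.2
snmpv3 usm-user u1 auth-mode MD5 secret <AUTH-SECRET> privacy DES secret <PRIV-SECRET>
!
"""

DEFAULT_COMMUNITY = "public"         # default from Table 36-1
ALL_VERSIONS = ("v1", "v2c", "v3")   # all enabled by default (Table 36-1)
USM_RE = re.compile(r"snmpv3 usm-user (\S+) auth-mode (MD5|SHA) .* privacy (DES|AES)")


def parse_snmp_block(text):
    """Collect the snmp node's settings, starting from the defaults of Table 36-1."""
    cfg = {"enabled": False, "community": DEFAULT_COMMUNITY,
           "versions": set(ALL_VERSIONS), "usm_users": [], "trap_address": None}
    in_snmp = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_snmp:
            in_snmp = line == "snmp"          # the node starts at the bare "snmp" line
            continue
        if line in ("!", "end", ""):
            break                             # end of the snmp node
        words = line.split()
        if line == "snmp enable":
            cfg["enabled"] = True
        elif line == "snmp disable":
            cfg["enabled"] = False
        elif words[0] == "community":
            cfg["community"] = words[1]
        elif words[:2] == ["no", "version"]:  # "no version v1" closes that version (34.2.6)
            cfg["versions"].discard(words[2])
        elif words[0] == "version":
            cfg["versions"].add(words[1])
        elif words[:2] == ["trap", "address"]:
            cfg["trap_address"] = words[2]
        else:
            m = USM_RE.match(line)
            if m:
                cfg["usm_users"].append(
                    {"name": m.group(1), "auth": m.group(2), "priv": m.group(3)})
    return cfg


def audit_snmp(cfg):
    """Findings a reviewer would raise; an empty list means nothing to report."""
    findings = []
    if not cfg["enabled"]:
        return findings                       # agent closed: nothing is exposed
    weak = sorted({"v1", "v2c"} & cfg["versions"])
    if weak:
        findings.append("community-based versions enabled: " + ", ".join(weak))
        if cfg["community"] == DEFAULT_COMMUNITY:
            findings.append("community string is still the default '%s'" % DEFAULT_COMMUNITY)
    for u in cfg["usm_users"]:
        if u["auth"] == "MD5" or u["priv"] == "DES":
            findings.append("usm-user %s uses %s/%s although SHA/AES are available"
                            % (u["name"], u["auth"], u["priv"]))
    if cfg["trap_address"] is None:
        findings.append("no trap address configured, so traps are not sent anywhere")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(parse_snmp_block(RUNNING_CONFIG)):
        print("-", finding)
```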
34.4 Monitoring and maintenance
34.4.1 View usm user
Use of common show commands:
View usm user:
Step 1  Display usm user configuration
800C_3(config)# snmp
800C_3(config-snmp)# show snmpv3 usm-user
usm-user   authentication   privacy
u1         MD5              DES
total usm-user number: 1
800C_3(config-snmp)#
Snmp is configured with one usm user using DES encryption and the MD5 authentication method.
34.5 Common fault analysis
34.5.1 Fault phenomenon 1: Management station cannot access the agent station’s MIB library
Phenomenon: Access times out or an authentication failure is prompted
Analysis: Wrongly configured community character string or incorrect usm user configuration
Solution: Check and modify the community character string and the usm user configuration