HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P82 Release Notes

The information in this document is subject to change without notice.

© Copyright 2013, 2017 Hewlett Packard Enterprise Development LP

Contents

Version information ···········································································1

Version number ··························································································································· 1

Version history ···························································································································· 2

Hardware and software compatibility matrix ······················································································ 7

Upgrading restrictions and guidelines······························································································· 8

Hardware feature updates ··································································9

CMW710-R0306P82 ····················································································································· 9

CMW710-R0306P30 ····················································································································· 9

CMW710-R0306P07 ····················································································································· 9

CMW710-R0305P08 ····················································································································· 9

CMW710-R0305P04 ····················································································································· 9

CMW710-R0304P02 ····················································································································· 9

CMW710-R0304 ·························································································································· 9

CMW710-E0302P06 ··················································································································· 10

CMW710-E0102 ························································································································ 10

Software feature and command updates ············································· 10

MIB updates ·················································································· 11

Operation changes ········································································· 20

Restrictions and cautions ································································· 21

Open problems and workarounds ······················································ 21

List of resolved problems ································································· 21

Resolved problems in CMW710-R0306P82 ···················································································· 21

Resolved problems in CMW710-R0306P81 ···················································································· 22

Resolved problems in CMW710-R0306P80 ···················································································· 23

Resolved problems in CMW710-R0306P70 ···················································································· 26

Resolved problems in CMW710-R0306P52 ···················································································· 29

Resolved problems in CMW710-R0306P30 ···················································································· 33

Resolved problems in CMW710-R0306P12 ···················································································· 37

Resolved problems in CMW710-R0306P11 ···················································································· 38

Resolved problems in CMW710-R0306P07 ···················································································· 40

Resolved problems in CMW710-R0305P08 ···················································································· 43

Resolved problems in CMW710-R0305P04 ···················································································· 50

Resolved problems in CMW710-R0305 ·························································································· 53

Resolved problems in CMW710-R0304P12 ···················································································· 54

Resolved problems in CMW710-R0304P04 ···················································································· 57

Resolved problems in CMW710-R0304P02 ···················································································· 63

Resolved problems in CMW710-R0304 ·························································································· 65

Resolved problems in CMW710-E0302P06 ····················································································· 65

Resolved problems in CMW710-E0102 ·························································································· 67

Resolved problems in CMW710-E0006P02 ····················································································· 67

Support and other resources····························································· 67

Accessing Hewlett Packard Enterprise Support················································································ 67

Documents ······························································································································· 67

Related documents ·············································································································· 68

Documentation feedback ······································································································ 69

Appendix A Feature list ··································································· 70

Hardware features ······················································································································ 70

Software features ······················································································································· 77


Appendix B Upgrading software ························································ 81

Software types ·························································································································· 81

Upgrade methods ······················································································································ 81

Preparing for the upgrade ············································································································ 82

Centralized devices upgrading from the CLI ···················································································· 83

Saving the running configuration and verifying the storage space ················································· 83

Downloading the image file to the router ·················································································· 83

Specifying the startup image file ····························································································· 84

Rebooting and completing the upgrade ··················································································· 85

Distributed devices upgrading from the CLI ····················································································· 86

Display the slot number of the active MPU ··············································································· 86

Save the current configuration and verify the storage space ·························································· 86

Download the image file to the router ······················································································ 87

Specifying the startup image file ····························································································· 87

Reboot and completing the upgrade ······················································································· 89

Distributed devices ISSU ············································································································· 90

Disabling the standby MPU auto-update function ······································································· 91

Saving the running configuration and verifying the storage space ················································· 91

Downloading the upgrade image file to the router ······································································ 92

Upgrading the standby MPU ·································································································· 92

Upgrading the active MPU ···································································································· 94

Upgrading from the BootWare menu ······························································································ 96

Accessing the BootWare menu ······························································································ 96

Using TFTP/FTP to upgrade software through an Ethernet port ··················································· 98

Using XMODEM to upgrade software through the console port ·················································· 101

Managing files from the BootWare menu ······················································································ 105

Displaying all files ·············································································································· 106

Changing the type of a system software image ······································································· 106

Deleting files ···················································································································· 107

Handling software upgrade failures ······························································································ 108

Appendix C Handling console login password loss ······························ 108

Disabling password recovery capability ························································································ 108

Handling console login password loss ·························································································· 109

Examining the password recovery capability setting ································································· 110

Using the Skip Current System Configuration option ································································ 111

Using the Skip Authentication for Console Login option ···························································· 112

Using the Restore to Factory Default Configuration option························································· 112


List of Tables

Table 1 Version history ................................................................................................................................... 2

Table 2 HPE product device numbers matrix ........................................................................................... 7

Table 3 Hardware and software compatibility matrix ............................................................................ 7

Table 4 MIB updates .................................................................................................................................... 11

Table 5 MSR1000 specifications ................................................................................................................. 70

Table 6 MSR2000/MSR2000 TAA specifications ....................................................................................... 70

Table 7 MSR3000/MSR3000 TAA specifications ....................................................................................... 71

Table 8 MSR4000 specifications ................................................................................................................. 72

Table 9 MSR4000/MSR4000 TAA MPU Specification ............................................................................... 72

Table 10 MSR4000 SPU Specification ........................................................................................................ 72

Table 11 MSR2004-24 AC power module specifications ...................................................................... 73

Table 12 MSR2004-48 DC power module specifications ...................................................................... 73

Table 13 MSR3044/MSR3064/MSR4060/MSR4080 AC power module specifications ...................... 73

Table 14 MSR3044/MSR3064/MSR4060/MSR4080 DC power module specifications ...................... 73

Table 15 MSR3044/MSR3064/MSR4060/MSR4080 PoE power module specifications ...................... 73

Table 16 MSR series routers Module List ..................................................................................................... 73

Table 17 Sierra Modem Module and Host/card compatibility matrix ............................................... 77

Table 18 MSR Series routers software features ........................................................................................ 77

Table 19 Storage media ............................................................................................................................. 82

Table 20 BootWare menu options ............................................................................................................ 97

Table 21 Ethernet submenu options ......................................................................................................... 98

Table 22 Network parameter fields and shortcut keys ......................................................................... 99

Table 23 Serial submenu options ............................................................................................................. 101

Table 24 File Control submenu options .................................................................................................. 106

Table 25 BootWare options and password recovery capability compatibility matrix ................. 108


This document describes the features, restrictions and guidelines, open problems, and workarounds for version R0306P82. Before you use this version in a live network, back up the configuration and test the version so that the software upgrade does not affect your live network.

Use this document in conjunction with HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P82 Release Notes (Software Feature Changes) and the documents listed in Related documents.

Version information

Version number

HPE Comware Software, Version 7.1.059, Release 0306P82

The following is sample output from the display version command:

<HPE> display version

HPE Comware Software, Version 7.1.059, Release 0306P82

Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP

HPE MSR3064 uptime is 0 weeks, 0 days, 0 hours, 2 minutes

Last reboot reason : User reboot

Boot image: cfa0:/msr3000-cmw710-boot-r0306p82.bin

Boot image version: 7.1.059P29, Release 0306P82

Compiled Jan 04 2017 16:00:00

System image: cfa0:/msr3000-cmw710-system-r0306p82.bin

System image version: 7.1.059, Release 0306P82

Compiled Jan 04 2017 16:00:00

Feature image(s) list:

cfa0:/msr3000-cmw710-security-r0306p82.bin, version: 7.1.059

Compiled Jan 04 2017 16:00:00

cfa0:/msr3000-cmw710-voice-r0306p82.bin, version: 7.1.059

Compiled Jan 04 2017 16:00:00

cfa0:/msr3000-cmw710-data-r0306p82.bin, version: 7.1.059

Compiled Jan 04 2017 16:00:00

CPU ID: 0x4

2G bytes DDR3 SDRAM Memory

8M bytes Flash Memory

PCB Version: 2.0

CPLD Version: 2.0

Basic BootWare Version: 1.60

Extended BootWare Version: 1.60

[SLOT 0]AUX (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 0]GE0/0 (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 0]GE0/1 (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 0]GE0/2 (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 0]CELLULAR0/0 (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 0]CELLULAR0/1 (Hardware)2.0, (Driver)1.0, (CPLD)2.0

[SLOT 6]HMIM-1CE3 (Hardware)2.0, (Driver)1.0, (CPLD)1.0

[SLOT 7]HMIM-2T1 (Hardware)3.0, (Driver)1.0, (CPLD)4.0


[SLOT 9]HMIM-4T1-F (Hardware)3.0, (Driver)1.0, (CPLD)3.0

Version history

Table 1 Version history

Version number: CMW710-R0306P82
Last version: CMW710-R0306P81
Release date: 2017-01-10
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Fixes bugs

Version number: CMW710-R0306P81
Last version: CMW710-R0306P80
Release date: 2016-12-01
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Fixes bugs

Version number: CMW710-R0306P80
Last version: CMW710-R0306P70
Release date: 2016-10-31
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Fixes bugs

Version number: CMW710-R0306P70
Last version: CMW710-R0306P52
Release date: 2016-09-28
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Fixes bugs

Version number: CMW710-R0306P52
Last version: CMW710-R0306P30
Release date: 2016-08-26
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. MAC address recording in TCP packets
  2. Configuring the leased line service for an ISDN BRI interface
  3. LLDP PVID inconsistency check
  Modified feature:
  1. High encryption
  2. OSPF
  3. Policy-based routing
  4. MIB objects
  5. Setting ISP domain status
  6. Excluding an attribute from portal protocol packets
  7. NTP
  8. Transceiver modules
  9. E1POS
  Fixes bugs

Version number: CMW710-R0306P30
Last version: CMW710-R0306P12
Release date: 2016-06-08
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. SIP compatibility
  Modified feature:
  1. OSPF performance
  2. Telnet redirect
  3. POS terminal access
  4. License
  5. IP performance optimization
  Fixes bugs

Version number: CMW710-R0306P12
Last version: CMW710-R0306P11
Release date: 2016-04-27
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Modified feature:
  1. Configuring an SSH user
  2. AAA
  3. Configuring a cellular interface for a 3G/4G modem
  4. VXLAN
  5. DHCP
  Fixes bugs.

Version number: CMW710-R0306P11
Last version: CMW710-R0306P07
Release date: 2016-04-13
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. Voice VLAN
  Modified feature:
  1. MPLS QoS support for matching the EXP field
  2. MPLS QoS support for marking the EXP field
  3. Automatic configuration
  Removed feature:
  1. Tinyproxy
  Fixes bugs.

Version number: CMW710-R0306P07
Last version: CMW710-R0305P08
Release date: 2016-03-16
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. L2TP-based EAD
  2. CFD configuration
  Modified feature:
  1. Support using dots in user profile name
  2. Default size of the TCP receive and send buffer
  3. Support for obtaining fan tray and power module vendor information through MIB
  4. Supporting per-packet load sharing
  5. Automatic configuration
  6. Software image signature
  Fixes bugs.

Version number: CMW710-R0305P08
Last version: CMW710-R0305P04
Release date: 2016-01-10
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. mGRE
  2. Disabling transceiver module alarm
  Modified feature:
  1. Default user role
  2. Debugging
  Fixes bugs.

Version number: CMW710-R0305P04
Last version: First release
Release date: 2015-12-18
Release type: Release version
Remarks: Only support MSR3012 AC Router

Version number: CMW710-R0305P04
Last version: CMW710-R0305
Release date: 2015-11-25
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. Public key management support for Suite B
  2. PKI support for Suite B
  3. IPsec support for Suite B
  4. SSL support for Suite B
  5. FIPS support for Suite B
  6. SSH support for Suite B
  7. Ignoring the first AS number of EBGP route updates for a peer or peer group
  Modified feature:
  1. Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces
  2. Changing the maximum number of FIB table entries
  3. Enabling CWMP
  4. The logo of HP is changed to HPE
  Fixes bugs.

Version number: CMW710-R0305
Last version: CMW710-R0304P12
Release date: 2015-10-23
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. IKE
  Modified feature:
  1. IPsec
  Fixes bugs.

Version number: CMW710-R0304P12
Last version: CMW710-R0304P04
Release date: 2015-09-15
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. Including vendor information in PPP accounting requests
  2. BFD for an aggregation group
  Modified feature:
  1. SSH username
  2. IS-IS hello packet sending interval
  3. MP-group interface numbering
  Fixes bugs.

Version number: CMW710-R0304P04
Last version: CMW710-R0304P02
Release date: 2015-08-18
Release type: Release version
Remarks: Support MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. Media Stream Control (MSC) logging
  Modified feature:
  1. ESP encryption algorithms
  Fixes bugs.

Version number: CMW710-R0304P02
Last version: CMW710-R0304
Release date: 2015-07-22
Release type: Release version
Remarks: Support MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. IMSI/SN binding authentication
  2. Specifying a band for a 4G modem
  3. CFD
  4. Using tunnel interfaces as OpenFlow ports
  5. NETCONF support for ACL filtering
  6. Specifying a backup traffic processing unit
  7. WAAS
  8. Support for the MKI field in SRTP or SRTCP packets
  9. SIP domain name
  10. E&M logging
  11. Add new cards
  Modified feature:
  1. Setting the global link-aggregation load-sharing mode
  Fixes bugs.

Version number: CMW710-R0304
Last version: CMW710-E0302P06
Release date: 2015-06-29
Release type: Release version
Remarks: Support MSR1000_2000_3000_4000 series, added MSR1003-8S
  New feature:
  1. Setting the RTC version
  2. Setting the maximum size of advertisement files
  3. IRF
  4. Frame Relay
  5. EVI
  6. VPLS
  7. Multicast VPN support for inter-AS option B
  Modified feature:
  1. 802.1X redirect URL
  2. Displaying information about NTP servers from the reference source to the primary NTP server
  3. Saving, rolling back, and loading the configuration
  4. Displaying information about SSH users
  Removed feature:
  1. Displaying fabric utilization
  Fixes bugs

Version number: CMW710-E0302P06
Last version: CMW710-E0102
Release date: 2015-04-13
Release type: ESS version
Remarks: Support MSR1000_2000_3000_4000 series
  New feature:
  1. Object policies
  2. IPHC
  3. Support of PPPoE server for IPv6
  4. QSIG tunneling over SIP-T
  5. Playout delay
  6. BGP L2VPN support for NSR
  7. BGP support for dynamic peers
  8. ARP PnP
  9. Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts
  10. QoS soft forwarding
  11. Filtering by application layer protocol status
  12. ADVPN support for multicast forwarding
  13. MPLS LDP support for IPv6
  14. Port security
  15. Customizable IVR
  16. SRST
  17. NEMO
  18. Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation
  19. Support for LLDP on CPOS interfaces
  20. SMS-based automatic configuration
  21. ARP attack protection
  22. SIP support for VRF
  Fixes bugs

Version number: CMW710-E0102
Last version: CMW710-E0006P02
Release date: 2013-08-10
Release type: ESS version
Remarks: Support MSR2000_3000_4000 series
  New feature:
  1. Portal authentication
  2. MSDP
  3. IPsec MIB and IKE MIB
  4. PoE
  5. CoPP software forwarding feature
  6. Configuring MPLS LDP FRR
  7. Enhanced routing features
  8. Python
  9. ATM
  10. DHCP MIB
  Fixes bugs.

Version number: CMW710-E0006P02
Last version: CMW710-E0006
Release date: 2013-04-23
Release type: ESS version
Remarks: Only support MSR3000_4000 series, not support MSR2000 series
  Fixes bugs.

Version number: CMW710-E0006
Last version: First release
Release date: 2013-01-28
Release type: ESS version
Remarks: None

Hardware and software compatibility matrix

CAUTION:

To avoid an upgrade failure, use Table 3 to verify the hardware and software compatibility before performing an upgrade.

Table 2 HPE product device numbers matrix

Product code    HPE Product name
JG402A          HPE MSR4080 Router Chassis
JG403A          HPE MSR4060 Router Chassis
JG404A          HPE MSR3064 Router
JG405A          HPE MSR3044 Router
JG406A          HPE MSR3024 AC Router
JG407A          HPE MSR3024 DC Router
JG408A          HPE MSR3024 PoE Router
JG409A          HPE MSR3012 AC Router
JG410A          HPE MSR3012 DC Router
JG411A          HPE MSR2003 AC Router
JG412A          HPE MSR4000 MPU-100 Main Processing Unit
JG413A          HPE MSR4000 SPU-100 Service Processing Unit
JG414A          HPE MSR4000 SPU-200 Service Processing Unit
JG670A          HPE MSR4000 SPU-300 Service Processing Unit
JG875A          HPE MSR1002-4 AC Router
JH060A          HPE MSR1003-8S AC Router
JG861A          HPE MSR3024 TAA-compliant AC Router
JG734A          HPE MSR2004-24 AC Router
JG735A          HPE MSR2004-48 Router
JG866A          HPE MSR2003 TAA-compliant AC Router
JG869A          HPE MSR4000 TAA-compliant MPU-100 Engine
JG409B          HPE MSR3012 AC Router

Table 3 Hardware and software compatibility matrix

Product family: MSR1000_MSR2000_MSR3000_MSR4000

Boot ROM version:
  MSR1002-4_MSR1003-8S: 250 or higher
  MSR2003_MSR2004-24_MSR2004-48: 160 or higher
  MSR3012_MSR3024_MSR3044_MSR3064: 160 or higher
  MSR4060_MSR4080: MPU-100: 161 or higher; SPU-100/200: 140 or higher

Host software (hardware: software image, MD5 checksum, file size):
  MSR1002-4_MSR1003-8S: MSR100X-CMW710-R0306P82.IPE, MD5 0387b772d6ff15c847ab78ca468313e3, 67,390,464 bytes
  MSR2003_MSR2004-24_MSR2004-48: MSR2000-CMW710-R0306P82.IPE, MD5 2311ab13c46d7462e6762ebfd384a923, 74,107,904 bytes
  MSR3012_MSR3024_MSR3044_MSR3064: MSR3000-CMW710-R0306P82.IPE, MD5 e68521472290a361b82f5998dfcba59f, 57,053,184 bytes
  MSR4060_MSR4080: MSR4000-CMW710-R0306P82.IPE, MD5 f0f1932b12096307cac55ac7a66c70a2, 118,548,480 bytes

iMC version:
  iMC BIMS 7.2 (E0402P02)
  iMC EAD 7.2 (E0407)
  iMC TAM 7.2 (E0407)
  iMC UAM 7.2 (E0407)
  iMC IVM 7.2 (E0402H02)
  iMC MVM 7.2 (E0402P02)
  iMC NTA 7.2 (E0402P02)
  iMC PLAT 7.2 (E0403P04)
  iMC QoSM 7.2 (E0403H01)
  iMC RAM 7.2 (E0402)
  iMC SHM 7.2 (E0402l01)
  iMC UBA 7.2 (E0401P03)
  iMC VFM 7.2 (E0403)

iNode version: iNode PC 7.2 (E0407)

Cards version (card name: software version, CPLD or FPGA version):
  SIC-3G-HSPA: 280 or higher, 200 or higher
  SIC-3G-CDMA: 280 or higher, 200 or higher
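Before staging one of the images from Table 3 on a router, the download should be compared against the checksum listed there. The following POSIX shell script is an added example, not code from the release notes or from HPE's tooling: the four expected values are copied from Table 3 of this document, while the script name, the md5sum/openssl fallback and the temporary file used in its usage are assumptions. A matching MD5 shows that the file was not corrupted or truncated in transit; it is not proof of origin, because MD5 is not collision resistant, so take the expected value from the release notes rather than from the same server that served the image.

```shell
#!/bin/sh
# Added example (not from the HPE release notes): check a downloaded .IPE image
# against the MD5 checksum published in Table 3 before staging it for an upgrade.
# The expected values below are copied from Table 3 of this document.

# expected_md5 FILENAME: print the checksum listed for that image name, or fail.
expected_md5() {
  case "$1" in
    MSR100X-CMW710-R0306P82.IPE) echo 0387b772d6ff15c847ab78ca468313e3 ;;
    MSR2000-CMW710-R0306P82.IPE) echo 2311ab13c46d7462e6762ebfd384a923 ;;
    MSR3000-CMW710-R0306P82.IPE) echo e68521472290a361b82f5998dfcba59f ;;
    MSR4000-CMW710-R0306P82.IPE) echo f0f1932b12096307cac55ac7a66c70a2 ;;
    *) return 1 ;;
  esac
}

# file_md5 PATH: print the MD5 of a file with whichever tool is available
# (md5sum from coreutils, or openssl as a fallback; both are assumptions).
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    openssl dgst -md5 "$1" | awk '{print $NF}'
  fi
}

# verify_ipe PATH [EXPECTED]: compare the file's MD5 with EXPECTED, or with the
# Table 3 value for its file name when EXPECTED is omitted.
# Returns 0 on match, 1 on mismatch, 2 when no expected value is known or the
# file cannot be read.
verify_ipe() {
  file=$1
  expected=$2
  if [ -z "$expected" ]; then
    expected=$(expected_md5 "$(basename "$file")") || {
      echo "no checksum listed for $(basename "$file")" >&2
      return 2
    }
  fi
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  actual=$(file_md5 "$file")
  # Lower-case the expected value so a hash pasted in upper case still matches.
  expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
  if [ "$actual" = "$expected" ]; then
    echo "OK       $file $actual"
    return 0
  fi
  echo "MISMATCH $file expected=$expected actual=$actual" >&2
  return 1
}

# Usage: sh verify_ipe.sh /path/to/MSR3000-CMW710-R0306P82.IPE
if [ $# -gt 0 ]; then
  verify_ipe "$@"
fi
```

Run it on the downloaded file before copying the image to the router's storage; a non-zero exit status means the file should be downloaded again rather than used as the startup image.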

Upgrading restrictions and guidelines

1. After the software is upgraded from a version earlier than E0302P06 to E0302P06 or a later version, the unit of the VRRP preemption delay is changed from seconds to centiseconds.

2. To upgrade from R0305 to R0305P04 or a later version, you must first install the R0305H01 hot patch.


Hardware feature updates

CMW710-R0306P82

None.

CMW710-R0306P30

Add new hardware:

Add new card:

4-port 100BASE-FX/1000BASE-X(SFP) Ethernet L2/L3 SIC Module-RT-SIC-4GSWF

CMW710-R0306P07

Add new hardware:

SFP-GPON-SM-ONU

USB modem E3533

CMW710-R0305P08

Add new router:

HPE MSR3012 AC Router (JG409B)

Add new card:

1-port E1 / T1 Voice SIC Module (JH240A)

CMW710-R0305P04

The logo of HP is changed to HPE.

CMW710-R0304P02

Add new cards:

HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B)

HPE MSR 4G LTE SIC Mod for ATT (JG743B)

HPE MSR 4GLTE SIC Mod for Global (JG744B)

HPE MSR HSPA+/WCDMA SIC Module (JG929A)

CMW710-R0304

Add new router:

HPE MSR1003-8S AC Router


CMW710-E0302P06

Add new hardware:

8-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH169A)

4-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH170A)

2-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH171A)

8-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH172A)

4-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH173A)

2-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH174A)

8-port 100BASE-FX/1000BASE-X / 4-port 1000BASE-T (Combo) L2/L3 HMIM Module (JH238A)

CMW710-E0102

Add new hardware:

4-port 10/100 Mbps Ethernet L2 switching module, PoE card (SIC-4FSW-POE)

1-port ADSL over POTS SIC interface module (SIC-1ADSL)

1-port E1/CE1/PRI SIC interface module (SIC-1EPRI-V3)

9-port 10/100 Mbps Ethernet L2 switching module, PoE card (DSIC-9FSW-POE)

1-port 8-wire G.SHDSL (RJ45) DSIC Module

2-port 1000BASE-X HMIM Module (HMIM-2GEF)

4-port 1000BASE-X HMIM Module (HMIM-4GEF)

8-port 1000BASE-X HMIM Module (HMIM-8GEF)

24-port Gig-T Switch HMIM Module (HMIM-24GSW)

24-port Gig-T PoE Switch HMIM Module (HMIM-24GSW-POE)

1-port OC-3 / STM-1 CPOS HMIM Module (HMIM-1CPOS)

2-port OC-3 / STM-1 CPOS HMIM Module (HMIM-2CPOS)

1-port OC-3c / STM-1c ATM SFP HMIM Module (HMIM-ATMOC3)

1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W) (requires an HMIM-Adapter)

SPU-300 service module

MSR3012-DC

MSR3024-DC

MSR3024-POE

300 W DC power module (PSR300-12D2)

Support for USB modems E303c and E3131

Software feature and command updates

For more information about the software feature and command update history, see HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P82 Release Notes (Software Feature Changes).


MIB updates

Table 4 MIB updates

Item MIB file

CMW710-R0306P82

New None

Modified None

CMW710-R0306P12

New None

Modified rfc1213.mib

CMW710-R0306P11

New None

Modified rfc1213.mib

CMW710-R0306P07

New None

Modified rfc1213.mib

CMW710-R0305P08

New None

Modified hh3c-3gmodem.mib

CMW710-R0305P04

New None

Module

None

None

Description

None

None

None

RFC1213-MIB

None

11

None

Modified description of sysDescr and sysObjectID

None

RFC1213-MIB

None

RFC1213-MIB

None

Modified description of sysObjectID

None

Modified description of sysDescr and sysObjectID

None

HH3C-3GMODEM-MIB

None

Modified description of hh3cWirelessCardOnlineTa ble, hh3cWirelessCardModemM ode, hh3cWirelessCardCurNetCo nn, hh3cWirelessCardOnlineTim e, hh3cWirelessCardOnlineTyp e, hh3cUIMInfoTable,hh3cUIMI ndex, hh3cUIMStatus,hh3cUIMIms i, hh3c3GCdma1xRttBID, hh3c3GCdma1xRttSID, hh3c3GCdma1xRttNID, hh3c3GCdmaEvDoSubNetI

D, hh3c3GGsmMcc, hh3c3GGsmMnc, hh3cSmsSrcNumberBind, hh3cSmsTimeBind, hh3cSmsEncodeBind, hh3cSmsContentBind, hh3cSmsRxNotifSwitch and hh3cSmsRxNotification

None

Modified rfc1213.mib RFC1213-MIB

Modified description of sysDescr, sysContact, sysName and sysLocation, sysObjectID

CMW710-R0305

New None

Modified rfc1213.mib

None

RFC1213-MIB

None

Modified description of sysDescr and sysObjectID

CMW710-R0304P12

New None

Modified rfc2925-disman-ping.mib hh3c-nqa.mib

hh3c-mplsext.mib

None

DISMAN-PING-MIB

HH3C-NQA-MIB

HH3C-MPLSEXT-MIB

None

Modified description of pingCtlTable

Modified description of hh3cNqaCtlTable

Added hh3cMplsExtVpnStatsTable

CMW710-R0304

New None

Modified hh3c-transceiver-info.mib

None

HH3C-TRANSCEIVER-INF

O-MIB

None

Modified description of hh3cTransceiverCurTXPow er and hh3cTransceiverCurRXPow er

CMW710-E0302P06 hh3c-stack.mib rfc5060-pim-std.mib rfc5240-pim-bsr.mib

New hh3c-qinqv2.mib rfc3019-ipv6-mld.mibs hh3c-nqa.mib hh3c-posa.mib rfc1473-ppp-ip.mib rfc1471-ppp-lcp.mib hh3c-mp-v2.mib hh3c-mplsext.mib hh3c-mplste.mib

HH3C-STACK-MIB

PIM-STD-MIB

PIM-BSR-MIB

IPV6-MLD-MIB

HH3C-NQA-MIB

HH3C-POSA-MIB

PPP-IP-NCP-MIB

PPP-LCP-MIB

HH3C-MP-V2-MIB rfc6445-mpls-frr-facility-std.m

ib

MPLS-FRR-FACILITY-STD

-MIB rfc6445-mpls-frr-general-std.

mib

HH3C-QINQV2-MIB

HH3C-MPLSEXT-MIB

HH3C-MPLSTE-MIB

MPLS-FRR-GENERAL-ST

D-MIB

Added HH3C-STACK-MIB

Added

PIM-STD-MIB

Added

PIM-BSR-MIB

Added

HH3C-QINQV2-MIB

Added

IPV6-MLD-MIB

Added HH3C-NQA-MIB

Added

HH3C-POSA-MIB

Added PPP-IP-NCP-MIB

Added PPP-LCP-MIB

Added HH3C-MP-V2-MIB

Added

HH3C-MPLSEXT-MIB

Added H3C-MPLSTE-MIB

Added

MPLS-FRR-FACILITY-STD-

MIB

Added

MPLS-FRR-GENERAL-STD

-MIB

12

Modified rfc3812-mpls-te-std.mib rfc3970-te.mib hh3c-transceiver-info.mib rfc5519-mgmd-std.mib rfc4560-disman-traceroute.m

ib

DISMAN-TRACEROUTE-

MIB rfc2925-disman-ping.mib rfc5603-pw-enet-std.mib rfc5601-pw-std.mib hh3c-snmp-ext.mib hh3c-posa.mib hh3c-bfd-std.mib hh3c-ppp-over-sonet.mib rfc3815-mpls-ldp-std.mib

MPLS-TE-STD-MIB

TE-MIB

HH3C-TRANSCEIVER-INF

O-MIB

MGMD-STD-MIB

DISMAN-PING-MIB

PW-ENET-STD-MIB

PW-STD-MIB

HH3C-SNMP-EXT-MIB

HH3C-POSA-MIB

HH3C-BFD-STD-MIB

HH3C-PPP-OVER-SONET

-MIB

MPLS-LDP-STD-MIB rfc4382-mpls-l3vpn-std.mib MPLS-L3VPN-STD-MIB hh3c-license.mib hh3c-tunnel.mib rfc5643-ospfv3.mib rfc2981-disman-event.mib hh3c-pvst.mib hh3c-evi.mib hh3c-l2vpn.mib

rfc4444-isis.mib rfc1213.mib

rfc4444-isis.mib

HH3C-LICENSE-MIB

HH3C-TUNNEL-MIB

OSPFV3-MIB

DISMAN-EVENT-MIB

HH3C-PVST-MIB

HH3C-EVI-MIB

HH3C-L2VPN-MIB

ISIS-MIB

RFC1213-MIB

ISIS-MIB

Added MPLS-TE-STD-MIB

Added TE-MIB

Added HH3C-TRANSCEIVER-INFO-MIB

Added MGMD-STD-MIB

Added DISMAN-TRACEROUTE-MIB

Added DISMAN-PING-MIB

Added PW-ENET-STD-MIB

Added PW-STD-MIB

Added HH3C-SNMP-EXT-MIB

Added HH3C-POSA-MIB

Added HH3C-BFD-STD-MIB

Added HH3C-PPP-OVER-SONET-MIB

Added MPLS-LDP-STD-MIB

Added MPLS-L3VPN-STD-MIB

Added HH3C-LICENSE-MIB

Added HH3C-TUNNEL-MIB

Added OSPFV3-MIB

Added DISMAN-EVENT-MIB

Added HH3C-PVST-MIB

Added HH3C-EVI-MIB

Added HH3C-L2VPN-MIB

Modified description of isisSysLevelMinLSPGenInt

Modified description of sysDescr and sysObjectID;

Modified TAA description of sysObjectID;

Modified index of ipv6InterfaceTable; Modified description of sysContact and sysLocation;

Modified Access of ipAddressStorageType.

Modified description of isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex,


rfc2465-ipv6.mib

hh3c-splat-mstp.mib rfc2933-igmp-std.mib

rfc2863-if.mib

hh3c-dns.mib

hh3c-domain.mib

hh3c-sys-man.mib

hh3c-config-man.mib

rfc2933-igmp-std.mib

rfc2925-disman-ping.mib

IPV6-MIB

HH3C-LswMSTP-MIB

IGMP-STD-MIB

IF-MIB

HH3C-DNS-MIB

H3C-DOMAIN-MIB

HH3C-SYS-MAN-MIB

HH3C-CONFIG-MAN-MIB

IGMP-STD-MIB

DISMAN-PING-MIB

isisCirc3WayEnabled, isisCircExtendedCircID, isisISAdj3WayState and isisISAdjNbrExtendedCircID

Modified description of ipv6IfDescr

Modified description of hh3cdot1sStpForceVersion

Modified description and PDS of IGMP-STD-MIB

Updated the rfc2863-if.mib from rfc2233-if.mib

Modified description of HH3C-DNS-MIB

Modified description of HH3C-DOMAIN-MIB

Modified example of hh3cSysBtmLoadTable

Modified description of hh3cCfgLogTerminalUser and hh3cCfgLogCmdSrcAddress

Modified description of igmpInterfaceQueryMaxResponseTime, igmpInterfaceRobustness, igmpInterfaceLastMembQueryIntvl, mldInterfaceQueryMaxResponseDelay, mldInterfaceRobustness, mldInterfaceLastListenQueryIntvl;

Modified PDS of igmpCacheAddress, igmpCacheIfIndex, igmpCacheSelf, mldCacheAddress, mldCacheIfIndex, mldCacheSelf

Modified description of pingCtlIfIndex;

Added pingProbeFailed, pingTestFailed, pingTestCompleted, hh3cNqaProbeTimeOverThreshold, hh3cNqaJitterRTTOverThreshold, hh3cNqaProbeFailure, hh3cNqaJitterPacketLoss, hh3cNqaJitterSDOverThreshold,


rfc4133-entity.mib

hh3c-if-ext.mib

hh3c-config-man.mib

hh3c-trng2.mib

rfc2925-disman-ping.mib

hh3c-ntp.mib

hh3c-entrelation.mib

hh3c-entity-ext.mib

hh3c-ssh.mib

hh3c-lsw-dev-adm.mib

hh3c-lsw-dev-adm.mib

hh3c-3gmodem.mib

hh3c-trap.mib

rfc2863-if.mib

ENTITY-MIB

HH3C-IF-EXT-MIB

HH3C-CONFIG-MAN-MIB

HH3C-TRNG2-MIB

DISMAN-PING-MIB

hh3cNqaJitterDSOverThreshold, hh3cNqaICPIFOverThreshold, hh3cNqaMOSOverThreshold

Modified description of entPhysicalAlias, entPhysicalAssetID

Modified description of HH3C-IF-EXT-MIB

Modified description of HH3C-CONFIG-MAN-MIB

Modified description of HH3C-TRNG2-MIB

Modified description of pingCtlTable

HH3C-NTP-MIB

Modified description of hh3cNTPSystemMIB

HH3C-ENTRELATION-MIB

Modified description of hh3cEntRelationTable

HH3C-ENTITY-EXT-MIB

Added hh3cEntityExtCpuUsageRecoverThreshold, hh3cEntityExtMemSizeRev, hh3cEntityExtCpuUsageIn1Minute, hh3cEntityExtCpuUsageIn5Minutes, hh3cEntityExtVoltageTable;

Modified description and relationship of hh3cEntityExtTemperatureThreshold,

Modified description of hh3cEntityExtTemperature.

HH3C-SSH-MIB

HH3C-LSW-DEV-ADM-MIB

Added hh3cSTelnetServerEnable, hh3cSCPServerEnable

Added hh3cLswSlotMemRev, hh3cLswSlotPhyMemRev, hh3cLswSlotRunTime and hh3cLswSlotMemUsedRev

HH3C-LSW-DEV-ADM-MIB

HH3C-3GMODEM-MIB

Added hh3cLswCpuTable

HH3C-TRAP-MIB

IF-MIB

Added hh3cLteInfoTable

Modified description of hh3cTrapConfigSwitch

Modified description of ifOutQLen


hh3c-ip-address.mib

rfc1471-ppp-lcp.mib

ieee8023-lag.mib

hh3c-lag.mib

hh3c-domain.mib

hh3c-if-ext.mib

rfc5603-pw-enet-std.mib rfc5602-pw-mpls-std.mib hh3c-acl.mib

hh3c-stack.mib rfc2819-rmon.mib

rfc4502-rmon.mib

lldp-ext-dot1-v2.mib

rfc5603-pw-enet-std.mib

table hh3cPosParamTable

HH3C-IP-ADDRESS-MIB

PPP-LCP-MIB

IEEE8023-LAG-MIB

HH3C-LAG-MIB

HH3C-DOMAIN-MIB

HH3C-IF-EXT-MIB

PW-ENET-STD-MIB

PW-MPLS-STD-MIB

PW-ENET-STD-MIB

Added hh3cIpAddrFirstTrapTime

Modified description of pppLinkStatusBadFCSs

Modified title of IEEE8023-LAG-MIB

Modified title of HH3C-LAG-MIB

Modified description of hh3cDomainDefault and hh3cDomainName

Added hh3cIfOperStatus and hh3cIfDownTimes

Modified pwEnetTable

Modified the module of PW-MPLS-STD-MIB

Modified the table of PW-ENET-STD-MIB

HH3C-PPP-OVER-SONET-MIB

Only support POS interfaces

HH3C-ACL-MIB

HH3C-STACK-MIB

RMON-MIB

RMON2-MIB

LLDP-EXT-DOT1-V2-MIB

Modified hh3cAclNumberGroupTable, hh3cPfilterApplyTable, hh3cPfilterAclGroupRunInfoTable, hh3cPfilterStatisticSumTable and added the hh3cAclNamedGroupTable, hh3cAclIPAclNamedBscTable, hh3cAclIPAclNamedAdvTable, hh3cAclNamedMACTable, hh3cAclIntervalTable, hh3cAclNamedUserTable, hh3cPfilter2ApplyTable, hh3cPfilter2, hh3cPfilter2AclGroupRunInfoTable, hh3cPfilter2AclRuleRunInfoTable, hh3cPfilter2StatisticSumTable, hh3cAclNamedGroupTable

Modified description of hh3cStackTopology

Modified description of default value in RMON-MIB

Modified description of default value in RMON2-MIB

Removed lldpXdot1dcbxConfigETSConfigurationTable, lldpXdot1dcbxConfigETSRecommendationTable, lldpXdot1dcbxConfigPFCTable, lldpXdot1dcbxConfigApplicationPriorityTable, lldpXdot1dcbxLocETSBasicConfigurationTable, lldpXdot1dcbxLocETSConPriorityAssignmentTable, lldpXdot1dcbxLocETSConTrafficClassBandwidthTable, lldpXdot1dcbxLocETSConTrafficSelectionAlgorithmTable, lldpXdot1dcbxLocETSRecoTrafficClassBandwidthTable, lldpXdot1dcbxLocETSRecoTrafficSelectionAlgorithmTable, lldpXdot1dcbxLocPFCBasicTable, lldpXdot1dcbxLocPFCEnableTable, lldpXdot1dcbxLocApplicationPriorityAppTable, lldpXdot1dcbxRemETSBasicConfigurationTable, lldpXdot1dcbxRemETSConPriorityAssignmentTable, lldpXdot1dcbxRemETSConTrafficClassBandwidthTable, lldpXdot1dcbxRemETSConTrafficSelectionAlgorithmTable, lldpXdot1dcbxRemETSRecoTrafficClassBandwidthTable, lldpXdot1dcbxRemETSRecoTrafficSelectionAlgorithmTable, lldpXdot1dcbxRemPFCBasicTable, lldpXdot1dcbxRemPFCEnableTable, lldpXdot1dcbxRemApplicationPriorityAppTable, lldpXdot1dcbxAdminETSBasicConfigurationTable, lldpXdot1dcbxAdminETSConPriorityAssignmentTable, lldpXdot1dcbxAdminETSConTrafficClassBandwidthTable, lldpXdot1dcbxAdminETSConTrafficSelectionAlgorithmTable, lldpXdot1dcbxAdminETSRecoTrafficClassBandwidthTable, lldpXdot1dcbxAdminETSRecoTrafficSelectionAlgorithmTable, lldpXdot1dcbxAdminPFCBasicTable, lldpXdot1dcbxAdminPFCEnableTable, lldpXdot1dcbxAdminApplicationPriorityAppTable

CMW710-E0102 rfc5060-pim-std.mib rfc5240-pim-bsr.mib hh3c-qinqv2.mib rfc3019-ipv6-mld.mibs

New hh3c-lsw-dev-adm.mib hh3c-nqa.mib hh3c-posa.mib rfc4444-isis.mib

Modified hh3c-entity-ext.mib rfc1213.mib rfc4444-isis.mib rfc2465-ipv6.mib hh3c-splat-mstp.mib rfc2933-igmp-std.mib rfc4133-entity.mib

PIM-STD-MIB

PIM-BSR-MIB

HH3C-QINQV2-MIB

IPV6-MLD-MIB

HH3C-LSW-DEV-ADM-MIB

HH3C-NQA-MIB

HH3C-POSA-MIB

ISIS-MIB

HH3C-ENTITY-EXT-MIB

RFC1213-MIB

ISIS-MIB

IPV6-MIB

HH3C-LswMSTP-MIB

IGMP-STD-MIB

ENTITY-MIB

Added PIM-STD-MIB

Added PIM-BSR-MIB

Added HH3C-QINQV2-MIB

Added IPV6-MLD-MIB

Added hh3cLswSlotMemRev, hh3cLswSlotPhyMemRev, hh3cLswSlotRunTime and hh3cLswSlotMemUsedRev

Added HH3C-NQA-MIB

Added HH3C-POSA-MIB

Modified description of isisSysLevelMinLSPGenInt

Modified description and relationship of hh3cEntityExtTemperatureThreshold

Modified description of sysDescr and sysObjectID

Modified description of isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex, isisCirc3WayEnabled, isisCircExtendedCircID, isisISAdj3WayState and isisISAdjNbrExtendedCircID

Modified description of ipv6IfDescr

Modified description of hh3cdot1sStpForceVersion

Modified description and PDS of nodes in IGMP-STD-MIB

Modified description and PDS of entPhysicalAlias and entPhysicalAssetID


hh3c-posa.mib rfc2863-if.mib

HH3C-POSA-MIB

IF-MIB

Modified description of hh3cPosaFcmIdleTimeout

Updated the rfc2863-if.mib from rfc2233-if.mib

CMW710-E0102

New

Modified hh3c-ike-monitor.mib

hh3c-ike-monitor.mib

lldp-v2.mib

lldp-ext-dot1-v2.mib

lldp-ext-dot3-v2.mib

hh3c-domain.mib

hh3c-domain.mib

hh3c-user.mib

rfc3814-mpls-ftn-std.mib hh3c-dhcp4.mib

hh3c-dhcp-snoop2.mib

hh3c-common-system.mib

hh3c-splat-inf.mib

rfc2819-rmon.mib rfc4502-rmon.mib rfc5132-ipmcast.mib

rfc2620-radius-acc-client.mib rfc2618-radius-auth-client.mib

hh3c-qos-capability.mib rfc3621-power-ethernet.mib hh3c-power-eth-ext.mib rfc2662-adsl-line.mib

hh3c-rmon-ext2.mib

HH3C-IKE-MONITOR-MIB

HH3C-IPSEC-MONITOR-V2-MIB

LLDP-V2-MIB

LLDP-EXT-DOT1-V2-MIB

LLDP-EXT-DOT3-V2-MIB

RADIUS-ACC-CLIENT-MIB

RADIUS-AUTH-CLIENT-MIB

HH3C-DOMAIN-MIB

HH3C-DOMAIN-MIB

HH3C-USER-MIB

HH3C-QOS-CAPABILITY-MIB

POWER-ETHERNET-MIB

HH3C-POWER-ETH-EXT-MIB

MPLS-FTN-STD-MIB

HH3C-DHCP4-MIB

HH3C-DHCP-SNOOP2-MIB

ADSL-LINE-MIB

RMON-MIB

RMON2-MIB

HH3C-RMON-EXT2-MIB

IPMCAST-MIB

HH3C-COMMON-SYSTEM-MIB

HH3C-LswINF-MIB

Added HH3C-IKE-MONITOR-MIB

Added HH3C-IPSEC-MONITOR-V2-MIB

Added LLDP-V2-MIB

Added LLDP-EXT-DOT1-V2-MIB

Added LLDP-EXT-DOT3-V2-MIB

Added RADIUS-ACC-CLIENT-MIB

Added RADIUS-AUTH-CLIENT-MIB

Added HH3C-DOMAIN-MIB

Added HH3C-DOMAIN-MIB

Added HH3C-USER-MIB

Added HH3C-QOS-CAPABILITY-MIB

Added POWER-ETHERNET-MIB

Added HH3C-POWER-ETH-EXT-MIB

Added MPLS-FTN-STD-MIB

Added HH3C-DHCP4-MIB

Added HH3C-DHCP-SNOOP2-MIB

Added ADSL-LINE-MIB

Added RMON-MIB

Added RMON2-MIB

Added HH3C-RMON-EXT2-MIB

Added IPMCAST-MIB

Modified HH3C-COMMON-SYSTEM-MIB to V2.4

Modified HH3C-LswINF-MIB to V3.4


hh3c-infocenter.mib

hh3c-lsw-dev-adm.mib

rfc2465-ipv6.mib

rfc2096-ip-forward.mib

hh3c-config-man.mib

hh3c-cbqos2.mib

rfc3415-snmp-vacm.mib

rfc1213.mib

rfc3415-snmp-vacm.mib rfc2233-if.mib hh3c-common-system.mib

rfc1213.mib

Operation changes

HH3C-INFO-CENTER-MIB

Added hh3cICLogbufferContTable in

HH3C-INFO-CENTER-MIB

HH3C-LSW-DEV-ADM-MIB

Added hh3cLswSlotPktBufFree, hh3cLswSlotPktBufInit, hh3cLswSlotPktBufMin and hh3cLswSlotPktBufMiss in hh3cLswSlotTable

IPV6-MIB

IP-FORWARD-MIB

HH3C-CONFIG-MAN-MIB

HH3C-CBQOS2-MIB

SNMP-VIEW-BASED-ACM-MIB

RFC1213-MIB

SNMP-VIEW-BASED-ACM-MIB

IF-MIB

HH3C-COMMON-SYSTEM-MIB

RFC1213-MIB

Added ipv6RouteNumber, ipv6DiscardedRoutes and ipv6RouteTable

Added inetCidrRouteNumber, inetCidrRouteDiscards and inetCidrRouteTable

Modified the description of hh3cCfgRunModifiedLast

Modified the description of hh3cCBQoSPolicyClassNextIndex and hh3cCBQoSPolicyClassCfgInfoTable, and deleted hh3cCBQoSRedirectCfgInfoTable and hh3cCBQoSMirrorIfCfgInfoTable

Modified the description of vacmContextName

Modified the description of ipNetToMediaIfIndex

Modified the description of vacmContextName

Modified the description of ifAlias

Modified the description of hh3cSysStatisticPeriod, hh3cSysSamplePeriod, hh3cSysTrapResendPeriod, hh3cSysTrapCollectionPeriod, hh3cSysSnmpPort, hh3cSysSnmpTrapPort, hh3cSysNetID, hh3cSysLastSampleTime. And modified the PDS of hh3cSysNetID

Modified the description of sysDescr and sysObjectID

None


Restrictions and cautions

1. HPE's FXS does not support call transfers from an analog phone to Lync Server.

Open problems and workarounds

None

List of resolved problems

Resolved problems in CMW710-R0306P82

201612130003

Symptom: The password needs to be entered twice when the MSR router logs in to an SSH server.

Condition: This symptom occurs if the MSR router acts as an SSH client and the SSH server performs HWTACACS authentication on clients.

201612080568

Symptom: When the MSR router acts as the LNS, it cannot establish L2TP tunnels with L2TP clients.

Condition: This symptom occurs if a large number of L2TP users frequently come online and go offline and a memory leakage exists on the router.

201611110148

Symptom: The MSR router reboots unexpectedly.

Condition: This symptom occurs if MPLS L3VPN and a large number of VXLAN tunnels are configured on the router and the router handles large bursts of traffic for a long time.

201611150055

Symptom: The MSR router forwards ND packets that are supposed to be discarded.

Condition: This symptom occurs if interfaces on the router are assigned IPv6 addresses and the router receives ND packets of which the target addresses are not local IPv6 addresses.

201610280205

Symptom: The CLI of the MSR router hangs.

Condition: This symptom occurs if password control is globally enabled on the router and a large number of users frequently come online and go offline.

201609230642

Symptom: A Layer 3 subinterface on the MSR router might fail to be deleted.

Condition: This symptom occurs if a large number of Layer 3 subinterfaces are configured on the router and the shutdown and undo vlan-type commands are simultaneously issued to multiple Layer 3 subinterfaces.

201612260238

Symptom: Portal users fail authentication on the MSR router that acts as the access device.

Condition: This symptom occurs if the router performs RADIUS authentication on users and a large number of portal users come online and go offline.


201612260250

Symptom: The MSR router cannot correctly advertise the default route to PE neighbors.

Condition: This symptom occurs if MPLS L3VPN is configured on the router.

201612260223

Symptom: BFD performance of the MSR router decreases. Specifically, the maximum number of BFD sessions cannot be reached.

Condition: None.

201609230608

Symptom: Some traffic cannot be NATed.

Condition: This symptom might occur if the following conditions exist:

The MSR router acts as the NAT gateway.

Fast forwarding load sharing is disabled.

NAT is configured.

201609050237

Symptom: Fragmented packets cannot be forwarded and a memory leakage exists on the MSR router in an IRF fabric.

Condition: This symptom occurs if NAT is configured on the IRF fabric and fragmented packets from the external network are cross-chassis forwarded to a VLAN interface of the internal network.

Resolved problems in CMW710-R0306P81

201611090368

Symptom: The total number of error packets displayed on the network management software and that displayed from the CLI are different.

Condition: This symptom occurs when error packets uiAlignErrs and uiInDiscards are received.

201610280217

Symptom: The description command cannot be successfully executed when a PC running the Windows 10 operating system is used to configure the device.

Condition: This symptom might occur when the description command is executed on a PC running the Windows 10 operating system.

201611100317

Symptom: In a VXLAN network, the configured DSCP marking action does not take effect when a QoS policy for incoming packets is applied to the site-facing interface that hosts an AC.

Condition: This symptom occurs when a QoS policy for incoming packets is applied to the site-facing interface that hosts an AC in a VXLAN network.

201610280181

Symptom: Clients cannot log in to a device through IPv6 SSH and Telnet.

Condition: This symptom occurs when the following conditions are met:

The tcp syn-cookie enable command is executed.

The client is not connected to the device directly.

The device uses an IPv6 address.


201610280192

Symptom: L2TP clients go offline.

Condition: This symptom might occur when a user that uses an incorrect username or password sends authentication requests.

201609230618

Symptom: Traffic cannot be forwarded because ARP/ND entry issuing has failed.

Condition: This symptom might occur when a large number of ARP/ND entries are learned or age out.

201611170054

Symptom: The configuration on FXS interfaces gets lost and no call progress tone is played.

Condition: This symptom occurs when over three HMIM-16FXS modules are installed on the device.

201611080238

Symptom: AAA accounting fails because the device and the server use inconsistent session ID formats.

Condition: This symptom occurs when AAA authentication uses an old-version server whose accounting session ID format is incompatible with the ID format on the device.

201611070502

Symptom: CVE-2016-8858.

Condition: Vulnerability was reported in OpenSSH. A remote user can send specially crafted data during the key exchange process to trigger a flaw in kex_input_kexinit() and consume excessive memory on the target system. This can be exploited to consume up to 384 MB per connection.

201610260739

Symptom: In an MPLS over GRE network, the device acts as a P device, and packet loss occurs when two CE devices ping each other.

Condition: This symptom might occur when two CE devices are connected through a service provider network.

201610260505

Symptom: The memory usage of the device continues to increase.

Condition: This symptom occurs when a GRE tunnel with TCP MSS set forwards fragmented packets.

201611250487

Symptom: URL redirection configured for EAD assistant does not take effect.

Condition: None.

Resolved problems in CMW710-R0306P80

201609270202

Symptom: Long ping response delay occurs when no SIM card is installed in the SIC-3G module that uses the EM660 modem chip.

Condition: This symptom might occur if no SIM card is installed in the SIC-3G module that uses the EM660 modem chip.


201603110069

Symptom: When the speed is set to 100 Mbps for a fiber port that uses a 1000-Mbps transceiver module, the LED of the port turns yellow or off.

Condition: This symptom might occur if the speed is set to 100 Mbps for a fiber port that uses a 1000-Mbps transceiver module.

201609220199

Symptom: A 4G router cannot access an LNS through 3G dialup.

Condition: This symptom might occur if a 4G router accesses an LNS through 3G dialup.

201610170407

Symptom: When multicast VPN is configured on the router, a switching module does not forward packets that are received from a Layer 3 interface.

Condition: This symptom might occur if multicast VPN is configured on the router, and the incoming interface of traffic is a Layer 3 interface.

201610190490

Symptom: The router can be pinged only within a short period of time after startup.

Condition: This symptom might occur if the following conditions exist:

After negotiation, the speed and duplex mode of interfaces on an SIC-4FSW or SIC-9FSW module are set to 100 Mbps and half duplex.

The module receives Layer 3 packets between 61 and 1536 bytes long at 10 Mbps and forwards the packets through VLAN interfaces.

201607230235

Symptom: The router cannot operate correctly when multiple GRE tunnels and one IPsec over GRE tunnel are forwarding traffic.

Condition: This symptom might occur if multiple GRE tunnels and one IPsec over GRE tunnel are set up.

201607020116

Symptom: When a Telnet user logs in to the router by using a username longer than 253 bytes, memory might be exhausted, and the router might reboot unexpectedly.

Condition: This symptom might occur if SNMP and trap notifications are enabled, and a Telnet user logs in to the router by using a username longer than 253 bytes.

201606010250

Symptom: A voice VLAN-enabled Layer 2 interface fails to forward VLAN-tagged traffic.

Condition: This symptom might occur if the source MAC addresses of the received traffic belong to voice VLANs, but the VLAN tags are for non-voice VLANs.

201604280054

Symptom: QoS cannot correctly collect traffic statistics on an IRF fabric.

Condition: This symptom might occur if a rate limiting template is configured for portal users on an IRF fabric.

201609210481

Symptom: SSH login fails when accounting is enabled and no accounting server is specified.

Condition: This symptom might occur if SSH login is performed when accounting is enabled without any accounting server specified.


201609060727

Symptom: BFD MAD does not take effect on two connected IRF fabrics.

Condition: This symptom might occur if BFD MAD is configured on two connected IRF fabrics, and the IRF fabrics can receive BFD detection packets from each other.

201608110527

Symptom: PPPoE clients cannot come online if the PPPoE server uses the DHCP address pool of a local DHCP server for address assignment.

Condition: This symptom might occur if the PPPoE server uses the DHCP address pool of a local DHCP server for address assignment.

201607290325

Symptom: CVE-2016-1409

Condition: The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Cisco IOS XE 2.1 through 3.17S, IOS XR 2.0.0 through 5.3.2, and NX-OS allows remote attackers to cause a denial of service (packet-processing outage) via crafted ND messages, aka Bug ID CSCuz66542, as exploited in the wild in May 2016.

201604210076

Symptom: Execution of RSSI commands fails on a distributed router after the router reboots with a configuration file.

Condition: This symptom might occur if RSSI commands are executed on a distributed router that has rebooted with a configuration file.

201609220670

Symptom: The router cannot operate correctly when a Layer 3 interface is changed to a Layer 2 interface during traffic forwarding.

Condition: This symptom might occur if a Layer 3 interface is changed to a Layer 2 interface during traffic forwarding.

201607290311

Symptom: CVE-2016-2177

Condition: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

201606280170

Symptom: PBR does not take effect when it is configured after the router starts up without any configuration file.

Condition: This symptom might occur if PBR is configured after the router starts up without any configuration file.

201607250050

Symptom: RBAC does not define access control for the ip load-sharing local-first enable command.

Condition: This symptom might occur if the ip load-sharing local-first enable command is configured, and trace logs are displayed.

201610170025

Symptom: The router cannot provide services when IPsec is enabled.

Condition: This symptom might occur if the following conditions exist:

a. IPsec is configured on the router.


b. Multiple data flows trigger IKE SA negotiations simultaneously, and the negotiations fail.

201609260311

Symptom: Incorrect PVST status causes broadcast storms.

Condition: This symptom might occur if the following conditions exist:

A PVST-enabled VLAN is deleted.

The stpd process is restarted, or the stpd process restarts during patch installation.

201610180122

Symptom: When QoS policy nesting is configured on an interface, long ping response delay occurs.

Condition: This symptom might occur if QoS policy nesting is configured on an interface, and GTS is configured in the parent policy.

201609260288

Symptom: When global password control is enabled, an SSH user cannot log in after multiple login failures.

Condition: This symptom might occur if global password control is enabled, and an SSH user logs in repeatedly by using a correct username and an incorrect password.

201609230633

Symptom: Installation of a patch or devkit package takes more than 40 minutes or fails.

Condition: This symptom might occur if a patch or devkit package is installed.

201608030540

Symptom: The router cannot forward MPLS L3VPN traffic correctly after the vpn popgo command is executed.

Condition: This symptom might occur if MPLS L3VPN is configured on the router, and the vpn popgo command is executed.

201607290305

Symptom: CVE-2012-0036

Condition: Curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.

Resolved problems in CMW710-R0306P70

201608120148

Symptom: The ICCID information for a 3G modem is not displayed in the display cellular command output.

Condition: None.

201608240033

Symptom: The diagnostic and monitoring (DM) feature is not available for ports on a SIC-4G-LTE card.

Condition: None.

201608190032

Symptom: Profile 3 cannot be used by 4G modem for dialup.


Condition: None.

201608290384

Symptom: The CPU usage of an MSR router reaches 50 percent and the delay of audio signals increases.

Condition: This symptom occurs if 12 concurrent calls exist on the MSR router.

201608250025

Symptom: LEDs on the 8GSW card installed in an MSR5660 device cannot operate correctly.

Condition: None.

201609060155

Symptom: Ports on an 8GEE card of an MSR router cannot forward traffic.

Condition: This symptom might occur if the 8GEE card is used in a VRRP network.

201609050247

Symptom: An MSR2004 router runs out of memory after a certain period of use.

Condition: This symptom occurs if a VLAN interface is created on the MSR3600 router and the actual forwarding speed of the VLAN interface is higher than the set speed 10 Mbps.

201608300072

Symptom: Portal authentication cannot correctly control user access to the network after users switch to different VLANs.

Condition: None.

201608290529

Symptom: CVE-2009-3238

Condition: The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."

201607190451

Symptom: The CLI of an MSR router hangs.

Condition: This symptom occurs if the following conditions exist:

LLDP and 802.1X authentication are enabled on the MSR router.

A port is configured to be shut down upon receiving an illegal frame.

An IP phone fails 802.1X authentication and triggers intrusion protection.

201605200138

Symptom: An MSR router does not support EAD quick deployment. However, no error message is displayed when EAD quick deployment is configured on a 9FSW card installed in the router.

Condition: None.

201607190461

Symptom: An MSR router cannot work with a Cisco NX9000 switch in an IS-IS network.

Condition: None.


201608110387

Symptom: The BGP NSR status of a two-MPU router is not correct, and the status cannot recover.

Condition: This symptom occurs if the memory threshold is reached during an active/standby switchover.

201608160017

Symptom: Ports on the MSR device are always in loopback state.

Condition: This symptom occurs if an external loopback test is performed on a card configured with PPP.

201608090279

Symptom: No voices but only signals are exchanged in the channels for voice services.

Condition: This symptom occurs if PPP compression and VAD are used during satellite link switchover for VHF services.

201607260049

Symptom: The country mode for call progress tones does not take effect on a voice card of an MSR router.

Condition: This symptom occurs if call progress tones are changed to non-default ones.

201607010523

Symptom: An MSR router in a full-mesh mGRE network reboots unexpectedly.

Condition: This symptom occurs if an aggregate interface is used as the mGRE tunnel interface and the port link modes of member ports in the aggregation group are changed.

201606280148

Symptom: In an MSR IRF fabric, errors exist in VLAN-instance mappings and STP status on ports cannot be correctly set.

Condition: This symptom occurs if the following conditions are met:

a. The spanning tree mode on the IRF fabric is PVST.

b. VLANs are created in the ascending order of VLAN IDs and then some VLANs are deleted.

Or, VLANs are not created in the ascending order of VLAN IDs. For example, create VLAN 10 and then create VLAN 5.

c. An interface card on the IRF fabric is rebooted.

d. An IRF master/subordinate switchover occurs. Or, the STP process restarts because a patch is installed or uninstalled or an ISSU is performed.

201607180362

Symptom: The AAA NAS-ID profile configuration on an MSR router does not take effect after the router reboots.

Condition: This symptom occurs if the running configuration is saved and the router is rebooted.

201607190489

Symptom: Stream media services are interrupted, because NAT 444 does not create correct entries for RTSP traffic.

Condition: This symptom occurs if the service client instead of the server initiates the service negotiation.

201607280123

Symptom: Fast forwarding does not take effect on a one-armed MSR router.


Condition: This symptom occurs if the one-armed router uses the same Layer 3 interface to perform traffic forwarding. For example, VLAN-interface 361 is configured with a primary interface and secondary interfaces. Traffic arrives at VLAN-interface 361 and then is forwarded out of VLAN-interface 361.

Resolved problems in CMW710-R0306P52

201605260540

Symptom: After the APN-profile is configured, only the authentication mode is modified, but the configuration does not take effect.

Condition: None.

201606200046

Symptom: The device reboots unexpectedly.

Condition: This symptom occurs if the device acts as an SSL VPN gateway and the user logs into the device through the Web interface.

201606290087

Symptom: The device reboots because of memory leak.

Condition: This symptom occurs if the SIM card is absent or fails on the 4G interface.

201605300494

Symptom: 802.1X authentication on the SIC-4FSW/DSIC-9FSW cards fails. Layer 2/Layer 3 forwarding is performed without authentication.

Condition: This symptom occurs if the EAD assistant feature is configured on the SIC-4FSW/DSIC-9FSW cards.

201605060278

Symptom: The system fails to obtain the next startup configuration file through MIB.

Condition: None.

201603040253

Symptom: When both voice VLAN and MAC authentication are configured on an interface, MAC authentication is also performed for packets with OUI addresses.

Condition: None.

201605040492

Symptom: When an SSL client policy is configured, the configuration takes effect only after you disable SSL session renegotiation, save the configuration, and reboot the device.

Condition: None.

201604150420

Symptom: If the MAC address of data packets is learned in a voice VLAN, the packets are not forwarded.

Condition: This symptom occurs if the source MAC address of the data packets is an OUI address and the VLAN tag of the packets is not the voice VLAN.

201605260553

Symptom: The PIM process exits exceptionally.

Condition: This symptom occurs if the PIM DM mode is used to create 32K entries and an outgoing interface is configured as the multicast forwarding boundary.


201606070297

(1)Symptom: CVE-2016-2105

(1)Condition: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in

OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.

(2)Symptom: CVE-2016-2106

(2)Condition: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in

OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.

(3)Symptom: CVE-2016-2107

(3)Condition: The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES

CBC session, NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

(4)Symptom: CVE-2016-2108

(4)Condition: The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

(5)Symptom: CVE-2016-2109

(5)Condition: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

(6)Symptom: CVE-2016-2176

(6)Condition: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

201605200360

Symptom: A voice call fails.

Condition: This symptom occurs if the longest match is configured and the dialed number is a short number.

201605030252

Symptom: An L2TP user fails to come online through dialup.

Condition: This symptom occurs if the device acts as an LNS and the idle-timeout assigned by the AAA server is 0.

201606290046

Symptom: When the RADIUS server remotely assigns an address, you must configure an IKE address pool.

Condition: None.

201605030237

Symptom: When IKE local extended authentication and address authorization are configured, the configuration in an old version is incompatible with the configuration in a new version.

Condition: None.


201511200124

Symptom: An E1/T1 interface still processes RAI alarms when RAI detection is disabled on the interface.

Condition: None.

201606280531

Symptom: An HMIM-2/4/8E1T1 (-F) card fails to start up.

Condition: This symptom occurs if the device is powered off when the card updates the logic.

201607020231

Symptom: The device reboots unexpectedly because of memory exhaustion.

Condition: This symptom occurs if a user telnets to the device by using a username longer than 127 bytes.

201606290412

Symptom: An interface on which the maximum number of secure MAC addresses is limited goes down when forwarding traffic.

Condition: This symptom might occur if the maximum number of secure MAC addresses set on the interface is small.

201607010400

Symptom: The free-rule 1 source any configuration is added to the configuration file after the device reboots.

Condition: This symptom occurs if the device starts up with a .cfg startup configuration file.

201607010364

Symptom: Portal users can come online through an interface with portal authentication disabled, but the status of portal users is not correct.

Condition: None.

201607150110

Symptom: A busy error occurs when an asynchronous serial interface operating in flow mode reversely telnets to the device.

Condition: This symptom occurs if the asynchronous serial interface reversely telnets to the device when it is enabled with terminal service.

201607040302

(1)Symptom: CVE-2016-4953

(1)Condition: Fixed a vulnerability in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service by sending a spoofed packet with incorrect authentication data at a certain time.

(2)Symptom: CVE-2016-4954

(2)Condition: Fixed a vulnerability in ntpd in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service by sending spoofed packets from source IP addresses in a certain scenario.

(3)Symptom: CVE-2016-4956

(3)Condition: Fixed a vulnerability in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service via a spoofed broadcast packet.

201605060581

(1)Symptom: CVE-2015-8138


(1)Condition: Fixed a vulnerability in ntpd through which attackers might be able to disable time synchronization by sending a crafted NTP packet to the NTP client.

(2)Symptom: CVE-2015-7979

(2)Condition: Fixed a vulnerability in ntpd that allows attackers to send specially crafted broadcast packets to broadcast clients, which might cause the affected NTP clients to become out of sync over a longer period of time.

(3)Symptom: CVE-2015-7974

(3)Condition: Fixed a vulnerability in NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 that might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key.

(4)Symptom: CVE-2015-7973

(4)Condition: Fixed a vulnerability that exists when NTP is configured in broadcast mode: a man-in-the-middle attacker or a malicious client could replay packets received from the broadcast server to all (other) clients, which causes the time on affected clients to become out of sync over a longer period of time.

201605180120

(1)Symptom: CVE-2016-1547

(1)Condition: Fixed a vulnerability where an off-path attacker can deny service to ntpd clients by demobilizing preemptable associations using spoofed crypto-NAK packets.

(2)Symptom: CVE-2016-1548

(2)Condition: Fixed a vulnerability where an attacker can change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.

(3)Symptom: CVE-2016-1550

(3)Condition: Fixed a vulnerability in ntpd that allows an attacker to conduct a timing attack to compute the value of the valid authentication digest, causing forged packets to be accepted by ntpd.

(4)Symptom: CVE-2016-1551

(4)Condition: Fixed a vulnerability in ntpd that allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering.

(5)Symptom: CVE-2016-2519

(5)Condition: Fixed a vulnerability in which ntpd aborts if an attempt is made to read an oversized value.

(6)Symptom: CVE-2015-7704

(6)Condition: Fixed a vulnerability in ntpd that a remote attacker could use to send a packet to an ntpd client that increases the client's polling interval value and effectively disables synchronization with the server.

201607140270

Symptom: A user fails to dial up by using a POS terminal.

Condition: This symptom occurs if the SoftX device sends an 18x response with an SDP, a 180 response without an SDP, and a 200 OK response without an SDP in order. The media of the devices is not connected, so fax or modem switchover fails.

201607080214

Symptom: When SIP session refresh using re-INVITE requests is enabled, calls are cut off at about 3 minutes.

Condition: This symptom might occur if SIP session refresh using re-INVITE requests is enabled.


201607130473

Symptom: When command accounting is enabled for a Telnet user that passes TACACS authentication, command execution is delayed for a long time.

Condition: This symptom might occur if one of the following conditions exists:

The router does not have connectivity to the TACACS server.

The TACACS server does not respond to accounting requests.

The network has high latency.

201607140274

Symptom: Both the calling party and the called party are silent during a call established between the device and a SoftX device.

Condition: This symptom occurs if the SoftX device sends an 18x response with an SDP, a 180 response without an SDP, and a 200 OK response without an SDP in order. The media of the devices is not connected, so both parties cannot hear any voices.

201607120078

Symptom: When a TTY user logs in through an asynchronous serial interface of an SIC-16AS card, the user connection is not terminated after the idle timeout, the user cannot be forcibly logged off, and reverse Telnet is unavailable.

Condition: This symptom might occur if the following conditions exist:

The flow mode is enabled for the asynchronous serial interface.

The undo shell command is not configured for the user line.

The interface goes down when receiving and sending data.

201608230032

Symptom: An MSR3012 router reboots unexpectedly.

Condition: This symptom might occur if an HMIM-8E1T1 card with CPLD version 7.0 is hot plugged into the MSR3012 router when the router is being powered on.

Resolved problems in CMW710-R0306P30

201603140497

Symptom: An MSR2003 router displays the message "Watchdog timeout ==MSR2003 Reboot with CW7 e0402l10" if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface.

Condition: This symptom might occur if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface.

201604200661

Symptom: When the full duplex mode is configured and the speed is set to 1000 Mbps for a Layer 2 interface on an SIC-4GSW card, the interface cannot come up or uses an incorrect duplex mode.

Condition: This symptom might occur if the full duplex mode is configured and the speed is set to 1000 Mbps for a Layer 2 interface on an SIC-4GSW card.

201604280272

Symptom: On a China Telecom 3G interface, when the EVDO mode is enabled, an hh3c3GRssiWeakSignalTrap notification for the CDMA-1x RTT mode is falsely generated. When the CDMA-1x RTT mode is enabled, an hh3c3GRssiWeakSignalTrap notification for the EVDO mode is falsely generated.

Condition: None.

201604220195

Symptom: Modem dialups fail on FXS, FXO, E&M, and BSV cards when modem pass-through and fax pass-through are enabled.

Condition: This symptom might occur if modem pass-through and fax pass-through are enabled.

201604220017

Symptom: When the receiving power and transmitting power of a transceiver module change, the corresponding values in the MIB are not updated on time.

Condition: None.

201603140402

Symptom: The router provides 4G dialup services to an LTE network with two LNSs. When the primary LNS fails, services are not switched to the standby LNS.

Condition: None.

201604260058

Symptom: The error packet suppression feature is removed.

Condition: None.

201605060432

Symptom: The format of POSA hello messages is incorrect, and the handshaking feature does not take effect.

Condition: None.

201512230234

Symptom: In a dynamic link aggregation group, an Ethernet subinterface is not Selected after certain operations are performed.

Condition: This symptom might occur if the following operations are performed:

a. Create a dynamic link aggregation group and assign an Ethernet subinterface to the group.

b. Delete the link aggregation group.

c. Re-create the link aggregation group and assign the Ethernet subinterface to the group.

201604110398

Symptom: CVE-2016-2842

Condition: Fixed a vulnerability in the doapr_outch function in crypto/bio/b_print.c that allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string.

201603230025

Symptom(1): CVE-2016-0705

Condition(1): Fixed a vulnerability that occurs when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources.

Symptom(2): CVE-2016-0798

Condition(2): Fixed a vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt.


Symptom(3): CVE-2016-0797

Condition(3): Fixed a vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that allows remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference).

Symptom(4): CVE-2016-0799

Condition(4): Fixed a vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g in which string lengths are improperly calculated, which allows remote attackers to cause a denial of service that could lead to memory allocation failure or memory leaks.

Symptom(5): CVE-2016-0702

Condition(5): Fixed a vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that makes it easier for local users to discover RSA keys by leveraging cache-bank conflicts, aka a "CacheBleed" attack.

201603170257

Symptom(1): CVE-2016-0701

Condition(1): The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

Symptom(2): CVE-2015-3197

Condition(2): ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

201605040142

Symptom: IKE SA setup fails because "Number of negotiating IKE SAs exceeded the limit" after certain operations are performed.

Condition: This symptom might occur if the IKE keychain settings at the two ends of an IKE SA are inconsistent and the IKE SA is repeatedly created and deleted.

201604260409

Symptom: IPv6 policy-based routing does not take effect.

Condition: None.

201604280185

Symptom: A device using non-standard protocols might drop the frames sent by the router when the frames are VLAN-tagged and 64-byte long (including padding and CRC).

Condition: None.

201604260624

Symptom: After a port goes down, the FIB entry for a direct route that contains the port is deleted after a delay of 20 seconds.

Condition: This symptom might occur if the router keeps forwarding traffic matching the direct route.

201604180578

Symptom: The router does not process R2 B3 messages and forwards a wrong B message to a PBX when receiving a SIP 410 message.

Condition: None.


201602180272

Symptom: An incorrect PSTN cause code is returned for an ISDN link down event.

Condition: None.

201605040146

Symptom: The undo mac-address dynamic mac-address vlan vlan-id command cannot delete a dynamic MAC address entry.

Condition: None.

201603220579

Symptom: An MFR subinterface cannot forward traffic if the PVC is deleted at one end of the link or the type of the PVC is modified from dynamic to static on the DTE.

Condition: This symptom might occur if the PVC of an MFR subinterface is deleted on one end of the link or the type of the PVC is modified from dynamic to static on the DTE.

201605100011

Symptom: NetStream has incorrect outgoing traffic statistics for an interface if the interface forwards traffic from an IP network to an MPLS network.

Condition: This symptom might occur if an interface forwards traffic from an IP network to an MPLS network.

201605160128

Symptom: The router sends a wrong Release Cause code in a no pickup call.

Condition: None.

201605130382

Symptom: An incorrect PSTN cause code results in an incorrect SIP status code.

Condition: None.

201604290522

Symptom: Mirrored packets from a Layer 3 mirroring source port might carry an incorrect IP version value.

Condition: None.

201603140262

Symptom: On an MSR4000 router, a GRE tunnel goes down because the router does not receive GRE keepalive responses from the peer.

Condition: This symptom might occur if the router can receive GRE keepalive requests from the peer, but no GRE keepalive responses are received.

201604090478

Symptom: On a voice VLAN-enabled Layer 2 port, MAC address entries of a non-voice VLAN age out even when the port constantly receives traffic of the non-voice VLAN.

Condition: None.

201605260501

Symptom: After the debugging physical card e1posdm calling command is executed in probe view, the undo form of the command does not take effect.

Condition: None.

201606060042

Symptom: A call is disconnected 30 seconds after a user places the call on hold.


Condition: This symptom occurs if the router does not send an RTCP message to the Lync server within 30 seconds.

Resolved problems in CMW710-R0306P12

201602290360

Symptom: After a .cfg configuration file is used to restore the configuration of the router, OSPF sessions that are not configured with a router ID do not use the global router ID.

Condition: This symptom might occur if a .cfg configuration file is used to restore the configuration of the router.

201604010161

Symptom: MAC address entries age out on a voice VLAN-enabled Layer 2 interface when the interface has been forwarding traffic to and from the corresponding MAC addresses.

Condition: This symptom might occur if voice VLAN is enabled on a Layer 2 interface.

201604130088

Symptom: On an MSR4000 router, interfaces remain in discarding state after spanning tree is globally enabled.

Condition: This symptom might occur if spanning tree is globally enabled on an MSR4000 router.

201604090420

Symptom: The QoS policy configuration issued by IMC contains incorrect parameters for the CAR action of a traffic behavior.

Condition: None.

201603050111

Symptom: After voice VLAN is enabled, and the router is rebooted, the priority of voice VLAN packets is incorrect.

Condition: This symptom might occur if voice VLAN is enabled, and the router is rebooted.

201512310070

Symptom: CVE-2015-3194

Condition: Certificate verify crash with missing PSS parameter.

Symptom: CVE-2015-3195

Condition: X509_ATTRIBUTE memory leak.

Symptom: CVE-2015-3196

Condition: Race condition handling PSK identify hint.

Symptom: CVE-2015-1794

Condition: Anon DH ServerKeyExchange with 0 p parameter.

201603160152

Symptom: Aggressive IKE negotiation fails for specific Android phones, for example, phones running Android 5.1.1.

Condition: This symptom might occur if the router authenticates specific Android phones.

201511160131

Symptom: POS terminal listening fails if the listening port or the adjacent ports are used by other applications.


Condition: This symptom might occur if the POS terminal listening port or the adjacent ports are used by other applications.

201604060109

Symptom: The 4G MIB is inaccessible.

Condition: None.

201604230042

Symptom: IMC SNMP cannot automatically discover LNS IP addresses.

Condition: None.

201603140262

Symptom: A GRE tunnel goes down unexpectedly.

Condition: This symptom might occur if the router and its peer send keepalive packets to each other, but the router does not receive any keepalive acknowledgment packet from the peer.

Resolved problems in CMW710-R0306P11

201602290064

Symptom: After the pre-shared key is modified, IKE negotiation fails, and the router displays the "2th byte of the structure ISAKMP Identification Payload must be 0" message.

Condition: This symptom might occur if the old pre-shared key is not deleted when the new key is set.

201602170270

Symptom: On a CDMA-1xRTT/CDMA-EVDO network, 3G VPDN access fails if the mode of the SIC-4G-LTE module is switched to 3G.

Condition: This symptom might occur if the mode of the SIC-4G-LTE module is switched to 3G.

201601260255

Symptom: After the router reboots, BFD sessions cannot be set up on subinterfaces that are in an aggregation group.

Condition: This symptom might occur if the router reboots.

201603150157

Symptom: IMC obtains incorrect packet statistics for Layer 2 interfaces on an MSR2004-24 router.

Condition: This symptom might occur if IMC reads the packet statistics on Layer 2 interfaces of an MSR2004-24 router.

201602260225

Symptom: An interface on an SIC-4/9FSW module cannot send broadcast traffic in its VLAN after certain operations are performed.

Condition: This symptom might occur if the following operations are performed:

a. Enable STP globally, and form a loop on an interface of an SIC-4/9FSW module.

b. Remove the blocked interface from its VLAN.

c. Disable STP globally, and assign the interface to its original VLAN.

201602260270

Symptom: The router does not display the command execution result after AT commands are manually executed.


Condition: None.

201603110385

Symptom: The router does not send a trap message after a warm or cold reboot.

Condition: This symptom might occur if a warm or cold reboot is performed.

201603240091

Symptom: Dialup fails if a 4G module is operating in 3G mode.

Condition: This symptom might occur if the following operations are performed:

a. Install a 4G SIM card in a 4G module.

b. Set the mode of the 4G module to 3G, and reboot the module.

201603100323

Symptom: When a portal preauthentication domain and MAC-based quick portal authentication are used together, authorization attributes in the preauthentication domain do not take effect on preauthentication users.

Condition: This symptom might occur if a portal preauthentication domain and MAC-based quick portal authentication are used together, and MAC-based quick portal authentication is triggered when preauthentication users access the network.

201601210332

Symptom: After a subcard is removed and the router is rebooted, the interface indexes for the subcard change in the MIB.

Condition: This symptom might occur if a subcard is removed and the router is rebooted.

201601180511

Symptom: When OpenFlow is enabled, application layer processing is slow and packet loss occurs.

Condition: This symptom might occur if OpenFlow is enabled.

201603290254

Symptom: The router reboots unexpectedly if it has 4 GB of memory.

Condition: This symptom might occur if the router has 4 GB of memory.

201602290118

Symptom: The route filtering settings of RIP processes running in VPNs are lost after the running configuration is saved and the router is rebooted.

Condition: This symptom might occur if one of the following operations is performed:

Upgrade the software and reboot the router.

Use a .cfg configuration file when rebooting the router.

201602260072

Symptom: An L2TP LAC does not have uplink traffic statistics for users.

Condition: None.

201602200075

Symptom: PPPoE clients fail to come online when the router acts as the PPPoE server if the DNS server IP address is an IPCP configuration option in IPCP negotiation.

Condition: This symptom might occur if the DNS server IP address is an IPCP configuration option in IPCP negotiation.


201602010352

Symptom: When network congestion occurs, high-priority packets are dropped on a CBQ-enabled MP link.

Condition: This symptom might occur if CBQ is configured for an MP link, and network congestion occurs.

201602150740

Symptom: 4G dialup fails if an APN profile specifies the username and password.

Condition: This symptom might occur if an APN profile specifies the username and password for 4G dialup.

201604060109

Symptom: No information can be obtained from the 4G MIB.

Condition: None.

201604070435

Symptom: An HMIM module might drop packets or stop forwarding traffic.

Condition: None.

201604130088

Symptom: When STP is globally enabled on a distributed router, the state of Layer 2 interfaces becomes discarding.

Condition: None.

Resolved problems in CMW710-R0306P07

201601190330

Symptom: The VPM light of the RT-SPU-100 module fails the equipment test.

Condition: None.

201601200375

Symptom: The GPS track curve reported by the router is inaccurate.

Condition: This symptom occurs when the 4G modem just starts to work.

201601220079

Symptom: Repeated satellite information is displayed when you view the 4G modem information.

Condition: None.

201512300275

Symptom: TACACS accounting configured at the CLI does not take effect.

Condition: This symptom occurs if the super command is used to obtain another user role.

201511270766

Symptom: The status of a Layer 2 aggregate interface is incorrect.

Condition: This symptom occurs if master/subordinate switchover is repeatedly performed for the router.


201601080547

Symptom: The configuration of an Ethernet subinterface is lost after it is assigned to an aggregation group.

Condition: This symptom occurs if the router reboots after the software is upgraded or the router is started by using a .cfg configuration file.

201601120609

Symptom: The user profile name cannot contain periods (.).

Condition: None.

201601130385

Symptom: The router reboots unexpectedly.

Condition: This symptom occurs if LDP receives abnormal TCP PDUs with the length field value 0 in the header.

201601120436

Symptom: The CPU usage reaches 100% in the core where the LDP active process resides.

Condition: This symptom occurs if the following conditions exist:

LDP NSR is configured. After the session comes up, active/standby switchover has occurred.

The number of messages that the session sends by using TCP is incorrectly counted.

201511260615

Symptom: The router reboots unexpectedly.

Condition: This symptom occurs if IPsec SAs and IKE SAs are repeatedly set up and deleted.

201511050564

Symptom: The router reboots unexpectedly.

Condition: This symptom occurs if IPsec protects OSPFv3 routes, and active/standby switchover is performed for the router.

201411190490

Symptom: An ADVPN tunnel fails to be established.

Condition: This symptom occurs if the ADVPN tunnel interface is bound to a VPN instance.

201510300470

Symptom: The operating mode configuration for an SIC-1VE1T1 module does not take effect.

Condition: This symptom occurs if the following operations are performed:

a. Configure the module to operate in T1 mode, and save the configuration.

b. Switch the operating mode to E1.

c. Reboot the router without saving the configuration.

201601270151

Symptom: The cable impedance of a CE1/PRI interface on an SIC-1VE1T1 module is set to 120 ohm, but the command output shows that the interface's cable impedance is 75 ohm.

Condition: This symptom might occur if the cable impedance of a CE1/PRI interface on an SIC-1VE1T1 module is set to 120 ohm.

201602030487

Symptom: A Layer 3 subinterface on an SIC-4/9FSW(P) module cannot forward traffic if the VLAN numbered with the subinterface number is not created.

Condition: This symptom might occur if a Layer 3 subinterface is created on an SIC-4/9FSW(P) module and the VLAN numbered with the subinterface number is not created.

201512110251

Symptom: The router does not have packet statistics for an aggregate interface that uses subinterfaces as members.

Condition: None.

201601240052

Symptom: MFR subinterfaces cannot be created.

Condition: None.

201512250041

Symptom: Modification of the service type for users in an ISP domain takes effect, but the router still displays the old configuration.

Condition: This symptom might occur if the service type for users in an ISP domain is modified.

201601280133

Symptom: The expired license of the router is reactivated, but some features are still unavailable after the router automatically loads the image file.

Condition: This symptom might occur if the expired license is reactivated.

201602240243

Symptom: The router might reboot unexpectedly after running for 497 days.

Condition: None.

201602010060

Symptom: RIP route filtering settings on the router are lost after the running configuration is saved and the router is rebooted.

Condition: This symptom might occur if one of the following operations is performed:

Upgrade the software and reboot the router.

Use a .cfg configuration file when rebooting the router.

201603090066

Symptom: An ADVPN tunnel cannot be set up if a loopback interface provides the tunnel source address and the physical tunnel outgoing interface is a NAT-enabled PPPoE dialer interface.

Condition: This symptom might occur if a loopback interface provides the tunnel source address and the physical tunnel outgoing interface is a NAT-enabled PPPoE dialer interface.

201603090064

Symptom: The DVPN service is interrupted during IPsec SA renegotiation.

Condition: This symptom might occur if the IPsec SA expires and IPsec SA renegotiation is performed.

201603020540

Symptom: The memory usage keeps rising if no ACL is specified for an IPsec policy template.

Condition: This symptom might occur if no ACL is specified for an IPsec policy template.

201601120419

Symptom: An NMS returns an error when it reads the 3G modem table from the MIB of the router.

Condition: This symptom might occur if two SIC-3G cards are installed on the router.


201601160235

Symptom: The router as a PPPoE server has duplicate PPPoE client information.

Condition: None.

201601180617

Symptom: The global DHCP address pool usage is incorrect.

Condition: None.

201601260049

Symptom: The router reboots unexpectedly when it receives GRE packets with the DF bit set.

Condition: This symptom might occur if the router receives GRE packets with the DF bit set.

201601190036

Symptom: The secondary IP addresses of a Virtual-Template interface are unavailable.

Condition: None.

201601210335

Symptom: The PPP IP segment match feature does not take effect if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured.

Condition: This symptom might occur if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured.

201602010492

Symptom: A VLAN interface cannot forward IPv6 traffic if a Layer 2 aggregate interface performs forwarding for the VLAN interface.

Condition: This symptom might occur if a Layer 2 aggregate interface performs forwarding for a VLAN interface.

201601210099

Symptom: When the FTP, SSH, Telnet, DNS, HTTP, or HTTPS service is enabled, 31 irrelevant TCP ports are also opened.

Condition: This symptom might occur if the FTP, SSH, Telnet, DNS, HTTP, or HTTPS service is enabled.

201601120047

Symptom: When execution of the description command in interface view fails because the specified description contains unsupported special characters, no prompt is displayed for the failure.

Condition: This symptom might occur if the description command specifies a description that contains unsupported special characters.

201601260439

Symptom: Memory leaks and the device reboots unexpectedly.

Condition: This symptom might occur if GRE tunnels or ADVPN tunnels are established over PPPoE and traffic is forwarded through these tunnels.

Resolved problems in CMW710-R0305P08

201512030136

Symptom: A nested QoS policy cannot classify traffic correctly.


Condition: This symptom occurs if QoS pre-classify is enabled for IPsec, and a nested QoS policy is configured to classify the encrypted traffic by using DSCP values.

201508060073

Symptom: GTS cannot process bursty traffic well, and traffic is not sent evenly. When a small burst size is configured, the traffic cannot reach the expected rate.

Condition: This symptom occurs if GTS is configured on an interface to shape traffic.

201512090619

Symptom: The system displays an invalid version notification when the software of a distributed router or an IRF fabric is upgraded from R0305P04.

Condition: This symptom occurs if one of the following conditions exists:

On the distributed router, the slot number of the active MPU is higher than the slot number of the standby MPU, and the software image is stored on the active MPU.

On the IRF fabric, the chassis number of the master IRF member router is higher than the chassis numbers of the subordinate IRF member routers, and the software image is stored on the master IRF member router.

201511200241

Symptom: HMIM-8GEE interface cards might stop sending packets.

Condition: This symptom might occur if interfaces on the HMIM-8GEE interface cards receive MPLS frames greater than 3072 bytes.

201509250085

Symptom: Operating modes do not take effect on interfaces on DSIC-1SHDSL-8W interface cards.

Condition: This symptom might occur if the DSIC-1SHDSL-8W interface cards are installed in the router together with other interface cards.

201512210405

Symptom: After a static MAC address entry is configured on the MSR2004, MAC address table synchronization fails and the static MAC address entry cannot be deleted from switching chips.

Condition: This symptom might occur if the MAC address in the static MAC address entry is the source MAC address of traffic.

201511050149

Symptom: Memory leak occurs.

Condition: This symptom occurs if the display debugging command is repeatedly executed.

201512230491

Symptom: A serial interface goes down and then comes up.

Condition: This symptom occurs if the following operations have been performed:

a. The operating mode of the serial interface is changed from synchronous to asynchronous.

b. A master/subordinate switchover occurs.

201511140166

Symptom: The system fails to display or clear statistics for FCM interfaces.

Condition: This symptom occurs if you do not specify an FCM interface when executing the display fcm statistics or reset fcm statistics command.

201512030136

Symptom: No traffic matches a child QoS policy.

Condition: This symptom occurs if the child QoS policy is nested in a parent QoS policy.

201508060073

Symptom: The download speed is slow when a QoS GTS action is configured.

Condition: This symptom occurs if you set a small CBS value for the QoS GTS action.

201511060514

Symptom: QoS queuing configuration cannot be modified on an interface on the MSR4000 after a master/subordinate switchover.

Condition: None.

201512110364

Symptom: The L2VE interface and L3VE interface display up state twice after a master/subordinate switchover.

Condition: None.

201512010186

Symptom: CVE-2015-7704

Condition: Denial of Service by Spoofed Kiss-of-Death.

Symptom: CVE-2015-7705

Condition: Denial of Service by Priming the Pump.

Symptom: CVE-2015-7855

Condition: Denial of Service Long Control Packet Message.

Symptom: CVE-2015-7871

Condition: NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability.

201507140251

Symptom: VRRPv3 does not support packet authentication. However, no error is displayed when packet authentication is configured for VRRPv3.

Condition: None.

201505270318

Symptom: No prompt is displayed when the router finishes downloading a file as an FTP client.

Condition: This symptom occurs if the downloaded file is greater than 2147483647 bytes.

201512300140

Symptom: NTP time synchronization fails between the router and a Cisco device with a time accuracy of 2^32.

Condition: This symptom occurs if NTP time synchronization occurs between the device and a Cisco device with a time accuracy of 2^32.

201507210022

Symptom: IPsec RRI cannot be implemented based on negotiated traffic flow in the IPsec VPN.

Condition: None.

201511260648

Symptom: Traffic cannot be forwarded through ADVPN tunnels.

Condition: This symptom occurs if ADVPN tunnels are established over an IPv6 network.

201511300165

Symptom: The results of tests that FIPS performs for 3DES and AES-wrap are unexpected.

Condition: None.

201507020257

Symptom: The DF bit setting in IPsec packets does not take effect.

Condition: This symptom occurs if the DF bit of IPsec packets is set on the source interface bound to an IPsec policy.

201512091595

Symptom: IKEv2 uses protocol number 5000 instead of 4500.

Condition: This symptom occurs if IKEv2 NAT traversal is configured.

201510080297

Symptom: The router fails to perform PPTP dial-up.

Condition: This symptom might occur if the router accesses the PPTP server through the NAT server.

201512100696

Symptom: The OpenFlow controller fails to discover the router during topology discovery.

Condition: This symptom occurs if the OpenFlow controller uses BDDP to perform topology discovery.

201509160400

Symptom: A user line cannot be configured by using the line number command.

Condition: This symptom occurs if you use the line number command to configure the user line.

201509180141

Symptom: In CWMP, a CPE fails to establish a connection to a server.

Condition: This symptom occurs if the CWMP connection interface belongs to a VPN instance.

201511040399

Symptom: The expected bandwidth configuration on a VLAN interface is lost.

Condition: This symptom occurs after two master/subordinate switchovers.

201512010078

Symptom: The boot-loader file command fails to specify a startup image file.

Condition: This symptom occurs if the startup image file resides on the standby MPU.

201510300441

Symptom: Unexpected page break occurs during faxing or fax negotiation fails.

Condition: This symptom occurs if multiple voice calls are established during faxing.

201512110328

Symptom: MAC address entries age out when they are configured not to age.

Condition: None.

201510160271

Symptom: The dual-stack PPPoE server that mainly provides IPv6 services exhausts IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv6 addresses assigned can log in.

Condition: This symptom occurs if two master/subordinate switchovers occur after IPv6 address exhaustion.

201510220524

Symptom: A logged-in PPPoE user cannot receive traffic.

Condition: This symptom occurs if the following conditions exist:

Two routers form an IRF fabric.

The PPPoE user logs in through an IRF port.

The master device reboots.

201510130373

Symptom: A SIP call cannot be established.

Condition: This symptom occurs if the router receives an INVITE request without SDP information.

201507200041

Symptom: The VE1 PRI Layer 3 test fails.

Condition: This symptom occurs if the device receives a SETUP message in which the value of the cap. field is video.

201510160206

Symptom: The dual-stack PPPoE server that mainly provides IPv6 services has available IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv4 addresses assigned cannot log in.

Condition: None.

201509220301

Symptom: The Cellular process reboots unexpectedly.

Condition: This symptom occurs if the profile main command is executed on a cellular interface on the MSR4000.

201510230327

Symptom: If a PPPoE user logs in and then logs out, the CIR specified in the user profile for the user does not take effect.

Condition: This symptom occurs if the following conditions exist:

Two routers form an IRF fabric.

The PPPoE user logs in through an IRF port.

The master device reboots.

201508100249

Symptom: No information is displayed after the display voice sip call command is executed on the MSR4000.

Condition: None.

201512180019

Symptom: The AC of an MPLS L2VPN cannot receive packets from a CE.

Condition: This symptom occurs if a Layer 3 aggregate subinterface is used as the AC of the MPLS L2VPN.

201511250428

Symptom: Settings of the answer-time, idle-time, and trade-time parameters cannot be deployed to interface cards related to POS terminal access.

Condition: This symptom occurs if you set the answer-time, idle-time, and trade-time parameters in system view.

201512010169

Symptom: An error occurs on an IRF physical interface after the router reboots and some operations are performed on the router.

Condition: This symptom occurs if two GigabitEthernet interfaces are used as IRF physical interfaces and one of the IRF physical interfaces goes down.

201512030468

Symptom: Packet filtering does not take effect on an Ethernet interface operating in bridge mode.

Condition: This symptom occurs if packet filtering is enabled on the Ethernet interface operating in bridge mode.

201511210055

Symptom: Interfaces on the HMIM-8GSW or HMIM-24GSW interface card receive a large number of ARP requests. Then, a packet statistics error occurs and the switching modules cannot operate correctly.

Condition: This symptom occurs if ARP snooping is enabled on interfaces on the HMIM-8GSW or HMIM-24GSW interface card.

201512180334

Symptom: The MSR2004-24 or MSR2004-48 router reboots unexpectedly.

Condition: This symptom occurs if the parameter of an SDK function on the switching chip of the router is null.

201511120124

Symptom: Packets are sent out of order.

Condition: This symptom occurs if packets are sent in per-flow mode.

201511270774

Symptom: A silent call is established after the called party goes off-hook.

Condition: This symptom occurs if the router uses the SIC-1VE1 or SIC-1VT1 voice card to initiate calls.

201512140104

Symptom: The mac-address max-mac-count command does not take effect, and no error message that the router does not support this command is displayed.

Condition: This symptom occurs if the mac-address max-mac-count command is executed on a Layer 2 aggregate interface.

201511300156

Symptom: The static IPv6 address binding feature does not take effect on an interface of the HMIM-8GSW interface card.

Condition: This symptom occurs if the static IPv6 address binding feature is configured on the interface of the HMIM-8GSW card.

201512100157

Symptom: Transceiver modules on the HMIM-8GSW interface card might fail the equipment test.

Condition: This symptom occurs if the equipment test is performed on the HMIM-8GSW interface card.

201511170229

Symptom: When a POS terminal hangs up, the FCM interface stays in up state and the FCM card becomes unavailable.

Condition: This symptom occurs if the router uses the FCM card for POS dial-up access and a large number of POS terminals repeatedly dial up.

201511250418

Symptom: The 3G chip MC8705 fails to update the firmware.

Condition: This symptom occurs if an MSR2004/4000 router is used to update the firmware of the 3G chip MC8705.

201510190389

Symptom: An L2TP tunnel cannot be established because the router performs strict check on packets with hidden AVPs.

Condition: This symptom occurs if the router acts as the L2TP LNS and receives packets with hidden AVPs sent by the LAC.

201510290199

Symptom: An L2TP user with a matching full username fails L2TP authentication. An L2TP tunnel cannot be established.

Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user attach-format imsi-sn split command.

201510290176

Symptom: An L2TP user whose authentication information does not contain an at sign (@) fails L2TP authentication. An L2TP tunnel cannot be established.

Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user accept-format imsi-sn split @ command.

201508190420

Symptom: Memory loss occurs after a voice interface card on the router reboots.

Condition: This symptom occurs if the CPU usage of the router reaches 100%.

201510160215

Symptom: The router acts as the PPPoE server and uses DHCPv6 to assign IPv6 addresses to hosts. No IPv6 addresses are displayed for PPPoE users in the display ppp access-user command output.

Condition: This symptom occurs if a master/subordinate switchover occurs after PPPoE users log in.

201511250195

Symptom: The MAC address entry for a VRRP group still exists on the router after the VRRP group is deleted.

Condition: This symptom occurs if you assign an IP address to the VRRP group and then delete the VRRP group.

201506180269

Symptom: The router stops sending packets when a POS terminal accesses the router.

Condition: This symptom might occur if the number of concurrent connections reaches 30 on the AM interface multiple times and configuration of the AM interface changes.

201511170159

Symptom: IPsec does not support SM4 algorithms.

Condition: None.

Resolved problems in CMW710-R0305P04

201510300500

Symptom: Packets are out of order if flow-based forwarding is enabled.

Condition: This symptom might occur if flow-based forwarding is enabled.

201510220351

Symptom: The IMSIs of some China Telecom 3G SIM cards cannot be correctly identified.

Condition: This symptom might occur if the Vodafone IMSIs are stored as the 3GPP IMSIs of the SIM cards.

201509300412

Symptom: The peer drops the ARP packets sent by the router if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.

Condition: This symptom might occur if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.

201509240177

Symptom: The router reboots unexpectedly if an HMIM-CNDE module is removed by using the remove command during the IPsec packet forwarding process.

Condition: This symptom might occur if an HMIM-CNDE module is removed by using the remove command during the IPsec packet forwarding process.

201510260569

Symptom: If port isolation is configured on both a Layer 2 aggregate interface and its member ports, the configuration fails on the aggregate interface or its member ports. Removal of the port isolation configuration also fails.

Condition: This symptom might occur if port isolation is configured on a Layer 2 aggregate interface and its member ports.

201509240346

Symptom: Channel configuration on radio interfaces is lost after a reboot.

Condition: None.

201509300064

Symptom: The traffic statistics for 3G/4G serial and Eth-channel interfaces are 0 in the MIB.

Condition: None.

201510300208

Symptom: The router cannot communicate with the peer if the router acts as the LNS to set up an L2TP tunnel to the peer by using a SIC-4FSW module.

Condition: This symptom might occur if the router acts as the LNS to set up an L2TP tunnel to the peer by using a SIC-4FSW module.

201511110304

Symptom: The router reboots unexpectedly if VLAN interfaces are created or deleted during the traffic forwarding process.

Condition: This symptom might occur if VLAN interfaces are created or deleted during the traffic forwarding process.

201508290046

Symptom: The CPU usage of the router rises if the router acts as a Telnet server and Telnet login to the router is aborted abnormally.

Condition: This symptom might occur if the router acts as a Telnet server and Telnet login to the router is aborted abnormally.

201509290092

Symptom: Telnet login with remote TACACS/RADIUS authentication fails.

Condition: This symptom might occur if Telnet login with remote TACACS/RADIUS authentication is performed.

201505130349

Symptom: Static NAT444 traffic does not trigger NAT444 user logging.

Condition: None.

201507070217

Symptom: ACL mismatches occur if a connection limit policy is applied to DS-Lite tunnels.

Condition: This symptom might occur if a connection limit policy is applied to DS-Lite tunnels.

201510200471

Symptom: The routing, multicast, authentication, and voice modules stop working, and incorrect information is displayed for the TRAP, NetStream, and DHCP modules.

Condition: This symptom might occur if the router has been running for more than seven months (214 days).

201508260173

Symptom: The time range status is incorrect if NTP is used.

Condition: This symptom might occur if NTP is used.

201510140128

Symptom: DDNS dynamic domain name update fails if the DDNS password contains forward slashes (/).

Condition: This symptom might occur if the DDNS password contains forward slashes (/).

201509160563

Symptom: The router reboots unexpectedly if the router acts as a PPPoE server and PPPoE users repeatedly come online and go offline.

Condition: This symptom might occur if the router acts as a PPPoE server and PPPoE users repeatedly come online and go offline.

201401100267

Symptom: PPP IPCP negotiation fails when a PPPoE client initiates a connection request to the router, and the VA interface goes up and comes down constantly.

Condition: This symptom might occur if NAT is performed for the PPPoE client, and IP address negotiation is enabled on the dialer interface.

201509170256

Symptom: Information about the last login is not displayed for a user that passes authentication.

Condition: None.

201507160359

Symptom: CVE-2014-8176

Condition: If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages, a segmentation fault or, potentially, memory corruption may result.

Symptom: CVE-2015-1788

Condition: When processing an ECParameters structure OpenSSL enters an infinite loop. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates.

Symptom: CVE-2015-1789

Condition: X509_cmp_time does not properly check the length of the ASN1_TIME string and/or accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs.

Symptom: CVE-2015-1790

Condition: The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.

Symptom: CVE-2015-1791

Condition: If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.

Symptom: CVE-2015-1792

Condition: When verifying a signedData message the CMS code can enter an infinite loop. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.

201510130373

Symptom: SIP calls cannot be placed if the router receives INVITE requests with no SDP information.

Condition: This symptom might occur if the router receives INVITE requests with no SDP information.

201507200041

Symptom: The router sends a SIP response message that contains an incorrect call release cause code if the router receives an INVITE request with SDP information that contains the video capability.

Condition: This symptom might occur if the router receives an INVITE request with SDP information that contains the video capability.

201508100249

Symptom: The display voice sip call command outputs nothing if an MSR4000 router is a single-chassis IRF fabric and uses the chassis number 2.

Condition: This symptom might occur if an MSR4000 router is a single-chassis IRF fabric and uses the chassis number 2.

201508190420

Symptom: Memory leaks occur if the voice card is rebooted at the CLI when the CPU usage is 100%.

Condition: This symptom might occur if the voice card is rebooted at the CLI when the CPU usage is 100%.

201510270033

Symptom: Upgrading the standby MPU of the MSR4000 router fails.

Condition: This symptom might occur if the active MPU only has an .ipe startup image file, and the boot-loader command specifies the .ipe file for upgrading the standby MPU.

Resolved problems in CMW710-R0305

201509070388

Symptom: A fiber port cannot come up if a 100-Mbps optical transceiver module is installed in the port and the speed 100 command is executed on the port.

Condition: This symptom might occur if a 100-Mbps optical transceiver module is installed in the port and the speed 100 command is executed on the port.

201504130290

Symptom: Fax transmission fails if fax pass-through by using the G.711alaw or G.711ulaw codec is used for DIS signal transmission.

Condition: This symptom might occur if fax pass-through by using the G.711alaw or G.711ulaw codec is used for DIS signal transmission.

201509240046

Symptom: Some interfaces on the HMIM-8E1T1-F module cannot come up if the module is produced on 11 August 2015 or after that date.

Condition: This symptom might occur if the HMIM-8E1T1-F module is produced on 11 August 2015 or after that date.

201508040165

Symptom: Some transactions of POS terminals fail if TCP FIN packets contain transaction data.

Condition: This symptom might occur if TCP FIN packets contain transaction data.

201507150251

Symptom: Layer 3 aggregate interfaces cannot be created by using IMC.

Condition: This symptom might occur if IMC is used to create Layer 3 aggregate interfaces.

201508290021

Symptom: The CPU usage is high if the TCP maximum segment size is set to 1400 bytes.

Condition: This symptom might occur if the following operations have been performed:

a. Use the tcp mss command to set the TCP maximum segment size to 1400 bytes.

b. Save the configuration and reboot the router.

201508250213

Symptom: The delay in the result of the NQA ICMP jitter operation is much larger than the delay in the ping operation result.

Condition: This symptom might occur if the NQA ICMP jitter operation is performed.

201509140123

Symptom: The router cannot communicate with a Cisco device through the HDLC link between them.

Condition: This symptom might occur if the ip address slarp interval 1 command is executed on the Cisco device.

201508270343

Symptom: Tracert returns the destination IP address as the first hop if it is used on an L2TP over IPsec tunnel.

Condition: This symptom might occur if tracert is used on an L2TP over IPsec tunnel.

201510130060

Symptom: The signature algorithm does not support HMAC-SHA256 when a certificate request is made in non-FIPS mode.

Condition: This symptom might occur if the certificate request is made in non-FIPS mode.

201510200471

Symptom: The OSPF LSAs on the router do not age out. As a result, peers cannot learn routes from the router.

Condition: This symptom might occur if OSPF is enabled on the router, and the router has been operating for more than 210 days.

201507140154

Symptom: The router can be successfully logged in to by using a public key through SSH1, but RSA fails to encrypt the public key.

Condition: This symptom might occur if a public key and SSH are used to log in to the router.

201508280355

Symptom: The HDLC process does not respond if the display interface serial command is executed when the router receives ADDR_REQ packets.

Condition: This symptom might occur if the display interface serial command is executed when the router receives ADDR_REQ packets.

201509220038

Symptom: The router fails TACACS authentication for an incorrect password or invalid shared key if the TACACS server uses ACS V5.6 or later versions.

Condition: This symptom might occur if the TACACS server uses ACS V5.6 or later versions.

Resolved problems in CMW710-R0304P12

201507250134

Symptom: The router can be successfully logged in to by using an incorrect password.

Condition: This symptom might occur if remote TACACS authentication and NETCONF are used to log in to the router.

201508030326

Symptom: An interface goes down and the router reboots unexpectedly if PPPoE sessions are established on a large number of subinterfaces on the interface.

Condition: This symptom might occur if PPPoE sessions are established on a large number of subinterfaces on the interface.

201508030334

Symptom: The secondary RADIUS authentication/authorization server cannot be reconfigured if it has been deleted.

Condition: This symptom might occur if the secondary RADIUS authentication/authorization server is deleted and then reconfigured.

201506190329

Symptom: An interface on an HMIM-8GSWF module cannot communicate with the directly connected peer.

Condition: This symptom might occur if the port security mode of the interface is set to autoLearn, and the HMIM module is rebooted.

201507300171

Symptom: The router reboots unexpectedly if the RADIUS server sends a DM request to log off a user by session ID.

Condition: This symptom might occur if the RADIUS server sends a DM request to log off a user by session ID.

201505200410

Symptom: Matching packets are not assigned to the RTP queue.

Condition: This symptom might occur if the UDP port number of the packets is an odd number before byte order reversing.

201508030336

Symptom: The router reboots unexpectedly if the IPsec tunnels on the router have been forwarding traffic for a long period of time.

Condition: This symptom might occur if the IPsec tunnels on the router have been forwarding traffic for a long period of time.

201507270023

Symptom: The router chooses a dynamic address pool over a static address pool when the router processes DHCP INFORM packets sent by a client that uses an IP address in the static address pool.

Condition: This symptom might occur if the dynamic address pool contains all IP addresses of the static address pool.

201508120238

Symptom: When the router acts as a DHCP server, DHCP clients obtain IP addresses after a long delay.

Condition: This symptom might occur if the DHCP clients have errors and are moved from another network.

201508030441

Symptom: Routes configured by using the ppp ip-pool route command are lost after an IRF master/subordinate switchover.

Condition: This symptom might occur if an IRF master/subordinate switchover occurs.

201507160240

Symptom: IMC cannot display the rules of ACLs.

Condition: None.

201508130129

Symptom: The router does not prompt for LDP session reset after the LSR ID is modified, and then MPLS has status or forwarding errors.

Condition: This symptom might occur if the mpls lsr-id command is used to modify the LSR ID.

201508110265

Symptom: The FTP user is logged off after FTP finishes transferring files to the storage medium of the standby MPU.

Condition: This symptom might occur if FTP is used to transfer large files to the storage medium of the standby MPU.

201508110026

Symptom: The router reboots unexpectedly if the IPsec over L2TP tunnels on the router have been forwarding traffic for a long period of time.

Condition: This symptom might occur if the IPsec over L2TP tunnels on the router have been forwarding traffic for a long period of time.

201504210203

Symptom: A centralized IRF member router halts during reboot after its operating mode is changed from IRF to standalone.

Condition: This symptom might occur if the following operations have been performed on the router:

a. Save the configuration.

b. Shut down the IRF physical interfaces.

c. Change the operation mode from IRF to standalone after the IRF fabric splits.

201507090504

Symptom: When a PoE profile is configured, the router warns that the maximum PI power specified by using the poe max-power command is invalid even if the value is in the valid power range.

Condition: None.

201508120439

Symptom: The router reboots unexpectedly if the router is deleted from IMC.

Condition: This symptom might occur if the following conditions exist:

The router connects to IMC through a tunnel and passes portal authentication.

The router is deleted from IMC after portal authentication.

201508050381

Symptom: MAC address check on a DHCP relay agent does not take effect after DHCP is disabled.

Condition: This symptom might occur if DHCP is disabled.

201507130082

Symptom: The router reboots unexpectedly if the HMIM-2/4/8GE module is repeatedly rebooted when the module receives traffic.

Condition: This symptom might occur if the HMIM-2/4/8GE module is repeatedly rebooted when the module receives traffic.

201508180093

Symptom: Two terminals in the same 3G or 4G network cannot communicate with each other.

Condition: This symptom might occur if the terminals are assigned the same network segment but different subnet masks.

201508240276

Symptom: The router does not display the legal banner before authentication when an SSH user logs in to the router.

Condition: None.

201508240106

Symptom: Some interfaces on the HMIM-2/4/8E1T1-F module cannot come up.

Condition: None.

201507300132

Symptom: Though the fixed Ethernet interfaces of the MSR2004 router are up, they cannot receive packets.

Condition: This symptom occurs after the MSR2004 router has been operating for a certain period of time.

201507240120

Symptom: Very rarely, the fixed GE0/1 or GE0/2 interface of the MSR2004 router cannot come up, and the interface cannot receive or send packets (this occurs in a very small percentage of BCM5221 chips).

Condition: None.

201508060025

Symptom: The settings of MP-group interfaces are incompatible after an MSR router is upgraded to E0302P06 or a later version.

Condition: This symptom occurs if an MSR router is upgraded to E0302P06 or a later version.

201507080421

Symptom: The display qos policy interface command outputs incorrect statistics.

Condition: This symptom might occur if MPLS forwarding, PPP IP header compression, and QoS CBQ are enabled on PPP interfaces of the router.

201506050279

Symptom: A POS transaction fails if it has multiple interaction messages.

Condition: This symptom might occur if the following conditions exist:

POS terminal access is enabled on the router.

The background process of POS transactions requires that the messages of a transaction must have the same source TPDU.

201506030302

Symptom: Memory leakage occurs when the router is sending NetStream data packets.

Condition: This symptom might occur if NetStream is enabled on the router.

201507200403

Symptom: In the RADIUS packets that the router sends, '\000' is incorrectly added to the NAS-ID attribute.

Condition: This symptom might occur if RADIUS authentication is configured on the router.

Resolved problems in CMW710-R0304P04

201501200401

Symptom: RBAC cannot control access to the content filtering feature.

Condition: None.

201503020376

Symptom: Packets are dropped after a BGP GR process is completed.

Condition: This symptom occurs if both BFD and GR are enabled for BGP.

201507170124

Symptom: The MPLS ILM entry is not updated after the traffic processing unit is changed for an outgoing interface.

Condition: This symptom occurs if the traffic processing unit is changed for an outgoing interface.

201504190023

Symptom: The BGP process on the PE is stuck.

Condition: This symptom occurs if the following conditions exist:

There is a large number of routes and many types of traffic.

The PE runs for a long time.

201507020251

Symptom: A PW is re-created after the L2VPN process is re-optimized by using the placement reoptimize command.

Condition: This symptom occurs if split horizon is enabled for the PW.

201506300136

Symptom: An interface on the SIC-4GSW card cannot ping the directly connected interface on the same subnet after the interface is changed to a Layer 3 interface.

Condition: This symptom occurs if the following operations are performed:

a. Enable port security globally.

b. Configure port security on the interface operating as a Layer 2 interface.

c. Change the interface to a Layer 3 interface.

201505290258

Symptom: Subinterfaces cannot be created or deleted when there are more than 4000 subinterfaces on the router.

Condition: This symptom might occur if the following operations are performed:

a. Perform an active/standby switchover.

b. Restart the standby MPU.

c. Change a main interface between Layer 2 mode and Layer 3 mode.

d. Bring up and shut down the main interface.

201507170043

Symptom: A router in an MPLS network reboots unexpectedly.

Condition: This symptom occurs if the public interface of the router goes down and comes up repeatedly.

201507030323

Symptom: Memory leaks.

Condition: This symptom occurs if NETCONF is used to download files for the FileSystem node.

201506190348

Symptom: The xmlcfgd process crashes.

Condition: This symptom occurs if the xmlcfgd process is accessed through XML when there is no Envelope namespace.

201506190151

Symptom: The router does not preferentially use static address allocation when receiving a DHCP-INFORM message from a client.

Condition: This symptom occurs if the following conditions exist:

The client is bound to an IP address in a DHCP address pool.

Another DHCP address pool includes the IP address bound to the client.

201506100354

Symptom: The router configured with WAAS sends a receiving buffer size different from the set value to the peer device.

Condition: This symptom occurs if the receiving buffer size is modified.

201507020391

Symptom: The TTL of a static blacklist entry is different from the actual aging time.

Condition: This symptom occurs if the static blacklist entry is added after a master/subordinate switchover in an IRF fabric.

201505150461

Symptom: An interface cannot forward packets when it is up.

Condition: This symptom occurs if a large number of portal users come online and go offline through the interface.

201506100261

Symptom: ARP reply packets are forwarded through the trusted interface even if there is a match in the MAC address table.

Condition: This symptom occurs when ARP restricted forwarding is enabled.

201506120046

Symptom: The ToS bits in the outer IP header are not set to the same as the ToS bits in the inner header after IP packets are encapsulated with MPLS L3VPN or GRE.

Condition: This symptom occurs if IP packets are encapsulated with MPLS L3VPN or GRE.

201506230020

Symptom: A POS interface cannot forward packets that are greater than 2048 bytes.

Condition: None.

201504270304

Symptom: Only up to 256 ports can be specified in one nat server command.

Condition: None.

201503110416

Symptom: Assertion information is displayed and accounting stops when a user comes online.

Condition: This symptom occurs if the accounting quota-out redirect-url command is configured.

201411190412

Symptom: The tunnel source cannot return Packet Too Big messages for packets tunneled through an IPv6 over IPv4 tunnel.

Condition: This symptom occurs when fragmentation check is enabled for packets to be tunneled.

201503090076

Symptom: IPv4 addresses must be configured on the AFTR of a DS-Lite tunnel.

Condition: This symptom occurs when the AFTR of a DS-Lite tunnel is configured.


201507070230

Symptom: The router establishes calls slowly when using R2 signaling.

Condition: This symptom occurs if R2 signaling is used.

201505200402

Symptom: Too much log information is displayed after RTP packets are interrupted.

Condition: This symptom occurs if the network link fails after a call is established.

201505290049

Symptom: The hh3cTransceiver node does not return new information for a different transceiver module type.

Condition: This symptom occurs if the following operations are performed:

a. Replace a transceiver module.

b. Walk the hh3cTransceiver node by using a MIB browser.

201506250411

Symptom: CVE-2015-3143

Condition: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request.

Symptom: CVE-2015-3148

Condition: cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

201411190504

Symptom: The number of packets in the ADVPN session statistics is a negative value.

Condition: This symptom occurs if the router forwards traffic for a long time.

201504140088

Symptom: CVE-2015-0209

Condition: A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources.

Symptom: CVE-2015-0286

Condition: DoS vulnerability in certificate verification operation. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.

Symptom: CVE-2015-0287

Condition: Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected.

Symptom: CVE-2015-0288

Condition: The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid.

Symptom: CVE-2015-0289

Condition: The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.

Symptom: CVE-2015-0292

Condition: A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data.

Symptom: CVE-2015-0293

Condition: A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.

201505250363

Symptom: Services are interrupted for about 50 minutes after the router runs for a long time with traffic load.

Condition: This symptom might occur if the DH-Group2 algorithm is used in an IPsec VPN environment.

201507200433

Symptom: An interface on an MSR2004 router is up, but does not receive packets.

Condition: This symptom occurs if the following conditions exist:

The router runs for a long time with traffic load.

The interface is configured with multiple features.

201506240472

Symptom: Of multiple EVI tunnels, only one tunnel can forward traffic.

Condition: This symptom occurs if the following conditions exist:

The EVI tunnels have the same source IP address and the same destination IP address.

Each EVI tunnel is used for a different VLAN.

201506030356

Symptom: The feature images are not selected from the storage medium where the current boot and system images reside.

Condition: This symptom occurs if the router has multiple storage media.

201506230200

Symptom: The WAAS optimization effect is poor in per-flow load sharing mode.

Condition: None.

201507070433

Symptom: The peer port is up when the local fiber port is down.

Condition: This symptom occurs after the fiber port is changed from Layer 2 mode to Layer 3 mode.

201506250378

Symptom: An MSR3024 or MSR3044 router cannot forward 65-byte packets at wire speed when fast forwarding is enabled.

Condition: This symptom occurs if fast forwarding is enabled.

201506020161

Symptom: BGP neighbors flap after the IRF fabric is restarted.

Condition: This symptom occurs if a large number of BGP neighbors are established dynamically.

201507270061

Symptom: An aggregate interface with two or more member ports cannot ping the directly connected interface.


Condition: This symptom occurs after the aggregate interface is changed between Layer 2 mode and Layer 3 mode more than 20 times.

201507090496

Symptom: The ARP packets of one VLAN interface are sent out of a member port of another VLAN interface.

Condition: This symptom occurs if more than two VLANs exist and their VLAN interfaces are assigned IP addresses.

201504230195

Symptom: On an IRF fabric, assertion information is displayed and subordinate routers reboot when the IPv4 device is pinged from the IPv6 side.

Condition: This symptom occurs if the traffic processing unit for the AFT traffic of a VLAN interface is not on the same forwarding card as the member interfaces of the VLAN interface.

201506090049

Symptom: The FCM card behaves unexpectedly.

Condition: This symptom occurs if FCM subinterfaces are deleted through MIB.

201507070310

Symptom: The link layer protocol of a DTE interface goes down.

Condition: This symptom occurs if the clock selection mode is set to autonegotiation for the DTE interface.

201507010073

Symptom: The router reboots repeatedly after traffic statistics are cleared.

Condition: This symptom occurs if the following operations are performed:

a. Perform an active/standby switchover for HDLC interfaces that forward Layer 3 IP traffic.

b. Configure NetStream.

c. Enable the application statistics feature by using the application statistics enable command.

201411030517

Symptom: Web redirection fails for a PPPoE user.

Condition: This symptom occurs if Web redirection parameters are assigned through RADIUS.

201503110069

Symptom: The VLAN ID sent to the RADIUS server is incorrect.

Condition: This symptom occurs if a QinQ PPPoE user comes online.

201503090276

Symptom: Users of a domain cannot be displayed or forcibly logged out.

Condition: This symptom occurs if the users come online without domain information.

201503110472

Symptom: Redirection fails after a PPPoE client issues a redirection attribute.

Condition: This symptom occurs if a PPPoE client issues a redirection attribute.

201503110566

Symptom: The redirection attribute issued through a COA message does not take effect.

Condition: This symptom occurs if the redirection attribute is issued through a COA message.


201507150201

Symptom: Assertion information appears when the pppoesd process is restarted on the L2TP LNS.

Condition: This symptom occurs if a user comes online in NAS-initiated tunneling mode.

201505190435

Symptom: Some BGP peers go down and come up after the router is rebooted.

Condition: This symptom might occur if the following conditions exist:

The router is in an IRF fabric or is a distributed router in standalone mode.

The router has a large number of BGP peers.

201507200270

Symptom: An MSR1000 router reboots repeatedly.

Condition: This symptom occurs if the following operations are performed:

a. Install a SIC4SAE card into the router.

b. Send bidirectional traffic between the router and its peer device.

Resolved problems in CMW710-R0304P02

201505200131

Symptom: Voice services are interrupted during long calls.

Condition: This symptom might occur if E&M non-signaling mode and PCM pass-through are enabled.

201506290040

Symptom: On a single-MPU router, the fan speed does not increase when the CPU temperature keeps rising.

Condition: This symptom might occur if the router starts in high-temperature environments.

201505250288

Symptom: NQA TCP operations fail after the router runs for a period of time.

Condition: This symptom might occur if one of the following conditions exists:

The interval between NQA probes is shorter than 10 milliseconds.

NQA operations are frequently performed over a long period of time.

201504230250

Symptom: The router displays garbled bandwidth usage-based load-sharing information for an aggregate interface.

Condition: This symptom might occur if bandwidth usage-based load-sharing is enabled on the aggregate interface.

201505250277

Symptom: OpenFlow cannot correctly send ARP packets to the SDN controller.

Condition: This symptom might occur if the following operations have been performed:

a. Save the running configuration and reboot the router.

b. Restore OpenFlow configuration by using an .mdb binary file.


201505150431

Symptom: 802.1X authentication fails.

Condition: This symptom might occur if the server issues VLAN IDs, but the length of the Tunnel-Private-Group-id attribute is not 6 bytes in RADIUS packets sent by the server.

201504230250

Symptom: Traffic forwarding is interrupted on the router.

Condition: This symptom might occur if portal users repeatedly come online and go offline over a long period of time when the router is forwarding traffic.

201506120253

Symptom: When the display qos policy interface command is executed for a VT interface configured with QoS policies, nothing is displayed or the console halts.

Condition: This symptom might occur if QoS policies are configured on the VT interface, and more than 2000 online PPPoE users exist on the interface.

201505140232

Symptom: An SD or CF card on the router is not accessible.

Condition: This symptom might occur if the SD or CF card stores more than 15000 files.

201505180304

Symptom: An IRF member router halts after a reboot if it is switched from the IRF mode to the standalone mode.

Condition: This symptom might occur if the following operations have been performed on the router:

a. Save the running configuration.

b. Shut down the IRF physical interfaces.

c. Switch the router to the standalone mode after the IRF fabric splits, and then reboot the router.

201505250207

Symptom: SIP source interface bindings do not take effect after the router reboots.

Condition: This symptom might occur if the following operations have been performed:

a. Configure SIP source interface bindings.

b. Save the running configuration and reboot the router.

201506230030

Symptom: When one of the E1 links on the router goes down, fast forwarding entries update slowly, and forwarding services are affected.

Condition: This symptom might occur if the following conditions exist:

Multiple equal-cost E1 links are configured on the router.

PPP IP header compression is enabled on the serial interfaces for the E1 links.

The router is forwarding multiple data flows.

201506080129(CVE-2015-5434)

Symptom: When an interface without MPLS enabled receives MPLS-labeled packets, the interface incorrectly forwards the MPLS-labeled packets to the next LSR by LFIB entry.

Condition: This symptom occurs when the interface does not have MPLS enabled and the interface receives MPLS-labeled packets that match the FIB entries.


Resolved problems in CMW710-R0304

201504210231

Symptom: CVE-2015-1799

Condition: Authentication doesn't protect symmetric associations against DoS attacks.

201504230275

Symptom: A router replies with a re-INVITE message with the Referred-By header field after receiving a REFER request without the Referred-By header field from a Lync server.

Condition: This symptom occurs when a Lync server sends a REFER request without the Referred-By header field to the router.

201504230289

Symptom: A called phone rings once before going on-hook.

Condition: This symptom occurs if the following conditions exist:

The calling router and called router use different codecs.

The called router connects to the called phone through a VE interface.

201505110326

Symptom: NATed packets fail to be forwarded after the original route becomes unavailable.

Condition: This symptom might occur if the interface used as the backup outgoing interface is not configured with NAT.

201505150401

Symptom: A router configured with IPsec fails to be authenticated by a Comware-V5-based peer device.

Condition: This symptom might occur if the router is configured with an IKE-based IPsec policy and the PFS feature is enabled for the IPsec policy.

Resolved problems in CMW710-E0302P06

201411280347

Symptom: When the MTU of a physical interface is configured greater than 1500 bytes, the interface still uses 1492 as the MTU.

Condition: This symptom occurs when the MTU of the physical interface bound to PPPoE is not 1500.

Workaround: For TCP applications, modify the TCP MSS on the dialer or VT interface to avoid improper packet fragmentation.

201502020298

Symptom: On an IRF fabric formed by MSR4000 routers and configured with multichassis Layer 3 aggregation, after a master/subordinate switchover, all users that log in through Selected interfaces on the rebooted router are logged out.

Condition: This symptom occurs when the IRF fabric formed by MSR4000 routers acts as the PPPoE server and the multichassis Layer 3 aggregate interface is used to respond to PPPoE login requests.

Workaround: None.


201502100609

Symptom: In an FR L2VPN with one end as an FR network and the other end as an Ethernet link, CEs cannot communicate.

Condition: This symptom occurs when one end of the FR L2VPN is an FR network and the other end is an Ethernet link.

Workaround: None.

201501290181

Symptom: When an L2VPN cross-connect is bound to a Layer 3 aggregate interface, receiving LACPDUs times out, and the aggregation group member ports flap frequently.

Condition: This symptom occurs when the L2VPN cross-connect is bound to a Layer 3 aggregate interface.

Workaround: None.

201501080118

Symptom: The VAM process reboots repeatedly.

Condition: This symptom occurs when the hub device also acts as the VAM server.

Workaround: Use a separate device as the VAM server.

201411140486

Symptom: Ping packets are lost on an eight-wire G.SHDSL.BIS EFM interface of the MSR router after the interface is shut down and then brought up.

Condition: This symptom might occur if the EFM interface is connected to a Cisco device.

201502150313

Symptom: Packet loss occurs on an interface that is configured with both policy nesting and CBQ.

Condition: This symptom might occur if the interface has been forwarding traffic at near wire rate for a long time.

201502030476

Symptom: The MSR router forwards some packets out of their incoming interface after an active/standby link switchover.

Condition: This symptom might occur if the active/standby link switchover occurs when the router is forwarding a large amount of traffic.

201502270045

Symptom: The serial communication protocol goes down and LCP packets are lost on a serial interface when it is processing bidirectional traffic during the T1 delay test.

Condition: This symptom might occur if the qos qmtoken 1 command is executed on the interface.

201503090250

Symptom: The MSR router does not update the media channel after it receives a re-INVITE message with only the c field updated.

Condition: This symptom might occur if the MSR router receives a re-INVITE message with only the c field updated.

201503160098

Symptom: CAR does not support the bandwidth percentage method.

Condition: This symptom might occur if CAR is configured by using the bandwidth percentage method.


201407180184

Symptom: A local PBR policy does not take effect when no other services are configured.

Condition: This symptom might occur if only a local PBR policy is configured on the router.

Resolved problems in CMW710-E0102

RTV7D000933

Symptom: Fragments can't be filtered by ACL.

Condition: This symptom occurs when the fragment keyword is used in the ACL rule.

RTV7D000932

Symptom: Both routers in the VRRP group are in the Master state when MD5 authentication mode is used.

Condition: This symptom occurs when MD5 authentication mode is used.

Resolved problems in CMW710-E0006P02

CM13040119

Symptom: Device tests fail during manufacturing.

Condition: This symptom occurs during manufacturing tests.

Support and other resources

Accessing Hewlett Packard Enterprise Support

For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance

To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc

Information to collect:

Technical support registration number (if applicable).

Product name, model or version, and serial number.

Operating system name and version.

Firmware version.

Error messages.

Product-specific reports and logs.

Add-on products or components.

Third-party products or components.

Documents

To find related documents, see the Hewlett Packard Enterprise Support Center website at http://www.hpe.com/support/hpesc.


Enter your product name or number and click Go. If necessary, select your product from the resulting list.

For a complete list of acronyms and their definitions, see HPE FlexNetwork technology acronyms.

Related documents

The following documents provide related information:

HPE FlexNetwork MSR2000 Routers Installation Guide

HPE FlexNetwork MSR3000 Routers Installation Guide

HPE FlexNetwork MSR4000 Routers Installation Guide

HPE FlexNetwork MSR2000 Routers Quick Start

HPE FlexNetwork MSR3000 Routers Quick Start

HPE FlexNetwork MSR4000 Routers Quick Start

HPE FlexNetwork MSR Router Series Interface Module Guide

HPE FlexNetwork MSR2000/3000/4000 Routers Compliance and Safety Manual

About the HPE FlexNetwork MSR Router Series Command References(V7)

HPE FlexNetwork MSR Router Series ACL and QoS Command Reference(V7)

HPE FlexNetwork MSR Router Series EVI Command Reference(V7)

HPE FlexNetwork MSR Router Series Fundamentals Command Reference(V7)

HPE FlexNetwork MSR Router Series High Availability Command Reference(V7)

HPE FlexNetwork MSR Router Series Interface Command Reference(V7)

HPE FlexNetwork MSR Router Series IP Multicast Command Reference(V7)

HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Command Reference(V7)

HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Command Reference(V7)

HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Command Reference(V7)

HPE FlexNetwork MSR Router Series Layer 3 - IP Services Command Reference(V7)

HPE FlexNetwork MSR Router Series MPLS Command Reference(V7)

HPE FlexNetwork MSR Router Series NEMO Command Reference(V7)

HPE FlexNetwork MSR Router Series Network Management and Monitoring Command Reference(V7)

HPE FlexNetwork MSR Router Series OAA Command Reference(V7)

HPE FlexNetwork MSR Router Series OpenFlow Command Reference(V7)

HPE FlexNetwork MSR Router Series Probe Command Reference(V7)

HPE FlexNetwork MSR Router Series Security Command Reference(V7)

HPE FlexNetwork MSR Router Series Virtual Technologies Command Reference(V7)

HPE FlexNetwork MSR Router Series Voice Command Reference(V7)

HPE FlexNetwork MSR Router Series WLAN Command Reference(V7)

About the HPE FlexNetwork MSR Router Series Configuration Guides(V7)

HPE FlexNetwork MSR Router Series ACL and QoS Configuration Guide(V7)

HPE FlexNetwork MSR Router Series EVI Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Fundamentals Configuration Guide(V7)

HPE FlexNetwork MSR Router Series High Availability Configuration Guide(V7)


HPE FlexNetwork MSR Router Series Interface Configuration Guide(V7)

HPE FlexNetwork MSR Router Series IP Multicast Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Layer 3 - IP Services Configuration Guide(V7)

HPE FlexNetwork MSR Router Series MPLS Configuration Guide(V7)

HPE FlexNetwork MSR Router Series NEMO Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Network Management and Monitoring Configuration Guide(V7)

HPE FlexNetwork MSR Router Series OAA Configuration Guide(V7)

HPE FlexNetwork MSR Router Series OpenFlow Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Probe Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Security Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Virtual Technologies Configuration Guide(V7)

HPE FlexNetwork MSR Router Series Voice Configuration Guide(V7)

HPE FlexNetwork MSR Router Series WLAN Configuration Guide(V7)

Documentation feedback

Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.


Appendix A Feature list

Hardware features

Table 5 MSR1000 specifications

Item | MSR1002-4 | MSR1003-8S
Console/AUX port | 1 | 1
USB port | 1 | 1
Gigabit Ethernet port | 5 | 10
SFP port | 1 | N/A
Asynchronous/synchronous serial interface | 1 | N/A
Memory | 512 MB DDR3 | 1 GB DDR3
Flash | 256 MB | 256 MB
SIC/DSIC slot | 2 SIC slots (1 DSIC slot) | 3 SIC slots (1 DSIC slot)
Dimensions (H × W × D) (excluding rubber feet and mounting brackets) | 44.2 × 360 × 300 mm (1.74 × 14.17 × 11.81 in) | 44.2 × 360 × 300 mm (1.74 × 14.17 × 11.81 in)
AC power supply | Rated voltage range: 90 VAC to 264 VAC @ 50 Hz/60 Hz | Rated voltage range: 90 VAC to 264 VAC @ 50 Hz/60 Hz
Rated power for AC power supply | 30 W | 30 W
Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F)
Relative humidity (noncondensing) | 5% to 90% | 5% to 90%

Table 6 MSR2000/MSR2000 TAA specifications

Item

Console/AUX port

USB console port

USB port

GE WAN port

GE LAN port

SFP port

Memory

Flash/CF

SIC/DSIC slot

MSR2003/MSR2003 TAA

1

MSR2004-24

1

1

2

-

1

-

1

3

-

1GB DDR3

1

1GB DDR3

256MB Flash

3 SIC slots

(Slots 1 and 2 can be used for a DSIC interface module by removing the slot divider.)

256MB CF

4 SIC slots

MSR2004-48

1

3

1

-

-

1GB DDR3

256MB CF

4 SIC slots


Dimensions (H × W × D)

(excluding rubber feet and mounting brackets)

AC power supply

360mm×305.3mm×44.2 mm

DC power supply

440mm×363.5mm×44.2 mm

440mm×403.5mm×44.2 mm

Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz

- -

Rated voltage range: –48 VDC to –60 VDC

Maximum power for

AC/DC power supply

54W 54W 150W

Operating temperature 0°C to 45°C

Relative humidity

(noncondensing)

5% to 90%

Table 7 MSR3000/MSR3000 TAA specifications

Item MSR3012 MSR3024/MSR3024 TAA MSR3044 MSR3064

CON/AUX ports

USB console ports

USB ports

1

1

2

Gigabit Ethernet ports 3

SIC/DSIC slots 2 SIC slots

HMIM slots

VPM slots

1

1

Memory

DDR3

1 GB/2 GB

2

1

DDR3

2 GB

(default)

4 GB

(maximum)

4 SIC slots/2 DSIC slots

4

2

6

2

DDR3

2 GB (default)

4 GB (maximum)

CF card memory

(inside)

CF card memory

(outside)

CF card slot

Dimensions (H × W × D) (excluding rubber feet and mounting brackets)

AC power supply

DC power supply

Maximum power for AC/DC power supply

Maximum power for PoE power supply

Maximum power for each PoE port

256 MB (default)

-

0

44.2 × 440 × 484.3 mm

Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz

Rated voltage range:

–48 VDC to –60 VDC

125 W 125 W 300 W 300 W

-

15.4 W

44.2 × 440 × 484.3 mm

275 W

4 GB (maximum)

1

88.1 × 440 × 480 mm

750 W

130.5 × 440 × 480 mm

750 W

RPS power supply

Power pluggable and backup

800 W

-

Operating temperature 0°C to 45°C (32°F to 113°F)

Relative humidity

(noncondensing)

5% to 90%

Table 8 MSR4000 specifications

Item

MPU slot

SPU slot

HMIM slot

Dimensions (H × W × D), excluding rubber feet and mounting brackets

Power pluggable and backup

1

6

MSR4060

2

175.1 × 440 × 480 mm

N+1

Dual power

MSR4080

8

219.5 × 440 × 480 mm

N+1

Operating temperature 0°C to 45°C (32°F to 113°F)

Operating humidity (noncondensing) 5% to 90%

Table 9 MSR4000/MSR4000 TAA MPU specifications

Item | Specification
Console port | 1
AUX port | 1
GE management port | 1
USB console port | 1
USB port | 1
Memory | 2 GB DDR3 (default), 4 GB DDR3 (maximum)
CF card | 512 MB (default), 4 GB (maximum)
CF card slot | 1
Flash | 8 MB

Table 10 MSR4000 SPU specifications

Item

USB port

VPM slot

SPU-100

2

2

-

SPU-200&SPU-300

Combo

SFP+ port

Applicable router model

4

0

MSR4060/MSR4080

1

Applicable MPU MPU-100

Table 11 MSR2004-24 AC power module specifications

Item Specification

Rated input voltage range 100 VAC to 240 VAC @ 50 Hz or 60 Hz

Rated power 150 W

Table 12 MSR2004-48 DC power module specifications

Item Specification

Rated input voltage range –48 VDC to –60 VDC

Rated power 150 W

Table 13 MSR3044/MSR3064/MSR4060/MSR4080 AC power module specifications

Item Specification

Model PSR300-12A1

Rated input voltage range 100 VAC to 240 VAC @ 50 Hz or 60 Hz

Max power 300 W

Table 14 MSR3044/MSR3064/MSR4060/MSR4080 DC power module specifications

Item Specification

Model PSR300-12D2

Rated input voltage range –48 VDC to –60 VDC

Max power 300 W

Table 15 MSR3044/MSR3064/MSR4060/MSR4080 PoE power module specifications

Item Specification

Model PSR750-A

Rated input voltage range 100 VAC to 240 VAC @ 50 Hz or 60 Hz

Max power 750 W

Table 16 MSR series router module list

Module Description

SIC

Ethernet interface modules:

4-port 10/100 Mbps Ethernet L2 switching module (RJ45) (SIC-4FSW)

1-port 10/100 Mbps Ethernet electrical SIC interface module (RJ45) (SIC-1FEA)

1-port 100 Mbps Ethernet electrical SIC interface module (SIC-1FEF)

4-port 10/100 Mbps Ethernet L2 switching module-PoE card (SIC-4FSW-POE)

1-port 10/100/1000BASE-T (RJ45) and 100BASE-FX/1000BASE-X (SFP, Combo) Ethernet SIC module (RT-SIC-1GEC-V2 (JG738A))

4-port 10/100/1000BASE-T Ethernet L2 switching electrical SIC interface module (RT-SIC-4GSW (JG739A))

4-port 10/100/1000BASE-T Ethernet L2 switching electrical SIC interface module-PoE (RT-SIC-4GSWP (JG740A))

4-port 100BASE-FX/1000BASE-X (SFP) Ethernet L2/L3 SIC module (RT-SIC-4GSWF)

WAN interface modules:

1-port enhanced synchronous/asynchronous serial SIC interface module (SIC-1SAE)

1-port fractional E1 SIC interface module (SIC-1E1-F-V3)

1-port E1/CE1/PRI SIC interface module (SIC-1EPRI)

1-port analog modem SIC interface module (SIC-1AM)

8-port asynchronous serial interface card (SIC-8AS)

16-port asynchronous serial interface card (SIC-16AS)

1-port ISDN BRI S/T interface card (SIC-1BS)

2-port fractional E1 interface module (SIC-2E1-F)

3G access module (RT-SIC-3G-HSPA)

CDMA 2000 1x RTT/1x EV-DO Rev.0/1x EV-DO Rev.A 3G access module (RT-SIC-3G-CDMA)

1-port ADSL over POTS SIC interface module (SIC-1ADSL)

1-port E1/CE1/PRI SIC interface module (SIC-1EPRI-V3)

4G LTE Verizon SIC module (RT-SIC-4G-LTE-V (JG742A))

4G LTE AT&T SIC module (SIC-4G-LTE-A (JG743A))

4G LTE Global SIC module (RT-SIC-4G-LTE-G (JG744A))

2-port enhanced synchronous/asynchronous serial SIC interface module (RT-SIC-2SAE (JG736A))

4-port enhanced synchronous/asynchronous serial SIC interface module (RT-SIC-4SAE (JG737A))

HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B)

HPE MSR 4G LTE SIC Mod for ATT (JG743B)

HPE MSR 4GLTE SIC Mod for Global (JG744B)

HPE MSR HSPA+/WCDMA SIC Module (JG929A)

Voice interface modules:

1-port voice module subscriber circuit SIC interface module (SIC-1FXS)

2-port voice module subscriber circuit SIC interface module (SIC-2FXS)

1-port voice module FXO SIC interface module (SIC-1FXO)

2-port voice module FXO SIC interface module (SIC-2FXO)

1-channel E1 voice SIC interface module (SIC-1VE1)

1-channel T1 voice SIC interface module (SIC-1VT1)

1-port ISDN BRI S/T voice interface card (SIC-1BSV)

2-port ISDN BRI S/T voice interface card (SIC-2BSV)

2-port voice subscriber circuit & 1-port voice AT0 analog trunk interface card (SIC-2FXS1FXO)

1-port E1 / T1 Voice SIC Module (JH240A)

DSIC

9-port 10/100 Mbps Ethernet L2 switching module (RJ45) (DSIC-9FSW)

4-port voice subscriber circuit & 1-port voice AT0 analog trunk interface card (DSIC-4FXS1FXO)

9-port 10/100 Mbps Ethernet L2 switching module-PoE card (DSIC-9FSW-POE)

1-port 8-wire G.SHDSL (RJ45) DSIC Module

HMIM

Ethernet interface modules:

2-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-2GEE)

4-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-4GEE)

8-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-8GEE)

2-port 1000BASE-X HMIM Module (HMIM-2GEF)

4-port 1000BASE-X HMIM Module (HMIM-4GEF)

8-port 1000BASE-X HMIM Module (HMIM-8GEF)

24-port Gig-T Switch HMIM Module (HMIM-24GSW)

24-port Gig-T PoE Switch HMIM Module (HMIM-24GSW-POE)

8-port 10/100/1000BASE-T (RJ45) + 2-port 100BASE-FX/1000BASE-X (SFP, Combo) Ethernet L2 switching HMIM module (RT-HMIM-8GSW (JG741A))

8-port 100BASE-FX/1000BASE-X / 4-port 1000BASE-T (Combo) L2/L3 HMIM Module (JH238A)

WAN interface modules:

2 port CE1/PRI interface module (HMIM-2E1)

4 port CE1/PRI interface module (HMIM-4E1)

8 port CE1/PRI interface module (HMIM-8E1)

4-port fractional E1 interface module (HMIM-4E1-F)

8-port fractional E1 interface module (HMIM-8E1-F)

2 port CT1/PRI interface module (HMIM-2T1)

8 port CT1/PRI interface module (HMIM-8T1)

4-port fractional T1 interface module (HMIM-4T1-F)

8-port fractional T1 interface module (HMIM-8T1-F)

1-port T3/CT3 compatible interface module (HMIM-1CT3)

1-port T3/CT3 compatible interface module (HMIM-1CE3)

2 channel enhanced synchronous/asynchronous interface module (HMIM-2SAE)

4 channel enhanced synchronous/asynchronous interface module (HMIM-4SAE)

8 channel enhanced synchronous/asynchronous interface module (HMIM-8SAE)

8 port asynchronous serial interface panel (RJ45) (HMIM-8ASE)

16 port asynchronous serial interface panel (RJ45) (HMIM-16ASE)

1-port OC-3 / STM-1 CPOS HMIM Module (HMIM-1CPOS)

2-port OC-3 / STM-1 CPOS HMIM Module (HMIM-2CPOS)

1-port OC-3c / STM-1c ATM SFP HMIM Module (HMIM-ATMOC3)

8-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH169A)

4-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH170A)

2-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH171A)

8-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH172A)

4-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH173A)

2-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH174A)

Voice interface modules:

16-port voice module subscriber circuit interface board(HMIM-16FXS)

1 channel E1 voice HMIM interface module (HMIM-1VE1)

2 channel E1 voice HMIM interface module (HMIM-2VE1)

1 channel T1 voice HMIM interface module (HMIM-1VT1)

2 channel T1 voice HMIM interface module (HMIM-2VT1)

4-port voice module subscriber circuit interface board (HMIM-4FXS)

4-port voice module FXO interface module (HMIM-4FXO)

4 channel voice processing board E&M trunk interface module (HMIM-4EM)

VPM

128-channel voice processing module (RT-VPM2-128)

256-channel voice processing module (RT-VPM2-256)

512-channel voice processing module (RT-VPM2-512)

HMIM Adapter

0.5U MIM to HMIM adapter (HMIM Adapter)

1U MIM to HMIM adapter (HMIM Adapter-H)

MIM (requires the HMIM Adapter to be configured)

Ethernet interface modules:

1-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-1FE)

2-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-2FE)

4-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-4FE)

1-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-1GBE)

2-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-2GBE)

1-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-1GEF)

2-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-2GEF)

WAN interface modules:

2 channel enhanced synchronous/asynchronous interface module (MIM-2SAE)

4 channel enhanced synchronous/asynchronous interface module (MIM-4SAE)

8 channel enhanced synchronous/asynchronous interface module (MIM-8SAE)

8 port asynchronous serial interface panel (RJ45) (MIM-8ASE)

16 port asynchronous serial interface panel (RJ45) (MIM-16ASE)

1 port CE1/PRI interface module (MIM-1E1)

2 port CE1/PRI interface module (MIM-2E1)

4 port CE1/PRI interface module (MIM-4E1)

8 port E1 interface module (75ohm) (MIM-8E1 (75))

1-port fractional E1 interface module (MIM-1E1-F)

2-port fractional E1 interface module (MIM-2E1-F)

4-port fractional E1 interface module (MIM-4E1-F)

8 port E1 interface module (75ohm) (MIM-8E1 (75)-F)

2 port CT1/PRI interface module (MIM-2T1)

8 port T1 interface module (MIM-8T1)

2-port fractional T1 interface module (MIM-2T1-F)

4-port fractional T1 interface module (MIM-4T1-F)

8-port fractional T1 interface module (MIM-8T1-F)

1-port T3/CT3 compatible interface module (MIM-1CT3-V2)

1-port E3/CE3 compatible interface module (MIM-1CE3-V2)

1-port SDH/SONET interface module (MIM-1POS-V2)

1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W)

HPE MSR OAP MIM Module with VMware vSphere (JG532A)

Voice interface modules:

1 channel E1 voice MIM interface module (MIM-1VE1)

1 channel T1 voice MIM interface module (MIM-1VT1)

2 channel E1 voice MIM interface module (MIM-2VE1)

2 channel T1 voice MIM interface module (MIM-2VT1)

4-port voice module subscriber circuit interface board (MIM-4FXS)

2-port voice module FXO interface module (MIM-2FXO)

4-port voice module FXO interface module (MIM-4FXO)

8-port voice module FXS-FXO interface module (MIM-8FXS-8FXO)

4 channel voice processing board E&M trunk interface module (MIM-4EM)


4-port ISDN BRI S/T voice interface card (MIM-4BSV)

16-port voice module subscriber circuit interface board (MIM-16FXS)

Table 17 Sierra Modem Module and Host/card compatibility matrix

HPE description                        Product code   Module name
HPE MSR 4G LTE SIC Mod for Verizon     JG742A         Sierra-MC7750
HPE MSR 4G LTE SIC Mod for ATT         JG743A         Sierra-MC7700
HPE MSR 4G LTE SIC Mod for Global      JG744A         Sierra-MC7710

CAUTION:

For the support and restrictions of modules, see "Appendix Purchase Guide" in the HPE FlexNetwork MSR Routers Interface Configuration Guide (V7).

Software features

Table 18 MSR Series routers software features

Each row lists a category and its features.

LAN protocol: ARP (proxy ARP, gratuitous ARP, authorized ARP); Ethernet_II; Ethernet_SNAP; VLAN (port-based VLAN, MAC-based VLAN, VLAN-based port isolation, voice VLAN); 802.3x; LACP (802.3ad); 802.1p; 802.1Q; 802.1x; QinQ; RSTP (802.1w); MSTP (802.1s); GVRP; port multicast suppression; EVI

WAN protocols: PPP; PPPoE client; DCC, Dialer Watch; ISDN; Modem; 3G modem; FR

IP services: Fast forwarding (unicast/multicast); TCP; UDP; IP options; IP unnumbered; Policy routing (unicast/multicast); NetStream; Ping and Trace

Non-IP services:

IP application: DHCP server; DHCP client; DNS client; DNS static; NQA; IP accounting; NTP; Telnet; TFTP client; FTP client; FTP server

IP route: Static routing management; Dynamic routing protocols: RIP, OSPF, BGP, IS-IS; Multicast routing protocols: IGMP, PIM-DM, PIM-SM, MBGP, MSDP; Routing policy

MPLS: LDP; LSPM; MPLS TE; MPLS FW; MPLS/BGP VPN; VPLS

IPv6: IPv6 basic functions; IPv6 ND; IPv6 PMTU; IPv6 FIB; IPv6 ACL; IPv6 transition technologies: NAT-PT, IPv6 tunneling, 6PE, 6VPE; IPv6 routing: IPv6 static routing management; Multicast routing protocols: MLD, PIM-DM, PIM-SM, PIM-SSM

AAA: Local authentication; RADIUS; HWTACACS; LDAP

Firewall: ASPF; ACL; FILTER

Security: Port security; IPsec; Portal; L2TP; NAT/NAPT; PKI; RSA; SSH v1.5/2.0; URPF; GRE

Reliability: VRRP; Backup center; BFD; IRF

L2 QoS: LR; Flow-based QoS policy; Port-based mirroring; Packet remarking; Priority mapping; Port trust mode; Port priority; Flow filter; Flow control

Traffic supervision: ACL; CAR (Committed Access Rate); LR (Line Rate)

Congestion management: FIFO, PQ, CQ, WFQ, CBQ, RTPQ

Congestion avoidance: WRED/RED

Traffic shaping: GTS (Generic Traffic Shaping)

Other QoS technologies: MPLS QoS; IPHC; Sub-interface QoS

Voice interfaces: FXS; FXO; E&M; E1VI/T1VI; BSV

Voice signaling: R2; DSS1; SIP

SIP: SIP operation

Codec: G.711 A-law; G.711 u-law; G.723R53; G.723R63; G.729a; G.729R8; G.729bR8

Media process: RTP

Network management: SNMP v1/v2c/v3; MIB; Syslog; RMON; NETCONF

Local management: Command line management; License management; File system management; Auto-configure; Dual image

User access management: Console interface login; AUX interface login; TTY interface login; Telnet (VTY) login; SSH login; FTP login; XMODEM

Appendix B Upgrading software

This section describes how to upgrade system software while the router is operating normally or when the router cannot correctly start up.

Software types

The following software types are available:

Boot ROM image—A .bin file that comprises a basic section and an extended section. The basic section is the minimum code that bootstraps the system. The extended section enables hardware initialization and provides system management menus. You can use these menus to load application software and the startup configuration file or manage files when the device cannot correctly start up.

Comware image—Includes the following image subcategories:

Boot image—A .bin file that contains the Linux operating system kernel. It provides process management, memory management, file system management, and the emergency shell.

System image—A .bin file that contains the minimum feature modules required for device operation and some basic features, including device management, interface management, configuration management, and routing. To have advanced features, you must purchase feature packages.

Feature package—Includes a set of advanced software features. Users purchase feature packages as needed.

Patch packages—Irregularly released packages for fixing bugs without rebooting the device. A patch package does not add new features or functions.

Comware software images that have been loaded are called "current software images."

Comware images specified to load at the next startup are called "startup software images."

Boot ROM image, boot image, and system image are required for the system to work. These images might be released separately or as a whole in one .ipe package file. If an .ipe file is used, the system automatically decompresses the file, loads the .bin boot and system images, and sets them as startup software images.

Upgrade methods

You can upgrade system software by using one of the following methods:

Upgrade method                                  Remarks
Centralized devices upgrading from the CLI      You must reboot the router to complete the upgrade. This method can interrupt ongoing network services.
Distributed devices upgrading from the CLI      You must reboot the router to complete the upgrade. This method can interrupt ongoing network services.
Distributed devices ISSU                        This method upgrades the router with the least amount of downtime.
Managing files from the BootWare menu           Use this method when the router cannot correctly start up.


Preparing for the upgrade

Before you upgrade system software, complete the following tasks:

Set up the upgrade environment as shown in Figure 1.

Configure routes to make sure that the router and the file server can reach each other.

Run a TFTP or FTP server on the file server.

Log in to the CLI of the router through the console port.

Copy the upgrade file to the file server and correctly set the working directory on the TFTP or FTP server.

Make sure the upgrade has minimal impact on the network services. During the upgrade, the router cannot provide any services.

TFTP and FTP carry the image (and, for FTP, the login credentials) in cleartext with no integrity protection. Keep the file server on an isolated management network, and compare the size and checksum of the downloaded file with the values published for the download, where HPE provides them, before you specify the file as the startup image.

IMPORTANT:

In the BootWare menu, if you choose to download files over Ethernet, the Ethernet port must be GE0 on an MSR2003, MSR2004-24, MSR2004-48, MSR3012, MSR3024, MSR3044, and MSR3064 router, and must be M-GE0 on an MSR4060 and MSR4080 router.

Table 19 Storage media

Model        Storage medium   Path       Router type
MSR2003      Flash            flash:/    Centralized device
MSR2004-24   Flash            flash:/    Centralized device
MSR2004-48   Flash            flash:/    Centralized device
MSR3012      CF card          cfa0:/     Centralized device
MSR3024      CF card          cfa0:/     Centralized device
MSR3044      CF card          cfa0:/     Centralized device
MSR3064      CF card          cfa0:/     Centralized device
MSR4060      CF card          cfa0:/     Distributed device
MSR4080      CF card          cfa0:/     Distributed device

Figure 1 Set up the upgrade environment

Centralized devices upgrading from the CLI

You can use the TFTP or FTP commands on the router to access the TFTP or FTP server to back up or download files.

Saving the running configuration and verifying the storage space

1. Save the running configuration.

<HPE>save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

Validating file. Please wait...

Configuration is saved to device successfully.

<HPE>

2. Identify the system software image and configuration file names and verify that the flash has sufficient space for the new system software image.

<HPE>dir

Directory of flash:

0 drw- - Aug 15 2012 12:03:13 diagfile

1 -rw- 84 Aug 15 2012 12:17:59 ifindex.dat

2 drw- - Aug 15 2012 12:03:14 license

3 drw- - Aug 15 2012 12:03:13 logfile

4 -rw- 11418624 Dec 15 2011 09:00:00 msr2000-cmw710-boot-a0005.bin

5 -rw- 1006592 Dec 15 2011 09:00:00 msr2000-cmw710-data-a0005.bin

6 -rw- 10240 Dec 15 2011 09:00:00 msr2000-cmw710-security-a0005.bin

7 -rw- 24067072 Dec 15 2011 09:00:00 msr2000-cmw710-system-a0005.bin

8 -rw- 1180672 Dec 15 2011 09:00:00 msr2000-cmw710-voice-a0005.bin

9 drw- - Aug 15 2012 12:03:13 seclog

10 -rw- 1632 Aug 15 2012 12:18:00 startup.cfg

11 -rw- 25992 Aug 15 2012 12:18:00 startup.mdb

262144 KB total (223992 KB free)

<HPE>

Downloading the image file to the router

Using TFTP

Download the system software image file, for example, msr2000.ipe to the flash on the router.

<HPE>tftp 192.168.1.100 get msr2000.ipe

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

100 35.9M 100 35.9M 0 0 559k 0 0:01:05 0:01:05 --:--:-- 546k

<HPE>


Using FTP

1. From FTP client view, download the system software image file (for example, msr2000.ipe) to the flash on the router.

[ftp]get msr2000.ipe

msr2000.ipe already exists. Overwrite it? [Y/N]:y

227 Entering passive mode (192,168,1,100,5,20)

125 Using existing data connection

226 Closing data connection; File transfer successful.

37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)

[ftp]

2. Return to user view.

[ftp]quit

221 Service closing control connection

<HPE>

Specifying the startup image file

1. Specify the msr2000.ipe file as the main startup image file for the next reboot.

<HPE>boot-loader file flash:/msr2000.ipe main

Images in IPE:

msr2000-cmw710-boot-a0005.bin

msr2000-cmw710-system-a0005.bin

msr2000-cmw710-security-a0005.bin

msr2000-cmw710-voice-a0005.bin

msr2000-cmw710-data-a0005.bin

This command will set the main startup software images. Continue? [Y/N]:y

Add images to the device.

Successfully copied flash:/msr2000-cmw710-boot-a0005.bin to flash:/msr2000-cmw710-boot-a0005.bin.

Successfully copied flash:/msr2000-cmw710-system-a0005.bin to flash:/msr2000-cmw710-system-a0005.bin.

Successfully copied flash:/msr2000-cmw710-security-a0005.bin to flash:/msr2000-cmw710-security-a0005.bin.

Successfully copied flash:/msr2000-cmw710-voice-a0005.bin to flash:/msr2000-cmw710-voice-a0005.bin.

Successfully copied flash:/msr2000-cmw710-data-a0005.bin to flash:/msr2000-cmw710-data-a0005.bin.

The images that have passed all examinations will be used as the main startup software images at the next reboot on the device.

<HPE>

2. Verify that the new images are set as the main startup images.

<HPE> display boot-loader

Software images on the device:

Current software images:

flash:/msr2000-cmw710-boot-a0004.bin

flash:/msr2000-cmw710-system-a0004.bin

flash:/msr2000-cmw710-security-a0004.bin

flash:/msr2000-cmw710-voice-a0004.bin

flash:/msr2000-cmw710-data-a0004.bin

Main startup software images:

flash:/msr2000-cmw710-boot-a0005.bin

flash:/msr2000-cmw710-system-a0005.bin

flash:/msr2000-cmw710-security-a0005.bin

flash:/msr2000-cmw710-voice-a0005.bin

flash:/msr2000-cmw710-data-a0005.bin

Backup startup software images:

None

<HPE>

Rebooting and completing the upgrade

1. Reboot the router.

<HPE>reboot

Start to check configuration with next startup configuration file, please wait.........DONE!

This command will reboot the device. Continue? [Y/N]:y

Now rebooting, please wait...

<HPE>

System is starting...

2. After the reboot is complete, verify that the system software image is correct.

<HPE> display version

HPE Comware Software, Version 7.1.042, Release 000702

Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.

HPE MSR2003 uptime is 0 weeks, 0 days, 13 hours, 23 minutes Last reboot reason : User reboot

Boot image: flash:/msr2000-cmw710-boot-a0005.bin

Boot image version: 7.1.040, Alpha 0005

System image: flash:/msr2000-cmw710-system-a0005.bin

System image version: 7.1.040, Alpha 0005

CPU ID: 0x1

1G bytes DDR3 SDRAM Memory

2M bytes Flash Memory

PCB Version: 3.0

CPLD Version: 1.0

Basic BootWare Version: 1.04

Extended BootWare Version: 1.04

[SLOT 0]AUX (Hardware)3.0 (Driver)1.0, (Cpld)1.0

[SLOT 0]GE0/0 (Hardware)3.0 (Driver)1.0, (Cpld)1.0

[SLOT 0]GE0/1 (Hardware)3.0 (Driver)1.0, (Cpld)1.0


[SLOT 0]CELLULAR0/0 (Hardware)3.0 (Driver)1.0, (Cpld)1.0

<HPE>

Distributed devices upgrading from the CLI

You can use the TFTP or FTP commands on the router to access the TFTP or FTP server to back up or download files.

Displaying the slot number of the active MPU

Perform the display device command in any view to display the slot number of the active MPU. By default, the standby MPU automatically synchronizes the image files from the active MPU.

<HPE>display device

Slot No. Board Type Status Primary SubSlots

-----------------------------------------------------------------------------

0 MPU-100 Normal Master 0

1 MPU-100 Normal Standby 0

2 SPU-100 Normal N/A 10

<HPE>

Saving the current configuration and verifying the storage space

1. Perform the save command in any view to save the current configuration.

<HPE>save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[cfa0:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

Validating file. Please wait...

Configuration is saved to device successfully.

<HPE>

2. Perform the dir command in user view to identify the system software image and configuration file names and verify that the CF card has sufficient space for the new system software image.

<HPE>dir

Directory of cfa0:

0 drw- - Jan 07 2013 14:02:12 diagfile

1 -rw- 307 Jan 22 2013 17:02:02 ifindex.dat

2 drw- - Jan 07 2013 14:02:12 license

3 drw- - Jan 22 2013 13:42:00 logfile

4 -rw- 21412864 Jan 22 2013 16:49:00 MSR4000-cmw710-boot-r0005p01.bin

5 -rw- 1123328 Jan 22 2013 16:50:30 MSR4000-cmw710-data-r0005p01.bin

6 -rw- 11264 Jan 22 2013 16:50:26 MSR4000-cmw710-security-r0005p01.bin

7 -rw- 45056000 Jan 22 2013 16:49:34 MSR4000-cmw710-system-r0005p01.bin

8 -rw- 2746368 Jan 22 2013 16:50:26 MSR4000-cmw710-voice-r0005p01.bin

9 drw- - Jan 07 2013 14:02:12 seclog

10 -rw- 2166 Jan 22 2013 17:02:02 startup.cfg

11 -rw- 34425 Jan 22 2013 17:02:02 startup.mdb

507492 KB total (438688 KB free)


<HPE>

Download the image file to the router

Using TFTP

Perform the tftp get command in user view to download the system software image file, for example, msr4000.ipe to the CF card on the router.

<HPE>tftp 192.168.1.100 get msr4000.ipe

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

45 67.0M 45 30.4M 0 0 792k 0 0:01:26 0:00:39 0:00:47 844k

100 67.0M 100 67.0M 0 0 772k 0 0:01:28 0:01:28 --:--:-- 745k

<HPE>

Using FTP

1. Perform the get command in FTP client view to download the system software image file msr4000.ipe to the CF card on the router.

[ftp]get msr4000.ipe

msr4000.ipe already exists. Overwrite it? [Y/N]:y

227 Entering passive mode (192,168,1,100,5,20)

125 Using existing data connection

226 Closing data connection; File transfer successful.

37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)

[ftp]

2. Perform the quit command in FTP client view to return to user view.

[ftp]quit

221 Service closing control connection

<HPE>

Copy the image file to CF card root directory of the standby MPU

<HPE> copy msr4000.ipe slot1#cfa0:/

Copy cfa0:/msr4000.ipe to slot1#cfa0:/msr4000.ipe?[Y/N]:y

Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done.

Specifying the startup image file

1. Perform the boot-loader command in user view to specify the msr4000.ipe file as the main startup image file for the active MPU in slot 0 at the next reboot.

<HPE>boot-loader file cfa0:/msr4000.ipe slot 0 main

Images in IPE:

msr4000-cmw710-boot-a0005.bin

msr4000-cmw710-system-a0005.bin

msr4000-cmw710-security-a0005.bin

msr4000-cmw710-voice-a0005.bin

msr4000-cmw710-data-a0005.bin

This command will set the main startup software images. Continue? [Y/N]:y

Add images to slot 0.

Successfully copied cfa0:/msr4000-cmw710-boot-a0005.bin to cfa0:/msr4000-cmw710-boot-a0005.bin.

Successfully copied cfa0:/msr4000-cmw710-system-a0005.bin to cfa0:/msr4000-cmw710-system-a0005.bin.

Successfully copied cfa0:/msr4000-cmw710-security-a0005.bin to cfa0:/msr4000-cmw710-security-a0005.bin.

Successfully copied cfa0:/msr4000-cmw710-voice-a0005.bin to cfa0:/msr4000-cmw710-voice-a0005.bin.

Successfully copied cfa0:/msr4000-cmw710-data-a0005.bin to cfa0:/msr4000-cmw710-data-a0005.bin.

The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 0.

<HPE>

2. Perform the boot-loader command in user view to specify the msr4000.ipe file as the main startup image file for the standby MPU in slot 1 at the next reboot.

<HPE>boot-loader file cfa0:/msr4000.ipe slot 1 main

Images in IPE:

msr4000-cmw710-boot-a0005.bin

msr4000-cmw710-system-a0005.bin

msr4000-cmw710-security-a0005.bin

msr4000-cmw710-voice-a0005.bin

msr4000-cmw710-data-a0005.bin

This command will set the main startup software images. Continue? [Y/N]:y

Add images to slot 1.

Successfully copied cfa0:/msr4000-cmw710-boot-a0005.bin to slot1#cfa0:/msr4000-cmw710-boot-a0005.bin.

Successfully copied cfa0:/msr4000-cmw710-system-a0005.bin to slot1#cfa0:/msr4000-cmw710-system-a0005.bin.

Successfully copied cfa0:/msr4000-cmw710-security-a0005.bin to slot1#cfa0:/msr4000-cmw710-security-a0005.bin.

Successfully copied cfa0:/msr4000-cmw710-voice-a0005.bin to slot1#cfa0:/msr4000-cmw710-voice-a0005.bin.

Successfully copied cfa0:/msr4000-cmw710-data-a0005.bin to slot1#cfa0:/msr4000-cmw710-data-a0005.bin.

The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 1.

<HPE>

3. Perform the display boot-loader command in user view to verify that the new images are set as the main startup images on both MPUs. Check both slots: a boot-loader command that names the wrong slot leaves one MPU on the old images, and the two MPUs then boot different software after the reboot.

<HPE> display boot-loader

Software images on slot 0:

Current software images:

cfa0:/MSR4000-cmw710-boot-r0005p01.bin

cfa0:/MSR4000-cmw710-system-r0005p01.bin

cfa0:/MSR4000-cmw710-security-r0005p01.bin

cfa0:/MSR4000-cmw710-voice-r0005p01.bin

cfa0:/MSR4000-cmw710-data-r0005p01.bin

Main startup software images:

cfa0:/MSR4000-cmw710-boot-a0005.bin

cfa0:/MSR4000-cmw710-system-a0005.bin

cfa0:/MSR4000-cmw710-security-a0005.bin

cfa0:/MSR4000-cmw710-voice-a0005.bin

cfa0:/MSR4000-cmw710-data-a0005.bin

Backup startup software images:

None

Software images on slot 1:

Current software images:

cfa0:/MSR4000-cmw710-boot-r0005p01.bin

cfa0:/MSR4000-cmw710-system-r0005p01.bin

cfa0:/MSR4000-cmw710-security-r0005p01.bin

cfa0:/MSR4000-cmw710-voice-r0005p01.bin

cfa0:/MSR4000-cmw710-data-r0005p01.bin

Main startup software images:

cfa0:/MSR4000-cmw710-boot-a0005.bin

cfa0:/MSR4000-cmw710-system-a0005.bin

cfa0:/MSR4000-cmw710-security-a0005.bin

cfa0:/MSR4000-cmw710-voice-a0005.bin

cfa0:/MSR4000-cmw710-data-a0005.bin

Backup startup software images:

None

Rebooting and completing the upgrade

1. Perform the reboot command in user view to reboot the router.

<HPE>reboot

Start to check configuration with next startup configuration file, please wait.........DONE!

This command will reboot the device. Continue? [Y/N]:y

Now rebooting, please wait...

<HPE>

System is starting...

2. After the reboot is complete, perform the display version command to verify that the system software image is correct.

<HPE> display version

HPE Comware Software, Version 7.1.042, Release 000702

Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.

HPE MSR4060 uptime is 0 weeks, 0 days, 11 hours, 49 minutes

Last reboot reason : Power on

Boot image: cfa0:/MSR4000-cmw710-boot-a0005.bin

Boot image version: 7.1.040, Alpha 0005

System image: cfa0:/MSR4000-cmw710-system-a0005.bin

System image version: 7.1.040, Alpha 0005

Feature image(s) list:

cfa0:/MSR4000-cmw710-security-a0005.bin, version: 7.1.040

cfa0:/MSR4000-cmw710-voice-a0005.bin, version: 7.1.040

cfa0:/MSR4000-cmw710-data-a0005.bin, version: 7.1.040

Slot 0: MPU-100 uptime is 0 week, 0 day, 1 hour, 20 minutes

Last reboot reason : Power on

CPU ID: 0x3


2G bytes DDR3 SDRAM Memory

8M bytes Flash Memory

PCB Version: 2.0

CPLD Version: 1.0

Basic BootWare Version: 1.04

Extended BootWare Version: 1.04

[SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

Slot 1: MPU-100 uptime is 0 week, 0 day, 1 hour, 8 minutes

Last reboot reason : User reboot

CPU ID: 0x3

2G bytes DDR3 SDRAM Memory

8M bytes Flash Memory

PCB Version: 2.0

CPLD Version: 1.0

Basic BootWare Version: 1.05

Extended BootWare Version: 1.05

[SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

Slot 2: SPU-100 uptime is 0 week, 0 day, 1 hour, 19 minutes

Last reboot reason : Power on

CPU ID: 0x5

2G bytes DDR3 SDRAM Memory

8M bytes Flash Memory

PCB Version: 2.0

CPLD Version: 1.0

Basic BootWare Version: 1.02

Extended BootWare Version: 1.02

[SUBSLOT 0]GE2/0/0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]GE2/0/1 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]GE2/0/2 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]GE2/0/3 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]CELLULAR2/0/0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 0]CELLULAR2/0/1 (Hardware)2.0 (Driver)1.0, (Cpld)1.0

[SUBSLOT 1]HMIM-4SAE (Hardware)3.0 (Driver)1.0, (Cpld)4.0
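The display version output above is the post-reboot check, and it carries more than the image names: every slot reports its own board type and BootWare versions, and in the page's own sample the MPU-100 in slot 0 reports BootWare 1.04 while the one in slot 1 reports 1.05. The following Python is an added example, not code from the release notes or from HPE: it parses display version output into chassis-level fields and per-slot records, then flags boards of the same type that disagree on BootWare version and checks that the boot and system images come from the same build. The sample text is the page's MSR4060 output, trimmed to the lines the parser reads; the function and field names are mine.

```python
"""Parse Comware 'display version' output per slot and flag BootWare skew.
Added example; not code from the release notes."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed from the page's MSR4060 'display version' sample, trimmed to the
# lines this parser uses.
DISPLAY_VERSION = """\
HPE Comware Software, Version 7.1.042, Release 000702
HPE MSR4060 uptime is 0 weeks, 0 days, 11 hours, 49 minutes
Boot image: cfa0:/MSR4000-cmw710-boot-a0005.bin
Boot image version: 7.1.040, Alpha 0005
System image: cfa0:/MSR4000-cmw710-system-a0005.bin
System image version: 7.1.040, Alpha 0005
Slot 0: MPU-100 uptime is 0 week, 0 day, 1 hour, 20 minutes
Last reboot reason : Power on
Basic BootWare Version: 1.04
Extended BootWare Version: 1.04
Slot 1: MPU-100 uptime is 0 week, 0 day, 1 hour, 8 minutes
Last reboot reason : User reboot
Basic BootWare Version: 1.05
Extended BootWare Version: 1.05
Slot 2: SPU-100 uptime is 0 week, 0 day, 1 hour, 19 minutes
Last reboot reason : Power on
Basic BootWare Version: 1.02
Extended BootWare Version: 1.02
"""


class SlotInfo(NamedTuple):
    board: str
    basic_bootware: str
    extended_bootware: str
    last_reboot_reason: str


RELEASE_RE = re.compile(r"^HPE Comware Software, Version (\S+), Release (\S+)$")
MODEL_RE = re.compile(r"^HPE (MSR\S+) uptime is ")
SLOT_RE = re.compile(r"^Slot (\d+): (\S+) uptime is ")
# Longer keys first so "Boot image version" is not matched as "Boot image".
KV_RE = re.compile(r"^(Basic BootWare Version|Extended BootWare Version|"
                   r"Last reboot reason|Boot image version|System image version|"
                   r"Boot image|System image)\s*:\s*(.+?)\s*$")


def parse_display_version(text: str) -> Tuple[Dict[str, str], Dict[int, SlotInfo]]:
    """Return (chassis fields, slot -> SlotInfo). Lines before the first
    'Slot N:' header describe the chassis; later ones belong to that slot."""
    chassis: Dict[str, str] = {}
    raw_slots: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RELEASE_RE.match(line)
        if m:
            chassis["version"], chassis["release"] = m.group(1), m.group(2)
            continue
        m = MODEL_RE.match(line)
        if m:
            chassis["model"] = m.group(1)
            continue
        m = SLOT_RE.match(line)
        if m:
            current = int(m.group(1))
            raw_slots[current] = {"board": m.group(2)}
            continue
        m = KV_RE.match(line)
        if m:
            target = chassis if current is None else raw_slots[current]
            target[m.group(1)] = m.group(2)
    slots = {
        n: SlotInfo(d["board"], d.get("Basic BootWare Version", "?"),
                    d.get("Extended BootWare Version", "?"),
                    d.get("Last reboot reason", "?"))
        for n, d in raw_slots.items()
    }
    return chassis, slots


def bootware_skew(slots: Dict[int, SlotInfo]) -> List[Tuple[str, Dict[int, str]]]:
    """Board types whose slots report different Basic BootWare versions. The
    page's own sample has MPU-100 at 1.04 in slot 0 and 1.05 in slot 1."""
    by_board: Dict[str, Dict[int, str]] = {}
    for n, info in slots.items():
        by_board.setdefault(info.board, {})[n] = info.basic_bootware
    return [(board, vers) for board, vers in sorted(by_board.items())
            if len(set(vers.values())) > 1]


def images_from_same_build(chassis: Dict[str, str]) -> bool:
    """Boot and system image versions must match (page: both 7.1.040, Alpha 0005)."""
    return chassis.get("Boot image version") == chassis.get("System image version")


if __name__ == "__main__":
    chassis, slots = parse_display_version(DISPLAY_VERSION)
    print(chassis["model"], chassis["release"], bootware_skew(slots))
```

The parser only keys on line prefixes that appear in the page's output, so a field it does not know is ignored rather than mis-filed; the centralized MSR2003 output, which has no Slot headers, lands entirely in the chassis dictionary.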

Distributed devices ISSU

The In-Service Software Upgrade (ISSU) function enables software upgrade with the least amount of downtime.

To implement ISSU on a distributed device, use these guidelines:

Make sure the device has two MPUs.

Upgrade the standby MPU first so that it forms a new forwarding plane and a new control plane.

Upgrade the active MPU after the standby MPU operates correctly. Before the active MPU reboots, the standby MPU synchronizes data and configuration from the active MPU and takes over the forwarding and control functions.

Disabling the standby MPU auto-update function

When you upgrade the active MPU of a dual-MPU distributed device, the standby MPU auto-update function automatically upgrades the standby MPU by default. To use ISSU, you must disable the function.

To disable the standby MPU auto-update function:

1. View the roles of the MPUs.

<HPE>display device

Slot No. Board Type Status Primary SubSlots

-----------------------------------------------------------------------------

0 MPU-100 Normal Master 0

1 MPU-100 Normal Standby 0

2 SPU-100 Normal N/A 10

<HPE>

The output shows that the MPU in slot 0 is the active MPU and the MPU in slot 1 is the standby MPU.

2. Disable the standby MPU auto-update function.

<HPE>system-view

[Sysname]version check ignore

[Sysname]undo version auto-update enable

The version check ignore command also stops the device from rejecting a standby MPU whose software differs from the active MPU, which is exactly the state the ISSU procedure passes through while only one MPU has been rebooted. Leave both settings changed only for the duration of the upgrade, and restore the defaults afterwards (undo version check ignore, version auto-update enable) so that the two MPUs are kept on the same images again.

Saving the running configuration and verifying the storage space

1. Save the running configuration.

<HPE>save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[cfa0:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

Validating file. Please wait...

Configuration is saved to device successfully.

<HPE>

2. Check the storage space.

<HPE>dir

Directory of cfa0:

0 drw- - Jan 07 2014 14:02:12 diagfile

1 -rw- 307 Jan 22 2014 17:02:02 ifindex.dat

2 drw- - Jan 07 2014 14:02:12 license

3 drw- - Jan 22 2014 13:42:00 logfile

4 -rw- 20050944 Jan 10 2014 09:06:48 msr4000-cmw710-boot-e010204.bin

5 -rw- 2001920 Jan 10 2014 09:08:28 msr4000-cmw710-data-e010204.bin

6 -rw- 11264 Jan 10 2014 09:08:18 msr4000-cmw710-security-e010204.bin

7 -rw- 61538304 Jan 10 2014 09:07:36 msr4000-cmw710-system-e010204.bin

8 -rw- 3232768 Jan 10 2014 09:08:22 msr4000-cmw710-voice-e010204.bin

9 drw- - Jan 07 2014 14:02:12 seclog


10 -rw- 2166 Jan 22 2014 17:02:02 startup.cfg

11 -rw- 34425 Jan 22 2014 17:02:02 startup.mdb

507492 KB total (438688 KB free)

<HPE>

The output shows the CF card has 438688 KB of free storage space. If the CF card of your device is not sufficient for the upgrade image, delete unused files.
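Both the centralized and the distributed procedures in this appendix start with dir to confirm free space before the download, and the paragraph above says to delete unused files when the card is too small. The following Python is an added example, not code from the release notes or from HPE. It parses a Comware dir listing (the page's MSR2003 flash listing is embedded as constructed input), estimates the space needed for the .ipe file plus the .bin images that boot-loader file extracts beside it, reports any shortfall in KB, and lists the image files that could be deleted once the running and next-boot image names from display boot-loader are excluded. The extraction factor, the function names and the choice of .bin and .ipe files as deletion candidates are my assumptions.

```python
"""Pre-upgrade storage check on Comware 'dir' output.
Added example; not code from the release notes."""
import math
import re
from typing import List, NamedTuple, Set


class DirEntry(NamedTuple):
    name: str
    size: int       # bytes; 0 for directories (listed as '-')
    is_dir: bool


class DirListing(NamedTuple):
    entries: List[DirEntry]
    total_kb: int
    free_kb: int


# Constructed from the page's MSR2003 'dir' sample (flash:).
DIR_FLASH = """\
Directory of flash:
0 drw- - Aug 15 2012 12:03:13 diagfile
1 -rw- 84 Aug 15 2012 12:17:59 ifindex.dat
2 drw- - Aug 15 2012 12:03:14 license
3 drw- - Aug 15 2012 12:03:13 logfile
4 -rw- 11418624 Dec 15 2011 09:00:00 msr2000-cmw710-boot-a0005.bin
5 -rw- 1006592 Dec 15 2011 09:00:00 msr2000-cmw710-data-a0005.bin
6 -rw- 10240 Dec 15 2011 09:00:00 msr2000-cmw710-security-a0005.bin
7 -rw- 24067072 Dec 15 2011 09:00:00 msr2000-cmw710-system-a0005.bin
8 -rw- 1180672 Dec 15 2011 09:00:00 msr2000-cmw710-voice-a0005.bin
9 drw- - Aug 15 2012 12:03:13 seclog
10 -rw- 1632 Aug 15 2012 12:18:00 startup.cfg
11 -rw- 25992 Aug 15 2012 12:18:00 startup.mdb
262144 KB total (223992 KB free)
"""

# Size of msr2000.ipe as reported by the page's FTP transfer (bytes).
IPE_BYTES = 37691392

# One 'dir' entry: index, attributes, size or '-', date, time, name.
ENTRY_RE = re.compile(
    r"^\s*\d+\s+([d-])rw-\s+(\d+|-)\s+"
    r"[A-Za-z]{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"^\s*(\d+) KB total \((\d+) KB free\)\s*$")


def parse_dir(text: str) -> DirListing:
    """Parse the entry lines and the trailing 'KB total (... KB free)' summary."""
    entries: List[DirEntry] = []
    total = free = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size = 0 if m.group(2) == "-" else int(m.group(2))
            entries.append(DirEntry(m.group(3), size, m.group(1) == "d"))
            continue
        m = TOTAL_RE.match(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
    if total is None or free is None:
        raise ValueError("no 'KB total (... KB free)' summary line in dir output")
    return DirListing(entries, total, free)


def kb_required(ipe_bytes: int, extract_factor: float = 1.0) -> int:
    """KB needed for the .ipe plus the .bin images extracted from it.

    extract_factor is an assumption: the page's msr2000 IPE (37691392 bytes)
    extracts to five .bin files totalling 37683200 bytes, so the extracted
    images take about as much space again as the IPE itself.
    """
    return math.ceil(ipe_bytes * (1 + extract_factor) / 1024)


def shortfall_kb(listing: DirListing, ipe_bytes: int, extract_factor: float = 1.0) -> int:
    """0 when the image fits; otherwise the number of KB that must be freed first."""
    return max(0, kb_required(ipe_bytes, extract_factor) - listing.free_kb)


def removable_images(listing: DirListing, protected: Set[str]) -> List[str]:
    """Image files (.bin/.ipe) not in the protected set.

    Pass the current and startup image names from 'display boot-loader' as
    protected so the running and next-boot images are never offered.
    """
    return sorted(e.name for e in listing.entries
                  if not e.is_dir
                  and e.name.endswith((".bin", ".ipe"))
                  and e.name not in protected)


if __name__ == "__main__":
    listing = parse_dir(DIR_FLASH)
    print(f"free: {listing.free_kb} KB, required: {kb_required(IPE_BYTES)} KB, "
          f"shortfall: {shortfall_kb(listing, IPE_BYTES)} KB")
```

With the page's numbers the 35.9 MB IPE needs about 73616 KB including its extracted images, well inside the 223992 KB free on the sample flash; run the same check against the CF card listing on an MSR4000 before copying the file to the standby MPU as well, since that card must hold a second copy.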

Downloading the upgrade image file to the router

Using TFTP

Download the upgrade image file (for example, msr4000.ipe) to the CF card on the router.

<HPE>tftp 192.168.1.100 get msr4000.ipe

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

45 67.0M 45 30.4M 0 0 792k 0 0:01:26 0:00:39 0:00:47 844k

100 67.0M 100 67.0M 0 0 772k 0 0:01:28 0:01:28 --:--:-- 745k

<HPE>

Using FTP

1. From FTP client view, download the upgrade image file (for example, msr4000.ipe) to the CF card on the router.

[ftp]get msr4000.ipe

msr4000.ipe already exists. Overwrite it? [Y/N]:y

227 Entering passive mode (192,168,1,100,5,20)

125 Using existing data connection

226 Closing data connection; File transfer successful.

37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)

[ftp]

2. Return to user view.

[ftp]quit

221 Service closing control connection

<HPE>

Copying the image file to the root directory of the CF card on the standby MPU

<HPE> copy msr4000.ipe slot1#cfa0:/

Copy cfa0:/msr4000.ipe to slot1#cfa0:/msr4000.ipe?[Y/N]:y

Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done.

Upgrading the standby MPU

1. Specify the msr4000.ipe file as the main startup image file for the standby MPU.

<HPE>boot-loader file msr4000.ipe slot 1 main

Verifying the IPE file and the images......Done.

HPE MSR4060 images in IPE:

msr4000-cmw710-boot-e010305.bin

msr4000-cmw710-system-e010305.bin

msr4000-cmw710-security-e010305.bin


msr4000-cmw710-voice-e010305.bin

msr4000-cmw710-data-e010305.bin

This command will set the main startup software images. Continue? [Y/N]:y

Add images to slot 1.

Decompressing file msr4000-cmw710-boot-e010305.bin to slot1#cfa0:/msr4000-cmw710-boo t-e010305.bin...............Done.

Decompressing file msr4000-cmw710-system-e010305.bin to slot1#cfa0:/msr4000-cmw710-s ystem-e010305.bin...............................................Done.

Decompressing file msr4000-cmw710-security-e010305.bin to slot1#cfa0:/msr4000-cmw710

-security-e010305.bin...Done.

Decompressing file msr4000-cmw710-voice-e010305.bin to slot1#cfa0:/msr4000-cmw710-vo ice-e010305.bin....Done.

Decompressing file msr4000-cmw710-data-e010305.bin to slot1#cfa0:/msr4000-cmw710-dat a-e010305.bin...Done.

The images that have passed all examinations will be used as the main startup so ftware images at the next reboot on slot 1.

2. Reboot the standby MPU.

<HPE>reboot slot 1

This command will reboot the specified slot, Continue? [Y/N]:y

Now rebooting, please wait...

3. After the standby MPU starts up, verify the startup image files.

<HPE>display boot-loader

Software images on slot 0:

Current software images:

cfa0:/msr4000-cmw710-boot-e010204.bin

cfa0:/msr4000-cmw710-system-e010204.bin

cfa0:/msr4000-cmw710-security-e010204.bin

cfa0:/msr4000-cmw710-voice-e010204.bin

cfa0:/msr4000-cmw710-data-e010204.bin

Main startup software images:

cfa0:/msr4000-cmw710-boot-e010204.bin

cfa0:/msr4000-cmw710-system-e010204.bin

cfa0:/msr4000-cmw710-security-e010204.bin

cfa0:/msr4000-cmw710-voice-e010204.bin

cfa0:/msr4000-cmw710-data-e010204.bin

Backup startup software images:

cfa0:/msr4000-cmw710-boot-e010203.bin

cfa0:/msr4000-cmw710-system-e010203.bin

cfa0:/msr4000-cmw710-security-e010203.bin

cfa0:/msr4000-cmw710-voice-e010203.bin

cfa0:/msr4000-cmw710-data-e010203.bin

Software images on slot 1:

Current software images:

cfa0:/msr4000-cmw710-boot-e010305.bin


cfa0:/msr4000-cmw710-system-e010305.bin

cfa0:/msr4000-cmw710-security-e010305.bin

cfa0:/msr4000-cmw710-voice-e010305.bin

cfa0:/msr4000-cmw710-data-e010305.bin

Main startup software images:

cfa0:/msr4000-cmw710-boot-e010305.bin

cfa0:/msr4000-cmw710-system-e010305.bin

cfa0:/msr4000-cmw710-security-e010305.bin

cfa0:/msr4000-cmw710-voice-e010305.bin

cfa0:/msr4000-cmw710-data-e010305.bin

Backup startup software images:

cfa0:/msr4000-cmw710-boot-e010203.bin

cfa0:/msr4000-cmw710-system-e010203.bin

cfa0:/msr4000-cmw710-security-e010203.bin

cfa0:/msr4000-cmw710-voice-e010203.bin

cfa0:/msr4000-cmw710-data-e010203.bin

The output shows that the standby MPU is running the new images.

Upgrading the active MPU

1. Specify the msr4000.ipe file as the main startup image file for the active MPU.

<HPE>boot-loader file msr4000.ipe slot 0 main

Verifying the IPE file and the images......Done.

HPE MSR4060 images in IPE:

msr4000-cmw710-boot-e010305.bin

msr4000-cmw710-system-e010305.bin

msr4000-cmw710-security-e010305.bin

msr4000-cmw710-voice-e010305.bin

msr4000-cmw710-data-e010305.bin

This command will set the main startup software images. Continue? [Y/N]:y

Add images to slot 0.

Decompressing file msr4000-cmw710-boot-e010305.bin to cfa0:/msr4000-cmw710-boot-e010

305.bin...............Done.

Decompressing file msr4000-cmw710-system-e010305.bin to cfa0:/msr4000-cmw710-system- e010305.bin..............................................Done.

Decompressing file msr4000-cmw710-security-e010305.bin to cfa0:/msr4000-cmw710-secur ity-e010305.bin...Done.

Decompressing file msr4000-cmw710-voice-e010305.bin to cfa0:/msr4000-cmw710-voice-e0

10305.bin....Done.

Decompressing file msr4000-cmw710-data-e010305.bin to cfa0:/msr4000-cmw710-data-e010

305.bin...Done.

The images that have passed all examinations will be used as the main startup so ftware images at the next reboot on slot 0.

2. Reboot the active MPU.

<HPE>reboot slot 0

This command will reboot the specified slot, Continue? [Y/N]:y

Now rebooting, please wait...

The standby MPU takes over the forwarding and controlling functions before the active MPU reboots.

3. After the active MPU starts up, verify the startup image files.

<HPE>display boot-loader

Software images on slot 0:

Current software images:

cfa0:/msr4000-cmw710-boot-e010305.bin

cfa0:/msr4000-cmw710-system-e010305.bin

cfa0:/msr4000-cmw710-security-e010305.bin

cfa0:/msr4000-cmw710-voice-e010305.bin

cfa0:/msr4000-cmw710-data-e010305.bin

Main startup software images:

cfa0:/msr4000-cmw710-boot-e010305.bin

cfa0:/msr4000-cmw710-system-e010305.bin

cfa0:/msr4000-cmw710-security-e010305.bin

cfa0:/msr4000-cmw710-voice-e010305.bin

cfa0:/msr4000-cmw710-data-e010305.bin

Backup startup software images:

cfa0:/msr4000-cmw710-boot-e010203.bin

cfa0:/msr4000-cmw710-system-e010203.bin

cfa0:/msr4000-cmw710-security-e010203.bin

cfa0:/msr4000-cmw710-voice-e010203.bin

cfa0:/msr4000-cmw710-data-e010203.bin

Software images on slot 1:

Current software images:

cfa0:/msr4000-cmw710-boot-e010305.bin

cfa0:/msr4000-cmw710-system-e010305.bin

cfa0:/msr4000-cmw710-security-e010305.bin

cfa0:/msr4000-cmw710-voice-e010305.bin

cfa0:/msr4000-cmw710-data-e010305.bin

Main startup software images:

cfa0:/msr4000-cmw710-boot-e010305.bin

cfa0:/msr4000-cmw710-system-e010305.bin

cfa0:/msr4000-cmw710-security-e010305.bin

cfa0:/msr4000-cmw710-voice-e010305.bin

cfa0:/msr4000-cmw710-data-e010305.bin

Backup startup software images:

cfa0:/msr4000-cmw710-boot-e010203.bin

cfa0:/msr4000-cmw710-system-e010203.bin

cfa0:/msr4000-cmw710-security-e010203.bin

cfa0:/msr4000-cmw710-voice-e010203.bin

cfa0:/msr4000-cmw710-data-e010203.bin

Perform the display boot-loader command in user view to verify that the file has been loaded.

<HPE> display boot-loader

Software images on slot 0:

Current software images:

cfa0:/MSR4000-cmw710-boot-r0005p01.bin

cfa0:/MSR4000-cmw710-system-r0005p01.bin

cfa0:/MSR4000-cmw710-security-r0005p01.bin

cfa0:/MSR4000-cmw710-voice-r0005p01.bin

cfa0:/MSR4000-cmw710-data-r0005p01.bin

Main startup software images:

cfa0:/MSR4000-cmw710-boot-a0005.bin

cfa0:/MSR4000-cmw710-system-a0005.bin

cfa0:/MSR4000-cmw710-security-a0005.bin

cfa0:/MSR4000-cmw710-voice-a0005.bin

cfa0:/MSR4000-cmw710-data-a0005.bin

Backup startup software images:

None

Software images on slot 1:

Current software images:

cfa0:/MSR4000-cmw710-boot-r0005p01.bin

cfa0:/MSR4000-cmw710-system-r0005p01.bin

cfa0:/MSR4000-cmw710-security-r0005p01.bin

cfa0:/MSR4000-cmw710-voice-r0005p01.bin

cfa0:/MSR4000-cmw710-data-r0005p01.bin

Main startup software images:

cfa0:/MSR4000-cmw710-boot-r0005p01.bin

cfa0:/MSR4000-cmw710-system-r0005p01.bin

cfa0:/MSR4000-cmw710-security-r0005p01.bin

cfa0:/MSR4000-cmw710-voice-r0005p01.bin

cfa0:/MSR4000-cmw710-data-r0005p01.bin

Backup startup software images:

None
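A consistency check over this output, added here as an example and not part of the HPE document: it parses display boot-loader output (constructed from the second listing above) and flags any slot whose running images differ from its main startup images, slots with no backup startup images, and MPU slots running different versions. The image-name pattern <platform>-cmw710-<type>-<version>.bin is taken from the listings.

```python
"""Audit `display boot-loader` output from a Comware 7 MSR router.

Per slot, the images currently running should be the ones set as the main
startup images (otherwise the next reboot silently changes the software), and
every MPU slot should run the same image set (otherwise a switchover does).
"""
import re
from typing import Dict, List

# Constructed from the second listing above: slot 0 runs the r0005p01 images
# but has the a0005 images set as its main startup images, and no backup set.
SAMPLE_OUTPUT = """\
Software images on slot 0:
Current software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-a0005.bin
cfa0:/MSR4000-cmw710-system-a0005.bin
Backup startup software images:
None
Software images on slot 1:
Current software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
Backup startup software images:
None
"""

SLOT_RE = re.compile(r"^Software images on slot (\d+):$")
SECTIONS = {
    "Current software images:": "current",
    "Main startup software images:": "main",
    "Backup startup software images:": "backup",
}
# Image file names follow <platform>-cmw710-<type>-<version>.bin, as in the text.
IMAGE_RE = re.compile(
    r"^(?:\w+:/)?[^-/]+-cmw710-(?P<type>[a-z]+)-(?P<version>[^.]+)\.bin$", re.I
)


def parse_boot_loader(text: str) -> Dict[int, Dict[str, List[str]]]:
    """Return {slot: {"current": [...], "main": [...], "backup": [...]}}."""
    slots: Dict[int, Dict[str, List[str]]] = {}
    slot, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            slots[slot] = {"current": [], "main": [], "backup": []}
            section = None
        elif line in SECTIONS:
            section = SECTIONS[line]
        elif line and line != "None" and slot is not None and section is not None:
            slots[slot][section].append(line)
    return slots


def image_versions(images: List[str]) -> Dict[str, str]:
    """Map each image type (boot, system, security, ...) to its version token."""
    versions: Dict[str, str] = {}
    for name in images:
        m = IMAGE_RE.match(name)
        if m:
            versions[m["type"].lower()] = m["version"].lower()
    return versions


def audit(text: str) -> List[str]:
    """Return findings; an empty list means the startup state is consistent."""
    slots = parse_boot_loader(text)
    findings: List[str] = []
    running: Dict[int, Dict[str, str]] = {}
    for slot, imgs in sorted(slots.items()):
        cur, main = image_versions(imgs["current"]), image_versions(imgs["main"])
        running[slot] = cur
        for typ in sorted(set(cur) | set(main)):
            if cur.get(typ) != main.get(typ):
                findings.append(
                    f"slot {slot}: {typ} image running {cur.get(typ)} "
                    f"but main startup is {main.get(typ)}"
                )
        if not imgs["backup"]:
            findings.append(f"slot {slot}: no backup startup images configured")
    # Redundant MPUs should run identical image sets.
    if len({tuple(sorted(v.items())) for v in running.values()}) > 1:
        findings.append("MPU slots are running different image versions")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT) or ["startup state is consistent"]:
        print(finding)
```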

Upgrading from the BootWare menu

You can use the following methods to upgrade software from the BootWare menu:

Using TFTP/FTP to upgrade software through an Ethernet port

Using XMODEM to upgrade software through the console port

Accessing the BootWare menu

1. Power on the router (for example, an HPE MSR 2003 router), and you can see the following information:

System is starting...

Press Ctrl+D to access BASIC-BOOTWARE MENU...

Booting Normal Extended BootWare

The Extended BootWare is self-decompressing....Done.

****************************************************************************

* *

* HPE MSR2003 BootWare, Version 1.20 *

* *

****************************************************************************

Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.

Compiled Date : Jun 22 2013

CPU ID : 0x1

Memory Type : DDR3 SDRAM

Memory Size : 1024MB

Flash Size : 2MB

Nand Flash size : 256MB

CPLD Version : 2.0

PCB Version : 3.0

BootWare Validating...

Press Ctrl+B to access EXTENDED-BOOTWARE MENU...

2. Press Ctrl + B to access the BootWare menu.

Password recovery capability is enabled.

Note: The current operating device is flash

Enter < Storage Device Operation > to select device.

===========================<EXTEND-BOOTWARE MENU>===========================

|<1> Boot System |

|<2> Enter Serial SubMenu |

|<3> Enter Ethernet SubMenu |

|<4> File Control |

|<5> Restore to Factory Default Configuration |

|<6> Skip Current System Configuration |

|<7> BootWare Operation Menu |

|<8> Skip authentication for console login |

|<9> Storage Device Operation |

|<0> Reboot |

============================================================================

Ctrl+Z: Access EXTENDED ASSISTANT MENU

Ctrl+F: Format File System

Enter your choice(0-9):

Table 20 BootWare menu options

<1> Boot System: Boot the system software image.

<2> Enter Serial SubMenu: Access the Serial submenu (see Table 23) for upgrading system software through the console port or changing the serial port settings.

<3> Enter Ethernet SubMenu: Access the Ethernet submenu (see Table 21) for upgrading system software through an Ethernet port or changing Ethernet settings.

<4> File Control: Access the File Control submenu (see Table 24) to retrieve and manage the files stored on the router.

<5> Restore to Factory Default Configuration: Delete the next-startup configuration files and load the factory-default configuration.

<6> Skip Current System Configuration: Start the router with the factory default configuration. This is a one-time operation and does not take effect at the next reboot. You use this option when you forget the console login password.

<7> BootWare Operation Menu: Access the BootWare Operation menu for backing up, restoring, or upgrading BootWare. When you upgrade the system software image, BootWare is automatically upgraded. HPE does not recommend upgrading BootWare separately. This document does not cover using the BootWare Operation menu.

<8> Skip authentication for console login: Clear all the authentication schemes on the console port.

<9> Storage Device Operation: Access the Storage Device Operation menu to manage storage devices. Using this option is beyond this chapter.

<0> Reboot: Restart the router.

Using TFTP/FTP to upgrade software through an Ethernet port

1. Enter 3 in the BootWare menu to access the Ethernet submenu.

===============================<File CONTROL>===============================

|Note:the operating device is flash |

|<1> Download Image Program To SDRAM And Run |

|<2> Update Main Image File |

|<3> Update Backup Image File |

|<4> Download Files(*.*) |

|<5> Modify Ethernet Parameter |

|<0> Exit To Main Menu |

============================================================================

Enter your choice(0-4):

Table 21 Ethernet submenu options

<1> Download Application Program To SDRAM And Run: Download a system software image to the SDRAM and run the image.

<2> Update Main Image File: Upgrade the main system software image.

<3> Update Backup Image File: Upgrade the backup system software image.

<4> Download Files(*.*): Download a system software image to the Flash or CF card.

<5> Modify Ethernet Parameter: Modify network settings.

<0> Exit To Main Menu: Return to the BootWare menu.

2. Enter 5 to configure the network settings.

=========================<ETHERNET PARAMETER SET>=========================

|Note: '.' = Clear field. |

| '-' = Go to previous field. |

| Ctrl+D = Quit. |

==========================================================================

Protocol (FTP or TFTP) :ftp

Load File Name :msr2000.ipe

Target File Name :msr2000.ipe

Server IP Address :192.168.1.1

Local IP Address :192.168.1.100

Subnet Mask :255.255.255.0

Gateway IP Address :0.0.0.0

FTP User Name :user001

FTP User Password :********

Table 22 Network parameter fields and shortcut keys

'.' = Clear field: Press a dot (.) and then Enter to clear the setting for a field.

'-' = Go to previous field: Press a hyphen (-) and then Enter to return to the previous field.

Ctrl+D = Quit: Press Ctrl + D to exit the Ethernet Parameter Set menu.

Protocol (FTP or TFTP): Set the file transfer protocol to FTP or TFTP.

Load File Name: Set the name of the file to be downloaded.

Target File Name: Set a file name for saving the file on the router. By default, the target file name is the same as the source file name.

Server IP Address: Set the IP address of the FTP or TFTP server. If a mask must be set, use a colon (:) to separate the mask length from the IP address. For example, 192.168.80.10:24.

Local IP Address: Set the IP address of the router.

Subnet Mask: Subnet mask of the local IP address.

Gateway IP Address: Set a gateway IP address if the router is on a different network than the server.

FTP User Name: Set the username for accessing the FTP server. This username must be the same as configured on the FTP server. This field is not available for TFTP.

FTP User Password: Set the password for accessing the FTP server. This password must be the same as configured on the FTP server. This field is not available for TFTP.

3. Select an option in the Ethernet submenu to upgrade a system software image. For example, enter 2 to upgrade the main system software image.

Loading.....................................................................

............................................................................

............................................................................

.........................................Done.

37691392 bytes downloaded!

The file is exist,will you overwrite it? [Y/N]Y

Image file msr2000-cmw710-boot-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-boot-a0005.bin ...................................Done.

Image file msr2000-cmw710-system-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-system-a0005.bin ...........................

.........................................Done.

Image file msr2000-cmw710-security-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-security-a0005.bin Done.

Image file msr2000-cmw710-voice-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-voice-a0005.bin ......Done.

Image file msr2000-cmw710-data-a0005.bin is self-decompressing...

Saving file flash:/msr2000-cmw710-data-a0005.bin ..Done.

==========================<Enter Ethernet SubMenu>==========================

|Note:the operating device is flash |

|<1> Download Image Program To SDRAM And Run |

|<2> Update Main Image File |

|<3> Update Backup Image File |

|<4> Download Files(*.*) |

|<5> Modify Ethernet Parameter |

|<0> Exit To Main Menu |

|<Ensure The Parameter Be Modified Before Downloading!> |

============================================================================

Enter your choice(0-4):

4. Enter 0 to return to the BootWare menu.

===========================<EXTEND-BOOTWARE MENU>===========================

|<1> Boot System |

|<2> Enter Serial SubMenu |

|<3> Enter Ethernet SubMenu |

|<4> File Control |

|<5> Modify BootWare Password |

|<6> Skip Current System Configuration |

|<7> BootWare Operation Menu |

|<8> Skip authentication for console login |

|<9> Storage Device Operation |

|<0> Reboot |

============================================================================

Enter your choice(0-9):

5. Enter 1 to boot the system.

Loading the main image files...

Loading file flash:/msr2000-cmw710-system-a0005.bin..........................

Done.

Loading file flash:/msr2000-cmw710-boot-a0005.bin..............Done.

Image file flash:/msr2000-cmw710-boot-a0005.bin is self-decompressing.........

.....Done.

System image is starting...

Line aux0 is available.

Press ENTER to get started.

Using XMODEM to upgrade software through the console port

1. Enter 2 in the BootWare menu to access the Serial submenu.

===========================<Enter Serial SubMenu>===========================

|Note:the operating device is flash |

|<1> Download Image Program To SDRAM And Run |

|<2> Update Main Image File |

|<3> Update Backup Image File |

|<4> Download Files(*.*) |

|<5> Modify Serial Interface Parameter |

|<0> Exit To Main Menu |

============================================================================

Enter your choice(0-4):

Table 23 Serial submenu options

<1> Download Application Program To SDRAM And Run: Download an application to SDRAM through the serial port and run the program.

<2> Update Main Image File: Upgrade the main system software image.

<3> Update Backup Image File: Upgrade the backup system software image.

<4> Download Files(*.*): Download a system software image to the Flash or CF card.

<5> Modify Serial Interface Parameter: Modify serial port parameters.

<0> Exit To Main Menu: Return to the BootWare menu.

2. Select an appropriate baud rate for the console port. For example, enter 5 to select 115200 bps.

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate |

| Change The HyperTerminal's Baudrate Accordingly |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default)* |

|<2> 19200 |

|<3> 38400 |

|<4> 57600 |

|<5> 115200 |

|<0> Exit |

============================================================================

Enter your choice(0-5):

The following messages appear:

Baudrate has been changed to 115200 bps.

Please change the terminal's baudrate to 115200 bps, press ENTER when ready.

NOTE:

Typically the size of a .bin file is over 10 MB. Even at 115200 bps, the download takes about 30 minutes.

3. Select Call > Disconnect in the HyperTerminal window to disconnect the terminal from the router.

Figure 2 Disconnect the terminal connection

NOTE:

If the baud rate of the console port is 9600 bps, jump to step 9.

4. Select File > Properties, and in the Properties dialog box, click Configure.

Figure 3 Properties dialog box

5. Select 115200 from the Bits per second list and click OK.

Figure 4 Modify the baud rate

6. Select Call > Call to reestablish the connection.

Figure 5 Reestablish the connection

7. Press Enter.

The following menu appears:

The current baudrate is 115200 bps

===============================<BAUDRATE SET>===============================

|Note:'*'indicates the current baudrate |

| Change The HyperTerminal's Baudrate Accordingly |

|---------------------------<Baudrate Available>---------------------------|

|<1> 9600(Default) |

|<2> 19200 |

|<3> 38400 |

|<4> 57600 |

|<5> 115200* |

|<0> Exit |

============================================================================

Enter your choice(0-5):

8. Enter 0 to return to the Serial submenu.

===========================<Enter Serial SubMenu>===========================

|Note:the operating device is flash |

|<1> Download Image Program To SDRAM And Run |

|<2> Update Main Image File |

|<3> Update Backup Image File |

|<4> Download Files(*.*) |

|<5> Modify Serial Interface Parameter |

|<0> Exit To Main Menu |

============================================================================

Enter your choice(0-4):

9. Select an option from options 2 to 3 to upgrade a system software image. For example, enter 2 to upgrade the main system software image.

Please Start To Transfer File, Press <Ctrl+C> To Exit.

Waiting ...CCCCC

10. Select Transfer > Send File in the HyperTerminal window.

Figure 6 Transfer menu

11. In the dialog box that appears, click Browse to select the source file, and select Xmodem from the Protocol list.

Figure 7 File transmission dialog box

12. Click Send. The following dialog box appears:

Figure 8 File transfer progress

13. When the Serial submenu appears after the file transfer is complete, enter 0 at the prompt to return to the BootWare menu.

Download successfully!

37691392 bytes downloaded!

Input the File Name:main.bin

Updating File flash:/main.bin..............................................

.....................................................Done!

===========================<Enter Serial SubMenu>===========================

|Note:the operating device is flash |

|<1> Download Image Program To SDRAM And Run |

|<2> Update Main Image File |

|<3> Update Backup Image File |

|<4> Download Files(*.*) |

|<5> Modify Serial Interface Parameter |

|<0> Exit To Main Menu |

============================================================================

Enter your choice(0-4):

14. Enter 1 in the BootWare menu to boot the system.

15. If you are using a download rate other than 9600 bps, change the baud rate of the terminal to 9600 bps. If the baud rate has been set to 9600 bps, skip this step.

Managing files from the BootWare menu

To change the type of a system software image, retrieve files, or delete files, enter 4 in the BootWare menu.

The File Control submenu appears:

==============================<File CONTROL>==============================

|Note:the operating device is cfa0 |

|<1> Display All File(s) |

|<2> Set Image File type |

|<3> Set Bin File type |

|<4> Set Configuration File type |

|<5> Delete File |

|<6> Copy File |

|<0> Exit To Main Menu |

==========================================================================

Enter your choice(0-6):

Table 24 File Control submenu options

<1> Display All File(s): Display all files.

<2> Set Image File type: Change the type of a system software image (.ipe).

<3> Set Bin File type: Change the type of a system software image (.bin).

<4> Set Configuration File type: Change the type of a configuration file.

<5> Delete File: Delete files.

<6> Copy File: Copy a file.

<0> Exit To Main Menu: Return to the BootWare menu.

Displaying all files

To display all files, enter 1 in the File Control submenu:

Display all file(s) in flash:

'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED

============================================================================

|NO. Size(B) Time Type Name |

|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |

|2 25992 Aug/15/2012 12:18:00 N/A flash:/startup.mdb |

|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |

|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |

|5 11029 Aug/15/2012 13:31:16 N/A flash:/logfile/logfile1.log |

|6 17 Aug/16/2012 07:47:24 N/A flash:/.pathfile |

|7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|

|8 815 Aug/15/2012 12:03:14 N/A flash:/license/DeviceID.did |

|9 1180672 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-voice-a0005.bin|

|10 10240 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-security-a0005.bin|

|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|

|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|

============================================================================

Changing the type of a system software image

System software image file attributes include main (M) and backup (B). You can store only one main image and one backup image on the router. A system software image can have any combination of the M and B attributes. If the file attribute you are assigning has already been assigned to another image, the assignment removes the attribute from that image. That image is marked as N/A if it had only that attribute.

To change the type of a system software image:

1. Enter 2 in the File Control submenu.

'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED

============================================================================

|NO. Size(B) Time Type Name |

|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |

|0 Exit |

============================================================================

Enter file No:1

2. Enter the number of the file you are working with, and press Enter.

Modify the file attribute:

==========================================================================

|<1> +Main |

|<2> +Backup |

|<0> Exit |

==========================================================================

Enter your choice(0-2):

3. Enter a number in the range of 1 to 4 to add or delete a file attribute for the file.

Set the file attribute success!

Deleting files

When storage space is insufficient, you can delete obsolete files to free up storage space.

To delete files:

1. Enter 5 in the File Control submenu.

Deleting the file in cfa0:

'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED

Deleting the file in flash:

'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED

============================================================================

|NO. Size(B) Time Type Name |

|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |

|2 25992 Aug/15/2012 12:18:00 N/A flash:/startup.mdb |

|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |

|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |

|5 11029 Aug/15/2012 13:31:16 N/A flash:/logfile/logfile1.log |

|6 17 Aug/16/2012 07:47:24 N/A flash:/.pathfile |

|7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|

|8 815 Aug/15/2012 12:03:14 N/A flash:/license/DeviceID.did |

|9 1180672 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-voice-a0005.bin|

|10 10240 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-security-a0005.bin|

|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|

|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|

0 Exit

Enter file No.:

2. Enter the number of the file to delete.

3. When the following prompt appears, enter Y.

The file you selected is flash:/msr2000-cmw710-security-a0005.bin,Delete it? [Y/N]Y

Deleting...Done.

Handling software upgrade failures

If a software upgrade fails, the system runs the old software version. To handle a software upgrade failure:

1. Check the physical ports for a loose or incorrect connection.

2. If you are using the console port for file transfer, check the HyperTerminal settings (including the baud rate and data bits) for any wrong setting.

3. Check the file transfer settings:

If XMODEM is used, you must set the same baud rate for the terminal as for the console port.

If TFTP is used, you must enter the same server IP address, file name, and working directory as set on the TFTP server.

If FTP is used, you must enter the same FTP server IP address, source file name, working directory, and FTP username and password as set on the FTP server.

4. Check the FTP or TFTP server for any incorrect setting.

5. Check that the storage device has sufficient space for the upgrade file.

6. If the message "Something is wrong with the file" appears, check the file for corruption.

Appendix C Handling console login password loss

Disabling password recovery capability

Password recovery capability controls console user access to the device configuration and SDRAM from BootWare menus.

If password recovery capability is enabled, a console user can access the device configuration without authentication to configure new passwords.

If password recovery capability is disabled, console users must restore the factory-default configuration before they can configure new passwords. Restoring the factory-default configuration deletes the next-startup configuration files.

To enhance system security, disable password recovery capability.

Table 25 summarizes options whose availability varies with the password recovery capability setting.

Table 25 BootWare options and password recovery capability compatibility matrix

Download Image Program To SDRAM And Run
Password recovery enabled: Yes. Password recovery disabled: No.
Tasks that can be performed: Load and run Comware software images in SDRAM.

Skip Authentication for Console Login
Password recovery enabled: Yes. Password recovery disabled: No.
Tasks that can be performed: Enable console login without authentication.

Skip Current System Configuration
Password recovery enabled: Yes. Password recovery disabled: No.
Tasks that can be performed: Load the factory-default configuration without deleting the next-startup configuration files.

Restore to Factory Default Configuration
Password recovery enabled: No. Password recovery disabled: Yes.
Tasks that can be performed: Delete the next-startup configuration files and load the factory-default configuration.

To disable password recovery capability:

Step 1: Enter system view.
Command: system-view
Remarks: N/A

Step 2: Disable password recovery capability.
Command: undo password-recovery enable
Remarks: By default, password recovery capability is enabled. When password recovery capability is disabled, you cannot downgrade the device software to a version that does not support the capability through the BootWare menus. You can do so at the CLI, but the BootWare menu password configured becomes effective again.
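An added example, not HPE's code, of the check a configuration review would run for the two settings this appendix covers: whether password recovery capability has been disabled and which authentication mode each console or user line carries. The configuration is constructed, and the check assumes a disabled capability appears in the saved configuration as the undo password-recovery enable command given above.

```python
"""Audit a saved Comware 7 configuration for the console-access settings
discussed above: password recovery capability and user-line authentication.
"""
import re
from typing import Dict, List, Optional

# Constructed sample startup configuration (not from a real device). The
# ciphertext is a placeholder; the command keywords are the ones the text uses.
SAMPLE_CFG = """\
#
 sysname HPE
#
line aux 0
 authentication-mode password
 set authentication password cipher $CIPHERTEXT_PLACEHOLDER$
#
line vty 0 4
 authentication-mode none
#
return
"""

LINE_HEADER = re.compile(r"^line (?P<kind>aux|console|vty|tty) (?P<range>\d+(?: \d+)?)$")
# Assumption: when password recovery has been disabled, the saved configuration
# carries the command exactly as the text gives it.
DISABLE_RECOVERY = "undo password-recovery enable"


def parse_sections(cfg: str) -> List[List[str]]:
    """Split a Comware configuration into the '#'-delimited blocks it is made of."""
    sections: List[List[str]] = []
    current: List[str] = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_console_access(cfg: str) -> Dict[str, object]:
    """Report the password-recovery state, each line's authentication mode, and findings."""
    lines: Dict[str, Optional[str]] = {}
    findings: List[str] = []
    recovery_disabled = False
    for sec in parse_sections(cfg):
        if DISABLE_RECOVERY in sec:
            recovery_disabled = True
        m = LINE_HEADER.match(sec[0])
        if not m:
            continue
        name = f"{m['kind']} {m['range']}"
        mode = None
        for item in sec[1:]:
            if item.startswith("authentication-mode "):
                mode = item.split(None, 1)[1]
        lines[name] = mode
        if mode == "none":
            findings.append(f"line {name}: authentication disabled (authentication-mode none)")
        elif mode is None:
            findings.append(f"line {name}: authentication-mode not set explicitly; device default applies")
    if not recovery_disabled:
        # With recovery enabled, BootWare options 6 and 8 give a console user the
        # configuration without authentication; disabling it trades that for a
        # factory reset (loss of next-startup configuration) on password loss.
        findings.append("password recovery capability is enabled (default); "
                        "consider 'undo password-recovery enable'")
    return {
        "password_recovery_disabled": recovery_disabled,
        "lines": lines,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in audit_console_access(SAMPLE_CFG)["findings"]:
        print(finding)
```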

Handling console login password loss

CAUTION:

Handling console login password loss causes service outage.

The method for handling console login password loss depends on the password recovery capability setting (see Figure 9).

Figure 9 Handling console login password loss

Figure 9 is a flowchart: the console login password is lost; reboot the router to access the EXTENDED-BOOTWARE menu; if password recovery capability is enabled, use Skip Current System Configuration or Skip Authentication for Console Login, otherwise use Restore to Factory Default Configuration; then reboot the router, configure new passwords in system view, and save the running configuration.

Examining the password recovery capability setting

1. Reboot the router.

System is starting...

Press Ctrl+D to access BASIC-BOOTWARE MENU...

Press Ctrl+T to start heavy memory test

Booting Normal Extended BootWare........

The Extended BootWare is self-decompressing....Done.

****************************************************************************

* *

* HPE MSR3000 BootWare, Version 1.20 *

* *

****************************************************************************

Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.

Compiled Date : May 13 2013

CPU ID : 0x2

Memory Type : DDR3 SDRAM

Memory Size : 2048MB

BootWare Size : 1024KB

Flash Size : 8MB cfa0 Size : 247MB

CPLD Version : 2.0

PCB Version : 2.0

BootWare Validating...

Press Ctrl+B to access EXTENDED-BOOTWARE MENU...

2. Press Ctrl + B within three seconds after the "Press Ctrl+B to access EXTENDED-BOOTWARE MENU..." prompt message appears.

3. Read the password recovery capability setting information displayed before the EXTEND-BOOTWARE menu.

Password recovery capability is enabled.

Note: The current operating device is cfa0

Enter < Storage Device Operation > to select device.

===========================<EXTEND-BOOTWARE MENU>===========================

|<1> Boot System |

|<2> Enter Serial SubMenu |

|<3> Enter Ethernet SubMenu |

|<4> File Control |

|<5> Restore to Factory Default Configuration |

|<6> Skip Current System Configuration |

|<7> BootWare Operation Menu |

|<8> Skip Authentication for Console Login |

|<9> Storage Device Operation |

|<0> Reboot |

============================================================================

Ctrl+Z: Access EXTEND ASSISTANT MENU

Ctrl+F: Format File System

Enter your choice(0-9):

Using the Skip Current System Configuration option

1. Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 6.

The current mode is password recovery.

Note: The current operating device is cfa0

Enter < Storage Device Operation > to select device.

===========================<EXTEND-BOOTWARE MENU>===========================

|<1> Boot System |

|<2> Enter Serial SubMenu |

|<3> Enter Ethernet SubMenu |

|<4> File Control |

|<5> Restore to Factory Default Configuration |

|<6> Skip Current System Configuration |

|<7> BootWare Operation Menu |

|<8> Skip Authentication for Console Login |

|<9> Storage Device Operation |

|<0> Reboot |

============================================================================

Ctrl+Z: Access EXTEND ASSISTANT MENU

Ctrl+F: Format File System

Enter your choice(0-9): 6

After the configuration skipping flag is set successfully, the following message appears:

Flag Set Success.

2. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.

The router starts up with the factory-default configuration without deleting the next-startup configuration files.

3. To use the configuration in a next-startup configuration file, load the file in system view.

<HPE> system-view

[HPE] configuration replace file cfa0:/startup.cfg

Current configuration will be lost, save current configuration? [Y/N]:n

Info: Now replacing the current configuration. Please wait...

Info: Succeeded in replacing current configuration with the file startup.cfg.

4. Configure a new console login authentication mode and a new console login password.

In the following example, the console login authentication mode is password and the authentication password is 123456. For security purposes, the password is always saved in ciphertext, whether you specify the simple or cipher keyword for the set authentication password command.

<HPE> system-view

[HPE] line aux 0

[HPE-line-aux0] authentication-mode password

[HPE-line-aux0] set authentication password simple 123456

Use the line aux 0 command on MSR2000 or MSR3000 routers, where the console port and the AUX port are the same physical port.

Use the line console 0 command on MSR4000 routers, which have a separate console port.

5. To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file.

[HPE-line-aux0] save

Using the Skip Authentication for Console Login option

1. Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 8.

The current mode is password recovery.

Note: The current operating device is cfa0

Enter < Storage Device Operation > to select device.

===========================<EXTEND-BOOTWARE MENU>===========================

|<1> Boot System |

|<2> Enter Serial SubMenu |

|<3> Enter Ethernet SubMenu |

|<4> File Control |

|<5> Restore to Factory Default Configuration |

|<6> Skip Current System Configuration |

|<7> BootWare Operation Menu |

|<8> Skip Authentication for Console Login |

|<9> Storage Device Operation |

|<0> Reboot |

============================================================================

Ctrl+Z: Access EXTEND ASSISTANT MENU

Ctrl+F: Format File System

Enter your choice(0-9): 8

The router deletes the console login authentication configuration commands from the main next-startup configuration file. After the operation is completed, the following message appears:

Clear Image Password Success!

2. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.

The router starts up with the main next-startup configuration file.

3. Configure a console login authentication mode and a new console login password. See step 4, "Configure a new console login authentication mode and a new console login password," in "Using the Skip Current System Configuration option."

4. To make the setting take effect after a reboot, save the running configuration to the next-startup configuration file.

[HPE-line-aux0] save

Using the Restore to Factory Default Configuration option

CAUTION:

Using the Restore to Factory Default Configuration option deletes both the main and backup next-startup configuration files.

1. Reboot the router to access the EXTEND-BOOTWARE menu, and enter 5.

The current mode is no password recovery.

Note: The current operating device is cfa0

Enter < Storage Device Operation > to select device.

===========================<EXTEND-BOOTWARE MENU>===========================

|<1> Boot System |

|<2> Enter Serial SubMenu |

|<3> Enter Ethernet SubMenu |

|<4> File Control |

|<5> Restore to Factory Default Configuration |

|<6> Skip Current System Configuration |

|<7> BootWare Operation Menu |

|<8> Skip Authentication for Console Login |

|<9> Storage Device Operation |

|<0> Reboot |

============================================================================

Ctrl+Z: Access EXTEND ASSISTANT MENU

Ctrl+F: Format File System

Enter your choice(0-9): 5

2. At the prompt for confirmation, enter Y.

The router deletes its main and backup next-startup configuration files and restores the factory-default configuration.

The current mode is no password recovery. The configuration files will be deleted, and the system will start up with factory defaults, Are you sure to continue?[Y/N]Y

Setting...Done.

3.

When the EXTEND-BOOTWARE menu appears again, enter

1 to reboot the router.

The router starts up with the factory-default configuration.

4.

Configure a new console login authentication mode and a new console login password. See

"Configure a new console login authentication mode and a new console login password.Configure a new console login authentication mode and a new console login password.".

5.

To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file.

[HPE] save


HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P82 Software Feature Changes


Contents

Release 0306P82 ··········································································· 13

Release 0306P81 ··········································································· 13

Release 0306P80 ··········································································· 13

Release 0306P70 ··········································································· 13

Release 0306P52 ··········································································· 13

New feature: MAC address recording in TCP packets ···························· 14

Configuring MAC address recording in TCP packets ········································································· 14

Command reference ··················································································································· 14

New command: tcp mac-record enable ···················································································· 14

New command: tcp mac-record local ······················································································ 15

New feature: Configuring the leased line service for an ISDN BRI interface 16

Configuring the leased line service for an ISDN BRI interface ····························································· 16

Command reference ··················································································································· 16

New command: isdn leased-line ····························································································· 16

New feature: LLDP PVID inconsistency check ······································ 17

Disabling LLDP PVID inconsistency check ······················································································ 17

Command reference ··················································································································· 18

lldp ignore-pvid-inconsistency ································································································ 18

Modified feature: High encryption ······················································ 18

Feature change description ··································································································· 18

Modified feature: OSPF ··································································· 19

Feature change description ·········································································································· 19

Command reference ··················································································································· 19

Modified command: OSPF ···································································································· 19

Modified feature: Policy-based routing ················································ 19

Feature change description ·········································································································· 19

Command reference ··················································································································· 19

New command: apply remark-vpn ·························································································· 19

Modified feature: MIB objects ···························································· 20

Feature change description ·········································································································· 20

Modified feature: Setting ISP domain status ········································· 21

Feature change description ·········································································································· 21

Command changes ···················································································································· 21

Modified command: state ······································································································ 21

New command: state block time-range name ··········································································· 21

Modified feature: Excluding an attribute from portal protocol packets ········· 22

Excluding an attribute from portal protocol packets ··········································································· 22

Command reference ··················································································································· 23

New command: exclude-attribute ··························································································· 23

Modified command: display portal server ················································································· 24

Modified feature: NTP ····································································· 25

Feature change description ·········································································································· 25

Command changes ···················································································································· 25


Modified command: ntp-service authentication-keyid ·································································· 25

Modified command: sntp authentication-keyid ··········································································· 25

Modified feature: Transceiver modules················································ 26

Feature change description ·········································································································· 26

Modified feature: E1POS ································································· 26

Feature change description ·········································································································· 26

Release 0306P30 ··········································································· 26

New feature: SIP compatibility ·························································· 26

Configuring SIP compatibility ········································································································ 26

Command reference ··················································································································· 27

sip-compatible ···················································································································· 27

Modified feature: OSPF performance optimization ································· 28

Feature change description ·········································································································· 28

Command changes ···················································································································· 28

Modified command: spf-schedule-interval ················································································ 28

Modified command: transmit-pacing ························································································ 29

Modified feature: Telnet redirect ························································ 29

Feature change description ·········································································································· 29

Modified feature: POS terminal access ··············································· 29

Feature change description ·········································································································· 29

Command changes ···················································································································· 29

Modified command: posa auto-stop-service enable ···································································· 29

Modified feature: License ································································· 30

Feature change description ·········································································································· 30

Modified feature: IP performance optimization ······································ 30

Feature change description ·········································································································· 30

Command changes ···················································································································· 30

New command: tcp mac-record enable ···················································································· 30

New command: tcp mac-record local ······················································································ 31

Release 0306P12 ··········································································· 32

Modified feature: Configuring an SSH user ·········································· 32

Feature change description ·········································································································· 32

Modified feature: AAA ····································································· 32

Feature change description ·········································································································· 32

Command changes ···················································································································· 32

New command: authorization ike ···························································································· 32

Modified feature: Configuring a cellular interface for a 3G/4G modem ········ 33

Feature change description ·········································································································· 33

Command changes ···················································································································· 34

New command: rssi ············································································································· 34

Modified feature: VXLAN ································································· 35

Feature change description ·········································································································· 35

Command changes ···················································································································· 35

Modified feature: DHCP ··································································· 35

Feature change description ·········································································································· 35

Command changes ···················································································································· 35

New command: dhcp server reply-exclude-option60 ·································································· 35


Release 0306P11 ··········································································· 36

New feature: Voice VLAN ································································ 36

Configuring a voice VLAN ············································································································ 36

Configuring a port to operate in automatic voice VLAN assignment mode ······································ 36

Configuring a port to operate in manual voice VLAN assignment mode ········································· 37

Enabling LLDP for automatic IP phone discovery ······································································ 38

Configuring LLDP to advertise a voice VLAN ············································································ 39

Configuring CDP to advertise a voice VLAN ············································································· 39

Displaying and maintaining voice VLANs ················································································· 39

Command reference ··················································································································· 40

Modified feature: MPLS QoS support for matching the EXP field ·············· 40

Matching the EXP field in the second MPLS label ············································································ 40

Command reference ··················································································································· 40

New command: if-match second-mpls-exp ··············································································· 40

Modified feature: MPLS QoS support for marking the EXP field ················ 41

Marking the EXP field in the second MPLS label ·············································································· 41

Command reference ··················································································································· 41

New command: remark second-mpls-exp ················································································ 41

Modified feature: Automatic configuration ············································ 42

Feature change description ·········································································································· 42

Removed feature: Tinyproxy ····························································· 42

Feature change description ·········································································································· 42

Removed command ··················································································································· 42

http-proxy ·························································································································· 42

Release 0306P07 ··········································································· 43

New feature: L2TP-based EAD ························································· 43

Enabling L2TP-based EAD ·········································································································· 43

Command reference ··················································································································· 44

ppp access-control enable ···································································································· 44

display ppp access-control interface ······················································································· 44

New feature: CFD configuration························································· 45

Configuring CFD configuration ······································································································ 45

Command reference ··················································································································· 46

Modified feature: Support using dots in user profile name ······················· 46

Feature change description ·········································································································· 46

Command changes ···················································································································· 47

Modified command: user-profile ····························································································· 47

Modified feature: Default size of the TCP receive and send buffer ············ 47

Feature change description ·········································································································· 47

Command changes ···················································································································· 47

Modified command: tcp window ····························································································· 47

Modified feature: Support for obtaining fan tray and power module vendor information through MIB ·································································· 48

Feature change description ·········································································································· 48

Command changes ···················································································································· 48

Modified feature: Supporting per-packet load sharing ····························· 48

Feature change description ·········································································································· 48

Command changes ···················································································································· 48


Modified command: ip load-sharing mode ················································································ 48

Modified feature: Automatic configuration ············································ 49

Feature change description ·········································································································· 49

Command changes ···················································································································· 49

Modified feature: Software image signature ········································· 49

Feature change description ·········································································································· 49

Command changes ···················································································································· 50

Modified command: display install active ·················································································· 50

Modified command: display install backup ················································································ 50

Modified command: display install committed ··········································································· 51

Modified command: display install inactive ··············································································· 51

Modified command: display install ipe-info ················································································ 52

Modified command: display install package ·············································································· 52

Modified command: display install which ·················································································· 53

Release 0305P08 ··········································································· 53

New feature: mGRE ········································································ 54

Overview ·································································································································· 54

mGRE operation scheme ······································································································ 54

mGRE operation procedure ··································································································· 54

mGRE support for NAT traversal ···························································································· 57

mGRE configuration task list ········································································································ 57

Configuring an mGRE tunnel ········································································································ 57

Configuring routing ····················································································································· 58

Configuring IPsec for an mGRE tunnel ··························································································· 59

Displaying and maintaining mGRE ································································································ 59

Command reference ··················································································································· 60

New command: display mgre session ····················································································· 60

New command: display nhrp map ··························································································· 63

New command: display nhrp statistics ····················································································· 65

New command: nhrp authentication ························································································ 67

New command: nhrp holdtime ······························································································· 68

New command: nhrp network-id ····························································································· 69

New command: nhrp nhs ······································································································ 69

New command: reset mgre session ························································································ 70

New command: reset mgre statistics ······················································································· 71

New command: reset nhrp statistics ························································································ 71

New feature: Disabling transceiver module alarm ·································· 72

Configuring Disabling transceiver module alarm ··············································································· 72

Command reference ··················································································································· 72

New command: transceiver phony-alarm-disable ······································································· 72

Modified feature: Default user role ····················································· 73

Feature change description ·········································································································· 73

Command changes ···················································································································· 73

Modified command: role default-role enable ············································································· 73

Modified feature: Debugging ····························································· 74

Feature change description ·········································································································· 74

Command changes ···················································································································· 74

Modified command: debugging ······························································································ 74

Release 0305P04 ··········································································· 74

New feature: Public key management support for Suite B ······················· 75

Configuring Suite B in public key management ················································································ 75

Command reference ··················································································································· 75

Modified command: public-key local create ·············································································· 75


New feature: PKI support for Suite B ·················································· 76

Configuring Suite B in PKI ··········································································································· 76

Command reference ··················································································································· 76

Modified command: public-key ecdsa ······················································································ 76

New feature: IPsec support for Suite B ················································ 77

Overview ·································································································································· 77

IKEv2 negotiation process····································································································· 77

New features in IKEv2 ·········································································································· 78

Protocols and standards ······································································································· 79

IKEv2 configuration task list ········································································································· 79

Configuring an IKEv2 profile ········································································································· 80

Configuring an IKEv2 policy ········································································································· 83

Configuring an IKEv2 proposal ····································································································· 84

Configuring an IKEv2 keychain ····································································································· 85

Configure global IKEv2 parameters ······························································································· 86

Enabling the cookie challenging feature ··················································································· 86

Configuring the IKEv2 DPD feature ························································································· 86

Configuring the IKEv2 NAT keepalive feature ··········································································· 87

Configuring IKEv2 address pools ···························································································· 87

Displaying and maintaining IKEv2 ································································································· 88

Command reference ··················································································································· 88

New command: aaa authorization··························································································· 88

New command: address ······································································································· 89

New command: authentication-method ···················································································· 90

New command: certificate domain ·························································································· 92

New command: config-exchange ···························································································· 93

New command: description ··································································································· 94

New command: display ike statistics ······················································································· 95

New command: display ikev2 policy ························································································ 96

New command: display ikev2 profile ······················································································· 97

New command: display ikev2 proposal ···················································································· 99

New command: display ikev2 sa ·························································································· 100

New command: display ikev2 statistics ·················································································· 104

New command: dh············································································································· 105

New command: dpd ··········································································································· 106

New command: encryption ·································································································· 107

New command: hostname··································································································· 108

New command: identity ······································································································ 109

New command: identity local ······························································································· 110

New command: ikev2 address-group ···················································································· 111

New command: ikev2 cookie-challenge ················································································· 112

New command: ikev2 dpd ··································································································· 113

New command: ikev2 ipv6-address-group ·············································································· 114

New command: ikev2 keychain ···························································································· 115

New command: ikev2 nat-keepalive ······················································································ 116

New command: ikev2 policy ································································································ 117

New command: ikev2 profile ································································································ 118

New command: ikev2 proposal ···························································································· 118

New command: inside-vrf ···································································································· 120

New command: integrity ····································································································· 121

New command: keychain ···································································································· 122

New command: match local (IKEv2 profile view) ····································································· 123

New command: match local address (IKEv2 policy view) ·························································· 124

New command: match remote ····························································································· 125

New command: match vrf (IKEv2 policy view) ········································································· 126

New command: match vrf (IKEv2 profile view) ········································································ 127

New command: nat-keepalive ······························································································ 128

New command: peer ·········································································································· 129

New command: pre-shared-key ··························································································· 130

New command: prf ············································································································ 132


New command: priority (IKEv2 policy view) ············································································ 133

New command: priority (IKEv2 profile view) ············································································ 133

New command: proposal ···································································································· 134

New command: reset ikev2 sa ····························································································· 135

New command: reset ikev2 statistics ····················································································· 136

New command: sa duration ································································································· 137

New command: esn enable ································································································· 137

New command: ikev2-profile ······························································································· 138

New command: tfc enable ··································································································· 139

Modified command: ah authentication-algorithm ······································································ 140

Modified command: display ipsec { ipv6-policy | policy } ···························································· 141

Modified command: display ipsec { ipv6-policy-template | policy-template } ·································· 141

Modified command: display ipsec sa ····················································································· 141

Modified command: display ipsec transform-set ······································································ 142

Modified command: display ipsec tunnel ················································································ 142

Modified command: esp authentication-algorithm ···································································· 142

Modified command: esp encryption-algorithm ········································································· 143

Modified command: pfs ······································································································ 145

Modified command: pre-shared-key ······················································································ 145

Modified command: authentication-algorithm ·········································································· 146

New feature: SSL support for Suite B ··············································· 147

Configuring Suite B in SSL ········································································································· 147

Command reference ················································································································· 147

New command: display crypto version ··················································································· 147

New command: ssl version disable ······················································································· 148

New command: ssl renegotiation disable ··············································································· 149

Modified command: version ································································································· 150

Modified command: ciphersuite ···························································································· 150

Modified command: prefer-cipher ························································································· 152

New feature: FIPS support for Suite B ················································ 154

Configuring Suite B in FIPS ········································································································ 154

Command reference ················································································································· 154

New command: fips rng random size filename ········································································ 154

New command: fips rng random size round rate-statistics ························································· 155

New command: fips rng entropy size filename ········································································ 155

New command: fips rng entropy size round rate-statistics ························································· 156

New command: fips kdf ······································································································ 157

New command: fips algorithm verify param ············································································ 157

Modified command: fips self-test ·························································································· 158

New feature: SSH support for Suite B ··············································· 158

Configuring SSH based on Suite B algorithms ··············································································· 158

Specifying a PKI domain for the SSH server ··········································································· 158

Establishing a connection to an Stelnet server based on Suite B ················································ 159

Establishing a connection to an SFTP server based on Suite B ·················································· 160

Establishing a connection to an SCP server based on Suite B ··················································· 160

Specifying algorithms for SSH2 ···························································································· 161

Command reference ················································································································· 162

New command: display ssh2 algorithm ·················································································· 162

New command: ssh server pki-domain ·················································································· 163

New command: scp ipv6 suite-b ··························································································· 164

New command: scp suite-b ································································································· 166

New command: sftp ipv6 suite-b ··························································································· 168

New command: sftp suite-b ································································································· 170

New command: ssh2 ipv6 suite-b ························································································· 172

New command: ssh2 suite-b ······························································································· 174

New command: ssh2 algorithm cipher ··················································································· 176

New command: ssh2 algorithm key-exchange ········································································ 177

New command: ssh2 algorithm mac ····················································································· 178

New command: ssh2 algorithm public-key ·············································································· 179

Modified command: display ssh server ·················································································· 180

Modified command: ssh user ······························································································· 181

Modified command: scp ······································································································ 182

Modified command: scp ipv6 ······························································································· 185

Modified command: sftp ······································································································ 188

Modified command: sftp ipv6 ······························································································· 191

Modified command: ssh2 ···································································································· 194

Modified command: ssh2 ipv6 ······························································································ 197

New command: fips kdf ssh ································································································· 200

New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group ·················································································· 201

Configuring Ignoring the first AS number of EBGP route updates for a peer or peer group ····················· 201

Command reference ················································································································· 201

peer ignore-first-as ············································································································ 201

Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces ··············································································· 203

Feature change description ········································································································ 203

Command changes ·················································································································· 205

Modified command: lacp mode ···························································································· 205

Modified command: lacp period short ···················································································· 205

Modified command: link-aggregation port-priority ····································································· 205

Modified command: port link-aggregation group ······································································ 205

Modified feature: Changing the maximum number of FIB table entries ····· 206

Feature change description ········································································································ 206

Command changes ·················································································································· 206

Modified feature: Enabling CWMP ··················································· 207

Feature change description ········································································································ 207

Command changes ·················································································································· 207

Modified command: cwmp enable ······························································································ 207

Release 0305 ·············································································· 207

New feature: IKE ·········································································· 208

Feature change description ········································································································ 208

Command changes ·················································································································· 208

New command: IKEv2 command ·························································································· 208

Modified feature: IPsec ·································································· 208

Feature change description ········································································································ 208

Command changes ·················································································································· 208

Modified command: ah authentication-algorithm ······································································ 208

New command: esn enable ································································································· 209

Modified command: esp authentication-algorithm ···································································· 210

Modified command: esp encryption-algorithm ········································································· 211

Modified command: pfs ······································································································ 212

New command: tfc enable ··································································································· 213

Modified command: public-key local create ············································································ 214

Modified command: public-key ecdsa ···················································································· 214

Release 0304P12 ········································································· 215

New feature: Including vendor information in PPP accounting requests ··· 215

Configuring Including vendor information in PPP accounting requests ················································ 215

Command reference ················································································································· 215

pppoe-server account-vendor ······························································································ 215

New feature: BFD for an aggregation group ······································· 216

Configuring BFD for an aggregation group ···················································································· 216

Configuration restrictions and guidelines ················································································ 217

Configuration procedure ····································································································· 217

Command reference ················································································································· 217

link-aggregation bfd ipv4 ····································································································· 217

Modified feature: SSH username ····················································· 218

Feature change description ········································································································ 218

Command changes ·················································································································· 219

Modified command: ssh user ······························································································· 219

Modified feature: IS-IS hello packet sending interval ···························· 219

Feature change description ········································································································ 219

Command changes ·················································································································· 220

Modified command: isis timer hello ······················································································· 220

Modified feature: MP-group interface numbering ································· 220

Feature change description ········································································································ 220

Command changes ·················································································································· 220

Modified command: interface mp-group ················································································· 220

Modified command: display interface mp-group ······································································· 220

Modified command: ppp mp mp-group ·················································································· 221

Modified command: reset counters interface mp-group ····························································· 221

Release 0304P04 ········································································· 221

New feature: Media Stream Control (MSC) logging ······························ 221

Command reference ················································································································· 222

sip log enable ··················································································································· 222

Modified feature: ESP encryption algorithms ······································ 222

Feature change description ········································································································ 222

Command changes ·················································································································· 223

Modified command: esp encryption-algorithm ········································································· 223

Release 0304P02 ········································································· 223

New feature: IMSI/SN binding authentication ······································ 224

Command reference ················································································································· 224

ppp lcp imsi accept ············································································································ 224

ppp lcp imsi request ··········································································································· 224

ppp lcp imsi string ············································································································· 225

ppp lcp sn accept ·············································································································· 226

ppp lcp sn request ············································································································· 226

ppp lcp sn string ················································································································ 227

ppp user accept-format imsi-sn split ······················································································ 228

ppp user attach-format imsi-sn split ······················································································ 229

ppp user replace ··············································································································· 229

New feature: Specifying a band for a 4G modem ································ 230

Command reference ················································································································· 230

lte band ··························································································································· 230

New feature: CFD ········································································ 231

New feature: Using tunnel interfaces as OpenFlow ports ······················ 231

New feature: NETCONF support for ACL filtering ································ 231

Command reference ················································································································· 232

netconf soap http acl ·········································································································· 232

netconf soap https acl ········································································································ 233

New feature: Specifying a backup traffic processing unit ······················· 234

Specifying a backup traffic processing unit ···················································································· 234

Command reference ················································································································· 234

service standby ················································································································· 234

New feature: WAAS ······································································ 234

Configuring WAAS ··················································································································· 234

Command reference ················································································································· 234

New feature: Support for the MKI field in SRTP or SRTCP packets ········· 234

Command reference ················································································································· 235

mki ································································································································· 235

New feature: SIP domain name ······················································· 235

Command reference ················································································································· 236

sip-domain ······················································································································· 236

New feature: E&M logging ······························································ 236

Command reference ················································································································· 236

em log enable ··················································································································· 236

Modified feature: Setting the global link-aggregation load-sharing mode ·· 237

Feature change description ········································································································ 237

Command changes ·················································································································· 237

Modified command: link-aggregation global load-sharing mode ·················································· 237

Release 0304 ·············································································· 238

New feature: Setting the RTC version ··············································· 238

Configuring Setting the RTC version ···························································································· 238

Command reference ················································································································· 239

rta rtc version ··················································································································· 239

New feature: Setting the maximum size of advertisement files ··············· 240

Configuring the maximum size of advertisement files ······································································ 240

Command reference ················································································································· 240

New feature: IRF ·········································································· 240

Configuring IRF ······················································································································· 240

Command reference ················································································································· 240

New feature: Frame Relay ····························································· 240

Configuring Frame Relay ··········································································································· 240

Command reference ················································································································· 240

New feature: EVI ·········································································· 241

Configuring EVI ······················································································································· 241

Command reference ················································································································· 241

New feature: VPLS ······································································· 241

Configuring VPLS ···················································································································· 241

Command reference ················································································································· 241

New feature: Multicast VPN support for inter-AS option B ····················· 241

Configuring Multicast VPN support for inter-AS option B ·································································· 241

Command reference ················································································································· 241

Modified feature: 802.1X redirect URL ·············································· 242

Feature change description ········································································································ 242

Command changes ·················································································································· 242

Modified command: dot1x ead-assistant url ············································································ 242

Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server ···················································· 242

Feature change description ········································································································ 242

Command changes ·················································································································· 242

Modified command: display ntp-service trace ·········································································· 242

Modified feature: Saving, rolling back, and loading the configuration ······· 243

Feature change description ········································································································ 243

Command changes ·················································································································· 243

Modified feature: Displaying information about SSH users ···················· 243

Feature change description ········································································································ 243

Command changes ·················································································································· 244

Modified command: display ssh user-information ····································································· 244

Removed feature: Displaying fabric utilization ····································· 244

Feature change description ········································································································ 244

Removed command ················································································································· 244

display fabric utilization ······································································································· 244

ESS 0302P06 ·············································································· 244

New feature: Object policies ··························································· 246

Configuring Object policies ········································································································ 246

Command reference ················································································································· 247

New feature: IPHC ······································································· 247

Configuring IPHC ····················································································································· 247

Command reference ················································································································· 247

New feature: Support of PPPoE server for IPv6 ·································· 247

Configuring Support of PPPoE server for IPv6 ··············································································· 247

Command reference ················································································································· 247

New feature: QSIG tunneling over SIP-T ··········································· 247

Configuring QSIG tunneling over SIP-T ························································································ 247

Command reference ················································································································· 248

New feature: Playout delay ····························································· 248

Configuring Playout delay ·········································································································· 248

Command reference ················································································································· 248

New feature: BGP L2VPN support for NSR ········································ 248

Configuring BGP L2VPN support for NSR ····················································································· 248

Command reference ················································································································· 248

New feature: BGP support for dynamic peers ····································· 249

Configuring BGP support for dynamic peers ·················································································· 249

Command reference ················································································································· 249

New feature: ARP PnP ·································································· 249

Configuring ARP PnP ··············································································································· 249

Command reference ················································································································· 249

New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts ·················································· 250

Configuring Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts ······················ 250

Command reference ················································································································· 250

New feature: QoS soft forwarding ···················································· 250

Configuring QoS soft forwarding ································································································· 250

Command reference ················································································································· 251

New feature: Filtering by application layer protocol status ····················· 251

Configuring Filtering by application layer protocol status ·································································· 251

Command reference ················································································································· 251

New feature: ADVPN support for multicast forwarding ·························· 251

Configuring ADVPN support for multicast forwarding ······································································ 251

Command reference ················································································································· 251

New feature: MPLS LDP support for IPv6 ·········································· 252

Configuring MPLS LDP support for IPv6 ······················································································· 252

Command reference ················································································································· 252

New feature: Port security ······························································ 252

Configuring Port security ··········································································································· 252

Command reference ················································································································· 253

New feature: Customizable IVR ······················································· 253

Configuring Customizable IVR ···································································································· 253

Command reference ················································································································· 253

New feature: SRST ······································································· 253

Configuring SRST ···················································································································· 253

Command reference ················································································································· 253

New feature: NEMO ······································································ 254

Configuring NEMO ··················································································································· 254

Command reference ················································································································· 254

New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation······················································· 254

Configuring Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation ········· 254

Command reference ················································································································· 254

New feature: Support for LLDP on CPOS interfaces ···························· 255

Configuring Support for LLDP on CPOS interfaces ········································································· 255

Command reference ················································································································· 255

New feature: SMS-based automatic configuration ······························· 255

Configuring SMS-based automatic configuration ············································································ 255

Command reference ················································································································· 255

New feature: ARP attack protection ·················································· 255

Configuring ARP attack protection ······························································································· 255

Command reference ················································································································· 256

New feature: SIP support for VRF ···················································· 256

Configuring SIP support for VRF ································································································· 256

Configuration guidelines ····································································································· 256

Configuration procedure ····································································································· 256

Command reference ················································································································· 256

vpn-instance ····················································································································· 256

ESS 0102 ··················································································· 257

New feature: Portal authentication ··················································· 258

Command reference ················································································································· 258


New feature: MSDP ······································································ 258

Configuring MSDP ··················································································································· 258

Command reference ················································································································· 259

New feature: IPsec MIB and IKE MIB ··············································· 259

New feature: PoE ········································································· 259

Configuring PoE ······················································································································ 259

Command reference ················································································································· 260

New feature: CoPP software forwarding feature ·································· 260

Configuring CoPP ···················································································································· 260

Command reference ················································································································· 260

control-plane ···················································································································· 260

control-plane management ·································································································· 261

qos apply policy (interface view, control plane view) ································································· 261

New feature: Configuring MPLS LDP FRR ········································· 263

Configuring MPLS LDP FRR ······································································································ 263

Command reference ················································································································· 263

igp sync delay ··················································································································· 263

igp sync delay on-restart ····································································································· 265

mpls ldp igp sync disable ···································································································· 266

New feature: Enhanced routing features ············································ 266

Configuring enhanced routing features ························································································· 266

Command reference ················································································································· 267

non-stop-routing ················································································································ 267

ip route-static fast-reroute auto ···························································································· 267

import-route (RIP view) ······································································································· 268

import-route (OSPF view) ··································································································· 269

import-route (IS-IS view) ····································································································· 271

import-route (BGP view) ····································································································· 273

import-route (RIPng view) ··································································································· 275

import-route (OSPFv3 view) ································································································ 276

ipv6 import-route (IPv6 IS-IS view)························································································ 278

New feature: Python ····································································· 279

Using Python··························································································································· 279

Command reference ················································································································· 280

New feature: ATM ········································································ 280

Configuring ATM ······················································································································ 280

Command reference ················································································································· 280

New feature: DHCP MIB ································································ 280

DHCP MIB ······························································································································ 280

Command reference ················································································································· 280

if-match ··························································································································· 280

ESS 0006P02 ·············································································· 282


Release 0306P82

None.

Release 0306P81

None.

Release 0306P80

None.

Release 0306P70

None.

Release 0306P52

This release has the following changes:

New feature: MAC address recording in TCP packets

New feature: Configuring the leased line service for an ISDN BRI interface

New feature: LLDP PVID inconsistency check

Modified feature: High encryption

Modified feature: OSPF

Modified feature: Policy-based routing

Modified feature: MIB objects

Modified feature: Setting ISP domain status

Modified feature: Excluding an attribute from portal protocol packets

Modified feature: NTP

Modified feature: Transceiver modules

Modified feature: E1POS


New feature: MAC address recording in TCP packets

Configuring MAC address recording in TCP packets

The router can add an option to each TCP packet sent from a terminal user to record the MAC address of that terminal user.

Command reference

New command: tcp mac-record enable

Use tcp mac-record enable to enable MAC address recording in TCP packets.

Use undo tcp mac-record enable to restore the default.

Syntax

tcp mac-record enable

undo tcp mac-record enable

Default

The MAC address recording in TCP packets is disabled.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

This feature enables the device to add an option in each TCP packet to record MAC addresses.

Examples

# Enable the MAC address recording in TCP packets on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] tcp mac-record enable

Related commands

tcp mac-record local


New command: tcp mac-record local

Use tcp mac-record local to specify the MAC address of the local device for MAC address recording.

Use undo tcp mac-record local to restore the default.

Syntax

tcp mac-record local mac-address

undo tcp mac-record local

Default

The MAC address of the local device for MAC address recording is not specified.

Parameters

mac-address: Specifies the MAC address of the local device. This MAC address cannot be all 0s, broadcast MAC address or multicast MAC address.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command is typically configured on the access devices that connect to terminal users, and is used together with the tcp mac-record enable command.

With these two commands configured, the device adds options to each TCP packet to record its own specified MAC address and the MAC address of the terminal user.

Examples

# Specify the MAC address of the local device as 0102-0304-0506.

<Sysname> system-view

[Sysname] tcp mac-record local 0102-0304-0506

Related commands

tcp mac-record enable


New feature: Configuring the leased line service for an ISDN BRI interface

Configuring the leased line service for an ISDN BRI interface

ISDN leased lines are implemented by establishing semi-permanent connections. This requires the PBXs of your telecommunication service provider to provide leased lines and be connected to the remote device.

To configure the leased line service for an ISDN BRI interface:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter ISDN BRI interface view.
  Command: interface bri interface-number
  Remarks: N/A

Step 3: Configure the leased line service for the ISDN BRI interface.
  Command: isdn leased-line [ B1 | B2 | 128 ]
  Remarks: By default, the leased line service is not configured for an ISDN BRI interface.

Command reference

New command: isdn leased-line

Use isdn leased-line [ B1 | B2 | 128 ] to configure the leased line service for an ISDN BRI interface.

Use undo isdn leased-line [ B1 | B2 | 128 ] to remove the leased line service configuration for an ISDN BRI interface.

Syntax

isdn leased-line [ B1 | B2 | 128 ]

undo isdn leased-line [ B1 | B2 | 128 ]

Default

The leased line service is not configured for an ISDN BRI interface.

Views

ISDN BRI interface view

Predefined user roles

network-admin

network-operator


Parameters

B1: Uses channel B1 as a 64-kbps leased line.

B2: Uses channel B2 as a 64-kbps leased line.

128: Combines channels B1 and B2 into a 128-kbps leased line.

Usage guidelines

The isdn leased-line command without any keywords configures both the B1 and B2 channels as 64-kbps leased lines.

The undo isdn leased-line command without any keywords removes the leased line service configuration from the specified BRI interface.

You can directly switch an ISDN BRI interface from 64-kbps leased line service to 128-kbps leased line service, or vice versa.

This command is not available on BSV interfaces.

Examples

# Combine channels B1 and B2 on BRI 2/1 to provide a 128-kbps leased line.

<Sysname> system-view

[Sysname] interface bri 2/1

[Sysname-Bri2/1] isdn leased-line 128

New feature: LLDP PVID inconsistency check

Disabling LLDP PVID inconsistency check

By default, when the system receives an LLDP packet, it compares the PVID value contained in the packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log message is printed to notify the user.

You can disable PVID inconsistency check if different PVIDs are required on a link.

To disable LLDP PVID inconsistency check:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Disable LLDP PVID inconsistency check.
  Command: lldp ignore-pvid-inconsistency
  Remarks: By default, LLDP PVID inconsistency check is enabled.


Command reference

lldp ignore-pvid-inconsistency

Use lldp ignore-pvid-inconsistency to disable LLDP PVID inconsistency check.

Use undo lldp ignore-pvid-inconsistency to enable LLDP PVID inconsistency check.

Syntax

lldp ignore-pvid-inconsistency

undo lldp ignore-pvid-inconsistency

Default

LLDP PVID inconsistency check is enabled.

Views

System view

Default command level

network-admin

Usage guidelines

By default, when the system receives an LLDP packet, it compares the PVID value contained in the packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log message is printed to notify the user.

You can disable PVID inconsistency check if different PVIDs are required on a link.

Examples

# Disable LLDP PVID inconsistency check.

<Sysname> system-view

[Sysname] lldp ignore-pvid-inconsistency
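The PVID check described above, as an added Python example that is not part of the HPE release notes: it parses the IEEE 802.1 Port VLAN ID TLV out of a constructed LLDPDU, compares it with the PVID configured on the receiving interface, and returns a log line on mismatch. The function names and the log text are assumptions of this example, not the device's own format; passing ignore_inconsistency=True models the lldp ignore-pvid-inconsistency setting.

```python
"""Added example (not HPE code): LLDP PVID inconsistency check."""
import struct

# IEEE 802.1 organizationally specific TLV that carries the Port VLAN ID.
TLV_END = 0
TLV_ORG_SPECIFIC = 127
OUI_IEEE_8021 = b"\x00\x80\xc2"
SUBTYPE_PORT_VLAN_ID = 1


def parse_tlvs(lldpdu: bytes):
    """Yield (type, value) pairs from an LLDPDU, stopping at End-of-LLDPDU."""
    offset = 0
    while offset + 2 <= len(lldpdu):
        header = struct.unpack("!H", lldpdu[offset:offset + 2])[0]
        tlv_type = header >> 9        # upper 7 bits of the TLV header
        length = header & 0x1FF       # lower 9 bits of the TLV header
        offset += 2
        if tlv_type == TLV_END:
            return
        if offset + length > len(lldpdu):
            # A truncated TLV is a malformed frame; never read past the buffer.
            raise ValueError("truncated LLDP TLV")
        yield tlv_type, lldpdu[offset:offset + length]
        offset += length


def extract_pvid(lldpdu: bytes):
    """Return the PVID advertised by the neighbor, or None if no PVID TLV."""
    for tlv_type, value in parse_tlvs(lldpdu):
        if tlv_type != TLV_ORG_SPECIFIC or len(value) != 6:
            continue
        if value[:3] == OUI_IEEE_8021 and value[3] == SUBTYPE_PORT_VLAN_ID:
            return struct.unpack("!H", value[4:6])[0]
    return None


def check_pvid_consistency(lldpdu: bytes, local_pvid: int, interface: str,
                           ignore_inconsistency: bool = False):
    """Return a log line when the neighbor's PVID differs from ours, else None.

    ignore_inconsistency=True models 'lldp ignore-pvid-inconsistency':
    the comparison is skipped and nothing is logged.
    """
    if ignore_inconsistency:
        return None
    peer_pvid = extract_pvid(lldpdu)
    if peer_pvid is None or peer_pvid == local_pvid:
        return None
    # Hypothetical log format; the device's real message text differs.
    return (f"LLDP/PVID_INCONSISTENT: {interface} local PVID {local_pvid} "
            f"differs from neighbor PVID {peer_pvid}")


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV; used only to construct the sample LLDPDU below."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_pvid_tlv(pvid: int) -> bytes:
    """Encode the Port VLAN ID TLV (OUI 00-80-C2, subtype 1, 2-byte PVID)."""
    payload = OUI_IEEE_8021 + bytes([SUBTYPE_PORT_VLAN_ID]) + struct.pack("!H", pvid)
    return build_tlv(TLV_ORG_SPECIFIC, payload)


# Constructed sample LLDPDU: Chassis ID, Port ID, TTL, Port VLAN ID 100, End.
SAMPLE_LLDPDU = (
    build_tlv(1, b"\x04" + bytes.fromhex("0102030405ff"))  # chassis ID (MAC subtype)
    + build_tlv(2, b"\x05Gi1/0/1")                         # port ID (interface name)
    + build_tlv(3, struct.pack("!H", 120))                 # TTL of 120 seconds
    + build_pvid_tlv(100)
    + build_tlv(TLV_END, b"")
)

if __name__ == "__main__":
    # Local interface sits in VLAN 1 while the neighbor advertises PVID 100.
    print(check_pvid_consistency(SAMPLE_LLDPDU, 1, "GigabitEthernet1/0/1"))
```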

Modified feature: High encryption

Feature change description

In this release, the HPE router does not require a license to support high encryption. It operates in high encryption mode by default.


Modified feature: OSPF

Feature change description

The device can automatically obtain a router ID from an OSPF interface.

Command reference

Modified command: ospf

Old syntax

ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *

undo ospf [ process-id ]

New syntax

ospf [ process-id | router-id { auto-select | router-id } | vpn-instance vpn-instance-name ] *

undo ospf [ process-id ] [ router-id ]

Views

System view

Change description

The auto-select keyword was added to the command for the device to automatically obtain a router ID from an OSPF interface.

Modified feature: Policy-based routing

Feature change description

The apply remark-vpn command was newly added. You can execute this command in policy node view or IPv6 policy node view to mark the VPN instance for matching packets.

Command reference

New command: apply remark-vpn

Use apply remark-vpn to mark the VPN instance for matching packets.

Use undo apply remark-vpn to restore the default.


Syntax

apply remark-vpn

undo apply remark-vpn

Default

The VPN instance is not marked for matching packets.

Views

Policy node view

Predefined user roles

network-admin

Usage guidelines

The apply access-vpn vpn-instance command is used to forward matching packets in a specified VPN instance. To make the VPN instance known to the service modules, use the apply remark-vpn command to mark the VPN instance in the packets.

This command must be used together with the apply access-vpn vpn-instance command.

This command marks a VPN instance in a packet only when the packet is forwarded in the VPN instance specified by the apply access-vpn vpn-instance command.

Examples

# Mark VPN instance vpn1 for packets that match ACL 3000.

<Sysname> system-view

[Sysname] policy-based-route aaa permit node 10

[Sysname-pbr-aaa-10] if-match acl 3000

[Sysname-pbr-aaa-10] apply access-vpn vpn-instance vpn1

[Sysname-pbr-aaa-10] apply remark-vpn

Modified feature: MIB objects

Feature change description

The startup2Net object in the hh3c-config-man.mib was modified to specify the startup configuration file. The description of the startup object was changed accordingly.


Modified feature: Setting ISP domain status

Feature change description

An ISP domain can be blocked based on time ranges.

Command changes

Modified command: state

Old syntax

state { active | block }

New syntax

state { active | block [ time-range ] [ offline ] }

Views

ISP domain view

Change description

The time-range and offline keywords were added to this command.

time-range: Blocks the ISP domain based on time ranges. If you do not specify this keyword, the ISP domain is in blocked state until you manually set the state to active.

offline: Logs off all online users when the ISP domain state changes from active to blocked.

New command: state block time-range name

Use state block time-range name to specify a time range during which an ISP domain is in blocked state.

Use undo state block time-range name to remove a time range or all time ranges during which an ISP domain is in blocked state.

Syntax

state block time-range name time-range-name

undo state block time-range { all | name time-range-name }

Default

No time ranges are specified to block an ISP domain.

Views

ISP domain view


Predefined user roles

network-admin

Parameters

time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. The name must start with a letter and cannot be the word all.

all: Removes all time ranges.

Usage guidelines

An ISP domain is blocked during the specified time ranges only when the ISP domain is set to be blocked based on time ranges. To block an ISP domain based on time ranges, use the state block time-range command.

Execute this command multiple times to specify multiple time ranges during which an ISP domain is blocked.

Examples

# Specify ISP domain test to be blocked during time ranges t1 and t2.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] state block time-range name t1

[Sysname-isp-test] state block time-range name t2

Modified feature: Excluding an attribute from portal protocol packets

Excluding an attribute from portal protocol packets

Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.

To address this issue, you can configure portal protocol packets to not carry the attributes unsupported by the portal authentication server.

To exclude an attribute from portal protocol packets:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter portal authentication server view.
  Command: portal server server-name
  Remarks: N/A

Step 3: Exclude an attribute from portal protocol packets.
  Command: exclude-attribute number { ack-auth | ntf-logout | ack-logout }
  Remarks: By default, no attributes are excluded from portal protocol packets.


Command reference

New command: exclude-attribute

Use exclude-attribute to exclude an attribute from portal protocol packets.

Use undo exclude-attribute to not exclude an attribute from portal protocol packets.

Syntax

exclude-attribute number { ack-auth | ntf-logout | ack-logout }

undo exclude-attribute number { ack-auth | ntf-logout | ack-logout }

Default

No attributes are excluded from portal protocol packets.

Views

Portal authentication server view

Predefined user roles

network-admin

Parameters

number: Specifies an attribute by its number in the range of 1 to 255.

ack-auth: Excludes the attribute from ACK_AUTH packets.

ntf-logout: Excludes the attribute from NTF_LOGOUT packets.

ack-logout: Excludes the attribute from ACK_LOGOUT packets.

Usage guidelines

Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.

To address this issue, you can configure this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.

You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).

Table 1 describes all attributes of the portal protocol.

Table 1 Portal attributes

Name          Number  Description
UserName      1       Username of the user to be authenticated.
PassWord      2       Plaintext password submitted by the user.
Challenge     3       Random challenge for CHAP authentication.
ChapPassWord  4       CHAP password encrypted by MD5.
TextInfo      5       The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server. The attribute value can be a string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.
UpLinkFlux    6       Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.
DownLinkFlux  7       Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.
Port          8       Port information, a string excluding the end character '\0'.
IP-Config     9       This attribute has different meanings in different types of packets. The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP. The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.

Examples

# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.

<Sysname> system-view

[Sysname] portal server pts

[Sysname-portal-server-pts] exclude-attribute 6 ack-auth

Related commands

display portal server

Modified command: display portal server

Syntax

display portal server [ server-name ]

Views

Any view

Change description

The Exclude-attribute field was added to the output of this command.


Modified feature: NTP

Feature change description

NTP can use advanced ACLs to filter packets by source and destination IP addresses.

Command changes

Modified command: ntp-service authentication-keyid

Old syntax

ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value

New syntax

ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *

Views

System view

Change description

The acl ipv4-acl-number and ipv6 acl ipv6-acl-number options were added to the command.

Modified command: sntp authentication-keyid

Old syntax

sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value

New syntax

sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *

Views

System view

Change description

The acl ipv4-acl-number and ipv6 acl ipv6-acl-number options were added to the command.


Modified feature: Transceiver modules

Feature change description

The names of SFP-GE-LH70-SM1550 and SFP-GE-LH70-SM1550-D transceiver modules were changed to SFP-GE-LH80-SM1550 and SFP-GE-LH80-SM1550-D, respectively. Their transmission distance was increased from 70 km (43.50 miles) to 80 km (49.71 miles).

Modified feature: E1POS

Feature change description

This release added support for displaying the modem negotiation rate of E1POS by using the debug command.

Release 0306P30

This release has the following changes:

New feature: SIP compatibility

Modified feature: OSPF performance optimization

Modified feature: Telnet redirect

Modified feature: POS terminal access

Modified feature: License

Modified feature: IP performance optimization

New feature: SIP compatibility

Configuring SIP compatibility

If a third-party device does not implement SIP in strict accordance with the RFC standard, you can configure SIP compatibility for the router to interoperate with the third-party device.

With the sip-compatible t38 command configured, the router excludes :0 from the following SDP parameters in the originated re-INVITE messages:

• T38FaxTranscodingJBIG.

• T38FaxTranscodingMMR.

• T38FaxFillBitRemoval.

With the sip-compatible x-param command configured, the router adds SDP description information (a=X-fax and a=X-modem) for fax pass-through and modem pass-through in the originated re-INVITE messages.

To configure SIP compatibility:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter voice view.
  Command: voice-setup
  Remarks: N/A

Step 3: Enter SIP view.
  Command: sip
  Remarks: N/A

Step 4: Configure SIP compatibility.
  Command: sip-compatible { t38 | x-param }
  Remarks: By default, SIP compatibility is not configured.

Command reference

sip-compatible

Use sip-compatible to configure SIP compatibility with a third-party device.

Use undo sip-compatible to restore the default.

Syntax

sip-compatible { t38 | x-param }

undo sip-compatible { t38 | x-param }

Default

SIP compatibility is not configured.

Views

SIP view

Predefined user roles

network-admin

Parameters

t38: Configures SIP compatibility for standard T.38 fax. With this keyword specified, the router excludes :0 from the following SDP parameters in the originated re-INVITE messages:

• T38FaxTranscodingJBIG.

• T38FaxTranscodingMMR.

• T38FaxFillBitRemoval.


This keyword is required when the router interoperates with a third-party softswitch device to exchange T.38 fax messages.

x-param: Configures SIP compatibility for fax pass-through and modem pass-through. With this keyword specified, the router adds SDP description information for fax pass-through and modem pass-through to outgoing re-INVITE messages. This keyword is required when the router interoperates with a third-party softswitch device to perform fax pass-through and modem pass-through.

Usage guidelines

The t38 and x-param keywords can be both configured to interoperate with a third-party softswitch device.

Examples

# Configure SIP compatibility for standard T.38 fax.

<Sysname> system-view

[Sysname] voice-setup

[Sysname-voice] sip

[Sysname-voice-sip] sip-compatible t38

Modified feature: OSPF performance optimization

Feature change description

You can set a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds.

The value range for the LSU packet sending interval was changed to 0 to 1000 milliseconds.

Command changes

Modified command: spf-schedule-interval

Old syntax

spf-schedule-interval { maximum-interval [ minimum-interval [ incremental-interval ] ] }

New syntax

spf-schedule-interval { maximum-interval [ minimum-interval [ incremental-interval ] ] | millisecond interval }

Views

OSPF view


Change description

The millisecond interval argument was added to the command. You can specify this argument to set a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds.

Modified command: transmit-pacing

Syntax

transmit-pacing interval interval count count

Views

OSPF view

Change description

Before modification: The value range for the interval argument was 10 to 1000 milliseconds.

After modification: The value range for the interval argument is 0 to 1000 milliseconds.

Modified feature: Telnet redirect

Feature change description

Authentication was added on MSR 3000 series routers for Telnet redirect users.

Logging was added for Telnet redirect login events and Telnet redirect exit events.

Modified feature: POS terminal access

Feature change description

The posa auto-stop-service enable command now also sets the access interfaces of all E1POS terminal templates to reply with busy tones when all FEPs are unreachable.

Command changes

Modified command: posa auto-stop-service enable

Syntax

posa auto-stop-service enable

Views

System view


Change description

Before modification, this command enables automatic shutdown of the listening ports for TCP-based POS terminal templates when all FEPs that correspond to TCP-based POS application templates are unreachable. When any of the FEPs becomes reachable, the router automatically opens the listening ports for all TCP-based POS terminal templates.

After modification, this command enables the router to automatically perform the following operations when all FEPs that correspond to TCP-based POS application templates are unreachable:

• Shuts down the listening ports for all TCP-based POS terminal templates.

• Sets the access interfaces for all E1POS terminal templates to reply with busy tones.

When any of the FEPs becomes reachable, the router automatically performs the following operations:

• Opens the listening ports for all TCP-based POS terminal templates.

• Disables busy tone for all E1POS terminal templates.

Modified feature: License

Feature change description

The device uses high encryption algorithms by default and does not require a license.

Modified feature: IP performance optimization

Feature change description

The device supports recording MAC addresses in TCP packets. You can also configure the device to record the MAC address of the local device in TCP packets.

Command changes

New command: tcp mac-record enable

Use tcp mac-record enable to enable MAC address recording in TCP packets.

Use undo tcp mac-record enable to disable MAC address recording in TCP packets.

Syntax

tcp mac-record enable

undo tcp mac-record enable

Default

MAC address recording in TCP packets is disabled.

Views

Interface view

Default command level

network-admin

Usage guidelines

This feature records the MAC address of the packet originator in a TCP option. When an attack occurs, the administrator can quickly locate the attack source according to the recorded MAC addresses.

Examples

# Enable MAC address recording in TCP packets on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] tcp mac-record enable

New command: tcp mac-record local

Use tcp mac-record local to record the MAC address of the local device in TCP packets.

Use undo tcp mac-record local to restore the default.

Syntax

tcp mac-record local mac-address

undo tcp mac-record local

Default

The destination MAC address is recorded.

Views

System view

Default command level

network-admin

Parameters

mac-address: Specifies the MAC address of the local device. The MAC address cannot be all 0s, broadcast MAC address, or multicast MAC address.

Usage guidelines

To make this command take effect, you must enable MAC address recording in TCP packets by using the tcp mac-record enable command.


Examples

# Record the MAC address of the local device 0605-0403-0201 in TCP packets.

<Sysname> system-view

[Sysname] tcp mac-record local 0605-0403-0201

Release 0306P12

This release has the following changes:

Modified feature: Configuring an SSH user

Modified feature: AAA

Modified feature: Configuring a cellular interface for a 3G/4G modem

Modified feature: VXLAN

Modified feature: DHCP

Modified feature: Configuring an SSH user

Feature change description

Starting from this software version, the device checks the username validity when an SSH user is created.

Modified feature: AAA

Feature change description

Starting from this software version, you can configure the authorization method for IKE extended authentication.

Command changes

New command: authorization ike

Use authorization ike to configure the authorization method for IKE extended authentication.

Use undo authorization ike to restore the default.

Syntax

In non-FIPS mode:

authorization ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }

undo authorization ike

In FIPS mode:

authorization ike { local | radius-scheme radius-scheme-name [ local ] }

undo authorization ike

Default

The default authorization method for the ISP domain is used for IKE extended authentication.

Views

ISP domain view

Predefined user roles

network-admin

Parameters

local: Performs local authorization.

none: Does not perform authorization.

radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.

Examples

# In ISP domain test, perform local authorization for IKE extended authentication.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ike local

# In ISP domain test, use RADIUS scheme rd as the primary authorization method and local authorization as the backup authorization method for IKE extended authentication.

<Sysname> system-view

[Sysname] domain test

[Sysname-isp-test] authorization ike radius-scheme rd local

Modified feature: Configuring a cellular interface for a 3G/4G modem

Feature change description

In this release, you can set the RSSI thresholds for a 3G/4G modem.


Command changes

New command: rssi

Use rssi to set the RSSI thresholds for a 3G/4G modem.

Use undo rssi to restore the default.

Syntax

rssi { gsm | 1xrtt | evdo | lte } { low lowthreshold | medium mediumthreshold } *

undo rssi { gsm | 1xrtt | evdo | lte } [ low | medium ]

Default

The lower and upper thresholds for a 3G/4G modem are –150 dBm and 0 dBm, respectively.

Views

Cellular interface view

Predefined user roles

network-admin

Parameters

1xrtt: Specifies the 1xRTT mode.

evdo: Specifies the EVDO mode.

gsm: Specifies the GSM mode.

lte: Specifies the LTE mode.

low lowthreshold: Specifies the lower RSSI threshold value in the range of 0 to 150, which represents a lower RSSI threshold in the range of –150 dBm to 0 dBm. The value of lowthreshold cannot be smaller than the value of mediumthreshold, because the system automatically adds a negative sign to the RSSI thresholds.

medium mediumthreshold: Specifies the upper RSSI threshold value in the range of 0 to 150, which represents an upper RSSI threshold in the range of –150 dBm to 0 dBm.

Usage guidelines

The device performs the following operations based on the actual RSSI of the 3G/4G modem:

Sends a trap that indicates high RSSI when the RSSI exceeds the upper threshold.

Sends a trap that indicates normal RSSI when the RSSI is between the lower threshold and upper threshold (included).

Sends a trap that indicates low RSSI when the RSSI drops to or below the lower threshold.

Sends a trap that indicates low RSSI every 10 minutes when the RSSI remains equal to or smaller than the lower threshold.

To view the RSSI change information for a 3G/4G modem, use the display cellular command.


Examples

# Set the lower threshold for a 3G/4G modem in GSM mode to –110 dBm.

<Sysname> system-view

[Sysname] interface cellular 0/0

[Sysname-Cellular0/0] rssi gsm low 110
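The following Python model of the threshold logic described above is an added example, not HPE code: it converts the CLI values to dBm the way the command does, classifies samples, and records the traps, including the 10-minute repeat for low RSSI. It assumes a trap is sent on each state change, which the guidelines do not state explicitly.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The usage guidelines say the low-RSSI trap repeats every 10 minutes.
LOW_TRAP_REPEAT_SECONDS = 10 * 60


def make_thresholds(lowthreshold: int, mediumthreshold: int) -> Tuple[int, int]:
    """Validate the CLI values (0 to 150) and convert them to dBm the way the
    command does, by adding a negative sign.  Returns (lower_dbm, upper_dbm)."""
    for name, value in (("lowthreshold", lowthreshold), ("mediumthreshold", mediumthreshold)):
        if not 0 <= value <= 150:
            raise ValueError(f"{name} must be in the range 0 to 150, got {value}")
    # After negation, -lowthreshold must not exceed -mediumthreshold, which is
    # why lowthreshold cannot be smaller than mediumthreshold.
    if lowthreshold < mediumthreshold:
        raise ValueError("lowthreshold cannot be smaller than mediumthreshold")
    return -lowthreshold, -mediumthreshold


@dataclass
class RssiMonitor:
    """Tracks RSSI samples and records the traps the device would send."""
    lower_dbm: int = -150  # default lower threshold
    upper_dbm: int = 0     # default upper threshold
    last_state: Optional[str] = None
    last_low_trap_at: Optional[int] = None
    traps: List[str] = field(default_factory=list)

    def classify(self, rssi_dbm: int) -> str:
        # Exactly at the lower threshold counts as low ("drops to or below");
        # exactly at the upper threshold counts as normal ("included").
        if rssi_dbm > self.upper_dbm:
            return "high"
        if rssi_dbm <= self.lower_dbm:
            return "low"
        return "normal"

    def observe(self, rssi_dbm: int, now: int) -> str:
        """Feed one sample taken at time `now` (seconds) and return its state.
        Assumption of this example: a trap is sent when the state changes,
        and the low-RSSI trap is repeated while the RSSI stays low."""
        state = self.classify(rssi_dbm)
        if state != self.last_state:
            self.traps.append(f"t={now}s: RSSI {state} ({rssi_dbm} dBm)")
            self.last_state = state
            self.last_low_trap_at = now if state == "low" else None
        elif state == "low" and now - self.last_low_trap_at >= LOW_TRAP_REPEAT_SECONDS:
            self.traps.append(f"t={now}s: RSSI still low ({rssi_dbm} dBm)")
            self.last_low_trap_at = now
        return state


if __name__ == "__main__":
    # Equivalent of "rssi gsm low 110" with the default upper threshold (0 dBm);
    # the samples are constructed.
    monitor = RssiMonitor(*make_thresholds(110, 0))
    for t, sample in [(0, -80), (60, -110), (360, -115), (660, -118), (720, -95)]:
        monitor.observe(sample, t)
    print("\n".join(monitor.traps))
```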

Modified feature: VXLAN

Feature change description

This release added support for QoS in the outbound direction of VXLAN tunnel interfaces.

Command changes

None.

Modified feature: DHCP

Feature change description

Starting from this software version, you can configure the DHCP server to send DHCP replies that do not contain Option 60.

Command changes

New command: dhcp server reply-exclude-option60

Use dhcp server reply-exclude-option60 to configure the DHCP server to send DHCP replies that do not contain Option 60.

Use undo dhcp server reply-exclude-option60 to restore the default.

Syntax

dhcp server reply-exclude-option60

undo dhcp server reply-exclude-option60

Default

The DHCP server sends DHCP replies containing Option 60.

Views

System view

Predefined user roles

network-admin

Example

# Configure the DHCP server to send DHCP replies that do not contain Option 60.

<Sysname> system-view

[Sysname] dhcp server reply-exclude-option60

Release 0306P11

This release has the following changes:

New feature: Voice VLAN

Modified feature: MPLS QoS support for matching the EXP field

Modified feature: MPLS QoS support for marking the EXP field

Modified feature: Automatic configuration

Removed feature: Tinyproxy

New feature: Voice VLAN

Configuring a voice VLAN

Configuring a port to operate in automatic voice VLAN assignment mode

15. Enter system view.
    Command: system-view
    Remarks: N/A

16. (Optional.) Set the voice VLAN aging timer.
    Command: voice-vlan aging minutes
    Remarks: By default, the aging timer of a voice VLAN is 1440 minutes.

17. (Optional.) Enable the voice VLAN security mode.
    Command: voice-vlan security enable
    Remarks: By default, the voice VLAN security mode is enabled.

18. (Optional.) Add an OUI address for voice packet identification.
    Command: voice-vlan mac-address oui mask oui-mask [ description text ]
    Remarks: By default, system default OUI addresses exist.

19. Enter interface view.
    Command:
      Enter Layer 2 Ethernet interface view: interface interface-type interface-number
      Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
      Enter S-channel interface view: interface s-channel interface-number.channel-id
      Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id
      Enter Layer 2 RPR logical interface view: interface rpr-bridge interface-number
    Remarks: N/A

20. Set the link type of the port.
    Command:
      Set the port link type to trunk: port link-type trunk
      Set the port link type to hybrid: port link-type hybrid
    Remarks: N/A

21. Configure the port to operate in automatic voice VLAN assignment mode.
    Command: voice-vlan mode auto
    Remarks: By default, the automatic voice VLAN assignment mode is enabled.

22. Enable the voice VLAN feature on the port.
    Command: voice-vlan vlan-id enable
    Remarks: By default, the voice VLAN feature is disabled. Before you execute this command, make sure the specified VLAN already exists.

Configuring a port to operate in manual voice VLAN assignment mode

23. Enter system view.
    Command: system-view
    Remarks: N/A

24. (Optional.) Enable the voice VLAN security mode.
    Command: voice-vlan security enable
    Remarks: By default, the voice VLAN security mode is enabled.

25. (Optional.) Add an OUI address for voice packet identification.
    Command: voice-vlan mac-address oui mask oui-mask [ description text ]
    Remarks: By default, system default OUI addresses exist.

26. Enter interface view.
    Command:
      Enter Layer 2 Ethernet interface view: interface interface-type interface-number
      Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
      Enter S-channel interface view: interface s-channel interface-number.channel-id
      Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id
      Enter Layer 2 RPR logical interface view: interface rpr-bridge interface-number
    Remarks: N/A

27. Configure the port to operate in manual voice VLAN assignment mode.
    Command: undo voice-vlan mode auto
    Remarks: By default, a port operates in automatic voice VLAN assignment mode.

28. Set the link type of the port.
    Command:
      Set the port link type to access: port link-type access
      Set the port link type to trunk: port link-type trunk
      Set the port link type to hybrid: port link-type hybrid
    Remarks: By default, each port is an access port.

29. Assign the access, trunk, or hybrid port to the voice VLAN.
    Command:
      For the access port: port access vlan vlan-id
      For the trunk port: port trunk permit vlan { vlan-id-list | all }
      For the hybrid port: port hybrid vlan vlan-id-list { tagged | untagged }
    Remarks: After you assign an access port to the voice VLAN, the voice VLAN becomes the PVID of the port.

30. (Optional.) Configure the voice VLAN as the PVID of the trunk or hybrid port.
    Command:
      For the trunk port: port trunk pvid vlan vlan-id
      For the hybrid port: port hybrid pvid vlan vlan-id
    Remarks: This step is required for untagged incoming voice traffic and prohibited for tagged incoming voice traffic.

31. Enable the voice VLAN feature on the port.
    Command: voice-vlan vlan-id enable
    Remarks: By default, the voice VLAN feature is disabled. Before you execute this command, make sure the specified VLAN already exists.

Enabling LLDP for automatic IP phone discovery

32. Enter system view.
    Command: system-view
    Remarks: N/A

33. Enable LLDP for automatic IP phone discovery.
    Command: voice-vlan track lldp
    Remarks: By default, LLDP for automatic IP phone discovery is disabled.

Configuring LLDP to advertise a voice VLAN

For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones through LLDP-MED TLVs.

To configure LLDP to advertise a voice VLAN:

34. Enter system view.
    Command: system-view
    Remarks: N/A

35. Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

36. Configure an advertised voice VLAN ID.
    Command: lldp tlv-enable med-tlv network-policy vlan-id
    Remarks: By default, no advertised voice VLAN ID is configured.

Configuring CDP to advertise a voice VLAN

If an IP phone supports CDP but does not support LLDP, it sends CDP packets to the device to request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period, it sends out untagged voice packets. These untagged voice packets cannot be differentiated from other types of packets.

You can configure CDP compatibility on the device to enable it to perform the following operations:

Receive and identify CDP packets from the IP phone.

Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.

After receiving the advertised VLAN information, the IP phone starts automatic voice VLAN configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.

To configure CDP to advertise a voice VLAN:

37. Enter system view.
    Command: system-view
    Remarks: N/A

38. Enable CDP compatibility.
    Command: lldp compliance cdp
    Remarks: By default, CDP compatibility is disabled.

39. Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

40. Configure CDP-compatible LLDP to operate in TxRx mode.
    Command: lldp compliance admin-status cdp txrx
    Remarks: By default, CDP-compatible LLDP operates in disable mode.

41. Configure an advertised voice VLAN ID.
    Command: cdp voice-vlan vlan-id
    Remarks: By default, no advertised voice VLAN ID is configured.

Displaying and maintaining voice VLANs

Execute display commands in any view.

Display the voice VLAN state: display voice-vlan state

Display OUI addresses on a device: display voice-vlan mac-address

Command reference

The following commands were added:

display voice-vlan mac-address.

display voice-vlan state.

voice-vlan aging.

voice-vlan enable.

voice-vlan mac-address.

voice-vlan mode auto.

voice-vlan security enable.

voice-vlan track lldp.

For more information about these commands, see H3C MSR Series Routers Layer 2 - LAN Switching Command Reference(V7).
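The following Python model of OUI-based voice packet identification is an added example, not HPE code. It assumes the oui-mask is applied bitwise to the source MAC of a frame, and it uses constructed OUI entries rather than the device's default OUI addresses, which the release notes do not list.

```python
from dataclasses import dataclass
from typing import List, Optional


def parse_mac(text: str) -> int:
    """Parse a MAC address written as H-H-H (the CLI form, e.g. 0605-0403-0201)
    or as colon-separated octets into a 48-bit integer."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer in the H-H-H form used by the CLI."""
    hexstr = f"{value:012x}"
    return "-".join(hexstr[i:i + 4] for i in (0, 4, 8))


@dataclass(frozen=True)
class OuiEntry:
    oui: int            # stored already masked, so equality also deduplicates entries
    mask: int
    description: str = ""

    def matches(self, mac: int) -> bool:
        return (mac & self.mask) == self.oui


class VoiceVlanOuiTable:
    """Models the OUI list maintained by `voice-vlan mac-address oui mask oui-mask
    [ description text ]`.  Entries added here are constructed for the example."""

    def __init__(self) -> None:
        self._entries: List[OuiEntry] = []

    def add(self, oui: str, mask: str, description: str = "") -> OuiEntry:
        mask_int = parse_mac(mask)
        if mask_int == 0:
            raise ValueError("oui-mask cannot be all zeros")
        entry = OuiEntry(parse_mac(oui) & mask_int, mask_int, description)
        if entry not in self._entries:
            self._entries.append(entry)
        return entry

    def remove(self, oui: str, mask: str) -> bool:
        """Equivalent of `undo voice-vlan mac-address oui mask oui-mask`."""
        mask_int = parse_mac(mask)
        target = parse_mac(oui) & mask_int
        before = len(self._entries)
        self._entries = [e for e in self._entries
                         if not (e.oui == target and e.mask == mask_int)]
        return len(self._entries) != before

    def identify(self, src_mac: str) -> Optional[OuiEntry]:
        """Return the OUI entry a frame's source MAC falls under, or None when
        the frame is not identified as voice traffic."""
        mac = parse_mac(src_mac)
        for entry in self._entries:
            if entry.matches(mac):
                return entry
        return None

    def display(self) -> List[str]:
        """Rows in the spirit of `display voice-vlan mac-address` (layout constructed)."""
        return [f"{format_mac(e.oui)} {format_mac(e.mask)} {e.description}".rstrip()
                for e in self._entries]
```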

Modified feature: MPLS QoS support for matching the EXP field

Matching the EXP field in the second MPLS label

In this release, MPLS QoS supports matching the EXP fields in both the topmost (first) MPLS label and the second MPLS label.

Command reference

New command: if-match second-mpls-exp

Use if-match second-mpls-exp to define a criterion to match the EXP field in the second MPLS label.

Use undo if-match second-mpls-exp to delete the match criterion.

Syntax

if-match [ not ] second-mpls-exp exp-value&<1-8>

undo if-match [ not ] second-mpls-exp exp-value&<1-8>

Default

No criterion is defined to match the EXP field in the second MPLS label.

Views

Traffic class view

Predefined user roles

network-admin

Parameters

not: Matches packets not conforming to the specified criterion.

exp-value&<1-8>: Specifies a space-separated list of up to eight EXP values. The value range for the exp-value argument is 0 to 7. If the same MPLS EXP value is specified multiple times, the system considers them as one. If a packet matches one of the defined MPLS EXP values, it matches the if-match clause.

Examples

# Define a criterion to match packets with EXP value 3 or 4 in the second MPLS label.

<Sysname> system-view

[Sysname] traffic classifier database

[Sysname-classifier-database] if-match second-mpls-exp 3 4

Modified feature: MPLS QoS support for marking the EXP field

Marking the EXP field in the second MPLS label

In this release, MPLS QoS supports marking the EXP fields in both the topmost (first) MPLS label and the second MPLS label.

Command reference

New command: remark second-mpls-exp

Use remark second-mpls-exp to configure an EXP value marking action for the second MPLS label in a traffic behavior.

Use undo remark second-mpls-exp to delete the action.

Syntax

remark second-mpls-exp second-mpls-exp-value

undo remark second-mpls-exp second-mpls-exp-value

Default

No EXP value marking action for the second MPLS label is configured in a traffic behavior.

Views

Traffic behavior view

Predefined user roles

network-admin

Parameters

second-mpls-exp-value: Specifies an EXP value for the second MPLS label, in the range of 0 to 7.

Examples

# Define a traffic behavior to mark packets with EXP value 3 for the second MPLS label.

<Sysname> system-view

[Sysname] traffic behavior b1

[Sysname-behavior-b1] remark second-mpls-exp 3
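The following Python example, added here and not HPE code, applies both the if-match second-mpls-exp criterion and the remark second-mpls-exp action to a constructed two-label packet: it parses the label stack, evaluates the match against a value list, and rewrites only the EXP bits of the second label. Its handling of packets with a single label is an assumption of the example.

```python
import struct
from typing import Iterable, List, Tuple


def parse_label_stack(packet: bytes) -> Tuple[List[dict], int]:
    """Parse MPLS label stack entries (RFC 3032: 20-bit label, 3-bit EXP,
    1-bit bottom of stack, 8-bit TTL) from the start of `packet`.
    Returns the entries, topmost first, and the offset of the payload."""
    entries: List[dict] = []
    offset = 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated MPLS label stack")
        (word,) = struct.unpack("!I", packet[offset:offset + 4])
        entries.append({"label": word >> 12, "exp": (word >> 9) & 0x7,
                        "bos": (word >> 8) & 0x1, "ttl": word & 0xFF})
        offset += 4
        if entries[-1]["bos"]:
            return entries, offset


def build_label_stack(entries: Iterable[dict]) -> bytes:
    """Serialize label stack entries; the bottom-of-stack bit is set on the last one."""
    entries = list(entries)
    out = bytearray()
    for index, entry in enumerate(entries):
        bos = 1 if index == len(entries) - 1 else 0
        word = (entry["label"] << 12) | (entry["exp"] << 9) | (bos << 8) | entry["ttl"]
        out += struct.pack("!I", word)
    return bytes(out)


def match_second_mpls_exp(packet: bytes, exp_values: Iterable[int], negate: bool = False) -> bool:
    """`if-match [ not ] second-mpls-exp exp-value&<1-8>`: the packet matches when
    the EXP of its second label is one of the listed values (duplicates count
    once); `not` inverts the result.  Assumption of this example: a packet
    with a single label never satisfies the positive criterion."""
    values = set(exp_values)
    if not values or len(values) > 8 or any(not 0 <= v <= 7 for v in values):
        raise ValueError("exp-value list must hold 1 to 8 values in the range 0 to 7")
    entries, _ = parse_label_stack(packet)
    matched = len(entries) >= 2 and entries[1]["exp"] in values
    return (not matched) if negate else matched


def remark_second_mpls_exp(packet: bytes, exp_value: int) -> bytes:
    """`remark second-mpls-exp second-mpls-exp-value`: rewrite only the EXP bits
    of the second label and leave label values, TTLs and payload untouched.
    A packet without a second label is returned unchanged (example's choice)."""
    if not 0 <= exp_value <= 7:
        raise ValueError("second-mpls-exp-value must be in the range 0 to 7")
    entries, payload_offset = parse_label_stack(packet)
    if len(entries) < 2:
        return packet
    entries[1]["exp"] = exp_value
    return build_label_stack(entries) + packet[payload_offset:]


# Constructed sample: EXP 5 in the topmost label and EXP 3 in the second label,
# followed by a dummy payload.
SAMPLE_PACKET = build_label_stack([
    {"label": 16, "exp": 5, "ttl": 64},
    {"label": 1001, "exp": 3, "ttl": 64},
]) + b"payload"
```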

Modified feature: Automatic configuration

Feature change description

In this release, you can set the maximum retry attempts for automatic configuration. The device will retry obtaining the settings until the retry attempts reach the limit. If you set the maximum retry attempts to 0, the device does not perform a retry when encountering an automatic configuration failure.

Removed feature: Tinyproxy

Feature change description

Support for the tinyproxy feature was removed.

Removed command

http-proxy

Syntax

http-proxy

undo http-proxy

Views

System view

Release 0306P07

This release has the following changes:

New feature: L2TP-based EAD

New feature: CFD configuration

Modified feature: Support using dots in user profile name

Modified feature: Default size of the TCP receive and send buffer

Modified feature: Support for obtaining fan tray and power module vendor information through MIB

Modified feature: Supporting per-packet load sharing

Modified feature: Automatic configuration

Modified feature: Software image signature

New feature: L2TP-based EAD

Enabling L2TP-based EAD

EAD authenticates PPP users that pass the access authentication. PPP users that pass EAD authentication can access network resources. PPP users that fail EAD authentication can only access the resources in the quarantine areas.

EAD uses the following procedure:

1. The iNode client uses L2TP to access the LNS. After the client passes the PPP authentication, the CAMS/IMC server assigns isolation ACLs to the LNS. The LNS uses the isolation ACLs to filter incoming packets.

2. After the IPCP negotiation, the LNS sends the IP address of the CAMS/IMC server to the iNode client. The server IP address is permitted by the isolation ACLs.

3. The CAMS/IMC server authenticates the iNode client and performs a security check on the iNode client. If the iNode client passes the security check, the CAMS/IMC server assigns security ACLs for the iNode client to the LNS. The iNode client can then access network resources.

To enable L2TP-based EAD:

42. Enter system view.
    Command: system-view
    Remarks: N/A

43. Create a VT interface and enter its view.
    Command: interface virtual-template virtual-template-number
    Remarks: N/A

44. Enable L2TP-based EAD.
    Command: ppp access-control enable
    Remarks: By default, L2TP-based EAD is disabled.

Command reference

ppp access-control enable

Use ppp access-control enable to enable L2TP-based EAD.

Use undo ppp access-control enable to disable L2TP-based EAD.

Syntax

ppp access-control enable

undo ppp access-control enable

Default

L2TP-based EAD is disabled.

Views

VT interface view

Predefined user roles

network-admin

Usage guidelines

This command does not apply to VA interfaces that already exist on the VT interface. It applies only to newly created VA interfaces.

Different ACLs are required for different users if the VT interface is used as the access interface for the LNS.

After L2TP-based EAD is enabled, the LNS transparently passes CAMS/IMC packets to the iNode client to inform the client of EAD server information, such as the IP address.

Examples

# Enable L2TP-based EAD.

<Sysname> system-view

[Sysname] interface virtual-template 10

[Sysname-Virtual-Template10] ppp access-control enable

display ppp access-control interface

Use display ppp access-control interface to display access control information for VA interfaces on a VT interface.

Syntax

display ppp access-control interface { interface-type interface-number | interface-name }


Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface-type interface-number: Specifies an interface by its type and number.

interface-name: Specifies an interface by its name.

Examples

# Display access control information for VA interfaces on VT interface 2.

<Sysname> display ppp access-control interface virtual-template 2

Interface: Virtual-Template2:0

User Name: mike

In-bound Policy: acl 3000

Totally 0 packets, 0 bytes, 0% permitted,

Totally 0 packets, 0 bytes, 0% denied.

Interface: Virtual-Template2:1

User Name: tim

In-bound Policy: acl 3001

Totally 0 packets, 0 bytes, 0% permitted,

Totally 0 packets, 0 bytes, 0% denied.

Table 1 Command output

Interface: VA interface that the PPP user accesses.

User Name: Username of the PPP user.

In-bound Policy: Security ACLs for the PPP user.

Totally x packets, x bytes, x% permitted: Total number, data rate, and pass percentage of permitted packets.

Totally x packets, x bytes, x% denied: Total number, data rate, and reject percentage of denied packets.

New feature: CFD configuration

Configuring CFD

Configuring a two-way DM continuity test.

Setting the delay thresholds in a two-way DM continuity test.


Configuring a one-way packet loss continuity test.

Setting the packet loss ratio thresholds in a one-way packet loss continuity test.

Setting the time that a blocked port must wait before it comes up in a one-way packet loss continuity test.

Configuring a bit error continuity test.

Setting the error packet ratio thresholds in a bit error continuity test.

Displaying two-way DM continuity test results.

Displaying one-way packet loss continuity test results.

Setting the test mode and action for triggering port association.

Displaying bit error test results.

Command reference

cfd dm two-way continual

cfd dm two-way threshold

cfd slm continual

cfd slm threshold

cfd slm port-trigger up-delay

cfd tst continual

cfd tst threshold

display cfd dm two-way history

display cfd slm history

cfd port-trigger

display cfd tst history

See HPE FlexNetwork MSR Router Series Command References(V7).

Modified feature: Support using dots in user profile name

Feature change description

In this release, the user profile name supports using dots (.).


Command changes

Modified command: user-profile

Syntax

user-profile profile-name

undo user-profile profile-name

Views

System view

Change description

Before modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_), and the name must start with an English letter.

After modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid characters are letters, digits, underscores (_), and dots (.), and the name must start with an English letter.

Modified feature: Default size of the TCP receive and send buffer

Feature change description

The default value for the TCP receive and send buffer size was changed to 63 KB.

To set the TCP buffer size:

45. Enter system view.
    Command: system-view
    Remarks: N/A

46. Set the TCP receive and send buffer size.
    Command: tcp window window-size
    Remarks: By default, the TCP receive and send buffer size is 63 KB.

Command changes

Modified command: tcp window

Syntax

tcp window window-size

undo tcp window


Views

System view

Change description

Before modification: The default value for the window-size argument was 64 KB.

After modification: The default value for the window-size argument is 63 KB.

Modified feature: Support for obtaining fan tray and power module vendor information through MIB

Feature change description

In this release, the device supports obtaining fan tray and power module vendor information through MIB.

Command changes

None

Modified feature: Supporting per-packet load sharing

Feature change description

The per-packet keyword was added to the ip load-sharing mode command to support per-packet load sharing.

Command changes

Modified command: ip load-sharing mode

Old syntax

Centralized devices:

ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ]

Centralized IRF devices and distributed devices in standalone mode:

ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] [ slot slot-number ]

Distributed devices in IRF mode:

ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] [ chassis chassis-number slot slot-number ]

New syntax

Centralized devices:

ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }

Centralized IRF devices and distributed devices in standalone mode:

ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }

Distributed devices in IRF mode:

ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }

Views

System view

Change description

The per-packet keyword was added to the ip load-sharing mode command to support per-packet load sharing.

Modified feature: Automatic configuration

Feature change description

A limit was added to the number of automatic configuration attempts. If the device fails to be automatically configured within the limit, the device quits the automatic configuration process.

Command changes

None

Modified feature: Software image signature

Feature change description

A field was added to output from a set of display commands to display software image signature information.


Command changes

Modified command: display install active

Syntax

Centralized devices:

display install active [ verbose ]

Centralized IRF devices and distributed devices in standalone mode:

display install active [ slot slot-number ] [ verbose ]

Distributed devices in IRF mode:

display install active [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Change description

The Software image signature field was added to display software image signature information.

Table 2 Command output

Field: Software image signature

Description: Signature for the software image:

HP: For software images of the HP version.

HP-US: For software images of the HP US version.

HPE: For software images of the HPE version.

Modified command: display install backup

Syntax

Centralized devices:

display install backup [ verbose ]

Centralized IRF devices and distributed devices in standalone mode:

display install backup [ slot slot-number ] [ verbose ]

Distributed devices in IRF mode:

display install backup [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Change description

The Software image signature field was added to display software image signature information.

Table 3 Command output

Field: Software image signature

Description: Signature for the software image:

HP: For software images of the HP version.

HP-US: For software images of the HP US version.

HPE: For software images of the HPE version.

Modified command: display install committed

Syntax

Centralized devices:

display install committed [ verbose ]

Centralized IRF devices and distributed devices in standalone mode:

display install committed [ slot slot-number ] [ verbose ]

Distributed devices in IRF mode:

display install committed [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Change description

The Software image signature field was added to display software image signature information.

Table 4 Command output

Field: Software image signature

Description: Signature for the software image:

HP: For software images of the HP version.

HP-US: For software images of the HP US version.

HPE: For software images of the HPE version.

Modified command: display install inactive

Syntax

Centralized devices:

display install inactive [ verbose ]

Centralized IRF devices and distributed devices in standalone mode:

display install inactive [ slot slot-number ] [ verbose ]

Distributed devices in IRF mode:

display install inactive [ chassis chassis-number slot slot-number ] [ verbose ]

Views

Any view

Change description

The Software image signature field was added to display software image signature information.

Table 5 Command output

Field: Software image signature

Description: Signature for the software image:

HP: For software images of the HP version.

HP-US: For software images of the HP US version.

HPE: For software images of the HPE version.

Modified command: display install ipe-info

Syntax

display install ipe-info ipe-filename

Views

Any view

Change description

The Software image signature field was added to display software image signature information.

Table 6 Command output

Field: Software image signature

Description: Signature for the software image:

HP: For software images of the HP version.

HP-US: For software images of the HP US version.

HPE: For software images of the HPE version.

Modified command: display install package

Syntax

display install package { filename | all } [ verbose ]

Views

Any view

Change description

The Software image signature field was added to display software image signature information.

Table 7 Command output

Field: Software image signature

Description: Signature for the software image:

HP: For software images of the HP version.

HP-US: For software images of the HP US version.

HPE: For software images of the HPE version.

Modified command: display install which

Syntax

Centralized devices:

display install which { component name | file filename }

Centralized IRF devices and distributed devices in standalone mode:

display install which { component name | file filename } [ slot slot-number ]

Distributed devices in IRF mode:

display install which { component name | file filename } [ chassis chassis-number slot slot-number ]

Views

Any view

Change description

The Software image signature field was added to display software image signature information.

Table 8 Command output

Field: Software image signature

Description: Signature for the software image:

HP: For software images of the HP version.

HP-US: For software images of the HP US version.

HPE: For software images of the HPE version.

Release 0305P08

This release has the following changes:

New feature: mGRE

New feature: Disabling transceiver module alarm


Modified feature: Default user role

Modified feature: Debugging

New feature: mGRE

Overview

Multipoint Generic Routing Encapsulation (mGRE) is a dynamic VPN technology that uses the Next Hop Resolution Protocol (NHRP).

Traditional GRE tunnels for a VPN are static and require manual configuration and maintenance, resulting in poor extensibility. If the branches of an enterprise access the public network by using dynamic IP addresses, it is difficult to set up GRE tunnels between the branches. mGRE can dynamically establish tunnels for the branches, because NHRP can map the private IP address of a branch to its public IP address.

mGRE operation scheme

An mGRE network uses the client/server model. It has the following types of nodes:

NHS: NHRP server, the hub device in the mGRE network. The NHS is the routing information exchange center. It is also the data forwarding center in an NHS-NHC network.

NHC: NHRP client, a spoke device in the mGRE network. Typically, it is the gateway of a branch network. An NHC does not forward data received from other mGRE nodes. mGRE obtains the dynamic public addresses of NHCs through their private addresses to establish mGRE tunnels and forward packets. The public address is the IP address of the interface connected to the Internet. The private address is the IP address of the mGRE tunnel interface.

An NHC registers its public and private addresses with the NHS and it registers its public address whenever the public address changes. An NHC obtains the current public address of a peer NHC from the NHS through NHRP, so the two NHCs can establish an mGRE tunnel over the Internet.

mGRE operation procedure

The mGRE operation includes the following phases:

Registration.

Tunnel establishment.

Route learning and packet forwarding.

Registration

As shown in Figure 10, the registration process is as follows:

1. The NHC sends a registration request to the NHS.

2. After the NHS receives the request, it performs the NHRP packet authentication key and GRE key matching. If both keys match, registration succeeds. The NHS sends a registration success message to the NHC.

Figure 10 Registration process (between NHC and NHS: 1) registration request, 2) registration acknowledgment)

Tunnel establishment

mGRE networks support the following types of networking:

Full-mesh network: NHCs can establish tunnels between each other for direct communication. The NHS acts as the routing information exchange center.

Figure 11 Full-mesh network (NHS, NHC 1 at Site 1, and NHC 2 at Site 2 over the public network; NHS-NHC tunnels from each NHC to the NHS, and an NHC-NHC tunnel carrying data directly between the sites)

NHS-NHC network: NHCs cannot establish tunnels between each other. Instead, they establish tunnels with the NHS. The NHS forwards data for the NHCs. The NHS acts as both the routing information exchange center and the data forwarding center.

Figure 12 NHS-NHC network (NHS, NHC 1 at Site 1, and NHC 2 at Site 2 over the public network; data between the sites flows through the NHS over the NHS-NHC tunnels)

An mGRE tunnel is established as follows:

NHC-NHS tunnel establishment process:

An NHC-NHS tunnel is established in the registration process. During registration, the NHC-NHS tunnel is in initialization state. After registration succeeds, the NHC-NHS tunnel is in success state.

An NHC-NHS tunnel is permanent. An NHC can establish permanent tunnels to any number of NHSs.

NHC-NHC tunnel establishment process:

a. In a full-mesh network, when an NHC receives a data packet but finds no tunnel for forwarding the packet, the NHC (initiator) sends an address resolution request to the NHS.

b. After receiving the request, the NHS looks up the local NHRP mapping table to find the peer NHC (responder) and forwards the request to the peer NHC.

c. After receiving the request, the peer NHC creates a temporary tunnel and sends an address resolution response to the initiator.

An NHC-NHC tunnel is dynamic. If no data is exchanged within the NHC-NHC tunnel idle timeout, the tunnel is deleted.

Route learning and packet forwarding

mGRE nodes learn private routes by using dynamic routing protocols.

Dynamic routing must be configured for all private networks and mGRE tunnel interfaces to ensure IP connectivity among the private networks. From the perspective of private networks, an mGRE tunnel is a link that connects different private networks. A dynamic routing protocol discovers neighbors and updates routes over mGRE tunnels, and establishes a routing table.


When an NHC receives a packet destined for a remote private network, it performs the following operations:

1. Searches the routing table for the next hop address to the target private network.

2. Looks up the local NHRP mapping table to obtain the public address that corresponds to the next hop address.

3. Uses the public address as the tunnel destination address to encapsulate the packet.

4. Sends the encapsulated packet to the peer NHC over the mGRE tunnel.
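The NHC-NHC tunnel establishment process and the four forwarding steps above, modelled together as an added example (not HPE code): an NHC holding a routing table and an NHRP mapping table, a stand-in NHS that answers address resolution requests, a full-mesh and an NHS-NHC variant, and idle-timeout deletion of dynamic entries. All addresses, the routing entries and the idle timeout value are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class NhrpEntry:
    nbma: str      # peer public (NBMA) address
    kind: str      # "static" for the configured NHS, "cached" for a resolved NHC
    idle: int = 0  # seconds since the entry last forwarded a packet


class Nhs:
    """Stand-in for the NHS (this device can only be an NHC): answers address
    resolution requests from a constructed registration table."""

    def __init__(self, registrations: Dict[str, str]):
        self.registrations = registrations  # private address -> public address

    def resolve(self, private: str) -> Optional[str]:
        return self.registrations.get(private)


class Nhc:
    def __init__(self, mode: str, routes: List[Tuple[str, str]], nhs_private: str,
                 nhs_public: str, nhs: Nhs, idle_timeout: int = 120):
        if mode not in ("full-mesh", "nhs-nhc"):
            raise ValueError(mode)
        self.mode = mode
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.nhs = nhs
        # The permanent NHC-NHS tunnel from registration is a static mapping entry.
        self.nhrp_map: Dict[str, NhrpEntry] = {nhs_private: NhrpEntry(nhs_public, "static")}
        self.idle_timeout = idle_timeout  # constructed value; the text names no default
        self.resolution_requests: List[str] = []

    def next_hop(self, dst: str) -> Optional[str]:
        """Step 1: longest-prefix match in the routing table."""
        d = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if d in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, dst: str) -> Optional[dict]:
        nh = self.next_hop(dst)
        if nh is None:
            return None  # no route: packet dropped
        entry = self.nhrp_map.get(nh)  # Step 2: NHRP mapping lookup
        if entry is None:
            # No tunnel for this next hop. Only a full-mesh NHC resolves a peer NHC
            # through the NHS; in an NHS-NHC network there are no NHC-NHC tunnels.
            if self.mode != "full-mesh":
                return None
            self.resolution_requests.append(nh)  # address resolution request to the NHS
            public = self.nhs.resolve(nh)
            if public is None:
                return None
            entry = self.nhrp_map[nh] = NhrpEntry(public, "cached")  # dynamic NHC-NHC tunnel
        entry.idle = 0
        # Steps 3 and 4: the public address becomes the tunnel destination address.
        return {"next_hop": nh, "tunnel_dst": entry.nbma, "type": entry.kind}

    def tick(self, seconds: int) -> List[str]:
        """Age dynamic entries; delete those idle past the timeout (the static NHS entry stays)."""
        expired = []
        for nh, e in list(self.nhrp_map.items()):
            if e.kind == "cached":
                e.idle += seconds
                if e.idle >= self.idle_timeout:
                    expired.append(nh)
                    del self.nhrp_map[nh]
        return expired


def demo_full_mesh() -> Nhc:
    """Constructed topology: NHS 172.16.1.254 (public 105.112.100.1); peer NHCs
    172.16.1.1 and 172.16.1.2 registered with the NHS."""
    nhs = Nhs({"172.16.1.1": "105.112.100.4", "172.16.1.2": "105.112.100.92"})
    routes = [("10.2.0.0/16", "172.16.1.2"), ("10.0.0.0/8", "172.16.1.254")]
    return Nhc("full-mesh", routes, "172.16.1.254", "105.112.100.1", nhs)
```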

mGRE support for NAT traversal

An NHC-NHC tunnel can traverse a NAT gateway. The tunnel can be established when the tunnel initiator, receiver, or both ends reside behind the NAT gateway.

mGRE configuration task list

To set up an mGRE network, first configure the NHSs and then the NHCs.

IMPORTANT:

The device can act only as an NHC. It cannot act as an NHS.

To configure mGRE on an NHC:

Tasks at a glance

(Required.) Configuring an mGRE tunnel

(Required.) Configuring routing

(Optional.) Configuring IPsec for an mGRE tunnel

Configuring an mGRE tunnel

The public address of an NHC can be statically configured or dynamically assigned. The private address of an NHC must be statically configured.

For more information about tunnel interfaces, see tunneling configuration in Layer 3—IP Services Configuration Guide. For more information about the interface tunnel, source, and tunnel dfbit enable commands and other commands for a tunnel interface, see tunneling commands in Layer 3—IP Services Command Reference.

To configure an mGRE tunnel:


Step 47. Enter system view.
Command: system-view
Remarks: N/A

Step 48. Create an mGRE tunnel interface and enter tunnel interface view.
Command: interface tunnel number mode mgre
Remarks: By default, no tunnel interfaces exist.

Step 49. Configure a private address for the tunnel interface.
Command: ip address ip-address { mask | mask-length } [ sub ]
Remarks: By default, no private address is configured for a tunnel interface.

Step 50. Configure a source address or source interface for the tunnel interface.
Command: source { ip-address | interface-type interface-number }
Remarks: By default, no source address or source interface is configured for a tunnel interface. If you specify a source address, it is used as the source IP address of tunneled packets. If you specify a source interface, the primary IP address of this interface is used as the source IP address of tunneled packets.

Step 51. Configure an NHRP packet authentication key.
Command: nhrp authentication [ cipher | simple ] string
Remarks: By default, no NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets received from each other.

Step 52. Configure an NHRP network ID for the mGRE tunnel.
Command: nhrp network-id number
Remarks: By default, an mGRE tunnel does not have an NHRP network ID.

Step 53. Configure the holdtime for NHRP mapping entries.
Command: nhrp holdtime seconds
Remarks: By default, the holdtime of NHRP mapping entries is 7200 seconds.

Step 54. Configure an NHS private-to-public address mapping.
Command: nhrp nhs nhs-address nbma nbma-address
Remarks: By default, no NHS private-to-public address mappings are configured.

Step 55. (Optional.) Configure a GRE key for the tunnel interface.
Command: gre key key
Remarks: By default, no GRE key is configured for an mGRE tunnel interface. You must configure the same GRE key or configure no key on both ends of a tunnel. On the device, you must configure different GRE keys for mGRE tunnel interfaces that have the same source address or source interface. For more information about the GRE key, see GRE in Layer 3—IP Services Configuration Guide.

Step 56. (Optional.) Set the DF bit for tunneled packets.
Command: tunnel dfbit enable
Remarks: By default, the DF bit is not set. Tunneled packets can be fragmented for forwarding.

Configuring routing

mGRE clients support the dynamic routing protocols OSPF, RIP, and BGP.

When you configure routing for an mGRE client, follow these restrictions and guidelines:


When OSPF is used, specify the OSPF interface network type as broadcast in a full-mesh network and as p2mp in an NHS-NHC network.

Full-mesh networks do not support RIP. NHS-NHC networks must use the RIP-2 multicast mode and disable the split horizon feature on NHS nodes.

When BGP is used, configure routing policies to ensure the following:

In a full-mesh network, ensure that the local NHC learns a route to the remote private network, and that the route's next hop address is the address of the remote NHC.

In an NHS-NHC network, ensure that the local NHC learns a route to the remote private network, and that the route's next hop address is the address of the NHS.

For more information about OSPF, RIP, BGP, and routing policy configuration, see Layer 3—IP Routing Configuration Guide.

Configuring IPsec for an mGRE tunnel

The device supports protecting mGRE tunnel data and control packets by using IPsec profiles.

To configure IPsec for an mGRE tunnel:

1. Configure an IPsec transform set to specify the security protocol, authentication and encryption algorithms, and encapsulation type.

2. Configure an IKE-based IPsec profile.

3. Apply the IKE-based IPsec profile to the mGRE tunnel interface.

For more information about IPsec configuration, see "Configuring IPsec."

Displaying and maintaining mGRE

Execute display commands in any view and reset commands in user view.

Task: Display information about NHRP mapping entries.
Command: display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Task: Display NHRP packet statistics for tunnel interfaces.
Command: display nhrp statistics [ interface tunnel interface-number ]

Task: Display mGRE session information.
Command: display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Task: Clear NHRP packet statistics for tunnel interfaces.
Command: reset nhrp statistics [ interface tunnel interface-number ]

Task: Reset mGRE sessions.
Command: reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]

Task: Clear mGRE session statistics.
Command: reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]


Command reference

New command: display mgre session

Use display mgre session to display mGRE session information.

Syntax

display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin network-operator

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command displays mGRE session information for all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command displays all mGRE session information for the specified mGRE tunnel interface.

verbose: Displays detailed information about IPv4 mGRE sessions. If you do not specify this keyword, the command displays brief information about mGRE sessions.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all mGRE sessions on all tunnel interfaces.

Examples

# Display brief information about all mGRE sessions.

<Sysname> display mgre session

Interface : Tunnel1

Number of sessions: 2

Peer NBMA address Peer protocol address Type State State duration

10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01

10.0.1.4 192.168.180.137 C-C Establishing 00:30:02

# Display brief information about mGRE sessions on the specified tunnel interface.

<Sysname> display mgre session interface tunnel 1

Interface : Tunnel1

Number of sessions: 2

Peer NBMA address Peer protocol address Type State State duration

10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01

10.0.1.4 192.168.180.137 C-C Establishing 00:30:02


# Display brief information about the mGRE session with the specified peer address.

<Sysname> display mgre session interface tunnel 1 peer 10.0.0.3

Interface : Tunnel1

Number of sessions: 1

Peer NBMA address Peer protocol address Type State State duration

10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01

Table 26 Command output

Interface: Name of the mGRE tunnel interface.

Number of sessions: Total number of mGRE sessions on the tunnel interface.

Peer NBMA address: Public address of the peer.

Peer protocol address: IP address of the peer tunnel interface.

Type: mGRE session type:
C-S—The local end is an NHC, and the peer end is the NHS.
C-C—The local end is an NHC, and the peer end is an NHC.
UNKNOWN—The local end is an NHC, and the peer end type is unknown.

State: mGRE session state: Succeeded or Establishing.

State duration: Duration of the current session state, in the format of hh:mm:ss.
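A parser for the brief display mgre session output documented above, with a check for sessions that have not left the Establishing state; this is an added example, not HPE code. The alert threshold is an assumed value, and the only input is the page's own sample output pasted in as test data.

```python
import re
from dataclasses import dataclass
from typing import List

# The page's sample output, used here as test input.
SAMPLE_OUTPUT = """\
Interface : Tunnel1
Number of sessions: 2
Peer NBMA address Peer protocol address Type State State duration
10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01
10.0.1.4 192.168.180.137 C-C Establishing 00:30:02
"""


@dataclass
class Session:
    interface: str
    peer_nbma: str      # peer public address
    peer_protocol: str  # peer tunnel interface address
    kind: str           # C-S, C-C or UNKNOWN
    state: str          # Succeeded or Establishing
    duration_s: int     # "State duration" hh:mm:ss converted to seconds


# One data row of the brief table. The header row does not match because the
# Type and State columns are constrained to their documented values.
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(C-S|C-C|UNKNOWN)\s+(Succeeded|Establishing)\s+(\d+):(\d\d):(\d\d)$"
)


def parse_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    interface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface"):
            interface = line.split(":", 1)[1].strip()  # start of a per-interface block
            continue
        m = ROW.match(line)
        if m and interface is not None:
            h, mi, s = (int(x) for x in m.group(5, 6, 7))
            sessions.append(Session(interface, m.group(1), m.group(2),
                                    m.group(3), m.group(4), h * 3600 + mi * 60 + s))
    return sessions


def stuck_sessions(sessions: List[Session], threshold_s: int = 300) -> List[Session]:
    """Sessions still Establishing after the threshold (an assumed value).

    A C-S session that never reaches Succeeded means registration with the NHS is
    failing, which the registration description above ties to the NHRP
    authentication key or GRE key not matching; a C-C session stuck here means
    address resolution or the dynamic tunnel is not completing."""
    return [s for s in sessions if s.state == "Establishing" and s.duration_s >= threshold_s]


def check_counts(text: str, sessions: List[Session]) -> bool:
    """Cross-check each 'Number of sessions' value against the rows parsed under it."""
    declared = [int(m.group(1)) for m in re.finditer(r"Number of sessions:\s*(\d+)", text)]
    interfaces = [line.split(":", 1)[1].strip() for line in text.splitlines()
                  if line.strip().startswith("Interface")]
    parsed = [sum(1 for s in sessions if s.interface == i) for i in interfaces]
    return declared == parsed
```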

# Display detailed information about all IPv4 mGRE sessions.

<Sysname> display mgre session verbose

Interface : Tunnel1

Link protocol : GRE

Number of sessions: 2

Peer NBMA address : 10.0.1.3

Peer protocol address: 192.168.180.136

Session type : C-S

State : Succeeded

State duration : 00:30:01

Input : 2201 packets, 218 data packets, 3 control packets

2191 multicasts, 0 errors

Output: 2169 packets, 2168 data packets, 1 control packets

2163 multicasts, 0 errors

Peer NBMA address : 10.0.1.4

Peer protocol address: 192.168.180.137

Session type : C-S

State : Succeeded

State duration : 00:31:01

Input : 1 packets, 0 data packets, 1 control packets


0 multicasts, 0 errors

Output: 16 packets, 0 data packets, 16 control packets

0 multicasts, 0 errors

Interface : Tunnel2

Link protocol : IPsec-GRE

SA's SPI :

Inbound : 187199087 (0xb286e6f) [ESP]

Outbound: 3562274487 (0xd453feb7) [ESP]

Number of sessions: 1

Peer NBMA address : 20.0.0.3

Peer protocol address: 192.168.181.137

Behind NAT : No

Session type : C-C

SA's SPI :

Inbound : 187199087 (0xb286e6f) [ESP]

Outbound: 3562274487 (0xd453feb7) [ESP]

State : Establishing

State duration : 00:31:01

Input : 0 packets, 0 data packets, 0 control packets

0 multicasts, 0 errors

Output: 1 packets, 0 data packets, 1 control packets

0 multicasts, 0 errors

# Display detailed information about IPv4 mGRE sessions on interface Tunnel1.

<Sysname> display mgre session interface tunnel 1 verbose

Interface : Tunnel1

Link protocol : GRE

Number of sessions: 1

Peer NBMA address : 20.0.0.3

Peer protocol address: 192.168.181.137

Behind NAT : No

Session type : C-C

State : Succeeded

State duration : 00:31:01

Input : 0 packets, 0 data packets, 0 control packets

0 multicasts, 0 errors

Output: 1 packets, 0 data packets, 1 control packets

0 multicasts, 0 errors

# Display detailed information about the mGRE session with the peer public address 202.12.12.12.

<Sysname> display mgre session peer 202.12.12.12 verbose

Interface : Tunnel1

Link protocol : GRE

Number of sessions: 1

Peer NBMA address : 202.12.12.12

Peer protocol address: 192.168.180.136

Session type : C-S

State : Succeeded


State duration : 00:30:01

Input : 2201 packets, 218 data packets, 3 control packets

2191 multicasts, 0 errors

Output: 2169 packets, 2168 data packets, 1 control packets

2163 multicasts, 0 errors

Table 27 Command output

Interface: Name of the mGRE tunnel interface.

Link protocol: Encapsulation protocol used by the mGRE tunnel: GRE or IPsec-GRE.

Number of sessions: Total number of mGRE sessions on the tunnel interface.

Peer NBMA address: Public address of the peer.

Peer protocol address: IP address of the peer tunnel interface.

SA's SPI: SPI of the inbound and outbound SAs. This field is available when the mGRE tunnel is carried over IPsec.

Behind NAT: Whether the peer NHC has traversed a NAT device.

Session type: mGRE session type:
C-S—The local end is an NHC, and the peer end is the NHS.
C-C—The local end is an NHC, and the peer end is an NHC.

State: mGRE session state: Succeeded or Establishing.

State duration: Duration of the current session state, in the format of hh:mm:ss.

Input: Statistics on received packets:
packets—Total number of packets.
data packets—Number of data packets.
control packets—Number of control packets.
multicasts—Number of multicast packets.
errors—Number of error packets.

Output: Statistics on sent packets:
packets—Total number of packets.
data packets—Number of data packets.
control packets—Number of control packets.
multicasts—Number of multicast packets.
errors—Number of error packets.

New command: display nhrp map

Use display nhrp map to display information about NHRP mapping entries.


Syntax

display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin network-operator

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command displays NHRP mapping table information for all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command displays NHRP mapping entries for all peers.

verbose: Displays detailed information about NHRP mapping entries. If you do not specify this keyword, the command displays brief information about NHRP mapping entries.

Usage guidelines

If you do not specify any parameters, this command displays brief information about all NHRP mapping entries.

Examples

# Display brief information about all NHRP mapping entries.

<Sysname> display nhrp map

Destination/mask Next hop NBMA address Type Interface

172.16.1.1/32 172.16.1.1 105.112.100.4 cached Tunnel0

172.16.1.2/32 172.16.1.2 105.112.100.92 cached Tunnel0

# Display detailed information about all NHRP mapping entries.

<Sysname> display nhrp map verbose

Interface : Tunnel0

Destination/mask : 172.16.1.1/32

Next hop : 172.16.1.1

Creation time : 00:38:44

Expiration time : 01:21:15

Type : cached

Flags : unique, up, used

NBMA address : 105.112.100.4

Interface : Tunnel0

Destination/mask : 172.16.1.2/32

Next hop : 172.16.1.2

Creation time : 00:25:53

Expiration time : 01:34:06


Type : cached

Flags : unique, up, used, ipsec

NBMA address : 105.112.100.92

Table 28 Command output

Destination/mask: Destination tunnel interface address and mask of the mapping entry.

Next hop: Next hop address to reach the destination network.

Creation time: Period of time for which the mapping entry has been created.

Expiration time: Period of time in which the mapping entry will expire.

Type: Mapping entry type:
static—The entry is statically configured.
cached—The entry is dynamically obtained.
Incomplete—The entry is dynamic and incomplete.

Flags: Mapping entry flags:
unique—The mapping entry in the registration request cannot be overwritten by a mapping entry that has the same protocol address and different public addresses. A client can register the new entry with the server only after the mapping entry on the server expires.
used—This mapping entry is used for packet forwarding.
up—Packets can be forwarded.
ipsec—IPsec negotiation succeeded. Packets will be protected by IPsec.
init—Initialization state.

New command: display nhrp statistics

Use display nhrp statistics to display NHRP packet statistics for a tunnel interface.

Syntax

display nhrp statistics [ interface tunnel interface-number ]

Views

Any view

Predefined user roles

network-admin network-operator

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command displays NHRP packet statistics for all tunnel interfaces.


Examples

# Display NHRP packet statistics.

<Sysname> display nhrp statistics

Tunnel0:

NHRP packets sent : 815

Resolution requests : 15

Resolution replies : 1

Registration requests : 0

Registration replies : 797

Purge requests : 2

Purge replies : 0

Error indications : 0

Traffic indications : 0

NHRP packets received : 1453

Resolution requests : 15

Resolution replies : 1

Registration requests : 1435

Registration replies : 2

Purge requests : 0

Purge replies : 0

Error indications : 0

Traffic indications : 0

Tunnel1:

NHRP packets sent : 3

Resolution Requests : 0

Resolution replies : 0

Registration requests : 0

Registration replies : 3

Purge requests : 0

Purge replies : 0

Error indications : 0

Traffic indications : 0

NHRP packets received : 3

Resolution requests : 0

Resolution replies : 0

Registration requests : 3

Registration replies : 0

Purge requests : 0

Purge replies : 0

Error indications : 0

Traffic indications : 0

# Display NHRP packet statistics for the specified tunnel interface.

<Sysname> display nhrp statistics interface tunnel 0

Tunnel0:


NHRP packets sent : 815

Resolution requests : 15

Resolution replies : 1

Registration requests : 0

Registration replies : 797

Purge requests : 2

Purge replies : 0

Error indications : 0

Traffic indications : 0

NHRP packets received : 1453

Resolution requests : 15

Resolution replies : 1

Registration requests : 1435

Registration replies : 2

Purge requests : 0

Purge replies : 0

Error indications : 0

Traffic indications : 0

New command: nhrp authentication

Use nhrp authentication to configure an NHRP packet authentication key.

Use undo nhrp authentication to restore the default.

Syntax

nhrp authentication { cipher | simple } string

undo nhrp authentication

Default

No NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets received from each other.

Views

mGRE tunnel interface view

Predefined user roles

network-admin

Parameters

cipher: Specifies an authentication key in encrypted form.

simple: Specifies an authentication key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key string. Its plaintext form is a case-sensitive string of 1 to 8 characters. Its encrypted form is a case-sensitive string of 1 to 41 characters.


Usage guidelines

After an NHRP packet authentication key is configured for a tunnel interface, the tunnel interface adds the key in packets sent to the peer. The tunnel interface also uses the key to authenticate NHRP packets it receives. If a packet fails the authentication, the packet will be dropped.

For mGRE tunnels to be established successfully, configure the same NHRP authentication key for all NHCs and servers in the same mGRE network.

Examples

# On interface Tunnel1, set the NHRP packet authentication key to 123456.

<Sysname> system-view

[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp authentication simple 123456

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

New command: nhrp holdtime

Use nhrp holdtime to configure the holdtime for NHRP mapping entries.

Use undo nhrp holdtime to restore the default.

Syntax

nhrp holdtime seconds

undo nhrp holdtime

Default

The holdtime of NHRP mapping entries is 7200 seconds.

Views

mGRE tunnel interface view

Predefined user roles

network-admin

Parameters

seconds: Specifies the holdtime in the range of 1 to 65535 seconds.

Usage guidelines

After the holdtime is configured, the local NHRP holdtime carried in outgoing packets is updated to the configured holdtime.

Examples

# On interface Tunnel1, set the holdtime of NHRP mapping entries to 600 seconds.

<Sysname> system-view

[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp holdtime 600


Related commands

interface tunnel (Layer 3—IP Services Command Reference)

New command: nhrp network-id

Use nhrp network-id to configure an NHRP network ID for an mGRE tunnel.

Use undo nhrp network-id to delete the NHRP network ID of an mGRE tunnel.

Syntax

nhrp network-id number

undo nhrp network-id

Default

An mGRE tunnel does not have an NHRP network ID.

Views

mGRE tunnel interface view

Predefined user roles

network-admin

Parameters

number: Specifies an NHRP network ID in the range of 1 to 4294967295.

Usage guidelines

A network ID is only locally significant. You can configure different NHRP network IDs for different tunnel interfaces on the device. The NHC and server can have different NHRP network IDs.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the NHRP network ID to 10 for mGRE tunnel interface Tunnel1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp network-id 10

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

New command: nhrp nhs

Use nhrp nhs to configure an NHS private-to-public address mapping.

Use undo nhrp nhs to delete an NHS private-to-public address mapping.

Syntax

nhrp nhs nhs-address nbma nbma-address

undo nhrp nhs nhs-address nbma nbma-address

Default

No NHS private-to-public address mappings are configured.

Views

mGRE tunnel interface view

Predefined user roles

network-admin

Parameters

nhs-address: Specifies the private address of an NHS.

nbma-address: Specifies the public address (NBMA address) of the NHS.

Usage guidelines

You can configure multiple NHSs for redundancy. If multiple NHSs are configured, NHCs register with all the NHSs.

Examples

# On interface Tunnel1, configure the NHS private address as 1.1.1.1 and public address as 120.1.1.120.

<Sysname> system-view

[Sysname] interface tunnel 1 mode mgre

[Sysname-Tunnel1] nhrp nhs 1.1.1.1 nbma 120.1.1.120

Related commands

interface tunnel (Layer 3—IP Services Command Reference)

New command: reset mgre session

Use reset mgre session to reset dynamic mGRE sessions.

Syntax

reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command resets dynamic mGRE sessions for all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command resets all dynamic mGRE sessions for the specified mGRE tunnel interface.


Usage guidelines

If you do not specify any parameters, this command resets all dynamic mGRE sessions. When an mGRE session is reset, the NHC reregisters with the NHS.

Examples

# Reset the mGRE sessions on interface Tunnel1.

<Sysname> reset mgre session interface tunnel 1

# Reset the mGRE session with peer address 202.12.12.12 on interface Tunnel1.

<Sysname> reset mgre session interface tunnel 1 peer 202.12.12.12

Related commands

display mgre session

New command: reset mgre statistics

Use reset mgre statistics to clear mGRE session statistics.

Syntax

reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command clears mGRE session statistics for all mGRE tunnel interfaces.

peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command clears statistics about all mGRE sessions on the specified mGRE tunnel interface.

Examples

# Clear statistics about mGRE sessions on interface Tunnel1.

<Sysname> reset mgre statistics interface tunnel 1

# Clear statistics about the mGRE session with peer public address 192.168.1.200 on interface Tunnel1.

<Sysname> reset mgre statistics interface tunnel 1 peer 192.168.1.200

New command: reset nhrp statistics

Use reset nhrp statistics to clear NHRP packet statistics.


Syntax

reset nhrp statistics [ interface tunnel interface-number ]

Views

User view

Predefined user roles

network-admin

Parameters

interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command clears NHRP packet statistics for all mGRE tunnel interfaces.

Examples

# Clear NHRP packet statistics for interface Tunnel1.

<Sysname> reset nhrp statistics interface tunnel 1

Related commands

display nhrp statistics

New feature: Disabling transceiver module alarm

Disabling the transceiver module alarm

The device regularly checks transceiver modules for their vendor information. If a transceiver module does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to prompt you to replace the module. This feature enables you to suppress the traps and logs.

Command reference

New command: transceiver phony-alarm-disable

Use transceiver phony-alarm-disable to disable the transceiver module alarm feature.

Use undo transceiver phony-alarm-disable to restore the default.

Syntax

transceiver phony-alarm-disable

undo transceiver phony-alarm-disable


Default

The transceiver module alarm feature is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The device regularly checks transceiver modules for their vendor information. If a transceiver module does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to prompt you to replace the module. To suppress the traps and alarms, execute this command.

Examples

# Disable the transceiver module alarm feature.

<Sysname> system-view

[Sysname] transceiver phony-alarm-disable

Modified feature: Default user role

Feature change description

The default user role can be changed. The role-name argument was added to the role default-role enable command for specifying a user role as the default user role.

Command changes

Modified command: role default-role enable

Old syntax

role default-role enable

undo role default-role enable

New syntax

role default-role enable [ role-name ]

undo role default-role enable

Views

System view

Change description

Before modification: The default user role is network-operator.


After modification: The role-name argument was added to specify any user role that exists in the system as the default user role. The argument is a case-sensitive string of 1 to 63 characters. If you do not specify this argument, the default user role is network-operator.

Modified feature: Debugging

Feature change description

The all keyword and the timeout time option were removed from the debugging command. You can no longer use the command to enable debugging for all modules at the same time or automatically disable debugging for all modules after a specific period of time.

Command changes

Modified command: debugging

Old syntax

debugging { all [ timeout time ] | module-name [ option ] }

undo debugging { all | module-name [ option ] }

New syntax

debugging module-name [ option ]

undo debugging module-name [ option ]

Views

User view

Change description

The following parameters were removed from the debugging command:

all: Enables debugging for all modules.

timeout time: Specifies the timeout time for the debugging all command. The system automatically executes the undo debugging all command after the timeout time. The time argument is in the range of 1 to 1440 minutes. If you do not specify a timeout time, you must manually execute the undo debugging all command to disable debugging for all modules.

Release 0305P04

This release has the following changes:

New feature: Public key management support for Suite B


New feature: PKI support for Suite B

New feature: IPsec support for Suite B

New feature: SSL support for Suite B

New feature: FIPS support for Suite B

New feature: SSH support for Suite B

New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group

Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces

Modified feature: Changing the maximum number of FIB table entries

Modified feature: Enabling CWMP

New feature: Public key management support for Suite B

Configuring Suite B in public key management

Suite B contains a set of encryption and authentication algorithms that meet high security requirements.

In this software version, Suite B is available in public key management. Support for new elliptic curve algorithms was added for generating ECDSA key pairs.

Command reference

Modified command: public-key local create

Old syntax

public-key local create { dsa | ecdsa | rsa } [ name key-name ]

New syntax

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]

Views

System view

Change description

Before modification: The secp192r1 curve was used to generate the ECDSA key pair by default. No other elliptic curve algorithms were available.


After modification: You can specify the elliptic curve used to generate the ECDSA key pair. The following elliptic curve algorithms are available:

secp192r1: Uses the secp192r1 curve to generate a 192-bit ECDSA key pair. The secp192r1 curve is used by default.

secp256r1: Uses the secp256r1 curve to generate a 256-bit ECDSA key pair.

secp384r1: Uses the secp384r1 curve to generate a 384-bit ECDSA key pair.

New feature: PKI support for Suite B

Configuring Suite B in PKI

Suite B contains a set of encryption and authentication algorithms that meet high security requirements. PKI commands were modified to support Suite B.

Command reference

Modified command: public-key ecdsa

Old syntax

public-key ecdsa name key-name

undo public-key

New syntax

public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 ]

undo public-key

Views

PKI domain view

Change description

Before modification: The secp192r1 curve was used to generate the ECDSA key pair by default. No other elliptic curve algorithms were available.

After modification: You can specify the elliptic curve used to generate the ECDSA key pair. The following elliptic curve algorithms are available:

secp192r1: Uses the secp192r1 curve to generate the key pair. The secp192r1 curve is used by default.

secp256r1: Uses the secp256r1 curve to generate the key pair.

secp384r1: Uses the secp384r1 curve to generate the key pair.


New feature: IPsec support for Suite B

Suite B contains a set of encryption and authentication algorithms that meet high security requirements. IPsec provides stronger protection by supporting Suite B and IKEv2.

Overview

Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange capability, and needs fewer message exchanges than IKEv1.

IKEv2 negotiation process

Compared with IKEv1, IKEv2 simplifies the negotiation process and is much more efficient.

IKEv2 defines three types of exchanges: initial exchanges, CREATE_CHILD_SA exchange, and INFORMATIONAL exchange.

As shown in Figure 13, IKEv2 uses two exchanges during the initial exchange process: IKE_SA_INIT and IKE_AUTH, each with two messages.

IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.

IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPsec SAs.

After the four-message initial exchanges, IKEv2 sets up one IKE SA and one pair of IPsec SAs. For

IKEv1 to set up one IKE SA and one pair of IPsec SAs, it must go through two phases that use a minimum of six messages.

To set up one more pair of IPsec SAs within the IKE SA, IKEv2 goes on to perform an additional two-message exchange

—the CREATE_CHILD_SA exchange. One CREATE_CHILD_SA exchange creates one pair of IPsec SAs. IKEv2 also uses the CREATE_CHILD_SA exchange to rekey IKE

SAs and Child SAs.

IKEv2 uses the INFORMATIONAL exchange to convey control messages about errors and notifications.


Figure 13 IKEv2 initial exchange process

[Figure: Peer 1 (initiator) and Peer 2 (responder). IKE_SA_INIT (SA exchange, key exchange): the initiator sends its IKE policy and key information; the responder searches for a matched policy, generates the key, and returns the confirmed policy and key information; both peers negotiate algorithms and generate the key. IKE_AUTH (ID exchange, authentication, IPsec SA setup): each peer sends its identity, authentication data, and IPsec proposals; the receiving peer authenticates the identity and negotiates IPsec SAs.]

New features in IKEv2

DH guessing

In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished. If the guess is wrong, the responder responds with an INVALID_KE_PAYLOAD message that contains the DH group that it wants to use. The initiator then uses the DH group selected by the responder to reinitiate the IKE_SA_INIT exchange. The DH guessing mechanism allows for more flexible DH group configuration and enables the initiator to adapt to different responders.

Cookie challenging

Messages for the IKE_SA_INIT exchange are in plain text. An IKEv1 responder cannot confirm the validity of the initiators and must maintain half-open IKE SAs, which makes the responder susceptible to DoS attacks. An attacker can send a large number of IKE_SA_INIT requests with forged source IP addresses to the responder, exhausting the responder's system resources.

IKEv2 introduces the cookie challenging mechanism to prevent such DoS attacks. When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.

The cookie challenging mechanism automatically stops working when the number of half-open IKE SAs drops below the threshold.


IKEv2 SA rekeying

For security purposes, both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the lifetime expires. An IKEv1 SA lifetime is negotiated. An IKEv2 SA lifetime, in contrast, is configured. If two peers are configured with different lifetimes, the peer with the shorter lifetime always initiates the SA rekeying. This mechanism reduces the possibility that two peers will simultaneously initiate a rekeying. Simultaneous rekeying results in redundant SAs and SA status inconsistency on the two peers.

IKEv2 message retransmission

Unlike IKEv1 messages, IKEv2 messages appear in request/response pairs. IKEv2 uses the Message ID field in the message header to identify the request/response pair. If an initiator sends a request but receives no response with the same Message ID value within a specific period of time, the initiator retransmits the request.

It is always the IKEv2 initiator that initiates the retransmission, and the retransmitted message must use the same Message ID value.

Protocols and standards

RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)

RFC 4306, Internet Key Exchange (IKEv2) Protocol

RFC 4718, IKEv2 Clarifications and Implementation Guidelines

RFC 2412, The OAKLEY Key Determination Protocol

RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2)

IKEv2 configuration task list

Determine the following parameters prior to IKEv2 configuration:

The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.

The local and remote identity authentication methods.

To use the pre-shared key authentication method, you must determine the pre-shared key.

To use the RSA digital signature authentication method, you must determine the PKI domain for the local end to use. For information about PKI, see "Configuring PKI."

To configure IKEv2, perform the following tasks:


Tasks at a glance

(Required.) Configuring an IKEv2 profile
Remarks: N/A

(Required.) Configuring an IKEv2 policy
Remarks: N/A

(Optional.) Configuring an IKEv2 proposal
Remarks: If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal.

Configuring an IKEv2 keychain
Remarks: Required when either end or both ends use the pre-shared key authentication method.

Configure global IKEv2 parameters:
(Optional.) Enabling the cookie challenging feature
Remarks: The cookie challenging feature takes effect only on IKEv2 responders.
(Optional.) Configuring the IKEv2 DPD feature
(Optional.) Configuring the IKEv2 NAT keepalive feature
(Optional.) Configuring IKEv2 address pools

Configuring an IKEv2 profile

An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an IKEv2 profile, perform the following tasks:

1. Specify the local and remote identity authentication methods.

The local and remote identity authentication methods must both be specified and they can be different. You can specify only one local identity authentication method and multiple remote identity authentication methods.

2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:

To use digital signature authentication, configure a PKI domain.

To use pre-shared key authentication, configure an IKEv2 keychain.

3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation:

For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN as the local ID. The FQDN is the device name configured by using the sysname command.

For pre-shared key authentication, the device can use an ID of any type other than the DN.

4. Configure peer IDs.

The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2 profiles will be compared in descending order of their priorities.

5. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.


6. Specify a priority number for the IKEv2 profile. To determine the priority of an IKEv2 profile:

a. First, the device examines the existence of the match local command. An IKEv2 profile with the match local command configured has a higher priority.

b. If a tie exists, the device compares the priority numbers. An IKEv2 profile with a smaller priority number has a higher priority.

c. If a tie still exists, the device prefers an IKEv2 profile configured earlier.

7. Specify a VPN instance for the IKEv2 profile. The IKEv2 profile is used for IKEv2 negotiation only on the interfaces that belong to the VPN instance.

8. Configure the IKEv2 SA lifetime.

The local and remote ends can use different IKEv2 SA lifetimes. They do not negotiate the lifetime. The end with a smaller SA lifetime will initiate an SA negotiation when the lifetime expires.

9. Configure IKEv2 DPD to detect dead IKEv2 peers. You can also configure this feature in system view. If you configure IKEv2 DPD in both views, the IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.

10. Specify an inside VPN instance. This setting determines where the device should forward received IPsec packets after it de-encapsulates them. If you specify an inside VPN instance, the device looks for a route in the specified VPN instance to forward the packets. If you do not specify an inside VPN instance, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.

11. Configure the NAT keepalive interval.

Configure this task when the device is behind a NAT gateway. The device sends NAT keepalive packets regularly to its peer to prevent the NAT session from being aged because of no matching traffic.

12. Enable the configuration exchange feature.

The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response.

This feature typically applies to scenarios where branches and the headquarters communicate through virtual tunnels.

This feature enables the IPsec gateway at a branch to send IP address requests to the IPsec gateway at the headquarters. When the headquarters receives the request, it sends an IP address to the branch in the response packet. The headquarters can also actively push an IP address to the branch. The branch uses the allocated IP address as the IP address of the virtual tunnel to communicate with the headquarters.

13. Enable AAA authorization.


The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 address pool, from AAA. IKEv2 uses the address pool to assign IP addresses to remote users. For more information about AAA authorization, see "Configuring AAA."

To configure an IKEv2 profile:

57. Enter system view.
Command: system-view
Remarks: N/A

58. Create an IKEv2 profile and enter IKEv2 profile view.
Command: ikev2 profile profile-name
Remarks: By default, no IKEv2 profiles exist.

59. Configure the local and remote identity authentication methods.
Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
Remarks: By default, no local or remote identity authentication method is configured.

60. Specify a keychain.
Command: keychain keychain-name
Remarks: By default, no keychain is specified for an IKEv2 profile. Perform this task when the pre-shared key authentication method is specified.

61. Specify a PKI domain.
Command: certificate domain domain-name [ sign | verify ]
Remarks: By default, the device uses PKI domains configured in system view. Perform this task when the digital signature authentication method is specified.

62. Configure the local ID.
Command: identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }
Remarks: By default, no local ID is configured, and the device uses the IP address of the interface where the IPsec policy applies as the local ID.

63. Configure peer IDs.
Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
Remarks: By default, no peer ID is configured. You must configure a minimum of one peer ID on each of the two peers.

64. (Optional.) Specify the local interface or IP address to which the IKEv2 profile can be applied.
Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
Remarks: By default, an IKEv2 profile can be applied to any local interface or IP address.

65. (Optional.) Specify a priority for the IKEv2 profile.
Command: priority priority
Remarks: By default, the priority of an IKEv2 profile is 100.

66. (Optional.) Specify a VPN instance for the IKEv2 profile.
Command: match vrf { name vrf-name | any }
Remarks: By default, an IKEv2 profile belongs to the public network.

67. (Optional.) Set the IKEv2 SA lifetime for the IKEv2 profile.
Command: sa duration seconds
Remarks: By default, the IKEv2 SA lifetime is 86400 seconds.

68. (Optional.) Configure the DPD feature for the IKEv2 profile.
Command: dpd interval interval [ retry seconds ] { on-demand | periodic }
Remarks: By default, DPD is disabled for an IKEv2 profile. The global DPD settings in system view are used. If DPD is also disabled in system view, the device does not perform DPD.

69. (Optional.) Specify an inside VPN instance for the IKEv2 profile.
Command: inside-vrf vrf-name
Remarks: By default, no inside VPN instance is specified for an IKEv2 profile. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.

70. (Optional.) Set the IKEv2 NAT keepalive interval.
Command: nat-keepalive seconds
Remarks: By default, the global IKEv2 NAT keepalive setting is used.

71. (Optional.) Enable the configuration exchange feature.
Command: config-exchange { request | set { accept | send } }
Remarks: By default, all configuration exchange options are disabled.

72. (Optional.) Enable AAA authorization.
Command: aaa authorization domain domain-name username user-name
Remarks: By default, AAA authorization is disabled for IKEv2.

Configuring an IKEv2 policy

During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.

If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of the local security gateway. If no IKEv2 policy uses the IP address or the policy is using an incomplete proposal, the IKE_SA_INIT exchange fails.

If no IKEv2 policy is configured, IKEv2 uses the system default IKEv2 policy default.

The device matches IKEv2 policies in the descending order of their priorities. To determine the priority of an IKEv2 policy:

1. First, the device examines the existence of the match local address command. An IKEv2 policy with the match local address command configured has a higher priority.

2. If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority number has a higher priority.

3. If a tie still exists, the device prefers an IKEv2 policy configured earlier.

To configure an IKEv2 policy:

73. Enter system view.
Command: system-view
Remarks: N/A

74. Create an IKEv2 policy and enter IKEv2 policy view.
Command: ikev2 policy policy-name
Remarks: By default, an IKEv2 policy named default exists.

75. Specify the local interface or address used for IKEv2 policy matching.
Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
Remarks: By default, no local interface or address is used for IKEv2 policy matching, and the policy matches any local interface or address.

76. Specify a VPN instance for IKEv2 policy matching.
Command: match vrf { name vrf-name | any }
Remarks: By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches all local addresses in the public network.

77. Specify an IKEv2 proposal for the IKEv2 policy.
Command: proposal proposal-name
Remarks: By default, no IKEv2 proposal is specified for an IKEv2 policy.

78. Specify a priority for the IKEv2 policy.
Command: priority priority
Remarks: By default, the priority of an IKEv2 policy is 100.

Configuring an IKEv2 proposal

An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority.

A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.

To configure an IKEv2 proposal:

79. Enter system view.
Command: system-view
Remarks: N/A

80. Create an IKEv2 proposal and enter IKEv2 proposal view.
Command: ikev2 proposal proposal-name
Remarks: By default, an IKEv2 proposal named default exists.
In non-FIPS mode, the default proposal uses the following settings:
Encryption algorithms: AES-CBC-128 and 3DES.
Integrity protection algorithms: HMAC-SHA1 and HMAC-MD5.
PRF algorithms: HMAC-SHA1 and HMAC-MD5.
DH groups: 2 and 5.
In FIPS mode, the default proposal uses the following settings:
Encryption algorithms: AES-CBC-128 and AES-CTR-128.
Integrity protection algorithms: HMAC-SHA1 and HMAC-SHA256.
PRF algorithms: HMAC-SHA1 and HMAC-SHA256.
DH groups: 14 and 19.

81. Specify the encryption algorithms.
Command (non-FIPS mode): encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
Command (FIPS mode): encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *
Remarks: By default, an IKEv2 proposal does not have any encryption algorithms.

82. Specify the integrity protection algorithms.
Command (non-FIPS mode): integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
Command (FIPS mode): integrity { sha1 | sha256 | sha384 | sha512 } *
Remarks: By default, an IKEv2 proposal does not have any integrity protection algorithms.

83. Specify the PRF algorithms.
Command (non-FIPS mode): prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
Command (FIPS mode): prf { sha1 | sha256 | sha384 | sha512 } *
Remarks: By default, an IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.

84. Specify the DH groups.
Command (non-FIPS mode): dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *
Command (FIPS mode): dh { group14 | group24 | group19 | group20 } *
Remarks: By default, an IKEv2 proposal does not have any DH groups.

Configuring an IKEv2 keychain

An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation.

An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host name, IP address or address range, or ID).

An IKEv2 negotiation initiator uses the peer host name or IP address/address range as the matching criterion to search for a peer. A responder uses the peer host IP address/address range or ID as the matching criterion to search for a peer.

To configure an IKEv2 keychain:

85. Enter system view.
Command: system-view
Remarks: N/A

86. Create an IKEv2 keychain and enter IKEv2 keychain view.
Command: ikev2 keychain keychain-name
Remarks: By default, no IKEv2 keychains exist.

87. Create an IKEv2 peer and enter IKEv2 peer view.
Command: peer name
Remarks: By default, no IKEv2 peers exist.

88. Configure the information for identifying the IKEv2 peer.
Command:
To configure a host name for the peer: hostname host-name
To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
To configure an ID for the peer: identity { address { ipv4-address | ipv6 ipv6-address } | fqdn fqdn-name | email email-string | key-id key-id-string }
Remarks: By default, no hostname, host IP address, address range, or identity information is configured for an IKEv2 peer. You must configure different IP addresses/address ranges for different peers.

89. Configure a pre-shared key for the peer.
Command: pre-shared-key [ local | remote ] { ciphertext | plaintext } string
Remarks: By default, an IKEv2 peer does not have a pre-shared key.

Configure global IKEv2 parameters

Enabling the cookie challenging feature

Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests.

To enable cookie challenging:

90. Enter system view.
Command: system-view
Remarks: N/A

91. Enable cookie challenging.
Command: ikev2 cookie-challenge number
Remarks: By default, IKEv2 cookie challenging is disabled.

Configuring the IKEv2 DPD feature

IKEv2 DPD detects dead IKEv2 peers in periodic or on-demand mode.

Periodic DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages at regular intervals.

On-demand DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages before sending data.


Before the device sends data, it checks how long ago the last IPsec packet was received from the peer. If that time exceeds the DPD interval, it sends a DPD message to the peer to detect its liveness.

If the device has no data to send, it never sends DPD messages.

If you configure IKEv2 DPD in both IKEv2 profile view and system view, the IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.

To configure global IKEv2 DPD:

92. Enter system view.
Command: system-view
Remarks: N/A

93. Configure global IKEv2 DPD.
Command: ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
Remarks: By default, global DPD is disabled.

Configuring the IKEv2 NAT keepalive feature

Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

This feature takes effect after the device detects the NAT device.

To configure the IKEv2 NAT keepalive feature:

94. Enter system view.
Command: system-view
Remarks: N/A

95. Set the IKEv2 NAT keepalive interval.
Command: ikev2 nat-keepalive seconds
Remarks: By default, the IKEv2 NAT keepalive interval is 10 seconds.

Configuring IKEv2 address pools

To perform centralized management on remote users, an IPsec gateway can use an address pool to assign private IP addresses to remote users.

You must use an IKEv2 address pool together with AAA authorization by specifying the IKEv2 address pool as an AAA authorization attribute. For more information about AAA authorization, see "Configuring AAA."

To configure IKEv2 address pools:

96. Enter system view.
Command: system-view
Remarks: N/A

97. Configure an IKEv2 IPv4 address pool.
Command: ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]
Remarks: By default, no IKEv2 IPv4 address pool exists.

98. Configure an IKEv2 IPv6 address pool.
Command: ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len
Remarks: By default, no IKEv2 IPv6 address pool exists.

Displaying and maintaining IKEv2

Execute display commands in any view and reset commands in user view.

Task: Display the IKEv2 proposal configuration.
Command: display ikev2 proposal [ name | default ]

Task: Display the IKEv2 policy configuration.
Command: display ikev2 policy [ policy-name | default ]

Task: Display the IKEv2 profile configuration.
Command: display ikev2 profile [ profile-name ]

Task: Display the IKEv2 SA information.
Command: display ikev2 sa [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ]

Task: Display IKEv2 statistics.
Command: display ikev2 statistics

Task: Delete IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.
Command: reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]

Task: Clear IKEv2 statistics.
Command: reset ikev2 statistics
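The following worked configuration is an added example, not taken from the release notes, that ties the tasks above together for one pre-shared-key peer: a proposal that uses only the stronger options from the command tables (the default proposal's 3DES, HMAC-MD5 and DH groups 2 and 5 are left unused), a policy bound to the local gateway address, a keychain with one peer, a profile with DPD, a shorter SA lifetime and cookie challenging, and the display commands to verify it. The device name, addresses, names, timer values and the key are constructed placeholders; the view prompts for proposal and policy view are assumed by analogy with the prompts shown in this section, and the IPsec policy that references the profile is outside this section and not shown.

```text
# Constructed example, not from the release notes. Local gateway 1.1.1.1,
# peer 3.3.3.3, and all names and values are placeholders.
<Sysname> system-view

# Proposal: one strong set of parameters. An algorithm listed earlier has
# higher priority; listing only strong ones means nothing weaker is offered.
[Sysname] ikev2 proposal strong
[Sysname-ikev2-proposal-strong] encryption aes-cbc-256
[Sysname-ikev2-proposal-strong] integrity sha256
[Sysname-ikev2-proposal-strong] prf sha256
[Sysname-ikev2-proposal-strong] dh group19 group20
[Sysname-ikev2-proposal-strong] quit

# Policy: matched by the local gateway address during IKE_SA_INIT. A policy
# with match local address configured outranks any policy without one.
[Sysname] ikev2 policy hq
[Sysname-ikev2-policy-hq] match local address 1.1.1.1
[Sysname-ikev2-policy-hq] proposal strong
[Sysname-ikev2-policy-hq] priority 10
[Sysname-ikev2-policy-hq] quit

# Keychain: one peer, found by address (initiator or responder) or by ID
# (responder). Different peers must use different addresses/ranges.
[Sysname] ikev2 keychain branches
[Sysname-ikev2-keychain-branches] peer branch1
[Sysname-ikev2-keychain-branches-peer-branch1] address 3.3.3.3 255.255.255.255
[Sysname-ikev2-keychain-branches-peer-branch1] identity fqdn branch1.example.com
[Sysname-ikev2-keychain-branches-peer-branch1] pre-shared-key plaintext PLACEHOLDER-KEY
[Sysname-ikev2-keychain-branches-peer-branch1] quit
[Sysname-ikev2-keychain-branches] quit

# Profile: pre-shared key in both directions, bound to the keychain and to
# the local address, selected by the peer's FQDN ID. The local ID is an
# FQDN because the DN is not allowed with pre-shared key authentication.
[Sysname] ikev2 profile branch1
[Sysname-ikev2-profile-branch1] authentication-method local pre-share
[Sysname-ikev2-profile-branch1] authentication-method remote pre-share
[Sysname-ikev2-profile-branch1] keychain branches
[Sysname-ikev2-profile-branch1] identity local fqdn hq.example.com
[Sysname-ikev2-profile-branch1] match remote identity fqdn branch1.example.com
[Sysname-ikev2-profile-branch1] match local address 1.1.1.1
[Sysname-ikev2-profile-branch1] priority 10
# 8 hours instead of the 86400-second default; the end with the shorter
# lifetime initiates the rekeying, so set the shorter value on one side only.
[Sysname-ikev2-profile-branch1] sa duration 28800
[Sysname-ikev2-profile-branch1] dpd interval 30 retry 5 on-demand
[Sysname-ikev2-profile-branch1] quit

# Responder-side protection: start challenging with cookies once 50
# half-open IKE SAs exist; it stops again when the count drops below 50.
[Sysname] ikev2 cookie-challenge 50

# Verify the configuration and, once the peer has connected, the SA.
[Sysname] display ikev2 proposal strong
[Sysname] display ikev2 policy hq
[Sysname] display ikev2 profile branch1
[Sysname] display ikev2 sa remote 3.3.3.3 verbose
```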

Command reference

New command: aaa authorization

Use aaa authorization to enable IKEv2 AAA authorization.

Use undo aaa authorization to disable IKEv2 AAA authorization.

Syntax

aaa authorization domain domain-name username user-name

undo aaa authorization

Default

IKEv2 AAA authorization is disabled.

Views

IKEv2 profile view


Predefined user roles

network-admin

Parameters

domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following requirements:

The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.

username user-name: Specifies the username used for requesting authorization attributes. The username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:

The username cannot contain the domain name.

The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).

The username cannot be a, al, or all.

Usage guidelines

The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 IPv4 address pool, from AAA.

IKEv2 uses the ISP domain and username to request authorization attributes. AAA uses the authorization settings in the ISP domain to request the user's authorization attributes from the remote AAA server or the local user database. After IKEv2 passes the username authentication, it obtains the authorization attributes.

This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Enable AAA authorization. Specify the ISP domain name abc and the username test.

[Sysname-ikev2-profile-profile1] aaa authorization domain abc username test

Related commands

display ikev2 profile

New command: address

Use address to specify the IP address or IP address range of an IKEv2 peer.

Use undo address to restore the default.


Syntax

address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }

undo address

Default

An IKEv2 peer's IP address or IP address range is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the IPv4 address of the IKEv2 peer.

mask: Specifies the subnet mask of the IPv4 address.

mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.

ipv6 ipv6-address: Specifies the IPv6 address of the IKEv2 peer.

prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.

Usage guidelines

Both the initiator and the responder can look up an IKEv2 peer by IP address in IKEv2 negotiation.

The IP addresses of different IKEv2 peers in the same IKEv2 keychain cannot be the same.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the IKEv2 peer's IP address 3.3.3.3 with the subnet mask 255.255.255.0.

[Sysname-ikev2-keychain-key1-peer-peer1] address 3.3.3.3 255.255.255.0

Related commands

ikev2 keychain

peer

New command: authentication-method

Use authentication-method to specify the local or remote identity authentication method.

Use undo authentication-method to remove the local or remote identity authentication method.


Syntax

authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

undo authentication-method local

undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share | rsa-signature }

Default

No local or remote identity authentication method is specified.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

local: Specifies the local identity authentication method.

remote: Specifies the remote identity authentication method.

dsa-signature: Specifies the DSA signatures as the identity authentication method.

ecdsa-signature: Specifies the ECDSA signatures as the identity authentication method.

pre-share: Specifies the pre-shared key as the identity authentication method.

rsa-signature: Specifies the RSA signatures as the identity authentication method.

Usage guidelines

The local and remote identity authentication methods must both be specified and they can be different.

You can specify only one local identity authentication method. You can specify multiple remote identity authentication methods by executing this command multiple times when there are multiple remote ends whose authentication methods are unknown.

If you use RSA, DSA, or ECDSA signature authentication, you must specify PKI domains for obtaining certificates. You can specify PKI domains by using the certificate domain command in IKEv2 profile view. If you do not specify PKI domains in IKEv2 profile view, the PKI domains configured by the pki domain command in system view will be used.

If you specify the pre-shared key method, you must specify a pre-shared key for the IKEv2 peer in the keychain used by the IKEv2 profile.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1


# Specify the pre-shared key and RSA signatures as the local and remote authentication methods, respectively.

[Sysname-ikev2-profile-profile1] authentication-method local pre-share

[Sysname-ikev2-profile-profile1] authentication-method remote rsa-signature

# Specify the PKI domain genl as the PKI domain for obtaining certificates.

[Sysname-ikev2-profile-profile1] certificate domain genl

# Specify the keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands

display ikev2 profile

certificate domain (IKEv2 profile view)

keychain (IKEv2 profile view)

New command: certificate domain

Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.

Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.

Syntax

certificate domain domain-name [ sign | verify ]

undo certificate domain domain-name

Default

PKI domains configured in system view are used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.

sign: Uses the local certificate in the PKI domain to generate a signature.

verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.

Usage guidelines

If you do not specify the sign or verify keyword, the PKI domain is used for both sign and verify purposes. You can specify a PKI domain for each purpose by executing this command multiple times.

If you specify the same PKI domain for both purposes, the later configuration takes effect. For example, if you execute certificate domain abc sign and certificate domain abc verify successively, the PKI domain abc will be used only for verification.


If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI domains, the PKI domains configured in system view will be used.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the PKI domain abc for signature. Specify the PKI domain def for verification.

[Sysname-ikev2-profile-profile1] certificate domain abc sign

[Sysname-ikev2-profile-profile1] certificate domain def verify

Related commands

authentication-method

pki domain

New command: config-exchange

Use config-exchange to enable the configuration exchange feature.

Use undo config-exchange to disable the configuration exchange feature.

Syntax

config-exchange { request | set { accept | send } }

undo config-exchange { request | set { accept | send } }

Default

Configuration exchange is disabled.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

request: Enables the device to send request messages carrying the configuration request payload during the IKE_AUTH exchange.

set: Specifies the configuration set payload exchange.

accept: Enables the device to accept the configuration set payload carried in Info messages.

send: Enables the device to send Info messages carrying the configuration set payload.


Usage guidelines

The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response. The enterprise center can push IP addresses to branches. The branches can request IP addresses, but the requested IP addresses cannot be used.

You can specify both request and set for the device.

If you specify request for the local end, the remote end will respond if it can obtain the requested data through AAA authorization.

If you specify set send for the local end, you must specify set accept for the remote end.

The device with set send specified pushes an IP address after the IKEv2 SA is set up if it does not receive any configuration request from the peer.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Enable the local end to add the configuration request payload to the request message of the IKE_AUTH exchange.

[Sysname-ikev2-profile-profile1] config-exchange request

Related commands

aaa authorization

configuration policy

display ikev2 profile

New command: description

Use description to configure a description for an IKE proposal.

Use undo description to restore the default.

Syntax

description text

undo description

Default

An IKE proposal does not have a description.

Views

IKE proposal view

Predefined user roles

network-admin


Parameters

text: Specifies a description, a case-sensitive string of 1 to 80 characters.

Usage guidelines

If multiple IKE proposals exist, you can use this command to give each proposal a different description so that you can tell them apart.

Examples

# Configure the description test for the IKE proposal 1.

<Sysname> system-view

[Sysname] ike proposal 1

[Sysname-ike-proposal-1] description test

New command: display ike statistics

Use display ike statistics to display IKE statistics.

Syntax

display ike statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IKE statistics.

<Sysname> display ike statistics

IKE statistics:

No matching proposal: 0

Invalid ID information: 0

Unavailable certificate: 0

Unsupported DOI: 0

Unsupported situation: 0

Invalid proposal syntax: 0

Invalid SPI: 0

Invalid protocol ID: 0

Invalid certificate: 0

Authentication failure: 0

Invalid flags: 0

Invalid message id: 0

Invalid cookie: 0

Invalid transform ID: 0

Malformed payload: 0

Invalid key information: 0


Invalid hash information: 0

Unsupported attribute: 0

Unsupported certificate type: 0

Invalid certificate authority: 0

Invalid signature: 0

Unsupported exchange type: 0

No available SA: 0

Retransmit timeout: 0

Not enough memory: 0

Enqueue fails: 0

New command: display ikev2 policy

Use display ikev2 policy to display the IKEv2 policy configuration.

Syntax

display ikev2 policy [ policy-name | default ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 policy.

Usage guidelines

If you do not specify any parameters, this command displays the configuration of all IKEv2 policies.

Examples

# Display the configuration of all IKEv2 policies.

<Sysname> display ikev2 policy

IKEv2 policy: 1

Priority: 100

Match local address: 1.1.1.1

Match local address ipv6: 1:1::1:1

Match VRF: vpn1

Proposal: 1

Proposal: 2

IKEv2 policy: default

Match local address: Any

Match VRF: Any

Proposal: default

Table 29 Command output

Field                       Description
IKEv2 policy                Name of the IKEv2 policy.
Priority                    Priority of the IKEv2 policy.
Match local address         IPv4 address to which the IKEv2 policy can be applied.
Match local address ipv6    IPv6 address to which the IKEv2 policy can be applied.
Match VRF                   VPN instance to which the IKEv2 policy can be applied.
Proposal                    IKEv2 proposal that the IKEv2 policy uses.

Related commands

ikev2 policy

New command: display ikev2 profile

Use display ikev2 profile to display the IKEv2 profile configuration.

Syntax

display ikev2 profile [ profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.

Examples

# Display the configuration of all IKEv2 profiles.

<Sysname> display ikev2 profile

IKEv2 profile: 1

Priority: 100

Match criteria:

Local address 1.1.1.1

Local address GigabitEthernet1/0/1

Local address 1:1::1:1

Remote identity address 3.3.3.3/32

VRF vrf1

Inside VRF: vrf1

Local identity: address 1.1.1.1

Local authentication method: pre-share


Remote authentication methods: pre-share

Keychain: Keychain1

Sign certificate domain:

Domain1

abc

Verify certificate domain:

Domain2

yy

SA duration: 500 seconds

DPD: Interval 32 secs, retry-interval 23 secs, periodic

Config exchange: request, set accept, set send

NAT keepalive: 10 seconds

AAA authorization: Domain domain1, username ikev2

Table 30 Command output

Field                          Description
IKEv2 profile                  Name of the IKEv2 profile.
Priority                       Priority of the IKEv2 profile.
Match criteria                 Criteria for looking up the IKEv2 profile.
Inside vrf                     Inside VPN instance.
Local identity                 ID of the local end.
Local authentication method    Method that the local end uses for authentication.
Remote authentication methods  Methods that the remote end uses for authentication.
Keychain                       IKEv2 keychain that the IKEv2 profile uses.
Sign certificate domain        PKI domain used for signature generation.
Verify certificate domain      PKI domain used for verifying the remote end's certificate.
SA duration                    Lifetime of the IKEv2 SA.
DPD                            DPD settings:
                               Detection interval in seconds.
                               Retry interval in seconds.
                               Detection mode, on demand or periodically.
                               If DPD is disabled, this field displays Disabled.
Config exchange                Configuration exchange settings:
                               request—The local end sends request messages carrying the configuration request payload during the IKE_AUTH exchange.
                               set accept—The local end accepts the configuration set payload carried in Info messages.
                               set send—The local end sends Info messages carrying the configuration set payload.
NAT keepalive                  NAT keepalive interval in seconds.
AAA authorization              AAA authorization settings:
                               ISP domain name.
                               Username.

Related commands

ikev2 profile

New command: display ikev2 proposal

Use display ikev2 proposal to display the IKEv2 proposal configuration.

Syntax

display ikev2 proposal [ name | default ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

default: Specifies the default IKEv2 proposal.

Usage guidelines

This command displays IKEv2 proposals in descending order of priorities. If you do not specify any parameters, this command displays the configuration of all IKEv2 proposals.

Examples

# Display the configuration of all IKEv2 proposals.

<Sysname> display ikev2 proposal

IKEv2 proposal: 1

Encryption: 3DES-CBC, AES-CBC-128, AES-CTR-192, CAMELLIA-CBC-128

Integrity: MD5, SHA256, AES-XCBC

PRF: MD5, SHA256, AES-XCBC

DH group: MODP1024/Group 2, MODP1536/Group 5

IKEv2 proposal: default

Encryption: AES-CBC-128, 3DES-CBC

Integrity: SHA1, MD5

PRF: SHA1, MD5

DH group: MODP1536/Group 5, MODP1024/Group 2

Table 31 Command output

Field            Description
IKEv2 proposal   Name of the IKEv2 proposal.
Encryption       Encryption algorithms that the IKEv2 proposal uses.
Integrity        Integrity protection algorithms that the IKEv2 proposal uses.
PRF              PRF algorithms that the IKEv2 proposal uses.
DH group         DH groups that the IKEv2 proposal uses.

Related commands

ikev2 proposal

New command: display ikev2 sa

Use display ikev2 sa to display the IKEv2 SA information.

Syntax

display ikev2 sa [ { count | local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

count: Displays the number of IKEv2 SAs.

local: Displays IKEv2 SA information for a local IP address.

remote: Displays IKEv2 SA information for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information about IKEv2 SAs for the public network.

verbose: Displays detailed information. If you do not specify this keyword, the command displays the summary information.

tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKEv2 SAs.


Examples

# Display summary information about all IKEv2 SAs.

<Sysname> display ikev2 sa

Tunnel ID   Local             Remote            Status
--------------------------------------------------------------------
1           1.1.1.1/500       1.1.1.2/500       EST
2           2.2.2.1/500       2.2.2.2/500       EST

Status:

IN-NEGO: Negotiating, EST: Established, DEL: Deleting

# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2

Tunnel ID   Local             Remote            Status
--------------------------------------------------------------------
1           1.1.1.1/500       1.1.1.2/500       EST

Status:

IN-NEGO: Negotiating, EST: Established, DEL: Deleting

Table 32 Command output

Field        Description
Tunnel ID    ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local        Local IP address of the IKEv2 SA.
Remote       Remote IP address of the IKEv2 SA.
Status       Status of the IKEv2 SA:
             IN-NEGO (Negotiating)—The IKEv2 SA is under negotiation.
             EST (Established)—The IKEv2 SA has been set up.
             DEL (Deleting)—The IKEv2 SA is about to be deleted.

# Display detailed information about all IKEv2 SAs.

<Sysname> display ikev2 sa verbose

Tunnel ID: 1

Local IP/Port: 1.1.1.1/500

Remote IP/Port: 1.1.1.2/500

Outside VRF: -

Inside VRF: -

Local SPI: 8f8af3dbf5023a00

Remote SPI: 0131565b9b3155fa

Local ID type: FQDN

Local ID: router_a

Remote ID type: FQDN

Remote ID: router_b

Auth sign method: Pre-shared key

Auth verify method: Pre-shared key

Integrity algorithm: HMAC_MD5


PRF algorithm: HMAC_MD5

Encryption algorithm: AES-CBC-192

Life duration: 86400 secs

Remaining key duration: 85604 secs

Diffie-Hellman group: MODP1024/Group2

NAT traversal: Not detected

DPD: Interval 20 secs, retry interval 2 secs

Transmitting entity: Initiator

Local window: 1

Remote window: 1

Local request message ID: 2

Remote request message ID: 2

Local next message ID: 0

Remote next message ID: 0

Pushed IP address: 192.168.1.5

Assigned IP address: 192.168.2.24

# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2 verbose

Tunnel ID: 1

Local IP/Port: 1.1.1.1/500

Remote IP/Port: 1.1.1.2/500

Outside VRF: -

Inside VRF: -

Local SPI: 8f8af3dbf5023a00

Remote SPI: 0131565b9b3155fa

Local ID type: FQDN

Local ID: router_a

Remote ID type: FQDN

Remote ID: router_b

Auth sign method: Pre-shared key

Auth verify method: Pre-shared key

Integrity algorithm: HMAC_MD5

PRF algorithm: HMAC_MD5

Encryption algorithm: AES-CBC-192

Life duration: 86400 secs

Remaining key duration: 85604 secs

Diffie-Hellman group: MODP1024/Group2

NAT traversal: Not detected

DPD: Interval 30 secs, retry 10 secs

Transmitting entity: Initiator


Local window: 1

Remote window: 1

Local request message ID: 2

Remote request message ID: 2

Local next message ID: 0

Remote next message ID: 0

Pushed IP address: 192.168.1.5

Assigned IP address: 192.168.2.24

Table 33 Command output

Field                        Description
Tunnel ID                    ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local IP/Port                IP address and port number of the local security gateway.
Remote IP/Port               IP address and port number of the remote security gateway.
Outside VRF                  Name of the VPN instance to which the protected outbound data flow belongs.
                             If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).
Inside VRF                   Name of the VPN instance to which the protected inbound data flow belongs.
                             If the protected inbound data flow belongs to the public network, this field displays a hyphen (-).
Local SPI                    SPI that the local end uses.
Remote SPI                   SPI that the remote end uses.
Local ID type                ID type of the local security gateway.
Local ID                     ID of the local security gateway.
Remote ID type               ID type of the remote security gateway.
Remote ID                    ID of the remote security gateway.
Auth sign method             Signature method that the IKEv2 proposal uses in authentication.
Auth verify method           Verification method that the IKEv2 proposal uses in authentication.
Integrity algorithm          Integrity protection algorithms that the IKEv2 proposal uses.
PRF algorithm                PRF algorithms that the IKEv2 proposal uses.
Encryption algorithm         Encryption algorithms that the IKEv2 proposal uses.
Life duration                Lifetime of the IKEv2 SA, in seconds.
Remaining key duration       Remaining lifetime of the IKEv2 SA, in seconds.
Diffie-Hellman group         DH groups used in IKEv2 key negotiation.
NAT traversal                Whether a NAT gateway is detected between the local and remote ends.
DPD                          DPD settings:
                             Detection interval in seconds.
                             Retry interval in seconds.
                             If DPD is disabled, this field displays Disabled.
Transmitting entity          Role of the local end in IKEv2 negotiation, initiator or responder.
Local window                 Window size that the local end uses.
Remote window                Window size that the remote end uses.
Local request message ID     ID of the request message that the local end is about to send.
Remote request message ID    ID of the request message that the remote end is about to send.
Local next message ID        ID of the message that the local end expects to receive.
Remote next message ID       ID of the message that the remote end expects to receive.
Pushed IP address            IP address pushed to the local end by the remote end.
Assigned IP address          IP address assigned to the remote end by the local end.
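The algorithm fields printed by display ikev2 proposal and display ikev2 sa verbose are where a reviewer checks a gateway for legacy cryptography (DES/3DES, MD5, SHA1, 1024-bit and 1536-bit MODP groups), and the sample outputs above show exactly such a mix. The following Python is an added example written for this reference, not part of the release note or the device software: it parses the key: value output of both commands into records (a new record starts at an IKEv2 proposal or Tunnel ID line) and reports the entries that match a weak-algorithm list. That list is the example's own policy, not a device setting; the sample outputs are copied from the command examples above.

```python
"""Flag legacy algorithms in 'display ikev2 proposal' and 'display ikev2 sa verbose' output.

Added example: a parser and audit written for this reference, not device code.
"""
from typing import Dict, List

# Example policy (an assumption of this example, not a device setting): substrings
# that mark an entry as legacy. "DES" also matches "3DES-CBC"; "SHA1" does not
# match "SHA256"; the MODP tokens cover DH groups 1, 2 and 5.
WEAK_TOKENS = ("DES", "MD5", "SHA1", "MODP768", "MODP1024", "MODP1536")

# Fields that carry comma-separated algorithm lists in the two outputs.
ALGO_FIELDS = (
    "Encryption", "Integrity", "PRF", "DH group",                    # display ikev2 proposal
    "Encryption algorithm", "Integrity algorithm", "PRF algorithm",  # display ikev2 sa verbose
    "Diffie-Hellman group",
)


def parse_records(text: str, start_key: str) -> List[Dict[str, str]]:
    """Split 'Key: value' output into records; a new record starts at start_key."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue                      # blank lines and separators
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == start_key:
            records.append({key: value})
        elif records:
            records[-1][key] = value
    return records


def weak_algorithms(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {field: [legacy entries]} for one proposal or SA record."""
    findings: Dict[str, List[str]] = {}
    for field in ALGO_FIELDS:
        if field not in record:
            continue
        entries = [e.strip() for e in record[field].split(",") if e.strip()]
        weak = [e for e in entries if any(t in e.upper() for t in WEAK_TOKENS)]
        if weak:
            findings[field] = weak
    return findings


def audit(text: str, start_key: str) -> Dict[str, Dict[str, List[str]]]:
    """Audit every record; keys are the proposal name or the tunnel ID."""
    return {rec[start_key]: weak_algorithms(rec)
            for rec in parse_records(text, start_key)}


# Sample output copied from the command examples in this reference.
PROPOSAL_OUTPUT = """\
IKEv2 proposal: 1
  Encryption: 3DES-CBC, AES-CBC-128, AES-CTR-192, CAMELLIA-CBC-128
  Integrity: MD5, SHA256, AES-XCBC
  PRF: MD5, SHA256, AES-XCBC
  DH group: MODP1024/Group 2, MODP1536/Group 5
IKEv2 proposal: default
  Encryption: AES-CBC-128, 3DES-CBC
  Integrity: SHA1, MD5
  PRF: SHA1, MD5
  DH group: MODP1536/Group 5, MODP1024/Group 2
"""

SA_VERBOSE_OUTPUT = """\
Tunnel ID: 1
  Local IP/Port: 1.1.1.1/500
  Remote IP/Port: 1.1.1.2/500
  Local ID type: FQDN
  Local ID: router_a
  Auth sign method: Pre-shared key
  Integrity algorithm: HMAC_MD5
  PRF algorithm: HMAC_MD5
  Encryption algorithm: AES-CBC-192
  Diffie-Hellman group: MODP1024/Group2
  NAT traversal: Not detected
"""

if __name__ == "__main__":
    for name, found in audit(PROPOSAL_OUTPUT, "IKEv2 proposal").items():
        print(f"proposal {name}: {found or 'no legacy algorithms'}")
    for tid, found in audit(SA_VERBOSE_OUTPUT, "Tunnel ID").items():
        print(f"tunnel {tid}: {found or 'no legacy algorithms'}")
```

Run against a live capture of either command, the same two functions give an inventory of which proposals still offer legacy algorithms and which established SAs actually negotiated them; the second list is the one that matters, since a proposal's order only sets preference and the peer may still select the weakest common entry.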

New command: display ikev2 statistics

Use display ikev2 statistics to display IKEv2 statistics.

Syntax

display ikev2 statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IKEv2 statistics.

<Sysname> display ikev2 statistics

IKEv2 statistics:

Unsupported critical payload: 0

Invalid IKE SPI: 0

Invalid major version: 0

Invalid syntax: 0

Invalid message ID: 0

Invalid SPI: 0

No proposal chosen: 0

Invalid KE payload: 0

Authentication failed: 0

Single pair required: 0

TS unacceptable: 0

Invalid selectors: 0


Temporary failure: 0

No child SA: 0

Unknown other notify: 0

No enough resource: 0

Enqueue error: 0

No IKEv2 SA: 0

Packet error: 0

Other error: 0

Retransmit timeout: 0

DPD detect error: 0

Del child for IPsec message: 0

Del child for deleting IKEv2 SA: 0

Del child for receiving delete message: 0
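Both display ike statistics and display ikev2 statistics print one counter per line, which makes them convenient to sample on a schedule and diff: a rising Authentication failed, No proposal chosen or Retransmit timeout count is an early sign of a misconfigured or hostile peer. The following Python is an added example written for this reference, not the release note's or the device's own code: it parses either command's output into a dictionary, computes the increase between two samples, and reports the watched counters that grew. The set of watched counters is the example's own choice, drawn from the names the two commands print; the first sample is copied from the display ikev2 statistics example above and the second is constructed.

```python
"""Diff IKE/IKEv2 statistics samples and surface counters worth attention.

Added example for this reference, not device code. Works on the output of both
'display ike statistics' and 'display ikev2 statistics' (one 'Name: count' per line).
"""
import re
from typing import Dict, List

# Counters a defender would watch (this selection is the example's assumption,
# using the counter names printed by the two commands).
ALERT_COUNTERS = {
    "Authentication failure", "Authentication failed",   # IKE and IKEv2 wording
    "Invalid cookie", "Invalid IKE SPI", "Invalid SPI",
    "No matching proposal", "No proposal chosen",
    "Invalid certificate", "Invalid signature",
    "Retransmit timeout", "DPD detect error",
}

# 'Name: 123' lines; the 'IKEv2 statistics:' header has no number and is skipped.
_COUNTER = re.compile(r"^\s*([A-Za-z][^:]*?)\s*:\s*(\d+)\s*$")


def parse_statistics(text: str) -> Dict[str, int]:
    """Map each counter name in the command output to its integer value."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def increases(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters that grew between two samples, with the amount of growth."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] > before.get(name, 0)}


def alerts(before: Dict[str, int], after: Dict[str, int],
           min_increase: int = 1) -> List[str]:
    """Sorted 'Name +delta' strings for watched counters that grew by min_increase or more."""
    return [f"{name} +{delta}"
            for name, delta in sorted(increases(before, after).items())
            if name in ALERT_COUNTERS and delta >= min_increase]


# First sample: the all-zero output shown in the display ikev2 statistics example.
BASELINE_SAMPLE = """\
IKEv2 statistics:
  Unsupported critical payload: 0
  Invalid IKE SPI: 0
  Invalid major version: 0
  Invalid syntax: 0
  Invalid message ID: 0
  Invalid SPI: 0
  No proposal chosen: 0
  Invalid KE payload: 0
  Authentication failed: 0
  Single pair required: 0
  TS unacceptable: 0
  Invalid selectors: 0
  Temporary failure: 0
  No child SA: 0
  Unknown other notify: 0
  No enough resource: 0
  Enqueue error: 0
  No IKEv2 SA: 0
  Packet error: 0
  Other error: 0
  Retransmit timeout: 0
  DPD detect error: 0
  Del child for IPsec message: 0
  Del child for deleting IKEv2 SA: 0
  Del child for receiving delete message: 0
"""

# Second sample: constructed for the example by bumping four counters.
LATER_SAMPLE = (BASELINE_SAMPLE
                .replace("Authentication failed: 0", "Authentication failed: 7")
                .replace("No proposal chosen: 0", "No proposal chosen: 3")
                .replace("Retransmit timeout: 0", "Retransmit timeout: 12")
                .replace("Del child for IPsec message: 0", "Del child for IPsec message: 2"))

if __name__ == "__main__":
    before, after = parse_statistics(BASELINE_SAMPLE), parse_statistics(LATER_SAMPLE)
    for line in alerts(before, after):
        print(line)
```

The delta, not the absolute value, is what to alert on: the counters are cumulative, so a single baseline taken after boot and a threshold on growth per interval gives a usable signal without chasing historical noise.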

New command: dh

Use dh to specify DH groups to be used in IKEv2 key negotiation.

Use undo dh to restore the default.

Syntax

In non-FIPS mode:

dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *

undo dh

In FIPS mode:

dh { group14 | group24 | group19 | group20 } *

undo dh

Default

No DH group is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

group1: Uses the 768-bit Diffie-Hellman group.

group2: Uses the 1024-bit Diffie-Hellman group.

group5: Uses the 1536-bit Diffie-Hellman group.

group14: Uses the 2048-bit Diffie-Hellman group.

group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.


group19: Uses the 256-bit ECP Diffie-Hellman group.

group20: Uses the 384-bit ECP Diffie-Hellman group.

Usage guidelines

A DH group with a higher group number provides higher security but needs more time for processing.

To achieve the best trade-off between processing performance and security, choose proper DH groups for your network.

You must specify a minimum of one DH group for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.

You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher priority.

Examples

# Specify DH group 1 for the IKEv2 proposal 1.

<Sysname> system-view

[Sysname] ikev2 proposal 1

[Sysname-ikev2-proposal-1] dh group1

Related commands

ikev2 proposal

New command: dpd

Use dpd to configure the IKEv2 DPD feature.

Use undo dpd to disable the IKEv2 DPD feature.

Syntax

dpd interval interval [ retry seconds ] { on-demand | periodic }

undo dpd interval

Default

IKEv2 DPD is disabled. The global IKEv2 DPD settings are used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.

retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.


on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on demand. The on-demand mode is recommended when the device communicates with a large number of IKEv2 peers. To detect dead peers earlier, use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.

Examples

# Configure on-demand IKEv2 DPD. Set the DPD triggering interval to 10 seconds and the retry interval to 5 seconds.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1] dpd interval 10 retry 5 on-demand

Related commands

ikev2 dpd

New command: encryption

Use encryption to specify encryption algorithms for an IKEv2 proposal.

Use undo encryption to restore the default.

Syntax

In non-FIPS mode:

encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *

undo encryption

In FIPS mode:

encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *

undo encryption

Default

No encryption algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin


Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.

aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.

aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.

aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key.

aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key.

aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key.

camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key.

camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key.

camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key.

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 56-bit key.

Usage guidelines

You must specify a minimum of one encryption algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple encryption algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Specify the 168-bit 3DES algorithm in CBC mode as the encryption algorithm for the IKEv2 proposal prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption 3des-cbc

Related commands

ikev2 proposal

New command: hostname

Use hostname to specify the host name of an IKEv2 peer.

Use undo hostname to restore the default.

Syntax

hostname name

undo hostname

Default

An IKEv2 peer's host name is not specified.


Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 253 characters.

Usage guidelines

Only the initiator can look up an IKEv2 peer by host name in IKEv2 negotiation, and the initiator must use an IPsec policy rather than an IPsec profile.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the host name test of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] hostname test

Related commands

ikev2 keychain

peer

New command: identity

Use identity to specify the ID of an IKEv2 peer.

Use undo identity to restore the default.

Syntax

identity { address { ipv4-address | ipv6 ipv6-address } | fqdn fqdn-name | email email-string | key-id key-id-string }

undo identity

Default

An IKEv2 peer's ID is not specified.

Views

IKEv2 peer view

Predefined user roles

network-admin


Parameters

ipv4-address: Specifies the IPv4 address of the peer.

ipv6 ipv6-address: Specifies the IPv6 address of the peer.

fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

email email-string: Specifies the email address of the peer. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].

key-id key-id-string: Specifies the remote gateway's key ID. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

Only the responder can look up an IKEv2 peer by ID in IKEv2 negotiation. The initiator does not know the peer ID when initiating the IKEv2 negotiation, so it cannot use an ID for IKEv2 peer lookup.

Examples

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Specify the peer IPv4 address 1.1.1.2 as the ID of the IKEv2 peer.

[Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2

Related commands

ikev2 keychain

peer

New command: identity local

Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation.

Use undo identity local to restore the default.

Syntax

identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }

undo identity local

Default

No local ID is specified. The IP address of the interface to which the IPsec policy is applied is used as the local ID.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.

dn: Uses the DN in the local certificate as the local ID.

email email-string: Uses an email address as the local ID. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].

fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

key-id key-id-string: Uses the device's key ID as the local ID. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

Peers exchange local IDs for identifying each other in negotiation.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Use the IP address 2.2.2.2 as the local ID.

[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2

Related commands

peer

New command: ikev2 address-group

Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to remote peers.

Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool.

Syntax

ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]

undo ikev2 address-group group-name

Default

No IKEv2 IPv4 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKEv2 IPv4 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.

start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.

mask: Specifies the IPv4 address mask.

mask-length: Specifies the length of the IPv4 address mask.

Usage guidelines

An IKE IPv4 address pool can contain a maximum of 8192 IPv4 addresses.

Examples

# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask 255.255.255.0.

<Sysname> system-view

[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0

# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask length 32.

<Sysname> system-view

[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 32

Related commands

address-group

New command: ikev2 cookie-challenge

Use ikev2 cookie-challenge to enable the cookie challenging feature.

Use undo ikev2 cookie-challenge to disable the cookie challenging feature.

Syntax

ikev2 cookie-challenge number

undo ikev2 cookie-challenge

Default

The cookie challenging feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 0 to 1000 half-open IKE SAs.

Usage guidelines

When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.

This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.
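The responder-side logic described above is small enough to model end to end. The following Python is an added example written for this reference, not the device's implementation: below the threshold every IKE_SA_INIT request is accepted and allocates a half-open SA; once the threshold is reached, a request without a cookie gets only a cookie back and no state is kept; a request that returns the correct cookie is accepted; a request carrying a wrong cookie is rejected. The cookie is built as RFC 7296 section 2.6 recommends, a version byte followed by a keyed hash over the initiator nonce, source address and SPI, so it can be checked statelessly and invalidated by rotating the secret. The request structure, the use of HMAC-SHA256 as the keyed hash, the helper make_request and the string return values are the example's own simplifications.

```python
"""Model of the IKEv2 cookie challenge a responder runs once 'ikev2 cookie-challenge'
is enabled. Added example for this reference, not the device's implementation;
message fields, secret handling and return values are simplified."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class IkeSaInitRequest:
    """The parts of an IKE_SA_INIT request that the cookie computation covers."""
    spi_i: bytes          # initiator SPI
    nonce_i: bytes        # Ni
    src_ip: str           # IPi as seen by the responder
    cookie: bytes = b""   # empty on a first, unsolicited request


@dataclass
class Responder:
    threshold: int                          # the 'number' argument of ikev2 cookie-challenge
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    version: int = 1                        # version byte identifying the current secret
    half_open: int = 0                      # half-open IKE SAs the responder currently holds

    def cookie_for(self, req: IkeSaInitRequest) -> bytes:
        """Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>) as RFC 7296
        section 2.6 recommends; HMAC-SHA256 stands in for the keyed hash (example's choice)."""
        mac = hmac.new(self.secret, req.nonce_i + req.src_ip.encode() + req.spi_i,
                       hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def rotate_secret(self) -> None:
        """New secret and version byte: cookies issued under the old secret stop validating."""
        self.secret = secrets.token_bytes(32)
        self.version = (self.version + 1) % 256

    def handle_ike_sa_init(self, req: IkeSaInitRequest) -> str:
        """Return 'proceed' (state allocated), 'challenge' (COOKIE notify sent, no state kept)
        or 'reject' (cookie present but wrong: negotiation terminated)."""
        if self.half_open < self.threshold:
            self.half_open += 1             # below the threshold: negotiate as usual
            return "proceed"
        if not req.cookie:
            return "challenge"              # at the threshold: answer statelessly
        if hmac.compare_digest(req.cookie, self.cookie_for(req)):
            self.half_open += 1             # initiator proved it can receive at src_ip
            return "proceed"
        return "reject"


def make_request(n: int, src_ip: str = "192.0.2.10") -> IkeSaInitRequest:
    """Constructed request with a deterministic SPI and nonce for demonstrations."""
    return IkeSaInitRequest(spi_i=bytes([n]) * 8, nonce_i=bytes([n]) * 32, src_ip=src_ip)


if __name__ == "__main__":
    r = Responder(threshold=2)
    print(r.handle_ike_sa_init(make_request(1)), r.handle_ike_sa_init(make_request(2)))
    third = make_request(3)
    print(r.handle_ike_sa_init(third))           # challenge: threshold reached
    third.cookie = r.cookie_for(third)
    print(r.handle_ike_sa_init(third), r.half_open)
```

The point the model makes is that the responder never stores anything for a challenged request: the cookie is recomputed from the retry itself, so a flood of IKE_SA_INIT messages from forged source addresses costs the responder one hash per message and no memory, while a genuine initiator only pays one extra round trip.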

Examples

# Enable the cookie challenging feature and set the threshold to 450.

<Sysname> system-view

[Sysname] ikev2 cookie-challenge 450

New command: ikev2 dpd

Use ikev2 dpd to configure the global IKEv2 DPD feature.

Use undo ikev2 dpd to disable the global IKEv2 DPD feature.

Syntax

ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }

undo ikev2 dpd interval

Default

The global IKEv2 DPD feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.


retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.

on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.

periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.

Usage guidelines

DPD is triggered periodically or on demand. The on-demand mode is recommended when the device communicates with a large number of IKEv2 peers. To detect dead peers earlier, use the periodic triggering mode, which consumes more bandwidth and CPU.

The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.

You can configure IKEv2 DPD in both IKEv2 profile view and system view. The IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.

Examples

# Configure the device to trigger IKEv2 DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for 15 seconds.

<Sysname> system-view

[Sysname] ikev2 dpd interval 15 on-demand

# Configure the device to trigger IKEv2 DPD every 15 seconds.

<Sysname> system-view

[Sysname] ikev2 dpd interval 15 periodic

Related commands

dpd (IKEv2 profile view)

New command: ikev2 ipv6-address-group

Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6 addresses to remote peers.

Use undo ikev2 ipv6-address-group to delete an IKEv2 IPv6 address pool.

Syntax

ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len

undo ikev2 ipv6-address-group group-name

Default

No IKEv2 IPv6 address pools exist.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies a name for the IKEv2 IPv6 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.

prefix prefix/prefix-len: Specifies an IPv6 prefix in the format of prefix/prefix length. The value range for the prefix-len argument is 1 to 128.

assign-len assign-len: Specifies the assigned prefix length. The value range for the assign-len argument is 0 to 128, and the value must be greater than or equal to prefix-len. The difference between assign-len and prefix-len must be no more than 16.

Usage guidelines

Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the IKEv2 IPv6 address pool. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to other devices.

IKEv2 IPv6 address pools cannot overlap with each other.
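The constraints above (prefix-len 1 to 128, assign-len at least prefix-len and at most 16 bits longer, and no overlap between pools) together bound how many subnets a pool can hand out. The following Python model is an added example, not code from the release notes or from the device; the class and function names are the example's own, and the subnet hand-out order (lowest subnet first) is an assumption.

```python
import ipaddress
from typing import Dict, Optional


class Ikev2Ipv6PoolError(ValueError):
    """A pool definition violates one of the documented constraints."""


class Ikev2Ipv6Pool:
    """Model of one 'ikev2 ipv6-address-group' pool (illustrative code, not device code)."""

    def __init__(self, group_name: str, prefix: str, assign_len: int) -> None:
        if not 1 <= len(group_name) <= 63:
            raise Ikev2Ipv6PoolError("group-name must be 1 to 63 characters")
        # strict=True rejects a prefix with host bits set; a malformed prefix raises ValueError too
        network = ipaddress.IPv6Network(prefix, strict=True)
        if not 1 <= network.prefixlen <= 128:
            raise Ikev2Ipv6PoolError("prefix-len must be in the range 1 to 128")
        if assign_len < network.prefixlen:
            raise Ikev2Ipv6PoolError("assign-len must be greater than or equal to prefix-len")
        if assign_len > 128 or assign_len - network.prefixlen > 16:
            raise Ikev2Ipv6PoolError("assign-len may exceed prefix-len by at most 16 bits")
        self.name = group_name.lower()        # group names are case-insensitive
        self.network = network
        self.assign_len = assign_len
        self._next_index = 0                  # index of the next unassigned subnet (assumed order)

    def capacity(self) -> int:
        """Subnets the pool can hand out: 2^(assign-len - prefix-len), so at most 65536."""
        return 1 << (self.assign_len - self.network.prefixlen)

    def assign(self) -> ipaddress.IPv6Network:
        """Hand the next unused /assign-len subnet to a remote peer."""
        if self._next_index >= self.capacity():
            raise Ikev2Ipv6PoolError(f"pool {self.name} is exhausted")
        base = int(self.network.network_address)
        subnet_int = base + (self._next_index << (128 - self.assign_len))
        self._next_index += 1
        return ipaddress.IPv6Network((subnet_int, self.assign_len))


class Ikev2Ipv6PoolTable:
    """All pools on the device; enforces the no-overlap rule from the usage guidelines."""

    def __init__(self) -> None:
        self.pools: Dict[str, Ikev2Ipv6Pool] = {}

    def add(self, pool: Ikev2Ipv6Pool) -> None:
        for other in self.pools.values():
            if other.name != pool.name and pool.network.overlaps(other.network):
                raise Ikev2Ipv6PoolError(
                    f"pool {pool.name} ({pool.network}) overlaps pool {other.name} ({other.network})")
        self.pools[pool.name] = pool          # re-adding a name replaces the old definition


def check_pool_definition(group_name: str, prefix: str, assign_len: int) -> Optional[str]:
    """Return None if the definition would be accepted, else the reason it is rejected."""
    try:
        Ikev2Ipv6Pool(group_name, prefix, assign_len)
    except ValueError as exc:                 # our errors and ipaddress parse errors alike
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: the pool from the command example, prefix 1:1::/64, assign-len 80
    pool = Ikev2Ipv6Pool("ipv6group", "1:1::/64", 80)
    print(pool.capacity(), pool.assign(), pool.assign())
    print(check_pool_definition("ipv6group", "1:1::/64", 81))
```

The 16-bit cap is what keeps the pool bookkeeping bounded: a /64 pool with assign-len 80 already holds 65536 peer subnets, and each of those still leaves the peer 48 bits for its own addressing.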

Examples

# Configure an IKEv2 IPv6 address pool with the name ipv6group, prefix 1:1::/64, and the assigned prefix length 80.

<Sysname> system-view

[Sysname] ikev2 ipv6-address-group ipv6group prefix 1:1::/64 assign-len 80

Related commands

ipv6-address-group

New command: ikev2 keychain

Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing IKEv2 keychain.

Use undo ikev2 keychain to delete an IKEv2 keychain.

Syntax

ikev2 keychain keychain-name

undo ikev2 keychain keychain-name

Default

No IKEv2 keychains exist.

Views

System view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies a name for the IKEv2 keychain. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. The pre-shared key configured on both ends must be the same.

You can configure multiple IKEv2 peers in an IKEv2 keychain.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.

<Sysname> system-view

[Sysname] ikev2 keychain key1

[Sysname-ikev2-keychain-key1]

New command: ikev2 nat-keepalive

Use ikev2 nat-keepalive to set the NAT keepalive interval.

Use undo ikev2 nat-keepalive to restore the default.

Syntax

ikev2 nat-keepalive seconds

undo ikev2 nat-keepalive

Default

The NAT keepalive interval is 10 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ikev2 nat-keepalive 5

New command: ikev2 policy

Use ikev2 policy to create an IKEv2 policy and enter its view, or enter the view of an existing IKEv2 policy.

Use undo ikev2 policy to delete an IKEv2 policy.

Syntax

ikev2 policy policy-name

undo ikev2 policy policy-name

Default

An IKEv2 policy named default exists, which uses the default IKEv2 proposal and matches any local addresses.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a name for the IKEv2 policy. The policy name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs. An IKEv2 policy uses IKEv2 proposals to define the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups to be used for negotiation.

You can configure multiple IKEv2 policies. An IKEv2 policy must have a minimum of one IKEv2 proposal. Otherwise, the policy is incomplete.

If the initiator uses an IPsec policy that is bound to a source interface, the initiator looks up an IKEv2 policy by the IP address of the source interface.

You can set priorities to adjust the match order of IKEv2 policies that have the same match criteria.

If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the default IKEv2 policy, nor modify it.

Examples

# Create an IKEv2 policy named policy1 and enter IKEv2 policy view.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1]

Related commands

display ikev2 policy

New command: ikev2 profile

Use ikev2 profile to create an IKEv2 profile and enter its view, or enter the view of an existing IKEv2 profile.

Use undo ikev2 profile to delete an IKEv2 profile.

Syntax

ikev2 profile profile-name

undo ikev2 profile profile-name

Default

No IKEv2 profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a name for the IKEv2 profile. The profile name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity information and authentication methods of the peers, and the matching criteria for profile lookup.

Examples

# Create an IKEv2 profile named profile1 and enter IKEv2 profile view.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1]

Related commands

display ikev2 profile

New command: ikev2 proposal

Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing IKEv2 proposal.

Use undo ikev2 proposal to delete an IKEv2 proposal.

Syntax

ikev2 proposal proposal-name

undo ikev2 proposal proposal-name

Default

An IKEv2 proposal named default exists, which has the lowest priority and uses the following settings:

In non-FIPS mode:

Encryption algorithm—AES-CBC-128 and 3DES.

Integrity protection algorithm—HMAC-SHA1 and HMAC-MD5.

PRF algorithm—HMAC-SHA1 and HMAC-MD5.

DH group—Group 5 and group 2.

In FIPS mode:

Encryption algorithm—AES-CBC-128 and AES-CTR-128.

Integrity protection algorithm—HMAC-SHA1 and HMAC-SHA256.

PRF algorithm—HMAC-SHA1 and HMAC-SHA256.

DH group—Group 14 and group 19.

Views

System view

Predefined user roles

network-admin

Parameters

proposal-name: Specifies a name for the IKEv2 proposal. The proposal name is a case-insensitive string of 1 to 63 characters and cannot be default.

Usage guidelines

An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups.

An IKEv2 proposal must have a minimum of one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.

In an IKEv2 proposal, you can specify multiple parameters of the same type. The parameters of different types combine and form multiple sets of security parameters. If you want to use only one set of security parameters, configure only one set of security parameters for the IKEv2 proposal.

Examples

# Create an IKEv2 proposal named prop1. Specify the encryption algorithm AES-CBC-128, integrity protection algorithm SHA1, PRF algorithm SHA1, and DH group 2.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

[Sysname-ikev2-proposal-prop1] encryption-algorithm aes-cbc-128

[Sysname-ikev2-proposal-prop1] authentication-algorithm sha1

[Sysname-ikev2-proposal-prop1] prf sha1

[Sysname-ikev2-proposal-prop1] dh group2

Related commands

encryption-algorithm

integrity

prf

dh

New command: inside-vrf

Use inside-vrf to specify an inside VPN instance.

Use undo inside-vrf to restore the default.

Syntax

inside-vrf vrf-name

undo inside-vrf

Default

No inside VPN instance is specified. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

vrf-name: Specifies the VPN instance to which the protected data belongs. The vrf-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

This command determines where the device should forward received IPsec packets after it de-encapsulates them. If you configure this command, the device looks for a route in the specified VPN instance to forward the packets. If you do not configure this command, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the inside VPN instance vpn1.

[Sysname-ikev2-profile-profile1] inside-vrf vpn1

New command: integrity

Use integrity to specify integrity protection algorithms for an IKEv2 proposal.

Use undo integrity to restore the default.

Syntax

In non-FIPS mode:

integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo integrity

In FIPS mode:

integrity { sha1 | sha256 | sha384 | sha512 } *

undo integrity

Default

No integrity protection algorithm is specified for an IKEv2 proposal.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.

md5: Uses the HMAC-MD5 algorithm.

sha1: Uses the HMAC-SHA1 algorithm.

sha256: Uses the HMAC-SHA256 algorithm.

sha384: Uses the HMAC-SHA384 algorithm.

sha512: Uses the HMAC-SHA512 algorithm.

Usage guidelines

You must specify a minimum of one integrity protection algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple integrity protection algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.

Examples

# Create an IKEv2 proposal named prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

# Specify HMAC-SHA1 and HMAC-MD5 as the integrity protection algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] integrity sha1 md5

Related commands

ikev2 proposal

New command: keychain

Use keychain to specify an IKEv2 keychain for pre-shared key authentication.

Use undo keychain to restore the default.

Syntax

keychain keychain-name

undo keychain

Default

No IKEv2 keychain is specified for an IKEv2 profile.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).

Usage guidelines

An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. You can specify only one IKEv2 keychain for an IKEv2 profile.

You can specify the same IKEv2 keychain for different IKEv2 profiles.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify the IKEv2 keychain keychain1.

[Sysname-ikev2-profile-profile1] keychain keychain1

Related commands

display ikev2 profile

ikev2 keychain

New command: match local (IKEv2 profile view)

Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be applied.

Use undo match local to remove a local interface or a local IP address to which an IKEv2 profile can be applied.

Syntax

match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }

undo match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }

Default

An IKEv2 profile can be applied to any local interface or IP address.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

address: Specifies a local interface or IP address to which an IKEv2 profile can be applied.

interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

Use this command to specify which address or interface can use the IKEv2 profile for IKEv2 negotiation. The interface is the interface that receives IKEv2 packets. The IP address is the IP address of the interface that receives IKEv2 packets.

An IKEv2 profile configured earlier has a higher priority. To give an IKEv2 profile that is configured later a higher priority, you can configure the priority command or this command for the profile. For example, suppose you configured IKEv2 profile A before configuring IKEv2 profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKEv2 profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKEv2 profile B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKEv2 profile A is preferred because IKEv2 profile A was configured earlier. To use IKEv2 profile B, you can use this command to restrict the application scope of IKEv2 profile B to IPv4 address 3.3.3.3.

You can specify multiple applicable local interfaces or IP addresses for an IKEv2 profile.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Apply the IKEv2 profile profile1 to the interface whose IP address is 2.2.2.2.

[Sysname-ikev2-profile-profile1] match local address 2.2.2.2

Related commands

match remote

New command: match local address (IKEv2 policy view)

Use match local address to specify a local interface or a local address that an IKEv2 policy matches.

Use undo match local address to remove a local interface or a local address that an IKEv2 policy matches.

Syntax

match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }

undo match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }

Default

No local interface or address is specified, and the IKEv2 policy matches any local interface or address.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.

ipv4-address: Specifies the IPv4 address of a local interface.

ipv6 ipv6-address: Specifies the IPv6 address of a local interface.

Usage guidelines

IKEv2 policies with this command configured are looked up before those that do not have this command configured.

Examples

# Configure the IKEv2 policy policy1 to match the local address 3.3.3.3.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] match local address 3.3.3.3

Related commands

display ikev2 policy

match vrf

New command: match remote

Use match remote to configure a peer ID that an IKEv2 profile matches.

Use undo match remote to delete a peer ID that an IKEv2 profile matches.

Syntax

match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }

Default

No matching peer ID is configured for an IKEv2 profile.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2 profile matching. The policy-name argument specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.

identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified information is configured on the peer by using the identity local command.

address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32.

address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKEv2 profile matching. The value range for the prefix-length argument is 0 to 128.

address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.

fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.

email email-string: Uses the peer's email address as the peer ID for IKEv2 profile matching. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].

key-id key-id-string: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.

Usage guidelines

The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. If you have configured the match local address and match vrf commands, the IKEv2 profile must also match the specified local interface or address and the specified VPN instance.

To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, which IKEv2 profile is selected for IKEv2 negotiation is unpredictable.

You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a higher priority.
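The profile selection described here and in the match local usage guidelines (profile A versus profile B for peer 2.2.2.6 from local address 3.3.3.3) can be modelled to check a configuration before it is deployed. The following Python is an added example, not code from the release notes or the device; the class, field and function names are the example's own. The tie-break order it applies (a profile restricted with match local address beats an unrestricted one, then the priority value, then configuration order) is an assumption drawn from the usage guidelines, which do not spell out the full ordering.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Peer ID as carried in the IKE_AUTH ID payload: ("address", "2.2.2.6") or ("fqdn", "www.test.com").
PeerId = Tuple[str, str]


@dataclass
class Ikev2Profile:
    """One IKEv2 profile and its match criteria (illustrative model, not device code)."""
    name: str
    order: int                                    # configuration order: lower = configured earlier
    remote_ranges: List[Tuple[str, str]] = field(default_factory=list)  # match remote identity address range
    remote_fqdns: List[str] = field(default_factory=list)               # match remote identity fqdn
    local_addresses: List[str] = field(default_factory=list)            # match local address
    vrf: Optional[str] = None                     # match vrf: None = public network, "any", or a name
    priority: int = 100                           # priority command; smaller = higher

    def matches_remote(self, peer_id: PeerId) -> bool:
        kind, value = peer_id
        if kind == "address":
            addr = ipaddress.IPv4Address(value)
            return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
                       for lo, hi in self.remote_ranges)
        if kind == "fqdn":
            return value in self.remote_fqdns     # fqdn-name is case-sensitive
        return False

    def matches_local(self, local_address: str) -> bool:
        # Without 'match local address', the profile applies to any local address.
        return not self.local_addresses or local_address in self.local_addresses

    def matches_vrf(self, vrf: Optional[str]) -> bool:
        return self.vrf == "any" or self.vrf == vrf

    def remote_id_specs(self) -> List[Tuple[str, ...]]:
        """Every peer ID this profile is configured to match, in a comparable form."""
        return [("range",) + r for r in self.remote_ranges] + [("fqdn", f) for f in self.remote_fqdns]


def select_profile(profiles: List[Ikev2Profile], peer_id: PeerId,
                   local_address: str, vrf: Optional[str] = None) -> Optional[Ikev2Profile]:
    """Pick the profile used to negotiate with a peer.

    Assumed tie-break (see lead-in): match-local-restricted first, then priority,
    then configuration order, earliest wins.
    """
    candidates = [p for p in profiles
                  if p.matches_remote(peer_id) and p.matches_local(local_address) and p.matches_vrf(vrf)]
    if not candidates:
        return None
    candidates.sort(key=lambda p: (0 if p.local_addresses else 1, p.priority, p.order))
    return candidates[0]


def duplicate_peer_ids(profiles: List[Ikev2Profile]) -> Dict[Tuple[str, ...], List[str]]:
    """Configuration lint: peer IDs configured in more than one profile.

    The usage guidelines say this makes the selected profile unpredictable, so
    flag it before the configuration is committed.
    """
    owners: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for p in profiles:
        for spec in p.remote_id_specs():
            owners[spec].append(p.name)
    return {spec: names for spec, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample matching the worked case in the match local usage guidelines
    a = Ikev2Profile("A", 1, remote_ranges=[("2.2.2.1", "2.2.2.100")])
    b = Ikev2Profile("B", 2, remote_ranges=[("2.2.2.1", "2.2.2.10")])
    print(select_profile([a, b], ("address", "2.2.2.6"), "3.3.3.3").name)   # A, configured earlier
    b.local_addresses = ["3.3.3.3"]
    print(select_profile([a, b], ("address", "2.2.2.6"), "3.3.3.3").name)   # B, restricted to 3.3.3.3
```

Running the lint over a full set of profiles before a change is cheaper than debugging an IKE_AUTH that lands in the wrong profile and therefore the wrong keychain or VPN instance.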

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Configure the IKEv2 profile to match the peer ID that is the FQDN name www.test.com.

[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com

# Configure the IKEv2 profile to match the peer ID that is the IP address 10.1.1.1.

[Sysname-ikev2-profile-profile1] match remote identity address 10.1.1.1

Related commands

identity local

match local address

match vrf

New command: match vrf (IKEv2 policy view)

Use match vrf to specify a VPN instance that an IKEv2 policy matches.

Use undo match vrf to restore the default.

Syntax

match vrf { name vrf-name | any }

undo match vrf

Default

No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs.

IKEv2 policies with this command configured are looked up before those that do not have this command configured.

Examples

# Create an IKEv2 policy named policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

# Configure the IKEv2 policy to match the VPN instance vpn1.

[Sysname-ikev2-policy-policy1] match vrf name vpn1

Related commands

display ikev2 policy

match local address

New command: match vrf (IKEv2 profile view)

Use match vrf to specify a VPN instance for an IKEv2 profile.

Use undo match vrf to restore the default.

Syntax

match vrf { name vrf-name | any }

undo match vrf

Default

An IKEv2 profile belongs to the public network.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

any: Specifies the public network and all VPN instances.

Usage guidelines

If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation. The VPN instance is the VPN instance to which the interface that receives IKEv2 packets belongs. If you specify the any keyword, interfaces in any VPN instance can use the IKEv2 profile for IKEv2 negotiation.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Specify vrf1 as the VPN instance that the IKEv2 profile belongs to.

[Sysname-ikev2-profile-profile1] match vrf name vrf1

Related commands

match remote

New command: nat-keepalive

Use nat-keepalive to set the NAT keepalive interval.

Use undo nat-keepalive to restore the default.

Syntax

nat-keepalive seconds

undo nat-keepalive

Default

The NAT keepalive interval set in system view is used.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.

Usage guidelines

This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.

The NAT keepalive interval must be shorter than the NAT session lifetime.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Set the NAT keepalive interval to 1200 seconds.

[Sysname-ikev2-profile-profile1] nat-keepalive 1200

Related commands

display ikev2 profile

ikev2 nat-keepalive

New command: peer

Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer.

Use undo peer to delete an IKEv2 peer.

Syntax

peer name

undo peer name

Default

No IKEv2 peers exist.

Views

IKEv2 keychain view

Predefined user roles

network-admin

Parameters

name: Specifies a name for the IKEv2 peer. The peer name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IKEv2 peer contains a pre-shared key and the criteria for looking up the peer. The criteria for peer lookup include the peer's host name, IP address, IP address range, and ID. The IKEv2 negotiation initiator uses the peer's host name, IP address, or IP address range to look up its peer. The responder uses the peer's IP address, IP address range, or ID to look up its peer.

Examples

# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

Related commands

address

hostname

identity

ikev2 keychain

New command: pre-shared-key

Use pre-shared-key to configure a pre-shared key.

Use undo pre-shared-key to delete a pre-shared key.

Syntax

pre-shared-key [ local | remote ] { ciphertext | plaintext } string

undo pre-shared-key [ local | remote ]

Default

No pre-shared key exists.

Views

IKEv2 peer view

Predefined user roles

network-admin

Parameters

local: Specifies a pre-shared key for certificate signing.

remote: Specifies a pre-shared key for certificate authentication.

ciphertext: Specifies a pre-shared key in encrypted form.

plaintext: Specifies a pre-shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the pre-shared key. The key is case sensitive. In non-FIPS mode, its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters. In FIPS mode, its plaintext form is a string of 15 to 128 characters and its encrypted form is a string of 15 to 201 characters.

Usage guidelines

If you specify the local or remote keyword, you configure an asymmetric key. If you specify neither the local nor the remote keyword, you configure a symmetric key.

To delete a key by using the undo command, you must specify the correct key type. For example, if you configure a key by using the pre-shared-key local command, you cannot delete the key by using the undo pre-shared-key or undo pre-shared-key remote command.

If you execute this command multiple times, the most recent configuration takes effect.
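The symmetric and asymmetric key rules above decide which key each side signs with and which it verifies with. The Python below is an added example, not code from the release notes or the device, showing the RFC 7296 shared-key AUTH computation (AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets)) and a pairing check for two keychain peer entries. HMAC-SHA256 as the prf, the KeychainPeer class and the helper names are the example's own; the signed octets are a constructed byte string, and the same octets are used in both directions although a real exchange signs different octets for initiator and responder.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Literal pad string from RFC 7296 section 2.15 (17 ASCII characters, no terminator).
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """PRF for the example: HMAC-SHA256 (the 'prf sha256' choice in an IKEv2 proposal)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload for shared-key authentication, RFC 7296 section 2.15.

    The inner prf derives a signing key from the PSK; the outer prf binds it to the
    IKE_SA_INIT message, nonce and ID payload that make up the signed octets.
    """
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


class KeychainPeer:
    """Pre-shared keys of one 'peer' entry in an IKEv2 keychain (model, not device code).

    symmetric: key configured without 'local'/'remote', used in both directions
    local:     'pre-shared-key local ...', used to sign our own AUTH payload
    remote:    'pre-shared-key remote ...', used to verify the peer's AUTH payload
    """

    def __init__(self, symmetric: Optional[bytes] = None,
                 local: Optional[bytes] = None, remote: Optional[bytes] = None) -> None:
        self.symmetric, self.local, self.remote = symmetric, local, remote

    def signing_key(self) -> bytes:
        return self.local if self.local is not None else self.symmetric

    def verify_key(self) -> bytes:
        return self.remote if self.remote is not None else self.symmetric


def verify(sender: KeychainPeer, receiver: KeychainPeer, signed_octets: bytes) -> bool:
    """Receiver recomputes AUTH with its verify key and compares in constant time."""
    received_auth = psk_auth(sender.signing_key(), signed_octets)
    expected_auth = psk_auth(receiver.verify_key(), signed_octets)
    return hmac.compare_digest(received_auth, expected_auth)


def check_pairing(initiator: KeychainPeer, responder: KeychainPeer,
                  signed_octets: bytes) -> Tuple[bool, bool]:
    """(initiator authenticated by responder, responder authenticated by initiator).

    A key pair is consistent only when each side's 'local' key equals the other
    side's 'remote' key, so both values must be True.
    """
    return (verify(initiator, responder, signed_octets),
            verify(responder, initiator, signed_octets))


def psk_length_ok(plaintext_key: bytes, fips: bool = False) -> bool:
    """Plaintext key length rule from the command reference: 1 to 128 (non-FIPS), 15 to 128 (FIPS)."""
    low = 15 if fips else 1
    return low <= len(plaintext_key) <= 128


if __name__ == "__main__":
    octets = b"constructed IKE_AUTH signed octets"     # constructed sample, not a real capture
    init = KeychainPeer(local=b"111-key-a", remote=b"111-key-b")   # initiator peer2 from the example
    resp = KeychainPeer(local=b"111-key-b", remote=b"111-key-a")   # responder peer2 from the example
    print(check_pairing(init, resp, octets))                        # (True, True)
```

The asymmetric form is worth the extra bookkeeping where the two sides are administered separately: a peer that knows only its own signing key and the other side's verification key cannot impersonate the other side if its keychain is disclosed.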

Examples

On the initiator:

# Create an IKEv2 keychain named key1.

<Sysname> system-view

[Sysname] ikev2 keychain key1

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-key1] peer peer1

# Configure the symmetric plaintext pre-shared key 111-key.

[Sysname-ikev2-keychain-key1-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-key1-peer-peer1] quit

# Create an IKEv2 peer named peer2.

[Sysname-ikev2-keychain-key1] peer peer2

# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-a and the key for certificate authentication is 111-key-b.

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a

[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b

On the responder:

# Create an IKEv2 keychain named telecom.

<Sysname> system-view

[Sysname] ikev2 keychain telecom

# Create an IKEv2 peer named peer1.

[Sysname-ikev2-keychain-telecom] peer peer1

# Configure the symmetric plaintext pre-shared key 111-key.

[Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key

[Sysname-ikev2-keychain-telecom-peer-peer1] quit

# Create an IKEv2 peer named peer2.

[Sysname-ikev2-keychain-telecom] peer peer2

# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-b and the key for certificate authentication is 111-key-a.

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key local plaintext 111-key-b

[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key remote plaintext 111-key-a

Related commands

ikev2 keychain

peer

New command: prf

Use prf to specify pseudo-random function (PRF) algorithms for an IKEv2 proposal.

Use undo prf to restore the default.

Syntax

In non-FIPS mode:

prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *

undo prf

In FIPS mode:

prf { sha1 | sha256 | sha384 | sha512 } *

undo prf

Default

An IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.

Views

IKEv2 proposal view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.

md5: Uses the HMAC-MD5 algorithm.

sha1: Uses the HMAC-SHA1 algorithm.

sha256: Uses the HMAC-SHA256 algorithm.

sha384: Uses the HMAC-SHA384 algorithm.

sha512: Uses the HMAC-SHA512 algorithm.

Usage guidelines

You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
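The ikev2 proposal usage guidelines state that algorithms of different types combine into multiple sets of security parameters, and the integrity and prf commands add that an algorithm specified earlier has a higher priority. The Python below is an added example, not code from the release notes or the device, that expands a proposal into the suites it offers in priority order, reproduces the documented default proposal for both modes, and flags legacy components. The class and function names are the example's own, and the negotiation rule (responder accepts the first of the initiator's suites it also supports) is an assumption, since the page does not say whose ordering wins.

```python
from itertools import product
from typing import List, Optional, Sequence, Tuple

# One negotiable suite: (encryption, integrity, prf, dh), as offered in IKE_SA_INIT.
ParamSet = Tuple[str, str, str, str]

# Components RFC 8247 lists as SHOULD NOT for IKEv2; surfaced so a reviewer sees them.
LEGACY = {"3des": "3DES", "md5": "HMAC-MD5", "group2": "1024-bit MODP", "group5": "1536-bit MODP"}


class Ikev2Proposal:
    """Model of one 'ikev2 proposal' (illustrative code, not the device implementation)."""

    def __init__(self, name: str, encryption: Sequence[str] = (), integrity: Sequence[str] = (),
                 prf: Sequence[str] = (), dh: Sequence[str] = ()) -> None:
        self.name = name.lower()            # proposal names are case-insensitive
        # Order matters in every list: an algorithm specified earlier has higher priority.
        self.encryption = list(encryption)
        self.integrity = list(integrity)
        self.prf = list(prf)
        self.dh = list(dh)

    def effective_prf(self) -> List[str]:
        # Default of the prf command: the integrity protection algorithms double as PRFs.
        return self.prf or self.integrity

    def is_complete(self) -> bool:
        # A usable proposal needs at least one algorithm of every type.
        return bool(self.encryption and self.integrity and self.effective_prf() and self.dh)

    def param_sets(self) -> List[ParamSet]:
        """Expand the per-type lists into the suites offered, highest priority first.

        itertools.product keeps each list's order, so suites built from earlier-listed
        algorithms come first, which matches the 'specified earlier = higher priority' rule.
        """
        if not self.is_complete():
            return []
        return list(product(self.encryption, self.integrity, self.effective_prf(), self.dh))


def default_proposal(fips: bool = False) -> Ikev2Proposal:
    """The built-in 'default' proposal as documented for non-FIPS and FIPS mode."""
    if fips:
        return Ikev2Proposal("default", ["aes-cbc-128", "aes-ctr-128"], ["sha1", "sha256"],
                             ["sha1", "sha256"], ["group14", "group19"])
    return Ikev2Proposal("default", ["aes-cbc-128", "3des"], ["sha1", "md5"],
                         ["sha1", "md5"], ["group5", "group2"])


def policy_param_sets(proposals: Sequence[Ikev2Proposal]) -> List[ParamSet]:
    """Suites offered by an IKEv2 policy: proposals in configured order, each fully expanded."""
    sets: List[ParamSet] = []
    for proposal in proposals:          # a proposal specified earlier has higher priority
        sets.extend(proposal.param_sets())
    return sets


def negotiate(initiator: Sequence[ParamSet], responder: Sequence[ParamSet]) -> Optional[ParamSet]:
    """Pick the suite both sides accept (assumed rule: initiator's order, first common suite)."""
    acceptable = set(responder)
    for suite in initiator:
        if suite in acceptable:
            return suite
    return None


def legacy_components(suite: ParamSet) -> List[str]:
    """Legacy components of a suite, so a reviewer can see what could be negotiated."""
    return [LEGACY[c] for c in suite if c in LEGACY]


if __name__ == "__main__":
    # Constructed sample: prop1 with 'integrity sha1 md5' and 'prf sha1 md5' from the examples
    prop1 = Ikev2Proposal("prop1", ["aes-cbc-128"], ["sha1", "md5"], ["sha1", "md5"], ["group2"])
    for suite in prop1.param_sets():
        print(suite, legacy_components(suite))
    print(negotiate(prop1.param_sets(), default_proposal().param_sets()))
```

Expanding the proposal makes the attack surface of a permissive configuration visible: listing two algorithms per type quadruples the suites a peer may choose from, and any suite containing a legacy component can be selected by a peer that prefers it.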

Examples

# Create an IKEv2 proposal named prop1.

<Sysname> system-view

[Sysname] ikev2 proposal prop1

# Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred.

[Sysname-ikev2-proposal-prop1] prf sha1 md5

Related commands

ikev2 proposal

integrity

New command: priority (IKEv2 policy view)

Use priority to set a priority for an IKEv2 policy.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 policy is 100.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

priority: Specifies the priority of the IKEv2 policy, in the range of 1 to 65535. A smaller number represents a higher priority.

Usage guidelines

The priority set by this command can only be used to adjust the match order of IKEv2 policies.

Examples

# Set the priority to 10 for the IKEv2 policy policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] priority 10

Related commands

display ikev2 policy

New command: priority (IKEv2 profile view)

Use priority to set a priority for an IKEv2 profile.

Use undo priority to restore the default.

Syntax

priority priority

undo priority

Default

The priority of an IKEv2 profile is 100.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535. A smaller number represents a higher priority.

Usage guidelines

The priority set by this command can only be used to adjust the match order of IKEv2 profiles.

Examples

# Set the priority to 10 for the IKEv2 profile profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

[Sysname-ikev2-profile-profile1] priority 10

New command: proposal

Use proposal to specify an IKEv2 proposal for an IKEv2 policy.

Use undo proposal to remove an IKEv2 proposal from an IKEv2 policy.

Syntax

proposal proposal-name

undo proposal proposal-name

Default

No IKEv2 proposal is specified for an IKEv2 policy.

Views

IKEv2 policy view

Predefined user roles

network-admin

Parameters

proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.

Examples

# Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1.

<Sysname> system-view

[Sysname] ikev2 policy policy1

[Sysname-ikev2-policy-policy1] proposal proposal1

Related commands

display ikev2 policy

ikev2 proposal

New command: reset ikev2 sa

Use reset ikev2 sa to delete IKEv2 SAs.

Syntax

reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]

Views

User view

Predefined user roles

network-admin

Parameters

local: Deletes IKEv2 SAs for a local IP address.

remote: Deletes IKEv2 SAs for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Deletes IKEv2 SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command deletes IKEv2 SAs for the public network.

tunnel tunnel-id: Deletes IKEv2 SAs for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

fast: Notifies the peers of the deletion and deletes IKEv2 SAs directly before receiving the peers' responses. If you do not specify this keyword, the device notifies the peers of the deletion and deletes IKEv2 SAs after it receives the peers' responses.

Usage guidelines

Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.

If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.

Examples

# Display information about IKEv2 SAs.

<Sysname> display ikev2 sa

Tunnel ID   Local                 Remote                Status

--------------------------------------------------------------------

1           1.1.1.1/500           1.1.1.2/500           EST

2           2.2.2.1/500           2.2.2.2/500           EST

Status:

IN-NEGO: Negotiating EST: Established, DEL: Deleting

# Delete the IKEv2 SA whose remote IP address is 1.1.1.2.

<Sysname> reset ikev2 sa remote 1.1.1.2

# Display information about IKEv2 SAs again. Verify that the IKEv2 SA is deleted.

<Sysname> display ikev2 sa

Tunnel ID   Local                 Remote                Status

--------------------------------------------------------------------

2           2.2.2.1/500           2.2.2.2/500           EST

Status:

IN-NEGO: Negotiating EST: Established, DEL: Deleting

Related commands

display ikev2 sa

New command: reset ikev2 statistics

Use reset ikev2 statistics to clear IKEv2 statistics.

Syntax

reset ikev2 statistics

Views

Any view

Predefined user roles

network-admin

Examples

# Clear IKEv2 statistics.

<Sysname> reset ikev2 statistics


New command: sa duration

Use sa duration to set the IKEv2 SA lifetime.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The IKEv2 SA lifetime is 86400 seconds.

Views

IKEv2 profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.

Usage guidelines

An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, which avoids repeating the full IKE_SA_INIT and IKE_AUTH exchanges for every child SA. However, the longer the lifetime, the more traffic is protected under the same keys and the more time an attacker has to collect material for an attack against them.

Two peers can have different IKEv2 SA lifetime settings, and they do not perform lifetime negotiation.

The peer with a shorter lifetime always initiates the rekeying.

Examples

# Create an IKEv2 profile named profile1.

<Sysname> system-view

[Sysname] ikev2 profile profile1

# Set the IKEv2 SA lifetime to 1200 seconds.

[Sysname-ikev2-profile-profile1] sa duration 1200

Related commands

display ikev2 profile

New command: esn enable

Use esn enable to enable the Extended Sequence Number (ESN) feature.

Use undo esn enable to disable the ESN feature.

Syntax

esn enable [ both ]

undo esn enable

Default

ESN is disabled.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

both: Allows IPsec to negotiate either the extended sequence number or the traditional 32-bit sequence number, so that an SA can still be set up with a peer that does not support ESN. If you do not specify this keyword, IPsec supports only the extended sequence number.

Usage guidelines

The ESN feature extends the sequence number length from 32 bits to 64 bits. Only the low-order 32 bits are carried in the ESP header; both peers track the high-order 32 bits locally and include them in the ICV computation. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does not need to be renegotiated.

This feature must be enabled at both the initiator and the responder.
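The following Python code is an added example, not part of these release notes or of the Comware implementation. It shows what a receiver has to do once ESN is negotiated: only the low-order 32 bits of the sequence number travel in the ESP header, so the receiver reconstructs the high-order 32 bits from its anti-replay window state (RFC 4303 Appendix A2.2) before running the replay check. A helper also shows how quickly a 32-bit sequence space is exhausted at line rate. The window size of 64 and the packet rate are assumptions chosen for illustration.

```python
"""RFC 4303 Extended Sequence Numbers on the receive side: recover the 64-bit
sequence number from the 32-bit value carried in the ESP header (Appendix A2.2)
and run the sliding-window anti-replay check on the recovered value."""
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF


class EsnReplayWindow:
    """Anti-replay state for one inbound ESP SA that negotiated ESN."""

    def __init__(self, window_size: int = 64) -> None:
        if window_size < 32:
            raise ValueError("RFC 4303 requires an anti-replay window of at least 32")
        self.w = window_size
        self.top = 0      # T: highest 64-bit sequence number accepted so far
        self.bitmap = 1   # bit i set => T - i received; seq 0 is never sent on an SA

    def infer_seqh(self, seql: int) -> int:
        """Choose the high-order 32 bits (Seqh) for a received low-order value
        Seql, following RFC 4303 Appendix A2.2."""
        tl, th = self.top & MASK32, self.top >> 32
        bl = (tl - self.w + 1) & MASK32   # low 32 bits of the window bottom
        if tl >= self.w - 1:
            # the whole window lies inside one 2^32 subspace
            return th if seql >= bl else th + 1
        # the window straddles a subspace boundary (bl wrapped to a large value)
        return th - 1 if seql >= bl else th

    def receive(self, seql: int) -> Tuple[bool, Optional[int]]:
        """Return (accepted, reconstructed 64-bit sequence number).

        A real receiver reconstructs Seq, verifies the ICV with Seqh folded
        into the authenticated data, and only then advances the window, so a
        wrong Seqh guess fails authentication instead of poisoning the window.
        Check and update are combined here for brevity."""
        seql &= MASK32
        seqh = self.infer_seqh(seql)
        if seqh < 0:
            return False, None            # would precede the first subspace
        seq = (seqh << 32) | seql
        if seq > self.top:                # new right edge: slide the window
            shift = min(seq - self.top, self.w)
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.top = seq
            return True, seq
        offset = self.top - seq
        if offset >= self.w:              # cannot trigger after Seqh inference;
            return False, seq             # kept to mirror the 32-bit check
        if self.bitmap >> offset & 1:
            return False, seq             # replay
        self.bitmap |= 1 << offset
        return True, seq


def seconds_until_exhausted(packets_per_second: float, esn: bool) -> float:
    """Time until the sequence space is used up and the SA must be rekeyed."""
    space = 2 ** 64 if esn else 2 ** 32
    return space / packets_per_second


if __name__ == "__main__":
    win = EsnReplayWindow()
    for low in (1, 100, 0xFFFFFFFF, 0, 0xFFFFFFFE, 0xFFFFFFFF):
        print(hex(low), win.receive(low))
    # 14.88 Mpps is the 64-byte frame rate of a single 10GbE link (assumed load)
    print("32-bit space lasts %.0f s, 64-bit space %.2e s"
          % (seconds_until_exhausted(14.88e6, False), seconds_until_exhausted(14.88e6, True)))
```

The late packet 0xFFFFFFFE arriving after the counter has wrapped is accepted because the window state says the previous subspace is still within reach; the same value sent twice is rejected as a replay, and a value that would need a negative Seqh is rejected outright.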

Examples

# Enable the ESN feature in the IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esn enable

Related commands

display ipsec transform-set

New command: ikev2-profile

Use ikev2-profile to specify an IKEv2 profile for an IPsec policy or IPsec policy template.

Use undo ikev2-profile to restore the default.

Syntax

ikev2-profile profile-name

undo ikev2-profile

Default

No IKEv2 profile is specified.

Views

IPsec policy view, IPsec policy template view

Predefined user roles

network-admin

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IKEv2 profile specified for an IPsec policy or IPsec policy template defines the parameters used for IKEv2 negotiation.

You can specify only one IKEv2 profile for an IPsec policy or IPsec policy template. On the initiator, an IKEv2 profile is required. On the responder, an IKEv2 profile is optional. If you do not specify an IKEv2 profile, the responder can use any IKEv2 profile for negotiation.

Examples

# Specify the IKEv2 profile profile1 for the IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ikev2-profile profile1

Related commands

display ipsec ipv6-policy

display ipsec policy

ikev2 profile

New command: tfc enable

Use tfc enable to enable the Traffic Flow Confidentiality (TFC) padding feature.

Use undo tfc enable to disable the TFC padding feature.

Syntax

tfc enable

undo tfc enable

Default

TFC padding is disabled.

Views

IPsec policy view, IPsec policy template view

Predefined user roles

network-admin

Usage guidelines

The TFC padding feature hides the length of the original packet by appending padding before the ESP trailer, and it might affect the packet encapsulation and de-encapsulation performance. This feature takes effect on UDP packets encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode, because in both cases the receiver can use the length field of the protected packet to discard the padding.
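As an added example (not product code; the Comware implementation is not public), the following Python builds the plaintext that ESP encrypts, with and without TFC padding, and shows why the receiver can strip the padding only when the inner packet carries its own length field. The sample packets and the 64-byte and 32-byte padding buckets are constructed for illustration, and the IPv4 header checksum is left at zero.

```python
"""ESP payload framing with Traffic Flow Confidentiality (TFC) padding
(RFC 4303 section 2.7) and the receiver-side logic that strips it again."""
import os
import struct
from typing import Optional, Tuple

IPPROTO_IPV4 = 4    # ESP Next Header value for an IPv4 packet in tunnel mode
IPPROTO_UDP = 17    # Next Header value for UDP in transport mode


def build_ipv4(payload: bytes, proto: int = IPPROTO_UDP) -> bytes:
    """Minimal IPv4 header (checksum left zero, constructed sample) + payload."""
    total_length = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def esp_plaintext(inner: bytes, next_header: int, block: int = 16,
                  tfc_bucket: Optional[int] = None) -> bytes:
    """Build what ESP encrypts: inner || TFC padding || padding || pad len || NH.

    With tfc_bucket set, the inner packet is padded up to the next multiple of
    tfc_bucket bytes, so every packet in the same bucket has the same wire size."""
    tfc = b""
    if tfc_bucket:
        target = -(-len(inner) // tfc_bucket) * tfc_bucket   # ceil to the bucket
        tfc = os.urandom(target - len(inner))                 # content is arbitrary
    body = inner + tfc
    pad_len = (-(len(body) + 2)) % block      # body + padding + 2 = cipher block multiple
    padding = bytes(range(1, pad_len + 1))    # RFC 4303 default monotonic padding
    return body + padding + bytes([pad_len, next_header])


def strip_esp(plaintext: bytes) -> Tuple[bytes, int]:
    """Undo esp_plaintext. TFC padding can only be discarded when the inner
    packet carries its own length, which is why the device applies TFC to
    tunnel-mode IP packets and transport-mode UDP but not, say, transport-mode TCP."""
    pad_len, next_header = plaintext[-2], plaintext[-1]
    body = plaintext[:-2 - pad_len]
    if next_header == IPPROTO_IPV4:
        total_length = struct.unpack("!H", body[2:4])[0]     # IPv4 Total Length
        return body[:total_length], next_header
    if next_header == IPPROTO_UDP:
        udp_length = struct.unpack("!H", body[4:6])[0]       # UDP Length
        return body[:udp_length], next_header
    return body, next_header   # no length field: TFC padding cannot be removed


# Constructed sample packets.
SAMPLE_SHORT = build_ipv4(b"hello")                               # 25 bytes
SAMPLE_LONG = build_ipv4(b"x" * 40)                               # 60 bytes
SAMPLE_UDP = struct.pack("!HHHH", 1234, 5678, 13, 0) + b"hello"   # UDP header + data

if __name__ == "__main__":
    for pkt in (SAMPLE_SHORT, SAMPLE_LONG):
        plain = len(esp_plaintext(pkt, IPPROTO_IPV4))
        hidden = len(esp_plaintext(pkt, IPPROTO_IPV4, tfc_bucket=64))
        print(f"inner {len(pkt):3d} bytes -> ESP plaintext {plain} bytes, with TFC {hidden} bytes")
```

Without TFC the two sample packets produce 32- and 64-byte ESP payloads, so an observer can tell them apart by size alone; with a 64-byte bucket both become 80 bytes and the receiver still recovers the exact original from the inner Total Length field.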

Examples

# Enable TFC padding for the IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable

Related commands

display ipsec ipv6-policy

display ipsec policy

Modified command: ah authentication-algorithm

Old syntax

In non-FIPS mode:

ah authentication-algorithm { md5 | sha1 | sm3 } *

undo ah authentication-algorithm

In FIPS mode:

ah authentication-algorithm sha1

undo ah authentication-algorithm

New syntax

In non-FIPS mode:

ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo ah authentication-algorithm

In FIPS mode:

ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *

undo ah authentication-algorithm

Views

IPsec transform set view

Change description

The following keywords were added:

aes-xcbc-mac: Specifies the AES-XCBC-MAC-96 algorithm (RFC 3566). Despite the HMAC- prefix some documentation attaches to it, this is a CBC-MAC construction keyed with AES, not an HMAC.

sha256: Specifies the HMAC-SHA256 algorithm.

sha384: Specifies the HMAC-SHA384 algorithm.

sha512: Specifies the HMAC-SHA512 algorithm.


Modified command: display ipsec { ipv6-policy | policy }

Syntax

display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]

Views

Any view

Change description

The following fields were added to the command output:

Traffic Flow Confidentiality

—Whether Traffic Flow Confidentiality (TFC) padding is enabled.

IKEv2 profile

—IKEv2 profile used by the IPsec policy.

Modified command: display ipsec { ipv6-policy-template | policy-template }

Syntax

display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]

Views

Any view

Change description

The following fields were added to the command output:

Traffic Flow Confidentiality

—Whether Traffic Flow Confidentiality (TFC) padding is enabled.

Selector mode

—Data flow protection mode of the IPsec policy template.

Local address

—Local end IP address of the IPsec tunnel.

IKEv2 profile

—IKEv2 profile used by the IPsec policy template.

SA idle time

—Idle timeout of the IPsec SA, in seconds.

Modified command: display ipsec sa

Syntax

display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]

Views

Any view

Change description

The following fields were added to the command output:


Extended Sequence Number enable

—Whether Extended Sequence Number (ESN) is enabled.

Traffic Flow Confidentiality enable

—Whether Traffic Flow Confidentiality (TFC) padding is enabled.

Inside VRF

—VPN instance to which the protected data flow belongs.

The following values were added to the Perfect Forward Secrecy field:

dh-group19

—256-bit ECP Diffie-Hellman group.

dh-group20

—384-bit ECP Diffie-Hellman group.

Modified command: display ipsec transform-set

Syntax

display ipsec transform-set [ transform-set-name ]

Views

Any view

Change description

The following fields were added to the command output:

ESN

—Whether Extended Sequence Number (ESN) is enabled.

PFS

—Perfect Forward Secrecy (PFS) configuration.

Modified command: display ipsec tunnel

Syntax

display ipsec tunnel { brief | count | tunnel-id tunnel-id }

Views

Any view

Change description

The following values were added to the Perfect Forward Secrecy field of the command output:

dh-group19

—256-bit ECP Diffie-Hellman group.

dh-group20

—384-bit ECP Diffie-Hellman group.

Modified command: esp authentication-algorithm

Old syntax

In non-FIPS mode:

esp authentication-algorithm { md5 | sha1 | sm3 } *


undo esp authentication-algorithm

In FIPS mode:

esp authentication-algorithm sha1

undo esp authentication-algorithm

New syntax

In non-FIPS mode:

esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo esp authentication-algorithm

In FIPS mode:

esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *

undo esp authentication-algorithm

Views

IPsec transform set view

Change description

The following keywords were added:

aes-xcbc-mac: Specifies the AES-XCBC-MAC-96 algorithm (RFC 3566). Despite the HMAC- prefix some documentation attaches to it, this is a CBC-MAC construction keyed with AES, not an HMAC.

sha256: Specifies the HMAC-SHA256 algorithm.

sha384: Specifies the HMAC-SHA384 algorithm.

sha512: Specifies the HMAC-SHA512 algorithm.

Modified command: esp encryption-algorithm

Old syntax

In non-FIPS mode:

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *

undo esp encryption-algorithm

In FIPS mode:

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*

undo esp encryption-algorithm

New syntax

In non-FIPS mode:

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *

undo esp encryption-algorithm

In FIPS mode:

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *

undo esp encryption-algorithm

Views

IPsec transform set view

Change description

The following keywords were added:

aes-ctr-128: Uses the AES algorithm with a 128-bit key in CTR mode. This keyword is available only for IKEv2.

aes-ctr-192: Uses the AES algorithm with a 192-bit key in CTR mode. This keyword is available only for IKEv2.

aes-ctr-256: Uses the AES algorithm with a 256-bit key in CTR mode. This keyword is available only for IKEv2.

camellia-cbc-128: Uses the Camellia algorithm with a 128-bit key in CBC mode. This keyword is available only for IKEv2.

camellia-cbc-192: Uses the Camellia algorithm with a 192-bit key in CBC mode. This keyword is available only for IKEv2.

camellia-cbc-256: Uses the Camellia algorithm with a 256-bit key in CBC mode. This keyword is available only for IKEv2.

gmac-128: Uses the GMAC algorithm with a 128-bit key. This keyword is available only for IKEv2.

gmac-192: Uses the GMAC algorithm with a 192-bit key. This keyword is available only for IKEv2.

gmac-256: Uses the GMAC algorithm with a 256-bit key. This keyword is available only for IKEv2.

gcm-128: Uses the GCM algorithm with a 128-bit key. This keyword is available only for IKEv2.

gcm-192: Uses the GCM algorithm with a 192-bit key. This keyword is available only for IKEv2.

gcm-256: Uses the GCM algorithm with a 256-bit key. This keyword is available only for IKEv2.


Modified command: pfs

Old syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }

undo pfs

In FIPS mode:

pfs dh-group14

undo pfs

New syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group24 }

undo pfs

In FIPS mode:

pfs { dh-group14 | dh-group19 | dh-group20 | dh-group24 }

undo pfs

Views

IPsec transform set view

Change description

The following keywords were added:

dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

dh-group20: Uses 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

Modified command: pre-shared-key

Old syntax

pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }

undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }

New syntax

In non-FIPS mode:

pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }

undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }

In FIPS mode:

pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher cipher-key ]

undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }

Views

IKE keychain view

Change description

After modification, in FIPS mode, if you do not specify the cipher cipher-key option, you are prompted to enter a plaintext pre-shared key interactively. The key is a case-sensitive string of 15 to 128 characters, and it must contain uppercase letters, lowercase letters, digits, and special characters other than the question mark (?). Non-FIPS mode does not support configuring a pre-shared key in interactive mode; there the key must be given on the command line with the cipher or simple keyword.
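An added example, not part of these release notes, that checks a candidate key against the FIPS-mode rule above and generates a compliant key from the operating system CSPRNG. The set of special characters it accepts is an assumption (ASCII punctuation minus the question mark, which the Comware CLI reserves for online help); confirm it against the device before relying on it.

```python
"""Validate and generate IKE pre-shared keys for the FIPS-mode rule: 15 to 128
characters with at least one uppercase letter, one lowercase letter, one digit
and one special character, and no '?' anywhere."""
import secrets
import string
from typing import List

# Assumed special-character set: ASCII punctuation without '?' (CLI help key).
SPECIALS = "".join(c for c in string.punctuation if c != "?")


def psk_violations(key: str) -> List[str]:
    """Return the list of rule violations; an empty list means the key is acceptable."""
    problems = []
    if not 15 <= len(key) <= 128:
        problems.append("length must be 15 to 128 characters")
    if "?" in key:
        problems.append("'?' is not allowed (the CLI reserves it for online help)")
    if not any(c.isupper() for c in key):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in key):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in key):
        problems.append("needs a digit")
    if not any(c in SPECIALS for c in key):
        problems.append("needs a special character")
    return problems


def generate_psk(length: int = 32) -> str:
    """Draw one character from each required class, fill the rest from the
    union of the classes, then shuffle with the CSPRNG so the class positions
    are not predictable."""
    if not 15 <= length <= 128:
        raise ValueError("length must be 15 to 128")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("Abcdefghij12345!", "Abcdefghij12345?", "short1!", generate_psk(40)):
        print(repr(candidate), psk_violations(candidate) or "OK")
```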

Modified command: authentication-algorithm

Old syntax

In non-FIPS mode:

authentication-algorithm { md5 | sha | sm3 }

undo authentication-algorithm

In FIPS mode:

authentication-algorithm sha

undo authentication-algorithm

New syntax

In non-FIPS mode:

authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 | sm3 }

undo authentication-algorithm

In FIPS mode:

authentication-algorithm { sha | sha256 | sha384 | sha512 }

undo authentication-algorithm

Views

IKE proposal view


Change description

The following keywords were added:

sha256: Specifies the HMAC-SHA256 algorithm.

sha384: Specifies the HMAC-SHA384 algorithm.

sha512: Specifies the HMAC-SHA512 algorithm.

New feature: SSL support for Suite B

Configuring Suite B in SSL

Suite B contains a set of encryption and authentication algorithms that meet high security requirements.

In this software version, Suite B is available in SSL. In addition, a new command was added to display the algorithm version number on the device.

Command reference

New command: display crypto version

Use display crypto version to display the algorithm version number.

Syntax

display crypto version

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

The algorithm version number identifies a suite of cryptographic algorithms.

Examples

# Display the algorithm version number.

<Sysname> display crypto version

7.1.886

Table 1 Command output

Field | Description

7.1.886 | Version number information, in the format 7.1.X, where 7.1 represents Comware V700R001 and X represents the algorithm version number.

New command: ssl version disable

Use ssl version disable to disable SSL protocol versions on the device.

Use undo ssl version disable to re-enable SSL protocol versions on the device.

Syntax

In non-FIPS mode:

ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable

undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable

In FIPS mode:

ssl version { tls1.0 | tls1.1 } * disable

undo ssl version { tls1.0 | tls1.1 } * disable

Default

In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

In FIPS mode, the device supports TLS 1.0, TLS 1.1, and TLS 1.2.

Views

System view

Predefined user roles

network-admin

Parameters

ssl3.0: Specifies SSL 3.0.

tls1.0: Specifies TLS 1.0.

tls1.1: Specifies TLS 1.1.

Usage guidelines

Use this command to disable SSL 3.0, TLS 1.0, and TLS 1.1 on the device to enhance system security. All three versions have known weaknesses and are deprecated by the IETF (SSL 3.0 in RFC 7568, TLS 1.0 and TLS 1.1 in RFC 8996); leave them enabled only while a legacy client still requires them.

Disabling a version affects only the SSL server on the device. An SSL client always uses the SSL protocol version specified for it in its SSL client policy (by using the version command), whether you disable that version or not.

An SSL server supports only TLS 1.2 after SSL 3.0, TLS 1.0, and TLS 1.1 are disabled.

Disabling an SSL protocol version on the device does not affect the availability of earlier SSL protocol versions. For example, if you execute the ssl version tls1.1 disable command, TLS 1.1 is disabled but TLS 1.0 is still available. To allow only TLS 1.2, disable every older version, either in one command (ssl version ssl3.0 tls1.0 tls1.1 disable) or one version at a time.

In FIPS mode, the device does not support SSL 3.0.

Examples

# Disable SSL 3.0 on the device.

<Sysname> system-view

[Sysname] ssl version ssl3.0 disable

# Disable TLS 1.0 on the device.

<Sysname> system-view

[Sysname] ssl version tls1.0 disable

New command: ssl renegotiation disable

Use ssl renegotiation disable to disable SSL session renegotiation.

Use undo ssl renegotiation disable to restore the default.

Syntax

ssl renegotiation disable

undo ssl renegotiation disable

Default

SSL session renegotiation is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake.

Disabling session renegotiation increases the computational overhead on the system, because every connection must then complete a full handshake, but it removes the attack surface that renegotiation exposes. Disable SSL session renegotiation only when explicitly required.

Examples

# Disable SSL session renegotiation.

<Sysname> system-view

[Sysname] ssl renegotiation disable


Modified command: version

Old syntax

In non-FIPS mode:

version { ssl3.0 | tls1.0 }

undo version

In FIPS mode:

version tls1.0

undo version

New syntax

In non-FIPS mode:

version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }

undo version

In FIPS mode:

version { tls1.0 | tls1.1 | tls1.2 }

undo version

Views

SSL client policy view

Change description

The following keywords were added:

tls1.1: Specifies TLS 1.1 for the SSL client policy.

tls1.2: Specifies TLS 1.2 for the SSL client policy.

Modified command: ciphersuite

Old syntax

In non-FIPS mode:

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } *

undo ciphersuite

In FIPS mode:

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *

undo ciphersuite

New syntax

In non-FIPS mode:

ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 } *

undo ciphersuite

In FIPS mode:

ciphersuite { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 } *

undo ciphersuite

Views

SSL server policy view

Change description

The following keywords were added:

rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.

rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.

dhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.

dhe_rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.

ecdhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.


ecdhe_rsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.

ecdhe_rsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.

ecdhe_rsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES GCM, and the MAC algorithm SHA384.

ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.

ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES GCM, and the MAC algorithm SHA384.

Modified command: prefer-cipher

Old syntax

In non-FIPS mode:

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }

undo prefer-cipher

In FIPS mode:

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha }

undo prefer-cipher

New syntax

In non-FIPS mode:

prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 | dhe_rsa_aes_128_cbc_sha256 | dhe_rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 }

undo prefer-cipher

In FIPS mode:

prefer-cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 }

undo prefer-cipher

Views

SSL client policy view

Change description

The following keywords were added:

rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.

rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.

dhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.

dhe_rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.

ecdhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.

ecdhe_rsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.

ecdhe_rsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.

ecdhe_rsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES GCM, and the MAC algorithm SHA384.

ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.

ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.

ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.


ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES GCM, and the MAC algorithm SHA384.
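The following Python script is an added example, not HPE code, that audits the SSL commands from this section (ssl version ... disable, ciphersuite, version and prefer-cipher) as they appear in saved configuration text. It splits each cipher suite keyword into its key exchange, authentication, encryption and MAC parts, flags export, RC4, DES, 3DES, MD5, static RSA and non-AEAD suites, reports client policies pinned to a deprecated version, and works out which server protocol versions remain enabled. The configuration snippet is constructed, and the ssl server-policy and ssl client-policy view names it parses are assumed to match the device's configuration output.

```python
"""Lint the SSL commands of this section as found in saved configuration text."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

ALL_VERSIONS: Set[str] = {"ssl3.0", "tls1.0", "tls1.1", "tls1.2"}
# Deprecated by the IETF: SSL 3.0 (RFC 7568) and TLS 1.0 / TLS 1.1 (RFC 8996).
DEPRECATED: Set[str] = {"ssl3.0", "tls1.0", "tls1.1"}


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # rsa (static), dhe, ecdhe
    auth: str    # rsa or ecdsa
    enc: str     # e.g. aes_128_gcm, 3des_ede_cbc, rc4_128
    mac: str     # md5, sha, sha256, sha384
    export: bool


def parse_suite(keyword: str) -> Suite:
    """Split a Comware cipher suite keyword such as ecdhe_ecdsa_aes_256_gcm_sha384."""
    parts = keyword.lower().split("_")
    export = parts[0] == "exp"
    if export:
        parts = parts[1:]
    if parts[0] in ("dhe", "ecdhe"):
        kx, auth, parts = parts[0], parts[1], parts[2:]
    else:
        kx, auth, parts = "rsa", "rsa", parts[1:]     # plain rsa_* suites
    return Suite(keyword, kx, auth, "_".join(parts[:-1]), parts[-1], export)


def suite_findings(s: Suite) -> List[str]:
    out = []
    if s.export:
        out.append("export-grade key length")
    if s.enc.startswith("rc4"):
        out.append("RC4 (prohibited by RFC 7465)")
    if s.enc.startswith("des_"):
        out.append("single DES")
    if s.enc.startswith("3des"):
        out.append("3DES 64-bit block size (Sweet32)")
    if s.mac == "md5":
        out.append("MD5 MAC")
    if s.kx == "rsa":
        out.append("static RSA key exchange, no forward secrecy")
    if "cbc" in s.enc:
        out.append("CBC mode, not AEAD")
    return out


def is_suite_b(s: Suite) -> bool:
    """Suite B TLS: ECDHE key exchange, ECDSA authentication, AES-GCM."""
    return s.kx == "ecdhe" and s.auth == "ecdsa" and s.enc in ("aes_128_gcm", "aes_256_gcm")


def audit(config: str) -> Dict:
    enabled = set(ALL_VERSIONS)
    servers: Dict[str, Dict[str, List[str]]] = {}
    clients: Dict[str, List[str]] = {}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                       # block separator in Comware configs
            kind = name = None
            continue
        m = re.match(r"^ssl version (.+?) disable$", line)
        if m:
            enabled -= set(m.group(1).split())
            continue
        m = re.match(r"^ssl (server|client)-policy (\S+)$", line)
        if m:
            kind, name = m.groups()
            if kind == "server":
                servers.setdefault(name, {})
            else:
                clients.setdefault(name, [])
            continue
        if kind == "server" and line.startswith("ciphersuite "):
            for kw in line.split()[1:]:
                servers[name][kw] = suite_findings(parse_suite(kw))
        elif kind == "client" and line.startswith("prefer-cipher "):
            kw = line.split()[1]
            clients[name] += [f"{kw}: {f}" for f in suite_findings(parse_suite(kw))]
        elif kind == "client" and line.startswith("version "):
            ver = line.split()[1]
            if ver in DEPRECATED:
                clients[name].append(f"uses deprecated {ver}")
    return {"enabled_versions": enabled, "deprecated_enabled": enabled & DEPRECATED,
            "server_policies": servers, "client_policies": clients}


# Constructed configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
#
 ssl version ssl3.0 disable
#
ssl server-policy legacy-web
 ciphersuite rsa_rc4_128_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha
#
ssl server-policy suite-b-mgmt
 ciphersuite ecdhe_ecdsa_aes_128_gcm_sha256 ecdhe_ecdsa_aes_256_gcm_sha384
#
ssl client-policy old-syslog
 version tls1.0
 prefer-cipher rsa_aes_128_cbc_sha
#
"""

if __name__ == "__main__":
    import pprint
    pprint.pprint(audit(SAMPLE_CONFIG))
```

On the sample, only SSL 3.0 has been disabled, so TLS 1.0 and 1.1 are still offered by the server; the legacy-web policy is flagged for RC4, MD5, 3DES and static RSA, the suite-b-mgmt policy is clean, and the old-syslog client policy is pinned to TLS 1.0 with a non-forward-secret suite.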

New feature: FIPS support for Suite B

Configuring Suite B in FIPS

Suite B contains a set of encryption and authentication algorithms that meet high security requirements.

In this software version, new FIPS commands were added to support Suite B.

Command reference

New command: fips rng random size filename

Use fips rng random size filename to generate a random number and save it to a file.

Syntax

fips rng random size random-size filename filename

Views

Probe view

Predefined user roles

network-admin

Parameters

random-size: Specifies the random number size in the range of 1 to 1000000 bytes.

filename: Specifies the name of the file to save the random number. The file name is a case-insensitive string.

Usage guidelines

Use this command in FIPS mode to generate a random number and save it to a file.

Examples

# Generate a 100000-byte random number and save it to a file named out.bin.

<Sysname> system-view

[Sysname] probe

[Sysname-probe] fips rng random size 100000 filename out.bin

Generating random number. Please wait...

Random number saved to file successfully.


New command: fips rng random size round rate-statistics

Use fips rng random size round rate-statistics to calculate the average rate at which random numbers are generated.

Syntax

fips rng random size random-size round round rate-statistics

Views

Probe view

Predefined user roles

network-admin

Parameters

random-size: Specifies the random number size in the range of 1 to 1000000 bytes.

round: Specifies the number of random number generations, in the range of 3 to 10.

Usage guidelines

Use this command in FIPS mode to calculate the average rate at which random numbers are generated.

Examples

# Generate five 100000-byte random numbers and calculate the average rate at which the random numbers are generated.

<Sysname> system-view

[Sysname] probe

[Sysname-probe] fips rng random size 100000 round 5 rate-statistics

Random number generated successfully.

Rate: 5000 bytes/s

Rate: 5100 bytes/s

Rate: 4900 bytes/s

Rate: 4800 bytes/s

Rate: 5200 bytes/s

Average rate: 5000 bytes/s

New command: fips rng entropy size filename

Use fips rng entropy size filename to generate a random number entropy and save it to a file.

Syntax

fips rng entropy size entropy-size filename filename

Views

Probe view

Predefined user roles

network-admin


Parameters

entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.

filename: Specifies the name of the file to save the random number entropy. The file name is a case-insensitive string.

Usage guidelines

Use this command in FIPS mode to generate a random number entropy and save it to a file.

Examples

# Generate a 100000-byte random number entropy and save it to a file named out.bin.

<Sysname> system-view

[Sysname] probe

[Sysname-probe] fips rng entropy size 100000 filename out.bin

Generating random number entropy. Please wait...

Entropy saved to file successfully.

New command: fips rng entropy size round rate-statistics

Use fips rng entropy size round rate-statistics to calculate the average rate at which random number entropies are generated.

Syntax

fips rng entropy size entropy-size round round rate-statistics

Views

Probe view

Predefined user roles

network-admin

Parameters

entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.

round: Specifies the number of random number entropy generations, in the range of 3 to 10.

Usage guidelines

Use this command in FIPS mode to calculate the average rate at which random number entropies are generated.

Examples

# Generate five 100000-byte random number entropies and calculate the average rate at which the random number entropies are generated.

<Sysname> system-view

[Sysname] probe

[Sysname-probe] fips rng entropy size 100000 round 5 rate-statistics

Entropy generated successfully.

Rate: 5000 bytes/s

Rate: 5100 bytes/s

Rate: 4900 bytes/s

Rate: 4800 bytes/s

Rate: 5200 bytes/s

Average rate: 5000 bytes/s

New command: fips kdf

Use fips kdf to derive a key from an import file and save it to an export file.

Syntax

fips kdf { ikev1 { dsa | psk } | ikev2 | tls } import inputfile export outputfile

Views

Probe view

Predefined user roles

network-admin

Usage guidelines

Use this command in FIPS mode to derive a key from the test vectors in the import file, so that a third party can verify that the key derivation meets CC/FI certification requirements.

Examples

# Derive an ikev1 pre-shared key from an import file named ikev1_psk.req and save the key to an export file named ikev1_psk.rsp.

<Sysname> system-view

[Sysname] probe

[Sysname-probe] fips kdf ikev1 psk import ikev1_psk.req export ikev1_psk.rsp

New command: fips algorithm verify param

Use fips algorithm verify param to execute an algorithm test vector and generate a result file.

Syntax

fips algorithm verify param param

Views

System view

Predefined user roles

network-admin

Usage guidelines

Use this command in FIPS mode to execute an algorithm test vector and generate a result file for a third party to verify the result.

Examples

# Execute the DSA2 test vector in a file named 01-HP-MPC8544/DSA2/req/PQGGen.req, and generate a result file named 01-HP-MPC8544/DSA2/resp/PQGGen.rsp.

<Sysname> system-view

[Sysname] fips algorithm verify fips_dssvs pqg 01-HP-MPC8544/DSA2/req/PQGGen.req 01-HP-MPC8544/DSA2/resp/PQGGen.rsp

Modified command: fips self-test

Syntax

fips self-test

Views

System view

Change description

Self-tests were added for the following algorithms:

3DES.

ECDH.

Random number generator (RNG).

GCM.

GMAC.

New feature: SSH support for Suite B

Configuring SSH based on Suite B algorithms

Suite B contains a set of encryption and authentication algorithms that meet high security requirements. Table 2 lists all algorithms in Suite B.

The SSH server and client support using the X.509v3 certificate for identity authentication in compliance with the algorithm, negotiation, and authentication specifications defined in RFC 6239.

Table 2 Suite B algorithms

Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm

128-bit | ecdh-sha2-nistp256 | AEAD_AES_128_GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384

192-bit | ecdh-sha2-nistp384 | AEAD_AES_256_GCM | x509v3-ecdsa-sha2-nistp384

Both | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AEAD_AES_128_GCM, AEAD_AES_256_GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
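The following Python is an added example, not the device's implementation, of how the suite-b 128-bit and 192-bit options constrain the SSH algorithm negotiation of RFC 4253 section 7.1: the client offers only the Table 2 name-lists for its level, and the connection fails if the server has no matching key exchange, host certificate key type or AEAD cipher. The server's KEXINIT lists are constructed, and the preference order used for "both" (192-bit entries first) is an assumption.

```python
"""SSH algorithm negotiation restricted to the Suite B name-lists of RFC 6239."""
from typing import Dict, List, Optional

NameLists = Dict[str, List[str]]

SUITE_B: Dict[str, NameLists] = {
    "128-bit": {
        "kex": ["ecdh-sha2-nistp256"],
        "hostkey": ["x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384"],
        "cipher": ["AEAD_AES_128_GCM"],
    },
    "192-bit": {
        "kex": ["ecdh-sha2-nistp384"],
        "hostkey": ["x509v3-ecdsa-sha2-nistp384"],
        "cipher": ["AEAD_AES_256_GCM"],
    },
}


class NegotiationError(Exception):
    pass


def suite_b_client_lists(level: str) -> NameLists:
    """Name-lists a Suite B client sends in KEXINIT. For 'both' the 192-bit
    entries are listed first (assumed preference), then the 128-bit ones."""
    if level in SUITE_B:
        return {k: list(v) for k, v in SUITE_B[level].items()}
    if level != "both":
        raise ValueError(f"unknown Suite B level {level!r}")
    merged: NameLists = {}
    for cat in ("kex", "hostkey", "cipher"):
        merged[cat] = list(SUITE_B["192-bit"][cat])
        merged[cat] += [a for a in SUITE_B["128-bit"][cat] if a not in merged[cat]]
    return merged


def negotiate(client: NameLists, server: NameLists) -> Dict[str, str]:
    """RFC 4253 rule: per category, the chosen algorithm is the first one in the
    client's list that the server also lists; no match aborts the connection.
    The AEAD_AES_*_GCM names double as the MAC algorithm (RFC 5647), so no
    separate MAC list is negotiated here."""
    chosen = {}
    for cat in ("kex", "hostkey", "cipher"):
        match = next((a for a in client[cat] if a in server[cat]), None)
        if match is None:
            raise NegotiationError(f"no common {cat} algorithm: client offered "
                                   f"{client[cat]}, server offers {server[cat]}")
        chosen[cat] = match
    return chosen


# Constructed KEXINIT of a general-purpose server that also holds a P-256 certificate.
SAMPLE_SERVER: NameLists = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-rsa", "x509v3-ecdsa-sha2-nistp256"],
    "cipher": ["aes128-ctr", "AEAD_AES_128_GCM", "aes256-ctr"],
}


def try_connect(level: str, server: NameLists = SAMPLE_SERVER) -> Optional[Dict[str, str]]:
    """Negotiated algorithms for the given Suite B level, or None if the server
    cannot satisfy that level (the client would close the connection)."""
    try:
        return negotiate(suite_b_client_lists(level), server)
    except NegotiationError:
        return None


if __name__ == "__main__":
    for level in ("128-bit", "192-bit", "both"):
        print(level, "->", try_connect(level))
```

Against the sample server the 128-bit level succeeds with P-256 key exchange, a P-256 certificate and AES-128-GCM; the 192-bit level fails because the server offers neither ecdh-sha2-nistp384 nor a P-384 certificate, which is exactly the check a client started with suite-b 192-bit has to make before trusting the session.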

Specifying a PKI domain for the SSH server

The PKI domain specified for the SSH server has the following functions:

The SSH server uses the PKI domain to send its certificate to the client in the key exchange stage.

The SSH server uses the PKI domain to authenticate the client's certificate if no PKI domain is specified for the client authentication by using the ssh user command.

To specify a PKI domain for the SSH server:

Step | Command | Remarks

1. Enter system view. | system-view | N/A

2. Specify a PKI domain for the SSH server. | ssh server pki-domain domain-name | By default, no PKI domain is specified for the SSH server.

Establishing a connection to an Stelnet server based on Suite B

Task: Establish a connection to an Stelnet server based on Suite B.

Command:

Establish a connection to an IPv4 Stelnet server based on Suite B:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ] *

Establish a connection to an IPv6 Stelnet server based on Suite B:

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Remarks:

Available in user view.

The client cannot establish connections to both IPv4 and IPv6 Stelnet servers.

Establishing a connection to an SFTP server based on Suite B

Task: Establish a connection to an SFTP server based on Suite B.

Command:
  Establish a connection to an IPv4 SFTP server based on Suite B:
  sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ip ip-address } ] *

  Establish a connection to an IPv6 SFTP server based on Suite B:
  sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Remarks: Available in user view. The client cannot establish connections to both IPv4 and IPv6 SFTP servers.

Establishing a connection to an SCP server based on Suite B

Task: Establish a connection to an SCP server based on Suite B.

Command:
  Establish a connection to an IPv4 SCP server based on Suite B:
  scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ] *

  Establish a connection to an IPv6 SCP server based on Suite B:
  scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Remarks: Available in user view. The client cannot establish connections to both IPv4 and IPv6 SCP servers.

Specifying algorithms for SSH2

Perform this task to specify the following types of algorithms that the SSH2 client and server use for algorithm negotiation during the Stelnet, SFTP, or SCP session establishment:

• Key exchange algorithms.

• Public key algorithms.

• Encryption algorithms.

• MAC algorithms.

If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The client uses the specified algorithms to initiate the negotiation, and the server uses the matching algorithms to negotiate with the client.

If multiple algorithms of the same type are specified, the algorithm specified earlier has a higher priority during negotiation.

Specifying key exchange algorithms for SSH2

Step 101. Enter system view.
  Command: system-view
  Remarks: N/A

Step 102. Specify key exchange algorithms for SSH2.
  Command:
    In non-FIPS mode:
    ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
    In FIPS mode:
    ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
  Remarks: By default, SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority for algorithm negotiation.

Specifying public key algorithms for SSH2

Step 103. Enter system view.
  Command: system-view
  Remarks: N/A

Step 104. Specify public key algorithms for SSH2.
  Command:
    In non-FIPS mode:
    ssh2 algorithm public-key { dsa | ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *
    In FIPS mode:
    ssh2 algorithm public-key { ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *
  Remarks: By default, SSH2 uses the public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, ecdsa, rsa, and dsa in descending order of priority for algorithm negotiation.

Specifying encryption algorithms for SSH2

Step 105. Enter system view.
  Command: system-view
  Remarks: N/A

Step 106. Specify encryption algorithms for SSH2.
  Command:
    In non-FIPS mode:
    ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *
    In FIPS mode:
    ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *
  Remarks: By default, SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for algorithm negotiation.

Specifying MAC algorithms for SSH2

Step 107. Enter system view.
  Command: system-view
  Remarks: N/A

Step 108. Specify MAC algorithms for SSH2.
  Command:
    In non-FIPS mode:
    ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *
    In FIPS mode:
    ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *
  Remarks: By default, SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 in descending order of priority for algorithm negotiation.

Command reference

New command: display ssh2 algorithm

Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation stage.

Syntax

display ssh2 algorithm

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display algorithms used by SSH2 in the algorithm negotiation stage.

<Sysname> display ssh2 algorithm
Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1 dh-group14-sha1 dh-group1-sha1
Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa rsa dsa
Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm aes128-cbc 3des-cbc aes256-cbc des-cbc
MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96

Table 3 Command output

Field: Key exchange algorithms
  Description: Key exchange algorithms in descending order of priority for algorithm negotiation.

Field: Public key algorithms
  Description: Public key algorithms in descending order of priority for algorithm negotiation.

Field: Encryption algorithms
  Description: Encryption algorithms in descending order of priority for algorithm negotiation.

Field: MAC algorithms
  Description: MAC algorithms in descending order of priority for algorithm negotiation.

Related commands

ssh2 algorithm cipher

ssh2 algorithm key-exchange

ssh2 algorithm mac

ssh2 algorithm public-key
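Added example (not HPE code): a Python audit that parses the output format shown above, compares each negotiation list with the Suite B sets of Table 2 for a chosen security level, flags legacy algorithms, and prints the ssh2 algorithm commands that restrict the lists to that level. The sample output is constructed from the example above; the legacy-algorithm list and the mapping of AEAD_AES_128_GCM/AEAD_AES_256_GCM to the aes128-gcm/aes256-gcm keywords are assumptions of this example.

```python
import re

# Suite B sets per security level, taken from Table 2 of this page. Table 2 names
# the AEAD ciphers AEAD_AES_128_GCM / AEAD_AES_256_GCM; the display output uses the
# keywords aes128-gcm / aes256-gcm, so that mapping is an assumption of the example.
SUITE_B = {
    "128-bit": {
        "Key exchange algorithms": ["ecdh-sha2-nistp256"],
        "Encryption algorithms": ["aes128-gcm"],
        "Public key algorithms": ["x509v3-ecdsa-sha2-nistp256",
                                  "x509v3-ecdsa-sha2-nistp384"],
    },
    "192-bit": {
        "Key exchange algorithms": ["ecdh-sha2-nistp384"],
        "Encryption algorithms": ["aes256-gcm"],
        "Public key algorithms": ["x509v3-ecdsa-sha2-nistp384"],
    },
}

# Algorithms a hardening baseline would normally remove from the negotiation
# lists (assumed list for this example, not a statement from the release notes).
LEGACY = {"des-cbc", "3des-cbc", "md5", "md5-96", "sha1-96", "dh-group1-sha1", "dsa"}

# The system-view command that sets each list, as documented on this page.
SET_COMMAND = {
    "Key exchange algorithms": "ssh2 algorithm key-exchange",
    "Public key algorithms": "ssh2 algorithm public-key",
    "Encryption algorithms": "ssh2 algorithm cipher",
    "MAC algorithms": "ssh2 algorithm mac",
}

# Constructed sample: the factory-default output shown in the example above.
SAMPLE_OUTPUT = """\
<Sysname> display ssh2 algorithm
Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1 dh-group14-sha1 dh-group1-sha1
Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa rsa dsa
Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm aes128-cbc 3des-cbc aes256-cbc des-cbc
MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96
"""


def parse_display(text):
    """Return {list name: [algorithms in priority order]} from the command output."""
    lists = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m and m.group(1) in SET_COMMAND:
            lists[m.group(1)] = m.group(2).split()
    return lists


def suite_b_sets(level):
    """Suite B algorithms for '128-bit', '192-bit' or 'both' (union of the two)."""
    if level in SUITE_B:
        return {k: list(v) for k, v in SUITE_B[level].items()}
    if level == "both":
        return {k: SUITE_B["128-bit"][k]
                + [a for a in SUITE_B["192-bit"][k] if a not in SUITE_B["128-bit"][k]]
                for k in SUITE_B["128-bit"]}
    raise ValueError("level must be '128-bit', '192-bit' or 'both'")


def audit(text, level):
    """Compare the device's lists with the Suite B level and the legacy list.

    Returns, per list, the Suite B algorithms that are missing, the algorithms
    outside Suite B, and the legacy algorithms present in any list.
    """
    lists = parse_display(text)
    wanted = suite_b_sets(level)
    report = {"missing": {}, "outside_suite_b": {}, "legacy": {}}
    for name, algs in wanted.items():
        present = lists.get(name, [])
        report["missing"][name] = [a for a in algs if a not in present]
        report["outside_suite_b"][name] = [a for a in present if a not in algs]
    for name, present in lists.items():
        found = [a for a in present if a in LEGACY]
        if found:
            report["legacy"][name] = found
    return report


def restriction_commands(level):
    """System-view commands that limit negotiation to the Suite B level.

    The MAC list is left alone: Table 2 lists no separate MAC algorithm because
    the AES-GCM ciphers of Suite B authenticate the data themselves.
    """
    return [f"{SET_COMMAND[name]} {' '.join(algs)}"
            for name, algs in suite_b_sets(level).items()]


if __name__ == "__main__":
    for key, value in audit(SAMPLE_OUTPUT, "128-bit").items():
        print(key, value)
    print("\n".join(restriction_commands("128-bit")))
```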

New command: ssh server pki-domain

Use ssh server pki-domain to specify a PKI domain for the SSH server.

Use undo ssh server pki-domain to delete the PKI domain of the SSH server.

Syntax

ssh server pki-domain domain-name

undo ssh server pki-domain

Default

No PKI domain is specified for an SSH server.

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 4.

Table 4 Invalid characters for a PKI domain name

Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '

Examples

# Specify the PKI domain serverpkidomain for the SSH server.

<Sysname> system-view

[Sysname] ssh server pki-domain serverpkidomain

New command: scp ipv6 suite-b

Use scp ipv6 suite-b to establish a connection to an IPv6 SCP server based on Suite B algorithms and transfer files with the server.

Syntax

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for SCP packets. Specify this option when the server uses a link-local address to provide the SCP service for the client. The specified output interface on the SCP client must have a link-local address.

get: Downloads the file.

put: Uploads the file.


source-file-name: Specifies the name of the source file.

destination-file-name: Specifies the name of the target file. If you do not specify this argument, the target file uses the same file name as the source file.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 6.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 5.

Table 5 Invalid characters for a PKI domain name

Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 5.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the device automatically selects a source address for IPv6 SCP packets in compliance with RFC 3484. For successful SCP connections, use one of the following methods:

• Specify the loopback interface as the source interface.

• Specify the IPv6 address of the loopback interface as the source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Table 6 Suite B algorithms

Security level: 128-bit
  Key exchange algorithm: ecdh-sha2-nistp256
  Encryption algorithm and HMAC algorithm: AEAD_AES_128_GCM
  Public key algorithm: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384

Security level: 192-bit
  Key exchange algorithm: ecdh-sha2-nistp384
  Encryption algorithm and HMAC algorithm: AEAD_AES_256_GCM
  Public key algorithm: x509v3-ecdsa-sha2-nistp384

Security level: Both
  Key exchange algorithm: ecdh-sha2-nistp256, ecdh-sha2-nistp384
  Encryption algorithm and HMAC algorithm: AEAD_AES_128_GCM, AEAD_AES_256_GCM
  Public key algorithm: x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

Examples

# Use the 192-bit Suite B algorithms to establish a connection to the SCP server 2000::1 and download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> scp ipv6 2000::1 get abc.txt suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

New command: scp suite-b

Use scp suite-b to establish a connection to an SCP server based on Suite B algorithms and transfer files with the server.

Syntax

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

get: Downloads the file.

put: Uploads the file.

source-file-name: Specifies the name of the source file.

destination-file-name: Specifies the name of the target file. If you do not specify this argument, the target file uses the same file name as the source file.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 6.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 7.

Table 7 Invalid characters for a PKI domain name

Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 7.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

source: Specifies a source IP address or source interface for SCP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SCP packets. For successful SCP connections, use one of the following methods:

• Specify the loopback interface as the source interface.

• Specify the IPv4 address of the loopback interface as the source IPv4 address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv4 address of this interface is the source IPv4 address of the SCP packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

Examples

# Use the 128-bit Suite B algorithms to establish a connection to the SCP server 200.1.1.1 and download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> scp 200.1.1.1 get abc.txt suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

New command: sftp ipv6 suite-b

Use sftp ipv6 suite-b to establish a connection to an IPv6 SFTP server based on Suite B algorithms and enter SFTP client view.

Syntax

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SFTP packets. Specify this option when the server uses a link-local address to provide the SFTP service for the client. The specified output interface on the SFTP client must have a link-local address.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 6.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 8.

Table 8 Invalid characters for a PKI domain name

Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 8.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

source: Specifies a source IP address or source interface for IPv6 SFTP packets. By default, the device automatically selects a source address for IPv6 SFTP packets in compliance with RFC 3484. For successful IPv6 SFTP connections, use one of the following methods:

• Specify the loopback interface as the source interface.

• Specify the IPv6 address of the loopback interface as the source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address of the IPv6 SFTP packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

Examples

# Use the 192-bit Suite B algorithms to establish a connection to the SFTP server 2000::1. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> sftp ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

New command: sftp suite-b

Use sftp suite-b to establish a connection to an IPv4 SFTP server based on Suite B algorithms and enter SFTP client view.

Syntax

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 6.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 9.

Table 9 Invalid characters for a PKI domain name

Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 9.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

source: Specifies a source IP address or source interface for the SFTP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SFTP packets. For successful SFTP connections, use one of the following methods:

• Specify the loopback interface as the source interface.

• Specify the IPv4 address of the loopback interface as the source IPv4 address.

interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IPv4 address of the SFTP packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

Examples

# Use the 128-bit Suite B algorithms to establish a connection to the SFTP server 10.1.1.2. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain


New command: ssh2 ipv6 suite-b

Use ssh2 ipv6 suite-b to establish a connection to an IPv6 Stelnet server based on Suite B algorithms.

Syntax

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SSH packets. Specify this option when the server uses a link-local address to provide the Stelnet service for the client. The specified output interface on the Stelnet client must have a link-local address.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 6.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 10.

Table 10 Invalid characters for a PKI domain name

Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 10.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

dscp dscp-value: Specifies the DSCP value in the IPv6 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).

source: Specifies a source IP address or source interface for IPv6 SSH packets. By default, the device automatically selects a source address for IPv6 SSH packets in compliance with RFC 3484. For successful IPv6 Stelnet connections, use one of the following methods:

• Specify the loopback interface as the source interface.

• Specify the IPv6 address of the loopback interface as the source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address of the IPv6 SSH packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.

For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line. HPE recommends that you use the default escape character (~). Do not use any character in SSH usernames as the escape character.

Examples

# Use the 192-bit Suite B algorithms to establish a connection to the Stelnet server 2000::1. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> ssh2 ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

New command: ssh2 suite-b

Use ssh2 suite-b to establish a connection to an IPv4 Stelnet server based on Suite B algorithms.

Syntax

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.

suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 6.

128-bit: Specifies the 128-bit Suite B security level.

192-bit: Specifies the 192-bit Suite B security level.

pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding

the characters listed in Table 11 .

Table 11 Invalid characters for a PKI domain name

Character name          Symbol
Tilde                   ~
Asterisk                *
Backslash               \
Vertical bar            |
Colon                   :
Dot                     .
Left angle bracket      <
Right angle bracket     >
Quotation marks         "
Apostrophe              '

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 11.

prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets. The value range for the dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.

escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).

source: Specifies a source IP address or source interface for SSH packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SSH packets. For successful Stelnet connections, use one of the following methods:

Specify the loopback interface as the source interface.

Specify the IPv4 address of the loopback interface as the source IPv4 address.

interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IPv4 address of the SSH packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.

For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line. HPE recommends that you use the default escape character (~). Do not use any character in SSH usernames as the escape character.

Examples

# Use the 128-bit Suite B algorithms to establish a connection to the SFTP server 3.3.3.3. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.

<Sysname> ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain

New command: ssh2 algorithm cipher

Use ssh2 algorithm cipher to specify encryption algorithms for SSH2.

Use undo ssh2 algorithm cipher to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *

undo ssh2 algorithm cipher

In FIPS mode:

ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *

undo ssh2 algorithm cipher

Default

SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for algorithm negotiation.

Views

System view

Predefined user roles

network-admin

Parameters

3des-cbc: Specifies the encryption algorithm 3des-cbc. Support for this keyword depends on the device model.

aes128-cbc: Specifies the encryption algorithm aes128-cbc.

aes256-cbc: Specifies the encryption algorithm aes256-cbc.

des-cbc: Specifies the encryption algorithm des-cbc.


aes128-ctr: Specifies the encryption algorithm aes128-ctr.

aes192-ctr: Specifies the encryption algorithm aes192-ctr.

aes256-ctr: Specifies the encryption algorithm aes256-ctr.

aes256-gcm: Specifies the encryption algorithm aes256-gcm.

aes128-gcm: Specifies the encryption algorithm aes128-gcm.

Usage guidelines

If you specify the encryption algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm 3des-cbc as the encryption algorithm for SSH2.

<Sysname> system-view

[Sysname] ssh2 algorithm cipher 3des-cbc

Related commands

display ssh2 algorithm

ssh2 algorithm key-exchange

ssh2 algorithm mac

ssh2 algorithm public-key

New command: ssh2 algorithm key-exchange

Use ssh2 algorithm key-exchange to specify key exchange algorithms for SSH2.

Use undo ssh2 algorithm key-exchange to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *

undo ssh2 algorithm key-exchange

In FIPS mode:

ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *

undo ssh2 algorithm key-exchange

Default

SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority for algorithm negotiation.

Views

System view

Predefined user roles

network-admin

Parameters

dh-group-exchange-sha1: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

dh-group1-sha1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

dh-group14-sha1: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.

ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.

Usage guidelines

If you specify the key exchange algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm dh-group1-sha1 as the key exchange algorithm for SSH2.

<Sysname> system-view

[Sysname] ssh2 algorithm key-exchange dh-group1-sha1

Related commands

display ssh2 algorithm

ssh2 algorithm cipher

ssh2 algorithm mac

ssh2 algorithm public-key

New command: ssh2 algorithm mac

Use ssh2 algorithm mac to specify MAC algorithms for SSH2.

Use undo ssh2 algorithm mac to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *

undo ssh2 algorithm mac

In FIPS mode:

ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *

undo ssh2 algorithm mac


Default

SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 in descending order of priority for algorithm negotiation.

Views

System view

Predefined user roles

network-admin

Parameters

md5: Specifies the HMAC algorithm hmac-md5.

md5-96: Specifies the HMAC algorithm hmac-md5-96.

sha1: Specifies the HMAC algorithm hmac-sha1.

sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

sha2-256: Specifies the HMAC algorithm hmac-sha2-256.

sha2-512: Specifies the HMAC algorithm hmac-sha2-512.

Usage guidelines

If you specify the MAC algorithms, SSH2 uses only the specified algorithms for algorithm negotiation.

The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm md5 as the MAC algorithm for SSH2.

<Sysname> system-view

[Sysname] ssh2 algorithm mac md5

Related commands

display ssh2 algorithm

ssh2 algorithm cipher

ssh2 algorithm key-exchange

ssh2 algorithm public-key

New command: ssh2 algorithm public-key

Use ssh2 algorithm public-key to specify public key algorithms for SSH2.

Use undo ssh2 algorithm public-key to restore the default.

Syntax

In non-FIPS mode:

ssh2 algorithm public-key { dsa | ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *

undo ssh2 algorithm public-key

In FIPS mode:

ssh2 algorithm public-key { ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *

undo ssh2 algorithm public-key

Default

SSH2 uses the public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, ecdsa, rsa, and dsa in descending order of priority for algorithm negotiation.

Views

System view

Predefined user roles

network-admin

Parameters

dsa: Specifies the public key algorithm dsa.

ecdsa: Specifies the public key algorithm ecdsa.

rsa: Specifies the public key algorithm rsa.

x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.

Usage guidelines

If you specify the public key algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.

Examples

# Specify the algorithm dsa as the public key algorithm for SSH2.

<Sysname> system-view

[Sysname] ssh2 algorithm public-key dsa

Related commands

display ssh2 algorithm

ssh2 algorithm cipher

ssh2 algorithm key-exchange

ssh2 algorithm mac
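The usage guidelines for the four ssh2 algorithm commands state one rule: only the configured algorithms are offered, in the order given. The Python model below is an added illustration, not Comware code; it applies that rule to the keyword sets, default priority lists and FIPS-mode keyword sets documented above and negotiates them against a constructed server offer the way RFC 4253 does (the first client preference the server supports wins; no common algorithm means the connection fails). That the FIPS-mode default list drops the keywords the FIPS syntax does not accept is an assumption.

```python
"""Client-side SSH2 algorithm negotiation for the Comware commands
`ssh2 algorithm { cipher | key-exchange | mac | public-key }`. Added illustration,
not device code: keyword sets and default orders come from the release notes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Default client preference lists (highest priority first), as documented.
DEFAULTS: Dict[str, List[str]] = {
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm",
               "aes256-gcm", "aes128-cbc", "3des-cbc", "aes256-cbc", "des-cbc"],
    "key-exchange": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                     "dh-group-exchange-sha1", "dh-group14-sha1", "dh-group1-sha1"],
    "mac": ["sha2-256", "sha2-512", "sha1", "md5", "sha1-96", "md5-96"],
    "public-key": ["x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384",
                   "ecdsa", "rsa", "dsa"],
}

# Keywords accepted in FIPS mode (non-FIPS mode accepts every keyword in
# DEFAULTS). The FIPS syntax drops DES/3DES, MD5 and DSA.
FIPS_ALLOWED: Dict[str, set] = {
    "cipher": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr",
               "aes256-ctr", "aes128-gcm", "aes256-gcm"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"},
    "mac": {"sha1", "sha1-96", "sha2-256", "sha2-512"},
    "public-key": {"ecdsa", "rsa", "x509v3-ecdsa-sha2-nistp384",
                   "x509v3-ecdsa-sha2-nistp256"},
}

# Command keyword -> SSH wire name where the release notes give one (MAC keywords
# stand for HMAC names, DH keywords for RFC 4253 names); others are used as-is.
WIRE_NAME: Dict[str, str] = {
    "md5": "hmac-md5", "md5-96": "hmac-md5-96", "sha1": "hmac-sha1",
    "sha1-96": "hmac-sha1-96", "sha2-256": "hmac-sha2-256",
    "sha2-512": "hmac-sha2-512",
    "dh-group-exchange-sha1": "diffie-hellman-group-exchange-sha1",
    "dh-group1-sha1": "diffie-hellman-group1-sha1",
    "dh-group14-sha1": "diffie-hellman-group14-sha1",
}


def to_wire(keyword: str) -> str:
    """Return the on-the-wire algorithm name for a command keyword."""
    return WIRE_NAME.get(keyword, keyword)


@dataclass
class Ssh2Client:
    """Client-side algorithm configuration: one ordered list per category."""
    fips: bool = False
    configured: Dict[str, List[str]] = field(default_factory=dict)

    def _allowed(self, category: str) -> set:
        return FIPS_ALLOWED[category] if self.fips else set(DEFAULTS[category])

    def algorithm(self, category: str, *keywords: str) -> List[str]:
        """Model `ssh2 algorithm <category> kw1 kw2 ...`: only the listed
        algorithms are offered, in the order given (earlier = higher priority)."""
        if not keywords:
            raise ValueError("at least one algorithm keyword is required")
        rejected = [k for k in keywords if k not in self._allowed(category)]
        if rejected:
            mode = "FIPS" if self.fips else "non-FIPS"
            raise ValueError(f"{rejected} not accepted for {category} in {mode} mode")
        ordered: List[str] = []
        for k in keywords:  # a repeated keyword keeps its first position
            if k not in ordered:
                ordered.append(k)
        self.configured[category] = ordered
        return list(ordered)

    def undo_algorithm(self, category: str) -> None:
        """Model `undo ssh2 algorithm <category>`: back to the default list."""
        self.configured.pop(category, None)

    def preference_list(self, category: str) -> List[str]:
        """Wire names the client proposes, in priority order. Assumption: in
        FIPS mode the defaults the FIPS syntax does not accept are not offered."""
        keywords = self.configured.get(category) or [
            k for k in DEFAULTS[category] if k in self._allowed(category)]
        return [to_wire(k) for k in keywords]


def negotiate(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also supports wins. None means no common algorithm: the connection
    fails instead of falling back to something weaker."""
    supported = set(server_prefs)
    for alg in client_prefs:
        if alg in supported:
            return alg
    return None


def negotiate_all(client: Ssh2Client,
                  server_offer: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Negotiate every category against a server offer given in wire names."""
    return {cat: negotiate(client.preference_list(cat), server_offer.get(cat, []))
            for cat in DEFAULTS}
```

Restricting a category to one keyword, as the page's `ssh2 algorithm cipher 3des-cbc` example does, makes that keyword the only offer, so a server without it gets no connection at all.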

Modified command: display ssh server

Syntax

display ssh server { session | status }


Views

Any view

Change description

In the command output, the SSH Server PKI domain name field was added to represent the PKI domain of the SSH server.

Modified command: ssh user

Old syntax

In non-FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } }

undo ssh user username

In FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey assign { pki-domain domain-name | publickey keyname } }

undo ssh user username

New syntax

In non-FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname } ] }

undo ssh user username

In FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey [ assign { pki-domain domain-name | publickey keyname } ] }

undo ssh user username

Views

System view

Change description

Before modification: The options assign { pki-domain domain-name | publickey keyname } are required for verifying the client.

After modification: The options assign { pki-domain domain-name | publickey keyname } are optional for verifying the client.


Modified command: scp

Old syntax

In non-FIPS mode:

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

New syntax

In non-FIPS mode:

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Change description

The following keywords were added:

Keywords for specifying PKI domains used in certificate verification:

pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

The PKI domain name cannot contain characters in the following table:

Character name          Symbol
Tilde                   ~
Asterisk                *
Backslash               \
Vertical bar            |
Colon                   :
Dot                     .
Left angle bracket      <
Right angle bracket     >
Quotation marks         "
Apostrophe              '

Keywords for specifying the publickey algorithms used in publickey authentication:

ecdsa: Specifies the public key algorithm ecdsa.

x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.

Keywords for specifying the preferred client-to-server encryption algorithms:

aes128-ctr: Specifies the encryption algorithm aes128-ctr.

aes192-ctr: Specifies the encryption algorithm aes192-ctr.

aes256-ctr: Specifies the encryption algorithm aes256-ctr.

aes256-gcm: Specifies the encryption algorithm aes256-gcm.

aes128-gcm: Specifies the encryption algorithm aes128-gcm.

Keywords for specifying the preferred client-to-server HMAC algorithms:

sha2-256: Specifies the HMAC algorithm sha2-256.

sha2-512: Specifies the HMAC algorithm sha2-512.


Keywords for specifying the preferred key exchange algorithms:

ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.

ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.

The following keywords were modified:

Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

Keywords for the preferred key exchange algorithm prefer-kex:

The dh-group-exchange keyword was changed to dh-group-exchange-sha1.

The dh-group1 keyword was changed to dh-group1-sha1.

The dh-group14 keyword was changed to dh-group14-sha1.

Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

The default settings for the following algorithms were changed:

For the preferred client-to-server encryption algorithm prefer-ctos-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

For the preferred key exchange algorithm prefer-kex:

Before modification: The default is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode.

After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.

For the preferred server-to-client encryption algorithm prefer-stoc-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

Modified command: scp ipv6

Old syntax

In non-FIPS mode:

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

New syntax

In non-FIPS mode:

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Change description

The following keywords were added:

Keywords for specifying PKI domains used in certificate verification:

pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

The PKI domain name cannot contain characters in the following table:

Character name          Symbol
Tilde                   ~
Asterisk                *
Backslash               \
Vertical bar            |
Colon                   :
Dot                     .
Left angle bracket      <
Right angle bracket     >
Quotation marks         "
Apostrophe              '

Keywords for specifying the publickey algorithms used in publickey authentication:

ecdsa: Specifies the public key algorithm ecdsa.

x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.

Keywords for specifying the preferred client-to-server encryption algorithms:

aes128-ctr: Specifies the encryption algorithm aes128-ctr.

aes192-ctr: Specifies the encryption algorithm aes192-ctr.

aes256-ctr: Specifies the encryption algorithm aes256-ctr.

aes256-gcm: Specifies the encryption algorithm aes256-gcm.

aes128-gcm: Specifies the encryption algorithm aes128-gcm.


Keywords for specifying the preferred client-to-server HMAC algorithms:

sha2-256: Specifies the HMAC algorithm sha2-256.

sha2-512: Specifies the HMAC algorithm sha2-512.

Keywords for specifying the preferred key exchange algorithms:

ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.

ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.

The following keywords were modified:

Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

Keywords for the preferred key exchange algorithm prefer-kex:

The dh-group-exchange keyword was changed to dh-group-exchange-sha1.

The dh-group1 keyword was changed to dh-group1-sha1.

The dh-group14 keyword was changed to dh-group14-sha1.

Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

The default settings for the following algorithms were changed:

For the preferred client-to-server encryption algorithm prefer-ctos-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

For the preferred key exchange algorithm prefer-kex:

Before modification: The default is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode.

After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.

For the preferred server-to-client encryption algorithm prefer-stoc-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

Modified command: sftp

Old syntax

In non-FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

New syntax

In non-FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Change description

The following keywords were added:

Keywords for specifying PKI domains used in certificate verification:

pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

The PKI domain name cannot contain characters in the following table:

Character name          Symbol
Tilde                   ~
Asterisk                *
Backslash               \
Vertical bar            |
Colon                   :
Dot                     .
Left angle bracket      <
Right angle bracket     >
Quotation marks         "
Apostrophe              '

Keywords for specifying the publickey algorithms used in publickey authentication:

ecdsa: Specifies the public key algorithm ecdsa.

x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.

Keywords for specifying the preferred client-to-server encryption algorithms:

aes128-ctr: Specifies the encryption algorithm aes128-ctr.

aes192-ctr: Specifies the encryption algorithm aes192-ctr.

aes256-ctr: Specifies the encryption algorithm aes256-ctr.

aes256-gcm: Specifies the encryption algorithm aes256-gcm.

aes128-gcm: Specifies the encryption algorithm aes128-gcm.


Keywords for specifying the preferred client-to-server HMAC algorithms:

sha2-256: Specifies the HMAC algorithm sha2-256.

sha2-512: Specifies the HMAC algorithm sha2-512.

Keywords for specifying the preferred key exchange algorithms:

ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.

ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.

The following keywords were modified:

Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

Keywords for the preferred key exchange algorithm prefer-kex:

The dh-group-exchange keyword was changed to dh-group-exchange-sha1.

The dh-group1 keyword was changed to dh-group1-sha1.

The dh-group14 keyword was changed to dh-group14-sha1.

Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

The default settings for the following algorithms were changed:

For the preferred client-to-server encryption algorithm prefer-ctos-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

For the preferred key exchange algorithm prefer-kex:

Before modification: The default is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode.

After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.

For the preferred server-to-client encryption algorithm prefer-stoc-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

Modified command: sftp ipv6

Old syntax

In non-FIPS mode:

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

New syntax

In non-FIPS mode:

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Change description

The following keywords were added:

Keywords for specifying PKI domains used in certificate verification:

pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

The PKI domain name cannot contain any of the following characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), colon (:), or apostrophe (').

Keywords for specifying the public key algorithms used in publickey authentication:

ecdsa: Specifies the public key algorithm ecdsa.

x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.

Keywords for specifying the preferred client-to-server encryption algorithms:

aes128-ctr: Specifies the encryption algorithm aes128-ctr.

aes192-ctr: Specifies the encryption algorithm aes192-ctr.

aes256-ctr: Specifies the encryption algorithm aes256-ctr.


aes256-gcm: Specifies the encryption algorithm aes256-gcm.

aes128-gcm: Specifies the encryption algorithm aes128-gcm.

Keywords for specifying the preferred client-to-server HMAC algorithms:

sha2-256: Specifies the HMAC algorithm sha2-256.

sha2-512: Specifies the HMAC algorithm sha2-512.

Keywords for specifying the preferred key exchange algorithms:

ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.

ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.

The following keywords were modified:

Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

Keywords for the preferred key exchange algorithm prefer-kex:

The dh-group-exchange keyword was changed to dh-group-exchange-sha1.

The dh-group1 keyword was changed to dh-group1-sha1.

The dh-group14 keyword was changed to dh-group14-sha1.

Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

The default settings for the following algorithms were changed:

For the preferred client-to-server encryption algorithm prefer-ctos-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

For the preferred key exchange algorithm prefer-kex:

Before modification: The default is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode.

After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.


For the preferred server-to-client encryption algorithm prefer-stoc-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

Modified command: ssh2

Old syntax

In non-FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | escape character | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

New syntax

In non-FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

In FIPS mode:

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Change description

The following keywords were added:

Keywords for specifying PKI domains used in certificate verification:

pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

The PKI domain name cannot contain any of the following characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), colon (:), or apostrophe (').

Keywords for specifying the public key algorithms used in publickey authentication:

ecdsa: Specifies the public key algorithm ecdsa.

x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.

Keywords for specifying the preferred client-to-server encryption algorithms:

aes128-ctr: Specifies the encryption algorithm aes128-ctr.

aes192-ctr: Specifies the encryption algorithm aes192-ctr.

aes256-ctr: Specifies the encryption algorithm aes256-ctr.


aes256-gcm: Specifies the encryption algorithm aes256-gcm.

aes128-gcm: Specifies the encryption algorithm aes128-gcm.

Keywords for specifying the preferred client-to-server HMAC algorithms:

sha2-256: Specifies the HMAC algorithm sha2-256.

sha2-512: Specifies the HMAC algorithm sha2-512.

Keywords for specifying the preferred key exchange algorithms:

ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.

ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.

The following keywords were modified:

Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

Keywords for the preferred key exchange algorithm prefer-kex:

The dh-group-exchange keyword was changed to dh-group-exchange-sha1.

The dh-group1 keyword was changed to dh-group1-sha1.

The dh-group14 keyword was changed to dh-group14-sha1.

Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

The default settings for the following algorithms were changed:

For the preferred client-to-server encryption algorithm prefer-ctos-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

For the preferred key exchange algorithm prefer-kex:

Before modification: The default is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode.

After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.


For the preferred server-to-client encryption algorithm prefer-stoc-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

Modified command: ssh2 ipv6

Old syntax

In non-FIPS mode:

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | escape character | publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

New syntax

In non-FIPS mode:

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

In FIPS mode:


ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ escape character | { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Change description

The following keywords were added:

Keywords for specifying PKI domains used in certificate verification:

pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.

server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.

The PKI domain name cannot contain any of the following characters: tilde (~), asterisk (*), backslash (\), vertical bar (|), dot (.), left angle bracket (<), right angle bracket (>), quotation marks ("), colon (:), or apostrophe (').

Keywords for specifying the public key algorithms used in publickey authentication:

ecdsa: Specifies the public key algorithm ecdsa.

x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.

x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.

Keywords for specifying the preferred client-to-server encryption algorithms:


aes128-ctr: Specifies the encryption algorithm aes128-ctr.

aes192-ctr: Specifies the encryption algorithm aes192-ctr.

aes256-ctr: Specifies the encryption algorithm aes256-ctr.

aes256-gcm: Specifies the encryption algorithm aes256-gcm.

aes128-gcm: Specifies the encryption algorithm aes128-gcm.

Keywords for specifying the preferred client-to-server HMAC algorithms:

sha2-256: Specifies the HMAC algorithm sha2-256.

sha2-512: Specifies the HMAC algorithm sha2-512.

Keywords for specifying the preferred key exchange algorithms:

ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.

ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.

The following keywords were modified:

Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

Keywords for the preferred key exchange algorithm prefer-kex:

The dh-group-exchange keyword was changed to dh-group-exchange-sha1.

The dh-group1 keyword was changed to dh-group1-sha1.

The dh-group14 keyword was changed to dh-group14-sha1.

Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:

The 3des keyword was changed to 3des-cbc.

The aes128 keyword was changed to aes128-cbc.

The aes256 keyword was changed to aes256-cbc.

The des keyword was changed to des-cbc.

The default settings for the following algorithms were changed:

For the preferred client-to-server encryption algorithm prefer-ctos-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.

For the preferred key exchange algorithm prefer-kex:


Before modification: The default is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode.

After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.

For the preferred server-to-client encryption algorithm prefer-stoc-cipher:

Before modification: The default is aes128.

After modification: The default is aes128-ctr.

For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:

Before modification: The default is sha1.

After modification: The default is sha2-256.
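The change descriptions for sftp ipv6, ssh2 and ssh2 ipv6 above share one practical consequence: a prefer-* keyword only sets the algorithm the client proposes first, the legacy CBC, DES, MD5 and SHA-1 keywords remain selectable, and the new defaults (ecdh-sha2-nistp256, aes128-ctr, sha2-256) only take effect when the server also offers them. The following Python script is an added illustration, not code from the HPE documentation. It models the RFC 4253 negotiation with the keyword sets transcribed from the new syntax (non-FIPS and FIPS mode) and flags a session that lands on a legacy algorithm. Assumptions: the preferred keyword is placed first in the client's proposal and the other supported algorithms follow in the order listed here (the page only names the preferred one), and the two server offers are constructed.

```python
"""RFC 4253 algorithm negotiation with the MSR SSH client keyword sets.

Added example; not code from the HPE release notes. Client lists are
transcribed from the new-syntax prefer-* keywords; the order of the
non-preferred entries and the server offers are assumptions.
"""

# Non-FIPS client algorithm lists. The first entry is the new default after
# this change; the order of the remaining entries is an assumption.
CLIENT_LISTS = {
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "dh-group-exchange-sha1",
            "dh-group14-sha1", "dh-group1-sha1"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm", "aes256-gcm",
               "aes128-cbc", "aes256-cbc", "3des-cbc", "des-cbc"],
    "hmac": ["sha2-256", "sha2-512", "sha1", "sha1-96", "md5", "md5-96"],
}

# Keywords the FIPS-mode syntax on this page still accepts.
FIPS_KEYWORDS = {
    "kex": {"dh-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"},
    "cipher": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr",
               "aes256-ctr", "aes128-gcm", "aes256-gcm"},
    "hmac": {"sha1", "sha1-96", "sha2-256", "sha2-512"},
}

# Legacy choices a session should not be allowed to land on.
WEAK = {"des-cbc", "3des-cbc", "aes128-cbc", "aes256-cbc",
        "md5", "md5-96", "sha1", "sha1-96", "dh-group1-sha1"}


def prefer(algs, keyword):
    """Model a prefer-* keyword: move it to the front of the client's proposal."""
    if keyword not in algs:
        raise ValueError(f"{keyword!r} is not an accepted keyword in this mode")
    return [keyword] + [a for a in algs if a != keyword]


def negotiate(client, server):
    """RFC 4253 section 7.1: the first algorithm in the client's list that the
    server also supports is chosen; None means the connection fails."""
    server_set = set(server)
    for alg in client:
        if alg in server_set:
            return alg
    return None


def negotiate_session(server_offer, fips=False, **prefs):
    """Negotiate kex, cipher and hmac for one session.

    prefs maps a category to the keyword given with prefer-kex,
    prefer-ctos-cipher or prefer-ctos-hmac; a category without a keyword
    uses the new default. Returns (chosen, weak), where weak lists the
    chosen algorithms that are in WEAK."""
    chosen = {}
    for cat, algs in CLIENT_LISTS.items():
        client = [a for a in algs if not fips or a in FIPS_KEYWORDS[cat]]
        if cat in prefs:
            client = prefer(client, prefs[cat])
        chosen[cat] = negotiate(client, server_offer[cat])
    weak = sorted(a for a in chosen.values() if a in WEAK)
    return chosen, weak


# Constructed server offers (not from the page): one hardened server that
# dropped CBC, SHA-1 MACs and group1, and one legacy server that only speaks
# the pre-change algorithm set.
HARDENED_SERVER = {
    "kex": ["ecdh-sha2-nistp384", "ecdh-sha2-nistp256", "dh-group14-sha1"],
    "cipher": ["aes256-gcm", "aes128-gcm", "aes256-ctr", "aes128-ctr"],
    "hmac": ["sha2-512", "sha2-256"],
}
LEGACY_SERVER = {
    "kex": ["dh-group-exchange-sha1", "dh-group1-sha1"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "hmac": ["sha1", "md5"],
}

if __name__ == "__main__":
    print("hardened:", negotiate_session(HARDENED_SERVER))
    print("legacy:  ", negotiate_session(LEGACY_SERVER))
    print("legacy, prefer-kex dh-group1-sha1:",
          negotiate_session(LEGACY_SERVER, kex="dh-group1-sha1"))
    print("legacy, FIPS mode:", negotiate_session(LEGACY_SERVER, fips=True))
```

Against the legacy server the new defaults silently fall back to aes128-cbc and sha1, so the default change alone does not remove the legacy algorithms from a session; that requires the server side to stop offering them or FIPS mode on the client, which in the last run fails the key exchange outright rather than accepting dh-group-exchange-sha1.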

New command: fips kdf ssh

Use fips kdf ssh to generate a validation file in an SSH Key Derivation Function (KDF) test.

Syntax

fips kdf ssh import single-request-file export validation-file

Views

Probe view

Predefined user roles

network-admin

Parameters

import single-request-file: Specifies the name of the single request file generated by CAVS.

export validation-file: Specifies a name for the validation file to be generated.

Usage guidelines

SSH gets parameters from the single request file and sends them to the key derivation module. After the key derivation module returns the calculation result, SSH stores the calculation result in the validation file.

Examples

# Specify ssh.req and ssh.txt as the single request file and the validation file, respectively.

<Sysname> system-view

[Sysname] probe

[Sysname-probe] fips kdf ssh import ssh.req export ssh.txt
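The computation that fips kdf ssh hands to the key derivation module is the one in RFC 4253 section 7.2: each of the six session keys is HASH(K || H || letter || session_id), extended with HASH(K || H || K1 || ...) when the requested length exceeds one digest. The Python below is an added example, not HPE code; it implements that derivation for the key exchange methods this release supports so that a result for a given K, H and session ID can be compared with the corresponding line of a validation file. The CAVS request file format is not reproduced, all inputs are constructed, and the hash-per-method mapping follows RFC 4253 and RFC 5656.

```python
"""SSH key derivation (RFC 4253 section 7.2), the computation exercised by
the SSH KDF CAVS test.

Added example; not code from the HPE release notes. Inputs are constructed.
"""
import hashlib

# Hash function of each key exchange method the client can offer
# (RFC 4253 section 8, RFC 4419, RFC 5656 section 6.2).
KEX_HASH = {
    "dh-group1-sha1": "sha1",
    "dh-group14-sha1": "sha1",
    "dh-group-exchange-sha1": "sha1",
    "ecdh-sha2-nistp256": "sha256",
    "ecdh-sha2-nistp384": "sha384",
}

# Key letters from RFC 4253 section 7.2, keyed by the name used below.
KEY_LETTERS = {
    "iv_c2s": b"A", "iv_s2c": b"B",
    "enc_c2s": b"C", "enc_s2c": b"D",
    "mac_c2s": b"E", "mac_s2c": b"F",
}


def mpint(k: int) -> bytes:
    """SSH mpint encoding of a non-negative integer (RFC 4251 section 5):
    4-byte length, then big-endian bytes, with a leading 0x00 added when the
    most significant bit would otherwise be set."""
    if k < 0:
        raise ValueError("the shared secret K is never negative")
    if k == 0:
        return b"\x00\x00\x00\x00"
    raw = k.to_bytes((k.bit_length() + 8) // 8, "big")
    return len(raw).to_bytes(4, "big") + raw


def kex_hash(kex: str, data: bytes) -> bytes:
    """HASH of the negotiated key exchange method."""
    return hashlib.new(KEX_HASH[kex], data).digest()


def derive_key(kex: str, K: int, H: bytes, letter: bytes,
               session_id: bytes, length: int) -> bytes:
    """K1 = HASH(K || H || X || session_id), Kn = HASH(K || H || K1 || ... || Kn-1);
    the key is K1 || K2 || ... truncated to length bytes. K is encoded as an
    mpint; H and session_id are used as raw digests."""
    k_enc = mpint(K)
    out = kex_hash(kex, k_enc + H + letter + session_id)
    while len(out) < length:
        out += kex_hash(kex, k_enc + H + out)
    return out[:length]


def derive_all(kex: str, K: int, H: bytes, session_id: bytes,
               iv_len: int, enc_len: int, mac_len: int) -> dict:
    """Derive the six keys one CAVS request asks for, as raw bytes."""
    lengths = {"iv": iv_len, "enc": enc_len, "mac": mac_len}
    return {
        name: derive_key(kex, K, H, letter, session_id, lengths[name.split("_")[0]])
        for name, letter in KEY_LETTERS.items()
    }


if __name__ == "__main__":
    # Constructed inputs standing in for one request: on a first key
    # exchange the session ID equals the exchange hash H.
    K = int.from_bytes(hashlib.sha256(b"constructed shared secret").digest(), "big")
    H = hashlib.sha256(b"constructed exchange hash").digest()
    for name, value in derive_all("ecdh-sha2-nistp256", K, H, H, 16, 16, 32).items():
        print(f"{name} = {value.hex()}")
```

The mpint encoding is the detail that most often makes a home-grown check disagree with a validation file: a K whose top bit is set gets a leading zero byte and a longer length prefix, which changes every derived key.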


New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group

Configuring BGP to ignore the first AS number of EBGP route updates for a peer or peer group

By default, BGP checks the first AS number of a received EBGP route update. If the first AS number is neither the AS number of the BGP peer nor a private AS number, the BGP router disconnects the BGP session to the peer.

To ignore the first AS number of EBGP route updates for a peer or peer group:

Step 109. Enter system view.
Command: system-view
Remarks: N/A

Step 110. Enter BGP instance view or BGP-VPN instance view.
Command: To enter BGP instance view, use bgp as-number. To enter BGP-VPN instance view, use bgp as-number and then ip vpn-instance vpn-instance-name.
Remarks: N/A

Step 111. Configure BGP to ignore the first AS number of EBGP route updates for a peer or peer group.
Command: peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as
Remarks: By default, BGP checks the first AS number of EBGP route updates.

Command reference

peer ignore-first-as

Use peer ignore-first-as to configure BGP to ignore the first AS number of EBGP route updates for a peer or peer group.

Use undo peer ignore-first-as to restore the default.

Syntax

peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as

undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as


Default

BGP checks the first AS number of a received EBGP route update.

Views

BGP instance view

BGP-VPN instance view

Predefined user roles

network-admin

Parameters

group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must have been created.

ipv4-address: Specifies a peer by its IPv4 address. The peer must have been created.

mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a subnet, BGP ignores the first AS number of EBGP route updates for all dynamic peers in the subnet.

ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.

prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, BGP ignores the first AS number of EBGP route updates for all dynamic peers in the subnet.

Usage guidelines

By default, BGP checks the first AS number of a received EBGP route update. If the first AS number is neither the AS number of the BGP peer nor a private AS number, the BGP router disconnects the BGP session to the peer.

The peer ignore-first-as command takes effect only on routes received after the configuration of the command. After you configure the undo peer ignore-first-as command, BGP requests the EBGP peer or peer group to resend the routes.

Examples

# In BGP instance view, configure BGP to ignore the first AS number of EBGP route updates for the peer group test.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp-default] peer test ignore-first-as
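The first-AS check is a cheap sanity test against a neighbor injecting an AS_PATH that does not begin with its own AS number; peer ignore-first-as removes that test for one peer or peer group, so it should be configured only for the neighbors that need it. The Python below is an added illustration, not HPE code. It implements the check as the page describes it (the leading AS must be the peer's AS or a private AS) and shows, on a constructed batch of updates, which prefixes are accepted and which one tears the session down with and without the command. Private AS ranges are taken from RFC 6996; treating an empty AS_PATH as failing the check is an assumption.

```python
"""First-AS check on EBGP UPDATE messages, as performed by default and as
switched off by peer ignore-first-as.

Added example; not HPE code. Private AS ranges are from RFC 6996 and the
sample updates are constructed.
"""

# 16-bit and 32-bit private AS ranges (RFC 6996).
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_as(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)


def first_as_ok(as_path, peer_as: int, ignore_first_as: bool = False) -> bool:
    """The leading AS of an EBGP UPDATE must be the peer's AS or a private AS
    unless peer ignore-first-as is configured. Assumption: an empty AS_PATH
    has no first AS to match and fails the check."""
    if ignore_first_as:
        return True
    if not as_path:
        return False
    first = as_path[0]
    return first == peer_as or is_private_as(first)


def process_session(updates, peer_as: int, ignore_first_as: bool = False):
    """Feed (prefix, as_path) updates through the check. A failing UPDATE
    disconnects the session, so processing stops there. Returns the prefixes
    accepted before that point and the offending prefix (None if all pass)."""
    accepted = []
    for prefix, as_path in updates:
        if not first_as_ok(as_path, peer_as, ignore_first_as):
            return accepted, prefix
        accepted.append(prefix)
    return accepted, None


# Constructed UPDATEs from an EBGP peer in AS 65001. The third carries an
# AS_PATH that does not start with the peer's AS (a leaked or spoofed path).
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [65001, 3356]),
    ("198.51.100.0/24", [64512, 65001]),       # private first AS is tolerated
    ("203.0.113.0/24", [3356, 65001]),          # fails the default check
    ("203.0.113.128/25", [4200000001, 65001]),  # 32-bit private AS
]

if __name__ == "__main__":
    print("default:        ", process_session(SAMPLE_UPDATES, 65001))
    print("ignore-first-as:", process_session(SAMPLE_UPDATES, 65001, ignore_first_as=True))
```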


Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces

Feature change description

Layer 3 Ethernet subinterfaces can be assigned to Layer 3 aggregation groups. The following commands are supported in Layer 3 Ethernet subinterface view:

lacp mode

lacp period short

link-aggregation port-priority

port link-aggregation group

To configure a Layer 3 static aggregation group:

Step 112. Enter system view.
Command: system-view
Remarks: N/A

Step 113. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
Command: interface route-aggregation interface-number
Remarks: When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.

Step 114. Return to system view.
Command: quit
Remarks: N/A

Step 115. Assign an interface or subinterface to the specified Layer 3 aggregation group.
Command:
a. Enter Layer 3 Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }
b. Assign the interface or subinterface to the specified Layer 3 aggregation group: port link-aggregation group number
Remarks: Repeat these two substeps to assign more Layer 3 Ethernet interfaces or subinterfaces to the aggregation group.

To configure a Layer 3 dynamic aggregation group:

Step 116. Enter system view.
Command: system-view
Remarks: N/A

Step 117. Set the system LACP priority.
Command: lacp system-priority system-priority
Remarks: By default, the system LACP priority is 32768. Changing the system LACP priority might affect the aggregation states of the ports in the dynamic aggregation group.

Step 118. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
Command: interface route-aggregation interface-number
Remarks: When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.

Step 119. Configure the aggregation group to operate in dynamic mode.
Command: link-aggregation mode dynamic
Remarks: By default, an aggregation group operates in static mode.

Step 120. Return to system view.
Command: quit
Remarks: N/A

Step 121. Assign an interface or subinterface to the specified Layer 3 aggregation group.
Command:
a. Enter Layer 3 Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }
b. Assign the interface or subinterface to the specified Layer 3 aggregation group: port link-aggregation group number
Remarks: Repeat these two substeps to assign more Layer 3 Ethernet interfaces or subinterfaces to the aggregation group.

Step 122. Set the LACP operating mode for the interface or subinterface.
Command: To set the LACP operating mode to passive, use lacp mode passive. To set the LACP operating mode to active, use undo lacp mode.
Remarks: By default, LACP is operating in active mode.

Step 123. Set the port priority for the interface or subinterface.
Command: link-aggregation port-priority port-priority
Remarks: The default setting is 32768.

Step 124. Set the short LACP timeout interval (3 seconds) for the interface or subinterface.
Command: lacp period short
Remarks: By default, the long LACP timeout interval (90 seconds) is used by the interface or subinterface. To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before performing the ISSU. For more information about ISSU, see Fundamentals Configuration Guide.

Command changes

Modified command: lacp mode

Syntax

lacp mode passive

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view

Change description

Layer 3 Ethernet subinterface view was added.

Modified command: lacp period short

Syntax

lacp period short

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view

Change description

Layer 3 Ethernet subinterface view was added.

Modified command: link-aggregation port-priority

Syntax

link-aggregation port-priority port-priority

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view

Change description

Layer 3 Ethernet subinterface view was added.

Modified command: port link-aggregation group

Syntax

port link-aggregation group number

Views

Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view


Change description

Layer 3 Ethernet subinterface view was added.

A Layer 3 Ethernet subinterface can belong to only one aggregation group.

You cannot create subinterfaces on a Layer 3 Ethernet interface that is in an aggregation group. You cannot assign a Layer 3 Ethernet interface that contains subinterfaces to an aggregation group.

When you assign a Layer 3 Ethernet subinterface to an aggregation group, follow these restrictions and guidelines:

As a best practice, configure the VLAN termination commands on the subinterface first if VLAN termination is required. VLAN termination configuration on the subinterface cannot be modified after the subinterface is assigned to an aggregation group.

Make sure the VLAN termination configuration is the same on all Layer 3 Ethernet subinterfaces when you assign the subinterfaces to the same aggregation group.

When you configure the vlan-type dot1q vid vlan-id-list [ loose ] command on a subinterface to be assigned a dynamic aggregation group, make sure the vlan-id-list argument specifies only one VLAN ID.

You cannot assign Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces to the same aggregation group.

You cannot create aggregate subinterfaces on a Layer 3 aggregate interface whose corresponding aggregation group uses Layer 3 Ethernet subinterfaces as member ports. You cannot assign Layer 3 Ethernet subinterfaces to an aggregation group whose corresponding aggregate interface has aggregate subinterfaces.

Modified feature: Changing the maximum number of FIB table entries

Feature change description

The maximum number of FIB entries that MSR2003 supports for the IPv4 public network is changed to 300000.

The maximum number of FIB entries that MSR2003 supports for the IPv6 public network is changed to 300000.

Command changes

None


Modified feature: Enabling CWMP

Feature change description

The default CWMP status was changed from disabled to enabled.

To enable CWMP:

Step 125. Enter system view.
Command: system-view
Remarks: N/A

Step 126. Enter CWMP view.
Command: cwmp
Remarks: N/A

Step 127. Enable CWMP.
Command: cwmp enable
Remarks: By default, CWMP is enabled.

Command changes

Modified command: cwmp enable

Syntax

cwmp enable

undo cwmp enable

Views

CWMP view

Change description

Before modification: CWMP is disabled by default.

After modification: CWMP is enabled by default. On devices that are not managed by an ACS, disable CWMP with undo cwmp enable so that the device does not keep an unused remote-management channel enabled.

Release 0305

This release has the following changes:

New feature: IKE

Modified feature: IPsec


New feature: IKE

Feature change description

IKEv2 was added.

For more information about IKEv2 configuration, see HPE FlexNetwork MSR Routers Security Configuration Guide (V7).

Command changes

New commands: IKEv2 commands

For more information about IKEv2 commands, see HPE FlexNetwork MSR Routers Security Command Reference (V7).

Modified feature: IPsec

Feature change description

IPsec was modified to support IPsecv3.

Command changes

Modified command: ah authentication-algorithm

Old syntax

In non-FIPS mode:

ah authentication-algorithm { md5 | sha1 | sm3 } *

undo ah authentication-algorithm

In FIPS mode:

ah authentication-algorithm sha1

undo ah authentication-algorithm

New syntax

In non-FIPS mode:


ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo ah authentication-algorithm

In FIPS mode:

ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *

undo ah authentication-algorithm

Views

IPsec transform set view

Change description

The following keywords were added:

aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key.

This keyword is available only for IKEv2.

sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key. This keyword is available only for IKEv2.

sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key. This keyword is available only for IKEv2.

New command: esn enable

Use esn enable to enable the Extended Sequence Number (ESN) feature.

Use undo esn enable to disable ESN.

Syntax

esn enable [ both ]

undo esn enable

Default

ESN is disabled.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

both: Specifies IPsec to support both extended sequence number and traditional sequence number.

If you do not specify this keyword, IPsec only supports extended sequence number.


Usage guidelines

The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does not need to be renegotiated.

This feature must be enabled at both the initiator and the responder.

Examples

# Enable ESN in the IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esn enable

Related commands

display ipsec transform-set
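A receive-side model of the ESN mechanism described in the usage guidelines above, added here as an example (not code from the page or from HPE): it rebuilds the 64-bit sequence number from the 32-bit value carried in the ESP header using the RFC 4303 Appendix A2 procedure and runs the anti-replay check, so the counter wrap that would force an SA renegotiation without ESN is handled. The SA state, window size and packet sequence are constructed; in a real implementation the inferred high-order bits are also fed into the ICV computation, which is not modelled here.

```python
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF


@dataclass
class EsnReceiver:
    """Receive-side ESN state for one IPsec SA.

    Only the low-order 32 bits of the 64-bit sequence number are carried in
    the ESP header. The receiver infers the high-order 32 bits from the
    highest number it has accepted so far (top) and the anti-replay window,
    following RFC 4303 Appendix A2. A wrong inference would fail the ICV
    check in a real implementation; that check is not modelled here.
    """
    window: int = 64
    top: int = 0                              # highest 64-bit number accepted
    seen: set = field(default_factory=set)    # accepted numbers inside window

    def reconstruct(self, seql: int) -> int:
        """64-bit sequence number implied by the 32-bit wire value seql."""
        th, tl = self.top >> 32, self.top & MASK32
        if tl >= self.window - 1:
            # The window lies within a single 2^32 span of the counter.
            bl = tl - self.window + 1
            seqh = th if seql >= bl else th + 1       # below bl: wrapped
        else:
            # The window straddles the 2^32 boundary.
            bl = (tl - self.window + 1) & MASK32
            seqh = th - 1 if seql >= bl else th       # at/above bl: older span
        return (seqh << 32) | seql

    def receive(self, seql: int) -> bool:
        """Anti-replay decision for one packet: True = accept, False = drop."""
        seq = self.reconstruct(seql)
        if seq < 0:
            return False  # would predate the SA (high-order bits below zero)
        if seq > self.top:
            # New highest number: accept it and slide the window forward,
            # forgetting entries that fall below the new lower edge.
            self.top = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
            self.seen.add(seq)
            return True
        if self.top - seq >= self.window:
            return False  # older than the window
        if seq in self.seen:
            return False  # replay
        self.seen.add(seq)
        return True


def time_to_exhaustion(packets_per_second: float, bits: int) -> float:
    """Seconds until a counter of the given width runs out at a steady rate,
    i.e. when an SA without ESN would have to be renegotiated."""
    return (2 ** bits - 1) / packets_per_second


def demo_wrap() -> tuple:
    """Constructed scenario: an SA that has already carried 0xFFFFFFFC packets
    then receives packets across the 32-bit wrap, one replay and one late
    arrival. Returns the per-packet decisions and the final top value."""
    rx = EsnReceiver(window=64, top=0xFFFFFFFC)
    wire = [
        0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF,  # last values before the wrap
        0x00000000, 0x00000001,              # low-order bits have wrapped
        0xFFFFFFFF,                          # replay of an accepted packet
        0xFFFFFFFB,                          # late, but still inside window
    ]
    return [rx.receive(s) for s in wire], rx.top


if __name__ == "__main__":
    decisions, top = demo_wrap()
    print(decisions, hex(top))
    print(f"32-bit counter at 1 Mpps lasts {time_to_exhaustion(1e6, 32):.0f} s;"
          f" 64-bit lasts {time_to_exhaustion(1e6, 64):.3e} s")
```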

Modified command: esp authentication-algorithm

Old syntax

In non-FIPS mode:

esp authentication-algorithm { md5 | sha1 | sm3 } *

undo esp authentication-algorithm

In FIPS mode:

esp authentication-algorithm sha1

undo esp authentication-algorithm

New syntax

In non-FIPS mode:

esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo esp authentication-algorithm

In FIPS mode:

esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *

undo esp authentication-algorithm

Views

IPsec transform set view

Change description

The following keywords were added:

aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key. This keyword is available only for IKEv2.

sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key. This keyword is available only for IKEv2.

Modified command: esp encryption-algorithm

Old syntax

Low encryption:

esp encryption-algorithm des-cbc

undo esp encryption-algorithm

High encryption (in non-FIPS mode):

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null | sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 } *

undo esp encryption-algorithm

High encryption (in FIPS mode):

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *

undo esp encryption-algorithm

New syntax

Low encryption:

esp encryption-algorithm des-cbc

undo esp encryption-algorithm

High encryption (in non-FIPS mode):

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *

undo esp encryption-algorithm

High encryption (in FIPS mode):

esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *

undo esp encryption-algorithm


Views

IPsec transform set view

Change description

The following keywords were added:

aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2.

aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.

aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key. This keyword is available only for IKEv2.

camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv2.

camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key. This keyword is available only for IKEv2.

camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key. This keyword is available only for IKEv2.

gmac-128: Specifies the GMAC algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

gmac-192: Specifies the GMAC algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.

gmac-256: Specifies the GMAC algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

gcm-128: Specifies the GCM algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

gcm-192: Specifies the GCM algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.

gcm-256: Specifies the GCM algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

sm4-cbc: Specifies SM4 algorithm in CBC mode, which uses a 128-bit key.

Modified command: pfs

Old syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }

undo pfs

In FIPS mode:


pfs dh-group14

undo pfs

New syntax

In non-FIPS mode:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 }

undo pfs

In FIPS mode:

pfs { dh-group14 | dh-group19 | dh-group20 }

undo pfs

Views

IPsec transform set view

Change description

The following keywords were added:

dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

dh-group20: Uses 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

New command: tfc enable

Use tfc enable to enable the Traffic Flow Confidentiality (TFC) padding feature.

Use undo tfc enable to disable TFC padding.

Syntax

tfc enable

undo tfc enable

Default

TFC padding is disabled.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Usage guidelines

The TFC padding feature can hide the length of the original packet and might affect the packet encapsulation and de-encapsulation performance. This feature takes effect on UDP packets encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode.

Examples

# Enable TFC padding for the IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable

Related commands

display ipsec ipv6-policy

display ipsec policy

Modified command: public-key local create

Old syntax

public-key local create { dsa | ecdsa | rsa } [ name key-name ]

New syntax

public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]

Views

System view

Change description

The following keywords were added:

secp192r1: Uses the secp192r1 curve to create a 192-bit ECDSA key pair. The secp192r1 curve is used by default.

secp256r1: Uses the secp256r1 curve to create a 256-bit ECDSA key pair.

secp384r1: Uses the secp384r1 curve to create a 384-bit ECDSA key pair.

Modified command: public-key ecdsa

Old syntax

public-key ecdsa name key-name

New syntax

public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 ]

Views

PKI domain view

Change description

The following keywords were added:


secp192r1: Uses the secp192r1 curve to generate the key pair.

secp256r1: Uses the secp256r1 curve to generate the key pair.

secp384r1: Uses the secp384r1 curve to generate the key pair.

Release 0304P12

This release has the following changes:

New feature: Including vendor information in PPP accounting requests

New feature: BFD for an aggregation group

Modified feature: SSH username

Modified feature: IS-IS hello packet sending interval

Modified feature: MP-group interface numbering

New feature: Including vendor information in PPP accounting requests

Configuring the inclusion of vendor information in PPP accounting requests

This feature enables vendor information to be included in PPP accounting requests.

Command reference

pppoe-server account-vendor

Use pppoe-server account-vendor to include vendor information in PPP accounting requests.

Use undo pppoe-server account-vendor to exclude vendor information from PPP accounting requests.

Syntax

pppoe-server account-vendor { adsl-forum | cn-telecom }

undo pppoe-server account-vendor { adsl-forum | cn-telecom }

Default

Vendor information is not included in PPP accounting requests.

Views

Ethernet interface view

Ethernet subinterface view

Predefined user roles

network-admin

Parameters

adsl-forum: Specifies the ADSL forum vendor information.

cn-telecom: Specifies the China Telecom vendor information.

Examples

# Include China Telecom vendor information in the PPP accounting requests.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] pppoe-server account-vendor cn-telecom

New feature: BFD for an aggregation group

Configuring BFD for an aggregation group

BFD for Ethernet link aggregation can monitor member link status in an aggregation group. After you enable BFD on an aggregate interface, each Selected port in the aggregation group establishes a BFD session with its peer port. BFD operates differently depending on the aggregation modes.

BFD for static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link aggregation module that the peer port is unreachable. The local port is placed in Unselected state. The BFD session between the local and peer ports remains, and the local port keeps sending BFD packets. When the link is recovered, the local port receives BFD packets from the peer port, and BFD notifies the Ethernet link aggregation module that the peer port is reachable. The local port is placed in Selected state again. This mechanism ensures that the local and peer ports of a static aggregate link have the same aggregation state.

BFD for dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet link aggregation module that the peer port is unreachable. BFD clears the session and stops sending BFD packets. When the link is recovered and the local port is placed in Selected state again, the local port establishes a new session with the peer port. BFD notifies the Ethernet link aggregation module that the peer port is reachable. Because BFD provides fast failure detection, the local and peer systems of a dynamic aggregate link can negotiate the aggregation state of their member ports faster.

For more information about BFD, see High Availability Configuration Guide.


Configuration restrictions and guidelines

When you enable BFD for an aggregation group, follow these restrictions and guidelines:

Make sure the source and destination IP addresses are consistent at two ends of an aggregate link. For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2 on the local end, execute link-aggregation bfd ipv4 source 2.2.2.2 destination 1.1.1.1 on the peer end. The source and destination IP addresses cannot be the same.

The BFD parameters configured on an aggregate interface take effect on all BFD sessions in the aggregation group. BFD sessions for link aggregation do not support the echo packet mode and the Demand mode.

HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled aggregate interface.

Make sure the number of member ports in a BFD-enabled aggregation group is not larger than the number of BFD sessions supported by the device. Otherwise, this command might cause some Selected ports in the aggregation group to change to the Unselected state.

Configuration procedure

To enable BFD for an aggregation group:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter Layer 3 aggregate interface view. | interface route-aggregation interface-number | N/A
3. Enable BFD for the aggregation group. | link-aggregation bfd ipv4 source ip-address destination ip-address | By default, BFD is disabled for an aggregation group.

Command reference

link-aggregation bfd ipv4

Use link-aggregation bfd ipv4 to enable BFD for an aggregation group.

Use undo link-aggregation bfd to disable BFD for an aggregation group.

Syntax

link-aggregation bfd ipv4 source ip-address destination ip-address

undo link-aggregation bfd

Default

BFD is disabled for an aggregation group.


Views

Layer 3 aggregate interface view

Predefined user roles

network-admin

Parameters

source ip-address: Specifies the unicast source IP address of BFD sessions. The source IP address cannot be 0.0.0.0.

destination ip-address: Specifies the unicast destination IP address of BFD sessions. The destination IP address cannot be 0.0.0.0.

Usage guidelines

Make sure the source and destination IP addresses are consistent at two ends of an aggregate link.

For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2 on the local end, execute link-aggregation bfd ipv4 source 2.2.2.2 destination 1.1.1.1 on the peer end.

The source and destination IP addresses cannot be the same.

The BFD parameters configured on an aggregate interface take effect on all BFD sessions in the aggregation group. BFD sessions for link aggregation do not support the echo packet mode and the Demand mode.

HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled aggregate interface.

Make sure the number of member ports in a BFD-enabled aggregation group is not larger than the number of BFD sessions supported by the device. Otherwise, this command might cause some Selected ports in the aggregation group to change to the Unselected state.

Examples

# Enable BFD for Layer 3 aggregation group 1, and specify the source and destination IP addresses as 1.1.1.1 and 2.2.2.2 for BFD sessions.

<Sysname> system-view

[Sysname] interface route-aggregation 1

[Sysname-Route-Aggregation1] link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2
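A configuration cross-check for the restrictions listed above, added here as an example (not the page's or HPE's code): it reads the link-aggregation bfd ipv4 line from both ends' aggregate interface configuration and reports addresses that are not mirrored, 0.0.0.0, non-unicast or identical addresses, and a member-port count above the device's BFD session limit. The interface configurations and the session limit are constructed.

```python
from __future__ import annotations

import ipaddress
import re

# The command exactly as it appears in an aggregate interface's configuration.
BFD_LINE = re.compile(
    r"^\s*link-aggregation bfd ipv4 source (\S+) destination (\S+)\s*$", re.MULTILINE
)
ZERO = ipaddress.IPv4Address("0.0.0.0")
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_bfd(config: str) -> tuple[ipaddress.IPv4Address, ipaddress.IPv4Address] | None:
    """(source, destination) from the interface's BFD line, or None if BFD is off."""
    m = BFD_LINE.search(config)
    if m is None:
        return None
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))


def check_end(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> list[str]:
    """Per-end rules: no 0.0.0.0, unicast only, and the two addresses differ."""
    findings = []
    for label, addr in (("source", src), ("destination", dst)):
        if addr == ZERO:
            findings.append(f"{label} address cannot be 0.0.0.0")
        elif addr.is_multicast or addr == BROADCAST:
            findings.append(f"{label} address must be a unicast address")
    if src == dst:
        findings.append("source and destination addresses cannot be the same")
    return findings


def check_aggregate_link(local_cfg: str, peer_cfg: str,
                         local_members: int, max_sessions: int) -> list[str]:
    """Cross-check both ends of one aggregate link. An empty list means the
    configuration satisfies every guideline checked here."""
    local, peer = parse_bfd(local_cfg), parse_bfd(peer_cfg)
    if local is None or peer is None:
        return ["BFD must be enabled on the aggregate interface at both ends"]
    findings = [f"local: {f}" for f in check_end(*local)]
    findings += [f"peer: {f}" for f in check_end(*peer)]
    # The peer's source must be our destination and vice versa.
    if (local[0], local[1]) != (peer[1], peer[0]):
        findings.append("addresses are not mirrored: local source/destination "
                        "must equal peer destination/source")
    # One BFD session per Selected member port; exceeding the device limit can
    # push member ports to the Unselected state.
    if local_members > max_sessions:
        findings.append(f"{local_members} member ports exceed the {max_sessions} "
                        "BFD sessions the device supports")
    return findings


# Constructed interface configurations (not taken from a real device).
LOCAL_CFG = """\
interface Route-Aggregation1
 link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2
"""
PEER_CFG_OK = """\
interface Route-Aggregation1
 link-aggregation bfd ipv4 source 2.2.2.2 destination 1.1.1.1
"""
PEER_CFG_COPIED = """\
interface Route-Aggregation1
 link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2
"""
LOCAL_CFG_ZERO = """\
interface Route-Aggregation1
 link-aggregation bfd ipv4 source 0.0.0.0 destination 2.2.2.2
"""

if __name__ == "__main__":
    for name, local, peer in (("mirrored", LOCAL_CFG, PEER_CFG_OK),
                              ("copied", LOCAL_CFG, PEER_CFG_COPIED),
                              ("zero source", LOCAL_CFG_ZERO, PEER_CFG_OK)):
        print(name, check_aggregate_link(local, peer, 4, 8) or ["ok"])
```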

Modified feature: SSH username

Feature change description

In this release, an SSH username cannot be a, al, all, or include the following characters:

\ | / : * ? < >

The at sign (@) can only be used in the username format pureusername@domain when the username contains an ISP domain name.


Command changes

Modified command: ssh user

Syntax

In non-FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } }

undo ssh user username

In FIPS mode:

ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey assign { pki-domain domain-name | publickey keyname } }

undo ssh user username

Views

System view

Change description

Before modification: The username argument is a case-insensitive string of 1 to 80 characters. If the username contains an ISP domain name, use the format pureusername@domain.

After modification: The username argument is a case-insensitive string of 1 to 80 characters, excluding a, al, all, and the following characters:

\ | / : * ? < >

The at sign (@) can only be used in the username format pureusername@domain when the username contains an ISP domain name.
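A validator for the username rules above, added here as an example (not the page's or HPE's code); it checks the length, the forbidden characters, the reserved names and the single pureusername@domain use of '@', and assumes the reserved-name check is case-insensitive because the username itself is. The candidate names are constructed.

```python
from __future__ import annotations

# Rules from the R0304P12 change: 1 to 80 characters, case-insensitive, not the
# reserved names a/al/all, none of the characters \ | / : * ? < >, and '@' only
# as the separator in pureusername@domain.
FORBIDDEN = set("\\|/:*?<>")
RESERVED = {"a", "al", "all"}
MAX_LEN = 80


def validate_ssh_username(username: str) -> tuple[bool, str]:
    """Return (accepted, reason); reason is 'ok' when the name is acceptable."""
    if not 1 <= len(username) <= MAX_LEN:
        return False, f"length must be 1 to {MAX_LEN} characters"
    bad = sorted(FORBIDDEN & set(username))
    if bad:
        return False, "forbidden character(s): " + " ".join(bad)
    # Usernames are case-insensitive, so the reserved-name check is too
    # (assumption: 'ALL' collides with the reserved name 'all').
    if username.lower() in RESERVED:
        return False, f"{username!r} is reserved"
    if "@" in username:
        pure, _, domain = username.partition("@")
        if not pure or not domain or "@" in domain:
            return False, "'@' may appear once only, as pureusername@domain"
    return True, "ok"


def split_domain(username: str) -> tuple[str, str | None]:
    """Return (pure username, ISP domain or None) for an accepted name."""
    ok, reason = validate_ssh_username(username)
    if not ok:
        raise ValueError(reason)
    pure, _, domain = username.partition("@")
    return pure, domain or None


if __name__ == "__main__":
    # Constructed candidates covering each rule.
    for name in ("admin", "ALL", "al1", "alice@corp", "alice@corp@x",
                 "@corp", "bob*", "", "x" * 81):
        print(repr(name), validate_ssh_username(name))
```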

Modified feature: IS-IS hello packet sending interval

Feature change description

The value range of the interval for sending hello packets was changed to 1 to 255 seconds.


Command changes

Modified command: isis timer hello

Syntax

isis timer hello seconds [ level-1 | level-2 ]

undo isis timer hello [ level-1 | level-2 ]

Views

Interface view

Change description

The value range for the seconds argument was changed to 1 to 255 seconds.

Modified feature: MP-group interface numbering

Feature change description

In this release, the numbering for MP-group interfaces is changed.

Command changes

Modified command: interface mp-group

Syntax

interface mp-group mp-number

Views

System view

Change description

MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.

Modified command: display interface mp-group

Syntax

display interface [ mp-group [ interface-number ] ] [ brief [ description | down ] ]


Views

Any view

Change description

MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.

Modified command: ppp mp mp-group

Syntax

ppp mp mp-group mp-number

Views

Interface view

Change description

MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.

Modified command: reset counters interface mp-group

Syntax

reset counters interface [ mp-group [ interface-number ] ]

Views

Interface view

Change description

MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.

Release 0304P04

This release has the following changes:

New feature: Media Stream Control (MSC) logging

Modified feature: ESP encryption algorithms

New feature: Media Stream Control (MSC) logging

This feature enables the router to generate MSC logs and send the logs to the information center.


Command reference

sip log enable

Use sip log enable to enable Media Stream Control (MSC) logging.

Use undo sip log enable to disable MSC logging.

Syntax

sip log enable

undo sip log enable

Default

MSC logging is disabled.

Views

Voice view

Predefined user roles

network-admin

Usage guidelines

This command enables the router to generate MSC logs and send the logs to the information center.

The information center outputs the logs to a destination according to an output rule. For more information about the information center, see Network Management and Monitoring Configuration Guide.

MSC logging is used for auditing purposes.

Examples

# Enable MSC logging.

<Sysname> system-view

[Sysname] voice-setup

[Sysname-voice] sip log enable

Modified feature: ESP encryption algorithms

Feature change description

Support for the CBC-mode SM4 algorithm was added for high encryption in non-FIPS mode.


Command changes

Modified command: esp encryption-algorithm

Old Syntax

High encryption (in non-FIPS mode):

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null

| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 } *

New Syntax

High encryption (in non-FIPS mode):

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null

| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *

Views

IPsec transform set view

Change description

The sm4-cbc keyword was added to support the CBC-mode SM4 algorithm, which uses a 128-bit key.

Release 0304P02

This release has the following changes:

New feature: IMSI/SN binding authentication

New feature: Specifying a band for a 4G modem

New feature: CFD

New feature: Using tunnel interfaces as OpenFlow ports.

New feature: NETCONF support for ACL filtering

New feature: Specifying a backup traffic processing unit

New feature: WAAS

New feature: Support for the MKI field in SRTP or SRTCP packets

New feature: SIP domain name

New feature: E&M logging

Modified feature: Setting the global link-aggregation load-sharing mode


New feature: IMSI/SN binding authentication

This feature enables the device to include the IMSI/SN information in the LCP authentication information.

Command reference

ppp lcp imsi accept

Use ppp lcp imsi accept to enable the client to accept the IMSI binding authentication requests from the LNS.

Use undo ppp lcp imsi accept to restore the default.

Syntax

ppp lcp imsi accept

undo ppp lcp imsi accept

Default

The client declines the IMSI binding authentication requests from the LNS.

Views

Interface view

Predefined user roles

network-admin

Examples

# Enable the client to accept the IMSI binding authentication requests from the LNS.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp lcp imsi accept

Related commands

ppp lcp imsi request

ppp lcp imsi string

ppp lcp imsi request

Use ppp lcp imsi request to enable the LNS to initiate IMSI binding authentication requests.

Use undo ppp lcp imsi request to restore the default.


Syntax

ppp lcp imsi request

undo ppp lcp imsi request

Default

The LNS does not initiate IMSI binding authentication requests.

Views

Interface view

Predefined user roles

network-admin

Examples

# Enable the LNS to initiate IMSI binding authentication requests.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp lcp imsi request

Related commands

ppp lcp imsi accept

ppp lcp imsi string

ppp lcp imsi string

Use ppp lcp imsi string imsi-info to configure the IMSI information on the client.

Use undo ppp lcp imsi string to delete the IMSI information on the client.

Syntax

ppp lcp imsi string imsi-info

undo ppp lcp imsi string

Default

The client automatically obtains the IMSI information from its SIM card.

Views

Interface view

Predefined user roles

network-admin

Parameters

string imsi-info: Specifies the IMSI information, a case-sensitive string of 1 to 31 characters.

Examples

# Configure the IMSI information as imsi1.

<Sysname> system-view


[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp lcp imsi string imsi1

Related commands

ppp lcp imsi request

ppp lcp imsi accept

ppp lcp sn accept

Use ppp lcp sn accept to enable the client to accept the SN binding authentication requests from the LNS.

Use undo ppp lcp sn accept to restore the default.

Syntax

ppp lcp sn accept

undo ppp lcp sn accept

Default

The client declines the SN binding authentication requests from the LNS.

Views

Interface view

Predefined user roles

network-admin

Examples

# Enable the client to accept the SN binding authentication requests from the LNS.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp lcp sn accept

Related commands

ppp lcp sn request

ppp lcp sn string

ppp lcp sn request

Use ppp lcp sn request to enable the LNS to initiate SN binding authentication requests.

Use undo ppp lcp sn request to restore the default.

Syntax

ppp lcp sn request

undo ppp lcp sn request

Default

The LNS does not initiate SN binding authentication requests.

Views

Interface view

Predefined user roles

network-admin

Examples

# Enable the LNS to initiate SN binding authentication requests.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp lcp sn request

Related commands

ppp lcp sn accept

ppp lcp sn string

ppp lcp sn string

Use ppp lcp sn string sn-info to configure the SN information on the client.

Use undo ppp lcp sn string to delete the SN information on the client.

Syntax

ppp lcp sn string sn-info

undo ppp lcp sn string

Default

The client automatically obtains the SN information from its SIM card.

Views

Interface view

Predefined user roles

network-admin

Parameters

string sn-info: Specifies the SN information, a case-sensitive string of 1 to 31 characters.

Examples

# Configure the SN information as sn1.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp lcp sn string sn1


Related commands

ppp lcp sn request

ppp lcp sn accept

ppp user accept-format imsi-sn split

Use ppp user accept-format imsi-sn split splitchart to configure the separator for the received authentication information.

Use undo ppp user accept-format to restore the default.

Syntax

ppp user accept-format imsi-sn split splitchart

undo ppp user accept-format

Default

No separator is configured for the received authentication information.

Views

Interface view

Predefined user roles

network-admin

Parameters

splitchart: Specifies the separator. The separator contains one character, and it can be a letter, a digit, or any sign other than the at sign (@), slash (/), and backslash (\).

Usage guidelines

By default, the authentication information contains only the client username. If you include the IMSI or SN information in the authentication information, you need to configure the separator to separate different types of information.

If no IMSI/SN information is received from the peer during the authentication process, the IMSI/SN information split from the received authentication information is used.

Examples

# Configure the pound sign (#) as the separator for the authentication information.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp user accept-format imsi-sn split #

Related commands

ppp lcp sn request

ppp lcp imsi request

ppp lcp sn accept

ppp lcp imsi accept


ppp user attach-format imsi-sn split

Use ppp user attach-format imsi-sn split splitchart to configure the separator for the sent authentication information.

Use undo ppp user attach-format to restore the default.

Syntax

ppp user attach-format imsi-sn split splitchart

undo ppp user attach-format

Default

No separator is configured for the sent authentication information.

Views

Interface view

Predefined user roles

network-admin

Parameters

splitchart: Specifies the separator. The separator contains one character, and it can be a letter, a digit, or any sign other than the at sign (@), slash (/), and backslash (\).

Usage guidelines

By default, the authentication information contains only the client username. If you include the IMSI or SN information in the authentication information, you need to configure the separator to separate different types of information.

Examples

# Configure the pound sign (#) as the separator for the sent authentication information.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp user attach-format imsi-sn split #

Related commands

ppp lcp sn request

ppp lcp imsi request

ppp lcp sn accept

ppp lcp imsi accept

ppp user replace

Use ppp user replace to replace the client username with the IMSI or SN information for authentication.


Use undo ppp user replace to restore the default.

Syntax

ppp user replace { imsi | sn }

undo ppp user replace

Default

The client username is used for authentication.

Views

Interface view

Predefined user roles

network-admin

Examples

# Replace the client username with the IMSI information for authentication.

<Sysname> system-view

[Sysname] interface virtual-template 1

[Sysname-Virtual-Template1] ppp user replace imsi

Related commands

ppp user accept-format imsi-sn split

ppp user attach-format imsi-sn split

New feature: Specifying a band for a 4G modem

You can specify a band for a 4G modem.

Command reference

lte band

Use lte band to specify a band for a 4G modem.

Use undo lte band to restore the default.

Syntax

lte band band-number

undo lte band

Default

The default setting varies by 4G modem model.

Views

Cellular interface view

Predefined user roles

network-admin

Parameters

band-number: Specifies a band for a 4G modem. The available bands vary by modem model.

Usage guidelines

This command is supported only on the following 4G modems:

Sierra MC7354 and MC7304.

Long Sung U8300C, U8300W, and U8300.

WNC DM11-2.

Examples

# Specify band 3 for Cellular 1/0.

<Sysname> system-view

[Sysname] controller cellular 1/0

[Sysname-Controller-Cellular1/0] lte band 3

New feature: CFD

The router supports the CFD feature.

New feature: Using tunnel interfaces as OpenFlow ports

The MSR1000 routers support using tunnel interfaces as OpenFlow ports.

New feature: NETCONF support for ACL filtering

The feature enables the device to use an ACL to filter NETCONF over SOAP traffic.


Command reference

netconf soap http acl

Use netconf soap http acl to apply an ACL to NETCONF over SOAP over HTTP traffic.

Use undo netconf soap http acl to remove the application.

Syntax

netconf soap http acl { acl-number | name acl-name }

undo netconf soap http acl

Default

No ACL is applied to NETCONF over SOAP over HTTP traffic.

Views

System view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 2999.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all. The specified ACL must be an IPv4 basic ACL that has already been created.

Usage guidelines

This command is not available in FIPS mode.

If you execute this command multiple times, the most recent configuration takes effect.

Only NETCONF clients permitted by the applied ACL can access the device through SOAP over HTTP.

Examples

# Use ACL 2001 to allow only NETCONF clients in the subnet 10.10.0.0/16 to access the device through SOAP over HTTP.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] netconf soap http acl 2001


netconf soap https acl

Use netconf soap https acl to apply an ACL to NETCONF over SOAP over HTTPS traffic.

Use undo netconf soap https acl to remove the application.

Syntax

netconf soap https acl { acl-number | name acl-name }

undo netconf soap https acl

Default

No ACL is applied to NETCONF over SOAP over HTTPS traffic.

Views

System view

Predefined user roles

network-admin

Parameters

acl-number: Specifies an ACL by its number in the range of 2000 to 2999.

name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, cannot be all. The specified ACL must be an IPv4 basic ACL that has already been created.

Usage guidelines

If you execute this command multiple times, the most recent configuration takes effect.

Only NETCONF clients permitted by the applied ACL can access the device through SOAP over HTTPS.

Examples

# Use ACL 2001 to allow only NETCONF clients in the subnet 10.10.0.0/16 to access the device through SOAP over HTTPS.

<Sysname> system-view

[Sysname] acl basic 2001

[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255

[Sysname-acl-ipv4-basic-2001] quit

[Sysname] netconf soap https acl 2001
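How the applied basic ACL decides which NETCONF clients may connect, as an added example (not the page's or HPE's code): it parses rule lines of the form shown above, applies the wildcard-mask semantics (a 1 bit means that bit is not compared) and evaluates the rules in configuration order with a first-match decision, refusing clients that no rule permits. The ACL text, including the extra deny rule, is constructed, and config-order matching is assumed.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# A basic ACL rule as written in the configuration. Only the source clause is
# modelled, because that is all a basic (2000 to 2999) ACL filters on.
RULE_LINE = re.compile(
    r"^\s*rule(?:\s+\d+)?\s+(permit|deny)\s+source\s+(?:(any)|(\S+)\s+(\S+))\s*$"
)
MASK32 = 0xFFFFFFFF


@dataclass
class Rule:
    action: str
    address: int   # source address from the rule
    wildcard: int  # wildcard mask: a 1 bit means "do not compare this bit"

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        care = ~self.wildcard & MASK32
        return (int(ip) & care) == (self.address & care)


def parse_basic_acl(text: str) -> list[Rule]:
    """Parse the rule lines of an IPv4 basic ACL in configuration order."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m is None:
            continue  # 'acl basic 2001', 'quit', blank lines
        action, any_kw, addr, wc = m.groups()
        if any_kw:
            rules.append(Rule(action, 0, MASK32))
        else:
            rules.append(Rule(action, int(ipaddress.IPv4Address(addr)),
                              int(ipaddress.IPv4Address(wc))))
    return rules


def netconf_client_allowed(rules: list[Rule], client_ip: str) -> bool:
    """The first rule matching the client's address decides (config match
    order assumed). A client that no rule permits is refused, since only
    clients the ACL permits may reach NETCONF over SOAP."""
    ip = ipaddress.IPv4Address(client_ip)
    for rule in rules:
        if rule.matches(ip):
            return rule.action == "permit"
    return False


# Constructed ACL: the page's permit rule plus a narrower deny placed first.
ACL_2001 = """\
acl basic 2001
 rule 0 deny source 10.10.99.0 0.0.0.255
 rule 5 permit source 10.10.0.0 0.0.255.255
 quit
"""

if __name__ == "__main__":
    rules = parse_basic_acl(ACL_2001)
    for client in ("10.10.1.7", "10.10.99.5", "10.11.0.1"):
        verdict = "permitted" if netconf_client_allowed(rules, client) else "refused"
        print(client, verdict)
```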


New feature: Specifying a backup traffic processing unit

Specifying a backup traffic processing unit

This release added support for specifying a backup traffic processing unit for an interface.

Command reference

service standby

For more information about this command, see HPE FlexNetwork MSR Command References(V7).

New feature: WAAS

Configuring WAAS

This release added support for the Wide Area Application Services (WAAS) feature in the DATA image on the following router series:

MSR1000.

MSR3000.

MSR4000.

Command reference

For more information about WAAS commands, see HPE FlexNetwork MSR Routers Layer 3 - IP Services Command Reference (V7).

New feature: Support for the MKI field in SRTP or SRTCP packets

This feature enables the router to add the MKI field to outgoing SRTP or SRTCP packets. You can set the length of the MKI field.


Command reference

mki

Use mki to add the MKI field to outgoing SRTP or SRTCP packets and set the length of the MKI field.

Use undo mki to restore the default.

Syntax

mki mki-length

undo mki

Default

Outgoing SRTP or SRTCP packets do not carry the MKI field.

Views

SIP view

Predefined user roles

network-admin

Parameters

mki-length: Specifies the length of the MKI field, in the range of 1 to 128 bits.

Usage guidelines

This command takes effect only when SRTP is the media stream protocol for SIP calls. To specify SRTP as the media stream protocol for SIP calls, use the srtp command.

Examples

# Add the MKI field to outgoing SRTP or SRTCP packets and set the length of the MKI field to 1 bit.

<Sysname> system-view

[Sysname] voice-setup

[Sysname-voice] sip

[Sysname-voice-sip] mki 1

New feature: SIP domain name

This feature enables the router to populate the CONTACT header field of outgoing SIP packets with the router's SIP domain name.


Command reference

sip-domain

Use sip-domain to populate the CONTACT header field of outgoing SIP packets with the router's SIP domain name.

Use undo sip-domain to restore the default.

Syntax

sip-domain domain-name

undo sip-domain

Default

The router populates the CONTACT header field of an outgoing SIP packet with the IP address of the outgoing interface.

Views

SIP view

Predefined user roles

network-admin

Parameters

domain-name: Specifies the SIP domain name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, underscore (_), hyphen (-), and dot (.).

Examples

# Populate the CONTACT header field of outgoing SIP packets with the SIP domain name abc.com.

<Sysname> system-view

[Sysname] voice-setup

[Sysname-voice] sip

[Sysname-voice-sip] sip-domain abc.com

New feature: E&M logging

This feature enables the router to generate E&M logs.

Command reference

em log enable

Use em log enable to enable E&M logging.


Use undo em log enable to disable E&M logging.

Syntax

em log enable

undo em log enable

Default

E&M logging is disabled.

Views

Voice view

Predefined user roles

network-admin

Usage guidelines

This command enables the router to generate E&M logs.

Examples

# Enable E&M logging.

<Sysname> system-view

[Sysname] voice-setup

[Sysname-voice] em log enable

Modified feature: Setting the global link-aggregation load-sharing mode

Feature change description

The bandwidth-usage keyword was added to the link-aggregation global load-sharing mode command. You can set the global load-sharing mode to load share traffic based on bandwidth usage.

Command changes

Modified command: link-aggregation global load-sharing mode

Old syntax

link-aggregation global load-sharing mode { destination-ip | destination-mac | destination-port | mpls-label1 | source-ip | source-mac | source-port } *

undo link-aggregation global load-sharing mode


New syntax

link-aggregation global load-sharing mode { bandwidth-usage | destination-ip | destination-mac | destination-port | mpls-label1 | source-ip | source-mac | source-port } *

undo link-aggregation global load-sharing mode

Views

System view

Change description

The bandwidth-usage keyword was added. You can specify this keyword to set the global load sharing mode to load share traffic based on bandwidth usage.

Release 0304

This release has the following changes:

New feature: Setting the RTC version

New feature: Setting the maximum size of advertisement files

New feature: IRF

New feature: Frame Relay

New feature: EVI

New feature: VPLS

New feature: Multicast VPN support for inter-AS option B

Modified feature: 802.1X redirect URL

Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server

Modified feature: Saving, rolling back, and loading the configuration

Modified feature: Displaying information about SSH users

Removed feature: Displaying fabric utilization

New feature: Setting the RTC version

Configuring the RTC version

The RTC protocol has the following versions: Version 3 and Version 5. Comware V3-based routers support only Version 3. Comware V5- or Comware V7-based routers support both Version 3 and Version 5.


To set the RTC version:

Step 1: Enter system view.

Command: system-view

Remarks: N/A

Step 2: Configure the RTC version.

Command: rta rtc version { v3 | v5 }

Remarks: By default, the router uses Version 5.

Command reference

rta rtc version

Use rta rtc version to set the RTC version.

Use undo rta rtc version to restore the default.

Syntax

rta rtc version { v3 | v5 }

undo rta rtc version

Default

The router uses RTC Version 5.

Views

System view

Predefined user roles

network-admin

Parameters

v3: Sets the RTC version to Version 3.

v5: Sets the RTC version to Version 5.

Usage guidelines

Comware V5/V7-based routers support both RTC Version 3 and Version 5. Comware V3-based routers support only RTC Version 3.

For a Comware V5/V7-based router to communicate with a Comware V3-based router, set the RTC version to Version 3 on the Comware V5/V7-based router.

For Comware V5/V7-based routers to communicate with each other, set the RTC version on the routers to the same version.

Examples

# Set the RTC version to Version 3.

<Sysname> system-view

[Sysname] rta rtc version v3


New feature: Setting the maximum size of advertisement files

Configuring the maximum size of advertisement files

You can set the maximum size of advertisement files sent to wireless clients to 10 MB when the clients access the wireless network.

Command reference

None

New feature: IRF

Configuring IRF

See HP MSR Router Series Virtual Technologies Configuration Guide (V7).

Command reference

See HPE FlexNetwork MSR Router Virtual Technologies Command Reference(V7).

New feature: Frame Relay

Configuring Frame Relay

See HPE FlexNetwork MSR Routers Layer 2 - WAN Configuration Guide(V7).

Command reference

See HPE FlexNetwork MSR Routers Layer 2 - WAN Command Reference(V7).


New feature: EVI

Configuring EVI

See HPE FlexNetwork MSR Router EVI Configuration Guide (V7).

Command reference

See HPE FlexNetwork MSR Router EVI Command Reference(V7).

New feature: VPLS

Configuring VPLS

See HPE FlexNetwork MSR Routers MPLS Configuration Guide(V7).

Command reference

See HPE FlexNetwork MSR Routers MPLS Command Reference(V7).

New feature: Multicast VPN support for inter-AS option B

Configuring Multicast VPN support for inter-AS option B

See HPE FlexNetwork MSR Routers IP Multicast Configuration Guide(V7).

Command reference

See HPE FlexNetwork MSR Routers IP Multicast Command Reference(V7).


Modified feature: 802.1X redirect URL

Feature change description

The value range for the url-string argument was changed to 1 to 256 characters for the dot1x ead-assistant url command.

Command changes

Modified command: dot1x ead-assistant url

Syntax

dot1x ead-assistant url url-string

Views

System view

Change description

Before modification: The value range for the url-string argument is 1 to 64 characters.

After modification: The value range for the url-string argument is 1 to 256 characters.

Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server

Feature change description

The source interface-type interface-number option was added to the display ntp-service trace command.

Command changes

Modified command: display ntp-service trace

Old syntax

display ntp-service trace


New syntax

display ntp-service trace [ source interface-type interface-number ]

Views

Any view

Change description

The source interface-type interface-number option was added to the display ntp-service trace command.

Modified feature: Saving, rolling back, and loading the configuration

Feature change description

The following configuration guidelines were added when you use NETCONF to save, roll back, or load the configuration:

The save, rollback, and load operations supplement NETCONF requests. Performing the operations might consume a lot of system resources.

Multiple users are allowed to simultaneously perform the save, rollback, or load operation, but the result returned to each user might be inconsistent with the user request. Do not perform the save, rollback, or load operation when a lot of users are performing the operation.

Command changes

None

Modified feature: Displaying information about SSH users

Feature change description

In this release, the display ssh user-information command does not display the public key name for an SSH user that uses password authentication.


Command changes

Modified command: display ssh user-information

Syntax

display ssh user-information [ username ]

Views

Any view

Change description

Before modification: The User-public-key-name field in the command output displays null for an SSH user that uses password authentication.

After modification: The User-public-key-name field in the command output is blank for an SSH user that uses password authentication.

Removed feature: Displaying fabric utilization

Feature change description

The device does not support displaying switching fabric channel usage on interface cards.

Removed command

display fabric utilization

Syntax

In standalone mode:

display fabric utilization [ slot slot-number ]

In IRF mode:

display fabric utilization [ chassis chassis-number slot slot-number ]

Views

Any view

ESS 0302P06


This release has the following changes:

New feature: Object policies

New feature: IPHC

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Support of PPPoE server for IPv6

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: QSIG tunneling over SIP-T

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Playout delay

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: BGP L2VPN support for NSR

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: BGP support for dynamic peers

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: ARP PnP

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: QoS soft forwarding

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Filtering by application layer protocol status

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: ADVPN support for multicast forwarding

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).


New feature: MPLS LDP support for IPv6

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Port security

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Customizable IVR

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: SRST

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: NEMO

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Support for LLDP on CPOS interfaces

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: SMS-based automatic configuration

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: ARP attack protection

New feature: SIP support for VRF

New feature: Object policies

Configuring Object policies

A zone pair has a source security zone and a destination security zone. ASPF uses zone pairs to identify the data flows to be examined. ASPF examines only received first data packets.


Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: IPHC

Configuring IPHC

The device supports PPP IPHC and frame relay IPHC.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Support of PPPoE server for IPv6

Configuring Support of PPPoE server for IPv6

On IPv6 networks, PPP negotiates only the IPv6 interface identifier instead of the IPv6 address and IPv6 DNS server address during IPv6CP negotiation.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: QSIG tunneling over SIP-T

Configuring QSIG tunneling over SIP-T

QSIG tunneling over SIP-T tunnels QSIG messages across a SIP network by encapsulating them in SIP message bodies. This feature enables ISDN networks to communicate over a SIP network.


Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Playout delay

Configuring Playout delay

By buffering incoming voice packets with different delay times for a period of time (playout delay time), the receiver can smoothly play out the voice packets to the codec. By configuring playout delay, you can prevent delay variation (jitter) from affecting voice quality.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: BGP L2VPN support for NSR

Configuring BGP L2VPN support for NSR

The active BGP process backs up BGP peers and routing information to the standby BGP process only when BGP NSR is enabled.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).


New feature: BGP support for dynamic peers

Configuring BGP support for dynamic peers

The dynamic BGP peer feature enables BGP to establish dynamic BGP peer relationships with devices in a network. BGP accepts connection requests from the network. After a device in the network initiates a connection request, BGP establishes a dynamic peer relationship with the device.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: ARP PnP

Configuring ARP PnP

The ARP plug and play (PnP) feature allows end users to access the gateway without changing their IP addresses on subnets different from the subnet where the gateway resides.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).


New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts

Configuring Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts

The two flow log export destinations (information center and log host) are mutually exclusive. Only one export destination can be used at a time. If you configure both export destinations, the flow logs are exported to the information center and are not exported to the log host.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: QoS soft forwarding

Configuring QoS soft forwarding

Configuring PQ: You can define a set of assignment rules in a PQ list and then apply the PQ list to an interface or PVC.

Configuring CQ: You can configure a CQ list that contains up to 16 queues. The CQ list specifies the following information:

The queue where a packet is placed in.

The maximum length of each queue.

The number of bytes sent from the queue during a cycle of round robin scheduling.

Configuring RTPQ.

Configuring packet information pre-extraction: To process the original IP packets with QoS on the physical interface for a tunnel interface, configure packet information pre-extraction on the tunnel interface.


Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Filtering by application layer protocol status

Configuring Filtering by application layer protocol status

ASPF inspection supports protocol status validity check for application protocols of DNS, FTP, H323, HTTP, SCCP, SIP, and SMTP. ASPF drops packets with invalid protocol status.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: ADVPN support for multicast forwarding

Configuring ADVPN support for multicast forwarding

After NBMA mode is enabled on an ADVPN tunnel interface, the interface forwards multicast data only to spokes that need the data.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).


New feature: MPLS LDP support for IPv6

Configuring MPLS LDP support for IPv6

LDP can operate on a pure IPv4 or IPv6 network or a network where IPv4 and IPv6 coexist. LDP operates similarly on IPv4 and IPv6 networks.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Port security

Configuring Port security

MAC move—This feature allows 802.1X or MAC authenticated users to move from a port to another port on the device. The authentication session is deleted from the first port, and the users are reauthenticated on the new port.

SNMP notifications for port security—This feature allows the port security module to generate SNMP notifications to report important events.

MAC authentication delay—When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or 802.1X authentication fails within the delay period, the port continues to process MAC authentication.

VLAN assignment—Both the 802.1X and MAC authentication features support VLAN assignment for users.

ACL assignment—Both the 802.1X and MAC authentication features support ACL assignment for users. You can specify an authorization ACL for a user to control the user's access to network resources. After the user passes authentication, the authentication server (local or remote) assigns the authorization ACL to the access port of the user. The ACL will filter traffic for this user.

802.1X EAD assistant—This feature allows unauthenticated 802.1X users to access the free IP. The feature also enables the device to redirect a user who is seeking to access the network to a specific URL on the free IP. For example, you can use this feature to redirect the user to the EAD client software download page.


802.1X SmartOn—This feature was developed to support the NEC 802.1X client. The device performs SmartOn authentication before 802.1X authentication. If a user fails SmartOn authentication, the device stops 802.1X authentication for the user.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Customizable IVR

Configuring Customizable IVR

Interactive voice response (IVR) is extensively used in voice communications. The IVR system enables you to customize interactive operations and humanize other services. If a subscriber dials an IVR access number, the IVR system plays the prerecorded voice prompts to direct the subscriber about how to proceed.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: SRST

Configuring SRST

SRST provides call handling for a branch office when the branch office loses connectivity to the central voice server or the WAN connection is down. An SRST router in the branch office takes over to manage calls to ensure that local phones can make and receive calls. When the WAN connection is restored, call handling reverts back to the central voice server.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).


New feature: NEMO

Configuring NEMO

As an extension of MIP, network mobility (NEMO) enables a node to retain the same IP address and maintain application connectivity when the node travels across networks. It allows location-independent routing of IP datagrams on the Internet. A mobile router is a router that operates as a mobile node connecting the mobile network and the home agent.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation

Configuring Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation

Frame Relay supports MPLS L2VPN and can then communicate with other networks through MPLS L2VPN. As a result, Layer 2 data can be transparently transmitted between Frame Relay networks through an MPLS or IP network.

When FRTS is disabled, only FR interface queues are in effect. The predefined FR PVC queues take effect only when FRTS is enabled.

The Frame Relay compression feature can compress Frame Relay packets to save bandwidth, reduce the network load, and improve the transmission efficiency for data in the Frame Relay network. The Frame Relay fragmentation feature can divide a large Frame Relay packet into several small packets, so that large packets can be transmitted over a low-speed link with a low delay.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).


New feature: Support for LLDP on CPOS interfaces

Configuring Support for LLDP on CPOS interfaces

LLDP is supported on CPOS interfaces.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: SMS-based automatic configuration

Configuring SMS-based automatic configuration

This release added support for SMS-based automatic configuration. With SMS-based automatic configuration, the device can connect to an IMC server over a 3G or 4G network to obtain a configuration file.

To initiate the SMS-based automatic configuration process, the administrator can use a cell phone or the IMC server to send a short message to the device. The IMC server sends short messages to devices through an SMS gateway. This feature can be used when the devices to be configured are widely distributed and 3G or 4G networks are available for wireless communication.

Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: ARP attack protection

Configuring ARP attack protection

None


Command reference

See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).

New feature: SIP support for VRF

Configuring SIP support for VRF

This feature enables a PE device to provide SIP services for a VPN instance. To enable this feature, you can associate the VPN instance with SIP on the PE device. The PE device uses the interface bound to the VPN instance as the source for sending SIP signaling and media streams.

Configuration guidelines

When you enable SIP support for VRF, follow these guidelines:

You cannot associate a VPN instance with SIP or remove the association when a SIP service such as calling, registration, subscription, or the keepalive function is being used.

The VPN instance to associate with SIP must be already created.

Configuration procedure

To enable SIP support for VRF:

Step 1: Enter system view.

Command: system-view

Remarks: N/A

Step 2: Create a VPN instance.

Command: ip vpn-instance vpn-instance-name

Remarks: By default, no VPN instance exists.

Step 3: Enter voice view.

Command: voice-setup

Remarks: N/A

Step 4: Enter SIP view.

Command: sip

Remarks: N/A

Step 5: Associate a VPN instance with SIP.

Command: vpn-instance vpn-instance-name

Remarks: By default, no VPN instance is associated with SIP.

Command reference

vpn-instance

Use vpn-instance to associate a VPN instance with SIP.


Use undo vpn-instance to remove the association.

Syntax

vpn-instance vpn-instance-name

undo vpn-instance

Default

No VPN instance is associated with SIP.

Views

SIP view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

The VPN instance to associate with SIP must be already created.

You cannot associate a VPN instance or remove the association when a SIP service is being used.

Examples

# Associate the VPN instance vpn-voice with SIP.

<Sysname> system-view

[Sysname] voice-setup

[Sysname-voice] sip

[Sysname-voice-sip] vpn-instance vpn-voice

Related commands

ip binding vpn-instance (MPLS Command Reference)

ip vpn-instance (MPLS Command Reference)

ESS 0102

This release has the following changes:

New feature: Portal authentication

New feature: MSDP

New feature: IPsec MIB and IKE MIB

New feature: PoE

New feature: CoPP software forwarding feature

New feature: Configuring MPLS LDP FRR

New feature: Enhanced routing features


New feature: Python

New feature: ATM

New feature: DHCP MIB

New feature: Portal authentication

Portal authentication controls user access to the Internet. Portal authenticates a user by the username and password the user enters on a portal authentication page. Therefore, portal authentication is also known as Web authentication. When portal authentication is deployed on a network, an access device redirects unauthenticated users to the website provided by a portal Web server. The users can access the resources provided by the website. If the users want to access the Internet, they must pass authentication on the website.

Portal authentication is classified into the following types:

Active authentication—Users visit the authentication website provided by the portal Web server and enter their username and password for authentication.

Forced authentication—Users visit other websites and are redirected to the portal authentication website for authentication.

Portal authentication flexibly imposes access control on the access layer and vital data entries. It has the following advantages:

Replaces client software with convenient authentication pages.

Provides ISPs with diversified management choices and extended functions. For example, the ISPs can place advertisements, provide community services, and publish information on the authentication page.

Supports multiple authentication modes. For example, re-DHCP authentication implements a flexible address assigning scheme and saves public IP addresses. Cross-subnet authentication can authenticate users residing in subnets different from the access device.

The device supports portal 2.0 and portal 3.0.

Command reference

See HPE FlexNetwork MSR Command References(V7).

New feature: MSDP

Configuring MSDP

MSDP is an inter-domain multicast solution that addresses the interconnection of PIM-SM domains. It discovers multicast source information in other PIM-SM domains.


In the basic PIM-SM mode, a multicast source registers only with the RP in the local PIM-SM domain, and the multicast source information in each domain is isolated. As a result, both of the following occur:

The RP obtains the source information only within the local domain.

A multicast distribution tree is built only within the local domain to deliver multicast data locally.

MSDP enables the RPs of different PIM-SM domains to share their multicast source information. The local RP can then join the SPT rooted at the multicast source across the PIM-SM domains. This allows multicast data to be transmitted among different domains.

With MSDP peer relationships established between appropriate routers in the network, the RPs of different PIM-SM domains are interconnected with one another. These MSDP peers exchange source active (SA) messages, so that the multicast source information is shared among these domains.

For more information about configuring MSDP, see "MSDP Configuration Guide" in HPE FlexNetwork MSR Configuration Guides(V7).

Command reference

See HPE FlexNetwork MSR Command References(V7).

New feature: IPsec MIB and IKE MIB

IPsec-Monitor-MIB (HH3C-IPSEC-MONITOR-V2-MIB) monitors IPsec tunnels. NMS can use this MIB to obtain IPsec tunnel information, including algorithms, gateway addresses, and tunnel statistics. Except for the trap function, all nodes of this MIB are read only.

Ike-Monitor-MIB (HH3C-IKE-MONITOR-MIB) monitors IKE tunnels. NMS can use this MIB to obtain IKE tunnel information.

For more information, see the MIB companion document.

New feature: PoE

Configuring PoE

IEEE 802.3af-compliant power over Ethernet (PoE) enables a power sourcing equipment (PSE) to supply power to powered devices (PDs) through Ethernet interfaces over twisted pair cables.

Examples of PDs include IP telephones, wireless APs, portable chargers, card readers, Web cameras, and data collectors. A PD can also use a different power source from the PSE at the same time for power redundancy.


For more information about configuring PoE, see "PoE Configuration Guide" in HPE FlexNetwork MSR Configuration Guides(V7).

Command reference

See HPE FlexNetwork MSR Command References(V7).

New feature: CoPP software forwarding feature

Configuring CoPP

If the rate of packets sent to the control plane exceeds the processing capabilities of the control plane (for example, when the device is suffering DoS attacks), the normal packets sent to the control plane cannot be promptly processed, thus affecting the normal operation of protocols.

To protect the management interface against DoS attacks, which will cause service interruption, you must perform traffic policing for the management interface.

CoPP allows you to perform traffic policing for the control plane or management interface control plane. By default, the predefined QoS parameters are configured for packets of each protocol sent to the control plane. Also, you can apply a user-defined QoS policy to the control plane to filter and rate-limit the packets sent to the control plane. This makes sure the control plane can correctly receive, transmit, and process packets.

Command reference

control-plane

Use control-plane to enter control plane view.

Syntax

MSR2000 / MSR3000:

control-plane

MSR4000:

control-plane slot slot-number

Views

System view


Predefined user roles

network-admin

Examples

# (MSR2000 / MSR3000.) Enter control plane view.

<Sysname> system-view

[Sysname] control-plane

[Sysname-cp]

# (MSR4000.) Enter control plane view of the card in slot 3.

<Sysname> system-view

[Sysname] control-plane slot 3

[Sysname-cp-slot3]

control-plane management

Use control-plane management to enter management interface control plane view.

IMPORTANT:

A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane.

Syntax

control-plane management

Views

System view

Predefined user roles

network-admin

Examples

# Enter management interface control plane view.

<Sysname> system-view

[Sysname] control-plane management

[Sysname-cp-management]

qos apply policy (interface view, control plane view)

IMPORTANT:

A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane.

Use qos apply policy to apply a QoS policy to an interface or a control plane.

Use undo qos apply policy to remove a QoS policy from an interface or a control plane.


Syntax

qos apply policy policy-name { inbound | outbound }

undo qos apply policy policy-name { inbound | outbound }

Default

No QoS policy is applied to an interface, a control plane, or a management interface control plane.

Views

Interface view, control plane view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.

inbound: Applies the QoS policy to the incoming traffic of an interface, a control plane, or a management interface control plane.

outbound: Applies the QoS policy to the outgoing traffic of an interface.

Usage guidelines

To successfully apply a QoS policy to an interface, make sure the total bandwidth assigned to AF and EF queues in the QoS policy is smaller than the available bandwidth of the interface. If you modify the available bandwidth of the interface to a value smaller than the total bandwidth for AF and EF queues, the applied QoS policy is removed. For a QoS policy to be applied in the inbound direction, the referenced traffic behaviors cannot be configured with any of the commands queue af, queue ef, queue wfq, and gts.

When you apply a QoS policy to an interface, follow these guidelines:

You can apply a QoS policy configured with various QoS actions (such as remark, car, gts, queue af, queue ef, queue wfq, and wred) to common physical interfaces.

An inbound QoS policy cannot contain a GTS action or any of these queuing actions: queue ef, queue af, or queue wfq.

Examples

# Apply the QoS policy named USER1 to the outgoing traffic of GigabitEthernet 0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 0/1

[Sysname-GigabitEthernet0/1] qos apply policy USER1 outbound
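The inbound restriction above (no queue af, queue ef, queue wfq, or gts in a policy applied inbound to an interface or the control plane) is easy to violate once behaviors and policies are defined in different places. The following offline checker is an added example, not HPE or Comware code: it parses a Comware-style configuration and reports every inbound policy whose referenced behaviors carry one of those actions. The traffic behavior, qos policy, and classifier ... behavior definition lines, and the sample configuration, are constructed for this example.

```python
"""Offline lint for the inbound QoS-policy restriction described above.

Constructed example, not Comware code: parses Comware-style configuration
text and reports each 'qos apply policy <name> inbound' whose policy
references a traffic behavior containing queue af, queue ef, queue wfq,
or gts.
"""
import re
from typing import Dict, List, Set, Tuple

# Actions the page lists as not allowed in a policy applied inbound.
INBOUND_FORBIDDEN = ("queue af", "queue ef", "queue wfq", "gts")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
traffic behavior POLICE
 car cir 64
traffic behavior SHAPE
 queue ef bandwidth 100
 gts cir 512
qos policy USER1
 classifier C1 behavior POLICE
qos policy USER2
 classifier C2 behavior SHAPE
interface GigabitEthernet0/1
 qos apply policy USER2 outbound
control-plane
 qos apply policy USER1 inbound
interface GigabitEthernet0/2
 qos apply policy USER2 inbound
"""


def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """Split config into (view header, [indented body lines]) blocks.

    A line without leading whitespace opens a new view (traffic behavior,
    qos policy, interface, control-plane, ...); indented lines belong to it.
    """
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_inbound_policies(text: str) -> List[str]:
    """Return findings for forbidden actions in policies applied inbound."""
    behaviors: Dict[str, Set[str]] = {}   # behavior name -> forbidden actions used
    policies: Dict[str, List[str]] = {}   # policy name -> referenced behaviors
    applied: List[Tuple[str, str, str]] = []  # (view, policy, direction)

    for header, body in parse_config(text):
        words = header.split()
        if words[:2] == ["traffic", "behavior"] and len(words) == 3:
            behaviors[words[2]] = {
                act for line in body for act in INBOUND_FORBIDDEN
                if line == act or line.startswith(act + " ")
            }
        elif words[:2] == ["qos", "policy"] and len(words) == 3:
            policies[words[2]] = [
                m.group(1) for line in body
                if (m := re.match(r"classifier\s+\S+\s+behavior\s+(\S+)", line))
            ]
        else:
            # Interface view, control plane view or management control plane view.
            for line in body:
                m = re.match(r"qos apply policy\s+(\S+)\s+(inbound|outbound)$", line)
                if m:
                    applied.append((header, m.group(1), m.group(2)))

    findings: List[str] = []
    for view, policy, direction in applied:
        if direction != "inbound":
            continue  # outbound policies may carry queuing and GTS actions
        if policy not in policies:
            findings.append(f"{view}: policy {policy} applied inbound but not defined")
            continue
        for beh in policies[policy]:
            bad = sorted(behaviors.get(beh, set()))
            if bad:
                findings.append(
                    f"{view}: policy {policy} applied inbound uses behavior {beh} "
                    f"with {', '.join(bad)} (not allowed in the inbound direction)"
                )
    return findings


if __name__ == "__main__":
    for finding in check_inbound_policies(SAMPLE_CONFIG):
        print(finding)
```

On the sample, only GigabitEthernet0/2 is reported: USER1 on the control plane carries only a car action, and USER2 on GigabitEthernet0/1 is outbound.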


New feature: Configuring MPLS LDP FRR

Configuring MPLS LDP FRR

A link or router failure on a path can cause packet loss until LDP completes LSP establishment on the new path. LDP FRR enables fast rerouting to minimize the failover time. LDP FRR is based on IP FRR and is enabled automatically after IP FRR is enabled.

Figure 1 Network diagram for LDP FRR (LSR A, LSR B, and LSR C, with the primary LSP and the backup LSPs; diagram not reproduced)

In Figure 1, configure IP FRR on LSR A by using IGP to calculate or specify a backup next hop. LDP creates a primary LSP and a backup LSP according to the primary route and the backup route calculated by IGP. When the primary LSP operates correctly, it forwards the MPLS packets. When the primary LSP fails, LDP directs packets to the backup LSP.

When packets are forwarded through the backup LSP, IGP calculates the optimal path based on the new network topology. When IGP route convergence occurs, LDP establishes a new LSP according to the optimal path. If a new LSP is not established after IGP route convergence, traffic forwarding might be interrupted. Therefore, HPE recommends that you enable LDP IGP synchronization to work with LDP FRR to reduce the traffic interruption time.

Command reference

igp sync delay

Use igp sync delay to configure the delay for LDP to notify IGP of the LDP convergence completion.

Use undo igp sync delay to restore the default.

Syntax

igp sync delay time

undo igp sync delay


Default

LDP immediately notifies IGP of the LDP convergence completion.

Views

LDP view

Predefined user roles

network-admin

Parameters

time: Specifies the notification delay in the range of 5 to 300 seconds.

Usage guidelines

LDP convergence on a link is completed when both of the following conditions are met:

The local device has established an LDP session to at least one peer, and the LDP session is already in Operational state.

The local device has distributed label mappings to at least one peer.

MPLS traffic forwarding might be interrupted in one of the following scenarios:

When the peer uses the Ordered label distribution control mode, the local device needs to wait for a label mapping from its downstream LSR after the LDP session goes into Operational state. If LDP immediately notifies IGP of the LDP convergence completion before the label mapping from downstream is received, MPLS traffic forwarding might be interrupted.

When a large number of label mappings are distributed from downstream, if LDP immediately notifies IGP of the LDP convergence completion, label advertisement might not be finished, and MPLS traffic forwarding is interrupted.

In these scenarios, you must use this command to configure the notification delay. When LDP convergence on a link is completed, LDP waits for the delay time before notifying IGP of the LDP convergence completion, which reduces the traffic interruption time.

Examples

# Configure the notification delay as 30 seconds.

<Sysname> system-view

[Sysname] mpls ldp

[Sysname-ldp] igp sync delay 30

Related commands

igp sync delay on-restart

mpls ldp igp sync disable

mpls ldp sync (IS-IS view)

mpls ldp sync (OSPF view/OSPF area view)


igp sync delay on-restart

Use igp sync delay on-restart to configure the maximum delay for LDP to notify IGP of the LDP IGP synchronization status after an LDP restart or an active/standby switchover occurs.

Use undo igp sync delay on-restart to restore the default.

Syntax

igp sync delay on-restart time

undo igp sync delay on-restart

Default

The maximum notification delay is 90 seconds.

Views

LDP view

Predefined user roles

network-admin

Parameters

time: Specifies the maximum notification delay in the range of 60 to 600 seconds.

Usage guidelines

After LDP restarts or an active/standby switchover occurs, LDP convergence begins after a period of time. If LDP immediately notifies IGP of all the current LDP IGP synchronization status, and then updates the status after LDP convergence, IGP might have to process the status frequently, and the processing cost might increase.

The notification delay mechanism for an LDP restart or an active/standby switchover provides a process-level notification delay for LDP. When LDP restarts or an active/standby switchover occurs, this mechanism makes LDP wait until it has recovered to the status it had before the restart or switchover, and then notify IGP of the LDP IGP synchronization status in bulk. If LDP has not recovered to that status when the maximum delay set by this command expires, LDP immediately notifies IGP of the LDP IGP synchronization status in bulk.

Examples

# Configure the maximum notification delay as 300 seconds.

<Sysname> system-view

[Sysname] mpls ldp

[Sysname-ldp] igp sync delay on-restart 300

Related commands

igp sync delay

mpls ldp igp sync disable

mpls ldp sync (IS-IS view)

mpls ldp sync (OSPF view/OSPF area view)


mpls ldp igp sync disable

Use mpls ldp igp sync disable to disable LDP IGP synchronization on an interface.

Use undo mpls ldp igp sync disable to restore the default.

Syntax

mpls ldp igp sync disable

undo mpls ldp igp sync disable

Default

LDP IGP synchronization is enabled on an interface.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

After you enable LDP IGP synchronization for IGP, for example, an OSPF area or an IS-IS process, LDP IGP synchronization is enabled on the OSPF interfaces and IS-IS interfaces. To disable LDP IGP synchronization on an interface, execute the mpls ldp igp sync disable command on that interface.

Examples

# Disable LDP IGP synchronization on GigabitEthernet 0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 0/1

[Sysname-GigabitEthernet0/1] mpls ldp igp sync disable

Related commands

mpls ldp sync (IS-IS view)

mpls ldp sync (OSPF view/OSPF area view)

New feature: Enhanced routing features

Configuring enhanced routing features

This release supports RIB NSR, IPv4 static route FRR, direct route redistribution, and RFC4382 MIB (MPLS-L3VPN-STD-MIB).

Command reference

non-stop-routing

Use non-stop-routing to enable RIB NSR to back up routing information.

Use undo non-stop-routing to restore the default.

Syntax

non-stop-routing

undo non-stop-routing

Default

RIB NSR is disabled.

Views

RIB IPv4 address family view, RIB IPv6 address family view

Predefined user roles

network-admin

Examples

# Enable NSR for the RIB IPv4 address family.

<Sysname> system-view

[Sysname] rib

[Sysname-rib] address-family ipv4

[Sysname-rib-ipv4] non-stop-routing

ip route-static fast-reroute auto

Use ip route-static fast-reroute auto to configure static route FRR to automatically select a backup next hop.

Use undo ip route-static fast-reroute auto to disable static route FRR.

Syntax

ip route-static fast-reroute auto

undo ip route-static fast-reroute auto

Default

Static route FRR is disabled.

Views

System view

Predefined user roles

network-admin

Examples

# Configure static route FRR to automatically select a backup next hop.

<Sysname> system-view

[Sysname] ip route-static fast-reroute auto

import-route (RIP view)

Use import-route to enable route redistribution from another routing protocol.

Use undo import-route to disable route redistribution.

Syntax

import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | route-policy route-policy-name | tag tag ] *

undo import-route protocol [ process-id | all-processes ]

Default

RIP does not redistribute routes from any other routing protocol.

Views

RIP view

Predefined user roles

network-admin

Parameters

protocol: Specifies a routing protocol from which RIP redistributes routes. It can be bgp, direct, isis, ospf, rip, or static.

process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. This argument is available only when the protocol is isis, rip, or ospf.

all-processes: Enables route redistribution from all the processes of the specified protocol. This keyword takes effect only when the protocol is rip, ospf, or isis.

allow-ibgp: Allows redistribution of IBGP routes. This keyword is available when the protocol argument is set to bgp.

allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.

cost cost: Specifies a cost for redistributed routes, in the range of 0 to 16. The default cost is 0.


route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters.

tag tag: Specifies a tag for marking redistributed routes, in the range of 0 to 65535. The default is 0.

Usage guidelines

The import-route bgp command redistributes only EBGP routes. The import-route bgp allow-ibgp command additionally redistributes IBGP routes and might cause routing loops. Therefore, use it with caution.

This command redistributes only active routes. To view route state information, use the display ip routing-table protocol command.

The undo import-route protocol all-processes command removes only the configuration made by the import-route protocol all-processes command, instead of the configuration made by the import-route protocol process-id command.

Examples

# Redistribute static routes into RIP, and set the cost for redistributed routes to 4.

<Sysname> system-view

[Sysname] rip 1

[Sysname-rip-1] import-route static cost 4

Related commands

default cost

import-route (OSPF view)

Use import-route to redistribute AS-external routes from another routing protocol.

Use undo import-route to disable route redistribution from another routing protocol.

Syntax

import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | nssa-only | route-policy route-policy-name | tag tag | type type ] *

undo import-route protocol [ process-id | all-processes ]

Default

OSPF does not redistribute AS-external routes from any other routing protocol.

Views

OSPF view

Predefined user roles

network-admin

Parameters

protocol: Redistributes routes from the specified protocol, which can be bgp, direct, isis, ospf, rip, or static.

process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. It is available only when the protocol is rip, ospf, or isis.

all-processes: Redistributes routes from all the processes of the specified routing protocol. This keyword takes effect only when the protocol is rip, ospf, or isis.

allow-ibgp: Redistributes IBGP routes. It is available only when the protocol is bgp.

allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.

cost cost: Specifies a route cost in the range of 0 to 16777214. The default is 1.

nssa-only: Limits the route advertisement to the NSSA area by setting the P-bit of Type-7 LSAs to 0. By default, the P-bit of Type-7 LSAs is set to 1. If the router acts as both an ASBR and an ABR and FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is set to 0. This keyword applies to NSSA routers.

route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The route-policy-name argument is a case-sensitive string of 1 to 63 characters.

tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. The default is 1.

type type: Specifies a cost type, 1 or 2. The default is 2.

Usage guidelines

This command redistributes routes destined for other ASs from another protocol. AS-external routes include the following types:

Type-1 external route

Type-2 external route

A Type-1 external route has high reliability. Its cost is comparable with the cost of OSPF internal routes. The cost from an OSPF router to a Type-1 external route's destination equals the cost from the router to the ASBR plus the cost from the ASBR to the external route's destination.

A Type-2 external route has low credibility. OSPF considers the cost from the ASBR to the destination of a Type-2 external route to be much bigger than the cost from the ASBR to an OSPF internal router. The cost from an internal router to a Type-2 external route's destination equals the cost from the ASBR to the Type-2 external route's destination.

The import-route command cannot redistribute default external routes.

The import-route bgp command redistributes only EBGP routes. Because the import-route bgp allow-ibgp command redistributes both EBGP and IBGP routes and might cause routing loops, use it with caution.

Only active routes can be redistributed. To view information about active routes, use the display ip routing-table protocol command.

The undo import-route protocol all-processes command removes only the configuration made by the import-route protocol all-processes command, instead of the configuration made by the import-route protocol process-id command.

The import-route nssa-only command redistributes AS-external routes in Type-7 LSAs only into the NSSA area.

Examples

# Redistribute routes from RIP process 40 and specify the type, tag, and cost as 2, 33, and 50 for redistributed routes.

<Sysname> system-view

[Sysname] ospf 100

[Sysname-ospf-100] import-route rip 40 type 2 tag 33 cost 50

Related commands

default-route-advertise (OSPF view)

import-route (IS-IS view)

Use import-route to redistribute routes from another routing protocol or another IS-IS process.

Use undo import-route to remove the redistribution.

Syntax

import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | cost-type { external | internal } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *

undo import-route protocol [ process-id | all-processes ]

Default

No route redistribution is configured.

Views

IS-IS view

Predefined user roles

network-admin

Parameters

protocol: Redistributes routes from a routing protocol, which can be BGP, direct, IS-IS, OSPF, RIP, or static.

process-id: Specifies a process by its ID in the range of 1 to 65535. It is available only when the protocol is isis, ospf, or rip.

all-processes: Redistributes routes from all the processes of the specified routing protocol. This keyword takes effect only when the protocol is rip, ospf, or isis.

allow-ibgp: Allows redistribution of IBGP routes. It is available when the protocol is BGP.

allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.

cost cost: Specifies a cost for redistributed routes, in the range of 0 to 4261412864. The valid range depends on the cost style:

For the narrow, narrow-compatible, and compatible styles, the cost is in the range of 0 to 63.

For the wide and wide-compatible styles, the cost is in the range of 0 to 4261412864.

cost-type { external | internal }: Specifies the cost type. The internal type indicates internal routes, and the external type indicates external routes. If external is specified, the cost of a redistributed route is increased by 64 so that internal routes take priority over external routes. The type is external by default. The keywords are available only when the cost style is narrow, narrow-compatible, or compatible.

level-1: Redistributes routes into the Level-1 routing table.

level-1-2: Redistributes routes into both Level-1 and Level-2 routing tables.

level-2: Redistributes routes into the Level-2 routing table. If no level is specified, the routes are redistributed into the Level-2 routing table by default.

route-policy route-policy-name: Redistributes only routes matching the specified routing policy. The route-policy-name argument is a case-sensitive string of 1 to 63 characters.

tag tag: Specifies a tag value for marking redistributed routes, in the range of 1 to 4294967295.

Usage guidelines

IS-IS takes all the redistributed routes as external routes to destinations outside the IS-IS routing domain.

The effective cost depends on the cost style. For the narrow, narrow-compatible, and compatible styles, the cost is in the range of 0 to 63. If the cost is more than 63, 63 is used. For the wide or wide-compatible style, the configured value is the effective value.

This import-route command cannot redistribute default routes. The command redistributes only active routes. To display route state information, use the display ip routing-table protocol command.

The import-route bgp command redistributes only EBGP routes.

The import-route bgp allow-ibgp command redistributes both EBGP and IBGP routes. Because this command might cause routing loops, use it with caution.

The undo import-route protocol all-processes command removes only the configuration made by the import-route protocol all-processes command, instead of the configuration made by the import-route protocol process-id command.

Examples

# Redistribute static routes into IS-IS, and set the cost for redistributed routes to 15.

<Sysname> system-view

[Sysname] isis 1

[Sysname-isis-1] import-route static cost 15

Related commands

import-route limit

import-route (BGP view)

Use import-route to enable BGP to redistribute routes from an IGP protocol.

Use undo import-route to disable route redistribution from an IGP protocol.

Syntax

In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view:

import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]

undo import-route protocol [ process-id | all-processes ]

In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view:

import-route protocol [ process-id [ allow-direct | med med-value | route-policy route-policy-name ] * ]

undo import-route protocol [ process-id ]

Default

BGP does not redistribute IGP routes.

Views

BGP IPv4 unicast address family view, BGP-VPN IPv4 unicast address family view, BGP IPv6 unicast address family view, BGP-VPN IPv6 unicast address family view

Predefined user roles

network-admin

Parameters

protocol: Redistributes routes from a specified IGP protocol. In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view, it can be direct, isis, ospf, rip, or static. In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view, it can be direct, isisv6, ospfv3, ripng, or static.

process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view, it is available only when the protocol is isis, ospf, or rip. In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view, it is available only when the protocol is isisv6, ospfv3, or ripng.

all-processes: Redistributes routes from all the processes of the specified IGP protocol. This keyword takes effect only when the protocol is isis, ospf, or rip.

allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.

med med-value: Specifies a MED value for redistributed routes, in the range of 0 to 4294967295. If no MED is specified, the metric of a redistributed route is used as its MED.

route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters, to filter redistributed routes or set route attributes for redistributed routes.

Usage guidelines

The import-route command cannot redistribute default IGP routes. To redistribute default IGP routes, use the default-route imported command together with the import-route command.

Only active routes can be redistributed. You can use the display ip routing-table protocol or display ipv6 routing-table protocol command to view route state information.

The ORIGIN attribute of routes redistributed by the import-route command is INCOMPLETE.

Examples

# In BGP IPv4 unicast address family view, redistribute routes from RIP process 1, and set the MED value for redistributed routes to 100.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp] address-family ipv4 unicast

[Sysname-bgp-ipv4] import-route rip 1 med 100

# In BGP-VPN IPv4 unicast address family view, redistribute routes from RIP process 1, and reference a routing policy imprt to exclude route 1.1.1.0/24 from route redistribution.

<Sysname> system-view

[Sysname] ip prefix-list imprt deny 1.1.1.0 24

[Sysname] ip prefix-list imprt permit 0.0.0.0 0 less-equal 32

[Sysname] route-policy imprt permit node 0

[Sysname-route-policy-imprt-0] if-match ip address prefix-list imprt

[Sysname-route-policy-imprt-0] quit

[Sysname] bgp 100

[Sysname-bgp] ip vpn-instance vpn1

[Sysname-bgp-vpn1] address-family ipv4 unicast

[Sysname-bgp-ipv4-vpn1] import-route rip 1 route-policy imprt

# In BGP IPv6 unicast address family view, redistribute routes from RIPng process 1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp] address-family ipv6 unicast

[Sysname-bgp-ipv6] import-route ripng

# In BGP-VPN IPv6 unicast address family view, redistribute routes from RIPng process 1.

<Sysname> system-view

[Sysname] bgp 100

[Sysname-bgp] ip vpn-instance vpn1

[Sysname-bgp-vpn1] address-family ipv6 unicast

[Sysname-bgp-ipv6-vpn1] import-route ripng

Related commands

display ip routing-table protocol

display ipv6 routing-table protocol

import-route (RIPng view)

Use import-route to redistribute routes from another routing protocol.

Use undo import-route to disable route redistribution.

Syntax

import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | route-policy route-policy-name ] *

undo import-route protocol [ process-id ]

Default

RIPng does not redistribute routes from another routing protocol.

Views

RIPng view

Predefined user roles

network-admin

Parameters

protocol: Specifies a routing protocol from which RIPng redistributes routes. It can be bgp4+, direct, isisv6, ospfv3, ripng, or static.

process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. This argument is available only when the protocol is isisv6, ospfv3, or ripng.

allow-ibgp: Allows redistribution of IBGP routes. This keyword is available when the protocol argument is set to bgp4+.

allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.

cost cost: Specifies a metric for redistributed routes, in the range of 0 to 16. The default metric is 0.

route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters.

Usage guidelines

The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+ allow-ibgp command redistributes both EBGP and IBGP routes.

Examples

# Redistribute routes from IPv6 IS-IS process 7 into RIPng and set the metric for redistributed routes to 7.

<Sysname> system-view

[Sysname] ripng 100

[Sysname-ripng-100] import-route isisv6 7 cost 7

import-route (OSPFv3 view)

Use import-route to redistribute routes.

Use undo import-route to disable route redistribution.

Syntax

import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | nssa-only | route-policy route-policy-name | tag tag | type type ] *

undo import-route protocol [ process-id | all-processes ]

Default

OSPFv3 route redistribution is disabled.

Views

OSPFv3 view

Predefined user roles

network-admin

Parameters

protocol: Redistributes routes from the specified routing protocol, which can be bgp4+, direct, isisv6, ospfv3, ripng, or static.

process-id: Specifies the process ID of a routing protocol, in the range of 1 to 65536. It defaults to 1. This argument takes effect only when the protocol is isisv6, ospfv3, or ripng.

all-processes: Redistributes routes from all the processes of the specified routing protocol. This keyword takes effect only when the protocol is ripng, ospfv3, or isisv6.

allow-ibgp: Redistributes IBGP routes. It is available only when the protocol is bgp4+.

allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.

cost cost: Specifies a cost for redistributed routes, in the range of 1 to 16777214. The default is 1.

nssa-only: Limits the route advertisement to the NSSA area by setting the P-bit of Type-7 LSAs to 0. By default, the P-bit of Type-7 LSAs is set to 1. If the router acts as both an ASBR and an ABR and FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is set to 0. This keyword applies to NSSA routers.

route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The route-policy-name argument is a case-sensitive string of 1 to 63 characters.

tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. If this option is not specified, no tag is contained in advertised LSAs by default.

type type: Specifies the type for redistributed routes, 1 or 2. The default is 2.

Usage guidelines

An external route is a route to a destination outside the OSPFv3 AS. External route types are as follows:

A Type-1 external route has high reliability. Its cost is comparable with the cost of OSPFv3 internal routes. The cost from an OSPFv3 router to a Type-1 external route's destination equals the cost from the router to the ASBR plus the cost from the ASBR to the external route's destination.

A Type-2 external route has low credibility, so OSPFv3 considers the cost from the ASBR to a Type-2 external route's destination to be much bigger than the cost from the ASBR to an OSPFv3 internal router. The cost from an internal router to a Type-2 external route's destination equals the cost from the ASBR to the Type-2 external route's destination.

The import-route command cannot redistribute default routes.

The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+ allow-ibgp command redistributes both EBGP and IBGP routes, and might cause routing loops. Therefore, use it with caution.

The import-route nssa-only command redistributes AS-external routes in Type-7 LSAs only into the NSSA area.

Examples

# Configure OSPFv3 process 1 to redistribute routes from RIPng process 10, and specify the type as type 2 and the cost as 50 for redistributed routes.

<Sysname> system-view

[Sysname] ospfv3

[Sysname-ospfv3-1] import-route ripng 10 type 2 cost 50

# Configure OSPFv3 process 100 to redistribute the routes discovered by OSPFv3 process 160.

<Sysname> system-view

[Sysname] ospfv3 100

[Sysname-ospfv3-100] import-route ospfv3 160

ipv6 import-route (IPv6 IS-IS view)

Use ipv6 import-route to enable IPv6 IS-IS to redistribute routes from another routing protocol.

Use undo ipv6 import-route to disable route redistribution.

Syntax

ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *

undo ipv6 import-route protocol [ process-id ]

Default

IPv6 IS-IS does not redistribute routes from any other routing protocol.

Views

IS-IS view

Predefined user roles

network-admin

Parameters

protocol: Redistributes routes from the specified routing protocol, which can be direct, static, ripng, isisv6, bgp4+, or ospfv3.

process-id: Specifies a process by its ID in the range of 1 to 65535. It is available only when the protocol is ripng, isisv6, or ospfv3.

allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.

cost cost: Specifies a cost for redistributed routes, in the range of 0 to 4261412864.

level-1: Redistributes routes into the Level-1 routing table.


level-1-2: Redistributes routes into Level-1 and Level-2 routing tables.

level-2: Redistributes routes into the Level-2 routing table.

route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters, to filter redistributed routes.

tag tag: Specifies an administrative tag for marking redistributed routes, in the range of 1 to 4294967295.

allow-ibgp: Allows redistribution of IBGP routes. This keyword is available only when the protocol is bgp4+.

Usage guidelines

IPv6 IS-IS considers redistributed routes as AS-external routes.

You can specify a cost and a level for redistributed routes.

The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+ allow-ibgp command redistributes both EBGP and IBGP routes, and might cause routing loops. Therefore, use it with caution.

Examples

# Configure IPv6 IS-IS to redistribute static routes and set the cost for redistributed routes to 15.

<Sysname> system-view

[Sysname] isis 1

[Sysname-isis-1] ipv6 import-route static cost 15

New feature: Python

Using Python

Python is an easy-to-learn, powerful programming language. It has efficient high-level data structures and a simple but effective approach to object-oriented programming. Python's elegant syntax and dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid application development in many areas on most platforms.

Comware V7 provides a built-in Python interpreter that supports the following items:

Python 2.7 commands.

Python 2.7 standard API.

Comware V7 extended API.

Python scripts. You can use a Python script to configure the system automatically.

To use Python 2.7 commands and the APIs, you must enter the Python shell.


Command reference

See HPE FlexNetwork MSR Command References (V7).

New feature: ATM

Configuring ATM

Asynchronous Transfer Mode (ATM) is a packet-based transmission technology that incorporates the high speed of circuit-switched transmission. ATM was adopted as the transmission and switching mode for broadband ISDN by the ITU-T in June 1992. Due to its flexibility and support for multimedia services, ATM is regarded as a core broadband technology.

As defined by the ITU-T, ATM encapsulates data in cells. Each ATM cell is 53 bytes in length, of which the first five bytes contain the cell header and the last 48 bytes contain the payload. The major function of the cell header is to identify the virtual connection. In addition, it can carry limited flow control, congestion control, and error control information.

Command reference

See HPE FlexNetwork MSR Command References (V7).

New feature: DHCP MIB

DHCP MIB

The MIB supports HH3C-DHCP4-MIB and HH3C-DHCP-SNOOP2-MIB. For more information about MIB nodes, see the MIB companion document.

Command reference

if-match

Use if-match to configure a match rule for a DHCP user class.

Use undo if-match to remove the match rule for a DHCP user class.


Syntax

if-match rule rule-number option option-code [ hex hex-string [ mask mask | offset offset length length ] ]

undo if-match rule rule-number

Default

No match rule is configured for the DHCP user class.

Views

DHCP user class view

Predefined user roles

network-admin

Parameters

rule rule-number: Assigns the match rule an ID in the range of 1 to 16. A smaller ID represents a higher match priority.

option option-code: Matches a DHCP option by a number in the range of 1 to 254.

hex hex-string: Matches the specified string in the option. The hex-string argument is a hex string with an even number of digits, in the range of 2 to 256. If you do not specify the hex-string argument, the DHCP server only checks whether the specified option exists in the received packets.

mask mask: Specifies the mask used to match the option content. The mask argument is a hex string with an even number of digits, in the range of 2 to 256. The length of mask must be the same as that of hex-string.

offset offset: Specifies the offset to match the option, in the range of 0 to 254 bytes. If you do not specify the offset argument, the server matches the entire option with the rule.

length length: Matches the specified length of the option, in the range of 1 to 128 bytes. The specified length must be the same as the hex-string length.

Usage guidelines

You can configure multiple match rules for a DHCP user class. Each match rule is uniquely identified by a rule ID. Different match rules can include the same option code, but they cannot have the exact same matching criteria.

The DHCP server matches DHCP requests against the match rules. A DHCP client matches a DHCP user class when its request matches one of the specified match rules.

The match operation follows these guidelines:

If only the option-code argument is specified in the rule, packets containing the option match the rule.

If only the option-code and hex-string arguments are specified in the rule, packets that have the specified hex string in the specified option match the rule.


If the option-code, hex-string, offset and length arguments are specified in the rule, packets match the rule as long as their content from offset+1 bit to offset+length bit in the specified option is the same as the specified hex string.

If the option-code, hex-string, and mask arguments are specified in the rule, the DHCP server ANDs the content from the first bit to the mask-1 bit in the specified option with the mask, and then compares the result with the result of the AND operation between hex-string and mask. If the two results are the same, the received packet matches the rule.

Examples

# Configure match rule 1 to match DHCP requests that contain Option 82 for DHCP user class contain-option82.

<Sysname> system-view

[Sysname] dhcp class contain-option82

[Sysname-dhcp-class-contain-option82] if-match rule 1 option 82

# Configure match rule 2 to match DHCP requests that contain Option 82 whose first three bytes are 0x13ae92 for DHCP user class exam.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 2 option 82 hex 13ae92 offset 0 length 3

# Configure match rule 3 to match DHCP requests that contain Option 82 whose highest bit of the fourth byte is 1 for DHCP user class exam.

<Sysname> system-view

[Sysname] dhcp class exam

[Sysname-dhcp-class-exam] if-match rule 3 option 82 hex 00000080 mask 00000080
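The match guidelines above, modeled in Python as an added example (not Comware code): a small DHCP options parser, one function that applies a single if-match rule (presence only, hex-string with offset/length, or hex-string with mask), and a classifier that honours the lower-rule-number-wins priority. The option bytes are constructed, the rule table mirrors the three example rules, and treating a plain hex-string rule as a comparison against the whole option is an assumption.

```python
# Added example (not Comware code): model of DHCP user-class if-match evaluation; data below is constructed.
def parse_options(raw):
    """Parse a DHCP options field (code, length, value) into {code: bytes}; 0 pads, 255 ends."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return options

def rule_matches(options, option_code, hex_string=None, mask=None, offset=None, length=None):
    """Apply one if-match rule to parsed options, following the usage guidelines."""
    content = options.get(option_code)
    if content is None:
        return False  # option absent: no rule can match
    if hex_string is None:
        return True  # only option-code given: presence suffices
    pattern = bytes.fromhex(hex_string)
    if mask is not None:  # AND both sides with the mask, then compare
        m = bytes.fromhex(mask)
        if len(m) != len(pattern):
            raise ValueError("mask must be as long as hex-string")
        return len(content) >= len(m) and all((c & b) == (p & b) for c, b, p in zip(content, m, pattern))
    if offset is not None:  # compare `length` bytes starting at offset
        if length != len(pattern):
            raise ValueError("length must equal the hex-string length")
        return content[offset:offset + length] == pattern
    return content == pattern  # assumption: the whole option is compared with hex-string

def classify(options, rules):
    """Return the lowest (highest-priority) rule number whose criteria match, or None."""
    for number in sorted(rules):  # rules: {rule-number: kwargs for rule_matches}
        if rule_matches(options, **rules[number]):
            return number
    return None

# Constructed request: Option 53 (message type 1) and Option 82 = 13 ae 92 85 (bit 7 of byte 4 set).
SAMPLE_OPTIONS = bytes.fromhex("350101" "520413ae9285" "ff")
# The three rules from the examples above, keyed by rule number.
EXAMPLE_RULES = {
    1: dict(option_code=82),
    2: dict(option_code=82, hex_string="13ae92", offset=0, length=3),
    3: dict(option_code=82, hex_string="00000080", mask="00000080"),
}
```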

Related commands

dhcp class

ESS 0006P02

None

