HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P82 Release Notes
The information in this document is subject to change without notice.
© Copyright 2013, 2017 Hewlett Packard Enterprise Development LP
Contents
Version information    1
Hardware feature updates    9
Software feature and command updates    10
MIB updates    11
Operation changes    20
Restrictions and cautions    21
Open problems and workarounds    21
List of resolved problems    21
Support and other resources    67
Appendix A Feature list    70
Appendix B Upgrading software    81
Appendix C Handling console login password loss    108

List of Tables
Table 13 MSR3044/MSR3064/MSR4060/MSR4080 AC power module specifications    73
Table 14 MSR3044/MSR3064/MSR4060/MSR4080 DC power module specifications    73
Table 15 MSR3044/MSR3064/MSR4060/MSR4080 PoE power module specifications    73
This document describes the features, restrictions and guidelines, open problems, and workarounds for version R0306P82. Before you use this version in a live network, back up the configuration and test the version so that the software upgrade does not affect your live network.
Use this document in conjunction with HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P82 Release Notes (Software Feature Changes) and the documents listed in
Version information
Version number
HPE Comware Software, Version 7.1.059, Release 0306P82
Please see the example below generated by the display version command:
<HPE> display version
HPE Comware Software, Version 7.1.059, Release 0306P82
Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
HPE MSR3064 uptime is 0 weeks, 0 days, 0 hours, 2 minutes
Last reboot reason : User reboot
Boot image: cfa0:/msr3000-cmw710-boot-r0306p82.bin
Boot image version: 7.1.059P29, Release 0306P82
Compiled Jan 04 2017 16:00:00
System image: cfa0:/msr3000-cmw710-system-r0306p82.bin
System image version: 7.1.059, Release 0306P82
Compiled Jan 04 2017 16:00:00
Feature image(s) list:
cfa0:/msr3000-cmw710-security-r0306p82.bin, version: 7.1.059
Compiled Jan 04 2017 16:00:00
cfa0:/msr3000-cmw710-voice-r0306p82.bin, version: 7.1.059
Compiled Jan 04 2017 16:00:00
cfa0:/msr3000-cmw710-data-r0306p82.bin, version: 7.1.059
Compiled Jan 04 2017 16:00:00
CPU ID: 0x4
2G bytes DDR3 SDRAM Memory
8M bytes Flash Memory
PCB Version: 2.0
CPLD Version: 2.0
Basic BootWare Version: 1.60
Extended BootWare Version: 1.60
[SLOT 0]AUX (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]GE0/0 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]GE0/1 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]GE0/2 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]CELLULAR0/0 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 0]CELLULAR0/1 (Hardware)2.0, (Driver)1.0, (CPLD)2.0
[SLOT 6]HMIM-1CE3 (Hardware)2.0, (Driver)1.0, (CPLD)1.0
[SLOT 7]HMIM-2T1 (Hardware)3.0, (Driver)1.0, (CPLD)4.0
[SLOT 9]HMIM-4T1-F (Hardware)3.0, (Driver)1.0, (CPLD)3.0
Version history
Table 1 Version history
Columns: Version number | Last version | Release date | Release type | Remarks

Version number: CMW710-R0306P82
Last version: CMW710-R0306P81
Release date: 2017-01-10
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Fixes bugs

Version number: CMW710-R0306P81
Last version: CMW710-R0306P80
Release date: 2016-12-01
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Fixes bugs

Version number: CMW710-R0306P80
Last version: CMW710-R0306P70
Release date: 2016-10-31
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Fixes bugs

Version number: CMW710-R0306P70
Last version: CMW710-R0306P52
Release date: 2016-09-28
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Fixes bugs

Version number: CMW710-R0306P52
Last version: CMW710-R0306P30
Release date: 2016-08-26
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. MAC address recording in TCP packets
  2. Configuring the leased line service for an ISDN BRI interface
  3. LLDP PVID inconsistency check
  Modified feature:
  1. High encryption
  2. OSPF
  3. Policy-based routing
  4. MIB objects
  5. Setting ISP domain status
  6. Excluding an attribute from portal protocol packets
  7. NTP
  8. Transceiver modules
  9. E1POS
  Fixes bugs

Version number: CMW710-R0306P30
Last version: CMW710-R0306P12
Release date: 2016-06-08
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. SIP compatibility
  Modified feature:
  1. OSPF performance
  2. Telnet redirect
  3. POS terminal access
  4. License
  5. IP performance optimization
  Fixes bugs

Version number: CMW710-R0306P12
Last version: CMW710-R0306P11
Release date: 2016-04-27
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  Modified feature:
  1. Configuring an SSH user
  2. AAA
  3. Configuring a cellular interface for a 3G/4G modem
  4. VXLAN
  5. DHCP
  Fixes bugs.

Version number: CMW710-R0306P11
Last version: CMW710-R0306P07
Release date: 2016-04-13
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. Voice VLAN
  Modified feature:
  1. MPLS QoS support for matching the EXP field
  2. MPLS QoS support for marking the EXP field
  3. Automatic configuration
  Removed feature:
  1. Tinyproxy
  Fixes bugs.

Version number: CMW710-R0306P07
Last version: CMW710-R0305P08
Release date: 2016-03-16
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. L2TP-based EAD
  2. CFD configuration
  Modified feature:
  1. Support using dots in user profile name
  2. Default size of the TCP receive and send buffer
  3. Support for obtaining fan tray and power module vendor information through MIB
  4. Supporting per-packet load sharing
  5. Automatic configuration
  6. Software image signature
  Fixes bugs.

Version number: CMW710-R0305P08
Last version: CMW710-R0305P04
Release date: 2016-01-10
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S and MSR3012 AC
  New feature:
  1. mGRE
  2. Disabling transceiver module alarm
  Modified feature:
  1. Default user role
  2. Debugging
  Fixes bugs.

Version number: CMW710-R0305P04
Last version: First release
Release date: 2015-12-18
Release type: Release version
Remarks: Only support MSR3012 AC Router

Version number: CMW710-R0305P04
Last version: CMW710-R0305
Release date: 2015-11-25
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. Public key management support for Suite B
  2. PKI support for Suite B
  3. IPsec support for Suite B
  4. SSL support for Suite B
  5. FIPS support for Suite B
  6. SSH support for Suite B
  7. Ignoring the first AS number of EBGP route updates for a peer or peer group
  Modified feature:
  1. Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces
  2. Changing the maximum number of FIB table entries
  3. Enabling CWMP
  4. The logo of HP is changed to HPE
  Fixes bugs.

Version number: CMW710-R0305
Last version: CMW710-R0304P12
Release date: 2015-10-23
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. IKE
  Modified feature:
  1. IPsec
  Fixes bugs.

Version number: CMW710-R0304P12
Last version: CMW710-R0304P04
Release date: 2015-09-15
Release type: Release version
Remarks: MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. Including vendor information in PPP accounting requests
  2. BFD for an aggregation group
  Modified feature:
  1. SSH username
  2. IS-IS hello packet sending interval
  3. MP-group interface numbering
  Fixes bugs.

Version number: CMW710-R0304P04
Last version: CMW710-R0304P02
Release date: 2015-08-18
Release type: Release version
Remarks: Support MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. Media Stream Control (MSC) logging
  Modified feature:
  1. ESP encryption algorithms
  Fixes bugs.

Version number: CMW710-R0304P02
Last version: CMW710-R0304
Release date: 2015-07-22
Release type: Release version
Remarks: Support MSR1000_2000_3000_4000 series, including MSR1003-8S
  New feature:
  1. IMSI/SN binding authentication
  2. Specifying a band for a 4G modem
  3. CFD
  4. Using tunnel interfaces as OpenFlow ports
  5. NETCONF support for ACL filtering
  6. Specifying a backup traffic processing unit
  7. WAAS
  8. Support for the MKI field in SRTP or SRTCP packets
  9. SIP domain name
  10. E&M logging
  11. Add new cards
  Modified feature:
  1. Setting the global link-aggregation load-sharing mode
  Fixes bugs.

Version number: CMW710-R0304
Last version: CMW710-E0302P06
Release date: 2015-06-29
Release type: Release version
Remarks: Support MSR1000_2000_3000_4000 series, added MSR1003-8S
  New feature:
  1. Setting the RTC version
  2. Setting the maximum size of advertisement files
  3. IRF
  4. Frame Relay
  5. EVI
  6. VPLS
  7. Multicast VPN support for inter-AS option B
  Modified feature:
  1. 802.1X redirect URL
  2. Displaying information about NTP servers from the reference source to the primary NTP server
  3. Saving, rolling back, and loading the configuration
  4. Displaying information about SSH users
  Removed feature:
  1. Displaying fabric utilization
  Fixes bugs

Version number: CMW710-E0302P06
Last version: CMW710-E0102
Release date: 2015-04-13
Release type: ESS version
Remarks: Support MSR1000_2000_3000_4000 series
  New feature:
  1. Object policies
  2. IPHC
  3. Support of PPPoE server for IPv6
  4. QSIG tunneling over SIP-T
  5. Playout delay
  6. BGP L2VPN support for NSR
  7. BGP support for dynamic peers
  8. ARP PnP
  9. Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts
  10. QoS soft forwarding
  11. Filtering by application layer protocol status
  12. ADVPN support for multicast forwarding
  13. MPLS LDP support for IPv6
  14. Port security
  15. Customizable IVR
  16. SRST
  17. NEMO
  18. Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation
  19. Support for LLDP on CPOS interfaces
  20. SMS-based automatic configuration
  21. ARP attack protection
  22. SIP support for VRF
  Fixes bugs

Version number: CMW710-E0102
Last version: CMW710-E0006P02
Release date: 2013-08-10
Release type: ESS version
Remarks: Support MSR2000_3000_4000 series
  New feature:
  1. Portal authentication
  2. MSDP
  3. IPsec MIB and IKE MIB
  4. PoE
  5. CoPP software forwarding feature
  6. Configuring MPLS LDP FRR
  7. Enhanced routing features
  8. Python
  9. ATM
  10. DHCP MIB
  Fixes bugs.

Version number: CMW710-E0006P02
Last version: CMW710-E0006
Release date: 2013-04-23
Release type: ESS version
Remarks: Only support MSR3000_4000 series, not support MSR2000 series
  Fixes bugs.

Version number: CMW710-E0006
Last version: First release
Release date: 2013-01-28
Release type: ESS version
Remarks: None
Hardware and software compatibility matrix
CAUTION:
To avoid an upgrade failure, use Table 3 to verify the hardware and software compatibility before performing an upgrade.

Table 2 HPE product device numbers matrix
Product code    HPE product name
JG402A    HPE MSR4080 Router Chassis
JG403A    HPE MSR4060 Router Chassis
JG404A    HPE MSR3064 Router
JG405A    HPE MSR3044 Router
JG406A    HPE MSR3024 AC Router
JG407A    HPE MSR3024 DC Router
JG408A    HPE MSR3024 PoE Router
JG409A    HPE MSR3012 AC Router
JG410A    HPE MSR3012 DC Router
JG411A    HPE MSR2003 AC Router
JG412A    HPE MSR4000 MPU-100 Main Processing Unit
JG413A    HPE MSR4000 SPU-100 Service Processing Unit
JG414A    HPE MSR4000 SPU-200 Service Processing Unit
JG670A    HPE MSR4000 SPU-300 Service Processing Unit
JG875A    HPE MSR1002-4 AC Router
JH060A    HPE MSR1003-8S AC Router
JG861A    HPE MSR3024 TAA-compliant AC Router
JG734A    HPE MSR2004-24 AC Router
JG735A    HPE MSR2004-48 Router
JG866A    HPE MSR2003 TAA-compliant AC Router
JG869A    HPE MSR4000 TAA-compliant MPU-100 Engine
JG409B    HPE MSR3012 AC Router
Table 3 Hardware and software compatibility matrix

Item: Product family
Specifications: MSR1000_MSR2000_MSR3000_MSR4000

Item: Boot ROM version
Specifications:
  MSR1002-4_MSR1003-8S: 250 or higher
  MSR2003_MSR2004-24_MSR2004-48: 160 or higher
  MSR3012_MSR3024_MSR3044_MSR3064: 160 or higher
  MSR4060_MSR4080: MPU-100: 161 or higher; SPU-100/200: 140 or higher

Item: Host software
Specifications (Hardware | Software | MD5 checksum | File size):
  MSR1002-4_MSR1003-8S | MSR100X-CMW710-R0306P82.IPE | 0387b772d6ff15c847ab78ca468313e3 | 67,390,464 bytes
  MSR2003_MSR2004-24_MSR2004-48 | MSR2000-CMW710-R0306P82.IPE | 2311ab13c46d7462e6762ebfd384a923 | 74,107,904 bytes
  MSR3012_MSR3024_MSR3044_MSR3064 | MSR3000-CMW710-R0306P82.IPE | e68521472290a361b82f5998dfcba59f | 57,053,184 bytes
  MSR4060_MSR4080 | MSR4000-CMW710-R0306P82.IPE | f0f1932b12096307cac55ac7a66c70a2 | 118,548,480 bytes

Item: iMC version
Specifications:
  iMC BIMS 7.2 (E0402P02)
  iMC EAD 7.2 (E0407)
  iMC TAM 7.2 (E0407)
  iMC UAM 7.2 (E0407)
  iMC IVM 7.2 (E0402H02)
  iMC MVM 7.2 (E0402P02)
  iMC NTA 7.2 (E0402P02)
  iMC PLAT 7.2 (E0403P04)
  iMC QoSM 7.2 (E0403H01)
  iMC RAM 7.2 (E0402)
  iMC SHM 7.2 (E0402l01)
  iMC UBA 7.2 (E0401P03)
  iMC VFM 7.2 (E0403)

Item: iNode version
Specifications: iNode PC 7.2 (E0407)

Item: Cards version
Specifications (Card name | Software version | CPLD or FPGA version):
  SIC-3G-HSPA | 280 or higher | 200 or higher
  SIC-3G-CDMA | 280 or higher | 200 or higher
Upgrading restrictions and guidelines
1. After the software is upgraded from a version earlier than E0302P06 to E0302P06 or a later version, the unit of the VRRP preemption delay is changed from seconds to centiseconds.
2. To upgrade from R0305 to R0305P04 or a later version, you must first install the R0305H01 hot patch.
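The two checks the compatibility matrix leaves to the operator, comparing a downloaded IPE against the MD5 and file size published in Table 3, and reading display version output to pick the IPE for the router's product family, can be scripted. The following is an added example, not HPE code; it assumes that the product-family prefix of the running image name (for example msr3000 in msr3000-cmw710-system-r0306p82.bin) matches the prefix of the IPE name in Table 3, and the helper names are the example's own.

```python
"""Pre-upgrade checks for the CMW710-R0306P82 IPE files (added example, not HPE code).

Checks: (1) a downloaded .IPE matches the MD5 and size published in Table 3, so a
truncated, corrupted or swapped image is caught before it is loaded; (2) the output
of "display version" tells us which IPE applies and whether the router is already on
the target release. Assumption: the image-name prefix (msr3000-...) matches the IPE
prefix (MSR3000-...).
"""
import hashlib
import re
import tempfile
from pathlib import Path

TARGET_RELEASE = "0306P82"

# Values published in Table 3 of the release notes: IPE name -> (MD5, size in bytes).
EXPECTED_IPE = {
    "MSR100X-CMW710-R0306P82.IPE": ("0387b772d6ff15c847ab78ca468313e3", 67_390_464),
    "MSR2000-CMW710-R0306P82.IPE": ("2311ab13c46d7462e6762ebfd384a923", 74_107_904),
    "MSR3000-CMW710-R0306P82.IPE": ("e68521472290a361b82f5998dfcba59f", 57_053_184),
    "MSR4000-CMW710-R0306P82.IPE": ("f0f1932b12096307cac55ac7a66c70a2", 118_548_480),
}


def _new_md5():
    """MD5 is used only because it is the integrity value the vendor publishes."""
    try:
        return hashlib.md5(usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity argument
        return hashlib.md5()


def md5_hex(data: bytes) -> str:
    h = _new_md5()
    h.update(data)
    return h.hexdigest()


def md5_of_file(path: Path) -> str:
    """Stream the file: the MSR4000 image is 118 MB and need not be held in memory."""
    h = _new_md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_ipe(path, expected=EXPECTED_IPE):
    """Return (ok, reason). Size is checked first: cheap, and it catches truncation."""
    path = Path(path)
    if path.name not in expected:
        return False, "unknown IPE name: %s" % path.name
    want_md5, want_size = expected[path.name]
    got_size = path.stat().st_size
    if got_size != want_size:
        return False, "size mismatch: %d bytes, expected %d" % (got_size, want_size)
    got_md5 = md5_of_file(path)
    if got_md5 != want_md5:
        return False, "MD5 mismatch: %s, expected %s" % (got_md5, want_md5)
    return True, "MD5 and size match Table 3"


_VERSION_RE = re.compile(r"Comware Software, Version (\S+), Release (\S+)")
_MODEL_RE = re.compile(r"^HPE (MSR\S+) uptime", re.M)
_SYSIMG_RE = re.compile(r"^System image: (\S+)", re.M)


def parse_display_version(text: str) -> dict:
    """Pull version, release, model and product family out of 'display version' output."""
    ver, model, img = _VERSION_RE.search(text), _MODEL_RE.search(text), _SYSIMG_RE.search(text)
    if not (ver and model and img):
        raise ValueError("not recognised as Comware 'display version' output")
    image_name = img.group(1).rsplit("/", 1)[-1]        # cfa0:/msr3000-... -> msr3000-...
    family = image_name.split("-cmw710", 1)[0].upper()  # msr3000 -> MSR3000 (assumption)
    return {"version": ver.group(1), "release": ver.group(2),
            "model": model.group(1), "family": family, "system_image": image_name}


def upgrade_plan(info: dict, expected=EXPECTED_IPE) -> dict:
    """Pick the IPE for this router's family and say whether the upgrade is still needed."""
    ipe = next((n for n in expected if n.startswith(info["family"] + "-CMW710")), None)
    return {"ipe": ipe, "already_on_target": info["release"] == TARGET_RELEASE}


# Constructed sample: the first lines of the 'display version' example in the release notes.
SAMPLE_DISPLAY_VERSION = """\
<HPE> display version
HPE Comware Software, Version 7.1.059, Release 0306P82
Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP
HPE MSR3064 uptime is 0 weeks, 0 days, 0 hours, 2 minutes
Boot image: cfa0:/msr3000-cmw710-boot-r0306p82.bin
System image: cfa0:/msr3000-cmw710-system-r0306p82.bin
"""


def run_demo() -> dict:
    """Exercise both checks on constructed files and return the outcomes."""
    out = {"plan": upgrade_plan(parse_display_version(SAMPLE_DISPLAY_VERSION))}
    with tempfile.TemporaryDirectory() as d:
        # A 6-byte stand-in named like the real MSR3000 image: must be rejected on size.
        fake = Path(d) / "MSR3000-CMW710-R0306P82.IPE"
        fake.write_bytes(b"hello\n")
        out["fake_ipe"] = verify_ipe(fake)
        # A file whose published values we control ourselves: must pass.
        good = Path(d) / "TEST.IPE"
        good.write_bytes(b"hello\n")
        out["good_ipe"] = verify_ipe(good, {"TEST.IPE": (md5_hex(b"hello\n"), 6)})
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

An MD5 match detects corruption and accidental substitution, not deliberate tampering; the software image signature check the platform performs at load time (a modified feature in R0306P07) remains the stronger control.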
Hardware feature updates
CMW710-R0306P82
None.
CMW710-R0306P30
Add new hardware:
Add new card:
4-port 100BASE-FX/1000BASE-X(SFP) Ethernet L2/L3 SIC Module-RT-SIC-4GSWF
CMW710-R0306P07
Add new hardware:
SFP-GPON-SM-ONU
USB modem E3533
CMW710-R0305P08
Add new router:
HPE MSR3012 AC Router(JG409B)
Add new card:
1-port E1 / T1 Voice SIC Module(JH240A)
CMW710-R0305P04
The logo of HP is changed to HPE.
CMW710-R0304P02
Add new cards:
HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B)
HPE MSR 4G LTE SIC Mod for ATT (JG743B)
HPE MSR 4GLTE SIC Mod for Global (JG744B)
HPE MSR HSPA+/WCDMA SIC Module (JG929A)
CMW710-R0304
Add new router:
HPE MSR1003-8S AC Router
CMW710-E0302P06
Add new hardware:
8-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH169A)
4-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH170A)
2-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH171A)
8-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH172A)
4-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH173A)
2-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH174A)
8-port 100BASE-FX/1000BASE-X / 4-port 1000BASE-T (Combo) L2/L3 HMIM Module (JH238A)
CMW710-E0102
Add new hardware:
4-port 10/100 Mbps Ethernet L2 switching module-PoE card(SIC-4FSW-POE)
1-port ADSL over POTS SIC interface module (SIC-1ADSL)
1 port E1/CE1/PRI SIC interface module(SIC-1EPRI-V3)
9-port 10/100 Mbps Ethernet L2 switching module -PoE card (DSIC-9FSW-POE)
1-port 8-wire G.SHDSL (RJ45) DSIC Module
2-port 1000BASE-X HMIM Module (HMIM-2GEF)
4-port 1000BASE-X HMIM Module (HMIM-4GEF)
8-port 1000BASE-X HMIM Module (HMIM-8GEF)
24-port Gig-T Switch HMIM Module (HMIM-24GSW)
24-port Gig-T PoE Switch HMIM Module (HMIM-24GSW-POE)
1-port OC-3 / STM-1 CPOS HMIM Module (HMIM-1CPOS)
2-port OC-3 / STM-1 CPOS HMIM Module (HMIM-2CPOS)
1-port OC-3c / STM-1c ATM SFP HMIM Module (HMIM-ATMOC3)
1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W)(need to config HMIM-Adapter)
SPU-300 service module
MSR3012-DC
MSR3024-DC
MSR3024-POE
300W DCPower(PSR300-12D2)
Support USB modem E303c and E3131
Software feature and command updates
For more information about the software feature and command update history, see HPE MSR1000_MSR2000_MSR3000_MSR4000-CMW710-R0306P82 Release Notes (Software Feature Changes).
MIB updates
Table 4 MIB updates
Columns for each row: MIB file | Module | Description

CMW710-R0306P82
  New: None
  Modified: None

CMW710-R0306P12
  New: None
  Modified:
    rfc1213.mib | RFC1213-MIB | Modified description of sysDescr and sysObjectID

CMW710-R0306P11
  New: None
  Modified:
    rfc1213.mib | RFC1213-MIB | Modified description of sysObjectID

CMW710-R0306P07
  New: None
  Modified:
    rfc1213.mib | RFC1213-MIB | Modified description of sysDescr and sysObjectID

CMW710-R0305P08
  New: None
  Modified:
    hh3c-3gmodem.mib | HH3C-3GMODEM-MIB | Modified description of hh3cWirelessCardOnlineTable, hh3cWirelessCardModemMode, hh3cWirelessCardCurNetConn, hh3cWirelessCardOnlineTime, hh3cWirelessCardOnlineType, hh3cUIMInfoTable, hh3cUIMIndex, hh3cUIMStatus, hh3cUIMImsi, hh3c3GCdma1xRttBID, hh3c3GCdma1xRttSID, hh3c3GCdma1xRttNID, hh3c3GCdmaEvDoSubNetID, hh3c3GGsmMcc, hh3c3GGsmMnc, hh3cSmsSrcNumberBind, hh3cSmsTimeBind, hh3cSmsEncodeBind, hh3cSmsContentBind, hh3cSmsRxNotifSwitch and hh3cSmsRxNotification

CMW710-R0305P04
  New: None
  Modified:
    rfc1213.mib | RFC1213-MIB | Modified description of sysDescr, sysContact, sysName and sysLocation, sysObjectID

CMW710-R0305
  New: None
  Modified:
    rfc1213.mib | RFC1213-MIB | Modified description of sysDescr and sysObjectID

CMW710-R0304P12
  New: None
  Modified:
    rfc2925-disman-ping.mib | DISMAN-PING-MIB | Modified description of pingCtlTable
    hh3c-nqa.mib | HH3C-NQA-MIB | Modified description of hh3cNqaCtlTable
    hh3c-mplsext.mib | HH3C-MPLSEXT-MIB | Added hh3cMplsExtVpnStatsTable

CMW710-R0304
  New: None
  Modified:
    hh3c-transceiver-info.mib | HH3C-TRANSCEIVER-INFO-MIB | Modified description of hh3cTransceiverCurTXPower and hh3cTransceiverCurRXPower

CMW710-E0302P06
  New:
    hh3c-stack.mib | HH3C-STACK-MIB | Added HH3C-STACK-MIB
    rfc5060-pim-std.mib | PIM-STD-MIB | Added PIM-STD-MIB
    rfc5240-pim-bsr.mib | PIM-BSR-MIB | Added PIM-BSR-MIB
    hh3c-qinqv2.mib | HH3C-QINQV2-MIB | Added HH3C-QINQV2-MIB
    rfc3019-ipv6-mld.mibs | IPV6-MLD-MIB | Added IPV6-MLD-MIB
    hh3c-nqa.mib | HH3C-NQA-MIB | Added HH3C-NQA-MIB
    hh3c-posa.mib | HH3C-POSA-MIB | Added HH3C-POSA-MIB
    rfc1473-ppp-ip.mib | PPP-IP-NCP-MIB | Added PPP-IP-NCP-MIB
    rfc1471-ppp-lcp.mib | PPP-LCP-MIB | Added PPP-LCP-MIB
    hh3c-mp-v2.mib | HH3C-MP-V2-MIB | Added HH3C-MP-V2-MIB
    hh3c-mplsext.mib | HH3C-MPLSEXT-MIB | Added HH3C-MPLSEXT-MIB
    hh3c-mplste.mib | HH3C-MPLSTE-MIB | Added HH3C-MPLSTE-MIB
    rfc6445-mpls-frr-facility-std.mib | MPLS-FRR-FACILITY-STD-MIB | Added MPLS-FRR-FACILITY-STD-MIB
    rfc6445-mpls-frr-general-std.mib | MPLS-FRR-GENERAL-STD-MIB | Added MPLS-FRR-GENERAL-STD-MIB
  Modified:
    rfc3812-mpls-te-std.mib | MPLS-TE-STD-MIB | Added MPLS-TE-STD-MIB
    rfc3970-te.mib | TE-MIB | Added TE-MIB
    hh3c-transceiver-info.mib | HH3C-TRANSCEIVER-INFO-MIB | Added HH3C-TRANSCEIVER-INFO-MIB
    rfc5519-mgmd-std.mib | MGMD-STD-MIB | Added MGMD-STD-MIB
    rfc4560-disman-traceroute.mib | DISMAN-TRACEROUTE-MIB | Added DISMAN-TRACEROUTE-MIB
    rfc2925-disman-ping.mib | DISMAN-PING-MIB | Added DISMAN-PING-MIB
    rfc5603-pw-enet-std.mib | PW-ENET-STD-MIB | Added PW-ENET-STD-MIB
    rfc5601-pw-std.mib | PW-STD-MIB | Added PW-STD-MIB
    hh3c-snmp-ext.mib | HH3C-SNMP-EXT-MIB | Added HH3C-SNMP-EXT-MIB
    hh3c-posa.mib | HH3C-POSA-MIB | Added HH3C-POSA-MIB
    hh3c-bfd-std.mib | HH3C-BFD-STD-MIB | Added HH3C-BFD-STD-MIB
    hh3c-ppp-over-sonet.mib | HH3C-PPP-OVER-SONET-MIB | Added HH3C-PPP-OVER-SONET-MIB
    rfc3815-mpls-ldp-std.mib | MPLS-LDP-STD-MIB | Added MPLS-LDP-STD-MIB
    rfc4382-mpls-l3vpn-std.mib | MPLS-L3VPN-STD-MIB | Added MPLS-L3VPN-STD-MIB
    hh3c-license.mib | HH3C-LICENSE-MIB | Added HH3C-LICENSE-MIB
    hh3c-tunnel.mib | HH3C-TUNNEL-MIB | Added HH3C-TUNNEL-MIB
    rfc5643-ospfv3.mib | OSPFV3-MIB | Added OSPFV3-MIB
    rfc2981-disman-event.mib | DISMAN-EVENT-MIB | Added DISMAN-EVENT-MIB
    hh3c-pvst.mib | HH3C-PVST-MIB | Added HH3C-PVST-MIB
    hh3c-evi.mib | HH3C-EVI-MIB | Added HH3C-EVI-MIB
    hh3c-l2vpn.mib | HH3C-L2VPN-MIB | Added HH3C-L2VPN-MIB
    rfc4444-isis.mib | ISIS-MIB | Modified description of isisSysLevelMinLSPGenInt
    rfc1213.mib | RFC1213-MIB | Modified description of sysDescr and sysObjectID; Modified TAA description of sysObjectID; Modified index of ipv6InterfaceTable; Modified description of sysContact and sysLocation; Modified Access of ipAddressStorageType
    rfc4444-isis.mib | ISIS-MIB | Modified description of isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex, isisCirc3WayEnabled, isisCircExtendedCircID, isisISAdj3WayState and isisISAdjNbrExtendedCircID
    rfc2465-ipv6.mib | IPV6-MIB | Modified description of ipv6IfDescr
    hh3c-splat-mstp.mib | HH3C-LswMSTP-MIB | Modified description of hh3cdot1sStpForceVersion
    rfc2933-igmp-std.mib | IGMP-STD-MIB | Modified description and PDS of IGMP-STD-MIB
    rfc2863-if.mib | IF-MIB | Updated the rfc2863-if.mib from rfc2233-if.mib
    hh3c-dns.mib | HH3C-DNS-MIB | Modified description of HH3C-DNS-MIB
    hh3c-domain.mib | HH3C-DOMAIN-MIB | Modified description of HH3C-DOMAIN-MIB
    hh3c-sys-man.mib | HH3C-SYS-MAN-MIB | Modified example of hh3cSysBtmLoadTable
    hh3c-config-man.mib | HH3C-CONFIG-MAN-MIB | Modified description of hh3cCfgLogTerminalUser and hh3cCfgLogCmdSrcAddress
    rfc2933-igmp-std.mib | IGMP-STD-MIB | Modified description of igmpInterfaceQueryMaxResponseTime, igmpInterfaceRobustness, igmpInterfaceLastMembQueryIntvl, mldInterfaceQueryMaxResponseDelay, mldInterfaceRobustness, mldInterfaceLastListenQueryIntvl; Modified PDS of igmpCacheAddress, igmpCacheIfIndex, igmpCacheSelf, mldCacheAddress, mldCacheIfIndex, mldCacheSelf
    rfc2925-disman-ping.mib | DISMAN-PING-MIB | Modified description of pingCtlIfIndex; Added pingProbeFailed, pingTestFailed, pingTestCompleted, hh3cNqaProbeTimeOverThreshold, hh3cNqaJitterRTTOverThreshold, hh3cNqaProbeFailure, hh3cNqaJitterPacketLoss, hh3cNqaJitterSDOverThreshold, hh3cNqaJitterDSOverThreshold, hh3cNqaICPIFOverThreshold, hh3cNqaMOSOverThreshold
    rfc4133-entity.mib | ENTITY-MIB | Modified description of entPhysicalAlias, entPhysicalAssetID
    hh3c-if-ext.mib | HH3C-IF-EXT-MIB | Modified description of HH3C-IF-EXT-MIB
    hh3c-config-man.mib | HH3C-CONFIG-MAN-MIB | Modified description of HH3C-CONFIG-MAN-MIB
    hh3c-trng2.mib | HH3C-TRNG2-MIB | Modified description of HH3C-TRNG2-MIB
    rfc2925-disman-ping.mib | DISMAN-PING-MIB | Modified description of pingCtlTable
    hh3c-ntp.mib | HH3C-NTP-MIB | Modified description of hh3cNTPSystemMIB
    hh3c-entrelation.mib | HH3C-ENTRELATION-MIB | Modified description of hh3cEntRelationTable
    hh3c-entity-ext.mib | HH3C-ENTITY-EXT-MIB | Added hh3cEntityExtCpuUsageRecoverThreshold, hh3cEntityExtMemSizeRev, hh3cEntityExtCpuUsageIn1Minute, hh3cEntityExtCpuUsageIn5Minutes, hh3cEntityExtVoltageTable; Modified description and relationship of hh3cEntityExtTemperatureThreshold; Modified description of hh3cEntityExtTemperature
    hh3c-ssh.mib | HH3C-SSH-MIB | Added hh3cSTelnetServerEnable, hh3cSCPServerEnable
    hh3c-lsw-dev-adm.mib | HH3C-LSW-DEV-ADM-MIB | Added hh3cLswSlotMemRev, hh3cLswSlotPhyMemRev, hh3cLswSlotRunTime and hh3cLswSlotMemUsedRev
    hh3c-lsw-dev-adm.mib | HH3C-LSW-DEV-ADM-MIB | Added hh3cLswCpuTable
    hh3c-3gmodem.mib | HH3C-3GMODEM-MIB | Added hh3cLteInfoTable
    hh3c-trap.mib | HH3C-TRAP-MIB | Modified description of hh3cTrapConfigSwitch
    rfc2863-if.mib | IF-MIB | Modified description of ifOutQLen
    hh3c-ip-address.mib | HH3C-IP-ADDRESS-MIB | Added hh3cIpAddrFirstTrapTime
    rfc1471-ppp-lcp.mib | PPP-LCP-MIB | Modified description of pppLinkStatusBadFCSs
    ieee8023-lag.mib | IEEE8023-LAG-MIB | Modified title of IEEE8023-LAG-MIB
    hh3c-lag.mib | HH3C-LAG-MIB | Modified title of HH3C-LAG-MIB
    hh3c-domain.mib | HH3C-DOMAIN-MIB | Modified description of hh3cDomainDefault and hh3cDomainName
    hh3c-if-ext.mib | HH3C-IF-EXT-MIB | Added hh3cIfOperStatus and hh3cIfDownTimes
    rfc5603-pw-enet-std.mib | PW-ENET-STD-MIB | Modified pwEnetTable
    rfc5602-pw-mpls-std.mib | PW-MPLS-STD-MIB | Modified the module of PW-MPLS-STD-MIB
    rfc5603-pw-enet-std.mib | PW-ENET-STD-MIB | Modified the table of PW-ENET-STD-MIB
    (not listed) | HH3C-PPP-OVER-SONET-MIB | Only support POS interfaces table hh3cPosParamTable
    hh3c-acl.mib | HH3C-ACL-MIB | Modified hh3cAclNumberGroupTable, hh3cPfilterApplyTable, hh3cPfilterAclGroupRunInfoTable, hh3cPfilterStatisticSumTable and added the hh3cAclNamedGroupTable, hh3cAclIPAclNamedBscTable, hh3cAclIPAclNamedAdvTable, hh3cAclNamedMACTable, hh3cAclIntervalTable, hh3cAclNamedUserTable, hh3cPfilter2ApplyTable, hh3cPfilter2, hh3cPfilter2AclGroupRunInfoTable, hh3cPfilter2AclRuleRunInfoTable, hh3cPfilter2StatisticSumTable, hh3cAclNamedGroupTable
    hh3c-stack.mib | HH3C-STACK-MIB | Modified description of hh3cStackTopology
    rfc2819-rmon.mib | RMON-MIB | Modified description of default value in RMON-MIB
    rfc4502-rmon.mib | RMON2-MIB | Modified description of default value in RMON2-MIB
    lldp-ext-dot1-v2.mib | LLDP-EXT-DOT1-V2-MIB | Removed lldpXdot1dcbxConfigETSConfigurationTable, lldpXdot1dcbxConfigETSRecommendationTable, lldpXdot1dcbxConfigPFCTable, lldpXdot1dcbxConfigApplicationPriorityTable, lldpXdot1dcbxLocETSBasicConfigurationTable, lldpXdot1dcbxLocETSConPriorityAssignmentTable, lldpXdot1dcbxLocETSConTrafficClassBandwidthTable, lldpXdot1dcbxLocETSConTrafficSelectionAlgorithmTable, lldpXdot1dcbxLocETSRecoTrafficClassBandwidthTable, lldpXdot1dcbxLocETSRecoTrafficSelectionAlgorithmTable, lldpXdot1dcbxLocPFCBasicTable, lldpXdot1dcbxLocPFCEnableTable, lldpXdot1dcbxLocApplicationPriorityAppTable, lldpXdot1dcbxRemETSBasicConfigurationTable, lldpXdot1dcbxRemETSConPriorityAssignmentTable, lldpXdot1dcbxRemETSConTrafficClassBandwidthTable, lldpXdot1dcbxRemETSConTrafficSelectionAlgorithmTable, lldpXdot1dcbxRemETSRecoTrafficClassBandwidthTable, lldpXdot1dcbxRemETSRecoTrafficSelectionAlgorithmTable, lldpXdot1dcbxRemPFCBasicTable, lldpXdot1dcbxRemPFCEnableTable, lldpXdot1dcbxRemApplicationPriorityAppTable, lldpXdot1dcbxAdminETSBasicConfigurationTable, lldpXdot1dcbxAdminETSConPriorityAssignmentTable, lldpXdot1dcbxAdminETSConTrafficClassBandwidthTable, lldpXdot1dcbxAdminETSConTrafficSelectionAlgorithmTable, lldpXdot1dcbxAdminETSRecoTrafficClassBandwidthTable, lldpXdot1dcbxAdminETSRecoTrafficSelectionAlgorithmTable, lldpXdot1dcbxAdminPFCBasicTable, lldpXdot1dcbxAdminPFCEnableTable, lldpXdot1dcbxAdminApplicationPriorityAppTable

CMW710-E0102
  New:
    rfc5060-pim-std.mib | PIM-STD-MIB | Added PIM-STD-MIB
    rfc5240-pim-bsr.mib | PIM-BSR-MIB | Added PIM-BSR-MIB
    hh3c-qinqv2.mib | HH3C-QINQV2-MIB | Added HH3C-QINQV2-MIB
    rfc3019-ipv6-mld.mibs | IPV6-MLD-MIB | Added IPV6-MLD-MIB
    hh3c-lsw-dev-adm.mib | HH3C-LSW-DEV-ADM-MIB | Added hh3cLswSlotMemRev, hh3cLswSlotPhyMemRev, hh3cLswSlotRunTime and hh3cLswSlotMemUsedRev
    hh3c-nqa.mib | HH3C-NQA-MIB | Added HH3C-NQA-MIB
    hh3c-posa.mib | HH3C-POSA-MIB | Added HH3C-POSA-MIB
    rfc4444-isis.mib | ISIS-MIB | Modified description of isisSysLevelMinLSPGenInt
  Modified:
    hh3c-entity-ext.mib | HH3C-ENTITY-EXT-MIB | Modified description and relationship of hh3cEntityExtTemperatureThreshold
    rfc1213.mib | RFC1213-MIB | Modified description of sysDescr and sysObjectID
    rfc4444-isis.mib | ISIS-MIB | Modified description of isisRouterID, isisSysLevelTEEnabled, isisNextCircIndex, isisCirc3WayEnabled, isisCircExtendedCircID, isisISAdj3WayState and isisISAdjNbrExtendedCircID
    rfc2465-ipv6.mib | IPV6-MIB | Modified description of ipv6IfDescr
    hh3c-splat-mstp.mib | HH3C-LswMSTP-MIB | Modified description of hh3cdot1sStpForceVersion
    rfc2933-igmp-std.mib | IGMP-STD-MIB | Modified description and PDS of nodes in IGMP-STD-MIB
    rfc4133-entity.mib | ENTITY-MIB | Modified description and PDS of entPhysicalAlias and entPhysicalAssetID
    hh3c-posa.mib | HH3C-POSA-MIB | Modified description of hh3cPosaFcmIdleTimeout
    rfc2863-if.mib | IF-MIB | Updated the rfc2863-if.mib from rfc2233-if.mib

CMW710-E0102
  New:
    hh3c-ike-monitor.mib | HH3C-IKE-MONITOR-MIB | Added HH3C-IKE-MONITOR-MIB
    hh3c-ike-monitor.mib | HH3C-IPSEC-MONITOR-V2-MIB | Added HH3C-IPSEC-MONITOR-V2-MIB
    lldp-v2.mib | LLDP-V2-MIB | Added LLDP-V2-MIB
    lldp-ext-dot1-v2.mib | LLDP-EXT-DOT1-V2-MIB | Added LLDP-EXT-DOT1-V2-MIB
    lldp-ext-dot3-v2.mib | LLDP-EXT-DOT3-V2-MIB | Added LLDP-EXT-DOT3-V2-MIB
    rfc2620-radius-acc-client.mib | RADIUS-ACC-CLIENT-MIB | Added RADIUS-ACC-CLIENT-MIB
    rfc2618-radius-auth-client.mib | RADIUS-AUTH-CLIENT-MIB | Added RADIUS-AUTH-CLIENT-MIB
    hh3c-domain.mib | HH3C-DOMAIN-MIB | Added HH3C-DOMAIN-MIB
    hh3c-domain.mib | HH3C-DOMAIN-MIB | Added HH3C-DOMAIN-MIB
    hh3c-user.mib | HH3C-USER-MIB | Added HH3C-USER-MIB
    hh3c-qos-capability.mib | HH3C-QOS-CAPABILITY-MIB | Added HH3C-QOS-CAPABILITY-MIB
    rfc3621-power-ethernet.mib | POWER-ETHERNET-MIB | Added POWER-ETHERNET-MIB
    hh3c-power-eth-ext.mib | HH3C-POWER-ETH-EXT-MIB | Added HH3C-POWER-ETH-EXT-MIB
    rfc3814-mpls-ftn-std.mib | MPLS-FTN-STD-MIB | Added MPLS-FTN-STD-MIB
    hh3c-dhcp4.mib | HH3C-DHCP4-MIB | Added HH3C-DHCP4-MIB
    hh3c-dhcp-snoop2.mib | HH3C-DHCP-SNOOP2-MIB | Added HH3C-DHCP-SNOOP2-MIB
    rfc2662-adsl-line.mib | ADSL-LINE-MIB | Added ADSL-LINE-MIB
    rfc2819-rmon.mib | RMON-MIB | Added RMON-MIB
    rfc4502-rmon.mib | RMON2-MIB | Added RMON2-MIB
    hh3c-rmon-ext2.mib | HH3C-RMON-EXT2-MIB | Added HH3C-RMON-EXT2-MIB
    rfc5132-ipmcast.mib | IPMCAST-MIB | Added IPMCAST-MIB
  Modified:
    hh3c-common-system.mib | HH3C-COMMON-SYSTEM-MIB | Modified HH3C-COMMON-SYSTEM-MIB to V2.4
    hh3c-splat-inf.mib | HH3C-LswINF-MIB | Modified HH3C-LswINF-MIB to V3.4
    hh3c-infocenter.mib | HH3C-INFO-CENTER-MIB | Added hh3cICLogbufferContTable in HH3C-INFO-CENTER-MIB
    hh3c-lsw-dev-adm.mib | HH3C-LSW-DEV-ADM-MIB | Added hh3cLswSlotPktBufFree, hh3cLswSlotPktBufInit, hh3cLswSlotPktBufMin and hh3cLswSlotPktBufMiss in hh3cLswSlotTable
    rfc2465-ipv6.mib | IPV6-MIB | Added ipv6RouteNumber, ipv6DiscardedRoutes and ipv6RouteTable
    rfc2096-ip-forward.mib | IP-FORWARD-MIB | Added inetCidrRouteNumber, inetCidrRouteDiscards and inetCidrRouteTable
    hh3c-config-man.mib | HH3C-CONFIG-MAN-MIB | Modified the description of hh3cCfgRunModifiedLast
    hh3c-cbqos2.mib | HH3C-CBQOS2-MIB | Modified the description of hh3cCBQoSPolicyClassNextIndex and hh3cCBQoSPolicyClassCfgInfoTable, and deleted hh3cCBQoSRedirectCfgInfoTable and hh3cCBQoSMirrorIfCfgInfoTable
    rfc3415-snmp-vacm.mib | SNMP-VIEW-BASED-ACM-MIB | Modified the description of vacmContextName
    rfc1213.mib | RFC1213-MIB | Modified the description of ipNetToMediaIfIndex
    rfc3415-snmp-vacm.mib | SNMP-VIEW-BASED-ACM-MIB | Modified the description of vacmContextName
    rfc2233-if.mib | IF-MIB | Modified the description of ifAlias
    hh3c-common-system.mib | HH3C-COMMON-SYSTEM-MIB | Modified the description of hh3cSysStatisticPeriod, hh3cSysSamplePeriod, hh3cSysTrapResendPeriod, hh3cSysTrapCollectionPeriod, hh3cSysSnmpPort, hh3cSysSnmpTrapPort, hh3cSysNetID, hh3cSysLastSampleTime; and modified the PDS of hh3cSysNetID
    rfc1213.mib | RFC1213-MIB | Modified the description of sysDescr and sysObjectID

Operation changes
None
Restrictions and cautions
1. HPE's FXS does not support call transfers from an analog phone to Lync Server.
Open problems and workarounds
None
List of resolved problems
Resolved problems in CMW710-R0306P82
201612130003
Symptom: The password needs to be entered twice when the MSR router logs in to an SSH server.
Condition: This symptom occurs if the MSR router acts as an SSH client and the SSH server performs HWTACACS authentication on clients.
201612080568
Symptom: When the MSR router acts as the LNS, it cannot establish L2TP tunnels with L2TP clients.
Condition: This symptom occurs if a large number of L2TP users frequently come online and go offline and a memory leakage exists on the router.
201611110148
Symptom: The MSR router reboots unexpectedly.
Condition: This symptom occurs if MPLS L3VPN and a large number of VXLAN tunnels are configured on the router and the router handles large bursts of traffic for a long time.
201611150055
Symptom: The MSR router forwards ND packets that are supposed to be discarded.
Condition: This symptom occurs if interfaces on the router are assigned IPv6 addresses and the router receives ND packets of which the target addresses are not local IPv6 addresses.
201610280205
Symptom: The CLI of the MSR router hangs.
Condition: This symptom occurs if password control is globally enabled on the router and a large number of users frequently come online and go offline.
201609230642
Symptom: A Layer 3 subinterface on the MSR router might fail to be deleted.
Condition: This symptom occurs if a large number of Layer 3 subinterfaces are configured on the router and the shutdown and undo vlan-type commands are simultaneously issued to multiple Layer 3 subinterfaces.
201612260238
Symptom: Portal users fail authentication on the MSR router that acts as the access device.
Condition: This symptom occurs if the router performs RADIUS authentication on users and a large number of portal users come online and go offline.
201612260250
Symptom: The MSR router cannot correctly advertise the default route to PE neighbors.
Condition: This symptom occurs if MPLS L3VPN is configured on the router.
201612260223
Symptom: BFD performance of the MSR router decreases. Specifically, the maximum number of BFD sessions cannot be reached.
Condition: None.
201609230608
Symptom: Some traffic cannot be NATed.
Condition: This symptom might occur if the following conditions exist:
The MSR router acts as the NAT gateway.
Fast forwarding load sharing is disabled.
NAT is configured.
201609050237
Symptom: Fragmented packets cannot be forwarded and a memory leakage exists on the MSR router in an IRF fabric.
Condition: This symptom occurs if NAT is configured on the IRF fabric and fragmented packets from the external network are cross-chassis forwarded to a VLAN interface of the internal network.
Resolved problems in CMW710-R0306P81
201611090368
Symptom: The total number of error packets displayed on the network management software and that displayed from the CLI are different.
Condition: This symptom occurs when error packets uiAlignErrs and uiInDiscards are received.
201610280217
Symptom: The description command cannot be successfully executed when a PC running the Windows 10 operating system is used to configure the device.
Condition: This symptom might occur when the description command is executed on a PC running the Windows 10 operating system.
201611100317
Symptom: In a VXLAN network, the configured DSCP marking action does not take effect when a QoS policy for incoming packets is applied to the site-facing interface that hosts an AC.
Condition: This symptom occurs when a QoS policy for incoming packets is applied to the site-facing interface that hosts an AC in a VXLAN network.
201610280181
Symptom: Clients cannot log in to a device through IPv6 SSH and Telnet.
Condition: This symptom occurs when the following conditions are met:
The tcp syn-cookie enable command is executed.
The client is not connected to the device directly.
The device uses an IPv6 address.
201610280192
Symptom: L2TP clients go offline.
Condition: This symptom might occur when a user that uses an incorrect username or password sends authentication requests.
201609230618
Symptom: Traffic cannot be forwarded because ARP/ND entry issuing has failed.
Condition: This symptom might occur when a large number of ARP/ND entries are learned or age out.
201611170054
Symptom: The configuration on FXS interfaces gets lost and no call progress tone is played.
Condition: This symptom occurs when over three HMIM-16FXS modules are installed on the device.
201611080238
Symptom: AAA accounting fails because the device and the server use inconsistent session ID formats.
Condition: This symptom occurs when AAA authentication uses an old-version server whose accounting session ID format is incompatible with the ID format on the device.
201611070502
Symptom: CVE-2016-8858.
Condition: Vulnerability was reported in OpenSSH. A remote user can send specially crafted data during the key exchange process to trigger a flaw in kex_input_kexinit() and consume excessive memory on the target system. This can be exploited to consume up to 384 MB per connection.
201610260739
Symptom: In an MPLS over GRE network, the device acts as a P device, and packet loss occurs when two CE devices ping each other.
Condition: This symptom might occur when two CE devices are connected through a service provider network.
201610260505
Symptom: The memory usage of the device continues to increase.
Condition: This symptom occurs when a GRE tunnel with TCP MSS set forwards fragmented packets.
201611250487
Symptom: URL redirection configured for EAD assistant does not take effect.
Condition: None.
Resolved problems in CMW710-R0306P80
201609270202
Symptom: Long ping response delay occurs when no SIM card is installed in the SIC-3G module that uses the EM660 modem chip.
Condition: This symptom might occur if no SIM card is installed in the SIC-3G module that uses the EM660 modem chip.
201603110069
Symptom: When the speed is set to 100 Mbps for a fiber port that uses a 1000-Mbps transceiver module, the LED of the port turns yellow or off.
Condition: This symptom might occur if the speed is set to 100 Mbps for a fiber port that uses a 1000-Mbps transceiver module.
201609220199
Symptom: A 4G router cannot access an LNS through 3G dialup.
Condition: This symptom might occur if a 4G router accesses an LNS through 3G dialup.
201610170407
Symptom: When multicast VPN is configured on the router, a switching module does not forward packets that are received from a Layer 3 interface.
Condition: This symptom might occur if multicast VPN is configured on the router, and the incoming interface of traffic is a Layer 3 interface.
201610190490
Symptom: The router can be pinged only within a short period of time after startup.
Condition: This symptom might occur if the following conditions exist:
After negotiation, the speed and duplex mode of interfaces on an SIC-4FSW or SIC-9FSW module are set to 100 Mbps and half duplex.
The module receives Layer 3 packets between 61 and 1536 bytes long at 10 Mbps and forwards the packets through VLAN interfaces.
201607230235
Symptom: The router cannot operate correctly when multiple GRE tunnels and one IPsec over GRE tunnel are forwarding traffic.
Condition: This symptom might occur if multiple GRE tunnels and one IPsec over GRE tunnel are set up.
201607020116
Symptom: When a Telnet user logs in to the router by using a username longer than 253 bytes, memory might be exhausted, and the router might reboot unexpectedly.
Condition: This symptom might occur if SNMP and trap notifications are enabled, and a Telnet user logs in to the router by using a username longer than 253 bytes.
201606010250
Symptom: A voice VLAN-enabled Layer 2 interface fails to forward VLAN-tagged traffic.
Condition: This symptom might occur if the source MAC addresses of the received traffic belong to voice VLANs, but the VLAN tags are for non-voice VLANs.
201604280054
Symptom: QoS cannot correctly collect traffic statistics on an IRF fabric.
Condition: This symptom might occur if a rate limiting template is configured for portal users on an IRF fabric.
201609210481
Symptom: SSH login fails when accounting is enabled and no accounting server is specified.
Condition: This symptom might occur if SSH login is performed when accounting is enabled without any accounting server specified.
201609060727
Symptom: BFD MAD does not take effect on two connected IRF fabrics.
Condition: This symptom might occur if BFD MAD is configured on two connected IRF fabrics, and the IRF fabrics can receive BFD detection packets from each other.
201608110527
Symptom: PPPoE clients cannot come online if the PPPoE server uses the DHCP address pool of a local DHCP server for address assignment.
Condition: This symptom might occur if the PPPoE server uses the DHCP address pool of a local DHCP server for address assignment.
201607290325
Symptom: CVE-2016-1409
Condition: The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in Cisco IOS XE 2.1 through 3.17S, IOS XR 2.0.0 through 5.3.2, and NX-OS allows remote attackers to cause a denial of service (packet-processing outage) via crafted ND messages, aka Bug ID CSCuz66542, as exploited in the wild in May 2016.
201604210076
Symptom: Execution of RSSI commands fails on a distributed router after the router reboots with a configuration file.
Condition: This symptom might occur if RSSI commands are executed on a distributed router that has rebooted with a configuration file.
201609220670
Symptom: The router cannot operate correctly when a Layer 3 interface is changed to a Layer 2 interface during traffic forwarding.
Condition: This symptom might occur if a Layer 3 interface is changed to a Layer 2 interface during traffic forwarding.
201607290311
Symptom: CVE-2016-2177
Condition: OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
201606280170
Symptom: PBR does not take effect when it is configured after the router starts up without any configuration file.
Condition: This symptom might occur if PBR is configured after the router starts up without any configuration file.
201607250050
Symptom: RBAC does not define access control for the ip load-sharing local-first enable command.
Condition: This symptom might occur if the ip load-sharing local-first enable command is configured, and trace logs are displayed.
201610170025
Symptom: The router cannot provide services when IPsec is enabled.
Condition: This symptom might occur if the following conditions exist:
a. IPsec is configured on the router.
b. Multiple data flows trigger IKE SA negotiations simultaneously, and the negotiations fail.
201609260311
Symptom: Incorrect PVST status causes broadcast storms.
Condition: This symptom might occur if the following conditions exist:
A PVST-enabled VLAN is deleted.
The stpd process is restarted, or the stpd process restarts during patch installation.
201610180122
Symptom: When QoS policy nesting is configured on an interface, long ping response delay occurs.
Condition: This symptom might occur if QoS policy nesting is configured on an interface, and GTS is configured in the parent policy.
201609260288
Symptom: When global password control is enabled, an SSH user cannot log in after multiple login failures.
Condition: This symptom might occur if global password control is enabled, and an SSH user logs in repeatedly by using a correct username and an incorrect password.
201609230633
Symptom: Installation of a patch or devkit package takes more than 40 minutes or fails.
Condition: This symptom might occur if a patch or devkit package is installed.
201608030540
Symptom: The router cannot forward MPLS L3VPN traffic correctly after the vpn popgo command is executed.
Condition: This symptom might occur if MPLS L3VPN is configured on the router, and the vpn popgo command is executed.
201607290305
Symptom: CVE-2012-0036
Condition: Curl and libcurl 7.2x before 7.24.0 do not properly consider special characters during extraction of a pathname from a URL, which allows remote attackers to conduct data-injection attacks via a crafted URL, as demonstrated by a CRLF injection attack on the (1) IMAP, (2) POP3, or (3) SMTP protocol.
Resolved problems in CMW710-R0306P70
201608120148
Symptom: The ICCID information for a 3G modem is not displayed in the display cellular command output.
Condition: None.
201608240033
Symptom: The diagnostic and monitoring (DM) feature is not available for ports on a SIC-4G-LTE card.
Condition: None.
201608190032
Symptom: Profile 3 cannot be used by 4G modem for dialup.
Condition: None.
201608290384
Symptom: The CPU usage of an MSR router reaches 50 percent and the delay of audio signals increases.
Condition: This symptom occurs if 12 concurrent calls exist on the MSR router.
201608250025
Symptom: LEDs on the 8GSW card installed in an MSR5660 device cannot operate correctly.
Condition: None.
201609060155
Symptom: Ports on an 8GEE card of an MSR router cannot forward traffic.
Condition: This symptom might occur if the 8GEE card is used in a VRRP network.
201609050247
Symptom: An MSR2004 router runs out of memory after a certain period of use.
Condition: This symptom occurs if a VLAN interface is created on the MSR3600 router and the actual forwarding speed of the VLAN interface is higher than the set speed 10 Mbps.
201608300072
Symptom: Portal authentication cannot correctly control user access to the network after users switch to different VLANs.
Condition: None.
201608290529
Symptom: CVE-2009-3238
Condition: The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."
201607190451
Symptom: The CLI of an MSR router hangs.
Condition: This symptom occurs if the following conditions exist:
LLDP and 802.1X authentication are enabled on the MSR router.
A port is configured to be shut down upon receiving an illegal frame.
An IP phone fails 802.1X authentication and triggers intrusion protection.
201605200138
Symptom: An MSR router does not support EAD quick deployment. However, no error message is displayed when EAD quick deployment is configured on a 9FSW card installed in the router.
Condition: None.
201607190461
Symptom: An MSR router cannot work with a Cisco NX9000 switch in an IS-IS network.
Condition: None.
201608110387
Symptom: The BGP NSR status of a two-MPU router is not correct, and the status cannot recover.
Condition: This symptom occurs if the memory threshold is reached during an active/standby switchover.
201608160017
Symptom: Ports on the MSR device are always in loopback state.
Condition: This symptom occurs if an external loopback test is performed on a card configured with PPP.
201608090279
Symptom: No voices but only signals are exchanged in the channels for voice services.
Condition: This symptom occurs if PPP compression and VAD are used during satellite link switchover for VHF services.
201607260049
Symptom: The country mode for call progress tones does not take effect on a voice card of an MSR router.
Condition: This symptom occurs if call progress tones are changed to non-default ones.
201607010523
Symptom: An MSR router in a full-mesh mGRE network reboots unexpectedly.
Condition: This symptom occurs if an aggregate interface is used as the mGRE tunnel interface and the port link modes of member ports in the aggregation group are changed.
201606280148
Symptom: In an MSR IRF fabric, errors exist in VLAN-instance mappings and STP status on ports cannot be correctly set.
Condition: This symptom occurs if the following conditions are met:
a. The spanning tree mode on the IRF fabric is PVST.
b. VLANs are created in the ascending order of VLAN IDs and then some VLANs are deleted.
Or, VLANs are not created in the ascending order of VLAN IDs. For example, create VLAN 10 and then create VLAN 5.
c. An interface card on the IRF fabric is rebooted.
d. An IRF master/subordinate switchover occurs. Or, the STP process restarts because a patch is installed or uninstalled or an ISSU is performed.
201607180362
Symptom: The AAA NAS-ID profile configuration on an MSR router does not take effect after the router reboots.
Condition: This symptom occurs if the running configuration is saved and the router is rebooted.
201607190489
Symptom: Stream media services are interrupted, because NAT 444 does not create correct entries for RTSP traffic.
Condition: This symptom occurs if the service client instead of the server initiates the service negotiation.
201607280123
Symptom: Fast forwarding does not take effect on a one-armed MSR router.
Condition: This symptom occurs if the one-armed router uses the same Layer 3 interface to perform traffic forwarding. For example, VLAN-interface 361 is configured with a primary interface and secondary interfaces. Traffic arrives at VLAN-interface 361 and then is forwarded out of VLAN-interface 361.
Resolved problems in CMW710-R0306P52
201605260540
Symptom: After the APN-profile is configured, only the authentication mode is modified, but the configuration does not take effect.
Condition: None.
201606200046
Symptom: The device reboots unexpectedly.
Condition: This symptom occurs if the device acts as an SSL VPN gateway and the user logs into the device through the Web interface.
201606290087
Symptom: The device reboots because of memory leak.
Condition: This symptom occurs if the SIM card is absent or fails on the 4G interface.
201605300494
Symptom: 802.1X authentication on the SIC-4FSW/DSIC-9FSW cards fails. Layer 2/Layer 3 forwarding is performed without authentication.
Condition: This symptom occurs if the EAD assistant feature is configured on the SIC-4FSW/DSIC-9FSW cards.
201605060278
Symptom: The system fails to obtain the next startup configuration file through MIB.
Condition: None.
201603040253
Symptom: When both voice VLAN and MAC authentication are configured on an interface,
MAC authentication is also performed for packets with OUI addresses.
Condition: None.
201605040492
Symptom: When an SSL client policy is configured, the configuration takes effect only after you disable SSL session renegotiation, save the configuration, and reboot the device.
Condition: None.
201604150420
Symptom: If the MAC address of data packets is learned in a voice VLAN, the packets are not forwarded.
Condition: This symptom occurs if the source MAC address of the data packets is an OUI address and the VLAN tag of the packets is not the voice VLAN.
201605260553
Symptom: The PIM process exits exceptionally.
Condition: This symptom occurs if the PIM DM mode is used to create 32K entries and an outgoing interface is configured as the multicast forwarding boundary.
201606070297
(1) Symptom: CVE-2016-2105
(1) Condition: Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
(2) Symptom: CVE-2016-2106
(2) Condition: Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
(3) Symptom: CVE-2016-2107
(3) Condition: The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
(4) Symptom: CVE-2016-2108
(4) Condition: The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
(5) Symptom: CVE-2016-2109
(5) Condition: The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
(6) Symptom: CVE-2016-2176
(6) Condition: The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
201605200360
Symptom: A voice call fails.
Condition: This symptom occurs if the longest match is configured and the dialed number is a short number.
201605030252
Symptom: An L2TP user fails to come online through dialup.
Condition: This symptom occurs if the device acts as an LNS and the idle-timeout assigned by the AAA server is 0.
201606290046
Symptom: When the RADIUS server remotely assigns an address, you must configure an IKE address pool.
Condition: None.
201605030237
Symptom: When IKE local extended authentication and address authorization are configured, the configuration in an old version is incompatible with the configuration in a new version.
Condition: None.
201511200124
Symptom: An E1/T1 interface still processes RAI alarms when RAI detection is disabled on the interface.
Condition: None.
201606280531
Symptom: An HMIM-2/4/8E1T1 (-F) card fails to start up.
Condition: This symptom occurs if the device is powered off when the card updates the logic.
201607020231
Symptom: The device reboots unexpectedly because of memory exhaustion.
Condition: This symptom occurs if a user telnets to the device by using a username longer than 127 bytes.
201606290412
Symptom: An interface on which the maximum number of secure MAC addresses is limited goes down when forwarding traffic.
Condition: This symptom might occur if the maximum number of secure MAC addresses set on the interface is small.
201607010400
Symptom: The free-rule 1 source any configuration is added to the configuration file after the device reboots.
Condition: This symptom occurs if the device starts up with a .cfg startup configuration file.
201607010364
Symptom: Portal users can come online through an interface with portal authentication disabled, but the status of portal users is not correct.
Condition: None.
201607150110
Symptom: A busy error occurs when an asynchronous serial interface operating in flow mode reversely telnets to the device.
Condition: This symptom occurs if the asynchronous serial interface reversely telnets to the device when it is enabled with terminal service.
201607040302
(1) Symptom: CVE-2016-4953
(1) Condition: Fixed vulnerability in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service by sending a spoofed packet with incorrect authentication data at a certain time.
(2) Symptom: CVE-2016-4954
(2) Condition: Fixed vulnerability in ntpd in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service by sending spoofed packets from source IP addresses in a certain scenario.
(3) Symptom: CVE-2016-4956
(3) Condition: Fixed vulnerability in NTP 4.x before 4.2.8p8 that allows remote attackers to cause a denial of service via a spoofed broadcast packet.
201605060581
(1) Symptom: CVE-2015-8138
(1) Condition: Fixed vulnerability in ntpd where attackers may be able to disable time synchronization by sending a crafted NTP packet to the NTP client.
(2) Symptom: CVE-2015-7979
(2) Condition: Fixed vulnerability in ntpd that allows attackers to send specially crafted broadcast packets to broadcast clients, which may cause the affected NTP clients to become out of sync over a longer period of time.
(3) Symptom: CVE-2015-7974
(3) Condition: Fixed vulnerability in NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key.
(4) Symptom: CVE-2015-7973
(4) Condition: Fixed vulnerability where, when NTP is configured in broadcast mode, a man-in-the-middle attacker or a malicious client could replay packets received from the broadcast server to all (other) clients, which causes the time on affected clients to become out of sync over a longer period of time.
201605180120
(1) Symptom: CVE-2016-1547
(1) Condition: Fixed vulnerability where an off-path attacker can deny service to ntpd clients by demobilizing preemptable associations using spoofed crypto-NAK packets.
(2) Symptom: CVE-2016-1548
(2) Condition: Fixed vulnerability where an attacker can change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.
(3) Symptom: CVE-2016-1550
(3) Condition: Fixed vulnerability in an ntpd function that allows an attacker to conduct a timing attack to compute the value of the valid authentication digest, causing forged packets to be accepted by ntpd.
(4) Symptom: CVE-2016-1551
(4) Condition: Fixed vulnerability in ntpd that allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering.
(5) Symptom: CVE-2016-2519
(5) Condition: Fixed vulnerability where ntpd aborts if an attempt is made to read an oversized value.
(6) Symptom: CVE-2015-7704
(6) Condition: Fixed vulnerability in ntpd that a remote attacker could use to send a packet to an ntpd client that would increase the client's polling interval value and effectively disable synchronization with the server.
201607140270
Symptom: A user fails to dial up by using a POS terminal.
Condition: This symptom occurs if the SoftX device sends an 18x response with an SDP, a 180 response without an SDP, and a 200 OK response without an SDP in order. The media of the devices is not connected, so fax or modem switchover fails.
201607080214
Symptom: When SIP session refresh using re-INVITE requests is enabled, calls are cut off at about 3 minutes.
Condition: This symptom might occur if SIP session refresh using re-INVITE requests is enabled.
201607130473
Symptom: When command accounting is enabled for a Telnet user that passes TACACS authentication, long command execution delay exists.
Condition: This symptom might occur if one of the following conditions exists:
The router does not have connectivity to the TACACS server.
The TACACS server does not respond to accounting requests.
The network has great latency.
201607140274
Symptom: Both the calling party and the called party are silent during a call established between the device and a SoftX device.
Condition: This symptom occurs if the SoftX device sends an 18x response with an SDP, a 180 response without an SDP, and a 200 OK response without an SDP in order. The media of the devices is not connected, so both parties cannot hear any voices.
201607120078
Symptom: When a TTY user logs in through an asynchronous serial interface of an SIC-16AS card, the user connection is not terminated after the idle timeout, the user cannot be forcibly logged off, and reverse Telnet is unavailable.
Condition: This symptom might occur if the following conditions exist:
The flow mode is enabled for the asynchronous serial interface.
The undo shell command is not configured for the user line.
The interface goes down when receiving and sending data.
201608230032
Symptom: An MSR3012 router reboots unexpectedly.
Condition: This symptom might occur if an HMIM-8E1T1 card with CPLD version 7.0 is hot plugged into the MSR3012 router when the router is being powered on.
Resolved problems in CMW710-R0306P30
201603140497
Symptom: An MSR2003 router displays the message "Watchdog timeout ==MSR2003 Reboot with CW7 e0402l10" if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface.
Condition: This symptom might occur if GRE over IPsec runs on a subinterface and MPLS L3VPN settings are configured on the GRE tunnel interface.
201604200661
Symptom: When the full duplex mode is configured and the speed is set to 1000 Mbps for a Layer 2 interface on an SIC-4GSW card, the interface cannot come up or uses an incorrect duplex mode.
Condition: This symptom might occur if the full duplex mode is configured and the speed is set to 1000 Mbps for a Layer 2 interface on an SIC-4GSW card.
201604280272
Symptom: On a China Telecom 3G interface, when the EVDO mode is enabled, an hh3c3GRssiWeakSignalTrap notification for the CDMA-1x RTT mode is falsely generated. When the CDMA-1x RTT mode is enabled, an hh3c3GRssiWeakSignalTrap notification for the EVDO mode is falsely generated.
Condition: None.
201604220195
Symptom: Modem dialups fail on FXS, FXO, E&M, and BSV cards when modem pass-through and fax pass-through are enabled.
Condition: This symptom might occur if modem pass-through and fax pass-through are enabled.
201604220017
Symptom: When the receiving power and transmitting power of a transceiver module change, the corresponding values in the MIB are not updated on time.
Condition: None.
201603140402
Symptom: The router provides 4G dialup services to an LTE network with two LNSs. When the primary LNS fails, services are not switched to the standby LNS.
Condition: None.
201604260058
Symptom: The error packet suppression feature is removed.
Condition: None.
201605060432
Symptom: The format of POSA hello messages is incorrect, and the handshaking feature does not take effect.
Condition: None.
201512230234
Symptom: In a dynamic link aggregation group, an Ethernet subinterface is not Selected after certain operations are performed.
Condition: This symptom might occur if the following operations are performed:
a. Create a dynamic link aggregation group and assign an Ethernet subinterface to the group.
b. Delete the link aggregation group.
c. Re-create the link aggregation group and assign the Ethernet subinterface to the group.
201604110398
Symptom: CVE-2016-2842
Condition: Fixed vulnerability in the doapr_outch function in crypto/bio/b_print.c, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string.
201603230025
Symptom(1): CVE-2016-0705
Condition(1): Fixed vulnerability when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources.
Symptom(2): CVE-2016-0798
Condition(2): Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt.
Symptom(3): CVE-2016-0797
Condition(3): Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g that allows remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference).
Symptom(4): CVE-2016-0799
Condition(4): Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service which could lead to memory allocation failure or memory leaks.
Symptom(5): CVE-2016-0702
Condition(5): Fixed vulnerability in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g which makes it easier for local users to discover RSA keys leveraging cache-bank conflicts, aka a "CacheBleed" attack.
201603170257
Symptom(1): CVE-2016-0701
Condition(1): The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.
Symptom(2): CVE-2015-3197
Condition(2): ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
201605040142
Symptom: IKE SA setup fails because "Number of negotiating IKE SAs exceeded the limit" after certain operations are performed.
Condition: This symptom might occur if the IKE keychain settings at the two ends of an IKE SA are inconsistent and the IKE SA is repeatedly created and deleted.
201604260409
Symptom: IPv6 policy-based routing does not take effect.
Condition: None.
201604280185
Symptom: A device using non-standard protocols might drop the frames sent by the router when the frames are VLAN-tagged and 64-byte long (including padding and CRC).
Condition: None.
201604260624
Symptom: After a port goes down, the FIB entry for a direct route that contains the port is deleted after a delay of 20 seconds.
Condition: This symptom might occur if the router keeps forwarding traffic matching the direct route.
201604180578
Symptom: The router does not process R2 B3 messages and forwards a wrong B message to a PBX when receiving a SIP 410 message.
Condition: None.
201602180272
Symptom: An incorrect PSTN cause code is returned for an ISDN link down event.
Condition: None.
201605040146
Symptom: The undo mac-address dynamic mac-address vlan vlan-id command cannot delete a dynamic MAC address entry.
Condition: None.
201603220579
Symptom: An MFR subinterface cannot forward traffic if the PVC is deleted at one end of the link or the type of the PVC is modified from dynamic to static on the DTE.
Condition: This symptom might occur if the PVC of an MFR subinterface is deleted on one end of the link or the type of the PVC is modified from dynamic to static on the DTE.
201605100011
Symptom: NetStream has incorrect outgoing traffic statistics for an interface if the interface forwards traffic from an IP network to an MPLS network.
Condition: This symptom might occur if an interface forwards traffic from an IP network to an MPLS network.
201605160128
Symptom: The router sends a wrong Release Cause code in a no pickup call.
Condition: None.
201605130382
Symptom: An incorrect PSTN cause code results in an incorrect SIP status code.
Condition: None.
201604290522
Symptom: Mirrored packets from a Layer 3 mirroring source port might carry an incorrect IP version value.
Condition: None.
201603140262
Symptom: On an MSR4000 router, a GRE tunnel goes down because the router does not receive GRE keepalive responses from the peer.
Condition: This symptom might occur if the router can receive GRE keepalive requests from the peer, but no GRE keepalive responses are received.
201604090478
Symptom: On a voice VLAN-enabled Layer 2 port, MAC address entries of a non-voice VLAN age out even when the port constantly receives traffic of the non-voice VLAN.
Condition: None.
201605260501
Symptom: After the debugging physical card e1posdm calling command is executed in probe view, the undo form of the command does not take effect.
Condition: None.
201606060042
Symptom: A call is disconnected 30 seconds after a user places the call on hold.
Condition: This symptom occurs if the router does not send an RTCP message to the Lync server within 30 seconds.
Resolved problems in CMW710-R0306P12
201602290360
Symptom: After a .cfg configuration file is used to restore the configuration of the router, OSPF sessions that are not configured with a router ID do not use the global router ID.
Condition: This symptom might occur if a .cfg configuration file is used to restore the configuration of the router.
201604010161
Symptom: MAC address entries age out on a voice VLAN-enabled Layer 2 interface when the interface has been forwarding traffic to and from the corresponding MAC addresses.
Condition: This symptom might occur if voice VLAN is enabled on a Layer 2 interface.
201604130088
Symptom: On an MSR4000 router, interfaces remain in discarding state after spanning tree is globally enabled.
Condition: This symptom might occur if spanning tree is globally enabled on an MSR4000 router.
201604090420
Symptom: The QoS policy configuration issued by IMC contains incorrect parameters for the CAR action of a traffic behavior.
Condition: None.
201603050111
Symptom: After voice VLAN is enabled, and the router is rebooted, the priority of voice VLAN packets is incorrect.
Condition: This symptom might occur if voice VLAN is enabled, and the router is rebooted.
201512310070
Symptom: CVE-2015-3194
Condition: Certificate verify crash with missing PSS parameter.
Symptom: CVE-2015-3195
Condition: X509_ATTRIBUTE memory leak.
Symptom: CVE-2015-3196
Condition: Race condition handling PSK identity hint.
Symptom: CVE-2015-1794
Condition: Anon DH ServerKeyExchange with 0 p parameter.
201603160152
Symptom: Aggressive IKE negotiation fails for specific Android phones, for example, phones running Android 5.1.1.
Condition: This symptom might occur if the router authenticates specific Android phones.
201511160131
Symptom: POS terminal listening fails if the listening port or the adjacent ports are used by other applications.
Condition: This symptom might occur if the POS terminal listening port or the adjacent ports are used by other applications.
201604060109
Symptom: The 4G MIB is inaccessible.
Condition: None.
201604230042
Symptom: IMC SNMP cannot automatically discover LNS IP addresses.
Condition: None.
201603140262
Symptom: A GRE tunnel goes down unexpectedly.
Condition: This symptom might occur if the router and its peer send keepalive packets to each other, but the router does not receive any keepalive acknowledgment packet from the peer.
Resolved problems in CMW710-R0306P11
201602290064
Symptom: After the pre-shared key is modified, IKE negotiation fails, and the router displays the "2th byte of the structure ISAKMP Identification Payload must be 0" message.
Condition: This symptom might occur if the old pre-shared key is not deleted when the new key is set.
201602170270
Symptom: On a CDMA-1xRTT/CDMA-EVDO network, 3G VPDN access fails if the mode of the SIC-4G-LTE module is switched to 3G.
Condition: This symptom might occur if the mode of the SIC-4G-LTE module is switched to 3G.
201601260255
Symptom: After the router reboots, BFD sessions cannot be set up on subinterfaces that are in an aggregation group.
Condition: This symptom might occur if the router reboots.
201603150157
Symptom: IMC obtains incorrect packet statistics for Layer 2 interfaces on an MSR2004-24 router.
Condition: This symptom might occur if IMC reads the packet statistics on Layer 2 interfaces of an MSR2004-24 router.
201602260225
Symptom: An interface on an SIC-4/9FSW module cannot send broadcast traffic in its VLAN after certain operations are performed.
Condition: This symptom might occur if the following operations are performed:
a. Enable STP globally, and form a loop on an interface of an SIC-4/9FSW module.
b. Remove the blocked interface from its VLAN.
c. Disable STP globally, and assign the interface to its original VLAN.
201602260270
Symptom: The router does not display the command execution result after AT commands are manually executed.
Condition: None.
201603110385
Symptom: The router does not send a trap message after a warm or cold reboot.
Condition: This symptom might occur if a warm or cold reboot is performed.
201603240091
Symptom: Dialup fails if a 4G module is operating in 3G mode.
Condition: This symptom might occur if the following operations are performed:
a. Install a 4G SIM card in a 4G module.
b. Set the mode of the 4G module to 3G, and reboot the module.
201603100323
Symptom: When a portal preauthentication domain and MAC-based quick portal authentication are used together, authorization attributes in the preauthentication domain do not take effect on preauthentication users.
Condition: This symptom might occur if a portal preauthentication domain and MAC-based quick portal authentication are used together, and MAC-based quick portal authentication is triggered when preauthentication users access the network.
201601210332
Symptom: After a subcard is removed and the router is rebooted, the interface indexes for the subcard change in the MIB.
Condition: This symptom might occur if a subcard is removed and the router is rebooted.
201601180511
Symptom: When OpenFlow is enabled, application layer processing is slow and packet loss occurs.
Condition: This symptom might occur if OpenFlow is enabled.
201603290254
Symptom: The router reboots unexpectedly if it has 4 GB of memory.
Condition: This symptom might occur if the router has 4 GB of memory.
201602290118
Symptom: The route filtering settings of RIP processes running in VPNs are lost after the running configuration is saved and the router is rebooted.
Condition: This symptom might occur if one of the following operations is performed:
Upgrade the software and reboot the router.
Use a .cfg configuration file when rebooting the router.
201602260072
Symptom: An L2TP LAC does not have uplink traffic statistics for users.
Condition: None.
201602200075
Symptom: PPPoE clients fail to come online when the router acts as the PPPoE server if the DNS server IP address is an IPCP configuration option in IPCP negotiation.
Condition: This symptom might occur if the DNS server IP address is an IPCP configuration option in IPCP negotiation.
201602010352
Symptom: When network congestion occurs, high-priority packets are dropped on a CBQ-enabled MP link.
Condition: This symptom might occur if CBQ is configured for an MP link, and network congestion occurs.
201602150740
Symptom: 4G dialup fails if an APN profile specifies the username and password.
Condition: This symptom might occur if an APN profile specifies the username and password for 4G dialup.
201604060109
Symptom: No information can be obtained from the 4G MIB.
Condition: None.
201604070435
Symptom: An HMIM module might drop packets or stop forwarding traffic.
Condition: None.
201604130088
Symptom: When STP is globally enabled on a distributed router, the state of Layer 2 interfaces becomes discarding.
Condition: None.
Resolved problems in CMW710-R0306P07
201601190330
Symptom: The VPM light of the RT-SPU-100 module fails the equipment test.
Condition: None.
201601200375
Symptom: The GPS track curve reported by the router is inaccurate.
Condition: This symptom occurs when the 4G modem just starts to work.
201601220079
Symptom: Repeated satellite information is displayed when you view the 4G modem information.
Condition: None.
201512300275
Symptom: TACACS accounting configured at the CLI does not take effect.
Condition: This symptom occurs if the super command is used to obtain another user role.
201511270766
Symptom: The status of a Layer 2 aggregate interface is incorrect.
Condition: This symptom occurs if master/subordinate switchover is repeatedly performed for the router.
201601080547
Symptom: The configuration of an Ethernet subinterface is lost after it is assigned to an aggregation group.
Condition: This symptom occurs if the router reboots after the software is upgraded or the router is started by using a .cfg configuration file.
201601120609
Symptom: The user profile name cannot contain periods (.).
Condition: None.
201601130385
Symptom: The router reboots unexpectedly.
Condition: This symptom occurs if LDP receives abnormal TCP PDUs with the length field value 0 in the header.
201601120436
Symptom: The CPU usage reaches 100% in the core where the LDP active process resides.
Condition: This symptom occurs if the following conditions exist:
LDP NSR is configured. After the session comes up, active/standby switchover has occurred.
The number of messages that the session sends by using TCP is incorrectly counted.
201511260615
Symptom: The router reboots unexpectedly.
Condition: This symptom occurs if IPsec SAs and IKE SAs are repeatedly set up and deleted.
201511050564
Symptom: The router reboots unexpectedly.
Condition: This symptom occurs if IPsec protects OSPFv3 routes, and active/standby switchover is performed for the router.
201411190490
Symptom: An ADVPN tunnel fails to be established.
Condition: This symptom occurs if the ADVPN tunnel interface is bound to a VPN instance.
201510300470
Symptom: The operating mode configuration for an SIC-1VE1T1 module does not take effect.
Condition: This symptom occurs if the following operations are performed:
a. Configure the module to operate in T1 mode, and save the configuration.
b. Switch the operating mode to E1.
c. Reboot the router without saving the configuration.
201601270151
Symptom: The cable impedance of a CE1/PRI interface on an SIC-1VE1T1 module is set to 120 ohm, but the command output shows that the interface's cable impedance is 75 ohm.
Condition: This symptom might occur if the cable impedance of a CE1/PRI interface on an SIC-1VE1T1 module is set to 120 ohm.
201602030487
Symptom: A Layer 3 subinterface on an SIC-4/9FSW(P) module cannot forward traffic if the VLAN numbered with the subinterface number is not created.
Condition: This symptom might occur if a Layer 3 subinterface is created on an SIC-4/9FSW(P) module and the VLAN numbered with the subinterface number is not created.
201512110251
Symptom: The router does not have packet statistics for an aggregate interface that uses subinterfaces as members.
Condition: None.
201601240052
Symptom: MFR subinterfaces cannot be created.
Condition: None.
201512250041
Symptom: Modification of the service type for users in an ISP domain takes effect, but the router still displays the old configuration.
Condition: This symptom might occur if the service type for users in an ISP domain is modified.
201601280133
Symptom: The expired license of the router is reactivated, but some features are still unavailable after the router automatically loads the image file.
Condition: This symptom might occur if the expired license is reactivated.
201602240243
Symptom: The router might reboot unexpectedly after running for 497 days.
Condition: None.
201602010060
Symptom: RIP route filtering settings on the router are lost after the running configuration is saved and the router is rebooted.
Condition: This symptom might occur if one of the following operations is performed:
Upgrade the software and reboot the router.
Use a .cfg configuration file when rebooting the router.
201603090066
Symptom: An ADVPN tunnel cannot be set up if a loopback interface provides the tunnel source address and the physical tunnel outgoing interface is a NAT-enabled PPPoE dialer interface.
Condition: This symptom might occur if a loopback interface provides the tunnel source address and the physical tunnel outgoing interface is a NAT-enabled PPPoE dialer interface.
201603090064
Symptom: The DVPN service is interrupted during IPsec SA renegotiation.
Condition: This symptom might occur if the IPsec SA expires and IPsec SA renegotiation is performed.
201603020540
Symptom: The memory usage keeps rising if no ACL is specified for an IPsec policy template.
Condition: This symptom might occur if no ACL is specified for an IPsec policy template.
201601120419
Symptom: An NMS returns an error when it reads the 3G modem table from the MIB of the router.
Condition: This symptom might occur if two SIC-3G cards are installed on the router.
201601160235
Symptom: The router as a PPPoE server has duplicate PPPoE client information.
Condition: None.
201601180617
Symptom: The global DHCP address pool usage is incorrect.
Condition: None.
201601260049
Symptom: The router reboots unexpectedly when it receives GRE packets with the DF bit set.
Condition: This symptom might occur if the router receives GRE packets with the DF bit set.
201601190036
Symptom: The secondary IP addresses of a Virtual-Template interface are unavailable.
Condition: None.
201601210335
Symptom: The PPP IP segment match feature does not take effect if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured.
Condition: This symptom might occur if the user-basic-service-ip-type { ipv4 | ipv6 | ipv6-pd } command is not configured.
201602010492
Symptom: A VLAN interface cannot forward IPv6 traffic if a Layer 2 aggregate interface performs forwarding for the VLAN interface.
Condition: This symptom might occur if a Layer 2 aggregate interface performs forwarding for a VLAN interface.
201601210099
Symptom: When the FTP, SSH, Telnet, DNS, HTTP, or HTTPS service is enabled, 31 irrelevant TCP ports are also opened.
Condition: This symptom might occur if the FTP, SSH, Telnet, DNS, HTTP, or HTTPS service is enabled.
201601120047
Symptom: When execution of the description command in interface view fails because the specified description contains unsupported special characters, no prompt is displayed for the failure.
Condition: This symptom might occur if the description command specifies a description that contains unsupported special characters.
201601260439
Symptom: Memory leaks occur and the device reboots unexpectedly.
Condition: This symptom probably occurs if GRE tunnels/ADVPN tunnels are established over PPPoE and traffic is forwarded through these tunnels.
Resolved problems in CMW710-R0305P08
201512030136
Symptom: A nested QoS policy cannot classify traffic correctly.
Condition: This symptom occurs if QoS pre-classify is enabled for IPsec, and a nested QoS policy is configured to classify the encrypted traffic by using DSCP values.
201508060073
Symptom: GTS cannot process bursty traffic well, and traffic is not sent evenly. When a small burst size is configured, the traffic cannot reach the expected rate.
Condition: This symptom occurs if GTS is configured on an interface to shape traffic.
201512090619
Symptom: The system displays an invalid version notification when the software of a distributed router or an IRF fabric is upgraded from R0305P04.
Condition: This symptom occurs if one of the following conditions exists:
On the distributed router, the slot number of the active MPU is higher than the slot number of the standby MPU, and the software image is stored on the active MPU.
On the IRF fabric, the chassis number of the master IRF member router is higher than the chassis numbers of the subordinate IRF member routers, and the software image is stored on the master IRF member router.
201511200241
Symptom: HMIM-8GEE interface cards might stop sending packets.
Condition: This symptom might occur if interfaces on the HMIM-8GEE interface cards receive MPLS frames greater than 3072 bytes.
201509250085
Symptom: Operating modes do not take effect on interfaces on DSIC-1SHDSL-8W interface cards.
Condition: This symptom might occur if the DSIC-1SHDSL-8W interface cards are installed in the router together with other interface cards.
201512210405
Symptom: After a static MAC address entry is configured on the MSR2004, MAC address table synchronization fails and the static MAC address entry cannot be deleted from switching chips.
Condition: This symptom might occur if the MAC address in the static MAC address entry is the source MAC address of traffic.
201511050149
Symptom: Memory leak occurs.
Condition: This symptom occurs if the display debugging command is repeatedly executed.
201512230491
Symptom: A serial interface goes down and then comes up.
Condition: This symptom occurs if the following operations have been performed:
a. The operating mode of the serial interface is changed from synchronous to asynchronous.
b. A master/subordinate switchover occurs.
201511140166
Symptom: The system fails to display or clear statistics for FCM interfaces.
Condition: This symptom occurs if you do not specify an FCM interface when executing the display fcm statistics or reset fcm statistics command.
201512030136
Symptom: No traffic matches a child QoS policy.
Condition: This symptom occurs if the child QoS policy is nested in a parent QoS policy.
201508060073
Symptom: The download speed is slow when a QoS GTS action is configured.
Condition: This symptom occurs if you set a small CBS value for the QoS GTS action.
201511060514
Symptom: QoS queuing configuration cannot be modified on an interface on the MSR4000 after a master/subordinate switchover.
Condition: None.
201512110364
Symptom: The L2VE interface and L3VE interface display up state twice after a master/subordinate switchover.
Condition: None.
201512010186
Symptom: CVE-2015-7704
Condition: Denial of Service by Spoofed Kiss-of-Death.
Symptom: CVE-2015-7705
Condition: Denial of Service by Priming the Pump.
Symptom: CVE-2015-7855
Condition: Denial of Service Long Control Packet Message.
Symptom: CVE-2015-7871
Condition: NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability.
201507140251
Symptom: VRRPv3 does not support packet authentication. However, no error is displayed when packet authentication is configured for VRRPv3.
Condition: None.
201505270318
Symptom: No prompt is displayed when the router finishes downloading a file as an FTP client.
Condition: This symptom occurs if the downloaded file is greater than 2147483647 bytes.
201512300140
Symptom: NTP time synchronization fails between the router and a Cisco device with a time accuracy of 2^32.
Condition: This symptom occurs if NTP time synchronization occurs between the device and a Cisco device with a time accuracy of 2^32.
201507210022
Symptom: IPsec RRI cannot be implemented based on negotiated traffic flow in the IPsec VPN.
Condition: None.
201511260648
Symptom: Traffic cannot be forwarded through ADVPN tunnels.
Condition: This symptom occurs if ADVPN tunnels are established over an IPv6 network.
201511300165
Symptom: The results of tests that FIPS performs for 3DES and AES-wrap are unexpected.
Condition: None.
201507020257
Symptom: The DF bit setting in IPsec packets does not take effect.
Condition: This symptom occurs if the DF bit of IPsec packets is set on the source interface bound to an IPsec policy.
201512091595
Symptom: IKEv2 uses protocol number 5000 instead of 4500.
Condition: This symptom occurs if IKEv2 NAT traversal is configured.
201510080297
Symptom: The router fails to perform PPTP dial-up.
Condition: This symptom might occur if the router accesses the PPTP server through the NAT server.
201512100696
Symptom: The OpenFlow controller fails to discover the router during topology discovery.
Condition: This symptom occurs if the OpenFlow controller uses BDDP to perform topology discovery.
201509160400
Symptom: A user line cannot be configured by using the line number command.
Condition: This symptom occurs if you use the line number command to configure the user line.
201509180141
Symptom: In CWMP, a CPE fails to establish a connection to a server.
Condition: This symptom occurs if the CWMP connection interface belongs to a VPN instance.
201511040399
Symptom: The expected bandwidth configuration on a VLAN interface is lost.
Condition: This symptom occurs after two master/subordinate switchovers.
201512010078
Symptom: The boot-loader file command fails to specify a startup image file.
Condition: This symptom occurs if the startup image file resides on the standby MPU.
201510300441
Symptom: Unexpected page break occurs during faxing or fax negotiation fails.
Condition: This symptom occurs if multiple voice calls are established during faxing.
201512110328
Symptom: MAC address entries age out when they are configured not to age.
Condition: None.
201510160271
Symptom: The dual-stack PPPoE server that mainly provides IPv6 services exhausts IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv6 addresses assigned can log in.
Condition: This symptom occurs if two master/subordinate switchovers occur after IPv6 address exhaustion.
201510220524
Symptom: A logged-in PPPoE user cannot receive traffic.
Condition: This symptom occurs if the following conditions exist:
Two routers form an IRF fabric.
The PPPoE user logs in through an IRF port.
The master device reboots.
201510130373
Symptom: A SIP call cannot be established.
Condition: This symptom occurs if the router receives an INVITE request without SDP information.
201507200041
Symptom: The VE1 PRI Layer 3 test fails.
Condition: This symptom occurs if the device receives a SETUP message in which the value of the cap. field is video.
201510160206
Symptom: The dual-stack PPPoE server that mainly provides IPv6 services has available IPv6 addresses in the DHCPv6 address pool. PPPoE users who have no IPv4 addresses assigned cannot log in.
Condition: None.
201509220301
Symptom: The Cellular process reboots unexpectedly.
Condition: This symptom occurs if the profile main command is executed on a cellular interface on the MSR4000.
201510230327
Symptom: If a PPPoE user logs in and then logs out, the CIR specified in the user profile for the user does not take effect.
Condition: This symptom occurs if the following conditions exist:
Two routers form an IRF fabric.
The PPPoE user logs in through an IRF port.
The master device reboots.
201508100249
Symptom: No information is displayed after the display voice sip call command is executed on the MSR4000.
Condition: None.
201512180019
Symptom: The AC of an MPLS L2VPN cannot receive packets from a CE.
Condition: This symptom occurs if a Layer 3 aggregate subinterface is used as the AC of the MPLS L2VPN.
201511250428
Symptom: Settings of the answer-time, idle-time, and trade-time parameters cannot be deployed to interface cards related to POS terminal access.
Condition: This symptom occurs if you set the answer-time, idle-time, and trade-time parameters in system view.
201512010169
Symptom: An error occurs on an IRF physical interface after the router reboots and some operations are performed on the router.
Condition: This symptom occurs if two GigabitEthernet interfaces are used as IRF physical interfaces and one of the IRF physical interfaces goes down.
201512030468
Symptom: Packet filtering does not take effect on an Ethernet interface operating in bridge mode.
Condition: This symptom occurs if packet filtering is enabled on the Ethernet interface operating in bridge mode.
201511210055
Symptom: Interfaces on the HMIM-8GSW or HMIM-24GSW interface card receive a large number of ARP requests. Then, a packet statistics error occurs and the switching modules cannot operate correctly.
Condition: This symptom occurs if ARP snooping is enabled on interfaces on the HMIM-8GSW or HMIM-24GSW interface card.
201512180334
Symptom: The MSR2004-24 or MSR2004-48 router reboots unexpectedly.
Condition: This symptom occurs if the parameter of an SDK function on the switching chip of the router is null.
201511120124
Symptom: Packets are sent out of order.
Condition: This symptom occurs if packets are sent in per-flow mode.
201511270774
Symptom: A silent call is established after the called party goes off-hook.
Condition: This symptom occurs if the router uses the SIC-1VE1 or SIC-1VT1 voice card to initiate calls.
201512140104
Symptom: The mac-address max-mac-count command does not take effect, and no error message that the router does not support this command is displayed.
Condition: This symptom occurs if the mac-address max-mac-count command is executed on a Layer 2 aggregate interface.
201511300156
Symptom: The static IPv6 address binding feature does not take effect on an interface of the HMIM-8GSW interface card.
Condition: This symptom occurs if the static IPv6 address binding feature is configured on the interface of the HMIM-8GSW card.
201512100157
Symptom: Transceiver modules on the HMIM-8GSW interface card might fail the equipment test.
Condition: This symptom occurs if the equipment test is performed on the HMIM-8GSW interface card.
201511170229
Symptom: When a POS terminal hangs up, the FCM interface stays in up state and the FCM card becomes unavailable.
Condition: This symptom occurs if the router uses the FCM card for POS dial-up access and a large number of POS terminals repeatedly dial up.
201511250418
Symptom: The 3G chip MC8705 fails to update the firmware.
Condition: This symptom occurs if an MSR2004/4000 router is used to update the firmware of the 3G chip MC8705.
201510190389
Symptom: An L2TP tunnel cannot be established because the router performs strict check on packets with hidden AVPs.
Condition: This symptom occurs if the router acts as the L2TP LNS and receives packets with hidden AVPs sent by the LAC.
201510290199
Symptom: An L2TP user with a matching full username fails L2TP authentication. An L2TP tunnel cannot be established.
Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user attach-format imsi-sn split command.
201510290176
Symptom: An L2TP user whose authentication information does not contain an at sign (@) fails L2TP authentication. An L2TP tunnel cannot be established.
Condition: This symptom occurs if the router acts as the L2TP LNS and is configured with the ppp user accept-format imsi-sn split @ command.
201508190420
Symptom: Memory loss occurs after a voice interface card on the router reboots.
Condition: This symptom occurs if the CPU usage of the router reaches 100%.
201510160215
Symptom: The router acts as the PPPoE server and uses DHCPv6 to assign IPv6 addresses to hosts. No IPv6 addresses are displayed for PPPoE users in the display ppp access-user command output.
Condition: This symptom occurs if a master/subordinate switchover occurs after PPPoE users log in.
201511250195
Symptom: The MAC address entry for a VRRP group still exists on the router after the VRRP group is deleted.
Condition: This symptom occurs if you assign an IP address to the VRRP group and then delete the VRRP group.
201506180269
Symptom: The router stops sending packets when a POS terminal accesses the router.
Condition: This symptom might occur if the number of concurrent connections reaches 30 on the AM interface multiple times and configuration of the AM interface changes.
201511170159
Symptom: IPsec does not support SM4 algorithms.
Condition: None.
Resolved problems in CMW710-R0305P04
201510300500
Symptom: Packets are out of order if flow-based forwarding is enabled.
Condition: This symptom might occur if flow-based forwarding is enabled.
201510220351
Symptom: The IMSIs of some China Telecom 3G SIM cards cannot be correctly identified.
Condition: This symptom might occur if the Vodafone IMSIs are stored as the 3GPP IMSIs of the SIM cards.
201509300412
Symptom: The peer drops the ARP packets sent by the router if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.
Condition: This symptom might occur if the ARP packets carry 802.1Q VLAN tags with the CFI bit set to 1.
201509240177
Symptom: The router reboots unexpectedly if an HMIM-CNDE module is removed by using the remove command during the IPsec packet forwarding process.
Condition: This symptom might occur if an HMIM-CNDE module is removed by using the remove command during the IPsec packet forwarding process.
201510260569
Symptom: If port isolation is configured on both a Layer 2 aggregate interface and its member ports, the configuration fails on the aggregate interface or its member ports. Removal of the port isolation configuration also fails.
Condition: This symptom might occur if port isolation is configured on a Layer 2 aggregate interface and its member ports.
201509240346
Symptom: Channel configuration on radio interfaces is lost after a reboot.
Condition: None.
201509300064
Symptom: The traffic statistics for 3G/4G serial and Eth-channel interfaces are 0 in the MIB.
Condition: None.
201510300208
Symptom: The router cannot communicate with the peer if the router acts as the LNS to set up an L2TP tunnel to the peer by using a SIC-4FSW module.
Condition: This symptom might occur if the router acts as the LNS to set up an L2TP tunnel to the peer by using a SIC-4FSW module.
201511110304
Symptom: The router reboots unexpectedly if VLAN interfaces are created or deleted during the traffic forwarding process.
Condition: This symptom might occur if VLAN interfaces are created or deleted during the traffic forwarding process.
201508290046
Symptom: The CPU usage of the router rises if the router acts as a Telnet server and Telnet login to the router is aborted abnormally.
Condition: This symptom might occur if the router acts as a Telnet server and Telnet login to the router is aborted abnormally.
201509290092
Symptom: Telnet login with remote TACACS/RADIUS authentication fails.
Condition: This symptom might occur if Telnet login with remote TACACS/RADIUS authentication is performed.
201505130349
Symptom: Static NAT444 traffic does not trigger NAT444 user logging.
Condition: None.
201507070217
Symptom: ACL mismatches occur if a connection limit policy is applied to DS-Lite tunnels.
Condition: This symptom might occur if a connection limit policy is applied to DS-Lite tunnels.
201510200471
Symptom: The routing, multicast, authentication, and voice modules stop working, and incorrect information is displayed for the TRAP, NetStream, and DHCP modules.
Condition: This symptom might occur if the router has been running for more than seven months (214 days).
201508260173
Symptom: The time range status is incorrect if NTP is used.
Condition: This symptom might occur if NTP is used.
201510140128
Symptom: DDNS dynamic domain name update fails if the DDNS password contains forward slashes (/).
Condition: This symptom might occur if the DDNS password contains forward slashes (/).
201509160563
Symptom: The router reboots unexpectedly if the router acts as a PPPoE server and PPPoE users repeatedly come online and go offline.
Condition: This symptom might occur if the router acts as a PPPoE server and PPPoE users repeatedly come online and go offline.
201401100267
Symptom: PPP IPCP negotiation fails when a PPPoE client initiates a connection request to the router, and the VA interface goes up and comes down constantly.
Condition: This symptom might occur if NAT is performed for the PPPoE client, and IP address negotiation is enabled on the dialer interface.
201509170256
Symptom: Information about the last login is not displayed for a user that passes authentication.
Condition: None.
201507160359
Symptom: CVE-2014-8176
Condition: If a DTLS peer receives application data between the ChangeCipherSpec and Finished messages. May result in a segmentation fault or potentially, memory corruption.
Symptom: CVE-2015-1788
Condition: When processing an ECParameters structure OpenSSL enters an infinite loop. This can be used to perform denial of service against any system which processes public keys, certificate requests or certificates.
Symptom: CVE-2015-1789
Condition: X509_cmp_time does not properly check the length of the ASN1_TIME string and/or accepts an arbitrary number of fractional seconds in the time string. An attacker can use this to craft malformed certificates and CRLs of various sizes and potentially cause a segmentation fault, resulting in a DoS on applications that verify certificates or CRLs.
Symptom: CVE-2015-1790
Condition: The PKCS#7 parsing code does not handle missing inner EncryptedContent correctly. An attacker can craft malformed PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.
Symptom: CVE-2015-1791
Condition: If a NewSessionTicket is received by a multi-threaded client when attempting to reuse a previous ticket then a race condition can occur potentially leading to a double free of the ticket data.
Symptom: CVE-2015-1792
Condition: When verifying a signedData message the CMS code can enter an infinite loop. This can be used to perform denial of service against any system which verifies signedData messages using the CMS code.
201510130373
Symptom: SIP calls cannot be placed if the router receives INVITE requests with no SDP information.
Condition: This symptom might occur if the router receives INVITE requests with no SDP information.
201507200041
Symptom: The router sends a SIP response message that contains an incorrect call release cause code if the router receives an INVITE request with SDP information that contains the video capability.
Condition: This symptom might occur if the router receives an INVITE request with SDP information that contains the video capability.
201508100249
Symptom: The display voice sip call command outputs nothing if an MSR4000 router is a single-chassis IRF fabric and uses the chassis number 2.
Condition: This symptom might occur if an MSR4000 router is a single-chassis IRF fabric and uses the chassis number 2.
201508190420
Symptom: Memory leaks occur if the voice card is rebooted at the CLI when the CPU usage is 100%.
Condition: This symptom might occur if the voice card is rebooted at the CLI when the CPU usage is 100%.
201510270033
Symptom: Upgrading the standby MPU of the MSR4000 router fails.
Condition: This symptom might occur if the active MPU only has an .ipe startup image file, and the boot-loader command specifies the .ipe file for upgrading the standby MPU.
Resolved problems in CMW710-R0305
201509070388
Symptom: A fiber port cannot come up if a 100-Mbps optical transceiver module is installed in the port and the speed 100 command is executed on the port.
Condition: This symptom might occur if a 100-Mbps optical transceiver module is installed in the port and the speed 100 command is executed on the port.
201504130290
Symptom: Fax transmission fails if fax pass-through by using the G.711alaw or G.711ulaw codec is used for DIS signal transmission.
Condition: This symptom might occur if fax pass-through by using the G.711alaw or G.711ulaw codec is used for DIS signal transmission.
201509240046
Symptom: Some interfaces on the HMIM-8E1T1-F module cannot come up if the module is produced on 11 August 2015 or after that date.
Condition: This symptom might occur if the HMIM-8E1T1-F module is produced on 11 August 2015 or after that date.
201508040165
Symptom: Some transactions of POS terminals fail if TCP FIN packets contain transaction data.
Condition: This symptom might occur if TCP FIN packets contain transaction data.
201507150251
Symptom: Layer 3 aggregate interfaces cannot be created by using IMC.
Condition: This symptom might occur if IMC is used to create Layer 3 aggregate interfaces.
201508290021
Symptom: The CPU usage is high if the TCP maximum segment size is set to 1400 bytes.
Condition: This symptom might occur if the following operations have been performed:
a. Use the tcp mss command to set the TCP maximum segment size to 1400 bytes.
b. Save the configuration and reboot the router.
201508250213
Symptom: The delay in the result of the NQA ICMP jitter operation is much larger than the delay in the ping operation result.
Condition: This symptom might occur if the NQA ICMP jitter operation is performed.
201509140123
Symptom: The router cannot communicate with a Cisco device through the HDLC link between them.
Condition: This symptom might occur if the ip address slarp interval 1 command is executed on the Cisco device.
201508270343
Symptom: Tracert returns the destination IP address as the first hop if it is used on an L2TP over IPsec tunnel.
Condition: This symptom might occur if tracert is used on an L2TP over IPsec tunnel.
201510130060
Symptom: The signature algorithm does not support HMAC-SHA256 when a certificate request is made in non-FIPS mode.
Condition: This symptom might occur if the certificate request is made in non-FIPS mode.
201510200471
Symptom: The OSPF LSAs on the router do not age out. As a result, peers cannot learn routes from the router.
Condition: This symptom might occur if OSPF is enabled on the router, and the router has been operating for more than 210 days.
201507140154
Symptom: The router can be successfully logged in to by using a public key through SSH1, but RSA fails to encrypt the public key.
Condition: This symptom might occur if a public key and SSH are used to log in to the router.
201508280355
Symptom: The HDLC process does not respond if the display interface serial command is executed when the router receives ADDR_REQ packets.
Condition: This symptom might occur if the display interface serial command is executed when the router receives ADDR_REQ packets.
201509220038
Symptom: The router fails TACACS authentication for an incorrect password or invalid shared key if the TACACS server uses ACS V5.6 or later versions.
Condition: This symptom might occur if the TACACS server uses ACS V5.6 or later versions.
Resolved problems in CMW710-R0304P12
201507250134
Symptom: The router can be successfully logged in to by using an incorrect password.
Condition: This symptom might occur if remote TACACS authentication and NETCONF are used to log in to the router.
201508030326
Symptom: An interface goes down and the router reboots unexpectedly if PPPoE sessions are established on a large number of subinterfaces on the interface.
Condition: This symptom might occur if PPPoE sessions are established on a large number of subinterfaces on the interface.
201508030334
Symptom: The secondary RADIUS authentication/authorization server cannot be reconfigured if it has been deleted.
Condition: This symptom might occur if the secondary RADIUS authentication/authorization server is deleted and then reconfigured.
201506190329
Symptom: An interface on an HMIM-8GSWF module cannot communicate with the directly connected peer.
Condition: This symptom might occur if the port security mode of the interface is set to autoLearn, and the HMIM module is rebooted.
201507300171
Symptom: The router reboots unexpectedly if the RADIUS server sends a DM request to log off a user by session ID.
Condition: This symptom might occur if the RADIUS server sends a DM request to log off a user by session ID.
201505200410
Symptom: Matching packets are not assigned to the RTP queue.
Condition: This symptom might occur if the UDP port number of the packets is an odd number before byte order reversing.
201508030336
Symptom: The router reboots unexpectedly if the IPsec tunnels on the router have been forwarding traffic for a long period of time.
Condition: This symptom might occur if the IPsec tunnels on the router have been forwarding traffic for a long period of time.
201507270023
Symptom: The router chooses a dynamic address pool over a static address pool when the router processes DHCP INFORM packets sent by a client that uses an IP address in the static address pool.
Condition: This symptom might occur if the dynamic address pool contains all IP addresses of the static address pool.
201508120238
Symptom: When the router acts as a DHCP server, DHCP clients obtain IP addresses after a long delay.
Condition: This symptom might occur if the DHCP clients have errors and are moved from another network.
201508030441
Symptom: Routes configured by using the ppp ip-pool route command are lost after an IRF master/subordinate switchover.
Condition: This symptom might occur if an IRF master/subordinate switchover occurs.
201507160240
Symptom: IMC cannot display the rules of ACLs.
Condition: None.
201508130129
Symptom: The router does not prompt for LDP session reset after the LSR ID is modified, and then MPLS has status or forwarding errors.
Condition: This symptom might occur if the mpls lsr-id command is used to modify the LSR ID.
201508110265
Symptom: The FTP user is logged off after FTP finishes transferring files to the storage medium of the standby MPU.
Condition: This symptom might occur if FTP is used to transfer large files to the storage medium of the standby MPU.
201508110026
Symptom: The router reboots unexpectedly if the IPsec over L2TP tunnels on the router have been forwarding traffic for a long period of time.
Condition: This symptom might occur if the IPsec over L2TP tunnels on the router have been forwarding traffic for a long period of time.
201504210203
Symptom: A centralized IRF member router halts during reboot after its operating mode is changed from IRF to standalone.
Condition: This symptom might occur if the following operations have been performed on the router:
a. Save the configuration.
b. Shut down the IRF physical interfaces.
c. Change the operation mode from IRF to standalone after the IRF fabric splits.
201507090504
Symptom: When a PoE profile is configured, the router warns that the maximum PI power specified by using the poe max-power command is invalid even if the value is in the valid power range.
Condition: None.
201508120439
Symptom: The router reboots unexpectedly if the router is deleted from IMC.
Condition: This symptom might occur if the following conditions exist:
The router connects to IMC through a tunnel and passes portal authentication.
The router is deleted from IMC after portal authentication.
201508050381
Symptom: MAC address check on a DHCP relay agent does not take effect after DHCP is disabled.
Condition: This symptom might occur if DHCP is disabled.
201507130082
Symptom: The router reboots unexpectedly if the HMIM-2/4/8GE module is repeatedly rebooted when the module receives traffic.
Condition: This symptom might occur if the HMIM-2/4/8GE module is repeatedly rebooted when the module receives traffic.
201508180093
Symptom: Two terminals in the same 3G or 4G network cannot communicate with each other.
Condition: This symptom might occur if the terminals are assigned the same network segment but different subnet masks.
201508240276
Symptom: The router does not display the legal banner before authentication when an SSH user logs in to the router.
Condition: None.
201508240106
Symptom: Some interfaces on the HMIM-2/4/8E1T1-F module cannot come up.
Condition: None.
201507300132
Symptom: Though the fixed Ethernet interfaces of the MSR2004 router are up, they cannot receive packets.
Condition: This symptom occurs after the MSR2004 router has been operating for a certain period of time.
201507240120
Symptom: In rare cases, the fixed GE0/1 or GE0/2 interface of an MSR2004 router cannot come up, and the interface cannot receive or send packets (this occurs on a very small percentage of BCM5221 chips).
Condition: None.
201508060025
Symptom: The settings of MP-group interfaces are incompatible after an MSR router is upgraded to E0302P06 or a later version.
Condition: This symptom occurs if an MSR router is upgraded to E0302P06 or a later version.
201507080421
Symptom: The display qos policy interface command outputs incorrect statistics.
Condition: This symptom might occur if MPLS forwarding, PPP IP header compression, and QoS CBQ are enabled on PPP interfaces of the router.
201506050279
Symptom: A POS transaction fails if it has multiple interaction messages.
Condition: This symptom might occur if the following conditions exist:
POS terminal access is enabled on the router.
The background process of POS transactions requires that the messages of a transaction must have the same source TPDU.
201506030302
Symptom: Memory leakage occurs when the router is sending NetStream data packets.
Condition: This symptom might occur if NetStream is enabled on the router.
201507200403
Symptom: In the RADIUS packets that the router sends, '\000' is incorrectly added to the NAS-ID attribute.
Condition: This symptom might occur if RADIUS authentication is configured on the router.
Resolved problems in CMW710-R0304P04
201501200401
Symptom: RBAC cannot control access to the content filtering feature.
Condition: None.
201503020376
Symptom: Packets are dropped after a BGP GR process is completed.
Condition: This symptom occurs if both BFD and GR are enabled for BGP.
201507170124
Symptom: The MPLS ILM entry is not updated after the traffic processing unit is changed for an outgoing interface.
Condition: This symptom occurs if the traffic processing unit is changed for an outgoing interface.
201504190023
Symptom: The BGP process on the PE is stuck.
Condition: This symptom occurs if the following conditions exist:
There is a large number of routes and many types of traffic.
The PE runs for a long time.
201507020251
Symptom: A PW is re-created after the L2VPN process is re-optimized by using the placement reoptimize command.
Condition: This symptom occurs if split horizon is enabled for the PW.
201506300136
Symptom: An interface on the SIC-4GSW card cannot ping the directly connected interface on the same subnet after the interface is changed to a Layer 3 interface.
Condition: This symptom occurs if the following operations are performed:
a. Enable port security globally.
b. Configure port security on the interface operating as a Layer 2 interface.
c. Change the interface to a Layer 3 interface.
201505290258
Symptom: Subinterfaces cannot be created or deleted when there are more than 4000 subinterfaces on the router.
Condition: This symptom might occur if the following operations are performed:
a. Perform an active/standby switchover.
b. Restart the standby MPU.
c. Change a main interface between Layer 2 mode and Layer 3 mode.
d. Bring up and shut down the main interface.
201507170043
Symptom: A router in an MPLS network reboots unexpectedly.
Condition: This symptom occurs if the public interface of the router goes down and comes up repeatedly.
201507030323
Symptom: Memory leaks.
Condition: This symptom occurs if NETCONF is used to download files for the FileSystem node.
201506190348
Symptom: The xmlcfgd process crashes.
Condition: This symptom occurs if the xmlcfgd process is accessed through XML when there is no Envelope namespace.
201506190151
Symptom: The router does not preferentially use static address allocation when receiving a DHCP-INFORM message from a client.
Condition: This symptom occurs if the following conditions exist:
The client is bound to an IP address in a DHCP address pool.
Another DHCP address pool includes the IP address bound to the client.
201506100354
Symptom: The router configured with WAAS sends a receiving buffer size different from the set value to the peer device.
Condition: This symptom occurs if the receiving buffer size is modified.
201507020391
Symptom: The TTL of a static blacklist entry is different from the actual aging time.
Condition: This symptom occurs if the static blacklist entry is added after a master/subordinate switchover in an IRF fabric.
201505150461
Symptom: An interface cannot forward packets when it is up.
Condition: This symptom occurs if a large number of portal users come online and go offline through the interface.
201506100261
Symptom: ARP reply packets are forwarded through the trusted interface even if there is a match in the MAC address table.
Condition: This symptom occurs when ARP restricted forwarding is enabled.
201506120046
Symptom: The ToS bits in the outer IP header are not set to the same as the ToS bits in the inner header after IP packets are encapsulated with MPLS L3VPN or GRE.
Condition: This symptom occurs if IP packets are encapsulated with MPLS L3VPN or GRE.
201506230020
Symptom: A POS interface cannot forward packets that are greater than 2048 bytes.
Condition: None.
201504270304
Symptom: Only up to 256 ports can be specified in one nat server command.
Condition: None.
201503110416
Symptom: Assertion information is displayed and accounting stops when a user comes online.
Condition: This symptom occurs if the accounting quota-out redirect-url command is configured.
201411190412
Symptom: The tunnel source cannot return Packet Too Big messages for packets tunneled through an IPv6 over IPv4 tunnel.
Condition: This symptom occurs when fragmentation check is enabled for packets to be tunneled.
201503090076
Symptom: IPv4 addresses must be configured on the AFTR of a DS-Lite tunnel.
Condition: This symptom occurs when the AFTR of a DS-Lite tunnel is configured.
201507070230
Symptom: The router establishes calls slowly when using R2 signaling.
Condition: This symptom occurs if R2 signaling is used.
201505200402
Symptom: Too much log information is displayed after RTP packets are interrupted.
Condition: This symptom occurs if the network link fails after a call is established.
201505290049
Symptom: The hh3cTransceiver node does not return new information for a different transceiver module type.
Condition: This symptom occurs if the following operations are performed:
a. Replace a transceiver module.
b. Walk the hh3cTransceiver node by using a MIB browser.
201506250411
Symptom: CVE-2015-3143
Condition: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request.
Symptom: CVE-2015-3148
Condition: cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
201411190504
Symptom: The number of packets in the ADVPN session statistics is a negative value.
Condition: This symptom occurs if the router forwards traffic for a long time.
201504140088
Symptom: CVE-2015-0209
Condition: A malformed EC private key file consumed via the d2i_ECPrivateKey function could cause a use after free condition. This could lead to a DoS attack or memory corruption for applications that receive EC private keys from untrusted sources.
Symptom: CVE-2015-0286
Condition: DoS vulnerability in certificate verification operation. Any application which performs certificate verification is vulnerable including OpenSSL clients and servers which enable client authentication.
Symptom: CVE-2015-0287
Condition: Reusing a structure in ASN.1 parsing may allow an attacker to cause memory corruption via an invalid write. Applications that parse structures containing CHOICE or ANY DEFINED BY components may be affected.
Symptom: CVE-2015-0288
Condition: The function X509_to_X509_REQ will crash with a NULL pointer dereference if the certificate key is invalid.
Symptom: CVE-2015-0289
Condition: The PKCS#7 parsing code does not handle missing outer ContentInfo correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with missing content and trigger a NULL pointer dereference on parsing.
Symptom: CVE-2015-0292
Condition: A vulnerability existed in previous versions of OpenSSL related to the processing of base64 encoded data.
Symptom: CVE-2015-0293
Condition: A malicious client can trigger an OPENSSL_assert in servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message.
201505250363
Symptom: Services are interrupted for about 50 minutes after the router runs for a long time with traffic load.
Condition: This symptom might occur if the DH-Group2 algorithm is used in an IPsec VPN environment.
201507200433
Symptom: An interface on an MSR2004 router is up, but does not receive packets.
Condition: This symptom occurs if the following conditions exist:
The router runs for a long time with traffic load.
The interface is configured with multiple features.
201506240472
Symptom: Of multiple EVI tunnels, only one tunnel can forward traffic.
Condition: This symptom occurs if the following conditions exist:
The EVI tunnels have the same source IP address and the same destination IP address.
Each EVI tunnel is used for a different VLAN.
201506030356
Symptom: The feature images are not selected from the storage medium where the current boot and system images reside.
Condition: This symptom occurs if the router has multiple storage media.
201506230200
Symptom: The WAAS optimization effect is bad in per-flow load sharing mode.
Condition: None.
201507070433
Symptom: The peer port is up when the local fiber port is down.
Condition: This symptom occurs after the fiber port is changed from Layer 2 mode to Layer 3 mode.
201506250378
Symptom: An MSR3024 or MSR3044 router cannot forward 65-byte packets at wire speed when fast forwarding is enabled.
Condition: This symptom occurs if fast forwarding is enabled.
201506020161
Symptom: BGP neighbors flap after the IRF fabric is restarted.
Condition: This symptom occurs if a large number of BGP neighbors are established dynamically.
201507270061
Symptom: An aggregate interface with two or more member ports cannot ping the directly connected interface.
Condition: This symptom occurs after the aggregate interface is changed between Layer 2 mode and Layer 3 mode more than 20 times.
201507090496
Symptom: The ARP packets of one VLAN interface are sent out of a member port of another VLAN interface.
Condition: This symptom occurs if more than two VLANs exist and their VLAN interfaces are assigned IP addresses.
201504230195
Symptom: On an IRF fabric, assertion information is displayed and subordinate routers reboot when the IPv4 device is pinged from the IPv6 side.
Condition: This symptom occurs if the traffic processing unit for the AFT traffic of a VLAN interface is not on the same forwarding card as the member interfaces of the VLAN interface.
201506090049
Symptom: The FCM card behaves unexpectedly.
Condition: This symptom occurs if FCM subinterfaces are deleted through MIB.
201507070310
Symptom: The link layer protocol of a DTE interface goes down.
Condition: This symptom occurs if the clock selection mode is set to autonegotiation for the DTE interface.
201507010073
Symptom: The router reboots repeatedly after traffic statistics are cleared.
Condition: This symptom occurs if the following operations are performed:
a. Perform an active/standby switchover for HDLC interfaces that forward Layer 3 IP traffic.
b. Configure NetStream.
c. Enable the application statistics feature by using the application statistics enable command.
201411030517
Symptom: Web redirection fails for a PPPoE user.
Condition: This symptom occurs if Web redirection parameters are assigned through RADIUS.
201503110069
Symptom: The VLAN ID sent to the RADIUS server is incorrect.
Condition: This symptom occurs if a QinQ PPPoE user comes online.
201503090276
Symptom: Users of a domain cannot be displayed or forcibly logged out.
Condition: This symptom occurs if the users come online without domain information.
201503110472
Symptom: Redirection fails after a PPPoE client issues a redirection attribute.
Condition: This symptom occurs if a PPPoE client issues a redirection attribute.
201503110566
Symptom: The redirection attribute issued through a COA message does not take effect.
Condition: This symptom occurs if the redirection attribute is issued through a COA message.
201507150201
Symptom: Assertion information appears when the pppoesd process is restarted on the L2TP LNS.
Condition: This symptom occurs if a user comes online in NAS-initiated tunneling mode.
201505190435
Symptom: Some BGP peers go down and come up after the router is rebooted.
Condition: This symptom might occur if the following conditions exist:
The router is in an IRF fabric or is a distributed router in standalone mode.
The router has a large number of BGP peers.
201507200270
Symptom: An MSR1000 router reboots repeatedly.
Condition: This symptom occurs if the following operations are performed:
a. Install a SIC4SAE card into the router.
b. Send bidirectional traffic between the router and its peer device.
Resolved problems in CMW710-R0304P02
201505200131
Symptom: Voice services are interrupted during long calls.
Condition: This symptom might occur if E&M non-signaling mode and PCM pass-through are enabled.
201506290040
Symptom: On a single-MPU router, the fan speed does not increase when the CPU temperature keeps rising.
Condition: This symptom might occur if the router starts in high-temperature environments.
201505250288
Symptom: NQA TCP operations fail after the router runs for a period of time.
Condition: This symptom might occur if one of following conditions exists:
The interval between NQA probes is shorter than 10 milliseconds.
NQA operations are frequently performed over a long period of time.
201504230250
Symptom: The router displays garbled bandwidth usage-based load-sharing information for an aggregate interface.
Condition: This symptom might occur if bandwidth usage-based load-sharing is enabled on the aggregate interface.
201505250277
Symptom: OpenFlow cannot correctly send ARP packets to the SDN controller.
Condition: This symptom might occur if the following operations have been performed:
a. Save the running configuration and reboot the router.
b. Restore OpenFlow configuration by using an .mdb binary file.
201505150431
Symptom: 802.1X authentication fails.
Condition: This symptom might occur if the server issues VLAN IDs, but the length of the Tunnel-Private-Group-id attribute is not 6 bytes in RADIUS packets sent by the server.
201504230250
Symptom: Traffic forwarding is interrupted on the router.
Condition: This symptom might occur if portal users repeatedly come online and go offline over a long period of time when the router is forwarding traffic.
201506120253
Symptom: When the display qos policy interface command is executed for a VT interface configured with QoS policies, nothing is displayed or the console halts.
Condition: This symptom might occur if QoS policies are configured on the VT interface, and more than 2000 online PPPoE users exist on the interface.
201505140232
Symptom: An SD or CF card on the router is not accessible.
Condition: This symptom might occur if the SD or CF card stores more than 15000 files.
201505180304
Symptom: An IRF member router halts after a reboot if it is switched from the IRF mode to the standalone mode.
Condition: This symptom might occur if the following operations have been performed on the router:
a. Save the running configuration.
b. Shut down the IRF physical interfaces.
c. Switch the router to the standalone mode after the IRF fabric splits, and then reboot the router.
201505250207
Symptom: SIP source interface bindings do not take effect after the router reboots.
Condition: This symptom might occur if the following operations have been performed:
a. Configure SIP source interface bindings.
b. Save the running configuration and reboot the router.
201506230030
Symptom: When one of the E1 links on the router goes down, fast forwarding entries update slowly, and forwarding services are affected.
Condition: This symptom might occur if the following conditions exist:
Multiple equal-cost E1 links are configured on the router.
PPP IP header compression is enabled on the serial interfaces for the E1 links.
The router is forwarding multiple data flows.
201506080129(CVE-2015-5434)
Symptom: When an interface without MPLS enabled receives MPLS-labeled packets, the interface incorrectly forwards the MPLS-labeled packets to the next LSR by LFIB entry.
Condition: This symptom occurs when the interface does not have MPLS enabled and the interface receives MPLS-labeled packets that match the FIB entries.
Resolved problems in CMW710-R0304
201504210231
Symptom: CVE-2015-1799
Condition: Authentication doesn't protect symmetric associations against DoS attacks.
201504230275
Symptom: A router replies with a re-INVITE message with the Referred-By header field after receiving a REFER request without the Referred-By header field from a Lync server.
Condition: This symptom occurs when a Lync server sends a REFER request without the Referred-By header field to the router.
201504230289
Symptom: A called phone rings once before going on-hook.
Condition: This symptom occurs if the following conditions exist:
The calling router and called router use different codecs.
The called router connects to the called phone through a VE interface.
201505110326
Symptom: NATed packets fail to be forwarded after the original route becomes unavailable.
Condition: This symptom might occur if the interface used as the backup outgoing interface is not configured with NAT.
201505150401
Symptom: A router configured with IPsec fails to be authenticated by a Comware-V5-based peer device.
Condition: This symptom might occur if the router is configured with an IKE-based IPsec policy and the PFS feature is enabled for the IPsec policy.
Resolved problems in CMW710-E0302P06
201411280347
Symptom: When the MTU of a physical interface is configured greater than 1500 bytes, the interface still uses 1492 as the MTU.
Condition: This symptom occurs when the MTU of the physical interface bound to PPPoE is not 1500.
Workaround: For TCP applications, modify the TCP MSS on the dialer or VT interface to avoid improper packet fragmentation.
201502020298
Symptom: On an IRF fabric formed by MSR4000 routers and configured with multichassis Layer 3 aggregation, after a master/subordinate switchover, all users that log in through Selected interfaces on the rebooted router are logged out.
Condition: This symptom occurs when the IRF fabric formed by MSR4000 routers acts as the PPPoE server and the multichassis Layer 3 aggregate interface is used to respond to PPPoE login requests.
Workaround: None.
201502100609
Symptom: In an FR L2VPN with one end as an FR network and the other end as an Ethernet link, CEs cannot communicate.
Condition: This symptom occurs when one end of the FR L2VPN is an FR network and the other end is an Ethernet link.
Workaround: None.
201501290181
Symptom: When an L2VPN cross-connect is bound to a Layer 3 aggregate interface, receiving LACPDUs times out, and the aggregation group member ports flap frequently.
Condition: This symptom occurs when the L2VPN cross-connect is bound to a Layer 3 aggregate interface.
Workaround: None.
201501080118
Symptom: The VAM process reboots repeatedly.
Condition: This symptom occurs when the hub device also acts as the VAM server.
Workaround: Use a separate device as the VAM server.
201411140486
Symptom: Ping packets are lost on an eight-wire G.SHDSL.BIS EFM interface of the MSR router after the interface is shut down and then brought up.
Condition: This symptom might occur if the EFM interface is connected to a Cisco device.
201502150313
Symptom: Packet loss occurs on an interface that is configured with both policy nesting and CBQ.
Condition: This symptom might occur if the interface has been forwarding traffic at near wire rate for a long time.
201502030476
Symptom: The MSR router forwards some packets out of their incoming interface after an active/standby link switchover.
Condition: This symptom might occur if the active/standby link switchover occurs when the router is forwarding a large amount of traffic.
201502270045
Symptom: The serial communication protocol goes down and LCP packets are lost on a serial interface when it is processing bidirectional traffic during the T1 delay test.
Condition: This symptom might occur if the qos qmtoken 1 command is executed on the interface.
201503090250
Symptom: The MSR router does not update the media channel after it receives a re-INVITE message with only the c field updated.
Condition: This symptom might occur if the MSR router receives a re-INVITE message with only the c field updated.
201503160098
Symptom: CAR does not support the bandwidth percentage method.
Condition: This symptom might occur if CAR is configured by using the bandwidth percentage method.
201407180184
Symptom: A local PBR policy does not take effect when no other services are configured.
Condition: This symptom might occur if only a local PBR policy is configured on the router.
Resolved problems in CMW710-E0102
RTV7D000933
Symptom: Fragments cannot be filtered by an ACL.
Condition: This symptom occurs when the ACL rule uses the fragment keyword.
RTV7D000932
Symptom: Both routers in the VRRP group are in Master state when MD5 authentication mode is used.
Condition: This symptom occurs when MD5 authentication mode is used.
Resolved problems in CMW710-E0006P02
CM13040119
Symptom: Manufacturing tests of the device fail.
Condition: This symptom occurs during manufacturing tests of the device.
Support and other resources
Accessing Hewlett Packard Enterprise Support
For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website: www.hpe.com/assistance
To access documentation and support services, go to the Hewlett Packard Enterprise Support Center website: www.hpe.com/support/hpesc
Information to collect:
Technical support registration number (if applicable).
Product name, model or version, and serial number.
Operating system name and version.
Firmware version.
Error messages.
Product-specific reports and logs.
Add-on products or components.
Third-party products or components.
Documents
To find related documents, see the Hewlett Packard Enterprise Support Center website at http://www.hpe.com/support/hpesc.
Enter your product name or number and click Go. If necessary, select your product from the resulting list.
For a complete list of acronyms and their definitions, see HPE FlexNetwork technology acronyms.
Related documents
The following documents provide related information:
HPE FlexNetwork MSR2000 Routers Installation Guide
HPE FlexNetwork MSR3000 Routers Installation Guide
HPE FlexNetwork MSR4000 Routers Installation Guide
HPE FlexNetwork MSR2000 Routers Quick Start
HPE FlexNetwork MSR3000 Routers Quick Start
HPE FlexNetwork MSR4000 Routers Quick Start
HPE FlexNetwork MSR Router Series Interface Module Guide
HPE FlexNetwork MSR2000/3000/4000 Routers Compliance and Safety Manual
About the HPE FlexNetwork MSR Router Series Command References(V7)
HPE FlexNetwork MSR Router Series ACL and QoS Command Reference(V7)
HPE FlexNetwork MSR Router Series EVI Command Reference(V7)
HPE FlexNetwork MSR Router Series Fundamentals Command Reference(V7)
HPE FlexNetwork MSR Router Series High Availability Command Reference(V7)
HPE FlexNetwork MSR Router Series Interface Command Reference(V7)
HPE FlexNetwork MSR Router Series IP Multicast Command Reference(V7)
HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Command Reference(V7)
HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Command Reference(V7)
HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Command Reference(V7)
HPE FlexNetwork MSR Router Series Layer 3 - IP Services Command Reference(V7)
HPE FlexNetwork MSR Router Series MPLS Command Reference(V7)
HPE FlexNetwork MSR Router Series NEMO Command Reference(V7)
HPE FlexNetwork MSR Router Series Network Management and Monitoring Command Reference(V7)
HPE FlexNetwork MSR Router Series OAA Command Reference(V7)
HPE FlexNetwork MSR Router Series OpenFlow Command Reference(V7)
HPE FlexNetwork MSR Router Series Probe Command Reference(V7)
HPE FlexNetwork MSR Router Series Security Command Reference(V7)
HPE FlexNetwork MSR Router Series Virtual Technologies Command Reference(V7)
HPE FlexNetwork MSR Router Series Voice Command Reference(V7)
HPE FlexNetwork MSR Router Series WLAN Command Reference(V7)
About the HPE FlexNetwork MSR Router Series Configuration Guides(V7)
HPE FlexNetwork MSR Router Series ACL and QoS Configuration Guide(V7)
HPE FlexNetwork MSR Router Series EVI Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Fundamentals Configuration Guide(V7)
HPE FlexNetwork MSR Router Series High Availability Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Interface Configuration Guide(V7)
HPE FlexNetwork MSR Router Series IP Multicast Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Layer 2 - LAN Switching Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Layer 2 - WAN Access Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Layer 3 - IP Routing Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Layer 3 - IP Services Configuration Guide(V7)
HPE FlexNetwork MSR Router Series MPLS Configuration Guide(V7)
HPE FlexNetwork MSR Router Series NEMO Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Network Management and Monitoring Configuration Guide(V7)
HPE FlexNetwork MSR Router Series OAA Configuration Guide(V7)
HPE FlexNetwork MSR Router Series OpenFlow Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Probe Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Security Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Virtual Technologies Configuration Guide(V7)
HPE FlexNetwork MSR Router Series Voice Configuration Guide(V7)
HPE FlexNetwork MSR Router Series WLAN Configuration Guide(V7)
Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition, and publication date located on the front cover of the document. For online help content, include the product name, product version, help edition, and publication date located on the legal notices page.
Appendix A Feature list
Hardware features
Table 5 MSR1000 specifications
Item | MSR1002-4 | MSR1003-8S
Console/AUX port | 1 | 1
USB port | 1 | 1
Gigabit Ethernet port | 5 | 10
SFP port | 1 | N/A
Asynchronous/synchronous serial interface | 1 | N/A
Memory | 512 MB DDR3 | 1 GB DDR3
Flash | 256 MB | 256 MB
SIC/DSIC slot | 2 SIC slots (1 DSIC slot) | 3 SIC slots (1 DSIC slot)
Dimensions (H × W × D) (excluding rubber feet and mounting brackets) | 44.2 × 360 × 300 mm (1.74 × 14.17 × 11.81 in) | 44.2 × 360 × 300 mm (1.74 × 14.17 × 11.81 in)
AC power supply | Rated voltage range: 90 VAC to 264 VAC @ 50 Hz/60 Hz | Rated voltage range: 90 VAC to 264 VAC @ 50 Hz/60 Hz
Rated power for AC power supply | 30 W | 30 W
Operating temperature | 0°C to 45°C (32°F to 113°F) | 0°C to 45°C (32°F to 113°F)
Relative humidity (noncondensing) | 5% to 90% | 5% to 90%
Table 6 MSR2000/MSR2000 TAA specifications
Item
Console/AUX port
USB console port
USB port
GE WAN port
GE LAN port
SFP port
Memory
Flash/CF
SIC/DSIC slot
MSR2003/MSR2003T
AA
1
MSR2004-24
1
1
2
-
1
-
1
3
-
1GB DDR3
1
1GB DDR3
256MB Flash
3 SIC slots
(Slots 1 and 2 can be used for a DSIC interface module by removing the slot divider.)
256MB CF
4 SIC slots
MSR2004-48
1
3
1
-
-
1GB DDR3
256MB CF
4 SIC slots
Dimensions (H × W × D) (excluding rubber feet and mounting brackets)
AC power supply
360 mm × 305.3 mm × 44.2 mm
DC power supply
440 mm × 363.5 mm × 44.2 mm
440 mm × 403.5 mm × 44.2 mm
Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz
- -
Rated voltage range: –48 VDC to –60 VDC
Maximum power for AC/DC power supply
54 W 54 W 150 W
Operating temperature 0°C to 45°C
Relative humidity (noncondensing)
5% to 90%
Table 7 MSR3000/MSR3000 TAA specifications
Item MSR3012 MSR3024/MSR3024 TAA MSR3044 MSR3064
CON/AUX ports
USB console ports
USB ports
1
1
2
Gigabit Ethernet ports 3
SIC/DSIC slots 2 SIC slots
HMIM slots
VPM slots
1
1
Memory
DDR3
1 GB/2 GB
2
1
DDR3
2 GB
(default)
4 GB
(maximum)
4 SIC slots/2 DSIC slots
4
2
6
2
DDR3
2 GB (default)
4 GB (maximum)
CF card memory
(inside)
CF card memory
(outside)
CF card slot
Dimensions (H × W × D) (excluding rubber feet and mounting brackets)
AC power supply
DC power supply
Maximum power for AC/DC power supply
Maximum power for PoE power supply
Maximum power for each PoE port
256 MB (default)
-
0
44.2 × 440 × 484.3 mm
Rated voltage range: 100 VAC to 240 VAC @ 50 Hz/60 Hz
Rated voltage range: –48 VDC to –60 VDC
125 W 125 W 300 W 300 W
-
15.4 W
44.2 × 440 × 484.3 mm
275 W
4 GB (maximum)
1
88.1 × 440 × 480 mm
750 W
130.5 × 440 × 480 mm
750 W
RPS power supply
Power pluggable and backup
800 W
-
Operating temperature 0°C to 45°C (32°F to 113°F)
Relative humidity (noncondensing)
5% to 90%
Table 8 MSR4000 specifications
Item
MPU slot
SPU slot
HMIM slot
Dimensions (H × W × D), excluding rubber feet and mounting brackets
Power pluggable and backup
1
6
MSR4060
2
175.1 × 440 × 480 mm
N+1
Operating temperature 0°C to 45°C (32°F to 113°F)
Operating humidity
(noncondensing)
5% to 90%
Table 9 MSR4000/MSR4000 TAA MPU specifications
Item Specification
Console port 1
AUX port 1
GE management port 1
USB console port 1
USB port 1
Memory 2 GB DDR3 (default), 4 GB DDR3 (maximum)
CF card 512 MB (default), 4 GB (maximum)
CF card slot 1
Flash 8 MB
Table 10 MSR4000 SPU Specification
Item
USB port
VPM slot
SPU-100
2
2
-
Dual power
MSR4080
8
219.5 × 440 × 480 mm
N+1
SPU-200&SPU-300
Combo
SFP+ port
Applicable router model
4
0
MSR4060/MSR4080
1
Applicable MPU MPU-100
Table 11 MSR2004-24 AC power module specifications
Item Specification
Rated input voltage range 100 VAC to 240 VAC @ 50 Hz or 60 Hz
Rated power 150 W
Table 12 MSR2004-48 DC power module specifications
Item Specification
Rated input voltage range –48 VDC to –60 VDC
Rated power 150 W
Table 13 MSR3044/MSR3064/MSR4060/MSR4080 AC power module specifications
Item Specification
Model PSR300-12A1
Rated input voltage range 100 VAC to 240 VAC @ 50 Hz or 60 Hz
Max power 300 W
Table 14 MSR3044/MSR3064/MSR4060/MSR4080 DC power module specifications
Item Specification
Model PSR300-12D2
Rated input voltage range –48 VDC to –60 VDC
Max power 300 W
Table 15 MSR3044/MSR3064/MSR4060/MSR4080 PoE power module specifications
Item Specification
Model PSR750-A
Rated input voltage range 100 VAC to 240 VAC @ 50 Hz or 60 Hz
Max power 750 W
Table 16 MSR series routers module list
Module Description
SIC
Ethernet interface modules:
4-port 10/100 Mbps Ethernet L2 switching module (RJ45) (SIC-4FSW)
1-port 10/100 Mbps Ethernet electrical SIC interface module (RJ45) (SIC-1FEA)
1-port 100 Mbps Ethernet electrical SIC interface module-SIC-1FEF
4-port 10/100 Mbps Ethernet L2 switching module-PoE card(SIC-4FSW-POE)
1-port 10/100/1000BASE-T(RJ45) and 100BASE-FX/1000BASE-X(SFP,Combo)Ethernet
SIC module(RT-SIC-1GEC-V2(JG738A))
4-port 10/100/1000BASE-T Ethernet L2 switching electrical SIC interface module(RT-SIC-4GSW(JG739A))
4-port 10/100/1000BASE-T Ethernet L2 switching electrical SIC interface module-PoE(RT-SIC-4GSWP(JG740A))
4-port 100BASE-FX/1000BASE-X(SFP) Ethernet L2/L3 SIC Module-RT-SIC-4GSWF
WAN interface modules:
1-port enhanced synchronous/asynchronous serial SIC interface module (SIC-1SAE)
1-port fractional E1 SIC interface module (SIC-1E1-F-V3)
1-port E1/CE1/PRI SIC interface module (SIC-1EPRI)
1-port analog modem SIC interface module (SIC-1AM)
8-port asynchronous serial interface card (SIC-8AS)
16-port asynchronous serial interface card (SIC-16AS)
1-port ISDN BRI S/T interface card (SIC-1BS)
2-port fractional E1 interface module (SIC-2E1-F)
3G access module (RT-SIC-3G-HSPA)
CDMA 2000 1x RTT/1x EV-DO Rev.0/1x EV-DO Rev.A 3G access module (RT-SIC-3G-CDMA)
1-port ADSL over POTS SIC interface module (SIC-1ADSL)
1 port E1/CE1/PRI SIC interface module(SIC-1EPRI-V3)
4G LTE Verizon SIC module(RT-SIC-4G-LTE-V(JG742A))
4G LTE AT&T SIC module(SIC-4G-LTE-A(JG743A))
4G LTE Global SIC module(RT-SIC-4G-LTE-G(JG744A))
2-port enhanced synchronous/asynchronous serial SIC interface module(RT-SIC-2SAE(JG736A))
4-port enhanced synchronous/asynchronous serial SIC interface module(RT-SIC-4SAE(JG737A))
HPE MSR 4GLTE SIC Mod for CDMA/WCDMA (JG742B)
HPE MSR 4G LTE SIC Mod for ATT (JG743B)
HPE MSR 4GLTE SIC Mod for Global (JG744B)
HPE MSR HSPA+/WCDMA SIC Module (JG929A)
Voice interface modules:
1-port voice module subscriber circuit SIC interface module (SIC-1FXS)
2-port voice module subscriber circuit SIC interface module (SIC-2FXS)
1-port voice module FXO SIC interface module (SIC-1FXO)
2-port voice module FXO SIC interface module (SIC-2FXO)
1-channel E1 voice SIC interface module (SIC-1VE1)
1-channel T1 voice SIC interface module (SIC-1VT1)
1-port ISDN BRI S/T voice interface card (SIC-1BSV)
2-port ISDN BRI S/T voice interface card (SIC-2BSV)
2-port voice subscriber circuit & 1-port voice AT0 analog trunk interface card-SIC-2FXS1FXO
1-port E1 / T1 Voice SIC Module(JH240A)
DSIC
9-port 10/100 Mbps Ethernet L2 switching module (RJ45) (DSIC-9FSW)
4-port voice subscriber circuit & 1-port voice AT0 analog trunk interface card (DSIC-4FXS1FXO)
9-port 10/100 Mbps Ethernet L2 switching module -PoE card (DSIC-9FSW-POE)
1-port 8-wire G.SHDSL (RJ45) DSIC Module
HMIM
Ethernet interface modules:
2-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-2GEE)
4-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-4GEE)
8-port 10M/100/1000M Ethernet electrical HMIM interface module (RJ45) (HMIM-8GEE)
2-port 1000BASE-X HMIM Module (HMIM-2GEF)
4-port 1000BASE-X HMIM Module (HMIM-4GEF)
8-port 1000BASE-X HMIM Module (HMIM-8GEF)
24-port Gig-T Switch HMIM Module (HMIM-24GSW)
24-port Gig-T PoE Switch HMIM Module (HMIM-24GSW-POE)
8-port 10/100/1000BASE-T(RJ45)+2-port 100BASE-FX/1000BASE-X(SFP,Combo) Ethernet L2 switching HMIM module(RT-HMIM-8GSW(JG741A))
8-port 100BASE-FX/1000BASE-X / 4-port 1000BASE-T (Combo) L2/L3 HMIM Module (JH238A)
WAN interface modules:
2 port CE1/PRI interface module (HMIM-2E1)
4 port CE1/PRI interface module (HMIM-4E1)
8 port CE1/PRI interface module (HMIM-8E1)
4-port fractional E1 interface module (HMIM-4E1-F)
8-port fractional E1 interface module (HMIM-8E1-F)
2 port CT1/PRI interface module (HMIM-2T1)
8 port CT1/PRI interface module (HMIM-8T1)
4-port fractional T1 interface module (HMIM-4T1-F)
8-port fractional T1 interface module (HMIM-8T1-F)
1-port T3/CT3 compatible interface module (HMIM-1CT3)
1-port T3/CT3 compatible interface module (HMIM-1CE3)
2 channel enhanced synchronous/asynchronous interface module (HMIM-2SAE)
4 channel enhanced synchronous/asynchronous interface module (HMIM-4SAE)
8 channel enhanced synchronous/asynchronous interface module (HMIM-8SAE)
8 port asynchronous serial interface panel (RJ45) (HMIM-8ASE)
16 port asynchronous serial interface panel (RJ45) (HMIM-16ASE)
1-port OC-3 / STM-1 CPOS HMIM Module (HMM-1CPOS)
2-port OC-3 / STM-1 CPOS HMIM Module (HMIM-2CPOS)
1-port OC-3c / STM-1c ATM SFP HMIM Module (HMIM-ATMOC3)
8-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH169A)
4-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH170A)
2-port E1 / CE1 / T1 / CT1 / PRI HMIM Module (JH171A)
8-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH172A)
4-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH173A)
2-port E1 / Fractional E1 / T1 / Fractional T1 HMIM Module (JH174A)
Voice interface modules:
16-port voice module subscriber circuit interface board(HMIM-16FXS)
1 channel E1 voice HMIM interface module (HMIM-1VE1)
2 channel E1 voice HMIM interface module (HMIM-2VE1)
1 channel T1 voice HMIM interface module (HMIM-1VT1)
2 channel T1 voice HMIM interface module (HMIM-2VT1)
4-port voice module subscriber circuit interface board (HMIM-4FXS)
4-port voice module FXO interface module (HMIM-4FXO)
4 channel voice processing board E&M trunk interface module (HMIM-4EM)
VPM
128-channel voice processing module (RT-VPM2-128)
256-channel voice processing module (RT-VPM2-256)
512-channel voice processing module (RT-VPM2-512)
HMIM Adapter
0.5U MIM to HMIM adapter (HMIM Adapter)
1U MIM to HMIM adapter (HMIM Adapter-H)
MIM (the HMIM Adapter must be configured)
Ethernet interface modules:
1-port 10M100M Ethernet electrical MIM interface module (RJ45) (MIM-1FE)
2-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-2FE)
4-port 10M/100M Ethernet electrical MIM interface module (RJ45) (MIM-4FE)
1-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-1GBE)
2-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-2GBE)
1-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-1GEF)
2-port 1000M Ethernet electrical MIM interface module (RJ45) (MIM-2GEF)
WAN interface modules:
2 channel enhanced synchronous/asynchronous interface module (MIM-2SAE)
4 channel enhanced synchronous/asynchronous interface module (MIM-4SAE)
8 channel enhanced synchronous/asynchronous interface module (MIM-8SAE)
8 port asynchronous serial interface panel (RJ45) (MIM-8ASE)
16 port asynchronous serial interface panel (RJ45) (MIM-16ASE)
1 port CE1/PRI interface module (MIM-1E1)
2 port CE1/PRI interface module (MIM-2E1)
4 port CE1/PRI interface module (MIM-4E1)
8 port E1 interface module (75ohm) (MIM-8E1 (75))
1-port fractional E1 interface module (MIM-1E1-F)
2-port fractional E1 interface module (MIM-2E1-F)
4-port fractional E1 interface module (MIM-4E1-F)
8 port E1 interface module (75ohm) (MIM-8E1 (75)-F)
2 port CT1/PRI interface module (MIM-2T1)
8 port T1 interface module (MIM-8T1)
2-port fractional T1 interface module (MIM-2T1-F)
4-port fractional T1 interface module (MIM-4T1-F)
8-port fractional T1 interface module (MIM-8T1-F)
1-port T3/CT3 compatible interface module (MIM-1CT3-V2)
1-port T3/CT3 compatible interface module (MIM-1CE3-V2)
1-port SDH/SONET interface module (MIM-1POS-V2)
1-port dual-pair G.SHDSL interface module (MIM-1SHL-4W)
HPE MSR OAP MIM Module with VMware vSphere (JG532A)
Voice interface modules:
1 channel E1 voice MIM interface module (MIM-1VE1)
1 channel T1 voice MIM interface module (MIM-1VT1)
2 channel E1 voice MIM interface module (MIM-2VE1)
2 channel T1 voice MIM interface module (MIM-2VT1)
4-port voice module subscriber circuit interface board (MIM-4FXS)
2-port voice module FXO interface module (MIM-2FXO)
4-port voice module FXO interface module (MIM-4FXO)
8-port voice module FXS-FXO interface module (MIM-8FXS-8FXO)
4 channel voice processing board E&M trunk interface module (MIM-4EM)
4-port ISDN BRI S/T voice interface card (MIM-4BSV)
16-port voice module subscriber circuit interface board (MIM-16FXS)
Table 17 Sierra modem module and host/card compatibility matrix
HPE description | Product code | Module name
HPE MSR 4G LTE SIC Mod for Verizon | JG742A | Sierra-MC7750
HPE MSR 4G LTE SIC Mod for ATT | JG743A | Sierra-MC7700
HPE MSR 4G LTE SIC Mod for Global | JG744A | Sierra-MC7710
CAUTION:
For module support and restrictions, see HPE FlexNetwork MSR Routers Interface Configuration Guide(V7), Appendix Purchase Guide.
Software features
Table 18 MSR Series routers software features
Category
LAN protocol:
WAN protocols:
IP services
Features
ARP (proxy ARP, free ARP, authorization ARP)
Ethernet_II
Ethernet_SNAP
VLAN (PORT-BASED VLAN/MAC-BASED VLAN/VLAN-BASED PORT ISOLATE/
VOICE VLAN)
802.3x
LACP(802.3ad)
802.1p
802.1Q
802.1x
QinQ
RSTP(802.1w)
MSTP(802.1s)
GVRP
PORT MULTICAST suppression
EVI
PPP
PPPoE Client
DCC, Dialer Watch
ISDN
Modem
3G Modem
FR
Fast forwarding (unicast/multicast)
TCP
UDP
Non-IP services:
IP application
IP route
MPLS
IPv6
IP Option
IP unnumbered
Policy routing (unicast/multicast)
Netstream
Ping and Trace
DHCP Server
DHCP Client
DNS client
DNS Static
NQA
IP Accounting
NTP
Telnet
TFTP Client
FTP Client
FTP Server
Static routing management
Dynamic routing protocols:
RIP
OSPF
BGP
IS-IS
Multicast routing protocols:
IGMP
PIM-DM
PIM-SM
MBGP
MSDP
Routing policy
LDP
LSPM
MPLS TE
MPLS FW
MPLS/BGP VPN
VPLS
IPv6 basic functions
IPv6 ND
IPv6 PMTU
IPv6 FIB
IPv6 ACL
IPv6 transition technologies
NAT-PT
IPv6 tunneling
6PE, 6VPE
IPv6 routing
IPv6 static routing management
Multicast routing protocols:
AAA
Firewall
Security
Reliability
L2 QoS
Traffic supervision
Congestion management
Congestion avoidance
Traffic shaping
Other QOS technologies
MLD
PIM-DM
PIM-SM
PIM-SSM
Local authentication
Radius
HWTacacs
LDAP
ASPF
ACL
FILTER
Port security
IPSec
PORTAL
L2TP
NAT/NAPT
PKI
RSA
SSH V1.5/2.0
URPF
GRE
VRRP
Backup center
BFD
IRF
LR
Flow-based QOS Policy
Port-Based Mirroring
Packet Remarking
Priority Mapping
Port Trust Mode
Port Priority
Flow Filter
FlowControl
ACL
CAR (Committed Access Rate)
LR (Line Rate)
FIFO, PQ, CQ, WFQ, CBQ, RTPQ
WRED/RED
GTS (Generic Traffic Shaping)
MPLS QOS
IPHC
Sub-interface QOS
Voice Interfaces
Voice Signaling
SIP
Codec
Media Process
Network management
Local management
User access management
FXS
FXO
E&M
E1VI/T1VI
BSV
R2
DSS1
SIP
SIP Operation
G.711A law
G.711U law
G.723R53
G.723R63
G.729a
G.729R8
G.729bR8
RTP
SNMP V1/V2c/V3
MIB
SYSLOG
RMON
NETCONF
Command line management
License management
File system management
Auto-configure
Dual Image
Console interface login
AUX interface login
TTY interface login
Telnet (VTY) login
SSH login
FTP login
XMODEM
Appendix B Upgrading software
This section describes how to upgrade system software while the router is operating normally or when the router cannot correctly start up.
Software types
The following software types are available:
Boot ROM image—A .bin file that comprises a basic section and an extended section. The basic section is the minimum code that bootstraps the system. The extended section enables hardware initialization and provides system management menus. You can use these menus to load application software and the startup configuration file or manage files when the device cannot correctly start up.
Comware image—Includes the following image subcategories:
Boot image—A .bin file that contains the Linux operating system kernel. It provides process management, memory management, file system management, and the emergency shell.
System image—A .bin file that contains the minimum feature modules required for device operation and some basic features, including device management, interface management, configuration management, and routing. To have advanced features, you must purchase feature packages.
Feature package—Includes a set of advanced software features. Users purchase feature packages as needed.
Patch packages—Irregularly released packages for fixing bugs without rebooting the device. A patch package does not add new features or functions.
Comware software images that have been loaded are called "current software images."
Comware images specified to load at the next startup are called "startup software images."
Boot ROM image, boot image, and system image are required for the system to work. These images might be released separately or as a whole in one .ipe package file. If an .ipe file is used, the system automatically decompresses the file, loads the .bin boot and system images and sets them as startup software images.
Upgrade methods
You can upgrade system software by using one of the following methods:
Upgrade method | Remarks
Centralized devices upgrading from the CLI | You must reboot the router to complete the upgrade. This method can interrupt ongoing network services.
Distributed devices upgrading from the CLI | You must reboot the router to complete the upgrade. This method can interrupt ongoing network services. This method upgrades the router with the least amount of downtime.
Managing files from the BootWare menu | Use this method when the router cannot correctly start up.
Preparing for the upgrade
Before you upgrade system software, complete the following tasks:
Set up the upgrade environment as shown in Table 20.
Configure routes to make sure that the router and the file server can reach each other.
Run a TFTP or FTP server on the file server.
Log in to the CLI of the router through the console port.
Copy the upgrade file to the file server and correctly set the working directory on the TFTP or FTP server.
Make sure the upgrade has minimal impact on the network services. During the upgrade, the router cannot provide any services.
IMPORTANT:
In the BootWare menu, if you choose to download files over Ethernet, the Ethernet port must be GE0 on an MSR2003, MSR2004-24, MSR2004-48, MSR3012, MSR3024, MSR3044, or MSR3064 router, and must be M-GE0 on an MSR4060 or MSR4080 router.
Table 19 Storage media
Model | Storage medium | Path | Router type
MSR2003 | Flash | flash:/ | Centralized devices
MSR2004-24 | Flash | flash:/ | Centralized devices
MSR2004-48 | Flash | flash:/ | Centralized devices
MSR3012 | CF card | cfa0:/ | Centralized devices
MSR3024 | CF card | cfa0:/ | Centralized devices
MSR3044 | CF card | cfa0:/ | Centralized devices
MSR3064 | CF card | cfa0:/ | Centralized devices
MSR4060 | CF card | cfa0:/ | Distributed devices
MSR4080 | CF card | cfa0:/ | Distributed devices
Figure 1 Set up the upgrade environment
Centralized devices upgrading from the CLI
You can use the TFTP or FTP commands on the router to access the TFTP or FTP server to back up or download files.
Saving the running configuration and verifying the storage space
1. Save the running configuration.
<HPE>save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
Configuration is saved to device successfully.
<HPE>
2. Identify the system software image and configuration file names and verify that the flash has sufficient space for the new system software image.
<HPE>dir
Directory of flash:
0 drw- - Aug 15 2012 12:03:13 diagfile
1 -rw- 84 Aug 15 2012 12:17:59 ifindex.dat
2 drw- - Aug 15 2012 12:03:14 license
3 drw- - Aug 15 2012 12:03:13 logfile
4 -rw- 11418624 Dec 15 2011 09:00:00 msr2000-cmw710-boot-a0005.bin
5 -rw- 1006592 Dec 15 2011 09:00:00 msr2000-cmw710-data-a0005.bin
6 -rw- 10240 Dec 15 2011 09:00:00 msr2000-cmw710-security-a0005.bin
7 -rw- 24067072 Dec 15 2011 09:00:00 msr2000-cmw710-system-a0005.bin
8 -rw- 1180672 Dec 15 2011 09:00:00 msr2000-cmw710-voice-a0005.bin
9 drw- - Aug 15 2012 12:03:13 seclog
10 -rw- 1632 Aug 15 2012 12:18:00 startup.cfg
11 -rw- 25992 Aug 15 2012 12:18:00 startup.mdb
262144 KB total (223992 KB free)
<HPE>
Downloading the image file to the router
Using TFTP
Download the system software image file, for example, msr2000.ipe to the flash on the router.
<HPE>tftp 192.168.1.100 get msr2000.ipe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 35.9M 100 35.9M 0 0 559k 0 0:01:05 0:01:05 --:--:-- 546k
<HPE>
Using FTP
1. From FTP client view, download the system software image file (for example, msr2000.ipe) to the CF card on the router.
ftp> get msr2000.ipe
msr2000.ipe already exists. Overwrite it? [Y/N]:y
227 Entering passive mode (192,168,1,100,5,20)
125 Using existing data connection
226 Closing data connection; File transfer successful.
37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)
[ftp]
2. Return to user view.
[ftp]quit
221 Service closing control connection
<HPE>
Specifying the startup image file
1. Specify the msr2000.ipe file as the main image file at the next reboot.
<HPE>boot-loader file flash:/msr2000.ipe main
Images in IPE:
msr2000-cmw710-boot-a0005.bin
msr2000-cmw710-system-a0005.bin
msr2000-cmw710-security-a0005.bin
msr2000-cmw710-voice-a0005.bin
msr2000-cmw710-data-a0005.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to the device.
Successfully copied flash:/msr2000-cmw710-boot-a0005.bin to flash:/msr2000-cmw710-boot-a0005.bin.
Successfully copied flash:/msr2000-cmw710-system-a0005.bin to flash:/msr2000-cmw710-system-a0005.bin.
Successfully copied flash:/msr2000-cmw710-security-a0005.bin to flash:/msr2000-cmw710-security-a0005.bin.
Successfully copied flash:/msr2000-cmw710-voice-a0005.bin to flash:/msr2000-cmw710-voice-a0005.bin.
Successfully copied flash:/msr2000-cmw710-data-a0005.bin to flash:/msr2000-cmw710-data-a0005.bin.
The images that have passed all examinations will be used as the main startup software images at the next reboot on the device.
<HPE>
2. Verify that the file has been loaded.
<HPE> display boot-loader
Software images on the device:
Current software images:
flash:/msr2000-cmw710-boot-a0004.bin
flash:/msr2000-cmw710-system-a0004.bin
flash:/msr2000-cmw710-security-a0004.bin
flash:/msr2000-cmw710-voice-a0004.bin
flash:/msr2000-cmw710-data-a0004.bin
Main startup software images:
flash:/msr2000-cmw710-boot-a0005.bin
flash:/msr2000-cmw710-system-a0005.bin
flash:/msr2000-cmw710-security-a0005.bin
flash:/msr2000-cmw710-voice-a0005.bin
flash:/msr2000-cmw710-data-a0005.bin
Backup startup software images:
None
<HPE>
Rebooting and completing the upgrade
1. Reboot the router.
<HPE>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...
<HPE>
System is starting...
2. After the reboot is complete, verify that the system software image is correct.
<HPE> display version
HPE Comware Software, Version 7.1.042, Release 000702
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
HPE MSR2003 uptime is 0 weeks, 0 days, 13 hours, 23 minutes
Last reboot reason : User reboot
Boot image: flash:/msr2000-cmw710-boot-a0005.bin
Boot image version: 7.1.040, Alpha 0005
System image: flash:/msr2000-cmw710-system-a0005.bin
System image version: 7.1.040, Alpha 0005
CPU ID: 0x1
1G bytes DDR3 SDRAM Memory
2M bytes Flash Memory
PCB Version: 3.0
CPLD Version: 1.0
Basic BootWare Version: 1.04
Extended BootWare Version: 1.04
[SLOT 0]AUX (Hardware)3.0 (Driver)1.0, (Cpld)1.0
[SLOT 0]GE0/0 (Hardware)3.0 (Driver)1.0, (Cpld)1.0
[SLOT 0]GE0/1 (Hardware)3.0 (Driver)1.0, (Cpld)1.0
[SLOT 0]CELLULAR0/0 (Hardware)3.0 (Driver)1.0, (Cpld)1.0
<HPE>
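The two checks this procedure asks for by eye (enough free space before the download, and the correct images running after the reboot) can be automated from the CLI output. The following Python is an added example written for this page, not HPE code: it parses constructed samples of the dir, display boot-loader and display version output formats shown above; the sample sizes, image names and paths are constructed copies modelled on the transcripts, not captured from a device.

```python
"""Added example (not HPE code): upgrade sanity checks on Comware CLI output.

Parses the `dir`, `display boot-loader` and `display version` output formats
shown in this appendix to (1) confirm the storage medium has room for the .ipe
file before the tftp/ftp download and (2) confirm after the reboot that the
running boot and system images are the main startup images that were set.
"""
import re

# Constructed sample in the `dir` format shown above (entries trimmed).
DIR_OUTPUT = """Directory of flash:
   0 drw-         - Aug 15 2012 12:03:13   diagfile
   1 -rw-        84 Aug 15 2012 12:17:59   ifindex.dat
   4 -rw-  11418624 Dec 15 2011 09:00:00   msr2000-cmw710-boot-a0005.bin
   7 -rw-  24067072 Dec 15 2011 09:00:00   msr2000-cmw710-system-a0005.bin
  10 -rw-      1632 Aug 15 2012 12:18:00   startup.cfg

262144 KB total (223992 KB free)
"""

# Constructed sample in the `display boot-loader` format shown above,
# taken as it would look after `boot-loader file ... main` but before reboot.
BOOT_LOADER_OUTPUT = """Software images on the device:
Current software images:
  flash:/msr2000-cmw710-boot-a0004.bin
  flash:/msr2000-cmw710-system-a0004.bin
Main startup software images:
  flash:/msr2000-cmw710-boot-a0005.bin
  flash:/msr2000-cmw710-system-a0005.bin
Backup startup software images:
  None
"""

# Constructed `display version` excerpts: one after a successful reboot and
# one where the router still runs the previous images.
VERSION_OK = """Boot image: flash:/msr2000-cmw710-boot-a0005.bin
Boot image version: 7.1.040, Alpha 0005
System image: flash:/msr2000-cmw710-system-a0005.bin
System image version: 7.1.040, Alpha 0005
"""
VERSION_STALE = VERSION_OK.replace("a0005", "a0004")

# One `dir` entry: index, -rw-, size, "Mon DD YYYY HH:MM:SS", name.
_DIR_FILE = re.compile(
    r"^\s*\d+\s+-rw-\s+(\d+)\s+[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$")
_DIR_FREE = re.compile(r"(\d+) KB total \((\d+) KB free\)")


def parse_dir(text):
    """Return (free_kib, {file name: size in bytes}) from `dir` output."""
    m = _DIR_FREE.search(text)
    if m is None:
        raise ValueError("no 'KB total (... KB free)' line in dir output")
    files = {}
    for line in text.splitlines():
        fm = _DIR_FILE.match(line)
        if fm:  # directories ("drw-", size "-") are skipped on purpose
            files[fm.group(2)] = int(fm.group(1))
    return int(m.group(2)), files


def ipe_fits(dir_text, ipe_bytes):
    """True if an .ipe file of ipe_bytes fits in the free space `dir` reports."""
    free_kib, _ = parse_dir(dir_text)
    return ipe_bytes <= free_kib * 1024


def parse_boot_loader(text):
    """Return {'current': [...], 'main startup': [...], 'backup startup': [...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(" software images:"):
            current = s[: -len(" software images:")].lower()
            sections[current] = []
        elif current is not None and s and s != "None":
            sections[current].append(s)
    return sections


def parse_version(text):
    """Return {'Boot': path, 'System': path} from `display version` output."""
    return dict(re.findall(r"^(Boot|System) image: (\S+)", text, re.M))


def verify_upgrade(boot_loader_text, version_text):
    """List the running images that are not main startup images (empty = OK)."""
    main = set(parse_boot_loader(boot_loader_text).get("main startup", []))
    return [f"{kind} image {path} is not a main startup image"
            for kind, path in parse_version(version_text).items()
            if path not in main]


if __name__ == "__main__":
    print("IPE fits:", ipe_fits(DIR_OUTPUT, 37691392))
    print("after reboot:", verify_upgrade(BOOT_LOADER_OUTPUT, VERSION_OK) or "OK")
    print("stale images:", verify_upgrade(BOOT_LOADER_OUTPUT, VERSION_STALE))
```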
Distributed devices upgrading from the CLI
You can use the TFTP or FTP commands on the router to access the TFTP or FTP server to back up or download files.
Display the slot number of the active MPU
Perform the display device command in any view to display the slot number of the active MPU. By default, the standby MPU automatically synchronizes the image files from the active MPU.
<HPE>display device
Slot No. Board Type Status Primary SubSlots
-----------------------------------------------------------------------------
0 MPU-100 Normal Master 0
1 MPU-100 Normal Standby 0
2 SPU-100 Normal N/A 10
<HPE>
Save the current configuration and verify the storage space
1. Perform the save command in any view to save the current configuration.
<HPE>save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
Configuration is saved to device successfully.
<HPE>
2. Perform the dir command in user view to identify the system software image and configuration file names and verify that the CF card has sufficient space for the new system software image.
<HPE>dir
Directory of cfa0:
0 drw- - Jan 07 2013 14:02:12 diagfile
1 -rw- 307 Jan 22 2013 17:02:02 ifindex.dat
2 drw- - Jan 07 2013 14:02:12 license
3 drw- - Jan 22 2013 13:42:00 logfile
4 -rw- 21412864 Jan 22 2013 16:49:00 MSR4000-cmw710-boot-r0005p01.bin
5 -rw- 1123328 Jan 22 2013 16:50:30 MSR4000-cmw710-data-r0005p01.bin
6 -rw- 11264 Jan 22 2013 16:50:26 MSR4000-cmw710-security-r0005p01.bin
7 -rw- 45056000 Jan 22 2013 16:49:34 MSR4000-cmw710-system-r0005p01.bin
8 -rw- 2746368 Jan 22 2013 16:50:26 MSR4000-cmw710-voice-r0005p01.bin
9 drw- - Jan 07 2013 14:02:12 seclog
10 -rw- 2166 Jan 22 2013 17:02:02 startup.cfg
11 -rw- 34425 Jan 22 2013 17:02:02 startup.mdb
507492 KB total (438688 KB free)
<HPE>
Download the image file to the router
Using TFTP
Perform the tftp get command in user view to download the system software image file, for example, msr4000.ipe to the CF card on the router.
<HPE>tftp 192.168.1.100 get msr4000.ipe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
45 67.0M 45 30.4M 0 0 792k 0 0:01:26 0:00:39 0:00:47 844k
100 67.0M 100 67.0M 0 0 772k 0 0:01:28 0:01:28 --:--:-- 745k
<HPE>
Using FTP
1. Perform the get command in FTP client view to download the system software image file msr4000.ipe to the CF card on the router.
ftp> get msr4000.ipe
msr4000.ipe already exists. Overwrite it? [Y/N]:y
227 Entering passive mode (192,168,1,100,5,20)
125 Using existing data connection
226 Closing data connection; File transfer successful.
37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)
[ftp]
2. Perform the quit command in FTP client view to return to user view.
[ftp]quit
221 Service closing control connection
<HPE>
Copy the image file to CF card root directory of the standby MPU
<HPE> copy msr4000.ipe slot1#cfa0:/
Copy cfa0:/msr4000.ipe to slot1#cfa0:/msr4000.ipe?[Y/N]:y
Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done.
Specifying the startup image file
1. Perform the boot-loader command in user view to specify the msr4000.ipe file as the main image file for the active MPU on slot 0 at the next reboot.
<HPE>boot-loader file flash:/msr4000.ipe slot 0 main
Images in IPE:
msr4000-cmw710-boot-a0005.bin
msr4000-cmw710-system-a0005.bin
msr4000-cmw710-security-a0005.bin
msr4000-cmw710-voice-a0005.bin
msr4000-cmw710-data-a0005.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to the device.
Successfully copied flash:/msr4000-cmw710-boot-a0005.bin to cfa0:/msr4000-cmw710-boot-a0005.bin.
Successfully copied flash:/msr4000-cmw710-system-a0005.bin to cfa0:/msr4000-cmw710-system-a0005.bin.
Successfully copied flash:/msr4000-cmw710-security-a0005.bin to cfa0:/msr4000-cmw710-security-a0005.bin.
Successfully copied flash:/msr4000-cmw710-voice-a0005.bin to cfa0:/msr4000-cmw710-voice-a0005.bin.
Successfully copied flash:/msr4000-cmw710-data-a0005.bin to cfa0:/msr4000-cmw710-data-a0005.bin.
The images that have passed all examinations will be used as the main startup software images at the next reboot on the device.
<HPE>
2. Perform the boot-loader command in user view to specify the msr4000.ipe file as the main image file for the standby MPU on slot 1 at the next reboot.
<HPE>boot-loader file flash:/msr4000.ipe slot 1 main
Images in IPE:
msr4000-cmw710-boot-a0005.bin
msr4000-cmw710-system-a0005.bin
msr4000-cmw710-security-a0005.bin
msr4000-cmw710-voice-a0005.bin
msr4000-cmw710-data-a0005.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to the device.
Successfully copied flash:/msr4000-cmw710-boot-a0005.bin to cfa0:/msr4000-cmw710-boot-a0005.bin.
Successfully copied flash:/msr4000-cmw710-system-a0005.bin to cfa0:/msr4000-cmw710-system-a0005.bin.
Successfully copied flash:/msr4000-cmw710-security-a0005.bin to cfa0:/msr4000-cmw710-security-a0005.bin.
Successfully copied flash:/msr4000-cmw710-voice-a0005.bin to cfa0:/msr4000-cmw710-voice-a0005.bin.
Successfully copied flash:/msr4000-cmw710-data-a0005.bin to cfa0:/msr4000-cmw710-data-a0005.bin.
The images that have passed all examinations will be used as the main startup software images at the next reboot on the device.
<HPE>
3. Perform the display boot-loader command in user view to verify that the file has been loaded.
<HPE> display boot-loader
Software images on slot 0:
Current software images:
cfa0:/MSR4000-cmw710-boot-a0004.bin
cfa0:/MSR4000-cmw710-system-a0004.bin
cfa0:/MSR4000-cmw710-security-a0004.bin
cfa0:/MSR4000-cmw710-voice-a0004.bin
cfa0:/MSR4000-cmw710-data-a0004.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-a0005.bin
cfa0:/MSR4000-cmw710-system-a0005.bin
cfa0:/MSR4000-cmw710-security-a0005.bin
cfa0:/MSR4000-cmw710-voice-a0005.bin
cfa0:/MSR4000-cmw710-data-a0005.bin
Backup startup software images:
None
Software images on slot 1:
Current software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Backup startup software images:
None
Rebooting and completing the upgrade
1. Perform the reboot command in user view to reboot the router.
<HPE>reboot
Start to check configuration with next startup configuration file, please wait.........DONE!
This command will reboot the device. Continue? [Y/N]:y
Now rebooting, please wait...
<HPE>
System is starting..
2. After the reboot is complete, perform the display version command to verify that the system software image is correct.
<HPE> display version
HPE Comware Software, Version 7.1.042, Release 000702
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
HPE MSR4060 uptime is 0 weeks, 0 days, 11 hours, 49 minutes
Last reboot reason : Power on
Boot image: cfa0:/MSR4000-cmw710-boot-a0005.bin
Boot image version: 7.1.040, Alpha 0005
System image: cfa0:/MSR4000-cmw710-system-a0005.bin
System image version: 7.1.040, Alpha 0005
Feature image(s) list:
cfa0:/MSR4000-cmw710-security-a0005.bin, version: 7.1.040
cfa0:/MSR4000-cmw710-voice-a0005.bin, version: 7.1.040
cfa0:/MSR4000-cmw710-data-a0005.bin, version: 7.1.040
Slot 0: MPU-100 uptime is 0 week, 0 day, 1 hour, 20 minutes
Last reboot reason : Power on
CPU ID: 0x3
2G bytes DDR3 SDRAM Memory
8M bytes Flash Memory
PCB Version: 2.0
CPLD Version: 1.0
Basic BootWare Version: 1.04
Extended BootWare Version: 1.04
[SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
Slot 1: MPU-100 uptime is 0 week, 0 day, 1 hour, 8 minutes
Last reboot reason : User reboot
CPU ID: 0x3
2G bytes DDR3 SDRAM Memory
8M bytes Flash Memory
PCB Version: 2.0
CPLD Version: 1.0
Basic BootWare Version: 1.05
Extended BootWare Version: 1.05
[SUBSLOT 0]CON (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]AUX (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]MGE0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
Slot 2: SPU-100 uptime is 0 week, 0 day, 1 hour, 19 minutes
Last reboot reason : Power on
CPU ID: 0x5
2G bytes DDR3 SDRAM Memory
8M bytes Flash Memory
PCB Version: 2.0
CPLD Version: 1.0
Basic BootWare Version: 1.02
Extended BootWare Version: 1.02
[SUBSLOT 0]GE2/0/0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]GE2/0/1 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]GE2/0/2 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]GE2/0/3 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]CELLULAR2/0/0 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 0]CELLULAR2/0/1 (Hardware)2.0 (Driver)1.0, (Cpld)1.0
[SUBSLOT 1]HMIM-4SAE (Hardware)3.0 (Driver)1.0, (Cpld)4.0
Distributed devices ISSU
The In-Service Software Upgrade (ISSU) function enables software upgrade with the least amount of downtime.
To implement ISSU of a distributed device, use these guidelines:
Make sure the device has two MPUs.
Upgrade the standby MPU first to form a new forwarding plane and a new control plane.
Upgrade the active MPU after the standby MPU operates correctly. The standby MPU will synchronize data and configuration from the active MPU and take over the forwarding and control functions.
Disabling the standby MPU auto-update function
When you upgrade the active MPU of a dual-MPU distributed device, the standby MPU auto-update function automatically upgrades the standby MPU by default. To use ISSU, you must disable the function.
To disable the standby MPU auto-update function:
1. View the roles of the MPUs.
<HPE>display device
Slot No. Board Type Status Primary SubSlots
-----------------------------------------------------------------------------
0 MPU-100 Normal Master 0
1 MPU-100 Normal Standby 0
2 SPU-100 Normal N/A 10
<HPE>
The output shows that the MPU in slot 0 is the active MPU.
2. Disable the standby MPU auto-update function.
<HPE>system-view
[Sysname]version check ignore
[Sysname]undo version auto-update enable
Saving the running configuration and verifying the storage space
1. Save the running configuration.
<HPE>save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
Validating file. Please wait...
Configuration is saved to device successfully.
<HPE>
2. Check the storage space.
<HPE>dir
Directory of cfa0:
0 drw- - Jan 07 2014 14:02:12 diagfile
1 -rw- 307 Jan 22 2014 17:02:02 ifindex.dat
2 drw- - Jan 07 2014 14:02:12 license
3 drw- - Jan 22 2014 13:42:00 logfile
4 -rw- 20050944 Jan 10 2014 09:06:48 msr4000-cmw710-boot-e010204.bin
5 -rw- 2001920 Jan 10 2014 09:08:28 msr4000-cmw710-data-e010204.bin
6 -rw- 11264 Jan 10 2014 09:08:18 msr4000-cmw710-security-e010204.bin
7 -rw- 61538304 Jan 10 2014 09:07:36 msr4000-cmw710-system-e010204.bin
8 -rw- 3232768 Jan 10 2014 09:08:22 msr4000-cmw710-voice-e010204.bin
9 drw- - Jan 07 2014 14:02:12 seclog
10 -rw- 2166 Jan 22 2014 17:02:02 startup.cfg
11 -rw- 34425 Jan 22 2014 17:02:02 startup.mdb
507492 KB total (438688 KB free)
<HPE>
The output shows that the CF card has 438688 KB of free storage space. If the free space on the CF card is not sufficient for the upgrade image, delete unused files.
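The storage check in this step (and the same dir step in the CLI upgrade procedure above) is done by eye. The following Python script is an added example, not part of the HPE release notes or of Comware: it parses dir output of the shape shown above, reads the free space from the summary line, and checks whether the card can hold the .ipe file plus the images that the boot-loader command extracts from it. The sample output and the byte sizes are constructed from the transcript above; because the sizes of the new images are not known until extraction, the script uses the sizes of the .bin images already on the card as the estimate, and it conservatively assumes the .ipe file stays on the card after extraction.

```python
import re

# Constructed sample: the same layout as the `dir` output in the release notes,
# trimmed to the entries needed for the check.
SAMPLE_DIR = """\
Directory of cfa0:

   0 drw-           - Jan 07 2014 14:02:12   diagfile
   1 -rw-         307 Jan 22 2014 17:02:02   ifindex.dat
   4 -rw-    20050944 Jan 10 2014 09:06:48   msr4000-cmw710-boot-e010204.bin
   5 -rw-     2001920 Jan 10 2014 09:08:28   msr4000-cmw710-data-e010204.bin
   6 -rw-       11264 Jan 10 2014 09:08:18   msr4000-cmw710-security-e010204.bin
   7 -rw-    61538304 Jan 10 2014 09:07:36   msr4000-cmw710-system-e010204.bin
   8 -rw-     3232768 Jan 10 2014 09:08:22   msr4000-cmw710-voice-e010204.bin
  10 -rw-        2166 Jan 22 2014 17:02:02   startup.cfg

507492 KB total (438688 KB free)
"""

# One directory entry: index, attributes, size (or "-" for directories),
# timestamp, name. Whitespace is flexible so single-spaced copies also parse.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([-d]rw-)\s+(\d+|-)\s+"
    r"(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
SUMMARY_RE = re.compile(r"(\d+) KB total \((\d+) KB free\)")


def parse_dir(text):
    """Return (entries, total_kb, free_kb).

    entries is a list of (name, size_bytes, is_dir); directories get size 0.
    total_kb/free_kb are None if the summary line is missing."""
    entries = []
    total = free = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            is_dir = m.group(2).startswith("d")
            size = 0 if m.group(3) == "-" else int(m.group(3))
            entries.append((m.group(5), size, is_dir))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
    return entries, total, free


def bin_file_bytes(entries):
    """Total size of the .bin images on the card: the estimate for the new set."""
    return sum(size for name, size, is_dir in entries
               if not is_dir and name.lower().endswith(".bin"))


def space_check(dir_text, ipe_bytes, image_bytes=None):
    """Compare the free space against the .ipe plus the extracted images.

    ipe_bytes is the size of the .ipe to download (37691392 in the transcript).
    image_bytes defaults to the size of the installed .bin images."""
    entries, total, free = parse_dir(dir_text)
    if free is None:
        raise ValueError("no 'KB total (... KB free)' summary line in dir output")
    if image_bytes is None:
        image_bytes = bin_file_bytes(entries)
    need_kb = -(-(ipe_bytes + image_bytes) // 1024)  # ceiling division
    shortfall_kb = max(0, need_kb - free)
    return {
        "free_kb": free,
        "need_kb": need_kb,
        "shortfall_kb": shortfall_kb,
        "ok": shortfall_kb == 0,
    }


if __name__ == "__main__":
    print(space_check(SAMPLE_DIR, ipe_bytes=37691392))
```

Run it against a pasted dir listing before starting the download; a non-zero shortfall_kb tells you how much to free by deleting unused files, as the step above advises.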
Downloading the upgrade image file to the router
Using TFTP
Download the upgrade image file (for example, msr4000.ipe) to the CF card on the router.
<HPE>tftp 192.168.1.100 get msr4000.ipe
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
45 67.0M 45 30.4M 0 0 792k 0 0:01:26 0:00:39 0:00:47 844k
100 67.0M 100 67.0M 0 0 772k 0 0:01:28 0:01:28 --:--:-- 745k
<HPE>
Using FTP
1. From FTP client view, download the upgrade image file (for example, msr4000.ipe) to the CF card on the router.
ftp> get msr4000.ipe
msr4000.ipe already exists. Overwrite it? [Y/N]:y
227 Entering passive mode (192,168,1,100,5,20)
125 Using existing data connection
226 Closing data connection; File transfer successful.
37691392 bytes received in 17.7 seconds (2.03 Mbyte/s)
[ftp]
2. Return to user view.
[ftp]quit
221 Service closing control connection
<HPE>
Copying the image file to the root directory of the CF card on the standby MPU
<HPE> copy msr4000.ipe slot1#cfa0:/
Copy cfa0:/msr4000.ipe to slot1#cfa0:/msr4000.ipe?[Y/N]:y
Copying file cfa0:/msr4000.ipe to slot1#cfa0:/ msr4000.ipe...Done.
Upgrading the standby MPU
1. Specify the msr4000.ipe file as the main startup image file for the standby MPU.
<HPE>boot-loader file msr4000.ipe slot 1 main
Verifying the IPE file and the images......Done.
HPE MSR4060 images in IPE:
msr4000-cmw710-boot-e010305.bin
msr4000-cmw710-system-e010305.bin
msr4000-cmw710-security-e010305.bin
msr4000-cmw710-voice-e010305.bin
msr4000-cmw710-data-e010305.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to slot 1.
Decompressing file msr4000-cmw710-boot-e010305.bin to slot1#cfa0:/msr4000-cmw710-boot-e010305.bin...............Done.
Decompressing file msr4000-cmw710-system-e010305.bin to slot1#cfa0:/msr4000-cmw710-system-e010305.bin...............................................Done.
Decompressing file msr4000-cmw710-security-e010305.bin to slot1#cfa0:/msr4000-cmw710-security-e010305.bin...Done.
Decompressing file msr4000-cmw710-voice-e010305.bin to slot1#cfa0:/msr4000-cmw710-voice-e010305.bin....Done.
Decompressing file msr4000-cmw710-data-e010305.bin to slot1#cfa0:/msr4000-cmw710-data-e010305.bin...Done.
The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 1.
2. Reboot the standby MPU.
<HPE>reboot slot 1
This command will reboot the specified slot, Continue? [Y/N]:y
Now rebooting, please wait...
3. After the standby MPU starts up, verify the startup image files.
<HPE>display boot-loader
Software images on slot 0:
Current software images:
cfa0:/msr4000-cmw710-boot-e010204.bin
cfa0:/msr4000-cmw710-system-e010204.bin
cfa0:/msr4000-cmw710-security-e010204.bin
cfa0:/msr4000-cmw710-voice-e010204.bin
cfa0:/msr4000-cmw710-data-e010204.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010204.bin
cfa0:/msr4000-cmw710-system-e010204.bin
cfa0:/msr4000-cmw710-security-e010204.bin
cfa0:/msr4000-cmw710-voice-e010204.bin
cfa0:/msr4000-cmw710-data-e010204.bin
Backup startup software images:
cfa0:/msr4000-cmw710-boot-e010203.bin
cfa0:/msr4000-cmw710-system-e010203.bin
cfa0:/msr4000-cmw710-security-e010203.bin
cfa0:/msr4000-cmw710-voice-e010203.bin
cfa0:/msr4000-cmw710-data-e010203.bin
Software images on slot 1:
Current software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Backup startup software images:
cfa0:/msr4000-cmw710-boot-e010203.bin
cfa0:/msr4000-cmw710-system-e010203.bin
cfa0:/msr4000-cmw710-security-e010203.bin
cfa0:/msr4000-cmw710-voice-e010203.bin
cfa0:/msr4000-cmw710-data-e010203.bin
The output shows that the standby MPU is running the new images.
Upgrading the active MPU
1. Specify the msr4000.ipe file as the main startup image file for the active MPU.
<HPE>boot-loader file msr4000.ipe slot 0 main
Verifying the IPE file and the images......Done.
HPE MSR4060 images in IPE:
msr4000-cmw710-boot-e010305.bin
msr4000-cmw710-system-e010305.bin
msr4000-cmw710-security-e010305.bin
msr4000-cmw710-voice-e010305.bin
msr4000-cmw710-data-e010305.bin
This command will set the main startup software images. Continue? [Y/N]:y
Add images to slot 0.
Decompressing file msr4000-cmw710-boot-e010305.bin to cfa0:/msr4000-cmw710-boot-e010305.bin...............Done.
Decompressing file msr4000-cmw710-system-e010305.bin to cfa0:/msr4000-cmw710-system-e010305.bin..............................................Done.
Decompressing file msr4000-cmw710-security-e010305.bin to cfa0:/msr4000-cmw710-security-e010305.bin...Done.
Decompressing file msr4000-cmw710-voice-e010305.bin to cfa0:/msr4000-cmw710-voice-e010305.bin....Done.
Decompressing file msr4000-cmw710-data-e010305.bin to cfa0:/msr4000-cmw710-data-e010305.bin...Done.
The images that have passed all examinations will be used as the main startup software images at the next reboot on slot 0.
2. Reboot the active MPU.
<HPE>reboot slot 0
This command will reboot the specified slot, Continue? [Y/N]:y
Now rebooting, please wait...
The standby MPU takes over the forwarding and controlling functions before the active MPU reboots.
3. After the active MPU starts up, verify the startup image files.
<HPE>display boot-loader
Software images on slot 0:
Current software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Backup startup software images:
cfa0:/msr4000-cmw710-boot-e010203.bin
cfa0:/msr4000-cmw710-system-e010203.bin
cfa0:/msr4000-cmw710-security-e010203.bin
cfa0:/msr4000-cmw710-voice-e010203.bin
cfa0:/msr4000-cmw710-data-e010203.bin
Software images on slot 1:
Current software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Backup startup software images:
cfa0:/msr4000-cmw710-boot-e010203.bin
cfa0:/msr4000-cmw710-system-e010203.bin
cfa0:/msr4000-cmw710-security-e010203.bin
cfa0:/msr4000-cmw710-voice-e010203.bin
cfa0:/msr4000-cmw710-data-e010203.bin
4. Perform the display boot-loader command in user view to verify that the file has been loaded.
<HPE> display boot-loader
Software images on slot 0:
Current software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-a0005.bin
cfa0:/MSR4000-cmw710-system-a0005.bin
cfa0:/MSR4000-cmw710-security-a0005.bin
cfa0:/MSR4000-cmw710-voice-a0005.bin
cfa0:/MSR4000-cmw710-data-a0005.bin
Backup startup software images:
None
Software images on slot 1:
Current software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Main startup software images:
cfa0:/MSR4000-cmw710-boot-r0005p01.bin
cfa0:/MSR4000-cmw710-system-r0005p01.bin
cfa0:/MSR4000-cmw710-security-r0005p01.bin
cfa0:/MSR4000-cmw710-voice-r0005p01.bin
cfa0:/MSR4000-cmw710-data-r0005p01.bin
Backup startup software images:
None
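The verification steps in this ISSU procedure rely on reading display boot-loader output by eye for each slot. The following Python script is an added example, not part of the HPE release notes or of Comware: it parses output of the shape shown above for every slot and reports a slot whose main startup image set is missing one of the five images, mixes versions, is not at the version just installed, or differs from the images currently running (which means that slot has not yet rebooted onto the new set). The sample output is constructed to match the state after the standby MPU in slot 1 has been upgraded but before the active MPU in slot 0 has; the version label e010305 is taken from the transcript.

```python
import re

# Constructed sample in the layout of the document's display boot-loader output:
# slot 1 (standby) already runs the new images, slot 0 (active) is still on the old ones.
SAMPLE_OUTPUT = """\
Software images on slot 0:
Current software images:
cfa0:/msr4000-cmw710-boot-e010204.bin
cfa0:/msr4000-cmw710-system-e010204.bin
cfa0:/msr4000-cmw710-security-e010204.bin
cfa0:/msr4000-cmw710-voice-e010204.bin
cfa0:/msr4000-cmw710-data-e010204.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010204.bin
cfa0:/msr4000-cmw710-system-e010204.bin
cfa0:/msr4000-cmw710-security-e010204.bin
cfa0:/msr4000-cmw710-voice-e010204.bin
cfa0:/msr4000-cmw710-data-e010204.bin
Backup startup software images:
None
Software images on slot 1:
Current software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Main startup software images:
cfa0:/msr4000-cmw710-boot-e010305.bin
cfa0:/msr4000-cmw710-system-e010305.bin
cfa0:/msr4000-cmw710-security-e010305.bin
cfa0:/msr4000-cmw710-voice-e010305.bin
cfa0:/msr4000-cmw710-data-e010305.bin
Backup startup software images:
None
"""

# The five images every MSR4000 image set on this page consists of.
REQUIRED = ("boot", "system", "security", "voice", "data")
# "<prefix>-<kind>-<version>.bin": the kind and version labels are all we need.
IMAGE_RE = re.compile(r"-(boot|system|security|voice|data)-([A-Za-z0-9]+)\.bin$", re.IGNORECASE)
SLOT_RE = re.compile(r"^Software images on slot (\d+):$")


def parse_boot_loader(text):
    """Return {slot: {"current": {kind: version}, "main": {...}, "backup": {...}}}."""
    slots = {}
    slot = section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            slots[slot] = {"current": {}, "main": {}, "backup": {}}
            section = None
        elif line.startswith("Current software images"):
            section = "current"
        elif line.startswith("Main startup software images"):
            section = "main"
        elif line.startswith("Backup startup software images"):
            section = "backup"
        elif slot is not None and section is not None:
            m = IMAGE_RE.search(line)      # "None" and blank lines simply do not match
            if m:
                slots[slot][section][m.group(1).lower()] = m.group(2)
    return slots


def image_set_findings(images, expected=None):
    """Problems with one image set: missing kinds, mixed versions, wrong version."""
    findings = []
    missing = [k for k in REQUIRED if k not in images]
    if missing:
        findings.append("missing images: " + ", ".join(missing))
    versions = sorted(set(images.values()))
    if len(versions) > 1:
        findings.append("mixed versions: " + ", ".join(versions))
    if expected is not None and versions and versions != [expected]:
        findings.append(f"version {'/'.join(versions)} is not the expected {expected}")
    return findings


def check_slots(text, expected):
    """{slot: [findings]}; an empty list means the slot's main startup set is
    complete, consistent, at the expected version, and already running."""
    result = {}
    for slot, sets in parse_boot_loader(text).items():
        findings = image_set_findings(sets["main"], expected)
        if sets["current"] != sets["main"]:
            findings.append("current images differ from main startup images (reboot pending)")
        result[slot] = findings
    return result


def upgrade_complete(text, expected):
    """True only when every slot passes check_slots with no findings."""
    return all(not f for f in check_slots(text, expected).values())


if __name__ == "__main__":
    for slot, findings in sorted(check_slots(SAMPLE_OUTPUT, "e010305").items()):
        print(f"slot {slot}: {'OK' if not findings else '; '.join(findings)}")
```

Run it once after each reboot in the procedure: after step 3 of "Upgrading the standby MPU" only slot 1 should be clean, and after step 3 of "Upgrading the active MPU" upgrade_complete should return True before you re-enable the auto-update function or move on.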
Upgrading from the BootWare menu
You can use the following methods to upgrade software from the BootWare menu:
Using TFTP/FTP to upgrade software through an Ethernet port
Using XMODEM to upgrade software through the console port
Accessing the BootWare menu
1. Power on the router (for example, an HPE MSR 2003 router). The following information appears:
System is starting...
Press Ctrl+D to access BASIC-BOOTWARE MENU...
Booting Normal Extended BootWare
The Extended BootWare is self-decompressing....Done.
****************************************************************************
* *
* HPE MSR2003 BootWare, Version 1.20 *
* *
****************************************************************************
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
Compiled Date : Jun 22 2013
CPU ID : 0x1
Memory Type : DDR3 SDRAM
Memory Size : 1024MB
Flash Size : 2MB
Nand Flash size : 256MB
CPLD Version : 2.0
PCB Version : 3.0
BootWare Validating...
Press Ctrl+B to access EXTENDED-BOOTWARE MENU...
2. Press Ctrl + B to access the BootWare menu.
Password recovery capability is enabled.
Note: The current operating device is flash
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip authentication for console login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9):
Table 20 BootWare menu options
<1> Boot System: Boot the system software image.
<2> Enter Serial SubMenu: Access the Serial submenu (see Table 23) for upgrading system software through the console port or changing the serial port settings.
<3> Enter Ethernet SubMenu: Access the Ethernet submenu (see Table 21) for upgrading system software through an Ethernet port or changing Ethernet settings.
<4> File Control: Access the File Control submenu (see Table 24) to retrieve and manage the files stored on the router.
<5> Restore to Factory Default Configuration: Delete the next-startup configuration files and load the factory-default configuration.
<6> Skip Current System Configuration: Start the router with the factory default configuration. This is a one-time operation and does not take effect at the next reboot. You use this option when you forget the console login password.
<7> BootWare Operation Menu: Access the BootWare Operation menu for backing up, restoring, or upgrading BootWare. When you upgrade the system software image, BootWare is automatically upgraded. HPE does not recommend upgrading BootWare separately. This document does not cover using the BootWare Operation menu.
<8> Skip authentication for console login: Clear all the authentication schemes on the console port.
<9> Storage Device Operation: Access the Storage Device Operation menu to manage storage devices. Using this option is beyond this chapter.
<0> Reboot: Restart the router.
Using TFTP/FTP to upgrade software through an Ethernet port
1. Enter 3 in the BootWare menu to access the Ethernet submenu.
===============================<File CONTROL>===============================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Ethernet Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-4):
Table 21 Ethernet submenu options
<1> Download Application Program To SDRAM And Run: Download a system software image to the SDRAM and run the image.
<2> Update Main Image File: Upgrade the main system software image.
<3> Update Backup Image File: Upgrade the backup system software image.
<4> Download Files(*.*): Download a system software image to the Flash or CF card.
<5> Modify Ethernet Parameter: Modify network settings.
<0> Exit To Main Menu: Return to the BootWare menu.
2. Enter 5 to configure the network settings.
=========================<ETHERNET PARAMETER SET>=========================
|Note: '.' = Clear field. |
| '-' = Go to previous field. |
| Ctrl+D = Quit. |
==========================================================================
Protocol (FTP or TFTP) :ftp
Load File Name :msr2000.ipe
:
Target File Name :msr2000.ipe
:
Server IP Address :192.168.1.1
Local IP Address :192.168.1.100
Subnet Mask :255.255.255.0
Gateway IP Address :0.0.0.0
FTP User Name :user001
FTP User Password :********
Table 22 Network parameter fields and shortcut keys
'.' = Clear field: Press a dot (.) and then Enter to clear the setting for a field.
'-' = Go to previous field: Press a hyphen (-) and then Enter to return to the previous field.
Ctrl+D = Quit: Press Ctrl + D to exit the Ethernet Parameter Set menu.
Protocol (FTP or TFTP): Set the file transfer protocol to FTP or TFTP.
Load File Name: Set the name of the file to be downloaded.
Target File Name: Set a file name for saving the file on the router. By default, the target file name is the same as the source file name.
Server IP Address: Set the IP address of the FTP or TFTP server. If a mask must be set, use a colon (:) to separate the mask length from the IP address. For example, 192.168.80.10:24.
Local IP Address: Set the IP address of the router.
Subnet Mask: Subnet mask of the local IP address.
Gateway IP Address: Set a gateway IP address if the router is on a different network than the server.
FTP User Name: Set the username for accessing the FTP server. This username must be the same as configured on the FTP server. This field is not available for TFTP.
FTP User Password: Set the password for accessing the FTP server. This password must be the same as configured on the FTP server. This field is not available for TFTP.
3. Select an option in the Ethernet submenu to upgrade a system software image. For example, enter 2 to upgrade the main system software image.
Loading.....................................................................
............................................................................
............................................................................
.........................................Done.
37691392 bytes downloaded!
The file is exist,will you overwrite it? [Y/N]Y
Image file msr2000-cmw710-boot-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-boot-a0005.bin .............................
......Done.
Image file msr2000-cmw710-system-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-system-a0005.bin ...........................
.........................................Done.
Image file msr2000-cmw710-security-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-security-a0005.bin Done.
Image file msr2000-cmw710-voice-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-voice-a0005.bin ......Done.
Image file msr2000-cmw710-data-a0005.bin is self-decompressing...
Saving file flash:/msr2000-cmw710-data-a0005.bin ..Done.
==========================<Enter Ethernet SubMenu>==========================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Ethernet Parameter |
|<0> Exit To Main Menu |
|<Ensure The Parameter Be Modified Before Downloading!> |
============================================================================
Enter your choice(0-4):
4. Enter 0 to return to the BootWare menu.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Modify BootWare Password |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip authentication for console login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Enter your choice(0-9):
5. Enter 1 to boot the system.
Loading the main image files...
Loading file flash:/msr2000-cmw710-system-a0005.bin..........................
Done.
Loading file flash:/msr2000-cmw710-boot-a0005.bin..............Done.
Image file flash:/msr2000-cmw710-boot-a0005.bin is self-decompressing.........
.....Done.
System image is starting...
Line aux0 is available.
Press ENTER to get started.
Using XMODEM to upgrade software through the console port
1. Enter 2 in the BootWare menu to access the Serial submenu.
===========================<Enter Serial SubMenu>===========================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Serial Interface Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-4):
Table 23 Serial submenu options
<1> Download Application Program To SDRAM And Run: Download an application to SDRAM through the serial port and run the program.
<2> Update Main Image File: Upgrade the main system software image.
<3> Update Backup Image File: Upgrade the backup system software image.
<4> Download Files(*.*): Download a system software image to the Flash or CF card.
<5> Modify Serial Interface Parameter: Modify serial port parameters.
<0> Exit To Main Menu: Return to the BootWare menu.
2. Select an appropriate baud rate for the console port. For example, enter 5 to select 115200 bps.
===============================<BAUDRATE SET>===============================
|Note:'*'indicates the current baudrate |
| Change The HyperTerminal's Baudrate Accordingly |
|---------------------------<Baudrate Available>---------------------------|
|<1> 9600(Default)* |
|<2> 19200 |
|<3> 38400 |
|<4> 57600 |
|<5> 115200 |
|<0> Exit |
============================================================================
Enter your choice(0-5):
The following messages appear:
Baudrate has been changed to 115200 bps.
Please change the terminal's baudrate to 115200 bps, press ENTER when ready.
NOTE:
Typically the size of a .bin file is over 10 MB. Even at 115200 bps, the download takes about 30 minutes.
3. Select Call > Disconnect in the HyperTerminal window to disconnect the terminal from the router.
Figure 2 Disconnect the terminal connection
NOTE:
If the baud rate of the console port is 9600 bps, jump to step 9.
4. Select File > Properties, and in the Properties dialog box, click Configure.
Figure 3 Properties dialog box
5. Select 115200 from the Bits per second list and click OK.
Figure 4 Modify the baud rate
6. Select Call > Call to reestablish the connection.
Figure 5 Reestablish the connection
7. Press Enter. The following menu appears:
The current baudrate is 115200 bps
===============================<BAUDRATE SET>===============================
|Note:'*'indicates the current baudrate |
| Change The HyperTerminal's Baudrate Accordingly |
|---------------------------<Baudrate Available>---------------------------|
|<1> 9600(Default) |
|<2> 19200 |
|<3> 38400 |
|<4> 57600 |
|<5> 115200* |
|<0> Exit |
============================================================================
Enter your choice(0-5):
8. Enter 0 to return to the Serial submenu.
===========================<Enter Serial SubMenu>===========================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Serial Interface Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-4):
9. Select option 2 or 3 to upgrade a system software image. For example, enter 2 to upgrade the main system software image.
Please Start To Transfer File, Press <Ctrl+C> To Exit.
Waiting ...CCCCC
10. Select Transfer > Send File in the HyperTerminal window.
Figure 6 Transfer menu
11. In the dialog box that appears, click Browse to select the source file, and select Xmodem from the Protocol list.
Figure 7 File transmission dialog box
12. Click Send. The following dialog box appears:
Figure 8 File transfer progress
13. When the Serial submenu appears after the file transfer is complete, enter 0 at the prompt to return to the BootWare menu.
Download successfully!
37691392 bytes downloaded!
Input the File Name:main.bin
Updating File flash:/main.bin..............................................
.....................................................Done!
===========================<Enter Serial SubMenu>===========================
|Note:the operating device is flash |
|<1> Download Image Program To SDRAM And Run |
|<2> Update Main Image File |
|<3> Update Backup Image File |
|<4> Download Files(*.*) |
|<5> Modify Serial Interface Parameter |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-4):
14. Enter 1 in the BootWare menu to boot the system.
15. If you are using a download rate other than 9600 bps, change the baud rate of the terminal to
9600 bps. If the baud rate has been set to 9600 bps, skip this step.
Managing files from the BootWare menu
To change the type of a system software image, retrieve files, or delete files, enter 4 in the BootWare menu.
The File Control submenu appears:
==============================<File CONTROL>==============================
|Note:the operating device is cfa0 |
|<1> Display All File(s) |
|<2> Set Image File type |
|<3> Set Bin File type |
|<4> Set Configuration File type |
|<5> Delete File |
|<6> Copy File |
|<0> Exit To Main Menu |
==========================================================================
Enter your choice(0-6):
Table 24 File Control submenu options
Item                             Description
<1> Display All File             Display all files.
<2> Set Image File type          Change the type of a system software image (.ipe).
<3> Set Bin File type            Change the type of a system software image (.bin).
<4> Set Configuration File type  Change the type of a configuration file.
<5> Delete File                  Delete files.
<6> Copy File                    Copy files.
<0> Exit To Main Menu            Return to the BootWare menu.
Displaying all files
To display all files, enter 1 in the File Control submenu:
Display all file(s) in flash:
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B) Time Type Name |
|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |
|2 25992 Aug/15/2012 12:18:00 N/A flash:/startup.mdb |
|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |
|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |
|5 11029 Aug/15/2012 13:31:16 N/A flash:/logfile/logfile1.log |
|6 17 Aug/16/2012 07:47:24 N/A flash:/.pathfile |
|7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|
|8 815 Aug/15/2012 12:03:14 N/A flash:/license/DeviceID.did |
|9 1180672 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-voice-a0005.bin|
|10 10240 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-security-a0005.bin|
|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|
|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|
============================================================================
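The following added example, which is not from the release notes, parses a listing in the format shown above so that the main (M) and backup (B) assignment of each image can be checked before booting; the listing text inside it is constructed, not captured from a device.

```python
"""Parse a BootWare 'Display all file(s)' listing into records.

Added example, not part of the HPE release notes. The listing below is
constructed to match the row layout of the File Control submenu output.
"""
import re
from dataclasses import dataclass

# Constructed sample in the BootWare listing format (not captured from a device).
SAMPLE_LISTING = """\
Display all file(s) in flash:
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B) Time Type Name |
|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |
|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |
|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|
|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|
|13 11418624 Aug/10/2012 07:44:05 B flash:/msr2000-cmw710-boot-a0004.bin|
============================================================================
"""

# One table row: |NO. Size(B) Time Type Name|  (the header row has "NO." and is skipped)
ROW_RE = re.compile(
    r"^\|\s*(?P<no>\d+)\s+(?P<size>\d+)\s+"
    r"(?P<time>\S+\s+\S+)\s+(?P<type>M|B|N/A)\s+(?P<name>\S+?)\s*\|$"
)


@dataclass
class BootFile:
    number: int
    size: int
    time: str
    flag: str   # 'M' (main), 'B' (backup) or 'N/A' (not assigned)
    name: str


def parse_listing(text):
    """Return one BootFile per data row; banner, header and rule lines are ignored."""
    files = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            files.append(BootFile(int(m["no"]), int(m["size"]),
                                  m["time"], m["type"], m["name"]))
    return files


def image_roles(files):
    """Group the .bin software images by BootWare flag (M, B or N/A)."""
    roles = {"M": [], "B": [], "N/A": []}
    for f in files:
        if f.name.lower().endswith(".bin"):
            roles[f.flag].append(f.name)
    return roles


def unassigned_images(files):
    """Images (.ipe/.bin) still marked N/A: transferred but not yet set as main or backup."""
    return [f.name for f in files
            if f.flag == "N/A" and f.name.lower().endswith((".ipe", ".bin"))]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print(image_roles(parsed))
    print("not yet assigned:", unassigned_images(parsed))
```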
Changing the type of a system software image
System software image file attributes include main (M) and backup (B). You can store only one main image and one backup image on the router. A system software image can have any combination of the M and B attributes. If the file attribute you are assigning has already been assigned to another image, the assignment removes the attribute from that image. That image is marked as N/A if it had only that attribute.
To change the type of a system software image:
1. Enter 2 in the File Control submenu.
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B) Time Type Name |
|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |
|0 Exit |
============================================================================
Enter file No:1
2. Enter the number of the file you are working with, and press Enter.
Modify the file attribute:
==========================================================================
|<1> +Main |
|<2> +Backup |
|<0> Exit |
==========================================================================
Enter your choice(0-2):
3. Enter a number in the range of 1 to 4 to add or delete a file attribute for the file.
Set the file attribute success!
Deleting files
When storage space is insufficient, you can delete obsolete files to free up storage space.
To delete files:
1. Enter 5 in the File Control submenu.
Deleting the file in cfa0:
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
Deleting the file in flash:
'M' = MAIN 'B' = BACKUP 'N/A' = NOT ASSIGNED
============================================================================
|NO. Size(B) Time Type Name |
|1 37691392 Aug/16/2012 07:09:16 N/A flash:/msr2000.ipe |
|2 25992 Aug/15/2012 12:18:00 N/A flash:/startup.mdb |
|3 1632 Aug/15/2012 12:18:00 M flash:/startup.cfg |
|4 84 Aug/15/2012 12:17:59 N/A flash:/ifindex.dat |
|5 11029 Aug/15/2012 13:31:16 N/A flash:/logfile/logfile1.log |
|6 17 Aug/16/2012 07:47:24 N/A flash:/.pathfile |
|7 1006592 Aug/16/2012 07:44:16 M flash:/msr2000-cmw710-data-a0005.bin|
|8 815 Aug/15/2012 12:03:14 N/A flash:/license/DeviceID.did |
|9 1180672 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-voice-a0005.bin|
|10 10240 Aug/16/2012 07:44:15 M flash:/msr2000-cmw710-security-a0005.bin|
|11 24067072 Aug/16/2012 07:44:10 M flash:/msr2000-cmw710-system-a0005.bin|
|12 11418624 Aug/16/2012 07:44:05 M flash:/msr2000-cmw710-boot-a0005.bin|
0 Exit
Enter file No.:
2. Enter the number of the file to delete.
3. When the following prompt appears, enter Y.
The file you selected is flash:/msr2000-cmw710-security-a0005.bin,Delete it?
[Y/N]Y
Deleting...Done.
Handling software upgrade failures
If a software upgrade fails, the system runs the old software version. To handle a software upgrade failure:
1. Check the physical ports for a loose or incorrect connection.
2. If you are using the console port for file transfer, check the HyperTerminal settings (including the baud rate and data bits) for any wrong setting.
3. Check the file transfer settings:
   If XMODEM is used, you must set the same baud rate for the terminal as for the console port.
   If TFTP is used, you must enter the same server IP address, file name, and working directory as set on the TFTP server.
   If FTP is used, you must enter the same FTP server IP address, source file name, working directory, and FTP username and password as set on the FTP server.
4. Check the FTP or TFTP server for any incorrect setting.
5. Check that the storage device has sufficient space for the upgrade file.
6. If the message "Something is wrong with the file" appears, check whether the file is corrupted.
Appendix C Handling console login password loss
Disabling password recovery capability
Password recovery capability controls console user access to the device configuration and SDRAM from BootWare menus.
If password recovery capability is enabled, a console user can access the device configuration without authentication to configure new passwords.
If password recovery capability is disabled, console users must restore the factory-default configuration before they can configure new passwords. Restoring the factory-default configuration deletes the next-startup configuration files.
To enhance system security, disable password recovery capability.
Table 25 summarizes options whose availability varies with the password recovery capability setting.
Table 25 BootWare options and password recovery capability compatibility matrix
BootWare menu option                       Password recovery enabled  Password recovery disabled  Tasks that can be performed
Download Image Program To SDRAM And Run    Yes                        No                          Load and run Comware software images in SDRAM.
Skip Authentication for Console Login      Yes                        No                          Enable console login without authentication.
Skip Current System Configuration          Yes                        No                          Load the factory-default configuration without deleting the next-startup configuration files.
Restore to Factory Default Configuration   No                         Yes                         Delete the next-startup configuration files and load the factory-default configuration.
To disable password recovery capability:
Step                                        Command                        Remarks
1. Enter system view.                       system-view                    N/A
2. Disable password recovery capability.    undo password-recovery enable  By default, password recovery capability is enabled.
When password recovery capability is disabled, you cannot downgrade the device software to a version that does not support the capability through the BootWare menus. You can do so at the CLI, but the BootWare menu password configured becomes effective again.
Handling console login password loss
CAUTION:
Handling console login password loss causes service outage.
The method for handling console login password loss depends on the password recovery capability
Figure 9 Handling console login password loss (flowchart: console login password lost; reboot the router to access the EXTENDED-BOOTWARE menu; if password recovery capability is enabled, use Skip Current System Configuration or Skip Authentication for Console Login, otherwise use Restore to Factory Default Configuration; then reboot the router, configure new passwords in system view, and save the running configuration)
Examining the password recovery capability setting
1. Reboot the router.
System is starting...
Press Ctrl+D to access BASIC-BOOTWARE MENU...
Press Ctrl+T to start heavy memory test
Booting Normal Extended BootWare........
The Extended BootWare is self-decompressing....Done.
****************************************************************************
* *
* HPE MSR3000 BootWare, Version 1.20 *
* *
****************************************************************************
Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.
Compiled Date : May 13 2013
CPU ID : 0x2
Memory Type : DDR3 SDRAM
Memory Size : 2048MB
BootWare Size : 1024KB
Flash Size : 8MB cfa0 Size : 247MB
CPLD Version : 2.0
PCB Version : 2.0
BootWare Validating...
Press Ctrl+B to access EXTENDED-BOOTWARE MENU...
2. Press Ctrl + B within three seconds after the "Press Ctrl+B to access EXTENDED-BOOTWARE MENU..." prompt message appears.
3. Read the password recovery capability setting information displayed before the EXTEND-BOOTWARE menu.
Password recovery capability is enabled.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip Authentication for Console Login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9):
Using the Skip Current System Configuration option
1. Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 6.
The current mode is password recovery.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip Authentication for Console Login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 6
After the configuration skipping flag is set successfully, the following message appears:
Flag Set Success.
2. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.
The router starts up with the factory-default configuration without deleting the next-startup configuration files.
3.
To use the configuration in a next-startup configuration file, load the file in system view.
<HPE> system-view
[HPE] configuration replace file cfa0:/startup.cfg
Current configuration will be lost, save current configuration? [Y/N]:n
Info: Now replacing the current configuration. Please wait...
Info: Succeeded in replacing current configuration with the file startup.cfg.
4. Configure a new console login authentication mode and a new console login password.
In the following example, the console login authentication mode is password and the authentication password is 123456. For security purposes, the password is always saved in ciphertext, whether you specify the simple or cipher keyword for the set authentication password command.
<HPE> system-view
[HPE] line aux 0
[HPE-line-aux0] authentication-mode password
[HPE-line-aux0] set authentication password simple 123456
Use the line aux 0 command on MSR2000 and MSR3000 routers. On these routers, the console port and the AUX port are the same physical port.
Use the line console 0 command on MSR4000 routers. An MSR4000 router has a separate console port.
5. To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file.
[HPE-line-aux0] save
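The two hardening points made in this appendix (disable password recovery capability, and set an authentication mode and password on the console/AUX line) can be checked against a saved configuration. The following is an added example, not part of the release notes: the configuration texts are constructed, the block layout it parses (a line block ended by a # line, as Comware displays it) is an assumption, and a console or AUX line with no explicit authentication-mode is reported as unconfigured rather than assumed to use any default.

```python
"""Audit a Comware-style configuration for the console hardening settings
described in the release notes appendix. Added example, not HPE code."""
import re

# Constructed sample: password recovery still enabled (nothing to disable it),
# and an AUX line with no authentication configured.
WEAK_CONFIG = """\
#
 sysname HPE
#
line aux 0
 user-role network-admin
#
line vty 0 4
 authentication-mode scheme
#
return
"""

# Constructed sample hardened as the appendix recommends. The hashed value is a
# placeholder, not a real stored password.
HARDENED_CONFIG = """\
#
 sysname HPE
 undo password-recovery enable
#
line aux 0
 authentication-mode password
 set authentication password hash $h$6$PLACEHOLDER
 user-role network-admin
#
return
"""


def parse_line_blocks(config):
    """Return {'aux 0': [commands...], ...} for every 'line <type> <num>' block.
    Assumes each block is terminated by a line starting with '#' (Comware layout)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith("#"):
            current = None
        elif current is not None and raw.strip():
            blocks[current].append(raw.strip())
    return blocks


def audit_console_hardening(config):
    """Return a list of finding strings; an empty list means both checks pass."""
    findings = []
    # Check 1: password recovery capability must be explicitly disabled.
    if not re.search(r"^\s*undo password-recovery enable\s*$", config, re.M):
        findings.append("password recovery capability is enabled (default): "
                        "BootWare allows console login with authentication skipped")
    # Check 2: every console/AUX line needs an authentication mode and, for
    # mode 'password', a password. Comware shows the console as 'line con 0'.
    blocks = parse_line_blocks(config)
    console_lines = [name for name in blocks if name.startswith(("aux", "con"))]
    if not console_lines:
        findings.append("no aux/console line block found")
    for name in console_lines:
        cmds = blocks[name]
        modes = [c for c in cmds if c.startswith("authentication-mode ")]
        if not modes:
            findings.append(f"line {name}: no authentication-mode configured")
            continue
        mode = modes[-1].split()[1]
        if mode == "none":
            findings.append(f"line {name}: console login requires no authentication")
        elif mode == "password" and not any(
                c.startswith("set authentication password") for c in cmds):
            findings.append(f"line {name}: authentication-mode password but no password set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_console_hardening(cfg) or ["ok"])
```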
Using the Skip Authentication for Console Login option
1. Reboot the router to access the EXTEND-BOOTWARE menu, and then enter 8.
The current mode is password recovery.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip Authentication for Console Login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 8
The router deletes the console login authentication configuration commands from the main next-startup configuration file. After the operation is completed, the following message appears:
Clear Image Password Success!
2. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.
The router starts up with the main next-startup configuration file.
3. Configure a console login authentication mode and a new console login password. See
4. To make the setting take effect after a reboot, save the running configuration to the next-startup configuration file.
[HPE-line-aux0] save
Using the Restore to Factory Default Configuration option
CAUTION:
Using the Restore to Factory Default Configuration option deletes both the main and backup next-startup configuration files.
1. Reboot the router to access the EXTEND-BOOTWARE menu, and enter 5.
The current mode is no password recovery.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
===========================<EXTEND-BOOTWARE MENU>===========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> Skip Current System Configuration |
|<7> BootWare Operation Menu |
|<8> Skip Authentication for Console Login |
|<9> Storage Device Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTEND ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 5
2. At the prompt for confirmation, enter Y.
The router deletes its main and backup next-startup configuration files and restores the factory-default configuration.
The current mode is no password recovery. The configuration files will be deleted, and the system will start up with factory defaults, Are you sure to
continue?[Y/N]Y
Setting...Done.
3. When the EXTEND-BOOTWARE menu appears again, enter 1 to reboot the router.
The router starts up with the factory-default configuration.
4. Configure a new console login authentication mode and a new console login password. See
5. To make the settings take effect after a reboot, save the running configuration to the next-startup configuration file.
[HPE] save
HPE
MSR1000_MSR2000_MSR3000_MSR4000-
CMW710-R0306P82
Software Feature Changes
The information in this document is subject to change without notice.
© Copyright [First Year]2013, [Current Year] 2017 Hewlett Packard Enterprise Development LP
Contents
Release 0306P82 ··········································································· 13
Release 0306P81 ··········································································· 13
Release 0306P80 ··········································································· 13
Release 0306P70 ··········································································· 13
Release 0306P52 ··········································································· 13
New feature: MAC address recording in TCP packets ···························· 14
New feature: Configuring the leased line service for an ISDN BRI interface 16
New feature: LLDP PVID inconsistency check ······································ 17
Modified feature: High encryption ······················································ 18
Modified feature: OSPF ··································································· 19
Modified feature: Policy-based routing ················································ 19
Modified feature: MIB objects ···························································· 20
Modified feature: Setting ISP domain status ········································· 21
Modified feature: Excluding an attribute from portal protocol packets ········· 22
Modified feature: NTP ····································································· 25
Modified feature: Transceiver modules················································ 26
Modified feature: E1POS ································································· 26
Release 0306P30 ··········································································· 26
New feature: SIP compatibility ·························································· 26
Modified feature: OSPF performance optimization ································· 28
Modified feature: Telnet redirect ························································ 29
Modified feature: POS terminal access ··············································· 29
Modified feature: License ································································· 30
Modified feature: IP performance optimization ······································ 30
Release 0306P12 ··········································································· 32
Modified feature: Configuring an SSH user ·········································· 32
Modified feature: AAA ····································································· 32
Modified feature: Configuring a cellular interface for a 3G/4G modem ········ 33
Modified feature: VXLAN ································································· 35
Modified feature: DHCP ··································································· 35
Release 0306P11 ··········································································· 36
New feature: Voice VLAN ································································ 36
Modified feature: MPLS QoS support for matching the EXP field ·············· 40
Modified feature: MPLS QoS support for marking the EXP field ················ 41
Modified feature: Automatic configuration ············································ 42
Removed feature: Tinyproxy ····························································· 42
Release 0306P07 ··········································································· 43
New feature: L2TP-based EAD ························································· 43
New feature: CFD configuration························································· 45
Modified feature: Support using dots in user profile name ······················· 46
Modified feature: Default size of the TCP receive and send buffer ············ 47
Modified feature: Support for obtaining fan tray and power module vendor information through MIB ·································································· 48
Modified feature: Supporting per-packet load sharing ····························· 48
Modified feature: Automatic configuration ············································ 49
Modified feature: Software image signature ········································· 49
Release 0305P08 ··········································································· 53
New feature: mGRE ········································································ 54
New feature: Disabling transceiver module alarm ·································· 72
Modified feature: Default user role ····················································· 73
Modified feature: Debugging ····························································· 74
Release 0305P04 ··········································································· 74
New feature: Public key management support for Suite B ······················· 75
New feature: PKI support for Suite B ·················································· 76
New feature: IPsec support for Suite B ················································ 77
New feature: SSL support for Suite B ··············································· 147
New feature: FIPS support for Suit B ················································ 154
New feature: SSH support for Suite B ··············································· 158
New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group ·················································································· 201
Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces ··············································································· 203
Modified feature: Changing the maximum number of FIB table entries ····· 206
Modified feature: Enabling CWMP ··················································· 207
Release 0305 ·············································································· 207
New feature: IKE ·········································································· 208
Modified feature: IPsec ·································································· 208
Release 0304P12 ········································································· 215
New feature: Including vendor information in PPP accounting requests ··· 215
New feature: BFD for an aggregation group ······································· 216
Modified feature: SSH username ····················································· 218
Modified feature: IS-IS hello packet sending interval ···························· 219
Modified feature: MP-group interface numbering ································· 220
Release 0304P04 ········································································· 221
New feature: Media Stream Control (MSC) logging ······························ 221
Modified feature: ESP encryption algorithms ······································ 222
Release 0304P02 ········································································· 223
New feature: IMSI/SN binding authentication ······································ 224
New feature: Specifying a band for a 4G modem ································ 230
New feature: CFD ········································································ 231
New feature: Using tunnel interfaces as OpenFlow ports ······················ 231
New feature: NETCONF support for ACL filtering ································ 231
New feature: Specifying a backup traffic processing unit ······················· 234
New feature: WAAS ······································································ 234
New feature: Support for the MKI field in SRTP or SRTCP packets ········· 234
New feature: SIP domain name ······················································· 235
New feature: E&M logging ······························································ 236
Modified feature: Setting the global link-aggregation load-sharing mode ·· 237
Release 0304 ·············································································· 238
New feature: Setting the RTC version ··············································· 238
New feature: Setting the maximum size of advertisement files ··············· 240
New feature: IRF ·········································································· 240
New feature: Frame Relay ····························································· 240
New feature: EVI ·········································································· 241
New feature: VPLS ······································································· 241
New feature: Multicast VPN support for inter-AS option B ····················· 241
Modified feature: 802.1X redirect URL ·············································· 242
Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server ···················································· 242
Modified feature: Saving, rolling back, and loading the configuration ······· 243
Modified feature: Displaying information about SSH users ···················· 243
Removed feature: Displaying fabric utilization ····································· 244
ESS 0302P06 ·············································································· 244
New feature: Object policies ··························································· 246
New feature: IPHC ······································································· 247
New feature: Support of PPPoE server for IPv6 ·································· 247
New feature: QSIG tunneling over SIP-T ··········································· 247
New feature: Playout delay ····························································· 248
New feature: BGP L2VPN support for NSR ········································ 248
New feature: BGP support for dynamic peers ····································· 249
New feature: ARP PnP ·································································· 249
New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts ·················································································· 250
New feature: QoS soft forwarding ···················································· 250
New feature: Filtering by application layer protocol status ····················· 251
New feature: ADVPN support for multicast forwarding ·························· 251
New feature: MPLS LDP support for IPv6 ·········································· 252
New feature: Port security ······························································ 252
New feature: Customizable IVR ······················································· 253
New feature: SRST ······································································· 253
New feature: NEMO ······································································ 254
New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation······················································· 254
New feature: Support for LLDP on CPOS interfaces ···························· 255
New feature: SMS-based automatic configuration ······························· 255
New feature: ARP attack protection ·················································· 255
New feature: SIP support for VRF ···················································· 256
ESS 0102 ··················································································· 257
New feature: Portal authentication ··················································· 258
New feature: MSDP ······································································ 258
New feature: IPsec MIB and IKE MIB ··············································· 259
New feature: PoE ········································································· 259
New feature: CoPP software forwarding feature ·································· 260
New feature: Configuring MPLS LDP FRR ········································· 263
New feature: Enhanced routing features ············································ 266
New feature: Python ····································································· 279
New feature: ATM ········································································ 280
New feature: DHCP MIB ································································ 280
ESS 0006P02 ·············································································· 282
Release 0306P82
None.
Release 0306P81
None.
Release 0306P80
None.
Release 0306P70
None.
Release 0306P52
This release has the following changes:
New feature: MAC address recording in TCP packets
New feature: Configuring the leased line service for an ISDN BRI interface
New feature: LLDP PVID inconsistency check
Modified feature: High encryption
Modified feature: Policy-based routing
Modified feature: Setting ISP domain status
Modified feature: Excluding an attribute from portal protocol packets
Modified feature: Transceiver modules
New feature: MAC address recording in TCP packets
Configuring MAC address recording in TCP packets
The router can add an option to each TCP packet sent from a terminal user to record the MAC address of that terminal user.
Command reference
New command: tcp mac-record enable
Use tcp mac-record enable to enable the MAC address recording in TCP packets.
Use undo tcp mac-record to restore the default.
Syntax
tcp mac-record enable
undo tcp mac-record
Default
The MAC address recording in TCP packets is disabled.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
This feature enables the device to add an option in each TCP packet to record MAC addresses.
Examples
# Enable the MAC address recording in TCP packets on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] tcp mac-record enable
Related commands
tcp mac-record local
New command: tcp mac-record local
Use tcp mac-record local to specify the MAC address of the local device for MAC address recording.
Use undo tcp mac-record local to restore the default.
Syntax
tcp mac-record local mac-address
undo tcp mac-record local
Default
The MAC address of the local device for MAC address recording is not specified.
Parameters
mac-address: Specifies the MAC address of the local device. This MAC address cannot be all 0s, a broadcast MAC address, or a multicast MAC address.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command is typically configured on the access devices that connect to terminal users, and is used together with the tcp mac-record enable command.
With these two commands configured, the device adds options to each TCP packet to record the specified MAC address of itself, and the MAC address of the terminal user.
Examples
# Specify the MAC address of the local device as 0102-0304-0506.
<Sysname> system-view
[Sysname] tcp mac-record local 0102-0304-0506
Related commands
tcp mac-record enable
New feature: Configuring the leased line service for an ISDN BRI interface
Configuring the leased line service for an ISDN BRI interface
ISDN leased lines are implemented by establishing semi-permanent connections. This requires the PBXs of your telecommunication service provider to provide leased lines and be connected to the remote device.
To configure the leased line service for an ISDN BRI interface:
Step                                                              Command                             Remarks
1. Enter system view.                                             system-view                         N/A
2. Enter ISDN BRI interface view.                                 interface bri interface-number      N/A
3. Configure the leased line service for the ISDN BRI interface.  isdn leased-line [ B1 | B2 | 128 ]  By default, the leased line service is not configured for an ISDN BRI interface.
Command reference
New command: isdn leased-line
Use isdn leased-line [ B1 | B2 | 128 ] to configure the leased line service for an ISDN BRI interface.
Use undo isdn leased-line [ B1 | B2 | 128 ] to remove the leased line service configuration for an ISDN BRI interface.
Syntax
isdn leased-line [ B1 | B2 | 128 ]
undo isdn leased-line [ B1 | B2 | 128 ]
Default
The leased line service is not configured for an ISDN BRI interface.
Views
ISDN BRI interface view
Predefined user roles
network-admin
network-operator
Parameters
B1: Uses channel B1 as a 64-kbps leased line.
B2: Uses channel B2 as a 64-kbps leased line.
128: Combines channels B1 and B2 into a 128-kbps leased line.
Usage guidelines
The isdn leased-line command without any keywords configures both the B1 and B2 channels as 64-kbps leased lines.
The undo isdn leased-line command without any keywords removes the leased line service configuration from the specified BRI interface.
You can directly switch an ISDN BRI interface from 64-kbps leased line service to 128-kbps leased line service, or vice versa.
This command is not available on BSV interfaces.
Examples
# Combine channels B1 and B2 on BRI 2/1 to provide a 128-kbps leased line.
<Sysname> system-view
[Sysname] interface bri 2/1
[Sysname-Bri2/1] isdn leased-line 128
New feature: LLDP PVID inconsistency check
Disabling LLDP PVID inconsistency check
By default, when the system receives an LLDP packet, it compares the PVID value contained in the packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log message is printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
To disable LLDP PVID inconsistency check:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Disable LLDP PVID inconsistency check.
   Command: lldp ignore-pvid-inconsistency
   Remarks: By default, LLDP PVID inconsistency check is enabled.
Command reference
New command: lldp ignore-pvid-inconsistency
Use lldp ignore-pvid-inconsistency to disable LLDP PVID inconsistency check.
Use undo lldp ignore-pvid-inconsistency to enable LLDP PVID inconsistency check.
Syntax
lldp ignore-pvid-inconsistency
undo lldp ignore-pvid-inconsistency
Default
LLDP PVID inconsistency check is enabled.
Views
System view
Default command level
network-admin
Usage guidelines
By default, when the system receives an LLDP packet, it compares the PVID value contained in the packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log message is printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
Examples
# Disable LLDP PVID inconsistency check.
<Sysname> system-view
[Sysname] lldp ignore-pvid-inconsistency
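The following is an added example, not code from the release notes or from HPE: a Python model of the receive-side PVID inconsistency check described above. It parses the IEEE 802.1 Port VLAN ID TLV out of a constructed LLDPDU, compares it with the PVID configured on the receiving interface, and produces a log line on mismatch unless the equivalent of lldp ignore-pvid-inconsistency is set. The log text, the interface name and the frame contents are assumptions, not the router's actual output.

```python
"""Model of the LLDP PVID inconsistency check (added example, not HPE code)."""
import struct
from typing import Iterator, Optional, Tuple

# IEEE 802.1AB TLV types (standard values).
TLV_END = 0
TLV_CHASSIS_ID = 1
TLV_PORT_ID = 2
TLV_TTL = 3
TLV_ORG_SPECIFIC = 127
OUI_IEEE_8021 = b"\x00\x80\xc2"   # IEEE 802.1 organizationally specific TLVs
SUBTYPE_PORT_VLAN_ID = 1          # Port VLAN ID TLV: carries the sender's PVID


def iter_tlvs(lldpdu: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs until the End TLV or the end of the buffer."""
    off = 0
    while off + 2 <= len(lldpdu):
        hdr = struct.unpack("!H", lldpdu[off:off + 2])[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF   # 7-bit type, 9-bit length
        off += 2
        if tlv_type == TLV_END:
            return
        if off + tlv_len > len(lldpdu):
            raise ValueError("truncated TLV")        # malformed frame: stop parsing
        yield tlv_type, lldpdu[off:off + tlv_len]
        off += tlv_len


def extract_pvid(lldpdu: bytes) -> Optional[int]:
    """Return the PVID advertised in the Port VLAN ID TLV, or None if absent."""
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type != TLV_ORG_SPECIFIC or len(value) < 4:
            continue
        if value[:3] == OUI_IEEE_8021 and value[3] == SUBTYPE_PORT_VLAN_ID:
            if len(value) != 6:
                raise ValueError("Port VLAN ID TLV must carry a 2-byte VLAN ID")
            return struct.unpack("!H", value[4:6])[0]
    return None


def check_pvid(lldpdu: bytes, ifname: str, local_pvid: int,
               ignore_inconsistency: bool = False) -> Optional[str]:
    """Receive-side check: return a log line on mismatch, otherwise None."""
    if ignore_inconsistency:          # 'lldp ignore-pvid-inconsistency' configured
        return None
    remote = extract_pvid(lldpdu)
    if remote is None or remote == local_pvid:
        return None
    # Log text is an assumption, not the router's real message format.
    return (f"LLDP/PVID_INCONSISTENT: {ifname} local PVID {local_pvid} "
            f"differs from neighbor PVID {remote}")


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV with the 16-bit type/length header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(pvid: int) -> bytes:
    """Constructed LLDPDU: the mandatory TLVs plus a Port VLAN ID TLV."""
    return (tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0102030405ff"))  # subtype 4: MAC
            + tlv(TLV_PORT_ID, b"\x05GigabitEthernet0/1")                  # subtype 5: ifname
            + tlv(TLV_TTL, struct.pack("!H", 120))
            + tlv(TLV_ORG_SPECIFIC, OUI_IEEE_8021 + bytes([SUBTYPE_PORT_VLAN_ID])
                  + struct.pack("!H", pvid))
            + tlv(TLV_END, b""))


if __name__ == "__main__":
    frame = build_lldpdu(pvid=20)
    print(check_pvid(frame, "GigabitEthernet0/1", local_pvid=10))
    print(check_pvid(frame, "GigabitEthernet0/1", local_pvid=10, ignore_inconsistency=True))
```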
Modified feature: High encryption
Feature change description
In this release, the HPE router does not require a license to support high encryption. It operates in high encryption mode by default.
Modified feature: OSPF
Feature change description
The device can automatically obtain a router ID from an OSPF interface.
Command reference
Modified command: ospf
Old syntax
ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
undo ospf [ process-id ]
New syntax
ospf [ process-id | router-id { auto-select | router-id } | vpn-instance vpn-instance-name ] *
undo ospf [ process-id ] [ router-id ]
Views
System view
Change description
The auto-select keyword was added to the command for the device to automatically obtain a router ID from an OSPF interface.
Modified feature: Policy-based routing
Feature change description
The apply remark-vpn command was newly added. You can execute this command in policy node view or IPv6 policy node view to mark the VPN instance for matching packets.
Command reference
New command: apply remark-vpn
Use apply remark-vpn to mark the VPN instance for matching packets.
Use undo apply remark-vpn to restore the default.
Syntax
apply remark-vpn
undo apply remark-vpn
Default
The VPN instance is not marked for matching packets.
Views
Policy node view
Predefined user roles
network-admin
Usage guidelines
The apply access-vpn vpn-instance command is used to forward matching packets in a specified VPN instance. To make the VPN instance known to the service modules, use the apply remark-vpn command to mark the VPN instance in the packets.
This command must be used together with the apply access-vpn vpn-instance command.
This command marks a VPN instance in a packet only when the packet is forwarded in the VPN instance specified by the apply access-vpn vpn-instance command.
Examples
# Mark VPN instance vpn1 for packets that match ACL 3000.
<Sysname> system-view
[Sysname] policy-based-route aaa permit node 10
[Sysname-pbr-aaa-10] if-match acl 3000
[Sysname-pbr-aaa-10] apply access-vpn vpn-instance vpn1
[Sysname-pbr-aaa-10] apply remark-vpn
Modified feature: MIB objects
Feature change description
The startup2Net object in the hh3c-config-man.mib was modified to specify the startup configure file. The description for the startup object was changed accordingly.
Modified feature: Setting ISP domain status
Feature change description
An ISP domain can be blocked based on time ranges.
Command changes
Modified command: state
Old syntax
state { active | block }
New syntax
state { active | block [ time-range ] [ offline ] }
Views
ISP domain view
Change description
The time-range and offline keywords were added to this command.
time-range: Blocks the ISP domain based on time ranges. If you do not specify this keyword, the ISP domain is in blocked state until you manually set the state to active.
offline: Logs off all online users when the ISP domain state changes from active to blocked.
New command: state block time-range name
Use state block time-range name to specify a time range during which an ISP domain is in blocked state.
Use undo state block time-range name to remove a time range or all time ranges during which an
ISP domain is in blocked state.
Syntax
state block time-range name time-range-name
undo state block time-range { all | name time-range-name }
Default
No time ranges are specified to block an ISP domain.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
time-range-name: Specifies a time range by its name, a case-insensitive string of 1 to 32 characters. The name must start with a letter and cannot be the word all.
all: Removes all time ranges.
Usage guidelines
An ISP domain is blocked during the specified time ranges only when the ISP domain is set to be blocked based on time ranges. To block an ISP domain based on time ranges, use the state block time-range command.
Execute this command multiple times to specify multiple time ranges during which an ISP domain is blocked.
Examples
# Specify ISP domain test to be blocked during time ranges t1 and t2.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] state block time-range name t1
[Sysname-isp-test] state block time-range name t2
Modified feature: Excluding an attribute from portal protocol packets
Excluding an attribute from portal protocol packets
Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.
To address this issue, you can configure portal protocol packets to not carry the attributes unsupported by the portal authentication server.
To exclude an attribute from portal protocol packets:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enter portal authentication server view.
   Command: portal server server-name
   Remarks: N/A
Step 3. Exclude an attribute from portal protocol packets.
   Command: exclude-attribute number { ack-auth | ntf-logout | ack-logout }
   Remarks: By default, no attributes are excluded from portal protocol packets.
Command reference
New command: exclude-attribute
Use exclude-attribute to exclude an attribute from portal protocol packets.
Use undo exclude-attribute to not exclude an attribute from portal protocol packets.
Syntax
exclude-attribute number { ack-auth | ntf-logout | ack-logout }
undo exclude-attribute number { ack-auth | ntf-logout | ack-logout }
Default
No attributes are excluded from portal protocol packets.
Views
Portal authentication server view
Predefined user roles
network-admin
Parameters
number: Specifies an attribute by its number in the range of 1 to 255.
ack-auth: Excludes the attribute from ACK_AUTH packets.
ntf-logout: Excludes the attribute from NTF_LOGOUT packets.
ack-logout: Excludes the attribute from ACK_LOGOUT packets.
Usage guidelines
Support of the portal authentication server for portal protocol attributes varies by the server type. If the device sends the portal authentication server a packet that contains an attribute unsupported by the server, the device and the server cannot communicate.
To address this issue, you can configure this command to exclude the unsupported attributes from specific portal protocol packets sent to the portal authentication server.
You can specify multiple excluded attributes. For an excluded attribute, you can specify multiple types of portal protocol packets (ack-auth, ntf-logout, and ack-logout).
Table 1 describes all attributes of the portal protocol.
Table 1 Portal attributes (name, number, description)
UserName (1): Username of the user to be authenticated.
PassWord (2): Plaintext password submitted by the user.
Challenge (3): Random challenge for CHAP authentication.
ChapPassWord (4): CHAP password encrypted by MD5.
TextInfo (5): The device uses this attribute to transparently transport prompt information of a RADIUS server or packet error information to the portal authentication server. The attribute value can be a string excluding the end character '\0'. This attribute can exist in any packet from the device to the portal server. A packet can contain multiple TextInfo attributes. As a best practice, carry only one TextInfo attribute in a packet.
UpLinkFlux (6): Uplink (output) traffic of the user, an 8-byte unsigned integer, in KB.
DownLinkFlux (7): Downlink (input) traffic of the user, an 8-byte unsigned integer, in KB.
Port (8): Port information, a string excluding the end character '\0'.
IP-Config (9): This attribute has different meanings in different types of packets. The device uses this attribute in ACK_AUTH (Type=0x04) packets to notify the portal server that the user requires re-DHCP. The device uses this attribute in ACK_LOGOUT (Type=0x06) and NTF_LOGOUT (Type=0x08) packets to indicate that the current user IP address must be released. The portal server must notify the user to release the public IP address through DHCP. The device will reallocate a private IP address to the user.
Examples
# Exclude the UpLinkFlux attribute (number 6) from portal ACK_AUTH packets.
<Sysname> system-view
[Sysname] portal server pts
[Sysname-portal-server-pts] exclude-attribute 6 ack-auth
Related commands
display portal server
Modified command: display portal server
Syntax
display portal server [ server-name ]
Views
Any view
Change description
The Exclude-attribute field was added to the output of this command.
Modified feature: NTP
Feature change description
NTP can use advanced ACLs to filter packets by source and destination IP addresses.
Command changes
Modified command: ntp-service authentication-keyid
Old syntax
ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value
New syntax
ntp-service authentication-keyid keyid authentication-mode md5 { cipher | simple } value [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
Views
System view
Change description
The acl ipv4-acl-number and ipv6 acl ipv6-acl-number options were added to the command.
Modified command: sntp authentication-keyid
Old syntax
sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value
New syntax
sntp authentication-keyid keyid authentication-mode md5 { cipher | simple } value [ acl ipv4-acl-number | ipv6 acl ipv6-acl-number ] *
Views
System view
Change description
The acl ipv4-acl-number and ipv6 acl ipv6-acl-number options were added to the command.
Modified feature: Transceiver modules
Feature change description
The names of SFP-GE-LH70-SM1550 and SFP-GE-LH70-SM1550-D transceiver modules were changed to SFP-GE-LH80-SM1550 and SFP-GE-LH80-SM1550-D, respectively. Their transmission distance was increased from 70 km (43.50 miles) to 80 km (49.71 miles).
Modified feature: E1POS
Feature change description
This release added support for displaying the modem negotiation rate of E1POS by using the debug command.
Release 0306P30
This release has the following changes:
New feature: SIP compatibility
Modified feature: OSPF performance optimization
Modified feature: Telnet redirect
Modified feature: POS terminal access
Modified feature: IP performance optimization
New feature: SIP compatibility
Configuring SIP compatibility
If a third-party device does not implement SIP in strict accordance with the RFC standard, you can configure SIP compatibility for the router to interoperate with the third-party device.
With the sip-compatible t38 command configured, the router excludes :0 from the following SDP parameters in the originated re-INVITE messages:
T38FaxTranscodingJBIG.
T38FaxTranscodingMMR.
T38FaxFillBitRemoval.
With the sip-compatible x-param command configured, the router adds SDP description information (a=X-fax and a=X-modem) for fax pass-through and modem pass-through in the originated re-INVITE messages.
To configure SIP compatibility:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enter voice view.
   Command: voice-setup
   Remarks: N/A
Step 3. Enter SIP view.
   Command: sip
   Remarks: N/A
Step 4. Configure SIP compatibility.
   Command: sip-compatible { t38 | x-param }
   Remarks: By default, SIP compatibility is not configured.
Command reference
New command: sip-compatible
Use sip-compatible to configure SIP compatibility with a third-party device.
Use undo sip-compatible to restore the default.
Syntax
sip-compatible { t38 | x-param }
undo sip-compatible { t38 | x-param }
Default
SIP compatibility is not configured.
Views
SIP view
Predefined user roles
network-admin
Parameters
t38: Configures SIP compatibility for standard T.38 fax. With this keyword specified, the router excludes :0 from the following SDP parameters in the originated re-INVITE messages:
T38FaxTranscodingJBIG.
T38FaxTranscodingMMR.
T38FaxFillBitRemoval.
This keyword is required when the router interoperates with a third-party softswitch device to exchange T.38 fax messages.
x-param: Configures SIP compatibility for fax pass-through and modem pass-through. With this keyword specified, the router adds SDP description information for fax pass-through and modem pass-through to outgoing re-INVITE messages. This keyword is required when the router interoperates with a third-party softswitch device to perform fax pass-through and modem pass-through.
Usage guidelines
The t38 and x-param keywords can both be configured to interoperate with a third-party softswitch device.
Examples
# Configure SIP compatibility for standard T.38 fax.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip
[Sysname-voice-sip] sip-compatible t38
Modified feature: OSPF performance optimization
Feature change description
You can set a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds.
The value range for the LSU packet sending interval was changed to 0 to 1000 milliseconds.
Command changes
Modified command: spf-schedule-interval
Old syntax
spf-schedule-interval { maximum-interval [ minimum-interval [ incremental-interval ] ] }
New syntax
spf-schedule-interval { maximum-interval [ minimum-interval [ incremental-interval ] ] | millisecond interval }
Views
OSPF view
Change description
The millisecond interval argument was added to the command. You can specify this argument to set a fixed OSPF SPF calculation interval in the range of 0 to 10000 milliseconds.
Modified command: transmit-pacing
Syntax
transmit-pacing interval interval count count
Views
OSPF view
Change description
Before modification: The value range for the interval argument was 10 to 1000 milliseconds.
After modification: The value range for the interval argument is 0 to 1000 milliseconds.
Modified feature: Telnet redirect
Feature change description
Authentication was added on MSR 3000 series routers for Telnet redirect users.
Logging was added for Telnet redirect login events and Telnet redirect exit events.
Modified feature: POS terminal access
Feature change description
The posa auto-stop-service enable command added the function of setting the access interfaces for all E1POS terminal templates to reply with busy tones when all FEPs are unreachable.
Command changes
Modified command: posa auto-stop-service enable
Syntax
posa auto-stop-service enable
Views
System view
Change description
Before modification, this command enables automatic shutdown of the listening ports for TCP-based POS terminal templates when all FEPs that correspond to TCP-based POS application templates are unreachable. When any of the FEPs becomes reachable, the router automatically opens the listening ports for all TCP-based POS terminal templates.
After modification, this command enables the router to automatically perform the following operations when all FEPs that correspond to TCP-based POS application templates are unreachable:
Shuts down the listening ports for all TCP-based POS terminal templates.
Sets the access interfaces for all E1POS terminal templates to reply with busy tones.
When any of the FEPs becomes reachable, the router automatically performs the following operations:
Opens the listening ports for all TCP-based POS terminal templates.
Disables busy tone for all E1POS terminal templates.
Modified feature: License
Feature change description
The device uses high encryption algorithms by default and does not require a license.
Modified feature: IP performance optimization
Feature change description
The device supports recording MAC addresses in TCP packets. You can also configure the device to record the MAC address of the local device in TCP packets.
Command changes
New command: tcp mac-record enable
Use tcp mac-record enable to enable MAC address recording in TCP packets.
Use undo tcp mac-record enable to disable MAC address recording in TCP packets.
Syntax
tcp mac-record enable
undo tcp mac-record enable
Default
MAC address recording in TCP packets is disabled.
Views
Interface view
Default command level
network-admin
Usage guidelines
This feature records the MAC address of the packet originator in a TCP option. When an attack occurs, the administrator can quickly locate the attack source according to the recorded MAC addresses.
Examples
# Enable MAC address recording in TCP packets on GigabitEthernet 0/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] tcp mac-record enable
New command: tcp mac-record local
Use tcp mac-record local to record the MAC address of the local device in TCP packets.
Use undo tcp mac-record local to restore the default.
Syntax
tcp mac-record local mac-address
undo tcp mac-record local
Default
The destination MAC address is recorded.
Views
System view
Default command level
network-admin
Parameters
mac-address: Specifies the MAC address of the local device. The MAC address cannot be all 0s, broadcast MAC address, or multicast MAC address.
Usage guidelines
To make this command take effect, you must enable MAC address recording in TCP packets by using the tcp mac-record enable command.
Examples
# Record the MAC address of the local device 0605-0403-0201 in TCP packets.
<Sysname> system-view
[Sysname] tcp mac-record local 0605-0403-0201
Release 0306P12
This release has the following changes:
Modified feature: Configuring an SSH user
Modified feature: Configuring a cellular interface for a 3G/4G modem
Modified feature: Configuring an SSH user
Feature change description
Starting from this software version, the device checks the username validity when an SSH user is created.
Modified feature: AAA
Feature change description
Starting from this software version, you can configure the authorization method for IKE extended authentication.
Command changes
New command: authorization ike
Use authorization ike to configure the authorization method for IKE extended authentication.
Use undo authorization ike to restore the default.
Syntax
In non-FIPS mode:
authorization ike { local [ none ] | none | radius-scheme radius-scheme-name [ local ] [ none ] }
undo authorization ike
In FIPS mode:
authorization ike { local | radius-scheme radius-scheme-name [ local ] }
undo authorization ike
Default
The default authorization method for the ISP domain is used for IKE extended authentication.
Views
ISP domain view
Predefined user roles
network-admin
Parameters
local: Performs local authorization.
none: Does not perform authorization.
radius-scheme radius-scheme-name: Specifies a RADIUS scheme by its name, a case-insensitive string of 1 to 32 characters.
Examples
# In ISP domain test, perform local authorization for IKE extended authentication.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ike local
# In ISP domain test, use RADIUS scheme rd as the primary authorization method and local authorization as the backup authorization method for IKE extended authentication.
<Sysname> system-view
[Sysname] domain test
[Sysname-isp-test] authorization ike radius-scheme rd local
Modified feature: Configuring a cellular interface for a 3G/4G modem
Feature change description
In this release, you can set the RSSI thresholds for a 3G/4G modem.
Command changes
New command: rssi
Use rssi to set the RSSI thresholds for a 3G/4G modem.
Use undo rssi to restore the default.
Syntax
rssi { gsm | 1xrtt | evdo | lte } { low lowthreshold | medium mediumthreshold } *
undo rssi { gsm | 1xrtt | evdo | lte } [ low | medium ]
Default
The lower and upper thresholds for a 3G/4G modem are –150 dBm and 0 dBm, respectively.
Views
Cellular interface view
Predefined user roles
network-admin
Parameters
1xrtt: Specifies the 1xRTT mode.
evdo: Specifies the EVDO mode.
gsm: Specifies the GSM mode.
lte: Specifies the LTE mode.
low lowthreshold: Specifies the lower RSSI threshold value in the range of 0 to 150, which represents a lower RSSI threshold in the range of –150 dBm to 0 dBm. The value of lowthreshold cannot be smaller than the value of mediumthreshold because the system automatically adds a negative sign to the RSSI thresholds.
medium mediumthreshold: Specifies the upper RSSI threshold value in the range of 0 to 150, which represents an upper RSSI threshold in the range of –150 dBm to 0 dBm.
Usage guidelines
The device performs the following operations based on the actual RSSI of the 3G/4G modem:
Sends a trap that indicates high RSSI when the RSSI exceeds the upper threshold.
Sends a trap that indicates normal RSSI when the RSSI is between the lower threshold and upper threshold (included).
Sends a trap that indicates low RSSI when the RSSI drops to or below the lower threshold.
Sends a trap that indicates low RSSI every 10 minutes when the RSSI remains equal to or smaller than the lower threshold.
To view the RSSI change information for a 3G/4G modem, use the display cellular command.
Examples
# Set the lower threshold for a 3G/4G modem in GSM mode to –110 dBm.
<Sysname> system-view
[Sysname] interface cellular 0/0
[Sysname-Cellular0/0] rssi gsm low 110
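The following is an added example, not HPE code, that models the threshold semantics of the rssi command: the CLI values 0 to 150 get a negative sign, lowthreshold may not be smaller than mediumthreshold, and traps are sent for high, normal and low RSSI with the low trap repeated every 10 minutes. It assumes that a trap is sent only when a reading crosses into a new band and that a reading exactly at the lower threshold counts as low; the trap text and the reading sequence are constructed.

```python
"""Model of the 3G/4G modem RSSI threshold traps (added example, not HPE code)."""
from typing import List, Optional

MODES = ("gsm", "1xrtt", "evdo", "lte")   # keyword set of the rssi command
REPEAT_LOW_TRAP_SECONDS = 600               # "every 10 minutes" in the usage guidelines


class RssiMonitor:
    """Models 'rssi <mode> low <lowthreshold> medium <mediumthreshold>' for one mode."""

    def __init__(self, mode: str, low: int = 150, medium: int = 0):
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        for name, value in (("lowthreshold", low), ("mediumthreshold", medium)):
            if not 0 <= value <= 150:
                raise ValueError(f"{name} {value} is outside 0..150")
        # The system adds a negative sign, so the numerically larger CLI value is the
        # lower dBm threshold; lowthreshold therefore cannot be smaller than mediumthreshold.
        if low < medium:
            raise ValueError("lowthreshold cannot be smaller than mediumthreshold")
        self.mode = mode
        self.lower_dbm = -low        # default low 150  -> -150 dBm
        self.upper_dbm = -medium     # default medium 0 -> 0 dBm
        self.state: Optional[str] = None
        self.last_low_trap: Optional[float] = None
        self.traps: List[str] = []   # constructed trap log, for the reader

    def band(self, rssi_dbm: int) -> str:
        """Classify a reading; 'low' wins on the shared lower boundary (assumption)."""
        if rssi_dbm <= self.lower_dbm:
            return "low"
        if rssi_dbm > self.upper_dbm:
            return "high"
        return "normal"

    def observe(self, rssi_dbm: int, now: float) -> Optional[str]:
        """Feed one reading taken at time 'now' (seconds); return the trap kind or None."""
        new = self.band(rssi_dbm)
        if new != self.state:                      # crossed into a new band: trap once
            self.state = new
            self.last_low_trap = now if new == "low" else None
        elif new == "low" and now - self.last_low_trap >= REPEAT_LOW_TRAP_SECONDS:
            self.last_low_trap = now               # still low: repeat the low-RSSI trap
        else:
            return None
        self.traps.append(f"cellular {self.mode}: {new} RSSI, {rssi_dbm} dBm "
                          f"(thresholds {self.lower_dbm}/{self.upper_dbm} dBm) at t={now:.0f}s")
        return new


def demo() -> List[str]:
    """Constructed readings for 'rssi gsm low 110' with the upper threshold left at 0 dBm."""
    mon = RssiMonitor("gsm", low=110)
    readings = [(-90, 0), (-95, 60), (-115, 120), (-118, 500), (-118, 720), (-100, 800)]
    return [kind for kind in (mon.observe(r, t) for r, t in readings) if kind]


if __name__ == "__main__":
    print(demo())   # ['normal', 'low', 'low', 'normal']
```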
Modified feature: VXLAN
Feature change description
This release added support for QoS in the outbound direction of VXLAN tunnel interfaces.
Command changes
None.
Modified feature: DHCP
Feature change description
Starting from this software version, you can configure the DHCP server to send DHCP replies that do not contain Option 60.
Command changes
New command: dhcp server reply-exclude-option60
Use dhcp server reply-exclude-option60 to configure the DHCP server to send DHCP replies that do not contain Option 60.
Use undo dhcp server reply-exclude-option60 to restore the default.
Syntax
dhcp server reply-exclude-option60
undo dhcp server reply-exclude-option60
Default
The DHCP server sends DHCP replies containing Option 60.
Views
System view
Predefined user roles
network-admin
Examples
# Configure the DHCP server to send DHCP replies that do not contain Option 60.
<Sysname> system-view
[Sysname] dhcp server reply-exclude-option60
Release 0306P11
This release has the following changes:
Modified feature: MPLS QoS support for matching the EXP field
Modified feature: MPLS QoS support for marking the EXP field
Modified feature: Automatic configuration
New feature: Voice VLAN
Configuring a voice VLAN
Configuring a port to operate in automatic voice VLAN assignment mode
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. (Optional.) Set the voice VLAN aging timer.
   Command: voice-vlan aging minutes
   Remarks: By default, the aging timer of a voice VLAN is 1440 minutes.
Step 3. (Optional.) Enable the voice VLAN security mode.
   Command: voice-vlan security enable
   Remarks: By default, the voice VLAN security mode is enabled.
Step 4. (Optional.) Add an OUI address for voice packet identification.
   Command: voice-vlan mac-address oui mask oui-mask [ description text ]
   Remarks: By default, system default OUI addresses exist.
Step 5. Enter interface view.
   Command:
      Enter Layer 2 Ethernet interface view: interface interface-type interface-number
      Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
      Enter S-channel interface view: interface s-channel interface-number.channel-id
      Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id
      Enter Layer 2 RPR logical interface view: interface rpr-bridge interface-number
   Remarks: N/A
Step 6. Set the link type of the port.
   Command:
      Set the port link type to trunk: port link-type trunk
      Set the port link type to hybrid: port link-type hybrid
   Remarks: N/A
Step 7. Configure the port to operate in automatic voice VLAN assignment mode.
   Command: voice-vlan mode auto
   Remarks: By default, the automatic voice VLAN assignment mode is enabled.
Step 8. Enable the voice VLAN feature on the port.
   Command: voice-vlan vlan-id enable
   Remarks: By default, the voice VLAN feature is disabled. Before you execute this command, make sure the specified VLAN already exists.
Configuring a port to operate in manual voice VLAN assignment mode
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. (Optional.) Enable the voice VLAN security mode.
   Command: voice-vlan security enable
   Remarks: By default, the voice VLAN security mode is enabled.
Step 3. (Optional.) Add an OUI address for voice packet identification.
   Command: voice-vlan mac-address oui mask oui-mask [ description text ]
   Remarks: By default, system default OUI addresses exist.
Step 4. Enter interface view.
   Command:
      Enter Layer 2 Ethernet interface view: interface interface-type interface-number
      Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
      Enter S-channel interface view: interface s-channel interface-number.channel-id
      Enter S-channel aggregate interface view: interface schannel-aggregation interface-number:channel-id
      Enter Layer 2 RPR logical interface view: interface rpr-bridge interface-number
   Remarks: N/A
Step 5. Configure the port to operate in manual voice VLAN assignment mode.
   Command: undo voice-vlan mode auto
   Remarks: By default, a port operates in automatic voice VLAN assignment mode.
Step 6. Set the link type of the port.
   Command:
      Set the port link type to access: port link-type access
      Set the port link type to trunk: port link-type trunk
      Set the port link type to hybrid: port link-type hybrid
   Remarks: By default, each port is an access port.
Step 7. Assign the access, trunk, or hybrid port to the voice VLAN.
   Command:
      For the access port: port access vlan vlan-id
      For the trunk port: port trunk permit vlan { vlan-id-list | all }
      For the hybrid port: port hybrid vlan vlan-id-list { tagged | untagged }
   Remarks: After you assign an access port to the voice VLAN, the voice VLAN becomes the PVID of the port.
Step 8. (Optional.) Configure the voice VLAN as the PVID of the trunk or hybrid port.
   Command:
      For the trunk port: port trunk pvid vlan vlan-id
      For the hybrid port: port hybrid pvid vlan vlan-id
   Remarks: This step is required for untagged incoming voice traffic and prohibited for tagged incoming voice traffic.
Step 9. Enable the voice VLAN feature on the port.
   Command: voice-vlan vlan-id enable
   Remarks: By default, the voice VLAN feature is disabled. Before you execute this command, make sure the specified VLAN already exists.
Enabling LLDP for automatic IP phone discovery
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable LLDP for automatic IP phone discovery.
   Command: voice-vlan track lldp
   Remarks: By default, LLDP for automatic IP phone discovery is disabled.
Configuring LLDP to advertise a voice VLAN
For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones through LLDP-MED TLVs.
To configure LLDP to advertise a voice VLAN:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
Step 3. Configure an advertised voice VLAN ID.
   Command: lldp tlv-enable med-tlv network-policy vlan-id
   Remarks: By default, no advertised voice VLAN ID is configured.
Configuring CDP to advertise a voice VLAN
If an IP phone supports CDP but does not support LLDP, it sends CDP packets to the device to request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period, it sends out untagged voice packets. These untagged voice packets cannot be differentiated from other types of packets.
You can configure CDP compatibility on the device to enable it to perform the following operations:
Receive and identify CDP packets from the IP phone.
Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.
After receiving the advertised VLAN information, the IP phone starts automatic voice VLAN configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.
To configure CDP to advertise a voice VLAN:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable CDP compatibility.
   Command: lldp compliance cdp
   Remarks: By default, CDP compatibility is disabled.
Step 3. Enter Layer 2 Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
Step 4. Configure CDP-compatible LLDP to operate in TxRx mode.
   Command: lldp compliance admin-status cdp txrx
   Remarks: By default, CDP-compatible LLDP operates in disable mode.
Step 5. Configure an advertised voice VLAN ID.
   Command: cdp voice-vlan vlan-id
   Remarks: By default, no advertised voice VLAN ID is configured.
Displaying and maintaining voice VLANs
Execute display commands in any view.
Task: Display the voice VLAN state.
   Command: display voice-vlan state
Task: Display OUI addresses on a device.
   Command: display voice-vlan mac-address
Command reference
The following commands were added:
display voice-vlan mac-address.
display voice-vlan state.
voice-vlan aging.
voice-vlan enable.
voice-vlan mac-address.
voice-vlan mode auto.
voice-vlan security enable.
voice-vlan track lldp.
For more information about these commands, see H3C MSR Series Routers Layer 2—LAN Switching Command Reference (V7).
Modified feature: MPLS QoS support for matching the EXP field
Matching the EXP field in the second MPLS label
In this release, MPLS QoS supports matching the EXP fields in both the topmost (first) MPLS label and the second MPLS label.
Command reference
New command: if-match second-mpls-exp
Use if-match second-mpls-exp to define a criterion to match the EXP field in the second MPLS label.
Use undo if-match second-mpls-exp to delete the match criterion.
Syntax
if-match [ not ] second-mpls-exp exp-value&<1-8>
undo if-match [ not ] second-mpls-exp exp-value&<1-8>
Default
No criterion is defined to match the EXP field in the second MPLS label.
Views
Traffic class view
Predefined user roles
network-admin
Parameters
not: Matches packets not conforming to the specified criterion.
exp-value&<1-8>: Specifies a space-separated list of up to eight EXP values. The value range for the exp-value argument is 0 to 7. If the same MPLS EXP value is specified multiple times, the system considers them as one. If a packet matches one of the defined MPLS EXP values, it matches the if-match clause.
Examples
# Define a criterion to match packets with EXP value 3 or 4 in the second MPLS label.
<Sysname> system-view
[Sysname] traffic classifier database
[Sysname-classifier-database] if-match second-mpls-exp 3 4
Modified feature: MPLS QoS support for marking the EXP field
Marking the EXP field in the second MPLS label
In this release, MPLS QoS supports marking the EXP fields in both the topmost (first) MPLS label and the second MPLS label.
Command reference
New command: remark second-mpls-exp
Use remark second-mpls-exp to configure an EXP value marking action for the second MPLS label in a traffic behavior.
Use undo remark second-mpls-exp to delete the action.
Syntax
remark second-mpls-exp second-mpls-exp-value
undo remark second-mpls-exp second-mpls-exp-value
Default
No EXP value marking action for the second MPLS label is configured in a traffic behavior.
Views
Traffic behavior view
Predefined user roles
network-admin
Parameters
second-mpls-exp-value: Specifies an EXP value for the second MPLS label, in the range of 0 to 7.
Examples
# Define a traffic behavior to mark packets with EXP value 3 for the second MPLS label.
<Sysname> system-view
[Sysname] traffic behavior b1
[Sysname-behavior-b1] remark second-mpls-exp 3
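Added example, not HPE code: a Python model of the two commands above. It parses a constructed MPLS label stack, applies the if-match second-mpls-exp criterion (with and without not) and rewrites the second label's EXP the way remark second-mpls-exp does. How packets with fewer than two labels are treated is an assumption the notes do not state.

```python
import struct
from typing import Dict, List, Sequence

# Added example, not HPE code: a model of the MPLS label stack and of the
# if-match second-mpls-exp / remark second-mpls-exp semantics described above.
# Label stack entry layout (RFC 3032): label (20 bits) | EXP (3) | S (1) | TTL (8).


def parse_label_stack(frame: bytes) -> List[Dict[str, int]]:
    """Return the label stack entries, topmost first, down to the bottom-of-stack entry."""
    entries = []
    offset = 0
    while offset + 4 <= len(frame):
        (word,) = struct.unpack("!I", frame[offset:offset + 4])
        entry = {"label": word >> 12, "exp": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries
    raise ValueError("no bottom-of-stack entry found")


def build_label_stack(entries: Sequence[Dict[str, int]]) -> bytes:
    """Serialize entries (topmost first); only the last entry gets the S bit."""
    out = bytearray()
    for i, e in enumerate(entries):
        bos = 1 if i == len(entries) - 1 else 0
        word = (e["label"] << 12) | ((e["exp"] & 0x7) << 9) | (bos << 8) | (e["ttl"] & 0xFF)
        out += struct.pack("!I", word)
    return bytes(out)


def if_match_second_mpls_exp(frame: bytes, exp_values: Sequence[int],
                             negate: bool = False) -> bool:
    """Model of 'if-match [ not ] second-mpls-exp exp-value&<1-8>'.

    Duplicate values collapse into one, and a packet conforms when the EXP of
    its second label is any listed value. Assumption made here (the notes do
    not say): a packet with fewer than two labels does not conform, so it is
    matched only by the 'not' form.
    """
    if not 1 <= len(exp_values) <= 8:
        raise ValueError("exp-value takes a list of 1 to 8 values")
    wanted = set(exp_values)
    if any(v < 0 or v > 7 for v in wanted):
        raise ValueError("EXP values range from 0 to 7")
    stack = parse_label_stack(frame)
    conforms = len(stack) >= 2 and stack[1]["exp"] in wanted
    return (not conforms) if negate else conforms


def remark_second_mpls_exp(frame: bytes, exp_value: int) -> bytes:
    """Model of 'remark second-mpls-exp second-mpls-exp-value': rewrite the
    EXP bits of the second label only; labels, TTLs and payload stay intact."""
    if not 0 <= exp_value <= 7:
        raise ValueError("EXP value ranges from 0 to 7")
    stack = parse_label_stack(frame)
    if len(stack) < 2:
        raise ValueError("packet has no second MPLS label")
    stack[1]["exp"] = exp_value
    return build_label_stack(stack) + frame[4 * len(stack):]


# Constructed sample: two labels (topmost EXP 5, second EXP 4) followed by a payload.
SAMPLE = build_label_stack([{"label": 1000, "exp": 5, "ttl": 64},
                            {"label": 2000, "exp": 4, "ttl": 64}]) + b"\x45\x00payload"

if __name__ == "__main__":
    # Classifier 'database' above: if-match second-mpls-exp 3 4
    print(if_match_second_mpls_exp(SAMPLE, [3, 4]))
    # Behavior 'b1' above: remark second-mpls-exp 3
    print(parse_label_stack(remark_second_mpls_exp(SAMPLE, 3))[1]["exp"])
```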
Modified feature: Automatic configuration
Feature change description
In this release, you can set the maximum retry attempts for automatic configuration. The device will retry obtaining the settings until the retry attempts reach the limit. If you set the maximum retry attempts to 0, the device does not perform a retry when encountering an automatic configuration failure.
Removed feature: Tinyproxy
Feature change description
Support for the tinyproxy feature was removed.
Removed command
http-proxy
Syntax
http-proxy
undo http-proxy
Views
System view
Release 0306P07
This release has the following changes:
New feature: CFD configuration
Modified feature: Support using dots in user profile name
Modified feature: Default size of the TCP receive and send buffer
Modified feature: Support for obtaining fan tray and power module vendor information through MIB
Modified feature: Supporting per-packet load sharing
Modified feature: Automatic configuration
Modified feature: Software image signature
New feature: L2TP-based EAD
Enabling L2TP-based EAD
EAD authenticates PPP users that pass the access authentication. PPP users that pass EAD authentication can access network resources. PPP users that fail EAD authentication can only access the resources in the quarantine areas.
EAD uses the following procedure:
1. The iNode client uses L2TP to access the LNS. After the client passes the PPP authentication, the CAMS/IMC server assigns isolation ACLs to the LNS. The LNS uses the isolation ACLs to filter incoming packets.
2. After the IPCP negotiation, the LNS sends the IP address of the CAMS/IMC server to the iNode client. The server IP address is permitted by the isolation ACLs.
3. The CAMS/IMC server authenticates the iNode client and performs a security check on the iNode client. If the iNode client passes the security check, the CAMS/IMC server assigns security ACLs for the iNode client to the LNS. The iNode client can then access network resources.
To enable L2TP-based EAD:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Create a VT interface and enter its view.
  Command: interface virtual-template virtual-template-number
  Remarks: N/A
Step 3: Enable L2TP-based EAD.
  Command: ppp access-control enable
  Remarks: By default, L2TP-based EAD is disabled.
Command reference
ppp access-control enable
Use ppp access-control enable to enable L2TP-based EAD.
Use undo ppp access-control enable to disable L2TP-based EAD.
Syntax
ppp access-control enable
undo ppp access-control enable
Default
L2TP-based EAD is disabled.
Views
VT interface view
Predefined user roles
network-admin
Usage guidelines
This command does not apply to VA interfaces that already existed in the VT interface. It only applies to newly created VA interfaces.
Different ACLs are required for different users if the VT interface is used as the access interface for the LNS.
After L2TP-based EAD is enabled, the LNS transparently passes CAMS/IMC packets to the iNode client to inform the client of EAD server information, such as the IP address.
Examples
# Enable L2TP-based EAD.
<Sysname> system-view
[Sysname] interface virtual-template 10
[Sysname-Virtual-Template10] ppp access-control enable
display ppp access-control interface
Use display ppp access-control interface to display access control information for VA interfaces on a VT interface.
Syntax
display ppp access-control interface { interface-type interface-number | interface-name }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface-type interface-number: Specifies an interface by its type and number.
interface-name: Specifies an interface by its name.
Examples
# Display access control information for VA interfaces on VT interface 2.
<Sysname> display ppp access-control interface virtual-template 2
Interface: Virtual-Template2:0
User Name: mike
In-bound Policy: acl 3000
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Interface: Virtual-Template2:1
User Name: tim
In-bound Policy: acl 3001
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Table 1 Command output
Field | Description
Interface | VA interface that the PPP user accesses.
User Name | Username of the PPP user.
In-bound Policy | Security ACLs for the PPP user.
Totally x packets, x bytes, x% permitted | Total number, data rate, and pass percentage of permitted packets.
Totally x packets, x bytes, x% denied | Total number, data rate, and reject percentage of denied packets.
New feature: CFD configuration
Configuring CFD configuration
Configuring a two-way DM continuity test.
Setting the delay thresholds in a two-way DM continuity test.
Configuring a one-way packet loss continuity test.
Setting the packet loss ratio thresholds in a one-way packet loss continuity test.
Setting the time that a blocked port must wait before it comes up in a one-way packet loss continuity test.
Configuring a bit error continuity test.
Setting the error packet ratio thresholds in a bit error continuity test.
Displaying two-way DM continuity test results.
Displaying one-way packet loss continuity test results.
Setting the test mode and action for triggering port association.
Displaying bit error test results.
Command reference
cfd dm two-way continual
cfd dm two-way threshold
cfd slm continual
cfd slm threshold
cfd slm port-trigger up-delay
cfd tst continual
cfd tst threshold
display cfd dm two-way history
display cfd slm history
cfd port-trigger
display cfd tst history
See HPE FlexNetwork MSR Router Series Command References (V7).
Modified feature: Support using dots in user profile name
Feature change description
In this release, the user profile name supports using dots (.).
Command changes
Modified command: user-profile
Syntax
user-profile profile-name
undo user-profile profile-name
Views
System view
Change description
Before modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_), and the name must start with an English letter.
After modification: The user profile name is a case-sensitive string of 1 to 31 characters. Valid characters are letters, digits, underscores (_), and dots (.), and the name must start with an English letter.
Modified feature: Default size of the TCP receive and send buffer
Feature change description
The default value for the TCP receive and send buffer size was changed to 63 KB.
To set the TCP buffer size:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Set the TCP receive and send buffer size.
  Command: tcp window window-size
  Remarks: By default, the TCP receive and send buffer size is 63 KB.
Command changes
Modified command: tcp window
Syntax
tcp window window-size
undo tcp window
Views
System view
Change description
Before modification: The default value for the window-size argument was 64 KB.
After modification: The default value for the window-size argument is 63 KB.
Modified feature: Support for obtaining fan tray and power module vendor information through MIB
Feature change description
In this release, the device supports obtaining fan tray and power module vendor information through MIB.
Command changes
None
Modified feature: Supporting per-packet load sharing
Feature change description
The per-packet keyword was added to the ip load-sharing mode command to support per-packet load sharing.
Command changes
Modified command: ip load-sharing mode
Old syntax
Centralized devices:
ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ]
Centralized IRF devices and distributed devices in standalone mode:
ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] [ slot slot-number ]
Distributed devices in IRF mode:
ip load-sharing mode per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] [ chassis chassis-number slot slot-number ]
New syntax
Centralized devices:
ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }
Centralized IRF devices and distributed devices in standalone mode:
ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }
Distributed devices in IRF mode:
ip load-sharing mode { per-flow [ [ dest-ip | dest-port | ip-pro | src-ip | src-port ] * ] | per-packet }
Views
System view
Change description
The per-packet keyword was added to the ip load-sharing mode command to support per-packet load sharing.
Modified feature: Automatic configuration
Feature change description
A limit was added to the number of automatic configuration attempts. If the device fails to be automatically configured within the limit, the device quits the automatic configuration process.
Command changes
None
Modified feature: Software image signature
Feature change description
A field was added to output from a set of display commands to display software image signature information.
Command changes
Modified command: display install active
Syntax
Centralized devices:
display install active [ verbose ]
Centralized IRF devices and distributed devices in standalone mode:
display install active [ slot slot-number ] [ verbose ]
Distributed devices in IRF mode:
display install active [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 2 Command output
Field | Description
Software image signature | Signature for the software image:
  HP—For software images of the HP version.
  HP-US—For software images of the HP US version.
  HPE—For software images of the HPE version.
Modified command: display install backup
Syntax
Centralized devices:
display install backup [ verbose ]
Centralized IRF devices and distributed devices in standalone mode:
display install backup [ slot slot-number ] [ verbose ]
Distributed devices in IRF mode:
display install backup [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 3 Command output
Field | Description
Software image signature | Signature for the software image:
  HP—For software images of the HP version.
  HP-US—For software images of the HP US version.
  HPE—For software images of the HPE version.
Modified command: display install committed
Syntax
Centralized devices:
display install committed [ verbose ]
Centralized IRF devices and distributed devices in standalone mode:
display install committed [ slot slot-number ] [ verbose ]
Distributed devices in IRF mode:
display install committed [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 4 Command output
Field | Description
Software image signature | Signature for the software image:
  HP—For software images of the HP version.
  HP-US—For software images of the HP US version.
  HPE—For software images of the HPE version.
Modified command: display install inactive
Syntax
Centralized devices:
display install inactive [ verbose ]
Centralized IRF devices and distributed devices in standalone mode:
display install inactive [ slot slot-number ] [ verbose ]
Distributed devices in IRF mode:
display install inactive [ chassis chassis-number slot slot-number ] [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 5 Command output
Field | Description
Software image signature | Signature for the software image:
  HP—For software images of the HP version.
  HP-US—For software images of the HP US version.
  HPE—For software images of the HPE version.
Modified command: display install ipe-info
Syntax
display install ipe-info ipe-filename
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 6 Command output
Field | Description
Software image signature | Signature for the software image:
  HP—For software images of the HP version.
  HP-US—For software images of the HP US version.
  HPE—For software images of the HPE version.
Modified command: display install package
Syntax
display install package { filename | all } [ verbose ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 7 Command output
Field | Description
Software image signature | Signature for the software image:
  HP—For software images of the HP version.
  HP-US—For software images of the HP US version.
  HPE—For software images of the HPE version.
Modified command: display install which
Syntax
Centralized devices:
display install which { component name | file filename }
Centralized IRF devices and distributed devices in standalone mode:
display install which { component name | file filename } [ slot slot-number ]
Distributed devices in IRF mode:
display install which { component name | file filename } [ chassis chassis-number slot slot-number ]
Views
Any view
Change description
The Software image signature field was added to display software image signature information.
Table 8 Command output
Field | Description
Software image signature | Signature for the software image:
  HP—For software images of the HP version.
  HP-US—For software images of the HP US version.
  HPE—For software images of the HPE version.
Release 0305P08
This release has the following changes:
New feature: Disabling transceiver module alarm
Modified feature: Default user role
New feature: mGRE
Overview
Multipoint Generic Routing Encapsulation (mGRE) is a dynamic VPN technology that uses the Next Hop Resolution Protocol (NHRP).
Traditional GRE tunnels for a VPN are static and require manual configuration and maintenance, resulting in poor extensibility. If branches of an enterprise access the public network by using dynamic IP addresses, it is difficult to set up GRE tunnels between the branches. mGRE can dynamically establish tunnels for the branches, because NHRP can map the private IP address of a branch to its public IP address.
mGRE operation scheme
An mGRE network uses the client/server model. It has the following types of nodes:
NHS—NHRP server, the hub device in the mGRE network. The NHS is the routing information exchange center. It is also the data forwarding center in an NHS-NHC network.
NHC—NHRP client, a spoke device in the mGRE network. Typically, it is the gateway of a branch network. An NHC does not forward data received from other mGRE nodes. mGRE obtains dynamic public addresses of NHCs through their private addresses to establish mGRE tunnels and forward packets. The public address is the IP address of the interface connected to the Internet. The private address is the IP address of the mGRE tunnel interface.
An NHC registers its public and private addresses with the NHS, and it re-registers its public address whenever the public address changes. An NHC obtains the current public address of a peer NHC from the NHS through NHRP, so the two NHCs can establish an mGRE tunnel over the Internet.
mGRE operation procedure
The mGRE operation includes the following phases:
Registration.
Tunnel establishment.
Route learning and packet forwarding.
Registration
As shown in Figure 10, the registration process is as follows:
1. The NHC sends a registration request to the NHS.
2. After the NHS receives the request, it performs the NHRP packet authentication key and GRE key matching. If both keys are matched, registration succeeds. The NHS sends a registration success message to the NHC.
Figure 10 Registration process (figure: the NHC sends 1) a registration request to the NHS; the NHS returns 2) a registration acknowledgment)
Tunnel establishment
mGRE networks support the following types of networking:
Full-mesh network—NHCs can establish tunnels between each other for direct communication. The NHS acts as the routing information exchange center.
Figure 11 Full-mesh network (figure: NHS, NHC 1 at Site 1 and NHC 2 at Site 2 connected over the public network; NHS-NHC tunnels from each NHC to the NHS, and a direct NHC-NHC data path between the two sites)
NHS-NHC network—NHCs cannot establish tunnels between each other. Instead, they establish tunnels with the NHS. The NHS forwards data for the NHCs. The NHS acts as both the routing information exchange center and the data forwarding center.
Figure 12 NHS-NHC network (figure: NHS, NHC 1 at Site 1 and NHC 2 at Site 2 connected over the public network; NHS-NHC tunnels from each NHC to the NHS, with data between the two sites relayed through the NHS)
An mGRE tunnel is established as follows:
NHC-NHS tunnel establishment process:
An NHC-NHS tunnel is established in the registration process. During registration, the NHC-NHS tunnel is in initialization state. After registration succeeds, the NHC-NHS tunnel is in success state.
An NHC-NHS tunnel is permanent. An NHC can establish permanent tunnels to any number of NHSs.
NHC-NHC tunnel establishment process:
a. In a full-mesh network, when an NHC receives a data packet but finds no tunnel for forwarding the packet, the NHC (initiator) sends an address resolution request to the NHS.
b. After receiving the request, the NHS looks up the local NHRP mapping table to find the peer NHC (responder) and forwards the request to the peer NHC.
c. After receiving the request, the peer NHC creates a temporary tunnel and sends an address resolution response to the initiator.
An NHC-NHC tunnel is dynamic. If no data is exchanged within the NHC-NHC tunnel idle timeout, the tunnel is deleted.
Route learning and packet forwarding
mGRE nodes learn private routes by using dynamic routing protocols.
Dynamic routing must be configured for all private networks and mGRE tunnel interfaces to ensure IP connectivity among the private networks. From the perspective of private networks, an mGRE tunnel is a link that connects different private networks. A dynamic routing protocol discovers neighbors and updates routes over mGRE tunnels, and establishes a routing table.
When an NHC receives a packet destined for a remote private network, it performs the following operations:
1. Searches the routing table for the next hop address to the target private network.
2. Looks up the local NHRP mapping table to obtain the public address that corresponds to the next hop address.
3. Uses the public address as the tunnel destination address to encapsulate the packet.
4. Sends the encapsulated packet to the peer NHC over the mGRE tunnel.
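Added example, not HPE code, covering the registration, tunnel establishment and forwarding steps described above: a small Python model in which the NHS checks both keys at registration and relays a resolution request to the responder NHC, while an NHC runs the four forwarding steps and ages out idle NHC-NHC tunnels. Class names, method names, timers and addresses are constructed for the model.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not HPE code: a small model of the NHRP/mGRE steps described
# above (registration with key matching, NHC-NHC resolution relayed by the NHS,
# the four forwarding steps, and idle-timeout deletion of dynamic NHC-NHC
# tunnels). Class names, method names and the scenario are assumptions.


@dataclass
class MappingEntry:
    nbma: str          # public (NBMA) address of the peer
    entry_type: str    # "static" (configured) or "cached" (learned through NHRP)
    expires_at: float  # absolute time in seconds; math.inf for static entries


class NHS:
    """Hub: owns the NHRP mapping table and relays resolution requests."""

    def __init__(self, private: str, nbma: str, auth_key: str, gre_key: int, holdtime: int = 7200):
        self.private, self.nbma, self.holdtime = private, nbma, holdtime
        self.auth_key, self.gre_key = auth_key, gre_key
        self.mappings: Dict[str, MappingEntry] = {}
        self.clients: Dict[str, "NHC"] = {}

    def register(self, client: "NHC", auth_key: str, gre_key: int, now: float) -> bool:
        # Registration step 2: the NHRP authentication key and the GRE key must both match.
        if auth_key != self.auth_key or gre_key != self.gre_key:
            return False
        self.mappings[client.private] = MappingEntry(client.nbma, "cached", now + self.holdtime)
        self.clients[client.private] = client
        return True

    def resolve(self, initiator: "NHC", target_private: str, now: float) -> Optional[str]:
        # Resolution step b: find the responder in the mapping table and forward the request.
        entry = self.mappings.get(target_private)
        if entry is None or entry.expires_at <= now:
            self.mappings.pop(target_private, None)  # expired entries are dropped
            return None
        return self.clients[target_private].answer_resolution(initiator, now)


class NHC:
    """Spoke: routes, a local NHRP mapping table and dynamic NHC-NHC tunnels."""

    def __init__(self, private: str, nbma: str, nhs: NHS, auth_key: str, gre_key: int,
                 idle_timeout: int = 120):
        self.private, self.nbma, self.nhs = private, nbma, nhs
        self.auth_key, self.gre_key, self.idle_timeout = auth_key, gre_key, idle_timeout
        self.routes: Dict[str, str] = {}  # destination prefix -> next-hop private address
        # 'nhrp nhs nhs-address nbma nbma-address': a static, permanent mapping to the hub.
        self.mappings = {nhs.private: MappingEntry(nhs.nbma, "static", math.inf)}
        self.tunnels: Dict[str, float] = {}  # peer private address -> time of last use

    def register(self, now: float) -> bool:
        # Registration step 1; the NHC-NHS tunnel is permanent once this succeeds.
        return self.nhs.register(self, self.auth_key, self.gre_key, now)

    def answer_resolution(self, initiator: "NHC", now: float) -> str:
        # Resolution step c: the responder creates a temporary tunnel and replies.
        self.mappings[initiator.private] = MappingEntry(initiator.nbma, "cached", now + self.nhs.holdtime)
        self.tunnels[initiator.private] = now
        return self.nbma

    def forward(self, dst_prefix: str, now: float) -> Optional[Tuple[str, str]]:
        """Forwarding steps 1-4; returns (tunnel destination public address, next hop)."""
        next_hop = self.routes.get(dst_prefix)  # 1. routing table lookup
        if next_hop is None:
            return None
        entry = self.mappings.get(next_hop)  # 2. local NHRP mapping lookup
        if entry is None or entry.expires_at <= now:
            nbma = self.nhs.resolve(self, next_hop, now)  # no tunnel yet: resolution step a
            if nbma is None:
                return None
            entry = MappingEntry(nbma, "cached", now + self.nhs.holdtime)
            self.mappings[next_hop] = entry
        if next_hop != self.nhs.private:  # NHC-NHC tunnels are dynamic; refresh the idle timer
            self.tunnels[next_hop] = now
        return entry.nbma, next_hop  # 3-4. encapsulate to the public address and send

    def expire_idle_tunnels(self, now: float) -> List[str]:
        """Delete NHC-NHC tunnels that carried no data within the idle timeout."""
        idle = [peer for peer, last in self.tunnels.items() if now - last >= self.idle_timeout]
        for peer in idle:
            del self.tunnels[peer]
            self.mappings.pop(peer, None)
        return idle


def demo() -> Tuple[bool, bool, Optional[Tuple[str, str]], List[str]]:
    """Constructed scenario: one hub, two spokes, and a spoke with the wrong GRE key."""
    hub = NHS("192.168.180.1", "10.0.0.1", "nhrp-secret", 100)
    spoke1 = NHC("192.168.180.136", "10.0.0.3", hub, "nhrp-secret", 100)
    spoke2 = NHC("192.168.180.137", "10.0.1.4", hub, "nhrp-secret", 100)
    rogue = NHC("192.168.180.200", "10.0.9.9", hub, "nhrp-secret", 999)
    registered = spoke1.register(0) and spoke2.register(0)
    rejected = rogue.register(0)  # GRE key mismatch: registration fails
    spoke1.routes["172.16.2.0/24"] = spoke2.private  # learned by a dynamic routing protocol
    path = spoke1.forward("172.16.2.0/24", 10)  # triggers resolution and a C-C tunnel
    idle = spoke1.expire_idle_tunnels(10 + 120)  # no data within the idle timeout
    return registered, rejected, path, idle
```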
mGRE support for NAT traversal
An NHC-NHC tunnel can traverse a NAT gateway. The tunnel can be established when the tunnel initiator, the receiver, or both ends reside behind the NAT gateway.
mGRE configuration task list
To set up an mGRE network, first configure the NHSs and then the NHCs.
IMPORTANT:
The device can act only as an NHC. It cannot act as an NHS.
To configure mGRE on an NHC:
Tasks at a glance
(Required.) Configuring routing
(Optional.) Configuring IPsec for an mGRE tunnel
Configuring an mGRE tunnel
The public address of an NHC can be statically configured or dynamically assigned. The private address of an NHC must be statically configured.
For more information about tunnel interfaces, see tunneling configuration in Layer 3—IP Services Configuration Guide. For more information about the interface tunnel, source, and tunnel dfbit enable commands and other commands for a tunnel interface, see tunneling commands in Layer 3—IP Services Command Reference.
To configure an mGRE tunnel:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Create an mGRE tunnel interface and enter tunnel interface view.
  Command: interface tunnel number mode mgre
  Remarks: By default, no tunnel interfaces exist.
Step 3: Configure a private address for the tunnel interface.
  Command: ip address ip-address { mask | mask-length } [ sub ]
  Remarks: By default, no private address is configured for a tunnel interface.
Step 4: Configure a source address or source interface for the tunnel interface.
  Command: source { ip-address | interface-type interface-number }
  Remarks: By default, no source address or source interface is configured for a tunnel interface. If you specify a source address, it is used as the source IP address of tunneled packets. If you specify a source interface, the primary IP address of this interface is used as the source IP address of tunneled packets.
Step 5: Configure an NHRP packet authentication key.
  Command: nhrp authentication [ cipher | simple ] string
  Remarks: By default, no NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets received from each other.
Step 6: Configure an NHRP network ID for the mGRE tunnel.
  Command: nhrp network-id number
  Remarks: By default, an mGRE tunnel does not have an NHRP network ID.
Step 7: Configure the holdtime for NHRP mapping entries.
  Command: nhrp holdtime seconds
  Remarks: By default, the holdtime of NHRP mapping entries is 7200 seconds.
Step 8: Configure an NHS private-to-public address mapping.
  Command: nhrp nhs nhs-address nbma nbma-address
  Remarks: By default, no NHS private-to-public address mappings are configured.
Step 9: (Optional.) Configure a GRE key for the tunnel interface.
  Command: gre key key
  Remarks: By default, no GRE key is configured for an mGRE tunnel interface. You must configure the same GRE key or configure no key on both ends of a tunnel. On the device, you must configure different GRE keys for mGRE tunnel interfaces that have the same source address or source interface. For more information about the GRE key, see GRE in Layer 3—IP Services Configuration Guide.
Step 10: (Optional.) Set the DF bit for tunneled packets.
  Command: tunnel dfbit enable
  Remarks: By default, the DF bit is not set. Tunneled packets can be fragmented for forwarding.
Configuring routing
mGRE clients support the dynamic routing protocols OSPF, RIP, and BGP.
When you configure routing for an mGRE client, follow these restrictions and guidelines:
When OSPF is used, specify the OSPF interface network type as broadcast in a full-mesh network and as p2mp in an NHS-NHC network.
Full-mesh networks do not support RIP. NHS-NHC networks must use the RIP-2 multicast mode and disable the split horizon feature on NHS nodes.
When BGP is used, configure routing policies to ensure the following:
In a full-mesh network, ensure that the local NHC learns a route to the remote private network, and the route's next hop address is the address of the remote NHC.
In an NHS-NHC network, ensure that the local NHC learns a route to the remote private network, and the route's next hop address is the address of the NHS.
For more information about OSPF, RIP, BGP, and routing policy configuration, see Layer 3—IP Routing Configuration Guide.
Configuring IPsec for an mGRE tunnel
The device supports protecting mGRE tunnel data and control packets by using IPsec profiles.
To configure IPsec for an mGRE tunnel:
1. Configure an IPsec transform set to specify the security protocol, authentication and encryption algorithms, and encapsulation type.
2. Configure an IKE-based IPsec profile.
3. Apply the IKE-based IPsec profile to the mGRE tunnel interface.
For more information about IPsec configuration, see "Configuring IPsec."
Displaying and maintaining mGRE
Execute display commands in any view and reset commands in user view.
Task | Command
Display information about NHRP mapping entries. | display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
Display NHRP packet statistics for tunnel interfaces. | display nhrp statistics [ interface tunnel interface-number ]
Display mGRE session information. | display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
Clear NHRP packet statistics for tunnel interfaces. | reset nhrp statistics [ interface tunnel interface-number ]
Reset mGRE sessions. | reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]
Clear mGRE session statistics. | reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]
Command reference
New command: display mgre session
Use display mgre session to display mGRE session information.
Syntax
display mgre session [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command displays mGRE session information for all mGRE tunnel interfaces.
peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command displays all mGRE session information for the specified mGRE tunnel interface.
verbose: Displays detailed information about IPv4 mGRE sessions. If you do not specify this keyword, the command displays brief information about mGRE sessions.
Usage guidelines
If you do not specify any parameters, this command displays brief information about all mGRE sessions on all tunnel interfaces.
Examples
# Display brief information about all mGRE sessions.
<Sysname> display mgre session
Interface : Tunnel1
Number of sessions: 2
Peer NBMA address Peer protocol address Type State State duration
10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01
10.0.1.4 192.168.180.137 C-C Establishing 00:30:02
# Display brief information about mGRE sessions on the specified tunnel interface.
<Sysname> display mgre session interface tunnel 1
Interface : Tunnel1
Number of sessions: 2
Peer NBMA address Peer protocol address Type State State duration
10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01
10.0.1.4 192.168.180.137 C-C Establishing 00:30:02
# Display brief information about the mGRE session with the specified peer address.
<Sysname> display mgre session interface tunnel 1 peer 10.0.0.3
Interface : Tunnel1
Number of sessions: 1
Peer NBMA address Peer protocol address Type State State duration
10.0.0.3 192.168.180.136 C-S Succeeded 00:30:01
Table 26 Command output
Field | Description
Interface | Name of the mGRE tunnel interface.
Number of sessions | Total number of mGRE sessions on the tunnel interface.
Peer NBMA address | Public address of the peer.
Peer protocol address | IP address of the peer tunnel interface.
Type | mGRE session type:
  C-S—The local end is an NHC, and the peer end is the NHS.
  C-C—The local end is an NHC, and the peer end is an NHC.
  UNKNOWN—The local end is an NHC, and the peer end type is unknown.
State | mGRE session state: Succeeded or Establishing.
State duration | Duration of the current session state, in the format of hh:mm:ss.
# Display detailed information about all IPv4 mGRE sessions.
<Sysname> display mgre session verbose
Interface : Tunnel1
Link protocol : GRE
Number of sessions: 2
Peer NBMA address : 10.0.1.3
Peer protocol address: 192.168.180.136
Session type : C-S
State : Succeeded
State duration : 00:30:01
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Peer NBMA address : 10.0.1.4
Peer protocol address: 192.168.180.137
Session type : C-S
State : Succeeded
State duration : 00:31:01
Input : 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
Output: 16 packets, 0 data packets, 16 control packets
0 multicasts, 0 errors
Interface : Tunnel2
Link protocol : IPsec-GRE
SA's SPI :
Inbound : 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
Number of sessions: 1
Peer NBMA address : 20.0.0.3
Peer protocol address: 192.168.181.137
Behind NAT : No
Session type : C-C
SA's SPI :
Inbound : 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
State : Establishing
State duration : 00:31:01
Input : 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
# Display detailed information about IPv4 mGRE sessions on interface Tunnel1.
<Sysname> display mgre session interface tunnel 1 verbose
Interface : Tunnel1
Link protocol : GRE
Number of sessions: 1
Peer NBMA address : 20.0.0.3
Peer protocol address: 192.168.181.137
Behind NAT : No
Session type : C-C
State : Succeeded
State duration : 00:31:01
Input : 0 packets, 0 data packets, 0 control packets
0 multicasts, 0 errors
Output: 1 packets, 0 data packets, 1 control packets
0 multicasts, 0 errors
# Display detailed information about the mGRE session with the peer public address 202.12.12.12.
<Sysname> display mgre session peer 202.12.12.12 verbose
Interface : Tunnel1
Link protocol : GRE
Number of sessions: 1
Peer NBMA address : 202.12.12.12
Peer protocol address: 192.168.180.136
Session type : C-S
State : Succeeded
State duration : 00:30:01
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
Table 27 Command output
Field | Description
Interface | Name of the mGRE tunnel interface.
Link protocol | Encapsulation protocol used by the mGRE tunnel: GRE or IPsec-GRE.
Number of sessions | Total number of mGRE sessions on the tunnel interface.
Peer NBMA address | Public address of the peer.
Peer protocol address | IP address of the peer tunnel interface.
SA's SPI | SPI of the inbound and outbound SAs. This field is available when the mGRE tunnel is carried over IPsec.
Behind NAT | Whether the peer NHC has traversed a NAT device.
Session type | mGRE session type:
  C-S—The local end is an NHC, and the peer end is the NHS.
  C-C—The local end is an NHC, and the peer end is an NHC.
State | mGRE session state: Succeeded or Establishing.
State duration | Duration of the current session state, in the format of hh:mm:ss.
Input | Statistics on received packets:
  packets—Total number of packets.
  data packets—Number of data packets.
  control packets—Number of control packets.
  multicasts—Number of multicast packets.
  errors—Number of error packets.
Output | Statistics on sent packets:
  packets—Total number of packets.
  data packets—Number of data packets.
  control packets—Number of control packets.
  multicasts—Number of multicast packets.
  errors—Number of error packets.
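Added example, not HPE code: a Python parser for the display mgre session verbose output format documented above, followed by a review pass that flags sessions stuck in Establishing, tunnels whose link protocol is plain GRE rather than IPsec-GRE, and non-zero error counters. SAMPLE_OUTPUT is constructed after the format shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not HPE code: a parser for the 'display mgre session verbose'
# output format documented above, plus a review pass over the parsed sessions.
# SAMPLE_OUTPUT is constructed for this example after the format shown above.

SAMPLE_OUTPUT = """\
Interface : Tunnel1
Link protocol : GRE
Peer NBMA address : 10.0.1.4
Peer protocol address: 192.168.180.137
Behind NAT : Yes
Session type : C-C
State : Establishing
State duration : 00:31:01
Input : 1 packets, 0 data packets, 1 control packets
0 multicasts, 4 errors
Output: 16 packets, 0 data packets, 16 control packets
0 multicasts, 0 errors
Interface : Tunnel2
Link protocol : IPsec-GRE
SA's SPI :
Inbound : 187199087 (0xb286e6f) [ESP]
Outbound: 3562274487 (0xd453feb7) [ESP]
Number of sessions: 1
Peer NBMA address : 20.0.0.3
Peer protocol address: 192.168.181.137
Behind NAT : No
Session type : C-S
State : Succeeded
State duration : 00:30:01
Input : 2201 packets, 218 data packets, 3 control packets
2191 multicasts, 0 errors
Output: 2169 packets, 2168 data packets, 1 control packets
2163 multicasts, 0 errors
"""


@dataclass
class Session:
    interface: str
    link_protocol: str
    peer_nbma: str
    peer_protocol: str = ""
    session_type: str = ""
    state: str = ""
    duration_s: int = 0
    behind_nat: Optional[bool] = None
    input_errors: int = 0
    output_errors: int = 0


KV = re.compile(r"^\s*([A-Za-z' ]+?)\s*:\s*(.*)$")  # "Key : value"; keys may hold spaces or '
PLAIN = {"Peer protocol address": "peer_protocol", "Session type": "session_type", "State": "state"}


def parse_mgre_sessions(text: str) -> List[Session]:
    sessions: List[Session] = []
    interface = link = side = ""  # side is "input"/"output" inside a two-line counter block
    cur: Optional[Session] = None
    for line in text.splitlines():
        m = KV.match(line)
        if m is None:  # second counter line: "<n> multicasts, <n> errors"
            e = re.search(r"(\d+) errors\b", line)
            if e and cur is not None and side:
                setattr(cur, f"{side}_errors", int(e.group(1)))
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface":
            interface, link, cur = value, "", None
        elif key == "Link protocol":
            link = value
        elif key == "Peer NBMA address":  # first line of every session block
            cur = Session(interface, link, value)
            sessions.append(cur)
        elif cur is None:
            continue  # interface-level lines such as SA's SPI or Number of sessions
        elif key in PLAIN:
            setattr(cur, PLAIN[key], value)
        elif key == "State duration":
            hh, mm, ss = (int(part) for part in value.split(":"))
            cur.duration_s = hh * 3600 + mm * 60 + ss
        elif key == "Behind NAT":
            cur.behind_nat = value == "Yes"
        elif key in ("Input", "Output"):
            side = key.lower()
    return sessions


def review_sessions(sessions: List[Session], stuck_after_s: int = 600) -> List[str]:
    """Flag sessions stuck in Establishing, tunnels not carried over IPsec, and error counters."""
    findings = []
    for s in sessions:
        where = f"{s.interface} peer {s.peer_nbma}"
        if s.state == "Establishing" and s.duration_s >= stuck_after_s:
            findings.append(f"{where}: {s.session_type} session Establishing for {s.duration_s}s")
        if s.link_protocol != "IPsec-GRE":
            findings.append(f"{where}: link protocol {s.link_protocol}, not protected by IPsec")
        if s.input_errors or s.output_errors:
            findings.append(f"{where}: {s.input_errors} input / {s.output_errors} output errors")
    return findings
```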
New command: display nhrp map
Use display nhrp map to display information about NHRP mapping entries.
Syntax
display nhrp map [ interface tunnel interface-number [ peer ipv4-address ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command displays NHRP mapping table information for all mGRE tunnel interfaces.
peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command displays NHRP mapping entries for all peers.
verbose: Displays detailed information about NHRP mapping entries. If you do not specify this keyword, the command displays brief information about NHRP mapping entries.
Usage guidelines
If you do not specify any parameters, this command displays brief information about all NHRP mapping entries.
Examples
# Display brief information about all NHRP mapping entries.
<Sysname> display nhrp map
Destination/mask Next hop NBMA address Type Interface
172.16.1.1/32 172.16.1.1 105.112.100.4 cached Tunnel0
172.16.1.2/32 172.16.1.2 105.112.100.92 cached Tunnel0
# Display detailed information about all NHRP mapping entries.
<Sysname> display nhrp map verbose
Interface : Tunnel0
Destination/mask : 172.16.1.1/32
Next hop : 172.16.1.1
Creation time : 00:38:44
Expiration time : 01:21:15
Type : cached
Flags : unique, up, used
NBMA address : 105.112.100.4
Interface : Tunnel0
Destination/mask : 172.16.1.2/32
Next hop : 172.16.1.2
Creation time : 00:25:53
Expiration time : 01:34:06
Type : cached
Flags : unique, up, used, ipsec
NBMA address : 105.112.100.92
Table 28 Command output
Field | Description
Destination/mask | Destination tunnel interface address and mask of the mapping entry.
Next hop | Next hop address to reach the destination network.
Creation time | Period of time for which the mapping entry has existed.
Expiration time | Period of time in which the mapping entry will expire.
Type | Mapping entry type:
  static—The entry is statically configured.
  cached—The entry is dynamically obtained.
  Incomplete—The entry is dynamic and incomplete.
Flags | Mapping entry flags:
  unique—The mapping entry in the registration request cannot be overwritten by a mapping entry that has the same protocol address and a different public address. A client can register the new entry with the server only after the mapping entry on the server expires.
  used—This mapping entry is used for packet forwarding.
  up—Packets can be forwarded.
  ipsec—IPsec negotiation succeeded. Packets will be protected by IPsec.
  init—Initialization state.
New command: display nhrp statistics
Use display nhrp statistics to display NHRP packet statistics for a tunnel interface.
Syntax
display nhrp statistics [ interface tunnel interface-number ]
Views
Any view
Predefined user roles
network-admin network-operator
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command displays NHRP packet statistics for all tunnel interfaces.
Examples
# Display NHRP packet statistics.
<Sysname> display nhrp statistics
Tunnel0:
NHRP packets sent : 815
Resolution requests : 15
Resolution replies : 1
Registration requests : 0
Registration replies : 797
Purge requests : 2
Purge replies : 0
Error indications : 0
Traffic indications : 0
NHRP packets received : 1453
Resolution requests : 15
Resolution replies : 1
Registration requests : 1435
Registration replies : 2
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
Tunnel1:
NHRP packets sent : 3
Resolution Requests : 0
Resolution replies : 0
Registration requests : 0
Registration replies : 3
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
NHRP packets received : 3
Resolution requests : 0
Resolution replies : 0
Registration requests : 3
Registration replies : 0
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
# Display NHRP packet statistics for the specified tunnel interface.
<Sysname> display nhrp statistics interface tunnel 0
Tunnel0:
NHRP packets sent : 815
Resolution requests : 15
Resolution replies : 1
Registration requests : 0
Registration replies : 797
Purge requests : 2
Purge replies : 0
Error indications : 0
Traffic indications : 0
NHRP packets received : 1453
Resolution requests : 15
Resolution replies : 1
Registration requests : 1435
Registration replies : 2
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
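The counters above are most useful when something is read against them. The following added example (not Comware code) parses `display nhrp statistics` output into per-tunnel, per-direction counters and applies a few defender-side checks; Tunnel0 in the sample is copied from the page's own output, while Tunnel2 is constructed here to show a tunnel whose registrations are never answered.

```python
"""Parse `display nhrp statistics` output and flag tunnels worth a closer look.
Added example for this page, not Comware code. Tunnel0 is copied from the page's
own output; Tunnel2 is constructed here to show the failure case."""
import re
from typing import Dict, List

# Constructed sample output (Tunnel0 from the page, Tunnel2 invented).
SAMPLE_OUTPUT = """\
Tunnel0:
NHRP packets sent : 815
Resolution requests : 15
Resolution replies : 1
Registration requests : 0
Registration replies : 797
Purge requests : 2
Purge replies : 0
Error indications : 0
Traffic indications : 0
NHRP packets received : 1453
Resolution requests : 15
Resolution replies : 1
Registration requests : 1435
Registration replies : 2
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
Tunnel2:
NHRP packets sent : 40
Resolution Requests : 0
Resolution replies : 0
Registration requests : 40
Registration replies : 0
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
NHRP packets received : 0
Resolution requests : 0
Resolution replies : 0
Registration requests : 0
Registration replies : 0
Purge requests : 0
Purge replies : 0
Error indications : 0
Traffic indications : 0
"""

Counters = Dict[str, Dict[str, int]]  # direction -> counter name -> value


def parse_nhrp_statistics(text: str) -> Dict[str, Counters]:
    """Return {tunnel: {"sent": {...}, "received": {...}}} from the CLI text."""
    stats: Dict[str, Counters] = {}
    tunnel = direction = None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.fullmatch(r"(Tunnel\d+):", line)
        if head:
            tunnel, direction = head.group(1), None
            stats[tunnel] = {}
            continue
        total = re.fullmatch(r"NHRP packets (sent|received)\s*:\s*(\d+)", line)
        if total and tunnel:
            direction = total.group(1)
            stats[tunnel][direction] = {"total": int(total.group(2))}
            continue
        item = re.fullmatch(r"([A-Za-z ]+?)\s*:\s*(\d+)", line)
        if item and tunnel and direction:
            # The page shows both "Resolution Requests" and "Resolution requests";
            # normalise both spellings to one key.
            key = item.group(1).strip().lower().replace(" ", "_")
            stats[tunnel][direction][key] = int(item.group(2))
    return stats


def review_tunnel(name: str, counters: Counters) -> List[str]:
    """Defender-side checks on one tunnel's counters."""
    sent, recv = counters.get("sent", {}), counters.get("received", {})
    findings = []
    errors = sent.get("error_indications", 0) + recv.get("error_indications", 0)
    if errors:
        findings.append(f"{name}: {errors} NHRP error indication(s)")
    # NHC side: registrations leave but nothing comes back. A packet that fails
    # nhrp authentication is dropped silently, so a key mismatch looks like
    # this, as does an unreachable NHS.
    if sent.get("registration_requests", 0) and not recv.get("registration_replies", 0):
        findings.append(f"{name}: {sent['registration_requests']} registration "
                        "requests sent, none answered (check NHS reachability "
                        "and the nhrp authentication key)")
    # NHS side: registrations arrive but are never answered.
    if recv.get("registration_requests", 0) and not sent.get("registration_replies", 0):
        findings.append(f"{name}: registration requests received, none answered")
    return findings


def review_all(text: str) -> Dict[str, List[str]]:
    return {t: review_tunnel(t, c) for t, c in parse_nhrp_statistics(text).items()}
```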
New command: nhrp authentication
Use nhrp authentication to configure an NHRP packet authentication key.
Use undo nhrp authentication to restore the default.
Syntax
nhrp authentication { cipher | simple } string
undo nhrp authentication
Default
No NHRP packet authentication key is configured. NHRP nodes do not authenticate NHRP packets received from each other.
Views
mGRE tunnel interface view
Predefined user roles
network-admin
Parameters
cipher: Specifies an authentication key in encrypted form.
simple: Specifies an authentication key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key string. Its plaintext form is a case-sensitive string of 1 to 8 characters. Its encrypted form is a case-sensitive string of 1 to 41 characters.
Usage guidelines
After an NHRP packet authentication key is configured for a tunnel interface, the tunnel interface adds the key in packets sent to the peer. The tunnel interface also uses the key to authenticate NHRP packets it receives. If a packet fails the authentication, the packet will be dropped.
For mGRE tunnels to be established successfully, configure the same NHRP authentication key for all NHCs and servers in the same mGRE network.
Examples
# On interface Tunnel1, set the NHRP packet authentication key to 123456.
<Sysname> system-view
[Sysname] interface tunnel 1 mode mgre
[Sysname-Tunnel1] nhrp authentication simple 123456
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
New command: nhrp holdtime
Use nhrp holdtime to configure the holdtime for NHRP mapping entries.
Use undo nhrp holdtime to restore the default.
Syntax
nhrp holdtime seconds
undo nhrp holdtime
Default
The holdtime of NHRP mapping entries is 7200 seconds.
Views
mGRE tunnel interface view
Predefined user roles
network-admin
Parameters
seconds: Specifies the holdtime in the range of 1 to 65535 seconds.
Usage guidelines
After the holdtime is configured, the local NHRP holdtime carried in outgoing packets is updated to the configured holdtime.
Examples
# On interface Tunnel1, set the holdtime of NHRP mapping entries to 600 seconds
<Sysname> system-view
[Sysname] interface tunnel 1 mode mgre
[Sysname-Tunnel1] nhrp holdtime 600
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
New command: nhrp network-id
Use nhrp network-id to configure an NHRP network ID for an mGRE tunnel.
Use undo nhrp network-id to delete the NHRP network ID of an mGRE tunnel.
Syntax
nhrp network-id number
undo nhrp network-id
Default
An mGRE tunnel does not have an NHRP network ID.
Views
mGRE tunnel interface view
Predefined user roles
network-admin
Parameters
number: Specifies an NHRP network ID in the range of 1 to 4294967295.
Usage guidelines
A network ID is only locally significant. You can configure different NHRP network IDs for different tunnel interfaces on the device. The NHC and server can have different NHRP network IDs.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Set the NHRP network ID to 10 for mGRE tunnel interface Tunnel1.
<Sysname> system-view
[Sysname] interface tunnel 1 mode mgre
[Sysname-Tunnel1] nhrp network-id 10
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
New command: nhrp nhs
Use nhrp nhs to configure an NHS private-to-public address mapping.
Use undo nhrp nhs to delete an NHS private-to-public address mapping.
Syntax
nhrp nhs nhs-address nbma nbma-address
undo nhrp nhs nhs-address nbma nbma-address
Default
No NHS private-to-public address mappings are configured.
Views
mGRE tunnel interface view
Predefined user roles
network-admin
Parameters
nhs-address: Specifies the private address of an NHS.
nbma-address: Specifies the public address (NBMA address) of the NHS.
Usage guidelines
You can configure multiple NHSs for redundancy. If multiple NHSs are configured, NHCs register with all the NHSs.
Examples
# On interface Tunnel1, configure the NHS private address as 1.1.1.1 and public address as 120.1.1.120.
<Sysname> system-view
[Sysname] interface tunnel 1 mode mgre
[Sysname-Tunnel1] nhrp nhs 1.1.1.1 nbma 120.1.1.120
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
New command: reset mgre session
Use reset mgre session to reset dynamic mGRE sessions.
Syntax
reset mgre session [ interface tunnel interface-number [ peer ipv4-address ] ]
Views
User view
Predefined user roles
network-admin
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command resets dynamic mGRE sessions for all mGRE tunnel interfaces.
peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command resets all dynamic mGRE sessions for the specified mGRE tunnel interface.
Usage guidelines
If you do not specify any parameters, this command resets all dynamic mGRE sessions. When an mGRE session is reset, the NHC reregisters with the NHS.
Examples
# Reset the mGRE sessions on interface Tunnel1.
<Sysname> reset mgre session interface tunnel 1
# Reset the mGRE session with peer address 202.12.12.12 on interface Tunnel1.
<Sysname> reset mgre session interface tunnel 1 peer 202.12.12.12
Related commands
display mgre session
New command: reset mgre statistics
Use reset mgre statistics to clear mGRE session statistics.
Syntax
reset mgre statistics [ interface tunnel interface-number [ peer ipv4-address ] ]
Views
User view
Predefined user roles
network-admin
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command clears mGRE session statistics for all mGRE tunnel interfaces.
peer ipv4-address: Specifies a peer public address. If you do not specify this option, the command clears statistics about all mGRE sessions on the specified mGRE tunnel interface.
Examples
# Clear statistics about mGRE sessions on interface Tunnel1.
<Sysname> reset mgre statistics interface tunnel 1
# Clear statistics about the mGRE session with peer public address 192.168.1.200 on interface Tunnel1.
<Sysname> reset mgre statistics interface tunnel 1 peer 192.168.1.200
New command: reset nhrp statistics
Use reset nhrp statistics to clear NHRP packet statistics.
Syntax
reset nhrp statistics [ interface tunnel interface-number ]
Views
User view
Predefined user roles
network-admin
Parameters
interface tunnel interface-number: Specifies an mGRE tunnel interface by its number in the range of 0 to 4095. If you do not specify this option, the command clears NHRP packet statistics for all mGRE tunnel interfaces.
Examples
# Clear NHRP packet statistics for interface Tunnel1.
<Sysname> reset nhrp statistics interface tunnel 1
Related commands
display nhrp statistics
New feature: Disabling transceiver module alarm
Disabling the transceiver module alarm
The device regularly checks transceiver modules for their vendor information. If a transceiver module does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to prompt you to replace the module. This feature enables you to suppress the traps and logs.
Command reference
New command: transceiver phony-alarm-disable
Use transceiver phony-alarm-disable to disable the transceiver module alarm feature.
Use undo transceiver phony-alarm-disable to restore the default.
Syntax
transceiver phony-alarm-disable
undo transceiver phony-alarm-disable
Default
The transceiver module alarm feature is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The device regularly checks transceiver modules for their vendor information. If a transceiver module does not have a vendor name or the vendor name is not HPE, the device outputs traps and logs to prompt you to replace the module. To suppress the traps and alarms, execute this command.
Examples
# Disable the transceiver module alarm feature.
<Sysname> system-view
[Sysname] transceiver phony-alarm-disable
Modified feature: Default user role
Feature change description
The default user role can be changed. The role-name argument was added to the role default-role enable command for specifying a user role as the default user role.
Command changes
Modified command: role default-role enable
Old syntax
role default-role enable
undo role default-role enable
New syntax
role default-role enable [ role-name ]
undo role default-role enable
Views
System view
Change description
Before modification: The default user role is network-operator.
After modification: The role-name argument was added to specify any user role that exists in the system as the default user role. The argument is a case-sensitive string of 1 to 63 characters. If you do not specify this argument, the default user role is network-operator.
Modified feature: Debugging
Feature change description
The all keyword and the timeout time option were removed from the debugging command. You can no longer use the command to enable debugging for all modules at the same time or automatically disable debugging for all modules after a specific period of time.
Command changes
Modified command: debugging
Old syntax
debugging { all [ timeout time ] | module-name [ option ] }
undo debugging { all | module-name [ option ] }
New syntax
debugging module-name [ option ]
undo debugging module-name [ option ]
Views
User view
Change description
The following parameters were removed from the debugging command:
all: Enables debugging for all modules.
timeout time: Specifies the timeout time for the debugging all command. The system automatically executes the undo debugging all command after the timeout time. The time argument is in the range of 1 to 1440 minutes. If you do not specify a timeout time, you must manually execute the undo debugging all command to disable debugging for all modules.
Release 0305P04
This release has the following changes:
New feature: Public key management support for Suite B
New feature: PKI support for Suite B
New feature: IPsec support for Suite B
New feature: SSL support for Suite B
New feature: FIPS support for Suite B
New feature: SSH support for Suite B
New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group
Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces
Modified feature: Changing the maximum number of FIB table entries
Modified feature: Enabling CWMP
New feature: Public key management support for Suite B
Configuring Suite B in public key management
Suite B contains a set of encryption and authentication algorithms that meet high security requirements.
In this software version, Suite B is available in public key management. Support for new elliptic curve algorithms was added for generating ECDSA key pairs.
Command reference
Modified command: public-key local create
Old syntax
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
New syntax
public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]
Views
System view
Change description
Before modification: The secp192r1 curve was used to generate the ECDSA key pair by default. No other elliptic curve algorithms were available.
After modification: You can specify the elliptic curve used to generate the ECDSA key pair. The following elliptic curve algorithms are available:
secp192r1: Uses the secp192r1 curve to generate a 192-bit ECDSA key pair. The secp192r1 curve is used by default.
secp256r1: Uses the secp256r1 curve to generate a 256-bit ECDSA key pair.
secp384r1: Uses the secp384r1 curve to generate a 384-bit ECDSA key pair.
New feature: PKI support for Suite B
Configuring Suite B in PKI
Suite B contains a set of encryption and authentication algorithms that meet high security requirements. PKI commands were modified to support Suite B.
Command reference
Modified command: public-key ecdsa
Old syntax
public-key ecdsa name key-name
undo public-key
New syntax
public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 ]
undo public-key
Views
PKI domain view
Change description
Before modification: The secp192r1 curve was used to generate the ECDSA key pair by default. No other elliptic curve algorithms were available.
After modification: You can specify the elliptic curve used to generate the ECDSA key pair. The following elliptic curve algorithms are available:
secp192r1: Uses the secp192r1 curve to generate the key pair. The secp192r1 curve is used by default.
secp256r1: Uses the secp256r1 curve to generate the key pair.
secp384r1: Uses the secp384r1 curve to generate the key pair.
New feature: IPsec support for Suite B
Suite B contains a set of encryption and authentication algorithms that meet high security requirements. IPsec provides stronger protection by supporting Suite B and IKEv2.
Overview
Internet Key Exchange version 2 (IKEv2) is an enhanced version of IKEv1. Like IKEv1, IKEv2 has a set of self-protection mechanisms and can be used on insecure networks for reliable identity authentication, key distribution, and IPsec SA negotiation. IKEv2 provides stronger protection against attacks and higher key exchange capability, and needs fewer message exchanges than IKEv1.
IKEv2 negotiation process
Compared with IKEv1, IKEv2 simplifies the negotiation process and is much more efficient.
IKEv2 defines three types of exchanges: initial exchanges, CREATE_CHILD_SA exchange, and INFORMATIONAL exchange.
As shown in Figure 13, IKEv2 uses two exchanges during the initial exchange process: IKE_SA_INIT and IKE_AUTH, each with two messages.
IKE_SA_INIT exchange—Negotiates IKE SA parameters and exchanges keys.
IKE_AUTH exchange—Authenticates the identity of the peer and establishes IPsec SAs.
After the four-message initial exchanges, IKEv2 sets up one IKE SA and one pair of IPsec SAs. For IKEv1 to set up one IKE SA and one pair of IPsec SAs, it must go through two phases that use a minimum of six messages.
To set up one more pair of IPsec SAs within the IKE SA, IKEv2 goes on to perform an additional two-message exchange—the CREATE_CHILD_SA exchange. One CREATE_CHILD_SA exchange creates one pair of IPsec SAs. IKEv2 also uses the CREATE_CHILD_SA exchange to rekey IKE SAs and Child SAs.
IKEv2 uses the INFORMATIONAL exchange to convey control messages about errors and notifications.
Figure 13 IKEv2 initial exchange process
(Figure: Peer 1 is the initiator and Peer 2 the responder. IKE_SA_INIT, the SA exchange and key exchange: the initiator sends its IKE policy and key information; the responder searches for a matching policy, negotiates the algorithms and generates the key, and returns the confirmed policy and key information; the initiator receives the policy and generates the key. IKE_AUTH, the ID exchange, authentication and IPsec SA setup: each peer sends its identity, authentication data and IPsec proposals, and the receiving peer authenticates the identity and negotiates the IPsec SAs.)
New features in IKEv2
DH guessing
In the IKE_SA_INIT exchange, the initiator guesses the DH group that the responder is most likely to use and sends it in an IKE_SA_INIT request message. If the initiator's guess is correct, the responder responds with an IKE_SA_INIT response message and the IKE_SA_INIT exchange is finished. If the guess is wrong, the responder responds with an INVALID_KE_PAYLOAD message that contains the DH group that it wants to use. The initiator then uses the DH group selected by the responder to reinitiate the IKE_SA_INIT exchange. The DH guessing mechanism allows for more flexible DH group configuration and enables the initiator to adapt to different responders.
Cookie challenging
Messages for the IKE_SA_INIT exchange are in plain text. An IKEv1 responder cannot confirm the validity of the initiators and must maintain half-open IKE SAs, which makes the responder susceptible to DoS attacks. An attacker can send a large number of IKE_SA_INIT requests with forged source IP addresses to the responder, exhausting the responder's system resources.
IKEv2 introduces the cookie challenging mechanism to prevent such DoS attacks. When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.
The cookie challenging mechanism automatically stops working when the number of half-open IKE SAs drops below the threshold.
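The responder behaviour described above, as an added example (not Comware code): a responder answers IKE_SA_INIT requests directly while its half-open IKE SA count is below the threshold, switches to stateless cookie challenges at the threshold, and only commits state for an initiator that repeats its request with the correct cookie. The cookie construction (an HMAC over the initiator address and SPI with a responder-only secret) and the documentation addresses are assumptions of this example.

```python
"""IKEv2 cookie challenging as described on this page (added example, not Comware
code). The cookie format, HMAC-SHA256 over initiator address and SPIi with a
responder secret, is an assumption of this example."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


class CookieChallengingResponder:
    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.secret = secrets.token_bytes(32)          # never leaves the responder
        self.half_open: Set[Tuple[str, int]] = set()   # (initiator address, SPIi)

    def challenging(self) -> bool:
        """Challenging is active while half-open SAs are at or above the threshold."""
        return len(self.half_open) >= self.threshold

    def _cookie(self, src_ip: str, spi_i: int) -> bytes:
        msg = f"{src_ip}|{spi_i:016x}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def on_ike_sa_init(self, src_ip: str, spi_i: int,
                       cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Return (action, cookie); action is RESPOND, COOKIE or DROP."""
        if self.challenging():
            expected = self._cookie(src_ip, spi_i)
            if cookie is None:
                # No state is kept here: a flood from forged source addresses
                # costs the responder one HMAC per packet and nothing else.
                return "COOKIE", expected
            if not hmac.compare_digest(cookie, expected):
                return "DROP", None      # wrong cookie: negotiation terminated
        self.half_open.add((src_ip, spi_i))
        return "RESPOND", None

    def on_ike_auth_complete(self, src_ip: str, spi_i: int) -> None:
        """IKE_AUTH finished, so the SA is no longer half-open."""
        self.half_open.discard((src_ip, spi_i))


def simulate(threshold: int = 2) -> Dict[str, object]:
    """Walk through the states the page describes; addresses are constructed."""
    r = CookieChallengingResponder(threshold)
    log: Dict[str, object] = {}
    log["first"] = r.on_ike_sa_init("203.0.113.10", 1)[0]    # below threshold
    log["second"] = r.on_ike_sa_init("203.0.113.11", 2)[0]
    action, cookie = r.on_ike_sa_init("203.0.113.12", 3)     # threshold reached
    log["third"] = action
    log["wrong_cookie"] = r.on_ike_sa_init("203.0.113.12", 3, b"\x00" * 16)[0]
    log["right_cookie"] = r.on_ike_sa_init("203.0.113.12", 3, cookie)[0]
    # A forged source never receives the cookie reply, so it never gets state.
    log["spoofed"] = r.on_ike_sa_init("198.51.100.99", 4)[0]
    log["half_open_after_flood"] = len(r.half_open)
    r.on_ike_auth_complete("203.0.113.10", 1)
    r.on_ike_auth_complete("203.0.113.11", 2)
    log["challenging_after_drain"] = r.challenging()        # back below threshold
    log["after_drain"] = r.on_ike_sa_init("203.0.113.13", 5)[0]
    return log
```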
IKEv2 SA rekeying
For security purposes, both IKE SAs and IPsec SAs have a lifetime and must be rekeyed when the lifetime expires. An IKEv1 SA lifetime is negotiated. An IKEv2 SA lifetime, in contrast, is configured. If two peers are configured with different lifetimes, the peer with the shorter lifetime always initiates the SA rekeying. This mechanism reduces the possibility that two peers will simultaneously initiate a rekeying. Simultaneous rekeying results in redundant SAs and SA status inconsistency on the two peers.
IKEv2 message retransmission
Unlike IKEv1 messages, IKEv2 messages appear in request/response pairs. IKEv2 uses the Message ID field in the message header to identify the request/response pair. If an initiator sends a request but receives no response with the same Message ID value within a specific period of time, the initiator retransmits the request.
It is always the IKEv2 initiator that initiates the retransmission, and the retransmitted message must use the same Message ID value.
Protocols and standards
RFC 2408, Internet Security Association and Key Management Protocol (ISAKMP)
RFC 4306, Internet Key Exchange (IKEv2) Protocol
RFC 4718, IKEv2 Clarifications and Implementation Guidelines
RFC 2412, The OAKLEY Key Determination Protocol
RFC 5996, Internet Key Exchange Protocol Version 2 (IKEv2)
IKEv2 configuration task list
Determine the following parameters prior to IKEv2 configuration:
The strength of the algorithms for IKEv2 negotiation, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. Different algorithms provide different levels of protection. A stronger algorithm means better resistance to decryption of protected data but requires more resources. Typically, the longer the key, the stronger the algorithm.
The local and remote identity authentication methods.
To use the pre-shared key authentication method, you must determine the pre-shared key.
To use the RSA digital signature authentication method, you must determine the PKI domain for the local end to use. For information about PKI, see "Configuring PKI."
To configure IKEv2, perform the following tasks:
Tasks at a glance (with remarks)
(Required.) Configuring an IKEv2 profile. Remarks: N/A.
(Required.) Configuring an IKEv2 policy. Remarks: N/A.
(Optional.) Configuring an IKEv2 proposal. Remarks: If you specify an IKEv2 proposal in an IKEv2 policy, you must configure the IKEv2 proposal.
(Optional.) Configuring an IKEv2 keychain. Remarks: Required when either end or both ends use the pre-shared key authentication method.
Configure global IKEv2 parameters:
(Optional.) Enabling the cookie challenging feature. Remarks: The cookie challenging feature takes effect only on IKEv2 responders.
(Optional.) Configuring the IKEv2 DPD feature.
(Optional.) Configuring the IKEv2 NAT keepalive feature.
(Optional.) Configuring IKEv2 address pools.
Configuring an IKEv2 profile
An IKEv2 profile is intended to provide a set of parameters for IKEv2 negotiation. To configure an IKEv2 profile, perform the following tasks:
1. Specify the local and remote identity authentication methods.
The local and remote identity authentication methods must both be specified and they can be different. You can specify only one local identity authentication method and multiple remote identity authentication methods.
2. Configure the IKEv2 keychain or PKI domain for the IKEv2 profile to use:
To use digital signature authentication, configure a PKI domain.
To use pre-shared key authentication, configure an IKEv2 keychain.
3. Configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation:
For digital signature authentication, the device can use an ID of any type. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses the FQDN as the local ID. The FQDN is the device name configured by using the sysname command.
For pre-shared key authentication, the device can use an ID of any type other than the DN.
4. Configure peer IDs.
The device compares the received peer ID with the peer IDs of its local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. IKEv2 profiles will be compared in descending order of their priorities.
5. Specify a local interface or IP address for the IKEv2 profile so the profile can be applied only to the specified interface or IP address. For this task, specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command). If no local address is configured, specify the IP address of the interface that uses the IPsec policy.
6. Specify a priority number for the IKEv2 profile. To determine the priority of an IKEv2 profile:
a. First, the device examines the existence of the match local command. An IKEv2 profile with the match local command configured has a higher priority.
b. If a tie exists, the device compares the priority numbers. An IKEv2 profile with a smaller priority number has a higher priority.
c. If a tie still exists, the device prefers an IKEv2 profile configured earlier.
7. Specify a VPN instance for the IKEv2 profile. The IKEv2 profile is used for IKEv2 negotiation only on the interfaces that belong to the VPN instance.
8. Configure the IKEv2 SA lifetime.
The local and remote ends can use different IKEv2 SA lifetimes. They do not negotiate the lifetime. The end with a smaller SA lifetime will initiate an SA negotiation when the lifetime expires.
9. Configure IKEv2 DPD to detect dead IKEv2 peers. You can also configure this feature in system view. If you configure IKEv2 DPD in both views, the IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.
10. Specify an inside VPN instance. This setting determines where the device should forward received IPsec packets after it de-encapsulates them. If you specify an inside VPN instance, the device looks for a route in the specified VPN instance to forward the packets. If you do not specify an inside VPN instance, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.
11. Configure the NAT keepalive interval.
Configure this task when the device is behind a NAT gateway. The device sends NAT keepalive packets regularly to its peer to prevent the NAT session from aging out for lack of matching traffic.
12. Enable the configuration exchange feature.
The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response.
This feature typically applies to scenarios where branches and the headquarters communicate through virtual tunnels.
This feature enables the IPsec gateway at a branch to send IP address requests to the IPsec gateway at the headquarters. When the headquarters receives the request, it sends an IP address to the branch in the response packet. The headquarters can also actively push an IP address to the branch. The branch uses the allocated IP address as the IP address of the virtual tunnel to communicate with the headquarters.
13. Enable AAA authorization.
The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 address pool, from AAA. IKEv2 uses the address pool to assign IP addresses to remote users. For more information about AAA authorization, see "Configuring AAA."
To configure an IKEv2 profile:
Step / Command / Remarks
57. Enter system view.
Command: system-view
Remarks: N/A
58. Create an IKEv2 profile and enter IKEv2 profile view.
Command: ikev2 profile profile-name
Remarks: By default, no IKEv2 profiles exist.
59. Configure the local and remote identity authentication methods.
Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
Remarks: By default, no local or remote identity authentication method is configured.
60. Specify a keychain.
Command: keychain keychain-name
Remarks: By default, no keychain is specified for an IKEv2 profile. Perform this task when the pre-shared key authentication method is specified.
61. Specify a PKI domain.
Command: certificate domain domain-name [ sign | verify ]
Remarks: By default, the device uses PKI domains configured in system view. Perform this task when the digital signature authentication method is specified.
62. Configure the local ID.
Command: identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }
Remarks: By default, no local ID is configured, and the device uses the IP address of the interface where the IPsec policy applies as the local ID.
63. Configure peer IDs.
Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
Remarks: By default, no peer ID is configured. You must configure a minimum of one peer ID on each of the two peers.
64. (Optional.) Specify the local interface or IP address to which the IKEv2 profile can be applied.
Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
Remarks: By default, an IKEv2 profile can be applied to any local interface or IP address.
65. (Optional.) Specify a priority for the IKEv2 profile.
Command: priority priority
Remarks: By default, the priority of an IKEv2 profile is 100.
66. (Optional.) Specify a VPN instance for the IKEv2 profile.
Command: match vrf { name vrf-name | any }
Remarks: By default, an IKEv2 profile belongs to the public network.
67. (Optional.) Set the IKEv2 SA lifetime for the IKEv2 profile.
Command: sa duration seconds
Remarks: By default, the IKEv2 SA lifetime is 86400 seconds.
68. (Optional.) Configure the DPD feature for the IKEv2 profile.
Command: dpd interval interval [ retry seconds ] { on-demand | periodic }
Remarks: By default, DPD is disabled for an IKEv2 profile. The global DPD settings in system view are used. If DPD is also disabled in system view, the device does not perform DPD.
69. (Optional.) Specify an inside VPN instance for the IKEv2 profile.
Command: inside-vrf vrf-name
Remarks: By default, no inside VPN instance is specified for an IKEv2 profile. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.
70. (Optional.) Set the IKEv2 NAT keepalive interval.
Command: nat-keepalive seconds
Remarks: By default, the global IKEv2 NAT keepalive setting is used.
71. (Optional.) Enable the configuration exchange feature.
Command: config-exchange { request | set { accept | send } }
Remarks: By default, all configuration exchange options are disabled.
72. (Optional.) Enable AAA authorization.
Command: aaa authorization domain domain-name username user-name
Remarks: By default, AAA authorization is disabled for IKEv2.
Configuring an IKEv2 policy
During the IKE_SA_INIT exchange, each end tries to find a matching IKEv2 policy, using the IP address of the local security gateway as the matching criterion.
If IKEv2 policies are configured, IKEv2 searches for an IKEv2 policy that uses the IP address of the local security gateway. If no IKEv2 policy uses the IP address or the policy is using an incomplete proposal, the IKE_SA_INIT exchange fails.
If no IKEv2 policy is configured, IKEv2 uses the system default IKEv2 policy default.
The device matches IKEv2 policies in the descending order of their priorities. To determine the priority of an IKEv2 policy:
1. First, the device examines the existence of the match local address command. An IKEv2 policy with the match local address command configured has a higher priority.
2. If a tie exists, the device compares the priority numbers. An IKEv2 policy with a smaller priority number has a higher priority.
3. If a tie still exists, the device prefers an IKEv2 policy configured earlier.
To configure an IKEv2 policy:
Step / Command / Remarks
73. Enter system view.
Command: system-view
Remarks: N/A
74. Create an IKEv2 policy and enter IKEv2 policy view.
Command: ikev2 policy policy-name
Remarks: By default, an IKEv2 policy named default exists.
75. Specify the local interface or address used for IKEv2 policy matching.
Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
Remarks: By default, no local interface or address is used for IKEv2 policy matching, and the policy matches any local interface or address.
76. Specify a VPN instance for IKEv2 policy matching.
Command: match vrf { name vrf-name | any }
Remarks: By default, no VPN instance is specified for IKEv2 policy matching. The IKEv2 policy matches all local addresses in the public network.
77. Specify an IKEv2 proposal for the IKEv2 policy.
Command: proposal proposal-name
Remarks: By default, no IKEv2 proposal is specified for an IKEv2 policy.
78. Specify a priority for the IKEv2 policy.
Command: priority priority
Remarks: By default, the priority of an IKEv2 policy is 100.
Configuring an IKEv2 proposal
An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups. An algorithm specified earlier has a higher priority.
A complete IKEv2 proposal must have at least one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
To configure an IKEv2 proposal:
79. Enter system view.
Command: system-view
Remarks: N/A
80. Create an IKEv2 proposal and enter IKEv2 proposal view.
Command: ikev2 proposal proposal-name
Remarks: By default, an IKEv2 proposal named default exists.
In non-FIPS mode, the default proposal uses the following settings:
Encryption algorithms: AES-CBC-128 and 3DES.
Integrity protection algorithms: HMAC-SHA1 and HMAC-MD5.
PRF algorithms: HMAC-SHA1 and HMAC-MD5.
DH groups: 2 and 5.
In FIPS mode, the default proposal uses the following settings:
Encryption algorithms: AES-CBC-128 and AES-CTR-128.
Integrity protection algorithms: HMAC-SHA1 and HMAC-SHA256.
PRF algorithms: HMAC-SHA1 and HMAC-SHA256.
DH groups: 14 and 19.
81. Specify the encryption algorithms.
Command (non-FIPS mode): encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
Command (FIPS mode): encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *
Remarks: By default, an IKEv2 proposal does not have any encryption algorithms.
82. Specify the integrity protection algorithms.
Command (non-FIPS mode): integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
Command (FIPS mode): integrity { sha1 | sha256 | sha384 | sha512 } *
Remarks: By default, an IKEv2 proposal does not have any integrity protection algorithms.
83. Specify the PRF algorithms.
Command (non-FIPS mode): prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
Command (FIPS mode): prf { sha1 | sha256 | sha384 | sha512 } *
Remarks: By default, an IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.
84. Specify the DH groups.
Command (non-FIPS mode): dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *
Command (FIPS mode): dh { group14 | group24 | group19 | group20 } *
Remarks: By default, an IKEv2 proposal does not have any DH groups.
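An added Python check (not device code) of the completeness rule and of the mode-specific keyword sets in the procedure above: it applies the PRF-falls-back-to-integrity default and reports a proposal that is incomplete or that uses a keyword not accepted in the selected mode. The dictionary layout is an assumption; the keyword lists and default-proposal contents are copied from this section.

```python
# Keyword sets copied from the encryption, integrity, prf and dh syntax above.
KINDS = ("encryption", "integrity", "prf", "dh")

NON_FIPS = {
    "encryption": ["3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                   "aes-ctr-128", "aes-ctr-192", "aes-ctr-256",
                   "camellia-cbc-128", "camellia-cbc-192", "camellia-cbc-256",
                   "des-cbc"],
    "integrity": ["aes-xcbc-mac", "md5", "sha1", "sha256", "sha384", "sha512"],
    "prf": ["aes-xcbc-mac", "md5", "sha1", "sha256", "sha384", "sha512"],
    "dh": ["group1", "group14", "group2", "group24", "group5", "group19", "group20"],
}
FIPS = {
    "encryption": ["aes-cbc-128", "aes-cbc-192", "aes-cbc-256",
                   "aes-ctr-128", "aes-ctr-192", "aes-ctr-256"],
    "integrity": ["sha1", "sha256", "sha384", "sha512"],
    "prf": ["sha1", "sha256", "sha384", "sha512"],
    "dh": ["group14", "group24", "group19", "group20"],
}

# Contents of the proposal named "default" as documented, keyed by FIPS mode.
DEFAULT_PROPOSAL = {
    False: {"encryption": ["aes-cbc-128", "3des-cbc"], "integrity": ["sha1", "md5"],
            "prf": ["sha1", "md5"], "dh": ["group2", "group5"]},
    True: {"encryption": ["aes-cbc-128", "aes-ctr-128"], "integrity": ["sha1", "sha256"],
           "prf": ["sha1", "sha256"], "dh": ["group14", "group19"]},
}


def effective(proposal: dict) -> dict:
    """Normalise a proposal (a dict of keyword lists, ordered by preference)
    and apply the documented default: an unset PRF uses the integrity algorithms."""
    p = {kind: list(proposal.get(kind, [])) for kind in KINDS}
    if not p["prf"]:
        p["prf"] = list(p["integrity"])
    return p


def validate(proposal: dict, fips: bool = False) -> list:
    """Return the list of problems; an empty list means the proposal is
    complete and every keyword is accepted in the selected mode."""
    allowed = FIPS if fips else NON_FIPS
    mode = "FIPS" if fips else "non-FIPS"
    p = effective(proposal)
    problems = []
    for kind in KINDS:
        if not p[kind]:
            problems.append(f"no {kind} specified: proposal is incomplete")
        for alg in p[kind]:
            if alg not in allowed[kind]:
                problems.append(f"{alg} is not a valid {kind} keyword in {mode} mode")
    return problems


if __name__ == "__main__":
    # The non-FIPS default proposal is not acceptable once FIPS mode is on.
    for line in validate(DEFAULT_PROPOSAL[False], fips=True):
        print(line)
```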
Configuring an IKEv2 keychain
An IKEv2 keychain specifies the pre-shared keys used for IKEv2 negotiation.
An IKEv2 keychain can have multiple IKEv2 peers. Each peer has a symmetric pre-shared key or an asymmetric pre-shared key pair, and information for identifying the peer (such as the peer's host name, IP address or address range, or ID).
An IKEv2 negotiation initiator uses the peer host name or IP address/address range as the matching criterion to search for a peer. A responder uses the peer host IP address/address range or ID as the matching criterion to search for a peer.
To configure an IKEv2 keychain:
85. Enter system view.
Command: system-view
Remarks: N/A
86. Create an IKEv2 keychain and enter IKEv2 keychain view.
Command: ikev2 keychain keychain-name
Remarks: By default, no IKEv2 keychains exist.
87. Create an IKEv2 peer and enter IKEv2 peer view.
Command: peer name
Remarks: By default, no IKEv2 peers exist.
88. Configure the information for identifying the IKEv2 peer.
Command:
To configure a host name for the peer: hostname host-name
To configure a host IP address or address range for the peer: address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
To configure an ID for the peer: identity { address { ipv4-address | ipv6 ipv6-address } | fqdn fqdn-name | email email-string | key-id key-id-string }
Remarks: By default, no hostname, host IP address, address range, or identity information is configured for an IKEv2 peer. You must configure different IP addresses/address ranges for different peers.
89. Configure a pre-shared key for the peer.
Command: pre-shared-key [ local | remote ] { ciphertext | plaintext } string
Remarks: By default, an IKEv2 peer does not have a pre-shared key.
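An added Python model (not device code) of the keychain rules in this section: initiator lookup by host name or IP address/range, responder lookup by IP address/range or ID, symmetric versus asymmetric pre-shared keys, and the rule that two peers in one keychain cannot share an address/range. The Peer and Keychain classes, the first-configured-wins tie-break for overlapping ranges, and the sample values are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Peer:
    # Hypothetical record for one IKEv2 peer in a keychain.
    name: str
    hostname: Optional[str] = None
    address: Optional[str] = None               # "3.3.3.3/255.255.255.0", "3.3.3.0/24" or a bare host
    identity: Optional[Tuple[str, str]] = None  # ("fqdn", ...), ("email", ...), ("key-id", ...), ("address", ...)
    psk_local: Optional[str] = None
    psk_remote: Optional[str] = None


def set_pre_shared_key(peer: Peer, key: str, side: Optional[str] = None) -> None:
    """pre-shared-key [ local | remote ]: without the keyword the key is symmetric,
    with it only one direction of an asymmetric key pair is set."""
    if side in (None, "local"):
        peer.psk_local = key
    if side in (None, "remote"):
        peer.psk_remote = key


class Keychain:
    def __init__(self, name: str):
        self.name = name
        self.peers: List[Peer] = []

    def add_peer(self, peer: Peer) -> None:
        # Documented rule: different peers must have different addresses/ranges.
        if peer.address:
            new = ip_network(peer.address, strict=False)
            for p in self.peers:
                if p.address and ip_network(p.address, strict=False) == new:
                    raise ValueError(f"address {peer.address} is already used by peer {p.name}")
        self.peers.append(peer)

    def _by_address(self, addr: str) -> Optional[Peer]:
        # Assumption: the first configured peer whose range contains the address wins.
        a = ip_address(addr)
        for p in self.peers:
            if p.address and a in ip_network(p.address, strict=False):
                return p
        return None

    def lookup_as_initiator(self, hostname: Optional[str] = None,
                            address: Optional[str] = None) -> Optional[Peer]:
        """Initiator: match by the peer's host name or by IP address/range."""
        if hostname:
            for p in self.peers:
                if p.hostname == hostname:
                    return p
        return self._by_address(address) if address else None

    def lookup_as_responder(self, address: Optional[str] = None,
                            identity: Optional[Tuple[str, str]] = None) -> Optional[Peer]:
        """Responder: match by IP address/range or by the peer's ID."""
        if address:
            hit = self._by_address(address)
            if hit:
                return hit
        if identity:
            for p in self.peers:
                if p.identity == identity:
                    return p
        return None


if __name__ == "__main__":
    # Constructed sample keychain mirroring the "address 3.3.3.3 255.255.255.0" example.
    kc = Keychain("key1")
    kc.add_peer(Peer("peer1", hostname="router_b", address="3.3.3.3/255.255.255.0",
                     identity=("fqdn", "router_b")))
    print(kc.lookup_as_responder(address="3.3.3.77").name)   # prints peer1
```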
Configuring global IKEv2 parameters
Enabling the cookie challenging feature
Enable cookie challenging on responders to protect them against DoS attacks that use a large number of source IP addresses to forge IKE_SA_INIT requests.
To enable cookie challenging:
90. Enter system view.
Command: system-view
Remarks: N/A
91. Enable cookie challenging.
Command: ikev2 cookie-challenge number
Remarks: By default, IKEv2 cookie challenging is disabled.
Configuring the IKEv2 DPD feature
IKEv2 DPD detects dead IKEv2 peers in periodic or on-demand mode.
Periodic DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages at regular intervals.
On-demand DPD—Verifies the liveness of an IKEv2 peer by sending DPD messages before sending data. Before the device sends data, it checks how long it has been since the last IPsec packet was received from the peer. If that interval exceeds the DPD interval, the device sends a DPD message to the peer to detect its liveness. If the device has no data to send, it never sends DPD messages.
If you configure IKEv2 DPD in both IKEv2 profile view and system view, the IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.
To configure global IKEv2 DPD:
92. Enter system view.
Command: system-view
Remarks: N/A
93. Configure global IKEv2 DPD.
Command: ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
Remarks: By default, global DPD is disabled.
Configuring the IKEv2 NAT keepalive feature
Configure this feature on the IKEv2 gateway behind the NAT device. The gateway then sends NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
The NAT keepalive interval must be shorter than the NAT session lifetime.
This feature takes effect after the device detects the NAT device.
To configure the IKEv2 NAT keepalive feature:
94. Enter system view.
Command: system-view
Remarks: N/A
95. Set the IKEv2 NAT keepalive interval.
Command: ikev2 nat-keepalive seconds
Remarks: By default, the IKEv2 NAT keepalive interval is 10 seconds.
Configuring IKEv2 address pools
To perform centralized management on remote users, an IPsec gateway can use an address pool to assign private IP addresses to remote users.
You must use an IKEv2 address pool together with AAA authorization by specifying the IKEv2 address pool as an AAA authorization attribute. For more information about AAA authorization, see "Configuring AAA."
To configure IKEv2 address pools:
96. Enter system view.
Command: system-view
Remarks: N/A
97. Configure an IKEv2 IPv4 address pool.
Command: ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]
Remarks: By default, no IKEv2 IPv4 address pool exists.
98. Configure an IKEv2 IPv6 address pool.
Command: ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len
Remarks: By default, no IKEv2 IPv6 address pool exists.
Displaying and maintaining IKEv2
Execute display commands in any view and reset commands in user view.
Task: Display the IKEv2 proposal configuration.
Command: display ikev2 proposal [ name | default ]
Task: Display the IKEv2 policy configuration.
Command: display ikev2 policy [ policy-name | default ]
Task: Display the IKEv2 profile configuration.
Command: display ikev2 profile [ profile-name ]
Task: Display the IKEv2 SA information.
Command: display ikev2 sa [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ]
Task: Display IKEv2 statistics.
Command: display ikev2 statistics
Task: Delete IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.
Command: reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]
Task: Clear IKEv2 statistics.
Command: reset ikev2 statistics
Command reference
New command: aaa authorization
Use aaa authorization to enable IKEv2 AAA authorization.
Use undo aaa authorization to disable IKEv2 AAA authorization.
Syntax
aaa authorization domain domain-name username user-name
undo aaa authorization
Default
IKEv2 AAA authorization is disabled.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
domain domain-name: Specifies the ISP domain used for requesting authorization attributes. The ISP domain name is a case-insensitive string of 1 to 255 characters and must meet the following requirements:
The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).
The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.
username user-name: Specifies the username used for requesting authorization attributes. The username is a case-sensitive string of 1 to 55 characters and must meet the following requirements:
The username cannot contain the domain name.
The username cannot contain a forward slash (/), backslash (\), vertical bar (|), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or an at sign (@).
The username cannot be a, al, or all.
Usage guidelines
The AAA authorization feature enables IKEv2 to request authorization attributes, such as the IKEv2 IPv4 address pool, from AAA.
IKEv2 uses the ISP domain and username to request authorization attributes. AAA uses the authorization settings in the ISP domain to request the user's authorization attributes from the remote AAA server or the local user database. After IKEv2 passes the username authentication, it obtains the authorization attributes.
This feature is applicable when AAA is used to centrally manage and deploy authorization attributes.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Enable AAA authorization. Specify the ISP domain name abc and the username test.
[Sysname-ikev2-profile-profile1] aaa authorization domain abc username test
Related commands
display ikev2 profile
New command: address
Use address to specify the IP address or IP address range of an IKEv2 peer.
Use undo address to restore the default.
Syntax
address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
undo address
Default
An IKEv2 peer's IP address or IP address range is not specified.
Views
IKEv2 peer view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the IKEv2 peer.
mask: Specifies the subnet mask of the IPv4 address.
mask-length: Specifies the subnet mask length of the IPv4 address, in the range of 0 to 32.
ipv6 ipv6-address: Specifies the IPv6 address of the IKEv2 peer.
prefix-length: Specifies the prefix length of the IPv6 address, in the range of 0 to 128.
Usage guidelines
Both the initiator and the responder can look up an IKEv2 peer by IP address in IKEv2 negotiation.
The IP addresses of different IKEv2 peers in the same IKEv2 keychain cannot be the same.
Examples
# Create an IKEv2 keychain named key1.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
# Specify the IKEv2 peer's IP address 3.3.3.3 with the subnet mask 255.255.255.0.
[Sysname-ikev2-keychain-key1-peer-peer1] address 3.3.3.3 255.255.255.0
Related commands
ikev2 keychain
peer
New command: authentication-method
Use authentication-method to specify the local or remote identity authentication method.
Use undo authentication-method to remove the local or remote identity authentication method.
Syntax
authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share |
rsa-signature }
undo authentication-method local
undo authentication-method remote { dsa-signature | ecdsa-signature | pre-share |
rsa-signature }
Default
No local or remote identity authentication method is specified.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
local: Specifies the local identity authentication method.
remote: Specifies the remote identity authentication method.
dsa-signature: Specifies the DSA signatures as the identity authentication method.
ecdsa-signature: Specifies the ECDSA signatures as the identity authentication method.
pre-share: Specifies the pre-shared key as the identity authentication method.
rsa-signature: Specifies the RSA signatures as the identity authentication method.
Usage guidelines
The local and remote identity authentication methods must both be specified and they can be different.
You can specify only one local identity authentication method. You can specify multiple remote identity authentication methods by executing this command multiple times when there are multiple remote ends whose authentication methods are unknown.
If you use RSA, DSA, or ECDSA signature authentication, you must specify PKI domains for obtaining certificates. You can specify PKI domains by using the certificate domain command in
IKEv2 profile view. If you do not specify PKI domains in IKEv2 profile view, the PKI domains configured by the pki domain command in system view will be used.
If you specify the pre-shared key method, you must specify a pre-shared key for the IKEv2 peer in the keychain used by the IKEv2 profile.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify the pre-shared key and RSA signatures as the local and remote authentication methods, respectively.
[Sysname-ikev2-profile-profile1] authentication-method local pre-share
[Sysname-ikev2-profile-profile1] authentication-method remote rsa-signature
# Specify the PKI domain genl as the PKI domain for obtaining certificates.
[Sysname-ikev2-profile-profile1] certificate domain genl
# Specify the keychain keychain1.
[Sysname-ikev2-profile-profile1] keychain keychain1
Related commands
display ikev2 profile
certificate domain (IKEv2 profile view)
keychain (IKEv2 profile view)
New command: certificate domain
Use certificate domain to specify a PKI domain for signature authentication in IKEv2 negotiation.
Use undo certificate domain to remove a PKI domain for signature authentication in IKEv2 negotiation.
Syntax
certificate domain domain-name [ sign | verify ]
undo certificate domain domain-name
Default
PKI domains configured in system view are used.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
domain-name: Specifies a PKI domain by its name, a case-insensitive string of 1 to 31 characters.
sign: Uses the local certificate in the PKI domain to generate a signature.
verify: Uses the CA certificate in the PKI domain to verify the remote end's certificate.
Usage guidelines
If you do not specify the sign or verify keyword, the PKI domain is used for both sign and verify purposes. You can specify a PKI domain for each purpose by executing this command multiple times.
If you specify the same PKI domain for both purposes, the later configuration takes effect. For example, if you execute certificate domain abc sign and certificate domain abc verify successively, the PKI domain abc will be used only for verification.
If the local end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for signature generation. If the remote end uses RSA, DSA, or ECDSA signature authentication, you must specify a PKI domain for verifying the remote end's certificate. If you do not specify PKI domains, the PKI domains configured in system view will be used.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify the PKI domain abc for signature. Specify the PKI domain def for verification.
[Sysname-ikev2-profile-profile1] certificate domain abc sign
[Sysname-ikev2-profile-profile1] certificate domain def verify
Related commands
authentication-method
pki domain
New command: config-exchange
Use config-exchange to enable the configuration exchange feature.
Use undo config-exchange to disable the configuration exchange feature.
Syntax
config-exchange { request | set { accept | send } }
undo config-exchange { request | set { accept | send } }
Default
Configuration exchange is disabled.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
request: Enables the device to send request messages carrying the configuration request payload during the IKE_AUTH exchange.
set: Specifies the configuration set payload exchange.
accept: Enables the device to accept the configuration set payload carried in Info messages.
send: Enables the device to send Info messages carrying the configuration set payload.
Usage guidelines
The configuration exchange feature enables the local and remote ends to exchange configuration data, such as gateway address, internal IP address, and route. The exchange includes data request and response, and data push and response. The enterprise center can push IP addresses to branches. The branches can request IP addresses, but the requested IP addresses cannot be used.
You can specify both request and set for the device.
If you specify request for the local end, the remote end will respond if it can obtain the requested data through AAA authorization.
If you specify set send for the local end, you must specify set accept for the remote end.
The device with set send specified pushes an IP address after the IKEv2 SA is set up if it does not receive any configuration request from the peer.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Enable the local end to add the configuration request payload to the request message of the IKE_AUTH exchange.
[Sysname-ikev2-profile-profile1] config-exchange request
Related commands
aaa authorization
configuration policy
display ikev2 profile
New command: description
Use description to configure a description for an IKE proposal.
Use undo description to restore the default.
Syntax
description text
undo description
Default
An IKE proposal does not have a description.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 80 characters.
Usage guidelines
If multiple IKE proposals exist, you can use this command to configure different descriptions for them to distinguish them.
Examples
# Configure the description test for the IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] description test
New command: display ike statistics
Use display ike statistics to display IKE statistics.
Syntax
display ike statistics
Views
Any view
Predefined user roles
network-admin network-operator
Examples
# Display IKE statistics.
<Sysname> display ike statistics
IKE statistics:
No matching proposal: 0
Invalid ID information: 0
Unavailable certificate: 0
Unsupported DOI: 0
Unsupported situation: 0
Invalid proposal syntax: 0
Invalid SPI: 0
Invalid protocol ID: 0
Invalid certificate: 0
Authentication failure: 0
Invalid flags: 0
Invalid message id: 0
Invalid cookie: 0
Invalid transform ID: 0
Malformed payload: 0
Invalid key information: 0
Invalid hash information: 0
Unsupported attribute: 0
Unsupported certificate type: 0
Invalid certificate authority: 0
Invalid signature: 0
Unsupported exchange type: 0
No available SA: 0
Retransmit timeout: 0
Not enough memory: 0
Enqueue fails: 0
New command: display ikev2 policy
Use display ikev2 policy to display the IKEv2 policy configuration.
Syntax
display ikev2 policy [ policy-name | default ]
Views
Any view
Predefined user roles
network-admin network-operator
Parameters
policy-name: Specifies an IKEv2 policy by its name, a case-insensitive string of 1 to 63 characters.
default: Specifies the default IKEv2 policy.
Usage guidelines
If you do not specify any parameters, this command displays the configuration of all IKEv2 policies.
Examples
# Display the configuration of all IKEv2 policies.
<Sysname> display ikev2 policy
IKEv2 policy: 1
Priority: 100
Match local address: 1.1.1.1
Match local address ipv6: 1:1::1:1
Match VRF: vpn1
Proposal: 1
Proposal: 2
IKEv2 policy: default
Match local address: Any
Match VRF: Any
Proposal: default
Table 29 Command output
Field | Description
IKEv2 policy | Name of the IKEv2 policy.
Priority | Priority of the IKEv2 policy.
Match local address | IPv4 address to which the IKEv2 policy can be applied.
Match local address ipv6 | IPv6 address to which the IKEv2 policy can be applied.
Match VRF | VPN instance to which the IKEv2 policy can be applied.
Proposal | IKEv2 proposal that the IKEv2 policy uses.
Related commands
ikev2 policy
New command: display ikev2 profile
Use display ikev2 profile to display the IKEv2 profile configuration.
Syntax
display ikev2 profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin network-operator
Parameters
profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an IKEv2 profile, this command displays the configuration of all IKEv2 profiles.
Examples
# Display the configuration of all IKEv2 profiles.
<Sysname> display ikev2 profile
IKEv2 profile: 1
Priority: 100
Match criteria:
Local address 1.1.1.1
Local address GigabitEthernet1/0/1
Local address 1:1::1:1
Remote identity address 3.3.3.3/32
VRF vrf1
Inside VRF: vrf1
Local identity: address 1.1.1.1
Local authentication method: pre-share
Remote authentication methods: pre-share
Keychain: Keychain1
Sign certificate domain:
Domain1
abc
Verify certificate domain:
Domain2
yy
SA duration: 500 seconds
DPD: Interval 32 secs, retry-interval 23 secs, periodic
Config exchange: request, set accept, set send
NAT keepalive: 10 seconds
AAA authorization: Domain domain1, username ikev2
Table 30 Command output
Field | Description
IKEv2 profile | Name of the IKEv2 profile.
Priority | Priority of the IKEv2 profile.
Match criteria | Criteria for looking up the IKEv2 profile.
Inside vrf | Inside VPN instance.
Local identity | ID of the local end.
Local authentication method | Method that the local end uses for authentication.
Remote authentication methods | Methods that the remote end uses for authentication.
Keychain | IKEv2 keychain that the IKEv2 profile uses.
Sign certificate domain | PKI domain used for signature generation.
Verify certificate domain | PKI domain used for verifying the remote end's certificate.
SA duration | Lifetime of the IKEv2 SA.
DPD | DPD settings: detection interval in seconds, retry interval in seconds, and detection mode (on demand or periodic). If DPD is disabled, this field displays Disabled.
Config exchange | Configuration exchange settings: request (the local end sends request messages carrying the configuration request payload during the IKE_AUTH exchange), set accept (the local end accepts the configuration set payload carried in Info messages), and set send (the local end sends Info messages carrying the configuration set payload).
NAT keepalive | NAT keepalive interval in seconds.
AAA authorization | AAA authorization settings: ISP domain name and username.
Related commands
ikev2 profile
New command: display ikev2 proposal
Use display ikev2 proposal to display the IKEv2 proposal configuration.
Syntax
display ikev2 proposal [ name | default ]
Views
Any view
Predefined user roles
network-admin network-operator
Parameters
name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.
default: Specifies the default IKEv2 proposal.
Usage guidelines
This command displays IKEv2 proposals in descending order of priorities. If you do not specify any parameters, this command displays the configuration of all IKEv2 proposals.
Examples
# Display the configuration of all IKEv2 proposals.
<Sysname> display ikev2 proposal
IKEv2 proposal: 1
Encryption: 3DES-CBC, AES-CBC-128, AES-CTR-192, CAMELLIA-CBC-128
Integrity: MD5, SHA256, AES-XCBC
PRF: MD5, SHA256, AES-XCBC
DH group: MODP1024/Group 2, MODP1536/Group 5
IKEv2 proposal: default
Encryption: AES-CBC-128, 3DES-CBC
Integrity: SHA1, MD5
PRF: SHA1, MD5
DH group: MODP1536/Group 5, MODP1024/Group 2
Table 31 Command output
Field | Description
IKEv2 proposal | Name of the IKEv2 proposal.
Encryption | Encryption algorithms that the IKEv2 proposal uses.
Integrity | Integrity protection algorithms that the IKEv2 proposal uses.
PRF | PRF algorithms that the IKEv2 proposal uses.
DH group | DH groups that the IKEv2 proposal uses.
Related commands
ikev2 proposal
New command: display ikev2 sa
Use display ikev2 sa to display the IKEv2 SA information.
Syntax
display ikev2 sa [ { count | local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ]
Views
Any view
Predefined user roles
network-admin network-operator
Parameters
count: Displays the number of IKEv2 SAs.
local: Displays IKEv2 SA information for a local IP address.
remote: Displays IKEv2 SA information for a remote IP address.
ipv4-address: Specifies a local or remote IPv4 address.
ipv6 ipv6-address: Specifies a local or remote IPv6 address.
vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information about IKEv2 SAs for the public network.
verbose: Displays detailed information. If you do not specify this keyword, the command displays the summary information.
tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.
Usage guidelines
If you do not specify any parameters, this command displays summary information about all IKEv2 SAs.
Examples
# Display summary information about all IKEv2 SAs.
<Sysname> display ikev2 sa
Tunnel ID Local Remote Status
--------------------------------------------------------------------
1 1.1.1.1/500 1.1.1.2/500 EST
2 2.2.2.1/500 2.2.2.2/500 EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL: Deleting
# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.
<Sysname> display ikev2 sa remote 1.1.1.2
Tunnel ID Local Remote Status
--------------------------------------------------------------------
1 1.1.1.1/500 1.1.1.2/500 EST
Status:
IN-NEGO: Negotiating, EST: Established, DEL: Deleting
Table 32 Command output
Field | Description
Tunnel ID | ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local | Local IP address of the IKEv2 SA.
Remote | Remote IP address of the IKEv2 SA.
Status | Status of the IKEv2 SA: IN-NEGO (Negotiating), the IKEv2 SA is under negotiation; EST (Established), the IKEv2 SA has been set up; DEL (Deleting), the IKEv2 SA is about to be deleted.
# Display detailed information about all IKEv2 SAs.
<Sysname> display ikev2 sa verbose
Tunnel ID: 1
Local IP/Port: 1.1.1.1/500
Remote IP/Port: 1.1.1.2/500
Outside VRF: -
Inside VRF: -
Local SPI: 8f8af3dbf5023a00
Remote SPI: 0131565b9b3155fa
Local ID type: FQDN
Local ID: router_a
Remote ID type: FQDN
Remote ID: router_b
Auth sign method: Pre-shared key
Auth verify method: Pre-shared key
Integrity algorithm: HMAC_MD5
PRF algorithm: HMAC_MD5
Encryption algorithm: AES-CBC-192
Life duration: 86400 secs
Remaining key duration: 85604 secs
Diffie-Hellman group: MODP1024/Group2
NAT traversal: Not detected
DPD: Interval 20 secs, retry interval 2 secs
Transmitting entity: Initiator
Local window: 1
Remote window: 1
Local request message ID: 2
Remote request message ID: 2
Local next message ID: 0
Remote next message ID: 0
Pushed IP address: 192.168.1.5
Assigned IP address: 192.168.2.24
# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.
<Sysname> display ikev2 sa remote 1.1.1.2 verbose
Tunnel ID: 1
Local IP/Port: 1.1.1.1/500
Remote IP/Port: 1.1.1.2/500
Outside VRF: -
Inside VRF: -
Local SPI: 8f8af3dbf5023a00
Remote SPI: 0131565b9b3155fa
Local ID type: FQDN
Local ID: router_a
Remote ID type: FQDN
Remote ID: router_b
Auth sign method: Pre-shared key
Auth verify method: Pre-shared key
Integrity algorithm: HMAC_MD5
PRF algorithm: HMAC_MD5
Encryption algorithm: AES-CBC-192
Life duration: 86400 secs
Remaining key duration: 85604 secs
Diffie-Hellman group: MODP1024/Group2
NAT traversal: Not detected
DPD: Interval 30 secs, retry 10 secs
Transmitting entity: Initiator
Local window: 1
Remote window: 1
Local request message ID: 2
Remote request message ID: 2
Local next message ID: 0
Remote next message ID: 0
Pushed IP address: 192.168.1.5
Assigned IP address: 192.168.2.24
Table 33 Command output
Field | Description
Tunnel ID | ID of the IPsec tunnel to which the IKEv2 SA belongs.
Local IP/Port | IP address and port number of the local security gateway.
Remote IP/Port | IP address and port number of the remote security gateway.
Outside VRF | Name of the VPN instance to which the protected outbound data flow belongs. If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).
Inside VRF | Name of the VPN instance to which the protected inbound data flow belongs. If the protected inbound data flow belongs to the public network, this field displays a hyphen (-).
Local SPI | SPI that the local end uses.
Remote SPI | SPI that the remote end uses.
Local ID type | ID type of the local security gateway.
Local ID | ID of the local security gateway.
Remote ID type | ID type of the remote security gateway.
Remote ID | ID of the remote security gateway.
Auth sign method | Signature method that the IKEv2 proposal uses in authentication.
Auth verify method | Verification method that the IKEv2 proposal uses in authentication.
Integrity algorithm | Integrity protection algorithms that the IKEv2 proposal uses.
PRF algorithm | PRF algorithms that the IKEv2 proposal uses.
Encryption algorithm | Encryption algorithms that the IKEv2 proposal uses.
Life duration | Lifetime of the IKEv2 SA, in seconds.
Remaining key duration | Remaining lifetime of the IKEv2 SA, in seconds.
Diffie-Hellman group | DH groups used in IKEv2 key negotiation.
NAT traversal | Whether a NAT gateway is detected between the local and remote ends.
DPD | DPD settings: detection interval in seconds and retry interval in seconds. If DPD is disabled, this field displays Disabled.
Transmitting entity | Role of the local end in IKEv2 negotiation, initiator or responder.
Local window | Window size that the local end uses.
Remote window | Window size that the remote end uses.
Local request message ID | ID of the request message that the local end is about to send.
Remote request message ID | ID of the request message that the remote end is about to send.
Local next message ID | ID of the message that the local end expects to receive.
Remote next message ID | ID of the message that the remote end expects to receive.
Pushed IP address | IP address pushed to the local end by the remote end.
Assigned IP address | IP address assigned to the remote end by the local end.
New command: display ikev2 statistics
Use display ikev2 statistics to display IKEv2 statistics.
Syntax
display ikev2 statistics
Views
Any view
Predefined user roles
network-admin network-operator
Examples
# Display IKEv2 statistics.
<Sysname> display ikev2 statistics
IKEv2 statistics:
Unsupported critical payload: 0
Invalid IKE SPI: 0
Invalid major version: 0
Invalid syntax: 0
Invalid message ID: 0
Invalid SPI: 0
No proposal chosen: 0
Invalid KE payload: 0
Authentication failed: 0
Single pair required: 0
TS unacceptable: 0
Invalid selectors: 0
Temporary failure: 0
No child SA: 0
Unknown other notify: 0
No enough resource: 0
Enqueue error: 0
No IKEv2 SA: 0
Packet error: 0
Other error: 0
Retransmit timeout: 0
DPD detect error: 0
Del child for IPsec message: 0
Del child for deleting IKEv2 SA: 0
Del child for receiving delete message: 0
New command: dh
Use dh to specify DH groups to be used in IKEv2 key negotiation.
Use undo dh to restore the default.
Syntax
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *
undo dh
In FIPS mode:
dh { group14 | group24 | group19 | group20 } *
undo dh
Default
No DH group is specified for an IKEv2 proposal.
Views
IKEv2 proposal view
Predefined user roles
network-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
group5: Uses the 1536-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
group19: Uses the 256-bit ECP Diffie-Hellman group.
group20: Uses the 384-bit ECP Diffie-Hellman group.
Usage guidelines
A DH group with a higher group number provides higher security but needs more time for processing.
To achieve the best trade-off between processing performance and security, choose proper DH groups for your network.
You must specify a minimum of one DH group for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.
You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher priority.
Examples
# Specify DH group 1 for IKEv2 proposal 1.
<Sysname> system-view
[Sysname] ikev2 proposal 1
[Sysname-ikev2-proposal-1] dh group1
Related commands
ikev2 proposal
New command: dpd
Use dpd to configure the IKEv2 DPD feature.
Use undo dpd to disable the IKEv2 DPD feature.
Syntax
dpd interval interval [ retry seconds ] { on-demand | periodic }
undo dpd interval
Default
IKEv2 DPD is disabled. The global IKEv2 DPD settings are used.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.
retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.
on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.
periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.
Usage guidelines
DPD is triggered periodically or on-demand. The on-demand mode is recommended when the device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.
Examples
# Configure on-demand IKEv2 DPD. Set the DPD triggering interval to 10 seconds and the retry interval to 5 seconds.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] dpd interval 10 retry 5 on-demand
Related commands
ikev2 dpd
New command: encryption
Use encryption to specify encryption algorithms for an IKEv2 proposal.
Use undo encryption to restore the default.
Syntax
In non-FIPS mode:
encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc } *
undo encryption
In FIPS mode:
encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 } *
undo encryption
Default
No encryption algorithm is specified for an IKEv2 proposal.
Views
IKEv2 proposal view
Predefined user roles
network-admin
Parameters
3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.
aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key.
aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key.
aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key.
camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key.
camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key.
camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Specifies the DES algorithm in CBC mode, which uses a 56-bit key.
Usage guidelines
You must specify a minimum of one encryption algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple encryption algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
Examples
# Specify the 168-bit 3DES algorithm in CBC mode as the encryption algorithm for the IKEv2 proposal prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
[Sysname-ikev2-proposal-prop1] encryption 3des-cbc
Related commands
ikev2 proposal
New command: hostname
Use hostname to specify the host name of an IKEv2 peer.
Use undo hostname to restore the default.
Syntax
hostname name
undo hostname
Default
An IKEv2 peer's host name is not specified.
Views
IKEv2 peer view
Predefined user roles
network-admin
Parameters
name: Specifies the host name of the IKEv2 peer, a case-insensitive string of 1 to 253 characters.
Usage guidelines
Only the initiator can look up an IKEv2 peer by host name in IKEv2 negotiation, and the initiator must use an IPsec policy rather than an IPsec profile.
Examples
# Create an IKEv2 keychain named key1.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
# Specify the host name test of the IKEv2 peer.
[Sysname-ikev2-keychain-key1-peer-peer1] hostname test
Related commands
ikev2 keychain
peer
New command: identity
Use identity to specify the ID of an IKEv2 peer.
Use undo identity to restore the default.
Syntax
identity { address { ipv4-address | ipv6 ipv6-address } | fqdn fqdn-name | email email-string | key-id key-id-string }
undo identity
Default
An IKEv2 peer's ID is not specified.
Views
IKEv2 peer view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the IPv4 address of the peer.
ipv6 ipv6-address: Specifies the IPv6 address of the peer.
fqdn fqdn-name: Specifies the FQDN of the peer. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
email email-string: Specifies the email address of the peer. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].
key-id key-id-string: Specifies the remote gateway's key ID. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.
Usage guidelines
Only the responder can look up an IKEv2 peer by ID in IKEv2 negotiation. The initiator does not know the peer ID when initiating the IKEv2 negotiation, so it cannot use an ID for IKEv2 peer lookup.
Examples
# Create an IKEv2 keychain named key1.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
# Specify the peer IPv4 address 1.1.1.2 as the ID of the IKEv2 peer.
[Sysname-ikev2-keychain-key1-peer-peer1] identity address 1.1.1.2
Related commands
ikev2 keychain
peer
New command: identity local
Use identity local to configure the local ID, the ID that the device uses to identify itself to the peer during IKEv2 negotiation.
Use undo identity local to restore the default.
Syntax
identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }
undo identity local
Default
No local ID is specified. The IP address of the interface to which the IPsec policy is applied is used as the local ID.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.
dn: Uses the DN in the local certificate as the local ID.
email email-string: Uses an email address as the local ID. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].
fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
key-id key-id-string: Uses the device's key ID as the local ID. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.
Usage guidelines
Peers exchange local IDs for identifying each other in negotiation.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Use the IP address 2.2.2.2 as the local ID.
[Sysname-ikev2-profile-profile1] identity local address 2.2.2.2
Related commands
peer
New command: ikev2 address-group
Use ikev2 address-group to configure an IKEv2 IPv4 address pool for assigning IPv4 addresses to remote peers.
Use undo ikev2 address-group to delete an IKEv2 IPv4 address pool.
Syntax
ikev2 address-group group-name start-ipv4-address end-ipv4-address [ mask | mask-length ]
undo ikev2 address-group group-name
Default
No IKEv2 IPv4 address pools exist.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies a name for the IKEv2 IPv4 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.
start-ipv4-address end-ipv4-address: Specifies an IPv4 address range. The start-ipv4-address argument specifies the start IPv4 address. The end-ipv4-address argument specifies the end IPv4 address.
mask: Specifies the IPv4 address mask.
mask-length: Specifies the length of the IPv4 address mask.
Usage guidelines
An IKEv2 IPv4 address pool can contain a maximum of 8192 IPv4 addresses.
Examples
# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask 255.255.255.0.
<Sysname> system-view
[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 255.255.255.0
# Configure an IKEv2 IPv4 address pool with the name ipv4group, address range 1.1.1.1 to 1.1.1.2, and the mask length 32.
<Sysname> system-view
[Sysname] ikev2 address-group ipv4group 1.1.1.1 1.1.1.2 32
Related commands
address-group
New command: ikev2 cookie-challenge
Use ikev2 cookie-challenge to enable the cookie challenging feature.
Use undo ikev2 cookie-challenge to disable the cookie challenging feature.
Syntax
ikev2 cookie-challenge number
undo ikev2 cookie-challenge
Default
The cookie challenging feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
number: Specifies the threshold for triggering the cookie challenging feature. The value range for this argument is 0 to 1000 half-open IKE SAs.
Usage guidelines
When an IKEv2 responder maintains a threshold number of half-open IKE SAs, it starts the cookie challenging mechanism. The responder generates a cookie and includes it in the response sent to the initiator. If the initiator initiates a new IKE_SA_INIT request that carries the correct cookie, the responder considers the initiator valid and proceeds with the negotiation. If the carried cookie is incorrect, the responder terminates the negotiation.
This feature can protect the responder against DoS attacks which aim to exhaust the responder's system resources by using a large number of IKE_SA_INIT requests with forged source IP addresses.
Examples
# Enable the cookie challenging feature and set the threshold to 450.
<Sysname> system-view
[Sysname] ikev2 cookie-challenge 450
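The cookie challenge described in the usage guidelines above can be modelled as a stateless responder. The following Python is an added example written for this page, not HPE code and not a description of the Comware implementation; the cookie construction (an HMAC over the initiator SPI, initiator nonce and source address under a responder secret), the Responder class and the constructed addresses 198.51.100.x and 203.0.113.5 are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Responder secret for cookie generation; constructed for this example.
# A real responder would rotate it and accept the previous value for a short time.
RESPONDER_SECRET = secrets.token_bytes(32)


def make_cookie(secret: bytes, src_ip: str, spi_i: bytes, nonce_i: bytes, version: int = 0) -> bytes:
    """Stateless cookie: a version byte plus a truncated HMAC over the initiator SPI,
    initiator nonce and source IP (the construction RFC 7296, section 2.6, suggests).
    Nothing is stored per request, so a spoofed flood costs the responder no state."""
    msg = bytes([version]) + spi_i + nonce_i + src_ip.encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return bytes([version]) + mac[:16]


class Responder:
    """Toy IKEv2 responder holding only the half-open SA table and the challenge threshold."""

    def __init__(self, threshold: int, secret: bytes):
        self.threshold = threshold      # the <number> argument of ikev2 cookie-challenge
        self.secret = secret
        self.half_open = {}             # initiator SPI -> source IP, SAs still waiting for IKE_AUTH
        self.stats = {"challenged": 0, "rejected": 0, "accepted": 0}

    def challenge_active(self) -> bool:
        # Challenging starts once the half-open count reaches the configured threshold.
        return len(self.half_open) >= self.threshold

    def on_ike_sa_init(self, src_ip: str, spi_i: bytes, nonce_i: bytes,
                       cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Handle one IKE_SA_INIT request. Returns a (verdict, cookie) pair:
        ("cookie", c)         no cookie carried while challenging: answer with c, keep no state
        ("rejected", None)    wrong cookie carried: negotiation terminated
        ("negotiating", None) request accepted, half-open SA created"""
        if self.challenge_active():
            expected = make_cookie(self.secret, src_ip, spi_i, nonce_i)
            if cookie is None:
                self.stats["challenged"] += 1
                return ("cookie", expected)
            if not hmac.compare_digest(cookie, expected):
                self.stats["rejected"] += 1
                return ("rejected", None)
        self.half_open[spi_i] = src_ip
        self.stats["accepted"] += 1
        return ("negotiating", None)

    def on_ike_auth_complete(self, spi_i: bytes) -> None:
        # The SA is no longer half-open once IKE_AUTH finishes.
        self.half_open.pop(spi_i, None)


def simulate(threshold: int = 3, spoofed: int = 10) -> dict:
    """Constructed scenario: a flood from spoofed sources that never retry, then one
    legitimate initiator that retries with the cookie, then a request with a forged cookie."""
    r = Responder(threshold, RESPONDER_SECRET)
    for i in range(spoofed):
        r.on_ike_sa_init(f"198.51.100.{i + 1}", i.to_bytes(8, "big"), secrets.token_bytes(32))
    half_open_after_flood = len(r.half_open)

    ip, spi, nonce = "203.0.113.5", bytes.fromhex("00000000000000ff"), secrets.token_bytes(32)
    first = r.on_ike_sa_init(ip, spi, nonce)                        # challenged
    second = r.on_ike_sa_init(ip, spi, nonce, cookie=first[1])      # accepted
    forged = r.on_ike_sa_init(ip, spi, nonce, cookie=b"\x00" * 17)  # rejected
    r.on_ike_auth_complete(spi)
    return {
        "half_open_after_flood": half_open_after_flood,
        "first": first[0], "second": second[0], "forged": forged[0],
        "stats": dict(r.stats),
    }
```

Below the threshold the responder creates half-open state as usual; at or above it, a request without a cookie is answered with one and no state is kept, so the spoofed sources in the constructed flood hold the table at the threshold while the legitimate initiator completes with one extra round trip.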
New command: ikev2 dpd
Use ikev2 dpd to configure the global IKEv2 DPD feature.
Use undo ikev2 dpd to disable the global IKEv2 DPD feature.
Syntax
ikev2 dpd interval interval [ retry seconds ] { on-demand | periodic }
undo ikev2 dpd interval
Default
The global IKEv2 DPD feature is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 10 to 3600 seconds.
retry seconds: Specifies the DPD retry interval in the range of 2 to 60 seconds. The default is 5 seconds.
on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.
periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.
Usage guidelines
DPD is triggered periodically or on-demand. The on-demand mode is recommended when the device communicates with a large number of IKEv2 peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
The triggering interval must be longer than the retry interval, so that the device will not trigger a new round of DPD during a DPD retry.
You can configure IKEv2 DPD in both IKEv2 profile view and system view. If both are configured, the IKEv2 DPD settings in IKEv2 profile view apply. If you do not configure IKEv2 DPD in IKEv2 profile view, the IKEv2 DPD settings in system view apply.
Examples
# Configure the device to trigger IKEv2 DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for 15 seconds.
<Sysname> system-view
[Sysname] ikev2 dpd interval 15 on-demand
# Configure the device to trigger IKEv2 DPD every 15 seconds.
<Sysname> system-view
[Sysname] ikev2 dpd interval 15 periodic
Related commands
dpd (IKEv2 profile view)
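How the two triggering modes of dpd and ikev2 dpd behave on the same traffic, and how the profile-view and system-view settings combine, as an added Python model. This is not HPE code: the tick-based scheduler, the function names and the constructed PEER_RX pattern are assumptions. The number of retries after an unanswered probe is not stated on this page, so the model stops at deciding when a probe is triggered.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DpdConfig:
    interval: int            # DPD triggering interval, 10 to 3600 seconds
    retry: int = 5           # DPD retry interval, 2 to 60 seconds (default 5)
    mode: str = "on-demand"  # "on-demand" or "periodic"


def validate(cfg: DpdConfig) -> DpdConfig:
    """Enforce the argument ranges and the interval > retry rule from the command reference."""
    if not 10 <= cfg.interval <= 3600:
        raise ValueError("interval must be 10 to 3600 seconds")
    if not 2 <= cfg.retry <= 60:
        raise ValueError("retry must be 2 to 60 seconds")
    if cfg.mode not in ("on-demand", "periodic"):
        raise ValueError("mode must be on-demand or periodic")
    if cfg.interval <= cfg.retry:
        # Otherwise a new DPD round could start while a retry is still outstanding.
        raise ValueError("triggering interval must be longer than the retry interval")
    return cfg


def effective_dpd(profile_cfg: Optional[DpdConfig],
                  global_cfg: Optional[DpdConfig]) -> Optional[DpdConfig]:
    """dpd in IKEv2 profile view wins; otherwise ikev2 dpd in system view applies.
    None means DPD is disabled for the SA."""
    return profile_cfg if profile_cfg is not None else global_cfg


def should_probe(cfg: Optional[DpdConfig], now: int, last_probe: int,
                 last_rx: int, has_tx: bool) -> bool:
    """Decide whether a DPD request goes out at time `now` (seconds since the SA came up).
    periodic:  a probe every `interval` seconds.
    on-demand: only when there is IPsec traffic to send and nothing has been received
               from the peer for `interval` seconds."""
    if cfg is None or now - last_probe < cfg.interval:
        return False
    if cfg.mode == "periodic":
        return True
    return has_tx and now - last_rx >= cfg.interval


def probe_times(cfg: DpdConfig, rx_times: List[int], horizon: int = 60,
                has_tx: bool = True) -> List[int]:
    """Simulate one SA second by second and return the seconds at which probes are triggered.
    rx_times lists the seconds at which IPsec packets arrived from the peer."""
    validate(cfg)
    last_probe, last_rx, probes = 0, 0, []
    for now in range(1, horizon + 1):
        if now in rx_times:
            last_rx = now
        if should_probe(cfg, now, last_probe, last_rx, has_tx):
            probes.append(now)
            last_probe = now
    return probes


# Constructed traffic pattern: the peer is heard from every 10 s, then goes silent after t=30.
PEER_RX = [10, 20, 30]
```

With interval 15 the periodic mode probes at 15, 30, 45 and 60 seconds regardless of traffic, while the on-demand mode stays quiet as long as packets keep arriving and first probes at 45 seconds, which is the bandwidth and CPU difference the usage guidelines describe.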
New command: ikev2 ipv6-address-group
Use ikev2 ipv6-address-group to configure an IKEv2 IPv6 address pool for assigning IPv6 addresses to remote peers.
Use undo ikev2 ipv6-address-group to delete an IKEv2 IPv6 address pool.
Syntax
ikev2 ipv6-address-group group-name prefix prefix/prefix-len assign-len assign-len
undo ikev2 ipv6-address-group group-name
Default
No IKEv2 IPv6 address pools exist.
Views
System view
Predefined user roles
network-admin
Parameters
group-name: Specifies a name for the IKEv2 IPv6 address pool. The group-name argument is a case-insensitive string of 1 to 63 characters.
prefix prefix/prefix-len: Specifies an IPv6 prefix in the format of prefix/prefix length. The value range for the prefix-len argument is 1 to 128.
assign-len assign-len: Specifies the assigned prefix length. The value range for the assign-len argument is 0 to 128, and the value must be greater than or equal to prefix-len. The difference between assign-len and prefix-len must be no more than 16.
Usage guidelines
Different from the IKEv2 IPv4 address pool, the device assigns an IPv6 subnet to a peer from the IKEv2 IPv6 address pool. The peer can use the assigned IPv6 subnet to assign IPv6 addresses to other devices.
IKEv2 IPv6 address pools cannot overlap with each other.
Examples
# Configure an IKEv2 IPv6 address pool with the name ipv6group, prefix 1:1::/64, and the assigned prefix length 80.
<Sysname> system-view
[Sysname] ikev2 ipv6-address-group ipv6group prefix 1:1::/64 assign-len 80
Related commands
ipv6-address-group
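An added Python check for the pool constraints above (not HPE code; it uses only the standard ipaddress module, and the function names are assumptions). It enumerates the subnets an IPv6 pool can hand out, rejects the pool parameters the command reference forbids, checks pools for overlap, and also covers the 8192-address limit of ikev2 address-group from the earlier entry.

```python
import ipaddress
from typing import List, Optional, Tuple


def ipv6_pool_subnets(prefix: str, assign_len: int) -> List[ipaddress.IPv6Network]:
    """Subnets an ikev2 ipv6-address-group pool can hand out, after checking the constraints
    from the command reference: prefix-len 1 to 128, assign-len 0 to 128,
    assign-len >= prefix-len, and assign-len - prefix-len <= 16."""
    net = ipaddress.IPv6Network(prefix, strict=True)   # rejects prefixes with host bits set
    if not 1 <= net.prefixlen <= 128:
        raise ValueError("prefix-len must be 1 to 128")
    if not 0 <= assign_len <= 128:
        raise ValueError("assign-len must be 0 to 128")
    if assign_len < net.prefixlen:
        raise ValueError("assign-len must be greater than or equal to prefix-len")
    if assign_len - net.prefixlen > 16:
        raise ValueError("assign-len minus prefix-len must be no more than 16")
    # assign-len == prefix-len yields the whole pool as a single subnet.
    return list(net.subnets(new_prefix=assign_len))


def overlapping_pools(pools: List[str]) -> Optional[Tuple[str, str]]:
    """IKEv2 IPv6 address pools cannot overlap: return the first overlapping pair, or None."""
    nets = [ipaddress.IPv6Network(p, strict=True) for p in pools]
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                return (pools[i], pools[j])
    return None


def ipv4_pool_size(start: str, end: str) -> int:
    """Address count of an ikev2 address-group range, enforcing the 8192-address maximum."""
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if hi < lo:
        raise ValueError("end address must not be lower than start address")
    size = int(hi) - int(lo) + 1
    if size > 8192:
        raise ValueError("an IKEv2 IPv4 address pool can contain a maximum of 8192 addresses")
    return size
```

For the pool in the example above, prefix 1:1::/64 with assign-len 80, the 16-bit difference is exactly the allowed maximum and yields 65536 /80 subnets; assign-len 81 is rejected.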
New command: ikev2 keychain
Use ikev2 keychain to create an IKEv2 keychain and enter its view, or enter the view of an existing IKEv2 keychain.
Use undo ikev2 keychain to delete an IKEv2 keychain.
Syntax
ikev2 keychain keychain-name
undo ikev2 keychain keychain-name
Default
No IKEv2 keychains exist.
Views
System view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies a name for the IKEv2 keychain. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).
Usage guidelines
An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. The pre-shared key configured on both ends must be the same.
You can configure multiple IKEv2 peers in an IKEv2 keychain.
Examples
# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.
<Sysname> system-view
[Sysname] ikev2 keychain key1
[Sysname-ikev2-keychain-key1]
New command: ikev2 nat-keepalive
Use ikev2 nat-keepalive to set the NAT keepalive interval.
Use undo ikev2 nat-keepalive to restore the default.
Syntax
ikev2 nat-keepalive seconds
undo ikev2 nat-keepalive
Default
The NAT keepalive interval is 10 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.
Usage guidelines
This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
The NAT keepalive interval must be shorter than the NAT session lifetime.
Examples
# Set the NAT keepalive interval to 5 seconds.
<Sysname> system-view
[Sysname] ikev2 nat-keepalive 5
New command: ikev2 policy
Use ikev2 policy to create an IKEv2 policy and enter its view, or enter the view of an existing IKEv2 policy.
Use undo ikev2 policy to delete an IKEv2 policy.
Syntax
ikev2 policy policy-name
undo ikev2 policy policy-name
Default
An IKEv2 policy named default exists, which uses the default IKEv2 proposal and matches any local addresses.
Views
System view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a name for the IKEv2 policy. The policy name is a case-insensitive string of 1 to 63 characters.
Usage guidelines
Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs. An IKEv2 policy uses IKEv2 proposals to define the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups to be used for negotiation.
You can configure multiple IKEv2 policies. An IKEv2 policy must have a minimum of one IKEv2 proposal. Otherwise, the policy is incomplete.
If the initiator uses an IPsec policy that is bound to a source interface, the initiator looks up an IKEv2 policy by the IP address of the source interface.
You can set priorities to adjust the match order of IKEv2 policies that have the same match criteria.
If no IKEv2 policy is configured, the default IKEv2 policy is used. You cannot enter the view of the default IKEv2 policy, nor modify it.
Examples
# Create an IKEv2 policy named policy1 and enter IKEv2 policy view.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1]
Related commands
display ikev2 policy
New command: ikev2 profile
Use ikev2 profile to create an IKEv2 profile and enter its view, or enter the view of an existing IKEv2 profile.
Use undo ikev2 profile to delete an IKEv2 profile.
Syntax
ikev2 profile profile-name
undo ikev2 profile profile-name
Default
No IKEv2 profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a name for the IKEv2 profile. The profile name is a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IKEv2 profile contains the IKEv2 SA parameters that are not negotiated, such as the identity information and authentication methods of the peers, and the matching criteria for profile lookup.
Examples
# Create an IKEv2 profile named profile1 and enter IKEv2 profile view.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1]
Related commands
display ikev2 profile
New command: ikev2 proposal
Use ikev2 proposal to create an IKEv2 proposal and enter its view, or enter the view of an existing IKEv2 proposal.
Use undo ikev2 proposal to delete an IKEv2 proposal.
Syntax
ikev2 proposal proposal-name
undo ikev2 proposal proposal-name
Default
An IKEv2 proposal named default exists, which has the lowest priority and uses the following settings:
In non-FIPS mode:
Encryption algorithms: AES-CBC-128 and 3DES.
Integrity protection algorithms: HMAC-SHA1 and HMAC-MD5.
PRF algorithms: HMAC-SHA1 and HMAC-MD5.
DH groups: Group 5 and group 2.
In FIPS mode:
Encryption algorithms: AES-CBC-128 and AES-CTR-128.
Integrity protection algorithms: HMAC-SHA1 and HMAC-SHA256.
PRF algorithms: HMAC-SHA1 and HMAC-SHA256.
DH groups: Group 14 and group 19.
Views
System view
Predefined user roles
network-admin
Parameters
proposal-name: Specifies a name for the IKEv2 proposal. The proposal name is a case-insensitive string of 1 to 63 characters and cannot be default.
Usage guidelines
An IKEv2 proposal contains security parameters used in IKE_SA_INIT exchanges, including the encryption algorithms, integrity protection algorithms, PRF algorithms, and DH groups.
An IKEv2 proposal must have a minimum of one set of security parameters, including one encryption algorithm, one integrity protection algorithm, one PRF algorithm, and one DH group.
In an IKEv2 proposal, you can specify multiple parameters of the same type. The parameters of different types combine and form multiple sets of security parameters. If you want to use only one set of security parameters, configure only one set of security parameters for the IKEv2 proposal.
Examples
# Create an IKEv2 proposal named prop1. Specify the encryption algorithm AES-CBC-128, integrity protection algorithm SHA1, PRF algorithm SHA1, and DH group 2.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
[Sysname-ikev2-proposal-prop1] encryption aes-cbc-128
[Sysname-ikev2-proposal-prop1] integrity sha1
[Sysname-ikev2-proposal-prop1] prf sha1
[Sysname-ikev2-proposal-prop1] dh group2
Related commands
encryption
integrity
prf
dh
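How the algorithm lists of a proposal multiply into sets of security parameters, and how the "specified earlier has a higher priority" rule of the encryption, integrity, prf and dh commands decides which set is chosen, as an added Python model. This is not HPE code and not the device's negotiation algorithm: the responder-side selection in select_transform_set, the class and function names and the constructed peer offers are assumptions; the contents of the default proposal are taken from this entry.

```python
from itertools import product
from typing import Iterable, List, Optional, Sequence, Tuple

TransformSet = Tuple[str, str, str, str]   # (encryption, integrity, prf, dh)


class Ikev2Proposal:
    """Algorithm lists keep the order in which they were specified: earlier means higher
    priority, as for the encryption, integrity, prf and dh commands."""

    def __init__(self, name: str, encryption: Sequence[str], integrity: Sequence[str],
                 prf: Sequence[str], dh: Sequence[str]):
        self.name = name
        self.encryption = list(encryption)
        self.integrity = list(integrity)
        self.prf = list(prf)
        self.dh = list(dh)

    def is_complete(self) -> bool:
        # One algorithm of each type is the minimum; otherwise the proposal is incomplete and useless.
        return all([self.encryption, self.integrity, self.prf, self.dh])

    def transform_sets(self) -> List[TransformSet]:
        """Every combination of one algorithm per type, most preferred first. product() varies
        the last list fastest, so the first encryption algorithm is tried with all other
        choices before the second encryption algorithm is considered."""
        return list(product(self.encryption, self.integrity, self.prf, self.dh))


def default_proposal(fips: bool = False) -> Ikev2Proposal:
    """The built-in proposal named default described in the command reference (lowest priority)."""
    if fips:
        return Ikev2Proposal("default", ["aes-cbc-128", "aes-ctr-128"], ["sha1", "sha256"],
                             ["sha1", "sha256"], ["group14", "group19"])
    return Ikev2Proposal("default", ["aes-cbc-128", "3des-cbc"], ["sha1", "md5"],
                         ["sha1", "md5"], ["group5", "group2"])


def select_transform_set(local: Iterable[Ikev2Proposal],
                         peer_offers: Iterable[TransformSet]) -> Optional[Tuple[str, TransformSet]]:
    """Model of responder selection: walk the local proposals in their policy order and each
    proposal's combinations in priority order; return the first one the peer also offered."""
    offered = set(peer_offers)
    for prop in local:
        if not prop.is_complete():
            continue            # an incomplete proposal never matches anything
        for ts in prop.transform_sets():
            if ts in offered:
                return prop.name, ts
    return None


def demo() -> dict:
    """Constructed negotiation: prop1 from the command reference example, widened with a second
    encryption and integrity algorithm so the combinations multiply (2 x 2 x 1 x 1 = 4)."""
    prop1 = Ikev2Proposal("prop1", ["aes-cbc-128", "3des-cbc"], ["sha1", "md5"], ["sha1"], ["group2"])
    partial = Ikev2Proposal("nodh", ["aes-cbc-256"], ["sha256"], ["sha256"], [])
    peer = [("3des-cbc", "md5", "sha1", "group2"), ("aes-cbc-128", "md5", "sha1", "group2")]
    return {
        "prop1_sets": len(prop1.transform_sets()),
        "default_sets": len(default_proposal().transform_sets()),
        "chosen": select_transform_set([partial, prop1, default_proposal()], peer),
        "fallback": select_transform_set([prop1, default_proposal()],
                                         [("3des-cbc", "sha1", "md5", "group5")]),
    }
```

The peer in demo() offers two of prop1's four combinations; the one with aes-cbc-128 wins because it was specified first, and an offer that only the default proposal covers falls through to it, which is what "lowest priority" means for that proposal.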
New command: inside-vrf
Use inside-vrf to specify an inside VPN instance.
Use undo inside-vrf to restore the default.
Syntax
inside-vrf vrf-name
undo inside-vrf
Default
No inside VPN instance is specified. The internal and external networks are in the same VPN instance. The device forwards protected data to this VPN instance.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
vrf-name: Specifies the VPN instance to which the protected data belongs. The vrf-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
This command determines where the device should forward received IPsec packets after it de-encapsulates them. If you configure this command, the device looks for a route in the specified VPN instance to forward the packets. If you do not configure this command, the internal and external networks are in the same VPN instance. The device looks for a route in this VPN instance to forward the packets.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify the inside VPN instance vpn1.
[Sysname-ikev2-profile-profile1] inside-vrf vpn1
New command: integrity
Use integrity to specify integrity protection algorithms for an IKEv2 proposal.
Use undo integrity to restore the default.
Syntax
In non-FIPS mode:
integrity { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
undo integrity
In FIPS mode:
integrity { sha1 | sha256 | sha384 | sha512 } *
undo integrity
Default
No integrity protection algorithm is specified for an IKEv2 proposal.
Views
IKEv2 proposal view
Predefined user roles
network-admin
Parameters
aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.
md5: Uses the HMAC-MD5 algorithm.
sha1: Uses the HMAC-SHA1 algorithm.
sha256: Uses the HMAC-SHA256 algorithm.
sha384: Uses the HMAC-SHA384 algorithm.
sha512: Uses the HMAC-SHA512 algorithm.
Usage guidelines
You must specify a minimum of one integrity protection algorithm for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless. You can specify multiple integrity protection algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
Examples
# Create an IKEv2 proposal named prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
# Specify HMAC-SHA1 and HMAC-MD5 as the integrity protection algorithms, with HMAC-SHA1 preferred.
[Sysname-ikev2-proposal-prop1] integrity sha1 md5
Related commands
ikev2 proposal
New command: keychain
Use keychain to specify an IKEv2 keychain for pre-shared key authentication.
Use undo keychain to restore the default.
Syntax
keychain keychain-name
undo keychain
Default
No IKEv2 keychain is specified for an IKEv2 profile.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies an IKEv2 keychain by its name. The keychain name is a case-insensitive string of 1 to 63 characters and cannot contain a hyphen (-).
Usage guidelines
An IKEv2 keychain is required on both ends if either end uses pre-shared key authentication. You can specify only one IKEv2 keychain for an IKEv2 profile.
You can specify the same IKEv2 keychain for different IKEv2 profiles.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify the IKEv2 keychain keychain1.
[Sysname-ikev2-profile-profile1] keychain keychain1
Related commands
display ikev2 profile
ikev2 keychain
New command: match local (IKEv2 profile view)
Use match local to specify a local interface or a local IP address to which an IKEv2 profile can be applied.
Use undo match local to remove a local interface or a local IP address to which an IKEv2 profile can be applied.
Syntax
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
undo match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
Default
An IKEv2 profile can be applied to any local interface or IP address.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
address: Specifies a local interface or IP address to which an IKEv2 profile can be applied.
interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
Usage guidelines
Use this command to specify which address or interface can use the IKEv2 profile for IKEv2 negotiation. The interface is the interface that receives IKEv2 packets. The IP address is the IP address of the interface that receives IKEv2 packets.
An IKEv2 profile configured earlier has a higher priority. To give an IKEv2 profile that is configured later a higher priority, you can configure the priority command or this command for the profile. For example, suppose you configured IKEv2 profile A before configuring IKEv2 profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKEv2 profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKEv2 profile B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKEv2 profile A is preferred because IKEv2 profile A was configured earlier. To use IKEv2 profile B, you can use this command to restrict the application scope of IKEv2 profile B to IPv4 address 3.3.3.3.
You can specify multiple applicable local interfaces or IP addresses for an IKEv2 profile.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Apply the IKEv2 profile profile1 to the interface whose IP address is 2.2.2.2.
[Sysname-ikev2-profile-profile1] match local address 2.2.2.2
Related commands
match remote
New command: match local address (IKEv2 policy view)
Use match local address to specify a local interface or a local address that an IKEv2 policy matches.
Use undo match local address to remove a local interface or a local address that an IKEv2 policy matches.
Syntax
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
undo match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
Default
No local interface or address is specified, and the IKEv2 policy matches any local interface or address.
Views
IKEv2 policy view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies a local interface by its type and number. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
Usage guidelines
IKEv2 policies with this command configured are looked up before those that do not have this command configured.
Examples
# Configure the IKEv2 policy policy1 to match the local address 3.3.3.3.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1] match local address 3.3.3.3
Related commands
display ikev2 policy
match vrf
New command: match remote
Use match remote to configure a peer ID that an IKEv2 profile matches.
Use undo match remote to delete a peer ID that an IKEv2 profile matches.
Syntax
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
Default
No matching peer ID is configured for an IKEv2 profile.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
certificate policy-name: Uses the information in the peer's digital certificate as the peer ID for IKEv2 profile matching. The policy-name argument specifies a certificate-based access control policy by its name, a case-insensitive string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKEv2 profile matching. The specified information is configured on the peer by using the identity local command.
address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKEv2 profile matching. The value range for the mask-length argument is 0 to 32.
address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.
address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKEv2 profile matching. The value range for the prefix-length argument is 0 to 128.
address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKEv2 profile matching. The end address must be higher than the start address.
fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKEv2 profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
email email-string: Uses the peer's email address as the peer ID for IKEv2 profile matching. The email-string argument is a case-sensitive string of 1 to 255 characters in the format defined by RFC 822, such as [email protected].
key-id key-id-string: Uses the peer's key ID as the peer ID for IKEv2 profile matching. The key-id-string argument is a case-sensitive string of 1 to 255 characters, and is usually a vendor-specific string for doing proprietary types of identification.
Usage guidelines
The device compares the received peer ID with the peer IDs configured in local IKEv2 profiles. If a match is found, it uses the IKEv2 profile with the matching peer ID for IKEv2 negotiation. If you have configured the match local address and match vrf commands, the IKEv2 profile must also match the specified local interface or address and the specified VPN instance.
To make sure only one IKEv2 profile is matched for a peer, do not configure the same peer ID for two or more IKEv2 profiles. If you configure the same peer ID for two or more IKEv2 profiles, which IKEv2 profile is selected for IKEv2 negotiation is unpredictable.
You can configure an IKEv2 profile to match multiple peer IDs. A peer ID configured earlier has a higher priority.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Configure the IKEv2 profile to match the peer ID that is the FQDN name www.test.com.
[Sysname-ikev2-profile-profile1] match remote identity fqdn www.test.com
# Configure the IKEv2 profile to match the peer ID that is the IP address 10.1.1.1.
[Sysname-ikev2-profile-profile1] match remote identity address 10.1.1.1
Related commands
identity local
match local address
match vrf
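Profile lookup by peer ID as the usage guidelines above describe it, written here in Python as an added example (not Comware code): profiles are tried in priority order (priority command, smaller number first, default 100, ties in configuration order), peer IDs within a profile in configuration order, and a lint function reports a peer ID that two profiles share, the situation the guidelines call unpredictable. Only profile1 and its two peer IDs come from the page; the other profiles, names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerId:
    """One peer ID of the kinds accepted by match remote identity."""
    kind: str       # "address", "fqdn", "email" or "key-id"
    value: object   # ip_network, (low, high) address tuple, or str

    def matches(self, kind: str, value: str) -> bool:
        if kind != self.kind:
            return False
        if kind == "address":
            addr = ipaddress.ip_address(value)
            if isinstance(self.value, tuple):            # range low high
                low, high = self.value
                return addr.version == low.version and low <= addr <= high
            return addr.version == self.value.version and addr in self.value
        return value == self.value                        # fqdn/email/key-id: exact string


def address_id(spec: str) -> PeerId:
    """Parse the address forms: 'host', 'host/len', 'host mask' or 'range low high'."""
    parts = spec.split()
    if parts[0] == "range":
        low, high = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
        if low.version != high.version or high <= low:
            raise ValueError("end address must be higher than start address")
        return PeerId("address", (low, high))
    if len(parts) == 2:                                  # 'address mask' form
        spec = parts[0] + "/" + parts[1]
    return PeerId("address", ipaddress.ip_network(spec, strict=False))


@dataclass
class Ikev2Profile:
    name: str
    priority: int = 100                                  # default of the priority command
    peer_ids: List[PeerId] = field(default_factory=list)

    def match_remote(self, pid: PeerId) -> "Ikev2Profile":
        self.peer_ids.append(pid)                        # configured earlier = higher priority
        return self


def select_profile(profiles: List[Ikev2Profile], kind: str, value: str) -> Optional[str]:
    """Name of the profile the device would pick for a received peer ID, or None."""
    for prof in sorted(profiles, key=lambda p: p.priority):   # stable sort keeps config order
        if any(pid.matches(kind, value) for pid in prof.peer_ids):
            return prof.name
    return None


def lint_duplicate_peer_ids(profiles: List[Ikev2Profile]) -> List[Tuple[str, str, str]]:
    """(kind, profile, profile) for every peer ID configured in two profiles."""
    hits = []
    for i, p1 in enumerate(profiles):
        for p2 in profiles[i + 1:]:
            for a in p1.peer_ids:
                if any(a.kind == b.kind and a.value == b.value for b in p2.peer_ids):
                    hits.append((a.kind, p1.name, p2.name))
    return hits


def sample_profiles() -> List[Ikev2Profile]:
    """Constructed configuration: profile1 is the page's example, branch and dup are made up."""
    profile1 = (Ikev2Profile("profile1")
                .match_remote(PeerId("fqdn", "www.test.com"))
                .match_remote(address_id("10.1.1.1")))
    branch = Ikev2Profile("branch").match_remote(address_id("range 10.1.1.0 10.1.1.255"))
    dup = Ikev2Profile("dup", priority=10).match_remote(PeerId("fqdn", "www.test.com"))
    return [profile1, branch, dup]


if __name__ == "__main__":
    profs = sample_profiles()
    print(select_profile(profs, "fqdn", "www.test.com"))     # dup wins on priority 10
    print(lint_duplicate_peer_ids(profs))                   # [('fqdn', 'profile1', 'dup')]
```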
New command: match vrf (IKEv2 policy view)
Use match vrf to specify a VPN instance that an IKEv2 policy matches.
Use undo match vrf to restore the default.
Syntax
match vrf { name vrf-name | any }
undo match vrf
Default
No VPN instance is specified, and the IKEv2 policy matches all local IP addresses in the public network.
Views
IKEv2 policy view
Predefined user roles
network-admin
Parameters
name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.
any: Specifies the public network and all VPN instances.
Usage guidelines
Each end must have an IKEv2 policy for the IKE_SA_INIT exchange. The initiator looks up an IKEv2 policy by the IP address of the interface to which the IPsec policy is applied and the VPN instance to which the interface belongs. The responder looks up an IKEv2 policy by the IP address of the interface that receives the IKEv2 packet and the VPN instance to which the interface belongs.
IKEv2 policies with this command configured are looked up before those that do not have this command configured.
Examples
# Create an IKEv2 policy named policy1.
<Sysname> system-view
[Sysname] ikev2 policy policy1
# Configure the IKEv2 policy to match the VPN instance vpn1.
[Sysname-ikev2-policy-policy1] match vrf name vpn1
Related commands
display ikev2 policy
match local address
New command: match vrf (IKEv2 profile view)
Use match vrf to specify a VPN instance for an IKEv2 profile.
Use undo match vrf to restore the default.
Syntax
match vrf { name vrf-name | any }
undo match vrf
Default
An IKEv2 profile belongs to the public network.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
name vrf-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.
any: Specifies the public network and all VPN instances.
Usage guidelines
If an IKEv2 profile belongs to a VPN instance, only interfaces in the VPN instance can use the IKEv2 profile for IKEv2 negotiation. The VPN instance is the VPN instance to which the interface that receives IKEv2 packets belongs. If you specify the any keyword, interfaces in any VPN instance can use the IKEv2 profile for IKEv2 negotiation.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Specify vrf1 as the VPN instance that the IKEv2 profile belongs to.
[Sysname-ikev2-profile-profile1] match vrf name vrf1
Related commands
match remote
New command: nat-keepalive
Use nat-keepalive to set the NAT keepalive interval.
Use undo nat-keepalive to restore the default.
Syntax
nat-keepalive seconds
undo nat-keepalive
Default
The NAT keepalive interval set in system view is used.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 3600.
Usage guidelines
This command takes effect when the device resides in the private network behind a NAT device. The device must send NAT keepalive packets regularly to its peer to keep the NAT session alive, so that the peer can access the device.
The NAT keepalive interval must be shorter than the NAT session lifetime.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Set the NAT keepalive interval to 1200 seconds.
[Sysname-ikev2-profile-profile1] nat-keepalive 1200
Related commands
display ikev2 profile
ikev2 nat-keepalive
New command: peer
Use peer to create an IKEv2 peer and enter its view, or enter the view of an existing IKEv2 peer.
Use undo peer to delete an IKEv2 peer.
Syntax
peer name
undo peer name
Default
No IKEv2 peers exist.
Views
IKEv2 keychain view
Predefined user roles
network-admin
Parameters
name: Specifies a name for the IKEv2 peer. The peer name is a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IKEv2 peer contains a pre-shared key and the criteria for looking up the peer. The criteria for peer lookup include the peer's host name, IP address, IP address range, and ID. The IKEv2 negotiation initiator uses the peer's host name, IP address, or IP address range to look up its peer. The responder uses the peer's IP address, IP address range, or ID to look up its peer.
Examples
# Create an IKEv2 keychain named key1 and enter IKEv2 keychain view.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
Related commands
address
hostname
identity
ikev2 keychain
New command: pre-shared-key
Use pre-shared-key to configure a pre-shared key.
Use undo pre-shared-key to delete a pre-shared key.
Syntax
pre-shared-key [ local | remote ] { ciphertext | plaintext } string
undo pre-shared-key [ local | remote ]
Default
No pre-shared key exists.
Views
IKEv2 peer view
Predefined user roles
network-admin
Parameters
local: Specifies a pre-shared key for certificate signing.
remote: Specifies a pre-shared key for certificate authentication.
ciphertext: Specifies a pre-shared key in encrypted form.
plaintext: Specifies a pre-shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the pre-shared key. The key is case sensitive. In non-FIPS mode, its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters. In FIPS mode, its plaintext form is a string of 15 to 128 characters and its encrypted form is a string of 15 to 201 characters.
Usage guidelines
If you specify the local or remote keyword, you configure an asymmetric key. If you specify neither the local nor the remote keyword, you configure a symmetric key.
To delete a key by using the undo command, you must specify the correct key type. For example, if you configure a key by using the pre-shared-key local command, you cannot delete the key by using the undo pre-shared-key or undo pre-shared-key remote command.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
On the initiator:
# Create an IKEv2 keychain named key1.
<Sysname> system-view
[Sysname] ikev2 keychain key1
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-key1] peer peer1
# Configure the symmetric plaintext pre-shared key 111-key.
[Sysname-ikev2-keychain-key1-peer-peer1] pre-shared-key plaintext 111-key
[Sysname-ikev2-keychain-key1-peer-peer1] quit
# Create an IKEv2 peer named peer2.
[Sysname-ikev2-keychain-key1] peer peer2
# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-a and the key for certificate authentication is 111-key-b.
[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key local plaintext 111-key-a
[Sysname-ikev2-keychain-key1-peer-peer2] pre-shared-key remote plaintext 111-key-b
On the responder:
# Create an IKEv2 keychain named telecom.
<Sysname> system-view
[Sysname] ikev2 keychain telecom
# Create an IKEv2 peer named peer1.
[Sysname-ikev2-keychain-telecom] peer peer1
# Configure the symmetric plaintext pre-shared key 111-key.
[Sysname-ikev2-keychain-telecom-peer-peer1] pre-shared-key plaintext 111-key
[Sysname-ikev2-keychain-telecom-peer-peer1] quit
# Create an IKEv2 peer named peer2.
[Sysname-ikev2-keychain-telecom] peer peer2
# Configure asymmetric plaintext pre-shared keys. The key for certificate signing is 111-key-b and the key for certificate authentication is 111-key-a.
[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key local plaintext 111-key-b
[Sysname-ikev2-keychain-telecom-peer-peer2] pre-shared-key remote plaintext 111-key-a
Related commands
ikev2 keychain
peer
New command: prf
Use prf to specify pseudo-random function (PRF) algorithms for an IKEv2 proposal.
Use undo prf to restore the default.
Syntax
In non-FIPS mode:
prf { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 } *
undo prf
In FIPS mode:
prf { sha1 | sha256 | sha384 | sha512 } *
undo prf
Default
An IKEv2 proposal uses the integrity protection algorithms as the PRF algorithms.
Views
IKEv2 proposal view
Predefined user roles
network-admin
Parameters
aes-xcbc-mac: Uses the HMAC-AES-XCBC-MAC algorithm.
md5: Uses the HMAC-MD5 algorithm.
sha1: Uses the HMAC-SHA1 algorithm.
sha256: Uses the HMAC-SHA256 algorithm.
sha384: Uses the HMAC-SHA384 algorithm.
sha512: Uses the HMAC-SHA512 algorithm.
Usage guidelines
You can specify multiple PRF algorithms for an IKEv2 proposal. An algorithm specified earlier has a higher priority.
Examples
# Create an IKEv2 proposal named prop1.
<Sysname> system-view
[Sysname] ikev2 proposal prop1
# Specify HMAC-SHA1 and HMAC-MD5 as the PRF algorithms, with HMAC-SHA1 preferred.
[Sysname-ikev2-proposal-prop1] prf sha1 md5
Related commands
ikev2 proposal
integrity
New command: priority (IKEv2 policy view)
Use priority to set a priority for an IKEv2 policy.
Use undo priority to restore the default.
Syntax
priority priority
undo priority
Default
The priority of an IKEv2 policy is 100.
Views
IKEv2 policy view
Predefined user roles
network-admin
Parameters
priority: Specifies the priority of the IKEv2 policy, in the range of 1 to 65535. A smaller number represents a higher priority.
Usage guidelines
The priority set by this command can only be used to adjust the match order of IKEv2 policies.
Examples
# Set the priority to 10 for the IKEv2 policy policy1.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1] priority 10
Related commands
display ikev2 policy
New command: priority (IKEv2 profile view)
Use priority to set a priority for an IKEv2 profile.
Use undo priority to restore the default.
Syntax
priority priority
undo priority
Default
The priority of an IKEv2 profile is 100.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
priority: Specifies the priority of the IKEv2 profile, in the range of 1 to 65535. A smaller number represents a higher priority.
Usage guidelines
The priority set by this command can only be used to adjust the match order of IKEv2 profiles.
Examples
# Set the priority to 10 for the IKEv2 profile profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
[Sysname-ikev2-profile-profile1] priority 10
New command: proposal
Use proposal to specify an IKEv2 proposal for an IKEv2 policy.
Use undo proposal to remove an IKEv2 proposal from an IKEv2 policy.
Syntax
proposal proposal-name
undo proposal proposal-name
Default
No IKEv2 proposal is specified for an IKEv2 policy.
Views
IKEv2 policy view
Predefined user roles
network-admin
Parameters
proposal-name: Specifies an IKEv2 proposal by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can specify multiple IKEv2 proposals for an IKEv2 policy. A proposal specified earlier has a higher priority.
Examples
# Specify the IKEv2 proposal proposal1 for the IKEv2 policy policy1.
<Sysname> system-view
[Sysname] ikev2 policy policy1
[Sysname-ikev2-policy-policy1] proposal proposal1
Related commands
display ikev2 policy
ikev2 proposal
New command: reset ikev2 sa
Use reset ikev2 sa to delete IKEv2 SAs.
Syntax
reset ikev2 sa [ [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance
vpn-instance-name ] ] | tunnel tunnel-id ] [ fast ]
Views
User view
Predefined user roles
network-admin
Parameters
local: Deletes IKEv2 SAs for a local IP address.
remote: Deletes IKEv2 SAs for a remote IP address.
ipv4-address: Specifies a local or remote IPv4 address.
ipv6 ipv6-address: Specifies a local or remote IPv6 address.
vpn-instance vpn-instance-name: Deletes IKEv2 SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command deletes IKEv2 SAs for the public network.
tunnel tunnel-id: Deletes IKEv2 SAs for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.
fast: Notifies the peers of the deletion and deletes IKEv2 SAs directly before receiving the peers' responses. If you do not specify this keyword, the device notifies the peers of the deletion and deletes IKEv2 SAs after it receives the peers' responses.
Usage guidelines
Deleting an IKEv2 SA will also delete the child SAs negotiated through the IKEv2 SA.
If you do not specify any parameters, this command deletes all IKEv2 SAs and the child SAs negotiated through the IKEv2 SAs.
Examples
# Display information about IKEv2 SAs.
<Sysname> display ikev2 sa
Tunnel ID Local Remote Status
--------------------------------------------------------------------
1 1.1.1.1/500 1.1.1.2/500 EST
2 2.2.2.1/500 2.2.2.2/500 EST
Status:
IN-NEGO: Negotiating EST: Established, DEL: Deleting
# Delete the IKEv2 SA whose remote IP address is 1.1.1.2.
<Sysname> reset ikev2 sa remote 1.1.1.2
# Display information about IKEv2 SAs again. Verify that the IKEv2 SA is deleted.
<Sysname> display ikev2 sa
Tunnel ID Local Remote Status
--------------------------------------------------------------------
2 2.2.2.1/500 2.2.2.2/500 EST
Status:
IN-NEGO: Negotiating EST: Established, DEL: Deleting
Related commands
display ikev2 sa
New command: reset ikev2 statistics
Use reset ikev2 statistics to clear IKEv2 statistics.
Syntax
reset ikev2 statistics
Views
Any view
Predefined user roles
network-admin
Examples
# Clear IKEv2 statistics.
<Sysname> reset ikev2 statistics
New command: sa duration
Use sa duration to set the IKEv2 SA lifetime.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The IKEv2 SA lifetime is 86400 seconds.
Views
IKEv2 profile view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IKEv2 SA lifetime in seconds, in the range of 120 to 86400.
Usage guidelines
An IKEv2 SA can be used for subsequent IKEv2 negotiations before its lifetime expires, saving a lot of negotiation time. However, the longer the lifetime, the higher the possibility that attackers collect enough information and initiate attacks.
Two peers can have different IKEv2 SA lifetime settings, and they do not perform lifetime negotiation.
The peer with a shorter lifetime always initiates the rekeying.
Examples
# Create an IKEv2 profile named profile1.
<Sysname> system-view
[Sysname] ikev2 profile profile1
# Set the IKEv2 SA lifetime to 1200 seconds.
[Sysname-ikev2-profile-profile1] sa duration 1200
Related commands
display ikev2 profile
New command: esn enable
Use esn enable to enable the Extended Sequence Number (ESN) feature.
Use undo esn enable to disable the ESN feature.
Syntax
esn enable [ both ]
undo esn enable
Default
ESN is disabled.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
both: Specifies IPsec to support both extended sequence number and traditional sequence number. If you do not specify this keyword, IPsec only supports extended sequence number.
Usage guidelines
The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does not need to be renegotiated.
This feature must be enabled at both the initiator and the responder.
Examples
# Enable the ESN feature in the IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esn enable
Related commands
display ipsec transform-set
New command: ikev2-profile
Use ikev2-profile to specify an IKEv2 profile for an IPsec policy or IPsec policy template.
Use undo ikev2-profile to restore the default.
Syntax
ikev2-profile profile-name
undo ikev2-profile
Default
No IKEv2 profile is specified.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The IKEv2 profile specified for an IPsec policy or IPsec policy template defines the parameters used for IKEv2 negotiation.
You can specify only one IKEv2 profile for an IPsec policy or IPsec policy template. On the initiator, an IKEv2 profile is required. On the responder, an IKEv2 profile is optional. If you do not specify an IKEv2 profile, the responder can use any IKEv2 profile for negotiation.
Examples
# Specify the IKEv2 profile profile1 for the IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ikev2-profile profile1
Related commands
display ipsec ipv6-policy
display ipsec policy
ikev2 profile
New command: tfc enable
Use tfc enable to enable the Traffic Flow Confidentiality (TFC) padding feature.
Use undo tfc enable to disable the TFC padding feature.
Syntax
tfc enable
undo tfc enable
Default
TFC padding is disabled.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Usage guidelines
The TFC padding feature can hide the length of the original packet, and might affect the packet encapsulation and de-encapsulation performance. This feature takes effect on UDP packets encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode.
Examples
# Enable TFC padding for the IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable
Related commands
display ipsec ipv6-policy
display ipsec policy
Modified command: ah authentication-algorithm
Old syntax
In non-FIPS mode:
ah authentication-algorithm { md5 | sha1 | sm3 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm sha1
undo ah authentication-algorithm
New syntax
In non-FIPS mode:
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo ah authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm.
sha256: Specifies the HMAC-SHA256 algorithm.
sha384: Specifies the HMAC-SHA384 algorithm.
sha512: Specifies the HMAC-SHA512 algorithm.
Modified command: display ipsec { ipv6-policy | policy }
Syntax
display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]
Views
Any view
Change description
The following fields were added to the command output:
Traffic Flow Confidentiality
—Whether Traffic Flow Confidentiality (TFC) padding is enabled.
IKEv2 profile
—IKEv2 profile used by the IPsec policy.
Modified command: display ipsec { ipv6-policy-template | policy-template }
Syntax
display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]
Views
Any view
Change description
The following fields were added to the command output:
Traffic Flow Confidentiality
—Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Selector mode
—Data flow protection mode of the IPsec policy template.
Local address
—Local end IP address of the IPsec tunnel.
IKEv2 profile
—IKEv2 profile used by the IPsec policy template.
SA idle time
—Idle timeout of the IPsec SA, in seconds.
Modified command: display ipsec sa
Syntax
display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy }
policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]
Views
Any view
Change description
The following fields were added to the command output:
Extended Sequence Number enable
—Whether Extended Sequence Number (ESN) is enabled.
Traffic Flow Confidentiality enable
—Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Inside VRF
—VPN instance to which the protected data flow belongs.
The following values were added to the Perfect Forward Secrecy field:
dh-group19
—256-bit ECP Diffie-Hellman group.
dh-group20
—384-bit ECP Diffie-Hellman group.
Modified command: display ipsec transform-set
Syntax
display ipsec transform-set [ transform-set-name ]
Views
Any view
Change description
The following fields were added to the command output:
ESN
—Whether Extended Sequence Number (ESN) is enabled.
PFS
—Perfect Forward Secrecy (PFS) configuration.
Modified command: display ipsec tunnel
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Change description
The following values were added to the Perfect Forward Secrecy field of the command output:
dh-group19
—256-bit ECP Diffie-Hellman group.
dh-group20
—384-bit ECP Diffie-Hellman group.
Modified command: esp authentication-algorithm
Old syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
New syntax
In non-FIPS mode:
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo esp authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm.
sha256: Specifies the HMAC-SHA256 algorithm.
sha384: Specifies the HMAC-SHA384 algorithm.
sha512: Specifies the HMAC-SHA512 algorithm.
Modified command: esp encryption-algorithm
Old syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
undo esp encryption-algorithm
New syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null } *
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *
undo esp encryption-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-ctr-128: Uses the AES algorithm with a 128-bit key in CTR mode. This keyword is available only for IKEv2.
aes-ctr-192: Uses the AES algorithm with a 192-bit key in CTR mode. This keyword is available only for IKEv2.
aes-ctr-256: Uses the AES algorithm with a 256-bit key in CTR mode. This keyword is available only for IKEv2.
camellia-cbc-128: Uses the Camellia algorithm with a 128-bit key in CBC mode. This keyword is available only for IKEv2.
camellia-cbc-192: Uses the Camellia algorithm with a 192-bit key in CBC mode. This keyword is available only for IKEv2.
camellia-cbc-256: Uses the Camellia algorithm with a 256-bit key in CBC mode. This keyword is available only for IKEv2.
gmac-128: Uses the GMAC algorithm with a 128-bit key. This keyword is available only for IKEv2.
gmac-192: Uses the GMAC algorithm with a 192-bit key. This keyword is available only for IKEv2.
gmac-256: Uses the GMAC algorithm with a 256-bit key. This keyword is available only for IKEv2.
gcm-128: Uses the GCM algorithm with a 128-bit key. This keyword is available only for IKEv2.
gcm-192: Uses the GCM algorithm with a 192-bit key. This keyword is available only for IKEv2.
gcm-256: Uses the GCM algorithm with a 256-bit key. This keyword is available only for IKEv2.
Modified command: pfs
Old syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
undo pfs
In FIPS mode:
pfs dh-group14
undo pfs
New syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 |
dh-group24 }
undo pfs
In FIPS mode:
pfs { dh-group14 | dh-group19 | dh-group20 | dh-group24 }
undo pfs
Views
IPsec transform set view
Change description
The following keywords were added:
dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
dh-group20: Uses 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
Modified command: pre-shared-key
Old syntax
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
| hostname host-name } key { cipher cipher-key | simple simple-key }
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address
[ prefix-length ] } | hostname host-name }
New syntax
In non-FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
| hostname host-name } key { cipher cipher-key | simple simple-key }
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address
[ prefix-length ] } | hostname host-name }
In FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] }
| hostname host-name } key [ cipher cipher-key ]
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address
[ prefix-length ] } | hostname host-name }
Views
IKE keychain view
Change description
After modification, if you do not specify the cipher cipher-key option, you specify a plaintext pre-shared key in interactive mode. The key is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters other than the question mark (?). In non-FIPS mode, this command does not support configuring a pre-shared key in interactive mode.
Modified command: authentication-algorithm
Old syntax
In non-FIPS mode:
authentication-algorithm { md5 | sha | sm3 }
undo authentication-algorithm
In FIPS mode:
authentication-algorithm sha
undo authentication-algorithm
New syntax
In non-FIPS mode:
authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 | sm3 }
undo authentication-algorithm
In FIPS mode:
authentication-algorithm { sha | sha256 | sha384 | sha512 }
undo authentication-algorithm
Views
IKE proposal view
Change description
The following keywords were added:
sha256: Specifies the HMAC-SHA256 algorithm.
sha384: Specifies the HMAC-SHA384 algorithm.
sha512: Specifies the HMAC-SHA512 algorithm.
New feature: SSL support for Suite B
Configuring Suite B in SSL
Suite B contains a set of encryption and authentication algorithms that meet high security requirements.
In this software version, Suite B is available in SSL. In addition, a new command was added to display the algorithm version number on the device.
Command reference
New command: display crypto version
Use display crypto version to display the algorithm version number.
Syntax
display crypto version
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
The algorithm version number identifies a suite of cryptographic algorithms.
Examples
# Display the algorithm version number.
<Sysname> display crypto version
7.1.886
Table 1 Command output
Field | Description
7.1.1.886 | Version number information, in the format of 7.1.X. 7.1 represents Comware V700R001, and X represents the algorithm version number.
New command: ssl version disable
Use ssl version disable to disable SSL protocol versions on the device.
Use undo ssl version disable to enable SSL protocol versions on the device.
Syntax
In non-FIPS mode:
ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
undo ssl version { ssl3.0 | tls1.0 | tls1.1 } * disable
In FIPS mode:
ssl version { tls1.0 | tls1.1 } * disable
undo ssl version { tls1.0 | tls1.1 } * disable
Default
In non-FIPS mode, the device supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
In FIPS mode, the device supports TLS 1.0, TLS 1.1, and TLS 1.2.
Views
System view
Predefined user roles
network-admin
Parameters
ssl3.0: Specifies SSL 3.0.
tls1.0: Specifies TLS 1.0.
tls1.1: Specifies TLS 1.1.
Usage guidelines
Use this command to disable SSL 3.0, TLS 1.0, and TLS 1.1 on the device to enhance system security.
An SSL client always uses the SSL protocol version specified for it (by using the version command), whether you disable the SSL protocol version or not.
An SSL server supports only TLS 1.2 after SSL 3.0, TLS 1.0, and TLS 1.1 are disabled.
Disabling an SSL protocol version on the device does not affect the availability of earlier SSL protocol versions. For example, if you execute the ssl version tls1.1 disable command, TLS 1.1 is disabled but TLS 1.0 is still available.
In FIPS mode, the device does not support SSL 3.0.
Examples
# Disable SSL 3.0 on the device.
<Sysname> system-view
[Sysname] ssl version ssl3.0 disable
# Disable TLS 1.0 on the device.
<Sysname> system-view
[Sysname] ssl version tls1.0 disable
New command: ssl renegotiation disable
Use ssl renegotiation disable to disable SSL session renegotiation.
Use undo ssl renegotiation disable to restore the default.
Syntax
ssl renegotiation disable
undo ssl renegotiation disable
Default
SSL session renegotiation is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The SSL session renegotiation feature enables the SSL client and server to reuse a previously negotiated SSL session for an abbreviated handshake.
Disabling session renegotiation causes more computational overhead to the system but it can avoid potential risks. Disable SSL session renegotiation only when explicitly required.
Examples
# Disable SSL session renegotiation.
<Sysname> system-view
[Sysname] ssl renegotiation disable
Modified command: version
Old syntax
In non-FIPS mode:
version { ssl3.0 | tls1.0 }
undo version
In FIPS mode:
version tls1.0
undo version
New syntax
In non-FIPS mode:
version { ssl3.0 | tls1.0 | tls1.1 | tls1.2 }
undo version
In FIPS mode:
version { tls1.0 | tls1.1 | tls1.2 }
undo version
Views
SSL client policy view
Change description
The following keywords were added:
tls1.1: Specifies TLS 1.1 for the SSL client policy.
tls1.2: Specifies TLS 1.2 for the SSL client policy.
Modified command: ciphersuite
Old syntax
In non-FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |
exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |
rsa_rc4_128_sha } *
undo ciphersuite
In FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha } *
undo ciphersuite
New syntax
In non-FIPS mode:
ciphersuite { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha | rsa_aes_128_cbc_sha256 | dhe_rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 | dhe_rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 } *
undo ciphersuite
In FIPS mode:
ciphersuite { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_128_cbc_sha256 | ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 } *
undo ciphersuite
Views
SSL server policy view
Change description
The following keywords were added:
rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.
dhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
dhe_rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_rsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.
ecdhe_rsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.
ecdhe_rsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES GCM, and the MAC algorithm SHA384.
ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.
ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.
ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES GCM, and the MAC algorithm SHA384.
Modified command: prefer-cipher
Old syntax
In non-FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha |
exp_rsa_des_cbc_sha | exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha |
rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 |
rsa_rc4_128_sha }
undo prefer-cipher
In FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha }
undo prefer-cipher
New syntax
In non-FIPS mode:
prefer-cipher { dhe_rsa_aes_128_cbc_sha | dhe_rsa_aes_256_cbc_sha | exp_rsa_des_cbc_sha |
exp_rsa_rc2_md5 | exp_rsa_rc4_md5 | rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha |
rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha |
rsa_aes_128_cbc_sha256 | rsa_aes_256_cbc_sha256 | dhe_rsa_aes_128_cbc_sha256 |
dhe_rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 |
ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 |
ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 }
undo prefer-cipher
In FIPS mode:
prefer-cipher { rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_aes_128_cbc_sha256 |
rsa_aes_256_cbc_sha256 | ecdhe_rsa_aes_128_cbc_sha256 | ecdhe_rsa_aes_256_cbc_sha384 |
ecdhe_rsa_aes_128_gcm_sha256 | ecdhe_rsa_aes_256_gcm_sha384 | ecdhe_ecdsa_aes_128_cbc_sha256 |
ecdhe_ecdsa_aes_256_cbc_sha384 | ecdhe_ecdsa_aes_128_gcm_sha256 | ecdhe_ecdsa_aes_256_gcm_sha384 }
undo prefer-cipher
Views
SSL client policy view
Change description
The following keywords were added:
rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.
dhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
dhe_rsa_aes_256_cbc_sha256: Specifies the key exchange algorithm DHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_rsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_rsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.
ecdhe_rsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.
ecdhe_rsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE RSA, the data encryption algorithm 256-bit AES GCM, and the MAC algorithm SHA384.
ecdhe_ecdsa_aes_128_cbc_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES CBC, and the MAC algorithm SHA256.
ecdhe_ecdsa_aes_256_cbc_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES CBC, and the MAC algorithm SHA384.
ecdhe_ecdsa_aes_128_gcm_sha256: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 128-bit AES GCM, and the MAC algorithm SHA256.
ecdhe_ecdsa_aes_256_gcm_sha384: Specifies the key exchange algorithm ECDHE ECDSA, the data encryption algorithm 256-bit AES GCM, and the MAC algorithm SHA384.
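As an added example (not HPE code), the following Python decodes the ciphersuite and prefer-cipher keywords above into the key exchange, encryption and MAC algorithm they name, as the change descriptions do by hand, and checks a configured list against the protocol versions left enabled by ssl version ... disable and against the FIPS-mode keyword set of the new ciphersuite syntax. The keyword grammar is inferred from the keywords on this page; the TLS 1.2 requirement for SHA-256/SHA-384 and GCM suites is general TLS knowledge, not a statement from the note.

```python
"""Decode and audit Comware SSL cipher-suite keywords (ciphersuite / prefer-cipher).

Added example, not HPE code. The keyword grammar <kx>_<cipher>[_<mode>]_<mac> is
inferred from the keywords listed in the release note; FIPS_SUITES is the FIPS-mode
keyword set of the new ciphersuite syntax, copied from the note.
"""
import re

FIPS_SUITES = frozenset({
    "rsa_aes_128_cbc_sha", "rsa_aes_256_cbc_sha",
    "rsa_aes_128_cbc_sha256", "rsa_aes_256_cbc_sha256",
    "ecdhe_rsa_aes_128_cbc_sha256", "ecdhe_rsa_aes_256_cbc_sha384",
    "ecdhe_rsa_aes_128_gcm_sha256", "ecdhe_rsa_aes_256_gcm_sha384",
    "ecdhe_ecdsa_aes_128_cbc_sha256", "ecdhe_ecdsa_aes_256_cbc_sha384",
    "ecdhe_ecdsa_aes_128_gcm_sha256", "ecdhe_ecdsa_aes_256_gcm_sha384",
})

# Protocol versions as named by the ssl version ... disable command, oldest first.
VERSIONS = ["ssl3.0", "tls1.0", "tls1.1", "tls1.2"]

KEYWORD_RE = re.compile(
    r"^(?P<kx>exp_rsa|ecdhe_ecdsa|ecdhe_rsa|dhe_rsa|rsa)_"
    r"(?P<cipher>aes_128|aes_256|3des_ede|des|rc4_128|rc4|rc2)"
    r"(?:_(?P<mode>cbc|gcm))?_"
    r"(?P<mac>md5|sha256|sha384|sha)$"
)
CIPHER_NAMES = {
    "aes_128": "128-bit AES", "aes_256": "256-bit AES", "3des_ede": "3DES EDE",
    "des": "DES", "rc4_128": "128-bit RC4", "rc4": "RC4", "rc2": "RC2",
}
MAC_NAMES = {"sha": "SHA1", "sha256": "SHA256", "sha384": "SHA384", "md5": "MD5"}


def describe(keyword):
    """Split a keyword into the key exchange, encryption and MAC algorithm it names."""
    m = KEYWORD_RE.match(keyword)
    if not m:
        raise ValueError(f"unrecognised cipher-suite keyword: {keyword}")
    kx = m["kx"].upper().replace("_", " ")            # e.g. "ECDHE ECDSA"
    enc = CIPHER_NAMES[m["cipher"]]
    if m["mode"]:
        enc += " " + m["mode"].upper()                # e.g. "128-bit AES CBC"
    mac = MAC_NAMES[m["mac"]]
    # SHA-256/SHA-384 HMAC suites and AES-GCM suites exist only from TLS 1.2 on
    # (RFC 5246, RFC 5288); general TLS knowledge, not a statement from the note.
    needs_tls12 = (m["mode"] == "gcm") or mac in ("SHA256", "SHA384")
    min_version = "tls1.2" if needs_tls12 else "ssl3.0"
    legacy = (m["kx"] == "exp_rsa" or m["cipher"] in ("des", "rc2", "rc4", "rc4_128")
              or mac == "MD5")
    return {"key_exchange": kx, "encryption": enc, "mac": mac,
            "min_version": min_version, "legacy": legacy}


def audit(suites, enabled_versions, fips_mode=False):
    """Check a configured suite list against the protocol versions left enabled.

    Returns (negotiable, findings): suites that can still be negotiated, in the
    configured order, and (keyword, reason) pairs for rejected or legacy suites.
    """
    newest = max(VERSIONS.index(v) for v in enabled_versions)
    negotiable, findings = [], []
    for kw in suites:
        d = describe(kw)
        if fips_mode and kw not in FIPS_SUITES:
            findings.append((kw, "not accepted by ciphersuite in FIPS mode"))
            continue
        if VERSIONS.index(d["min_version"]) > newest:
            findings.append((kw, f"needs {d['min_version']}, which is disabled"))
            continue
        if d["legacy"]:
            findings.append((kw, f"legacy suite: {d['key_exchange']} / {d['encryption']} / {d['mac']}"))
        negotiable.append(kw)
    return negotiable, findings


if __name__ == "__main__":
    # Constructed policy: two TLS 1.2 suites plus one export suite from the old syntax.
    policy = ["ecdhe_ecdsa_aes_256_gcm_sha384", "rsa_aes_128_cbc_sha256", "exp_rsa_rc4_md5"]
    print(audit(policy, enabled_versions=["tls1.0", "tls1.1"]))  # only the export suite survives
    print(audit(policy, enabled_versions=["tls1.2"], fips_mode=True))
```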
New feature: FIPS support for Suite B
Configuring Suite B in FIPS
Suite B contains a set of encryption and authentication algorithms that meet high security requirements.
In this software version, new FIPS commands were added to support Suite B.
Command reference
New command: fips rng random size filename
Use fips rng random size filename to generate a random number and save it to a file.
Syntax
fips rng random size random-size filename filename
Views
Probe view
Predefined user roles
network-admin
Parameters
random-size: Specifies the random number size in the range of 1 to 1000000 bytes.
filename: Specifies the name of the file to save the random number. The file name is a case-insensitive string.
Usage guidelines
Use this command in FIPS mode to generate a random number and save it to a file.
Examples
# Generate a 100000-byte random number and save it to a file named out.bin.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips rng random size 100000 filename out.bin
Generating random number. Please wait...
Random number saved to file successfully.
New command: fips rng random size round rate-statistics
Use fips rng random size round rate-statistics to calculate the average rate at which random numbers are generated.
Syntax
fips rng random size random-size round round rate-statistics
Views
Probe view
Predefined user roles
network-admin
Parameters
random-size: Specifies the random number size in the range of 1 to 1000000 bytes.
round: Specifies the number of random number generations, in the range of 3 to 10.
Usage guidelines
Use this command in FIPS mode to calculate the average rate at which random numbers are generated.
Examples
# Generate five 100000-byte random numbers and calculate the average rate at which the random numbers are generated.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips rng random size 100000 round 5 rate-statistics
Random number generated successfully.
Rate: 5000 bytes/s
Rate: 5100 bytes/s
Rate: 4900 bytes/s
Rate: 4800 bytes/s
Rate: 52000 bytes/s
Average rate: 5000 bytes/s
New command: fips rng entropy size filename
Use fips rng entropy size filename to generate a random number entropy and save it to a file.
Syntax
fips rng entropy size entropy-size filename filename
Views
Probe view
Predefined user roles
network-admin
Parameters
entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.
filename: Specifies the name of the file to save the random number entropy. The file name is a case-insensitive string.
Usage guidelines
Use this command in FIPS mode to generate a random number entropy and save it to a file.
Examples
# Generate a 100000-byte random number entropy and save it to a file named out.bin.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips rng entropy size 100000 filename out.bin
Generating random number entropy. Please wait...
Entropy saved to file successfully.
New command: fips rng entropy size round rate-statistics
Use fips rng entropy size round rate-statistics to calculate the average rate at which random number entropies are generated.
Syntax
fips rng entropy size entropy-size round round rate-statistics
Views
Probe view
Predefined user roles
network-admin
Parameters
entropy-size: Specifies the random number entropy size in the range of 1 to 1000000 bytes.
round: Specifies the number of random number entropy generations, in the range of 3 to 10.
Usage guidelines
Use this command in FIPS mode to calculate the average rate at which random number entropies are generated.
Examples
# Generate five 100000-byte random number entropies and calculate the average rate at which the random number entropies are generated.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips rng entropy size 100000 round 5 rate-statistics
Entropy generated successfully.
Rate: 5000 bytes/s
Rate: 5100 bytes/s
Rate: 4900 bytes/s
Rate: 4800 bytes/s
Rate: 52000 bytes/s
Average rate: 5000 bytes/s
New command: fips kdf
Use fips kdf to derive a key from an import file and save it to an export file.
Syntax
fips kdf { ikev1 { dsa | psk } | ikev2 | tls } import inputfile export outputfile
Views
Probe view
Predefined user roles
network-admin
Usage guidelines
Use this command in FIPS mode to derive a key so that a third party can determine whether the key meets the CC/FIPS authentication requirements.
Examples
# Derive an ikev1 pre-shared key from an import file named ikev1_psk.req and save the key to an export file named ikev1_psk.rsp.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips kdf ikev1 psk import ikev1_psk.req export ikev1_psk.rsp
New command: fips algorithm verify param
Use fips algorithm verify param to execute an algorithm test vector and generate a result file.
Syntax
fips algorithm verify param param
Views
System view
Predefined user roles
network-admin
Usage guidelines
Use this command in FIPS mode to execute an algorithm test vector and generate a result file so that a third party can verify the result.
Examples
# Execute the DSA2 test vector in a file named 01-HP-MPC8544/DSA2/req/PQGGen.req, and generate a result file named 01-HP-MPC8544/DSA2/resp/PQGGen.rsp.
<Sysname> system-view
[Sysname] fips algorithm verify fips_dssvs pqg 01-HP-MPC8544/DSA2/req/PQGGen.req 01-HP-MPC8544/DSA2/resp/PQGGen.rsp
Modified command: fips self-test
Syntax
fips self-test
Views
System view
Change description
Self-tests were added for the following algorithms:
3DES.
ECDH.
Random number generator (RNG).
GCM.
GMAC.
New feature: SSH support for Suite B
Configuring SSH based on Suite B algorithms
Suite B contains a set of encryption and authentication algorithms that meet high security requirements. Table 2 lists all algorithms in Suite B.
The SSH server and client support using the X.509v3 certificate for identity authentication in compliance with the algorithm, negotiation, and authentication specifications defined in RFC 6239.
Table 2 Suite B algorithms
Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm
128-bit | ecdh-sha2-nistp256 | AEAD_AES_128_GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
192-bit | ecdh-sha2-nistp384 | AEAD_AES_256_GCM | x509v3-ecdsa-sha2-nistp384
Both | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AEAD_AES_128_GCM, AEAD_AES_256_GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
Specifying a PKI domain for the SSH server
The PKI domain specified for the SSH server has the following functions:
The SSH server uses the PKI domain to send its certificate to the client in the key exchange stage.
The SSH server uses the PKI domain to authenticate the client's certificate if no PKI domain is specified for the client authentication by using the ssh user command.
To specify a PKI domain for the SSH server:
Step 99. Enter system view.
Command: system-view
Remarks: N/A
Step 100. Specify a PKI domain for the SSH server.
Command: ssh server pki-domain domain-name
Remarks: By default, no PKI domain is specified for the SSH server.
Establishing a connection to an Stelnet server based on Suite B
Task: Establish a connection to an Stelnet server based on Suite B.
Command:
Establish a connection to an IPv4 Stelnet server based on Suite B:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ] *
Establish a connection to an IPv6 Stelnet server based on Suite B:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Remarks:
Available in user view.
The client cannot establish connections to both IPv4 and IPv6 Stelnet servers.
Establishing a connection to an SFTP server based on Suite B
Task: Establish a connection to an SFTP server based on Suite B.
Command:
Establish a connection to an IPv4 SFTP server based on Suite B:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ip ip-address } ] *
Establish a connection to an IPv6 SFTP server based on Suite B:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Remarks:
Available in user view.
The client cannot establish connections to both IPv4 and IPv6 SFTP servers.
Establishing a connection to an SCP server based on Suite B
Task: Establish a connection to an SCP server based on Suite B.
Command:
Establish a connection to an IPv4 SCP server based on Suite B:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ] *
Establish a connection to an IPv6 SCP server based on Suite B:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Remarks:
Available in user view.
The client cannot establish connections to both IPv4 and IPv6 SCP servers.
Specifying algorithms for SSH2
Perform this task to specify the following types of algorithms that the SSH2 client and server use for algorithm negotiation during the Stelnet, SFTP, or SCP session establishment:
Key exchange algorithms.
Public key algorithms.
Encryption algorithms.
MAC algorithms.
If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The client uses the specified algorithms to initiate the negotiation, and the server uses the matching algorithms to negotiate with the client.
If multiple algorithms of the same type are specified, the algorithm specified earlier has a higher priority during negotiation.
Specifying key exchange algorithms for SSH2
Step 101. Enter system view.
Command: system-view
Remarks: N/A
Step 102. Specify key exchange algorithms for SSH2.
Command:
In non-FIPS mode:
ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
In FIPS mode:
ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
Remarks: By default, SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority for algorithm negotiation.
Specifying public key algorithms for SSH2
Step 103. Enter system view.
Command: system-view
Remarks: N/A
Step 104. Specify public key algorithms for SSH2.
Command:
In non-FIPS mode:
ssh2 algorithm public-key { dsa | ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *
In FIPS mode:
ssh2 algorithm public-key { ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *
Remarks: By default, SSH2 uses the public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, ecdsa, rsa, and dsa in descending order of priority for algorithm negotiation.
Specifying encryption algorithms for SSH2
Step 105. Enter system view.
Command: system-view
Remarks: N/A
Step 106. Specify encryption algorithms for SSH2.
Command:
In non-FIPS mode:
ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *
In FIPS mode:
ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *
Remarks: By default, SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for algorithm negotiation.
Specifying MAC algorithms for SSH2
Step 107. Enter system view.
Command: system-view
Remarks: N/A
Step 108. Specify MAC algorithms for SSH2.
Command:
In non-FIPS mode:
ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *
In FIPS mode:
ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *
Remarks: By default, SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 in descending order of priority for algorithm negotiation.
Command reference
New command: display ssh2 algorithm
Use display ssh2 algorithm to display algorithms used by SSH2 in the algorithm negotiation stage.
Syntax
display ssh2 algorithm
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display algorithms used by SSH2 in the algorithm negotiation stage.
<Sysname> display ssh2 algorithm
Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1 dh-group14-sha1 dh-group1-sha1
Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa rsa dsa
Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm aes128-cbc 3des-cbc aes256-cbc des-cbc
MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96
Table 3 Command output
Field | Description
Key exchange algorithms | Key exchange algorithms in descending order of priority for algorithm negotiation.
Public key algorithms | Public key algorithms in descending order of priority for algorithm negotiation.
Encryption algorithms | Encryption algorithms in descending order of priority for algorithm negotiation.
MAC algorithms | MAC algorithms in descending order of priority for algorithm negotiation.
Related commands
ssh2 algorithm cipher
ssh2 algorithm key-exchange
ssh2 algorithm mac
ssh2 algorithm public-key
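As an added example (not HPE code), the following Python parses the display ssh2 algorithm output shown above into the four ssh2 algorithm lists and models negotiation with the priority rule the page gives for the ssh2 algorithm commands: the first algorithm on the client's list that the server also supports is chosen. The Suite B lists come from Table 2; mapping its AEAD_AES_128_GCM / AEAD_AES_256_GCM to the aes128-gcm / aes256-gcm keywords, and the set of legacy algorithms flagged, are this example's own assumptions.

```python
"""Model SSH2 algorithm negotiation against the ssh2 algorithm settings above.

Added example, not HPE code. Negotiation applies the rule stated on the page
(an algorithm listed earlier has higher priority) as RFC 4253 section 7.1 does:
the first algorithm on the client's list that the server also supports wins.
"""

# display ssh2 algorithm output with factory defaults, copied from the page.
DISPLAY_OUTPUT = """\
Key exchange algorithms : ecdh-sha2-nistp256 ecdh-sha2-nistp384 dh-group-exchange-sha1 dh-group14-sha1 dh-group1-sha1
Public key algorithms : x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384 ecdsa rsa dsa
Encryption algorithms : aes128-ctr aes192-ctr aes256-ctr aes128-gcm aes256-gcm aes128-cbc 3des-cbc aes256-cbc des-cbc
MAC algorithms : sha2-256 sha2-512 sha1 md5 sha1-96 md5-96
"""

# Output field -> ssh2 algorithm subcommand that configures that list.
FIELDS = {
    "Key exchange algorithms": "key-exchange",
    "Public key algorithms": "public-key",
    "Encryption algorithms": "cipher",
    "MAC algorithms": "mac",
}

# Suite B per Table 2, written with ssh2 algorithm keywords. Treating aes128-gcm /
# aes256-gcm as the AEAD_AES_128_GCM / AEAD_AES_256_GCM of the table is an assumption.
SUITE_B = {
    "128-bit": {"key-exchange": ["ecdh-sha2-nistp256"],
                "cipher": ["aes128-gcm"],
                "public-key": ["x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384"]},
    "192-bit": {"key-exchange": ["ecdh-sha2-nistp384"],
                "cipher": ["aes256-gcm"],
                "public-key": ["x509v3-ecdsa-sha2-nistp384"]},
}
SUITE_B["both"] = {
    kind: SUITE_B["128-bit"][kind]
    + [a for a in SUITE_B["192-bit"][kind] if a not in SUITE_B["128-bit"][kind]]
    for kind in SUITE_B["128-bit"]
}

# Legacy choices a defender would not want to see negotiated (this example's own
# judgement: 1024-bit DH group, 64-bit block ciphers, MD5 and truncated MACs).
WEAK = frozenset({"dh-group1-sha1", "des-cbc", "3des-cbc", "md5", "md5-96", "sha1-96"})


def parse_display(text):
    """Parse display ssh2 algorithm output into {subcommand: [algorithms by priority]}."""
    lists = {}
    for line in text.splitlines():
        field, _, algorithms = line.partition(":")
        kind = FIELDS.get(field.strip())
        if kind:
            lists[kind] = algorithms.split()
    return lists


def negotiate(client, server):
    """Choose, per algorithm type, the first client algorithm the server supports.

    A type with no common algorithm maps to None; in a real session the
    connection fails at that point.
    """
    return {kind: next((a for a in client_list if a in server.get(kind, [])), None)
            for kind, client_list in client.items()}


def weak_choices(chosen):
    """Negotiated algorithms that fall in the legacy set, sorted for stable output."""
    return sorted(a for a in chosen.values() if a in WEAK)


def hardened_server():
    """Server lists restricted to Suite B plus the FIPS-mode SHA-2 MACs from the page."""
    return dict(SUITE_B["both"], mac=["sha2-256", "sha2-512"])


if __name__ == "__main__":
    defaults = parse_display(DISPLAY_OUTPUT)
    # A 192-bit Suite B client against a default server settles on the P-384 set.
    print(negotiate(SUITE_B["192-bit"], defaults))
    # Constructed legacy client: the default server still lets it pick weak algorithms.
    legacy = {"key-exchange": ["dh-group1-sha1"], "public-key": ["rsa"],
              "cipher": ["des-cbc"], "mac": ["md5"]}
    print(weak_choices(negotiate(legacy, defaults)))
    # After ssh2 algorithm ... restricts the server, the same client cannot connect.
    print(negotiate(legacy, hardened_server()))
```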
New command: ssh server pki-domain
Use ssh server pki-domain to specify a PKI domain for the SSH server.
Use undo ssh server pki-domain to delete the PKI domain of the SSH server.
Syntax
ssh server pki-domain domain-name
undo ssh server pki-domain
Default
No PKI domain is specified for an SSH server.
Views
System view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 4.
Table 4 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
Examples
# Specify the PKI domain serverpkidomain for the SSH server.
<Sysname> system-view
[Sysname] ssh server pki-domain serverpkidomain
New command: scp ipv6 suite-b
Use scp ipv6 suite-b to establish a connection to an IPv6 SCP server based on Suite B algorithms and transfer files with the server.
Syntax
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number for SCP packets. Specify this option when the server uses a link-local address to provide the SCP service for the client. The specified output interface on the SCP client must have a link-local address.
get: Downloads the file.
put: Uploads the file.
source-file-name: Specifies the name of the source file.
destination-file-name: Specifies the name of the target file. If you do not specify this argument, the target file uses the same file name as the source file.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see Table 6.
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 5.
Table 5 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 5.
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
source: Specifies a source IPv6 address or source interface for IPv6 SCP packets. By default, the device automatically selects a source address for IPv6 SCP packets in compliance with RFC 3484.
For successful SCP connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv6 address of the loopback interface as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address of the IPv6 SCP packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
Table 6 Suite B algorithms
Security level | Key exchange algorithm | Encryption algorithm and HMAC algorithm | Public key algorithm
128-bit | ecdh-sha2-nistp256 | AEAD_AES_128_GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
192-bit | ecdh-sha2-nistp384 | AEAD_AES_256_GCM | x509v3-ecdsa-sha2-nistp384
Both | ecdh-sha2-nistp256, ecdh-sha2-nistp384 | AEAD_AES_128_GCM, AEAD_AES_256_GCM | x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384
If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Use the 192-bit Suite B algorithms to establish a connection to the SCP server 2000::1 and download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> scp ipv6 2000::1 get abc.txt suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain
New command: scp suite-b
Use scp suite-b to establish a connection to an SCP server based on Suite B algorithms and transfer files with the server.
Syntax
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
get: Downloads the file.
put: Uploads the file.
source-file-name: Specifies the name of the source file.
destination-file-name: Specifies the name of the target file. If you do not specify this argument, the target file uses the same file name as the source file.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 7.
Table 7 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 7.
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
source: Specifies a source IP address or source interface for SCP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SCP packets. For successful SCP connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv4 address of the loopback interface as the source IPv4 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The IPv4 address of this interface is the source IPv4 address of the SCP packets.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to the SCP server 200.1.1.1 and download the file abc.txt from the server. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> scp 200.1.1.1 get abc.txt suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain
New command: sftp ipv6 suite-b
Use sftp ipv6 suite-b to establish a connection to an IPv6 SFTP server based on Suite B algorithms and enter SFTP client view.
Syntax
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SFTP packets. Specify this option when the server uses a link-local address to provide the SFTP service for the client. The specified output interface on the SFTP client must have a link-local address.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 8.
Table 8 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 8 .
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.
source: Specifies a source IP address or source interface for IPv6 SFTP packets. By default, the device automatically selects a source address for IPv6 SFTP packets in compliance with RFC 3484.
For successful IPv6 SFTP connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv6 address of the loopback interface as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The
IPv6 address of this interface is the source IP address of the IPv6 SFTP packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's PKI domain on the client by using the server-pki-domain domain-name option. The client uses the CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Use the 192-bit Suite B algorithms to establish a connection to the SFTP server 2000::1. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> sftp ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain
New command: sftp suite-b
Use sftp suite-b to establish a connection to an IPv4 SFTP server based on Suite B algorithms and enter SFTP client view.
Syntax
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 9.
Table 9 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 9 .
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.
source: Specifies a source IP address or source interface for the SFTP packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of SFTP packets. For successful SFTP connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv4 address of the loopback interface as the source IPv4 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IPv4 address of the SFTP packets.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to the SFTP server 10.1.1.2. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain
New command: ssh2 ipv6 suite-b
Use ssh2 ipv6 suite-b to establish a connection to an IPv6 Stelnet server based on Suite B algorithms.
Syntax
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ -i interface-type interface-number ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
-i interface-type interface-number: Specifies an output interface by its type and number for IPv6 SSH packets. Specify this option when the server uses a link-local address to provide the Stelnet service for the client. The specified output interface on the Stelnet client must have a link-local address.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 10.
Table 10 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 10 .
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv6 SSH packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.
escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).
source: Specifies a source IP address or source interface for IPv6 SSH packets. By default, the device automatically selects a source address for IPv6 SSH packets in compliance with RFC 3484.
For successful IPv6 Stelnet connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv6 address of the loopback interface as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The
IPv6 address of this interface is the source IP address of the IPv6 SSH packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.
For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line. HPE recommends that you use the default escape character (~). Do not use any character in
SSH usernames as the escape character.
Examples
# Use the 192-bit Suite B algorithms to establish a connection to the Stelnet server 2000::1. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> ssh2 ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain
New command: ssh2 suite-b
Use ssh2 suite-b to establish a connection to an IPv4 Stelnet server based on Suite B algorithms.
Syntax
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] suite-b [ 128-bit | 192-bit ] pki-domain domain-name [ server-pki-domain domain-name ] [ prefer-compress zlib ] [ dscp dscp-value | escape character | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Predefined user roles
network-admin
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 253 characters.
port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the server belongs.
The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to
31 characters.
suite-b: Specifies the Suite B algorithms. If neither the 128-bit keyword nor the 192-bit keyword is specified, all algorithms in Suite B are used. For more information about the Suite B algorithms, see
128-bit: Specifies the 128-bit Suite B security level.
192-bit: Specifies the 192-bit Suite B security level.
pki-domain domain-name: Specifies the PKI domain of the client's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters, excluding the characters listed in Table 11.
Table 11 Invalid characters for a PKI domain name
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters, excluding the characters listed in Table 11 .
prefer-compress: Specifies the preferred compression algorithm for data compression between the server and the client. By default, compression is not supported.
zlib: Specifies the compression algorithm zlib.
dscp dscp-value: Specifies the DSCP value in the IPv4 SSH packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the transmission priority of the packet.
escape character: Specifies a case-sensitive escape character. By default, the escape character is a tilde (~).
source: Specifies a source IP address or source interface for SSH packets. By default, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of
SSH packets. For successful Stelnet connections, use one of the following methods:
Specify the loopback interface as the source interface.
Specify the IPv4 address of the loopback interface as the source IPv4 address.
interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IPv4 address of the SSH packets.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need to save the server's public key before authentication. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
The combination of an escape character and a dot (.) works as an escape sequence. This escape sequence is typically used to quickly terminate an SSH connection when the server reboots or malfunctions.
For the escape sequence to take effect, you must enter it at the very beginning of a line. If you have entered other characters or performed operations in a line, enter the escape sequence in the next line. HPE recommends that you use the default escape character (~). Do not use any character in SSH usernames as the escape character.
Examples
# Use the 128-bit Suite B algorithms to establish a connection to the SFTP server 3.3.3.3. Specify the client's PKI domain and the server's PKI domain as clientpkidomain and serverpkidomain, respectively.
<Sysname> ssh2 3.3.3.3 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain
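The following Python pre-flight check is an added example (not HPE code) for the Suite B client commands described above (scp, sftp and ssh2, with or without ipv6). It applies the rules the command descriptions give: PKI domain names are 1 to 31 characters without the characters of Tables 8 to 11, and an omitted server-pki-domain means the server's certificate is verified with the client's own PKI domain; the sample command lines are constructed, the first two copied from the examples above.

```python
"""Pre-flight check for the Suite B client commands in these release notes
(scp / sftp / ssh2, with or without ipv6). Added example, not HPE code.

Rules are taken from the command descriptions above: a PKI domain name is
1 to 31 characters and may not contain ~ * \\ | : . < > " '; the suite-b
level is 128-bit or 192-bit (none given = all Suite B algorithms); when
server-pki-domain is omitted the client verifies the server's certificate
with the CA certificate of its own PKI domain."""

# Table 8 to Table 11 list the same ten characters.
INVALID_PKI_CHARS = set('~*\\|:.<>"\'')
SUITE_B_LEVELS = ("128-bit", "192-bit")


def check_pki_domain(name):
    """Return the problems with one PKI domain name (empty list = acceptable)."""
    problems = []
    if not 1 <= len(name) <= 31:
        problems.append("length %d is not in 1..31" % len(name))
    bad = sorted(set(name) & INVALID_PKI_CHARS)
    if bad:
        problems.append("invalid characters: " + " ".join(bad))
    return problems


def parse_suite_b_command(line):
    """Pull the fields this check needs out of one client command line.

    Keyword positions follow the Syntax sections: 'suite-b' may be followed
    by a level, 'pki-domain' and 'server-pki-domain' are each followed by a
    domain name. Every other option is ignored."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("scp", "sftp", "ssh2"):
        raise ValueError("not an scp/sftp/ssh2 client command: " + line)
    if "suite-b" not in tokens:
        raise ValueError("suite-b keyword missing: " + line)
    ipv6 = tokens[1] == "ipv6"
    cmd = {"command": tokens[0], "ipv6": ipv6,
           "server": tokens[2] if ipv6 else tokens[1],
           "level": None, "pki_domain": None, "server_pki_domain": None}
    nxt = tokens.index("suite-b") + 1
    if nxt < len(tokens) and tokens[nxt] in SUITE_B_LEVELS:
        cmd["level"] = tokens[nxt]
    for keyword, field in (("pki-domain", "pki_domain"),
                           ("server-pki-domain", "server_pki_domain")):
        if keyword in tokens and tokens.index(keyword) + 1 < len(tokens):
            cmd[field] = tokens[tokens.index(keyword) + 1]
    return cmd


def lint_suite_b_command(line):
    """Return the findings for one command line; an empty list means it passes."""
    cmd = parse_suite_b_command(line)
    findings = []
    if cmd["pki_domain"] is None:
        findings.append("pki-domain is mandatory with suite-b")
    else:
        findings += ["pki-domain: " + p for p in check_pki_domain(cmd["pki_domain"])]
    if cmd["server_pki_domain"] is None:
        findings.append("server-pki-domain omitted: the server certificate will be "
                        "verified with the CA of the client's own PKI domain")
    else:
        findings += ["server-pki-domain: " + p
                     for p in check_pki_domain(cmd["server_pki_domain"])]
    if cmd["level"] is None:
        findings.append("no 128-bit/192-bit level: all Suite B algorithms allowed")
    return findings


# Constructed sample lines: the first two mirror the examples in the notes.
SAMPLE_COMMANDS = [
    "ssh2 ipv6 2000::1 suite-b 192-bit pki-domain clientpkidomain server-pki-domain serverpkidomain",
    "sftp 10.1.1.2 suite-b 128-bit pki-domain clientpkidomain server-pki-domain serverpkidomain",
    "scp 200.1.1.1 get abc.txt suite-b pki-domain client:pki server-pki-domain serverpkidomain",
]

if __name__ == "__main__":
    for cmd_line in SAMPLE_COMMANDS:
        print(cmd_line)
        for finding in lint_suite_b_command(cmd_line) or ["ok"]:
            print("  -", finding)
```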
New command: ssh2 algorithm cipher
Use ssh2 algorithm cipher to specify encryption algorithms for SSH2.
Use undo ssh2 algorithm cipher to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *
undo ssh2 algorithm cipher
In FIPS mode:
ssh2 algorithm cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } *
undo ssh2 algorithm cipher
Default
SSH2 uses the encryption algorithms aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm,
aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc in descending order of priority for algorithm negotiation.
Views
System view
Predefined user roles
network-admin
Parameters
3des-cbc: Specifies the encryption algorithm 3des-cbc. Support for this keyword depends on the device model.
aes128-cbc: Specifies the encryption algorithm aes128-cbc.
aes256-cbc: Specifies the encryption algorithm aes256-cbc.
des-cbc: Specifies the encryption algorithm des-cbc.
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Usage guidelines
If you specify the encryption algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.
Examples
# Specify the algorithm 3des-cbc as the encryption algorithm for SSH2.
<Sysname> system-view
[Sysname] ssh2 algorithm cipher 3des-cbc
Related commands
display ssh2 algorithm
ssh2 algorithm key-exchange
ssh2 algorithm mac
ssh2 algorithm public-key
New command: ssh2 algorithm key-exchange
Use ssh2 algorithm key-exchange to specify key exchange algorithms for SSH2.
Use undo ssh2 algorithm key-exchange to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
undo ssh2 algorithm key-exchange
In FIPS mode:
ssh2 algorithm key-exchange { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *
undo ssh2 algorithm key-exchange
Default
SSH2 uses the key exchange algorithms ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 in descending order of priority for algorithm negotiation.
Views
System view
Predefined user roles
network-admin
Parameters
dh-group-exchange-sha1: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.
dh-group1-sha1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
dh-group14-sha1: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
Usage guidelines
If you specify the key exchange algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.
Examples
# Specify the algorithm dh-group1-sha1 as the key exchange algorithm for SSH2.
<Sysname> system-view
[Sysname] ssh2 algorithm key-exchange dh-group1-sha1
Related commands
display ssh2 algorithm
ssh2 algorithm cipher
ssh2 algorithm mac
ssh2 algorithm public-key
New command: ssh2 algorithm mac
Use ssh2 algorithm mac to specify MAC algorithms for SSH2.
Use undo ssh2 algorithm mac to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *
undo ssh2 algorithm mac
In FIPS mode:
ssh2 algorithm mac { sha1 | sha1-96 | sha2-256 | sha2-512 } *
undo ssh2 algorithm mac
Default
SSH2 uses the MAC algorithms sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 in descending order of priority for algorithm negotiation.
Views
System view
Predefined user roles
network-admin
Parameters
md5: Specifies the HMAC algorithm hmac-md5.
md5-96: Specifies the HMAC algorithm hmac-md5-96.
sha1: Specifies the HMAC algorithm hmac-sha1.
sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
sha2-256: Specifies the HMAC algorithm hmac-sha2-256.
sha2-512: Specifies the HMAC algorithm hmac-sha2-512.
Usage guidelines
If you specify the MAC algorithms, SSH2 uses only the specified algorithms for algorithm negotiation.
The algorithm specified earlier has a higher priority during negotiation.
Examples
# Specify the algorithm md5 as the MAC algorithm for SSH2.
<Sysname> system-view
[Sysname] ssh2 algorithm mac md5
Related commands
display ssh2 algorithm
ssh2 algorithm cipher
ssh2 algorithm key-exchange
ssh2 algorithm public-key
New command: ssh2 algorithm public-key
Use ssh2 algorithm public-key to specify public key algorithms for SSH2.
Use undo ssh2 algorithm public-key to restore the default.
Syntax
In non-FIPS mode:
ssh2 algorithm public-key { dsa | ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *
undo ssh2 algorithm public-key
In FIPS mode:
ssh2 algorithm public-key { ecdsa | rsa | x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } *
undo ssh2 algorithm public-key
Default
SSH2 uses the public key algorithms x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384,
ecdsa, rsa, and dsa in descending order of priority for algorithm negotiation.
Views
System view
Predefined user roles
network-admin
Parameters
dsa: Specifies the public key algorithm dsa.
ecdsa: Specifies the public key algorithm ecdsa.
rsa: Specifies the public key algorithm rsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
Usage guidelines
If you specify the public key algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The algorithm specified earlier has a higher priority during negotiation.
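The usage guidelines of the four ssh2 algorithm commands all state the same rule: only the configured algorithms are offered, in the order given. The following Python model is an added example (not HPE code) that applies such configuration lines to the default priority lists copied from the Default sections above and runs the SSH2 negotiation of RFC 4253 section 7.1 against a constructed peer; it also goes beyond the text by showing that the device's own order decides the outcome only when the device is the client. The WEAK set and the peer's preference lists are this example's assumptions.

```python
"""Model of SSH2 algorithm negotiation for the ssh2 algorithm cipher /
key-exchange / mac / public-key commands above. Added example, not HPE code.

The default priority lists are copied from the commands' Default sections.
The selection rule is RFC 4253 section 7.1: the first algorithm in the
client's list that the server also offers is chosen, so the device's own
order decides only when the device is the SSH client; when it is the server,
the peer's order decides and the device's list acts as a filter. The WEAK set
is this example's own audit judgement, not something the notes state."""

DEFAULTS = {
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm", "aes256-gcm",
               "aes128-cbc", "3des-cbc", "aes256-cbc", "des-cbc"],
    "key-exchange": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                     "dh-group-exchange-sha1", "dh-group14-sha1", "dh-group1-sha1"],
    "mac": ["sha2-256", "sha2-512", "sha1", "md5", "sha1-96", "md5-96"],
    "public-key": ["x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384",
                   "ecdsa", "rsa", "dsa"],
}

# Assumed weak set for the audit (example's choice): single DES, 3DES, MD5 and
# the truncated MACs, the 1024-bit DH group 1 exchange, and DSA host/user keys.
WEAK = {"des-cbc", "3des-cbc", "md5", "md5-96", "sha1-96", "dh-group1-sha1", "dsa"}


def device_lists(config_lines):
    """Apply 'ssh2 algorithm <type> ...' lines from a running-config to the
    defaults. The order given is the priority order; 'undo ssh2 algorithm
    <type>' restores that type's default, as the commands document."""
    lists = {kind: list(algs) for kind, algs in DEFAULTS.items()}
    for raw in config_lines:
        tokens = raw.split()
        if tokens[:3] == ["undo", "ssh2", "algorithm"] and len(tokens) == 4:
            if tokens[3] in lists:
                lists[tokens[3]] = list(DEFAULTS[tokens[3]])
        elif tokens[:2] == ["ssh2", "algorithm"] and len(tokens) > 3:
            if tokens[2] in lists:
                lists[tokens[2]] = tokens[3:]
    return lists


def negotiate(client_list, server_list):
    """RFC 4253 7.1: first entry of the client's list present in the server's."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None  # no common algorithm: the connection fails


def audit(config_lines, peer_lists, device_role="server"):
    """Negotiate every algorithm type between the device (configured by
    config_lines) and a peer; return {type: (chosen, is_weak)}."""
    device = device_lists(config_lines)
    outcome = {}
    for kind, dev_list in device.items():
        peer = peer_lists.get(kind, [])
        if device_role == "client":
            chosen = negotiate(dev_list, peer)
        else:
            chosen = negotiate(peer, dev_list)
        outcome[kind] = (chosen, chosen in WEAK if chosen else None)
    return outcome


# Constructed running-config: the two command examples above, applied together.
SAMPLE_CONFIG = ["ssh2 algorithm cipher 3des-cbc", "ssh2 algorithm mac md5"]

# Constructed preference lists of a peer (an OpenSSH-style client or server).
SAMPLE_PEER = {
    "cipher": ["aes256-gcm", "aes128-ctr", "3des-cbc"],
    "key-exchange": ["ecdh-sha2-nistp384", "dh-group14-sha1"],
    "mac": ["sha2-256", "md5"],
    "public-key": ["rsa", "ecdsa"],
}

if __name__ == "__main__":
    for role in ("server", "client"):
        print("device as", role)
        for kind, (chosen, weak) in audit(SAMPLE_CONFIG, SAMPLE_PEER, role).items():
            print("  %-13s %-22s %s" % (kind, chosen, "WEAK" if weak else ""))
```

With the sample config the peer is forced onto 3des-cbc and hmac-md5 whichever role the device plays, which is the audit point: restricting the lists is what makes the configured order matter.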
Examples
# Specify the algorithm dsa as the public key algorithm for SSH2.
<Sysname> system-view
[Sysname] ssh2 algorithm public-key dsa
Related commands
display ssh2 algorithm
ssh2 algorithm cipher
ssh2 algorithm key-exchange
ssh2 algorithm mac
Modified command: display ssh server
Syntax
display ssh server { session | status }
Views
Any view
Change description
In the command output, the SSH Server PKI domain name field was added to represent the PKI domain of the SSH server.
Modified command: ssh user
Old syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } }
undo ssh user username
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey assign { pki-domain domain-name | publickey keyname } }
undo ssh user username
New syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname } ] }
undo ssh user username
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey [ assign { pki-domain domain-name | publickey keyname } ] }
undo ssh user username
Views
System view
Change description
Before modification: The options assign { pki-domain domain-name | publickey keyname } are required for verifying the client.
After modification: The options assign { pki-domain domain-name | publickey keyname } are optional for verifying the client.
Modified command: scp
Old syntax
In non-FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
In FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *
New syntax
In non-FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *
In FIPS mode:
scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ip ip-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Colon                 :
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: scp ipv6
Old syntax
In non-FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
New syntax
In non-FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { ecdsa | rsa
| { x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type
interface-number | ipv6 ipv6-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Colon                 :
Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: sftp
Old syntax
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |
prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac
{ md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 |
sha1-96 } ] * [ dscp dscp-value | publickey keyname | source { interface interface-type
interface-number | ip ip-address} ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa |
prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 |
sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac
{ sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip
ip-address } ] *
New syntax
In non-FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa |
{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |
aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 |
md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } ] * [ dscp dscp-value | { public-key keyname | server-pki-domain
domain-name } | source { interface interface-type interface-number | ip ip-address } ] *
In FIPS mode:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa | rsa |
{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ { public-key keyname | server-pki-domain domain-name } | source { interface interface-type
interface-number | ip ip-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Colon                 :
Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: sftp ipv6
Old syntax
In non-FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des |
aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex
{ dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 |
des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | publickey
keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 |
aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ publickey keyname | source
{ interface interface-type interface-number | ipv6 ipv6-address } ] *
New syntax
In non-FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 |
dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc |
aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm |
aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ dscp dscp-value | { public-key keyname | server-pki-domain domain-name } | source { interface
interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } |
prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher
{ aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } |
prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type interface-number | ipv6
ipv6-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Colon                 :
Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: ssh2
Old syntax
In non-FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } |
prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac
{ md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } |
prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 |
sha1-96 } ] * [ dscp dscp-value | escape character | publickey keyname | source { interface
interface-type interface-number | ip ip-address } ] *
In FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa |
prefer-compress zlib | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 |
sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac
{ sha1 | sha1-96 } ] * [ escape character | publickey keyname | source { interface interface-type
interface-number | ip ip-address } ] *
New syntax
In non-FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | ecdsa | rsa |
{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc |
aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 |
md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 |
dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | { public-key keyname |
server-pki-domain domain-name } | source { interface interface-type interface-number | ip
ip-address } ] *
In FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { ecdsa | rsa |
{ x509v3-ecdsa-sha2-nistp384 | x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } |
prefer-compress zlib | prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 |
sha2-512 } | prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } |
prefer-stoc-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ escape character | { public-key keyname | server-pki-domain domain-name } | source
{ interface interface-type interface-number | ip ip-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Colon                 :
Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
Modified command: ssh2 ipv6
Old syntax
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des |
aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex
{ dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 |
des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ dscp dscp-value | escape
character | publickey keyname | source { interface interface-type interface-number | ipv6
ipv6-address } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key rsa | prefer-compress zlib | prefer-ctos-cipher { aes128 |
aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher
{ aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] * [ escape character | publickey
keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *
New syntax
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { dsa | ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr |
aes256-ctr | aes128-gcm | aes256-gcm } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 |
sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 |
dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc |
aes128-cbc | aes256-cbc | des-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm |
aes256-gcm } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] *
[ dscp dscp-value | escape character | { public-key keyname | server-pki-domain domain-name }
| source { interface interface-type interface-number | ipv6 ipv6-address } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type
interface-number ] [ identity-key { ecdsa | rsa | { x509v3-ecdsa-sha2-nistp384 |
x509v3-ecdsa-sha2-nistp256 } pki-domain domain-name } | prefer-compress zlib |
prefer-ctos-cipher { aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr |
aes128-gcm | aes256-gcm } | prefer-ctos-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } |
prefer-kex { dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher
{ aes128-cbc | aes256-cbc | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm | aes256-gcm } |
prefer-stoc-hmac { sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ escape character | { public-key
keyname | server-pki-domain domain-name } | source { interface interface-type interface-number
| ipv6 ipv6-address } ] *
Views
User view
Change description
The following keywords were added:
Keywords for specifying PKI domains used in certificate verification:
pki-domain domain-name: Specifies the PKI domain of the client's certificate. When the public key algorithm is x509v3 (x509v3-ecdsa-sha2-nistp256 or x509v3-ecdsa-sha2-nistp384), you must specify this option for the client to get the correct local certificate.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate. The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31 characters. If you do not specify the server's PKI domain, the client uses the PKI domain of its own certificate to verify the server's certificate.
The PKI domain name cannot contain characters in the following table:
Character name        Symbol
Tilde                 ~
Asterisk              *
Backslash             \
Vertical bar          |
Dot                   .
Left angle bracket    <
Right angle bracket   >
Quotation marks       "
Colon                 :
Apostrophe            '
Keywords for specifying the publickey algorithms used in publickey authentication:
ecdsa: Specifies the public key algorithm ecdsa.
x509v3-ecdsa-sha2-nistp256: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp256.
x509v3-ecdsa-sha2-nistp384: Specifies the public key algorithm x509v3-ecdsa-sha2-nistp384.
Keywords for specifying the preferred client-to-server encryption algorithms:
aes128-ctr: Specifies the encryption algorithm aes128-ctr.
aes192-ctr: Specifies the encryption algorithm aes192-ctr.
aes256-ctr: Specifies the encryption algorithm aes256-ctr.
aes256-gcm: Specifies the encryption algorithm aes256-gcm.
aes128-gcm: Specifies the encryption algorithm aes128-gcm.
Keywords for specifying the preferred client-to-server HMAC algorithms:
sha2-256: Specifies the HMAC algorithm sha2-256.
sha2-512: Specifies the HMAC algorithm sha2-512.
Keywords for specifying the preferred key exchange algorithms:
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
The following keywords were modified:
Keywords for the preferred client-to-server encryption algorithm prefer-ctos-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
Keywords for the preferred key exchange algorithm prefer-kex:
The dh-group-exchange keyword was changed to dh-group-exchange-sha1.
The dh-group1 keyword was changed to dh-group1-sha1.
The dh-group14 keyword was changed to dh-group14-sha1.
Keywords for the preferred server-to-client encryption algorithm prefer-stoc-cipher:
The 3des keyword was changed to 3des-cbc.
The aes128 keyword was changed to aes128-cbc.
The aes256 keyword was changed to aes256-cbc.
The des keyword was changed to des-cbc.
The default settings for the following algorithms were changed:
For the preferred client-to-server encryption algorithm prefer-ctos-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred client-to-server HMAC algorithm prefer-ctos-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
For the preferred key exchange algorithm prefer-kex:
Before modification: The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
After modification: The default is ecdh-sha2-nistp256 in both non-FIPS mode and FIPS mode.
For the preferred server-to-client encryption algorithm prefer-stoc-cipher:
Before modification: The default is aes128.
After modification: The default is aes128-ctr.
For the preferred server-to-client HMAC algorithm prefer-stoc-hmac:
Before modification: The default is sha1.
After modification: The default is sha2-256.
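The keyword renames and default changes above apply alike to ssh2, sftp, scp and their ipv6 forms, so scripts written against the old syntax stop parsing after the upgrade. The following Python helper, an added example that is not part of the release notes or of the HPE software, rewrites such command lines to the new keyword names, reports the algorithm each prefer-* keyword will now select (explicit or default), and flags the keywords whose algorithm the FIPS-mode syntax does not accept; the rename table, defaults and FIPS sets are copied from the sections above, and the sample script is constructed.

```python
"""Rewrite SSH client commands written for the old syntax (ssh2, sftp, scp and
their ipv6 forms) to the keyword names introduced in this release, and flag
algorithms that the FIPS-mode syntax does not accept.

Added example, not part of the release notes or of the HPE software. The rename
table, the new defaults and the FIPS-mode algorithm sets are copied from the
syntax and change descriptions above; the sample script is constructed.
"""

SSH_CLIENT_COMMANDS = ("ssh2", "sftp", "scp")

# Old keyword -> new keyword, as listed under "The following keywords were
# modified". publickey -> public-key is visible in the old and new syntax lines.
_CIPHER_RENAMES = {"3des": "3des-cbc", "aes128": "aes128-cbc",
                   "aes256": "aes256-cbc", "des": "des-cbc"}
RENAMES = {
    "prefer-ctos-cipher": _CIPHER_RENAMES,
    "prefer-stoc-cipher": _CIPHER_RENAMES,
    "prefer-kex": {"dh-group-exchange": "dh-group-exchange-sha1",
                   "dh-group1": "dh-group1-sha1",
                   "dh-group14": "dh-group14-sha1"},
}

# Defaults after the upgrade, used when a prefer-* keyword is absent.
NEW_DEFAULTS = {
    "prefer-ctos-cipher": "aes128-ctr", "prefer-stoc-cipher": "aes128-ctr",
    "prefer-ctos-hmac": "sha2-256", "prefer-stoc-hmac": "sha2-256",
    "prefer-kex": "ecdh-sha2-nistp256",
}

# Algorithms the "In FIPS mode" new syntax accepts for each keyword.
_FIPS_CIPHERS = {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes192-ctr",
                 "aes256-ctr", "aes128-gcm", "aes256-gcm"}
_FIPS_HMACS = {"sha1", "sha1-96", "sha2-256", "sha2-512"}
FIPS_ALLOWED = {
    "prefer-ctos-cipher": _FIPS_CIPHERS, "prefer-stoc-cipher": _FIPS_CIPHERS,
    "prefer-ctos-hmac": _FIPS_HMACS, "prefer-stoc-hmac": _FIPS_HMACS,
    "prefer-kex": {"dh-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"},
}


def migrate(command):
    """Rewrite one ssh2/sftp/scp command line.

    Returns (new_command, effective, not_fips): the rewritten line, the
    algorithm the upgraded client prefers for each prefer-* keyword (explicit
    or default), and the keywords whose algorithm FIPS mode would reject.
    """
    tokens = command.split()
    if not tokens or tokens[0] not in SSH_CLIENT_COMMANDS:
        raise ValueError("not an SSH client command: %r" % command)
    out, effective, i = [], dict(NEW_DEFAULTS), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "publickey":
            out.append("public-key")
        elif tok in NEW_DEFAULTS:
            if i + 1 >= len(tokens):
                raise ValueError("%s requires an algorithm name" % tok)
            alg = RENAMES.get(tok, {}).get(tokens[i + 1], tokens[i + 1])
            effective[tok] = alg
            out.extend((tok, alg))
            i += 1  # the algorithm token has been consumed
        else:
            out.append(tok)
        i += 1
    not_fips = sorted(k for k, v in effective.items() if v not in FIPS_ALLOWED[k])
    return " ".join(out), effective, not_fips


def migrate_script(text):
    """Apply migrate() to every SSH client line of a script; other lines pass
    through. Returns (new_text, findings), findings mapping 1-based line
    numbers to the keywords that are not permitted in FIPS mode."""
    new_lines, findings = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        first = stripped.split()[0] if stripped else ""
        if first in SSH_CLIENT_COMMANDS:
            new_cmd, _, not_fips = migrate(stripped)
            new_lines.append(new_cmd)
            if not_fips:
                findings[n] = not_fips
        else:
            new_lines.append(line)
    return "\n".join(new_lines), findings


# Constructed sample: an operator script written against the old syntax.
SAMPLE_SCRIPT = """\
ssh2 192.0.2.10 identity-key rsa prefer-kex dh-group-exchange prefer-ctos-cipher des publickey key1
sftp 192.0.2.11 prefer-ctos-hmac md5 prefer-stoc-cipher aes128
scp 192.0.2.12 put flash:/startup.cfg backup.cfg
"""

if __name__ == "__main__":
    new_text, findings = migrate_script(SAMPLE_SCRIPT)
    print(new_text)
    for n, keys in sorted(findings.items()):
        print("line %d: not permitted in FIPS mode: %s" % (n, ", ".join(keys)))
```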
New command: fips kdf ssh
Use fips kdf ssh to generate a validation file in an SSH Key Derivation Function (KDF) test.
Syntax
fips kdf ssh import single-request-file export validation-file
Views
Probe view
Predefined user roles
network-admin
Parameters
import single-request-file: Specifies the name of the single request file generated by CAVS.
export validation-file: Specifies a name for the validation file to be generated.
Usage guidelines
SSH gets parameters from the single request file and sends them to the key derivation module. After the key derivation module returns the calculation result, SSH stores the calculation result in the validation file.
Examples
# Specify ssh.req and ssh.txt as the single request file and the validation file, respectively.
<Sysname> system-view
[Sysname] probe
[Sysname-probe] fips kdf ssh import ssh.req export ssh.txt
New feature: Ignoring the first AS number of EBGP route updates for a peer or peer group
Configuring BGP to ignore the first AS number of EBGP route updates for a peer or peer group
By default, BGP checks the first AS number of a received EBGP route update. If the first AS number is neither the AS number of the BGP peer nor a private AS number, the BGP router disconnects the BGP session to the peer.
To ignore the first AS number of EBGP route updates for a peer or peer group:
109. Enter system view.
Command: system-view
Remarks: N/A
110. Enter BGP instance view or BGP-VPN instance view.
Command: To enter BGP instance view, use bgp as-number. To enter BGP-VPN instance view, use bgp as-number and then ip vpn-instance vpn-instance-name.
Remarks: N/A
111. Configure BGP to ignore the first AS number of EBGP route updates for a peer or peer group.
Command: peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as
Remarks: By default, BGP checks the first AS number of EBGP route updates.
Command reference
peer ignore-first-as
Use peer ignore-first-as to configure BGP to ignore the first AS number of EBGP route updates for a peer or peer group.
Use undo peer ignore-first-as to restore the default.
Syntax
peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as
undo peer { group-name | ipv4-address [ mask-length ] | ipv6-address [ prefix-length ] } ignore-first-as
Default
BGP checks the first AS number of a received EBGP route update.
Views
BGP instance view
BGP-VPN instance view
Predefined user roles
network-admin
Parameters
group-name: Specifies a peer group by its name, a case-sensitive string of 1 to 47 characters. The peer group must have been created.
ipv4-address: Specifies a peer by its IPv4 address. The peer must have been created.
mask-length: Specifies a mask length in the range of 0 to 32. You can use the ipv4-address and mask-length arguments together to specify a subnet. If you specify a subnet, BGP ignores the first AS number of EBGP route updates for all dynamic peers in the subnet.
ipv6-address: Specifies a peer by its IPv6 address. The peer must have been created.
prefix-length: Specifies a prefix length in the range of 0 to 128. You can use the ipv6-address and prefix-length arguments together to specify a subnet. If you specify a subnet, BGP ignores the first AS number of EBGP route updates for all dynamic peers in the subnet.
Usage guidelines
By default, BGP checks the first AS number of a received EBGP route update. If the first AS number is neither the AS number of the BGP peer nor a private AS number, the BGP router disconnects the BGP session to the peer.
The peer ignore-first-as command takes effect only on routes received after the configuration of the command. After you configure the undo peer ignore-first-as command, BGP requests the EBGP peer or peer group to resend the routes.
Examples
# In BGP instance view, configure BGP to ignore the first AS number of EBGP route updates for the peer group test.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp-default] peer test ignore-first-as
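As an added illustration (not HPE code), the following Python functions model the first-AS check described above, including the private AS exemption, the session teardown on failure, and what peer ignore-first-as switches off; the peer AS, paths and prefixes are constructed from documentation ranges, and treating an empty AS_PATH as a failure is an assumption of the example.

```python
# Private AS number ranges reserved by RFC 6996 (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    return any(low <= asn <= high for low, high in PRIVATE_ASN_RANGES)


def first_as_check(as_path, peer_as, ignore_first_as=False):
    """EBGP first-AS check as described above.

    as_path is the leftmost-first list of AS numbers from the UPDATE's AS_PATH
    (AS_SEQUENCE segments only). Returns ("accept", reason) or
    ("reset-session", reason).
    """
    if ignore_first_as:
        return "accept", "peer ignore-first-as configured; first AS not checked"
    if not as_path:
        # Assumption: an EBGP update with no AS to check fails the check.
        return "reset-session", "empty AS_PATH from EBGP peer"
    first = as_path[0]
    if first == peer_as:
        return "accept", f"first AS {first} is the peer AS"
    if is_private_asn(first):
        return "accept", f"first AS {first} is a private AS number"
    return "reset-session", f"first AS {first} is neither peer AS {peer_as} nor private"


def process_updates(updates, peer_as, ignore_first_as=False):
    """Run the check over (as_path, prefix) updates received from one EBGP peer.

    Stops at the first failure, because the router disconnects the session and
    the remaining updates are never received. Returns the list of decisions.
    """
    decisions = []
    for as_path, prefix in updates:
        action, reason = first_as_check(as_path, peer_as, ignore_first_as)
        decisions.append((prefix, action, reason))
        if action == "reset-session":
            break
    return decisions


# Constructed updates from a peer in documentation AS 64496 (RFC 5398 range).
PEER_AS = 64496
SAMPLE_UPDATES = [
    ([64496, 65536], "192.0.2.0/24"),          # first AS is the peer: accepted
    ([64512, 64496], "198.51.100.0/24"),       # first AS is private (64512): accepted
    ([4200000000, 64496], "203.0.113.0/24"),   # first AS is a 32-bit private AS: accepted
    ([64497, 64496], "198.51.100.128/25"),     # first AS is a third party: session reset
    ([64496], "192.0.2.128/25"),               # never processed after the reset
]
```

With the default check, process_updates stops after the fourth update; with ignore_first_as=True all five are accepted, which is the sanity check an operator gives up when enabling the command.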
Modified feature: Support for Ethernet link aggregation on Layer 3 Ethernet subinterfaces
Feature change description
Layer 3 Ethernet subinterfaces can be assigned to Layer 3 aggregation groups. The following commands are supported in Layer 3 Ethernet subinterface view:
lacp mode
lacp period short
link-aggregation port-priority
port link-aggregation group
To configure a Layer 3 static aggregation group:
112. Enter system view.
Command: system-view
Remarks: N/A
113. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
Command: interface route-aggregation interface-number
Remarks: When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.
114. Return to system view.
Command: quit
Remarks: N/A
115. Assign an interface or subinterface to the specified Layer 3 aggregation group.
Command:
a. Enter Layer 3 Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }
b. Assign the interface or subinterface to the specified Layer 3 aggregation group: port link-aggregation group number
Remarks: Repeat these two substeps to assign more Layer 3 Ethernet interfaces or subinterfaces to the aggregation group.
To configure a Layer 3 dynamic aggregation group:
116. Enter system view.
Command: system-view
Remarks: N/A
117. Set the system LACP priority.
Command: lacp system-priority system-priority
Remarks: By default, the system LACP priority is 32768. Changing the system LACP priority might affect the aggregation states of the ports in the dynamic aggregation group.
118. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
Command: interface route-aggregation interface-number
Remarks: When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.
119. Configure the aggregation group to operate in dynamic mode.
Command: link-aggregation mode dynamic
Remarks: By default, an aggregation group operates in static mode.
120. Return to system view.
Command: quit
Remarks: N/A
121. Assign an interface or subinterface to the specified Layer 3 aggregation group.
Command:
a. Enter Layer 3 Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }
b. Assign the interface or subinterface to the specified Layer 3 aggregation group: port link-aggregation group number
Remarks: Repeat these two substeps to assign more Layer 3 Ethernet interfaces or subinterfaces to the aggregation group.
122. Set the LACP operating mode for the interface or subinterface.
Command: To set the LACP operating mode to passive, use lacp mode passive. To set the LACP operating mode to active, use undo lacp mode.
Remarks: By default, LACP is operating in active mode.
123. Set the port priority for the interface or subinterface.
Command: link-aggregation port-priority port-priority
Remarks: The default setting is 32768.
124. Set the short LACP timeout interval (3 seconds) for the interface or subinterface.
Command: lacp period short
Remarks: By default, the long LACP timeout interval (90 seconds) is used by the interface or subinterface. To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before performing the ISSU. For more information about ISSU, see Fundamentals Configuration Guide.
Command changes
Modified command: lacp mode
Syntax
lacp mode passive
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Change description
Layer 3 Ethernet subinterface view was added.
Modified command: lacp period short
Syntax
lacp period short
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Change description
Layer 3 Ethernet subinterface view was added.
Modified command: link-aggregation port-priority
Syntax
link-aggregation port-priority port-priority
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Change description
Layer 3 Ethernet subinterface view was added.
Modified command: port link-aggregation group
Syntax
port link-aggregation group number
Views
Layer 2 Ethernet interface view, Layer 3 Ethernet interface view, Layer 3 Ethernet subinterface view
Change description
Layer 3 Ethernet subinterface view was added.
A Layer 3 Ethernet subinterface can belong to only one aggregation group.
You cannot create subinterfaces on a Layer 3 Ethernet interface that is in an aggregation group. You cannot assign a Layer 3 Ethernet interface that contains subinterfaces to an aggregation group.
When you assign a Layer 3 Ethernet subinterface to an aggregation group, follow these restrictions and guidelines:
As a best practice, configure the VLAN termination commands on the subinterface first if VLAN termination is required. VLAN termination configuration on the subinterface cannot be modified after the subinterface is assigned to an aggregation group.
Make sure the VLAN termination configuration is the same on all Layer 3 Ethernet subinterfaces when you assign the subinterfaces to the same aggregation group.
When you configure the vlan-type dot1q vid vlan-id-list [ loose ] command on a subinterface to be assigned a dynamic aggregation group, make sure the vlan-id-list argument specifies only one VLAN ID.
You cannot assign Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces to the same aggregation group.
You cannot create aggregate subinterfaces on a Layer 3 aggregate interface whose corresponding aggregation group uses Layer 3 Ethernet subinterfaces as member ports. You cannot assign Layer 3 Ethernet subinterfaces to an aggregation group whose corresponding aggregate interface has aggregate subinterfaces.
Modified feature: Changing the maximum number of FIB table entries
Feature change description
The maximum number of FIB entries that MSR2003 supports for the IPv4 public network is changed to 300000.
The maximum number of FIB entries that MSR2003 supports for the IPv6 public network is changed to 300000.
Command changes
None
Modified feature: Enabling CWMP
Feature change description
The default CWMP status was changed from disabled to enabled.
To enable CWMP:
125. Enter system view.
Command: system-view
Remarks: N/A
126. Enter CWMP view.
Command: cwmp
Remarks: N/A
127. Enable CWMP.
Command: cwmp enable
Remarks: By default, CWMP is enabled.
Command changes
Modified command: cwmp enable
Syntax
cwmp enable
undo cwmp enable
Views
CWMP view
Change description
Before modification: CWMP is disabled by default.
After modification: CWMP is enabled by default.
Release 0305
This release has the following changes:
New feature: IKE
Feature change description
IKEv2 was added.
For more information about configuring IKEv2, see HPE FlexNetwork MSR Routers Security Configuration Guide (V7).
Command changes
New commands: IKEv2 commands
For more information about IKEv2 commands, see HPE FlexNetwork MSR Routers Security Command Reference (V7).
Modified feature: IPsec
Feature change description
IPsecv3 was modified.
Command changes
Modified command: ah authentication-algorithm
Old syntax
In non-FIPS mode:
ah authentication-algorithm { md5 | sha1 | sm3 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm sha1
undo ah authentication-algorithm
New syntax
In non-FIPS mode:
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo ah authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key.
This keyword is available only for IKEv2.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key. This keyword is available only for IKEv2.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key. This keyword is available only for IKEv2.
New command: esn enable
Use esn enable to enable the Extended Sequence Number (ESN) feature.
Use undo esn enable to disable ESN.
Syntax
esn enable [ both ]
undo esn enable
Default
ESN is disabled.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
both: Specifies that IPsec supports both extended sequence numbers and traditional sequence numbers. If you do not specify this keyword, IPsec supports only extended sequence numbers.
Usage guidelines
The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does not need to be renegotiated.
This feature must be enabled at both the initiator and the responder.
Examples
# Enable ESN in the IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esn enable
Related commands
display ipsec transform-set
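The following Python class is an added example, not HPE code. It shows what the usage guidelines above imply for the receiver: with ESN the high-order 32 bits of the sequence number are never sent, so the receiver infers them from its anti-replay window state and relies on the ICV (computed over all 64 bits) to confirm the guess, following RFC 4303, Appendix A. The window size, the preset starting state and the packet sequence are constructed for the example, and icv_ok is a stand-in for real ICV verification.

```python
MASK32 = 0xFFFFFFFF


class EsnReplayWindow:
    """Receiver-side anti-replay window for an IPsec SA with ESN enabled.

    Only the low-order 32 bits of the 64-bit sequence number are carried in the
    ESP header. The receiver infers the high-order 32 bits from its window state
    (RFC 4303, Appendix A2.2); the ICV, computed over the full 64-bit value,
    confirms or refutes that inference.
    """

    def __init__(self, window_size=64, top=0):
        self.w = window_size
        # Highest 64-bit sequence number accepted so far. 'top' can be preset so the
        # example can start just below the 32-bit wrap (constructed state, not real traffic).
        self.top = top
        self.bitmap = 1 if top else 0   # bit i set => sequence number (top - i) was received

    def infer_seqh(self, seql):
        """Return the inferred high-order 32 bits for received low-order bits seql."""
        th, tl = self.top >> 32, self.top & MASK32
        bl = (tl - self.w + 1) & MASK32            # low-order bits of the window bottom
        if tl >= self.w - 1:                       # case A: window lies within one 32-bit cycle
            return th if seql >= bl else th + 1    # values below the bottom are assumed ahead
        return th - 1 if seql >= bl else th        # case B: window straddles the wrap point

    def receive(self, seql, icv_ok=lambda seq64: True):
        """Decide a packet carrying low-order bits seql; returns (accepted, reason).

        icv_ok stands in for ICV verification under the inferred 64-bit number.
        """
        seqh = self.infer_seqh(seql)
        if seqh < 0:
            return False, "before the first cycle"
        seq = (seqh << 32) | seql
        if seq == 0:
            return False, "sequence number 0 is never sent"
        if not icv_ok(seq):
            return False, "ICV mismatch under inferred ESN"
        if seq > self.top:                          # new highest: slide the window forward
            shift = seq - self.top
            if shift >= self.w:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.w) - 1)
            self.top = seq
            return True, "new highest"
        diff = self.top - seq
        if diff >= self.w:                          # unreachable via infer_seqh; kept as a guard
            return False, "below window"
        if self.bitmap & (1 << diff):
            return False, "replay"
        self.bitmap |= 1 << diff
        return True, "inside window"


if __name__ == "__main__":
    win = EsnReplayWindow(window_size=64, top=0xFFFFFFFE)   # constructed: just below the wrap
    for seql in (0xFFFFFFFF, 0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFF):
        print(f"seql=0x{seql:08x} -> {win.receive(seql)}")
```

A replayed packet whose low-order bits fall between the window top and the window bottom is inferred to be one cycle ahead, which is why the ICV over the full 64-bit number, not the window alone, is what rejects it.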
Modified command: esp authentication-algorithm
Old syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
New syntax
In non-FIPS mode:
esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm { sha1 | sha256 | sha384 | sha512 } *
undo esp authentication-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-MAC algorithm, which uses a 128-bit key.
This keyword is available only for IKEv2.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key. This keyword is available only for IKEv2.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key. This keyword is available only for IKEv2.
Modified command: esp encryption-algorithm
Old syntax
Low encryption:
esp encryption-algorithm des-cbc
undo esp encryption-algorithm
High encryption (in non-FIPS mode):
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null | sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 } *
undo esp encryption-algorithm
High encryption (in FIPS mode):
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
undo esp encryption-algorithm
New syntax
Low encryption:
esp encryption-algorithm des-cbc
undo esp encryption-algorithm
High encryption (in non-FIPS mode):
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *
undo esp encryption-algorithm
High encryption (in FIPS mode):
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 } *
undo esp encryption-algorithm
Views
IPsec transform set view
Change description
The following keywords were added:
aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2.
aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.
aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key. This keyword is available only for IKEv2.
camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key.
This keyword is available only for IKEv2.
camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key.
This keyword is available only for IKEv2.
camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key.
This keyword is available only for IKEv2.
gmac-128: Specifies the GMAC algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.
gmac-192: Specifies the GMAC algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.
gmac-256: Specifies the GMAC algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.
gcm-128: Specifies the GCM algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.
gcm-192: Specifies the GCM algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.
gcm-256: Specifies the GCM algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.
sm4-cbc: Specifies SM4 algorithm in CBC mode, which uses a 128-bit key.
Modified command: pfs
Old syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
undo pfs
In FIPS mode:
pfs dh-group14
undo pfs
New syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 | dh-group19 | dh-group20 }
undo pfs
In FIPS mode:
pfs { dh-group14 | dh-group19 | dh-group20 }
undo pfs
Views
IPsec transform set view
Change description
The following keywords were added:
dh-group19: Uses the 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
dh-group20: Uses the 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.
New command: tfc enable
Use tfc enable to enable the Traffic Flow Confidentiality (TFC) padding feature.
Use undo tfc enable to disable TFC padding.
Syntax
tfc enable
undo tfc enable
Default
TFC padding is disabled.
Views
IPsec policy view
IPsec policy template view
Predefined user roles
network-admin
Usage guidelines
The TFC padding feature can hide the length of the original packet and might affect the packet encapsulation and de-encapsulation performance. This feature takes effect on UDP packets encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode.
Examples
# Enable TFC padding for the IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable
Related commands
display ipsec ipv6-policy
display ipsec policy
Modified command: public-key local create
Old syntax
public-key local create { dsa | ecdsa | rsa } [ name key-name ]
New syntax
public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]
Views
System view
Change description
The following keywords were added:
secp192r1: Uses the secp192r1 curve to create a 192-bit ECDSA key pair. The secp192r1 curve is used by default.
secp256r1: Uses the secp256r1 curve to create a 256-bit ECDSA key pair.
secp384r1: Uses the secp384r1 curve to create a 384-bit ECDSA key pair.
Modified command: public-key ecdsa
Old syntax
public-key ecdsa name key-name
New syntax
public-key ecdsa name key-name [ secp192r1 | secp256r1 | secp384r1 ]
Views
PKI domain view
Change description
The following keywords were added:
secp192r1: Uses the secp192r1 curve to generate the key pair.
secp256r1: Uses the secp256r1 curve to generate the key pair.
secp384r1: Uses the secp384r1 curve to generate the key pair.
Release 0304P12
This release has the following changes:
New feature: Including vendor information in PPP accounting requests
New feature: BFD for an aggregation group
Modified feature: SSH username
Modified feature: IS-IS hello packet sending interval
Modified feature: MP-group interface numbering
New feature: Including vendor information in PPP accounting requests
Configuring Including vendor information in PPP accounting requests
This feature enables vendor information to be included in PPP accounting requests.
Command reference
pppoe-server account-vendor
Use pppoe-server account-vendor to include vendor information in PPP accounting requests.
Use undo pppoe-server account-vendor to exclude vendor information from PPP accounting requests.
Syntax
pppoe-server account-vendor { adsl-forum | cn-telecom }
undo pppoe-server account-vendor { adsl-forum | cn-telecom }
Default
Vendor information is not included in PPP accounting requests.
Views
Ethernet interface view
Ethernet subinterface view
Predefined user roles
network-admin
Parameters
adsl-forum: Specifies the ADSL forum vendor information.
cn-telecom: Specifies the China Telecom vendor information.
Examples
# Include China Telecom vendor information in the PPP accounting requests.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] pppoe-server account-vendor cn-telecom
New feature: BFD for an aggregation group
Configuring BFD for an aggregation group
BFD for Ethernet link aggregation can monitor member link status in an aggregation group. After you enable BFD on an aggregate interface, each Selected port in the aggregation group establishes a BFD session with its peer port. BFD operates differently depending on the aggregation modes.
BFD for static aggregation: When BFD detects a link failure, BFD notifies the Ethernet link aggregation module that the peer port is unreachable. The local port is placed in Unselected state. The BFD session between the local and peer ports remains, and the local port keeps sending BFD packets. When the link is recovered, the local port receives BFD packets from the peer port, and BFD notifies the Ethernet link aggregation module that the peer port is reachable. The local port is placed in Selected state again. This mechanism ensures that the local and peer ports of a static aggregate link have the same aggregation state.
BFD for dynamic aggregation: When BFD detects a link failure, BFD notifies the Ethernet link aggregation module that the peer port is unreachable. BFD clears the session and stops sending BFD packets. When the link is recovered and the local port is placed in Selected state again, the local port establishes a new session with the peer port. BFD notifies the Ethernet link aggregation module that the peer port is reachable. Because BFD provides fast failure detection, the local and peer systems of a dynamic aggregate link can negotiate the aggregation state of their member ports faster.
For more information about BFD, see High Availability Configuration Guide.
Configuration restrictions and guidelines
When you enable BFD for an aggregation group, follow these restrictions and guidelines:
Make sure the source and destination IP addresses are consistent at two ends of an aggregate link. For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2 on the local end, execute link-aggregation bfd ipv4 source 2.2.2.2 destination 1.1.1.1 on the peer end. The source and destination IP addresses cannot be the same.
The BFD parameters configured on an aggregate interface take effect on all BFD sessions in the aggregation group. BFD sessions for link aggregation do not support the echo packet mode and the Demand mode.
HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled aggregate interface.
Make sure the number of member ports in a BFD-enabled aggregation group is not larger than the number of BFD sessions supported by the device. Otherwise, this command might cause some Selected ports in the aggregation group to change to the Unselected state.
Configuration procedure
To enable BFD for an aggregation group:
1. Enter system view.
Command: system-view
Remarks: N/A
2. Enter Layer 3 aggregate interface view.
Command: interface route-aggregation interface-number
Remarks: N/A
3. Enable BFD for the aggregation group.
Command: link-aggregation bfd ipv4 source ip-address destination ip-address
Remarks: By default, BFD is disabled for an aggregation group.
Command reference
link-aggregation bfd ipv4
Use link-aggregation bfd ipv4 to enable BFD for an aggregation group.
Use undo link-aggregation bfd to disable BFD for an aggregation group.
Syntax
link-aggregation bfd ipv4 source ip-address destination ip-address
undo link-aggregation bfd
Default
BFD is disabled for an aggregation group.
Views
Layer 3 aggregate interface view
Predefined user roles
network-admin
Parameters
source ip-address: Specifies the unicast source IP address of BFD sessions. The source IP address cannot be 0.0.0.0.
destination ip-address: Specifies the unicast destination IP address of BFD sessions. The destination IP address cannot be 0.0.0.0.
Usage guidelines
Make sure the source and destination IP addresses are consistent at two ends of an aggregate link.
For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2 on the local end, execute link-aggregation bfd ipv4 source 2.2.2.2 destination 1.1.1.1 on the peer end.
The source and destination IP addresses cannot be the same.
The BFD parameters configured on an aggregate interface take effect on all BFD sessions in the aggregation group. BFD sessions for link aggregation do not support the echo packet mode and the Demand mode.
HPE recommends not configuring other protocols to collaborate with BFD on a BFD-enabled aggregate interface.
Make sure the number of member ports in a BFD-enabled aggregation group is not larger than the number of BFD sessions supported by the device. Otherwise, this command might cause some Selected ports in the aggregation group to change to the Unselected state.
Examples
# Enable BFD for Layer 3 aggregation group 1, and specify the source and destination IP addresses as 1.1.1.1 and 2.2.2.2 for BFD sessions.
<Sysname> system-view
[Sysname] interface route-aggregation 1
[Sysname-Route-Aggregation1] link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2
Modified feature: SSH username
Feature change description
In this release, an SSH username cannot be a, al, all, or include the following characters:
\ | / : * ? < >
The at sign (@) can only be used in the username format pureusername@domain when the username contains an ISP domain name.
Command changes
Modified command: ssh user
Syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } }
undo ssh user username
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey assign { pki-domain domain-name | publickey keyname } }
undo ssh user username
Views
System view
Change description
Before modification: The username argument is a case-insensitive string of 1 to 80 characters. If the username contains an ISP domain name, use the format pureusername@domain.
After modification: The username argument is a case-insensitive string of 1 to 80 characters, excluding a, al, all, and the following characters:
\ | / : * ? < >
The at sign (@) can only be used in the username format pureusername@domain when the username contains an ISP domain name.
Modified feature: IS-IS hello packet sending interval
Feature change description
The value range of the interval for sending hello packets was changed to 1 to 255 seconds.
Command changes
Modified command: isis timer hello
Syntax
isis timer hello seconds [ level-1 | level-2 ]
undo isis timer hello [ level-1 | level-2 ]
Views
Interface view
Change description
The value range for the seconds argument was changed to 1 to 255 seconds.
Modified feature: MP-group interface numbering
Feature change description
In this release, the numbering for MP-group interfaces is changed.
Command changes
Modified command: interface mp-group
Syntax
interface mp-group mp-number
Views
System view
Change description
MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.
Modified command: display interface mp-group
Syntax
display interface [ mp-group [ interface-number ] ] [ brief [ description | down ] ]
Views
Any view
Change description
MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.
Modified command: ppp mp mp-group
Syntax
ppp mp mp-group mp-number
Views
Interface view
Change description
MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.
Modified command: reset counters interface mp-group
Syntax
reset counters interface [ mp-group [ interface-number ] ]
Views
Interface view
Change description
MP-group interfaces on MSR4000 routers are numbered in the 2/0/x format.
Release 0304P04
This release has the following changes:
New feature: Media Stream Control (MSC) logging
Modified feature: ESP encryption algorithms
New feature: Media Stream Control (MSC) logging
This feature enables the router to generate MSC logs and send the logs to the information center.
Command reference
sip log enable
Use sip log enable to enable Media Stream Control (MSC) logging.
Use undo sip log enable to disable MSC logging.
Syntax
sip log enable
undo sip log enable
Default
MSC logging is disabled.
Views
Voice view
Predefined user roles
network-admin
Usage guidelines
This command enables the router to generate MSC logs and send the logs to the information center.
The information center outputs the logs to a destination according to an output rule. For more information about the information center, see Network Management and Monitoring Configuration Guide.
MSC logging is used for auditing purposes.
Examples
# Enable MSC logging.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip log enable
Modified feature: ESP encryption algorithms
Feature change description
Support for the CBC-mode SM4 algorithm was added for high encryption in non-FIPS mode.
Command changes
Modified command: esp encryption-algorithm
Old Syntax
High encryption (in non-FIPS mode):
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null
| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 } *
New Syntax
High encryption (in non-FIPS mode):
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null
| sm1-cbc-128 | sm1-cbc-192 | sm1-cbc-256 | sm4-cbc } *
Views
IPsec transform set view
Change description
The sm4-cbc keyword was added to support the CBC-mode SM4 algorithm, which uses a 128-bit key.
Release 0304P02
This release has the following changes:
New feature: IMSI/SN binding authentication
New feature: Specifying a band for a 4G modem
New feature: Using tunnel interfaces as OpenFlow ports
New feature: NETCONF support for ACL filtering
New feature: Specifying a backup traffic processing unit
New feature: Support for the MKI field in SRTP or SRTCP packets
Modified feature: Setting the global link-aggregation load-sharing mode
New feature: IMSI/SN binding authentication
This feature enables the device to include the IMSI/SN information in the LCP authentication information.
Command reference
ppp lcp imsi accept
Use ppp lcp imsi accept to enable the client to accept the IMSI binding authentication requests from the LNS.
Use undo ppp lcp imsi accept to restore the default.
Syntax
ppp lcp imsi accept
undo ppp lcp imsi accept
Default
The client declines the IMSI binding authentication requests from the LNS.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the client to accept the IMSI binding authentication requests from the LNS.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp imsi accept
Related commands
ppp lcp imsi request
ppp lcp imsi string
ppp lcp imsi request
Use ppp lcp imsi request to enable the LNS to initiate IMSI binding authentication requests.
Use undo ppp lcp imsi request to restore the default.
Syntax
ppp lcp imsi request
undo ppp lcp imsi request
Default
The LNS does not initiate IMSI binding authentication requests.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the LNS to initiate IMSI binding authentication requests.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp imsi request
Related commands
ppp lcp imsi accept
ppp lcp imsi string
ppp lcp imsi string
Use ppp lcp imsi string imsi-info to configure the IMSI information on the client.
Use undo ppp lcp imsi string to delete the IMSI information on the client.
Syntax
ppp lcp imsi string imsi-info
undo ppp lcp imsi string
Default
The client automatically obtains the IMSI information from its SIM card.
Views
Interface view
Predefined user roles
network-admin
Parameters
string imsi-info: Specifies the IMSI information, a case-sensitive string of 1 to 31 characters.
Examples
# Configure the IMSI information as imsi1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp imsi string imsi1
Related commands
ppp lcp imsi request
ppp lcp imsi accept
ppp lcp sn accept
Use ppp lcp sn accept to enable the client to accept the SN binding authentication requests from the LNS.
Use undo ppp lcp sn accept to restore the default.
Syntax
ppp lcp sn accept
undo ppp lcp sn accept
Default
The client declines the SN binding authentication requests from the LNS.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the client to accept the SN binding authentication requests from the LNS.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp sn accept
Related commands
ppp lcp sn request
ppp lcp sn string
ppp lcp sn request
Use ppp lcp sn request to enable the LNS to initiate SN binding authentication requests.
Use undo ppp lcp sn request to restore the default.
Syntax
ppp lcp sn request
undo ppp lcp sn request
Default
The LNS does not initiate SN binding authentication requests.
Views
Interface view
Predefined user roles
network-admin
Examples
# Enable the LNS to initiate SN binding authentication requests.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp sn request
Related commands
ppp lcp sn accept
ppp lcp sn string
ppp lcp sn string
Use ppp lcp sn string sn-info to configure the SN information on the client.
Use undo ppp lcp sn string to delete the SN information on the client.
Syntax
ppp lcp sn string sn-info
undo ppp lcp sn string
Default
The client automatically obtains the SN information from its SIM card.
Views
Interface view
Predefined user roles
network-admin
Parameters
string sn-info: Specifies the SN information, a case-sensitive string of 1 to 31 characters.
Examples
# Configure the SN information as sn1.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp lcp sn string sn1
Related commands
ppp lcp sn request
ppp lcp sn accept
ppp user accept-format imsi-sn split
Use ppp user accept-format imsi-sn split splitchart to configure the separator for the received authentication information.
Use undo ppp user accept-format to restore the default.
Syntax
ppp user accept-format imsi-sn split splitchart
undo ppp user accept-format
Default
No separator is configured for the received authentication information.
Views
Interface view
Predefined user roles
network-admin
Parameters
splitchart: Specifies the separator. The separator contains one character, and it can be a letter, a digit, or any sign other than the at sign (@), slash (/), and backslash (\).
Usage guidelines
By default, the authentication information contains only the client username. If you include the IMSI or SN information in the authentication information, you need to configure the separator to separate different types of information.
If no IMSI/SN information is received from the peer during the authentication process, the IMSI/SN information split from the received authentication information is used.
Examples
# Configure the pound sign (#) as the separator for the authentication information.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp user accept-format imsi-sn split #
Related commands
ppp lcp sn request
ppp lcp imsi request
ppp lcp sn accept
ppp lcp imsi accept
ppp user attach-format imsi-sn split
Use ppp user attach-format imsi-sn split splitchart to configure the separator for the sent authentication information.
Use undo ppp user attach-format to restore the default.
Syntax
ppp user attach-format imsi-sn split splitchart
undo ppp user attach-format
Default
No separator is configured for the sent authentication information.
Views
Interface view
Predefined user roles
network-admin
Parameters
splitchart: Specifies the separator. The separator contains one character, and it can be a letter, a digit, or any sign other than the at sign (@), slash (/), and backslash (\).
Usage guidelines
By default, the authentication information contains only the client username. If you include the IMSI or SN information in the authentication information, you need to configure the separator to separate different types of information.
Examples
# Configure the pound sign (#) as the separator for the sent authentication information.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp user attach-format imsi-sn split #
Related commands
ppp lcp sn request
ppp lcp imsi request
ppp lcp sn accept
ppp lcp imsi accept
ppp user replace
Use ppp user replace to replace the client username with the IMSI or SN information for authentication.
Use undo ppp user replace to restore the default.
Syntax
ppp user replace { imsi | sn }
undo ppp user replace
Default
The client username is used for authentication.
Views
Interface view
Predefined user roles
network-admin
Examples
# Replace the client username with the IMSI information for authentication.
<Sysname> system-view
[Sysname] interface virtual-template 1
[Sysname-Virtual-Template1] ppp user replace imsi
Related commands
ppp user accept-format imsi-sn split
ppp user attach-format imsi-sn split
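The attach-format/accept-format split and the ppp user replace selection described above, as an added Python model (not HPE code): the field order username<separator>imsi<separator>sn, the rejection of whitespace separators, and the fallback to the username when the chosen replacement value is absent are assumptions; the separator rule and the precedence of LCP-received IMSI/SN over split values follow the command reference.

```python
"""Added example (not from the HPE release notes): models how a PPP client
attaches IMSI/SN information to its authentication information with a
separator (ppp user attach-format imsi-sn split) and how the LNS splits it
again (ppp user accept-format imsi-sn split), with the separator rule from
the command reference. The field order username<sep>imsi<sep>sn is an
assumption for illustration; the release notes do not specify the layout.
"""
from dataclasses import dataclass
from typing import Optional

# Separator rule from the command reference: exactly one character, a letter,
# a digit, or any sign other than '@', '/' and '\'.
FORBIDDEN_SEPARATORS = {"@", "/", "\\"}


def validate_separator(splitchart: str) -> bool:
    """Return True if splitchart is a legal separator for the split commands."""
    if len(splitchart) != 1 or splitchart in FORBIDDEN_SEPARATORS:
        return False
    # Whitespace and control characters are not "signs" and cannot be given
    # as a single CLI token; reject them (assumption).
    return splitchart.isprintable() and not splitchart.isspace()


@dataclass
class PppAuthInfo:
    username: str
    imsi: Optional[str] = None
    sn: Optional[str] = None


def attach_format(username: str, splitchart: str, imsi: Optional[str] = None,
                  sn: Optional[str] = None) -> str:
    """Client side: build the sent authentication information. Without IMSI/SN
    the information is just the username (the documented default)."""
    if not validate_separator(splitchart):
        raise ValueError(f"illegal separator: {splitchart!r}")
    if imsi is None and sn is None:
        return username
    for part in (username, imsi or "", sn or ""):
        if splitchart in part:
            raise ValueError("field contains the separator; cannot be split unambiguously")
    # Assumed field order: username<sep>imsi<sep>sn; absent fields stay empty.
    return splitchart.join([username, imsi or "", sn or ""])


def accept_format(received: str, splitchart: str,
                  lcp_imsi: Optional[str] = None,
                  lcp_sn: Optional[str] = None) -> PppAuthInfo:
    """LNS side: split the received authentication information.

    Per the usage guidelines, IMSI/SN received from the peer during the
    authentication process take precedence; the values split from the
    authentication information are used only when none were received.
    """
    if not validate_separator(splitchart):
        raise ValueError(f"illegal separator: {splitchart!r}")
    parts = received.split(splitchart)
    username = parts[0]
    split_imsi = parts[1] if len(parts) > 1 and parts[1] else None
    split_sn = parts[2] if len(parts) > 2 and parts[2] else None
    imsi = lcp_imsi if lcp_imsi is not None else split_imsi
    sn = lcp_sn if lcp_sn is not None else split_sn
    return PppAuthInfo(username=username, imsi=imsi, sn=sn)


def effective_auth_name(info: PppAuthInfo, replace: Optional[str] = None) -> str:
    """Apply ppp user replace { imsi | sn }: the chosen identifier replaces the
    client username for authentication. With no replace setting (the default)
    the username is used; falling back to the username when the chosen value
    is absent is an assumption."""
    if replace == "imsi" and info.imsi:
        return info.imsi
    if replace == "sn" and info.sn:
        return info.sn
    return info.username
```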
New feature: Specifying a band for a 4G modem
You can specify a band for a 4G modem.
Command reference
lte band
Use lte band to specify a band for a 4G modem.
Use undo lte band to restore the default.
Syntax
lte band band-number
undo lte band
Default
The default setting varies by 4G modem model.
Views
Cellular interface view
Predefined user roles
network-admin
Parameters
band-number: Specifies a band for a 4G modem. The available bands vary by modem model.
Usage guidelines
This command is supported only on the following 4G modems:
Sierra MC7354 and MC7304.
Long Sung U8300C, U8300W, and U8300.
WNC DM11-2.
Examples
# Specify band 3 for Cellular 1/0.
<Sysname> system-view
[Sysname] controller cellular 1/0
[Sysname-Controller-Cellular1/0] lte band 3
New feature: CFD
The router supports the CFD feature.
New feature: Using tunnel interfaces as OpenFlow ports
The MSR1000 routers support using tunnel interfaces as OpenFlow ports.
New feature: NETCONF support for ACL filtering
The feature enables the device to use an ACL to filter NETCONF over SOAP traffic.
Command reference
netconf soap http acl
Use netconf soap http acl to apply an ACL to NETCONF over SOAP over HTTP traffic.
Use undo netconf soap http acl to remove the application.
Syntax
netconf soap http acl { acl-number | name acl-name }
undo netconf soap http acl
Default
No ACL is applied to NETCONF over SOAP over HTTP traffic.
Views
System view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL by its number in the range of 2000 to 2999.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be the word all. The specified ACL must be an IPv4 basic ACL that has already been created.
Usage guidelines
This command is not available in FIPS mode.
If you execute this command multiple times, the most recent configuration takes effect.
Only NETCONF clients permitted by the applied ACL can access the device through SOAP over HTTP.
Examples
# Use ACL 2001 to allow only NETCONF clients in the subnet 10.10.0.0/16 to access the device through SOAP over HTTP.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] netconf soap http acl 2001
netconf soap https acl
Use netconf soap https acl to apply an ACL to NETCONF over SOAP over HTTPS traffic.
Use undo netconf soap https acl to remove the application.
Syntax
netconf soap https acl { acl-number | name acl-name }
undo netconf soap https acl
Default
No ACL is applied to NETCONF over SOAP over HTTPS traffic.
Views
System view
Predefined user roles
network-admin
Parameters
acl-number: Specifies an ACL by its number in the range of 2000 to 2999.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string of 1 to 63 characters. It must start with an English letter and, to avoid confusion, it cannot be the word all. The specified ACL must be an IPv4 basic ACL that has already been created.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Only NETCONF clients permitted by the applied ACL can access the device through SOAP over HTTPS.
Examples
# Use ACL 2001 to allow only NETCONF clients in the subnet 10.10.0.0/16 to access the device through SOAP over HTTPS.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.10.0.0 0.0.255.255
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] netconf soap https acl 2001
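As an added example (not HPE code) serving both the netconf soap http acl and netconf soap https acl commands: a Python model of the basic-ACL source check the device applies to NETCONF over SOAP clients, built around the ACL 2001 rule from the examples above. First-match evaluation, the implicit deny for clients that match no rule, and the ACL-name character set are assumptions.

```python
"""Added example (not HPE code): models the access check that
netconf soap http acl / netconf soap https acl apply. A Comware IPv4 basic
ACL (2000-2999) matches on source address with a wildcard mask (1 bits are
"don't care"); a client that hits a permit rule may reach the NETCONF SOAP
service, everyone else is refused. First-match order and the implicit deny
for non-matching clients are assumptions consistent with the documented
"only NETCONF clients permitted by the applied ACL can access" behaviour.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class BasicAclRule:
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # dotted IPv4 address; None matches any source
    wildcard: str = "0.0.0.0"      # Comware wildcard mask: 1 bits are ignored

    def matches(self, client_ip: str) -> bool:
        if self.source is None:
            return True
        ip = int(ipaddress.IPv4Address(client_ip))
        src = int(ipaddress.IPv4Address(self.source))
        wc = int(ipaddress.IPv4Address(self.wildcard))
        care = (~wc) & 0xFFFFFFFF  # bits that must be equal
        return (ip & care) == (src & care)


@dataclass
class BasicAcl:
    ident: Union[int, str]         # number 2000-2999 or a name
    rules: List[BasicAclRule] = field(default_factory=list)


def validate_acl_identifier(ident: Union[int, str]) -> bool:
    """Check the identifier constraints from the command reference: a number in
    2000-2999 (IPv4 basic ACL), or a name of 1 to 63 characters that starts
    with a letter and is not 'all' (case-insensitive). The allowed characters
    after the first letter are an assumption."""
    if isinstance(ident, int):
        return 2000 <= ident <= 2999
    if not 1 <= len(ident) <= 63:
        return False
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_.-]*", ident):
        return False
    return ident.lower() != "all"


def netconf_soap_client_permitted(client_ip: str,
                                  applied_acl: Optional[BasicAcl]) -> bool:
    """Return True if a NETCONF-over-SOAP client at client_ip may reach the device.

    No applied ACL (the documented default) means no filtering. With an ACL
    applied, rules are evaluated in order and the first match decides; a
    client that matches no rule is refused (assumed implicit deny).
    """
    if applied_acl is None:
        return True
    if not validate_acl_identifier(applied_acl.ident):
        raise ValueError(f"invalid ACL identifier: {applied_acl.ident!r}")
    for rule in applied_acl.rules:
        if rule.matches(client_ip):
            return rule.action == "permit"
    return False


# Constructed sample mirroring the release-notes example:
#   acl basic 2001
#    rule permit source 10.10.0.0 0.0.255.255
#   netconf soap https acl 2001
ACL_2001 = BasicAcl(2001, [BasicAclRule("permit", "10.10.0.0", "0.0.255.255")])
```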
New feature: Specifying a backup traffic processing unit
Specifying a backup traffic processing unit
This release added support for specifying a backup traffic unit for an interface.
Command reference
service standby
For more information about this command, see HPE FlexNetwork MSR Command References(V7).
New feature: WAAS
Configuring WAAS
This release added support for the Wide Area Application Services (WAAS) feature in the DATA image on the following router series:
MSR1000.
MSR3000.
MSR4000.
Command reference
For more information about WAAS commands, see HPE FlexNetwork MSR Routers Layer 3 - IP Services Command Reference(V7).
New feature: Support for the MKI field in SRTP or SRTCP packets
This feature enables the router to add the MKI field to outgoing SRTP or SRTCP packets. You can set the length of the MKI field.
Command reference
mki
Use mki to add the MKI field to outgoing SRTP or SRTCP packets and set the length of the MKI field.
Use undo mki to restore the default.
Syntax
mki mki-length
undo mki
Default
Outgoing SRTP or SRTCP packets do not carry the MKI field.
Views
SIP view
Predefined user roles
network-admin
Parameters
mki-length: Specifies the length of the MKI field, in the range of 1 to 128 bits.
Usage guidelines
This command takes effect only when SRTP is the media stream protocol for SIP calls. To specify SRTP as the media stream protocol for SIP calls, use the srtp command.
Examples
# Add the MKI field to outgoing SRTP or SRTCP packets and set the length of the MKI field to 1 bit.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip
[Sysname-voice-sip] mki 1
New feature: SIP domain name
This feature enables the router to populate the CONTACT header field of outgoing SIP packets with the router's SIP domain name.
Command reference
sip-domain
Use sip-domain to populate the CONTACT header field of outgoing SIP packets with the router's SIP domain name.
Use undo sip-domain to restore the default.
Syntax
sip-domain domain-name
undo sip-domain
Default
The router populates the CONTACT header field of an outgoing SIP packet with the IP address of the outgoing interface.
Views
SIP view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the SIP domain name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, underscore (_), hyphen (-), and dot (.).
Examples
# Populate the CONTACT header field of outgoing SIP packets with the SIP domain name abc.com.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip
[Sysname-voice-sip] sip-domain abc.com
New feature: E&M logging
This feature enables the router to generate E&M logs.
Command reference
em log enable
Use em log enable to enable E&M logging.
Use undo em log enable to disable E&M logging.
Syntax
em log enable
undo em log enable
Default
E&M logging is disabled.
Views
Voice view
Predefined user roles
network-admin
Usage guidelines
This command enables the router to generate E&M logs.
Examples
# Enable E&M logging.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] em log enable
Modified feature: Setting the global link-aggregation load-sharing mode
Feature change description
The bandwidth-usage keyword was added to the link-aggregation global load-sharing mode command. You can set the global load-sharing mode to load share traffic based on bandwidth usage.
Command changes
Modified command: link-aggregation global load-sharing mode
Old syntax
link-aggregation global load-sharing mode { destination-ip | destination-mac | destination-port | mpls-label1 | source-ip | source-mac | source-port } *
undo link-aggregation global load-sharing mode
New syntax
link-aggregation global load-sharing mode { bandwidth-usage | destination-ip | destination-mac | destination-port | mpls-label1 | source-ip | source-mac | source-port } *
undo link-aggregation global load-sharing mode
Views
System view
Change description
The bandwidth-usage keyword was added. You can specify this keyword to set the global load sharing mode to load share traffic based on bandwidth usage.
Release 0304
This release has the following changes:
New feature: Setting the RTC version
New feature: Setting the maximum size of advertisement files
New feature: Multicast VPN support for inter-AS option B
Modified feature: 802.1X redirect URL
Modified feature: Displaying information about NTP servers from the reference source to the primary
Modified feature: Saving, rolling back, and loading the configuration
Modified feature: Displaying information about SSH users
Removed feature: Displaying fabric utilization
New feature: Setting the RTC version
Configuring the RTC version
The RTC protocol has the following versions: Version 3 and Version 5. Comware V3-based routers support only Version 3. Comware V5- or Comware V7-based routers support both Version 3 and Version 5.
To set the RTC version:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Configure the RTC version. | rta rtc version { v3 | v5 } | By default, the router uses Version 5.
Command reference
rta rtc version
Use rta rtc version to set the RTC version.
Use undo rta rtc version to restore the default.
Syntax
rta rtc version { v3 | v5 }
undo rta rtc version
Default
The router uses RTC Version 5.
Views
System view
Predefined user roles
network-admin
Parameters
v3: Sets the RTC version to Version 3.
v5: Sets the RTC version to Version 5.
Usage guidelines
Comware V5/V7-based routers support both RTC Version 3 and Version 5. Comware V3-based routers support only RTC Version 3.
For a Comware V5/V7-based router to communicate with a Comware V3-based router, set the RTC version to Version 3 on the Comware V5/V7-based router.
For Comware V5/V7-based routers to communicate with each other, set the RTC version on the routers to the same version.
Examples
# Set the RTC version to Version 3.
<Sysname> system-view
[Sysname] rta rtc version v3
New feature: Setting the maximum size of advertisement files
Configuring the maximum size of advertisement files
You can set the maximum size of advertisement files sent to wireless clients to 10 MB when the clients access the wireless network.
Command reference
None
New feature: IRF
Configuring IRF
See HP MSR Router Series Virtual Technologies Configuration Guide (V7).
Command reference
See HPE FlexNetwork MSR Router Virtual Technologies Command Reference(V7).
New feature: Frame Relay
Configuring Frame Relay
See HPE FlexNetwork MSR Routers Layer 2 - WAN Configuration Guide(V7).
Command reference
See HPE FlexNetwork MSR Routers Layer 2 - WAN Command Reference(V7).
New feature: EVI
Configuring EVI
See HPE FlexNetwork MSR Router EVI Configuration Guide (V7).
Command reference
See HPE FlexNetwork MSR Router EVI Command Reference(V7).
New feature: VPLS
Configuring VPLS
See HPE FlexNetwork MSR Routers MPLS Configuration Guide(V7).
Command reference
See HPE FlexNetwork MSR Routers MPLS Command Reference(V7).
New feature: Multicast VPN support for inter-AS option B
Configuring Multicast VPN support for inter-AS option B
See HPE FlexNetwork MSR Routers IP Multicast Configuration Guide(V7).
Command reference
See HPE FlexNetwork MSR Routers IP Multicast Command Reference(V7).
Modified feature: 802.1X redirect URL
Feature change description
The value range for the url-string argument was changed to 1 to 256 characters for the dot1x ead-assistant url command.
Command changes
Modified command: dot1x ead-assistant url
Syntax
dot1x ead-assistant url url-string
Views
System view
Change description
Before modification: The value range for the url-string argument is 1 to 64 characters.
After modification: The value range for the url-string argument is 1 to 256 characters.
Modified feature: Displaying information about NTP servers from the reference source to the primary NTP server
Feature change description
The source interface-type interface-number option was added to the display ntp-service trace command.
Command changes
Modified command: display ntp-service trace
Old syntax
display ntp-service trace
New syntax
display ntp-service trace [ source interface-type interface-number ]
Views
Any view
Change description
The source interface-type interface-number option was added to the display ntp-service trace command.
Modified feature: Saving, rolling back, and loading the configuration
Feature change description
The following configuration guidelines were added when you use NETCONF to save, roll back, or load the configuration:
The save, rollback, and load operations supplement NETCONF requests. Performing the operations might consume a lot of system resources.
Multiple users are allowed to simultaneously perform the save, rollback, or load operation, but the result returned to each user might be inconsistent with the user request. Do not perform the save, rollback, or load operation when a lot of users are performing the operation.
Command changes
None
Modified feature: Displaying information about SSH users
Feature change description
In this release, the display ssh user-information command does not display the public key name for an SSH user that uses password authentication.
Command changes
Modified command: display ssh user-information
Syntax
display ssh user-information [ username ]
Views
Any view
Change description
Before modification: The User-public-key-name field in the command output displays null for an SSH user that uses password authentication.
After modification: The User-public-key-name field in the command output is blank for an SSH user that uses password authentication.
Removed feature: Displaying fabric utilization
Feature change description
The device does not support displaying switching fabric channel usage on interface cards.
Removed command
display fabric utilization
Syntax
In standalone mode:
display fabric utilization [ slot slot-number ]
In IRF mode:
display fabric utilization [ chassis chassis-number slot slot-number ]
Views
Any view
ESS 0302P06
This release has the following changes:
New feature: Support of PPPoE server for IPv6
New feature: QSIG tunneling over SIP-T
New feature: BGP L2VPN support for NSR
New feature: BGP support for dynamic peers
New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts
New feature: QoS soft forwarding
New feature: Filtering by application layer protocol status
New feature: ADVPN support for multicast forwarding
New feature: MPLS LDP support for IPv6
New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation
New feature: Support for LLDP on CPOS interfaces
New feature: SMS-based automatic configuration
New feature: ARP attack protection
New feature: SIP support for VRF
For more information about these features, see HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).
New feature: Object policies
Configuring Object policies
A zone pair has a source security zone and a destination security zone. ASPF uses zone pairs to identify the data flows to be examined. ASPF examines only received first data packets.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: IPHC
Configuring IPHC
The device supports PPP IPHC and frame relay IPHC.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of PPPoE server for IPv6
Configuring Support of PPPoE server for IPv6
On IPv6 networks, PPP negotiates only the IPv6 interface identifier instead of the IPv6 address and IPv6 DNS server address during IPv6CP negotiation.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: QSIG tunneling over SIP-T
Configuring QSIG tunneling over SIP-T
QSIG tunneling over SIP-T tunnels QSIG messages across a SIP network by encapsulating them in SIP message bodies. This feature enables ISDN networks to communicate over a SIP network.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Playout delay
Configuring Playout delay
By buffering incoming voice packets with different delay times for a period of time (playout delay time), the receiver can smoothly play out the voice packets to the codec. By configuring playout delay, you can prevent delay variation (jitter) from affecting voice quality.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: BGP L2VPN support for NSR
Configuring BGP L2VPN support for NSR
The active BGP process backs up BGP peers and routing information to the standby BGP process only when BGP NSR is enabled.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: BGP support for dynamic peers
Configuring BGP support for dynamic peers
The dynamic BGP peer feature enables BGP to establish dynamic BGP peer relationships with devices in a network. BGP accepts connection requests from the network. After a device in the network initiates a connection request, BGP establishes a dynamic peer relationship with the device.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: ARP PnP
Configuring ARP PnP
The ARP plug and play (PnP) feature allows end users to access the gateway without changing their IP addresses on subnets different from the subnet where the gateway resides.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts
Configuring Support of Syslog for DNS and support of customlog&userlog for IPv6 hosts
The two flow log export destinations (information center and log host) are mutually exclusive. Only one export destination can be used at a time. If you configure both export destinations, the flow logs are exported to the information center and are not exported to the log host.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: QoS soft forwarding
Configuring QoS soft forwarding
Configuring PQ: You can define a set of assignment rules in a PQ list and then apply the PQ list to an interface or PVC.
Configuring CQ: You can configure a CQ list that contains up to 16 queues. The CQ list specifies the following information:
The queue in which a packet is placed.
The maximum length of each queue.
The number of bytes sent from the queue during a cycle of round robin scheduling.
Configuring RTPQ.
Configuring packet information pre-extraction: To process the original IP packets with QoS on the physical interface for a tunnel interface, configure packet information pre-extraction on the tunnel interface.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Filtering by application layer protocol status
Configuring Filtering by application layer protocol status
ASPF inspection supports protocol status validity check for application protocols of DNS, FTP, H323, HTTP, SCCP, SIP, and SMTP. ASPF drops packets with invalid protocol status.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: ADVPN support for multicast forwarding
Configuring ADVPN support for multicast forwarding
After NBMA mode is enabled on an ADVPN tunnel interface, the interface forwards multicast data only to spokes that need the data.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: MPLS LDP support for IPv6
Configuring MPLS LDP support for IPv6
LDP can operate on a pure IPv4 or IPv6 network or a network where IPv4 and IPv6 coexist. LDP operates similarly on IPv4 and IPv6 networks.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Port security
Configuring Port security
MAC move—This feature allows 802.1X or MAC authenticated users to move from a port to another port on the device. The authentication session is deleted from the first port, and the users are reauthenticated on the new port.
SNMP notifications for port security—This feature allows the port security module to generate SNMP notifications to report important events.
MAC authentication delay—When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered. If no 802.1X authentication is triggered or 802.1X authentication fails within the delay period, the port continues to process MAC authentication.
VLAN assignment—Both the 802.1X and MAC authentication features support VLAN assignment for users.
ACL assignment—Both the 802.1X and MAC authentication features support ACL assignment for users. You can specify an authorization ACL for a user to control the user's access to network resources. After the user passes authentication, the authentication server (local or remote) assigns the authorization ACL to the access port of the user. The ACL will filter traffic for this user.
802.1X EAD assistant—This feature allows unauthenticated 802.1X users to access the free IP. The feature also enables the device to redirect a user who is seeking to access the network to a specific URL on the free IP. For example, you can use this feature to redirect the user to the EAD client software download page.
802.1X SmartOn—This feature was developed to support the NEC 802.1X client. The device performs SmartOn authentication before 802.1X authentication. If a user fails SmartOn authentication, the device stops 802.1X authentication for the user.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Customizable IVR
Configuring Customizable IVR
Interactive voice response (IVR) is extensively used in voice communications. The IVR system enables you to customize interactive operations and humanize other services. If a subscriber dials an IVR access number, the IVR system plays the prerecorded voice prompts to direct the subscriber about how to proceed.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: SRST
Configuring SRST
SRST provides call handling for a branch office when the branch office loses connectivity to the central voice server or the WAN connection is down. An SRST router in the branch office takes over to manage calls to ensure that local phones can make and receive calls. When the WAN connection is restored, call handling reverts back to the central voice server.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: NEMO
Configuring NEMO
As an extension of MIP, network mobility (NEMO) enables a node to retain the same IP address and maintain application connectivity when the node travels across networks. It allows location-independent routing of IP datagrams on the Internet. A mobile router is a router that operates as a mobile node connecting the mobile network and the home agent.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation
Configuring Support of MFR and FR for L2VPN, FR QoS, and FR compression and fragmentation
Frame Relay supports MPLS L2VPN and can then communicate with other networks through MPLS L2VPN. As a result, Layer 2 data can be transparently transmitted between Frame Relay networks through an MPLS or IP network.
When FRTS is disabled, only FR interface queues are in effect. The predefined FR PVC queues take effect only when FRTS is enabled.
The Frame Relay compression feature can compress Frame Relay packets to save bandwidth, reduce the network load, and improve the transmission efficiency for data in the Frame Relay network. The Frame Relay fragmentation feature can divide a large Frame Relay packet into several small packets, so that large packets can be transmitted over a low-speed link with a low delay.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: Support for LLDP on CPOS interfaces
Configuring Support for LLDP on CPOS interfaces
LLDP is supported on CPOS interfaces.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command
References(V7).
New feature: SMS-based automatic configuration
Configuring SMS-based automatic configuration
This release adds support for SMS-based automatic configuration. With SMS-based automatic configuration, the device can connect to an IMC server over a 3G or 4G network to obtain a configuration file.
To initiate the SMS-based automatic configuration process, the administrator can use a cell phone or the IMC server to send a short message to the device. The IMC server sends short messages to devices through an SMS gateway. This feature can be used when the devices to be configured are widely distributed and 3G or 4G networks are available for wireless communication.
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).
New feature: ARP attack protection
Configuring ARP attack protection
None
Command reference
See HPE FlexNetwork MSR Configuration Guides(V7) and HPE FlexNetwork MSR Command References(V7).
New feature: SIP support for VRF
Configuring SIP support for VRF
This feature enables a PE device to provide SIP services for a VPN instance. To enable this feature, you can associate the VPN instance with SIP on the PE device. The PE device uses the interface bound to the VPN instance as the source for sending SIP signaling and media streams.
Configuration guidelines
When you enable SIP support for VRF, follow these guidelines:
You cannot associate a VPN instance with SIP or remove the association when a SIP service such as calling, registration, subscription, or the keepalive function is being used.
The VPN instance to associate with SIP must be already created.
Configuration procedure
To enable SIP support for VRF:
Step                                    Command                              Remarks
1. Enter system view.                   system-view                          N/A
2. Create a VPN instance.               ip vpn-instance vpn-instance-name    By default, no VPN instance exists.
3. Enter voice view.                    voice-setup                          N/A
4. Enter SIP view.                      sip                                  N/A
5. Associate a VPN instance with SIP.   vpn-instance vpn-instance-name       By default, no VPN instance is associated with SIP.
Command reference
vpn-instance
Use vpn-instance to associate a VPN instance with SIP.
Use undo vpn-instance to remove the association.
Syntax
vpn-instance vpn-instance-name
undo vpn-instance
Default
No VPN instance is associated with SIP.
Views
SIP view
Predefined user roles
network-admin
Parameters
vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.
Usage guidelines
The VPN instance to associate with SIP must be already created.
You cannot associate a VPN instance or remove the association when a SIP service is being used.
Examples
# Associate the VPN instance vpn-voice with SIP.
<Sysname> system-view
[Sysname] voice-setup
[Sysname-voice] sip
[Sysname-voice-sip] vpn-instance vpn-voice
Related commands
ip binding vpn-instance (MPLS Command Reference)
ip vpn-instance (MPLS Command Reference)
ESS 0102
This release has the following changes:
New feature: Portal authentication
New feature: IPsec MIB and IKE MIB
New feature: CoPP software forwarding feature
New feature: Configuring MPLS LDP FRR
New feature: Enhanced routing features
New feature: Portal authentication
Portal authentication controls user access to the Internet. Portal authenticates a user by the username and password the user enters on a portal authentication page. Therefore, portal authentication is also known as Web authentication. When portal authentication is deployed on a network, an access device redirects unauthenticated users to the website provided by a portal Web server. The users can access the resources provided by the website. If the users want to access the Internet, they must pass authentication on the website.
Portal authentication is classified into the following types:
Active authentication: Users visit the authentication website provided by the portal Web server and enter their username and password for authentication.
Forced authentication: Users visit other websites and are redirected to the portal authentication website for authentication.
Portal authentication flexibly imposes access control on the access layer and vital data entries. It has the following advantages:
Replaces client software with convenient authentication pages.
Provides ISPs with diversified management choices and extended functions. For example, the ISPs can place advertisements, provide community services, and publish information on the authentication page.
Supports multiple authentication modes. For example, re-DHCP authentication implements a flexible address assignment scheme and saves public IP addresses. Cross-subnet authentication can authenticate users that reside in subnets different from the access device's.
The device supports portal 2.0 and portal 3.0.
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: MSDP
Configuring MSDP
MSDP is an inter-domain multicast solution that addresses the interconnection of PIM-SM domains. It discovers multicast source information in other PIM-SM domains.
In the basic PIM-SM mode, a multicast source registers only with the RP in the local PIM-SM domain, and the multicast source information in each domain is isolated. As a result, both of the following occur:
The RP obtains the source information only within the local domain.
A multicast distribution tree is built only within the local domain to deliver multicast data locally.
MSDP enables the RPs of different PIM-SM domains to share their multicast source information. The local RP can then join the SPT rooted at the multicast source across the PIM-SM domains. This allows multicast data to be transmitted among different domains.
With MSDP peer relationships established between appropriate routers in the network, the RPs of different PIM-SM domains are interconnected with one another. These MSDP peers exchange source active (SA) messages, so that the multicast source information is shared among these domains.
For more information about configuring MSDP, see "MSDP Configuration Guide" in HPE FlexNetwork MSR Configuration Guides(V7).
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: IPsec MIB and IKE MIB
IPsec-Monitor-MIB (HH3C-IPSEC-MONITOR-V2-MIB) monitors IPsec tunnels. An NMS can use this MIB to obtain IPsec tunnel information, including algorithms, gateway addresses, and tunnel statistics. Except for the trap objects, all nodes of this MIB are read-only.
Ike-Monitor-MIB (HH3C-IKE-MONITOR-MIB) monitors IKE tunnels. An NMS can use this MIB to obtain IKE tunnel information.
For more information, see the MIB companion document.
New feature: PoE
Configuring PoE
IEEE 802.3af-compliant power over Ethernet (PoE) enables a power sourcing equipment (PSE) to supply power to powered devices (PDs) through Ethernet interfaces over twisted pair cables.
Examples of PDs include IP telephones, wireless APs, portable chargers, card readers, Web cameras, and data collectors. A PD can also use a different power source from the PSE at the same time for power redundancy.
For more information about configuring PoE, see "PoE Configuration Guide" in HPE FlexNetwork MSR Configuration Guides(V7).
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: CoPP software forwarding feature
Configuring CoPP
If the rate of packets sent to the control plane exceeds its processing capability (for example, when the device is under a DoS attack), legitimate packets sent to the control plane cannot be processed promptly, which disrupts normal protocol operation.
To protect the management interface against DoS attacks that would cause service interruption, perform traffic policing for the management interface.
CoPP allows you to perform traffic policing for the control plane or the management interface control plane. By default, predefined QoS parameters apply to the packets of each protocol sent to the control plane. You can also apply a user-defined QoS policy to the control plane to filter and rate-limit the packets sent to the control plane. This ensures that the control plane can correctly receive, transmit, and process packets.
Command reference
control-plane
Use control-plane to enter control plane view.
Syntax
MSR2000 / MSR3000:
control-plane
MSR4000:
control-plane slot slot-number
Views
System view
Predefined user roles
network-admin
Examples
# (MSR2000 / MSR3000.) Enter control plane view.
<Sysname> system-view
[Sysname] control-plane
[Sysname-cp]
# (MSR4000.) Enter control plane view of the card in slot 3.
<Sysname> system-view
[Sysname] control-plane slot 3
[Sysname-cp-slot3]
control-plane management
Use control-plane management to enter management interface control plane view.
Syntax
control-plane management
IMPORTANT:
A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane.
Views
System view
Predefined user roles
network-admin
Examples
# Enter management interface control plane view.
<Sysname> system-view
[Sysname] control-plane management
[Sysname-cp-management]
qos apply policy (interface view, control plane view)
Use qos apply policy to apply a QoS policy to an interface, a control plane, or a management interface control plane.
Use undo qos apply policy to remove a QoS policy from an interface, a control plane, or a management interface control plane.
IMPORTANT:
A QoS policy applied to the management interface control plane takes effect on the packets sent from the management interface to the control plane.
Syntax
qos apply policy policy-name { inbound | outbound }
undo qos apply policy policy-name { inbound | outbound }
Default
No QoS policy is applied to an interface, a control plane, or a management interface control plane.
Views
Interface view, control plane view, management interface control plane view
Predefined user roles
network-admin
Parameters
policy-name: Specifies a QoS policy by its name, a case-sensitive string of 1 to 31 characters.
inbound: Applies the QoS policy to the incoming traffic of an interface, a control plane, or a management interface control plane.
outbound: Applies the QoS policy to the outgoing traffic of an interface.
Usage guidelines
To successfully apply a QoS policy to an interface, make sure the total bandwidth assigned to AF and EF queues in the QoS policy is smaller than the available bandwidth of the interface. If you reduce the available bandwidth of the interface to a value smaller than the total bandwidth of the AF and EF queues, the applied QoS policy is removed. For a QoS policy to be applied in the inbound direction, the referenced traffic behaviors cannot be configured with any of the commands queue af, queue ef, queue wfq, and gts.
When you apply a QoS policy to an interface, follow these guidelines:
You can apply a QoS policy configured with various QoS actions (such as remark, car, gts, queue af, queue ef, queue wfq, and wred) to common physical interfaces.
An inbound QoS policy cannot contain a GTS action or any of the queuing actions queue ef, queue af, or queue wfq.
Examples
# Apply the QoS policy named USER1 to the outgoing traffic of GigabitEthernet 0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] qos apply policy USER1 outbound
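# The following is an added end-to-end CoPP example; it is not from this release note or the HPE command references. It shows the filtering and rate limiting described above: SSH (TCP port 22) arriving at the control plane from a management subnet is policed, and SSH from every other source is dropped. The management subnet 10.0.0.0/24, the ACL numbers, and the classifier, behavior, and policy names are constructed for illustration. The acl, rule, traffic classifier, if-match acl, traffic behavior, car, filter deny, and qos policy commands are taken from the Comware 7 ACL and QoS command references, which this page does not reproduce. The fragment is shown in running-configuration style rather than with CLI prompts.

```text
#
acl number 3001
 rule 0 permit tcp source 10.0.0.0 0.0.0.255 destination-port eq 22
#
acl number 3002
 rule 0 permit tcp destination-port eq 22
#
traffic classifier copp-ssh-mgmt operator and
 if-match acl 3001
#
traffic classifier copp-ssh-other operator and
 if-match acl 3002
#
traffic behavior copp-ssh-police
 car cir 256 cbs 16000
#
traffic behavior copp-ssh-drop
 filter deny
#
qos policy copp
 classifier copp-ssh-mgmt behavior copp-ssh-police
 classifier copp-ssh-other behavior copp-ssh-drop
#
control-plane
 qos apply policy copp inbound
#
```

The management-subnet class is listed first in the policy so that its car action, rather than the catch-all drop, is what applies to management traffic. Because the policy is applied in the inbound direction on the control plane, it must not reference gts or the queue af, queue ef, or queue wfq actions (see the usage guidelines above). On the MSR4000, apply the policy in control-plane slot slot-number view on each card that should enforce it. Before relying on the policy, confirm that it is applied (display qos policy control-plane, from the QoS command reference) and test from a host outside 10.0.0.0/24 that SSH is dropped while management hosts still get through.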
New feature: Configuring MPLS LDP FRR
Configuring MPLS LDP FRR
A link or router failure on a path can cause packet loss until LDP completes LSP establishment on the new path. LDP FRR enables fast rerouting to minimize the failover time. LDP FRR is based on IP FRR and is enabled automatically after IP FRR is enabled.
Figure 1 Network diagram for LDP FRR
[Figure: LSR A, LSR B, and LSR C; labels "Primary LSP" and "Backup LSP" (the backup LSP is drawn in two segments through LSR C)]
In Figure 1, configure IP FRR on LSR A by using IGP to calculate or specify a backup next hop. LDP creates a primary LSP and a backup LSP according to the primary route and the backup route calculated by IGP. When the primary LSP operates correctly, it forwards the MPLS packets. When the primary LSP fails, LDP directs packets to the backup LSP.
When packets are forwarded through the backup LSP, IGP calculates the optimal path based on the new network topology. When IGP route convergence occurs, LDP establishes a new LSP according to the optimal path. If a new LSP is not established after IGP route convergence, traffic forwarding might be interrupted. Therefore, HPE recommends that you enable LDP IGP synchronization to work with LDP FRR to reduce the traffic interruption time.
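An added example that puts LDP FRR and LDP IGP synchronization together on LSR A as the paragraph above recommends; it is not from this release note or the HPE configuration guides. It assumes OSPF process 1 in area 0.0.0.0 is the IGP, that MPLS and LDP are already enabled globally and on the interfaces, and that GigabitEthernet0/2 is a link on which synchronization is deliberately switched off. The fast-reroute lfa command (OSPF view, enables LFA-based IP FRR) and the mpls ldp sync command (OSPF area view, listed under Related commands below) are assumed from the OSPF command reference and are not documented on this page. The 30-second and 300-second delays are illustrative values within the documented ranges.

```text
#
ospf 1
 fast-reroute lfa
 area 0.0.0.0
  mpls ldp sync
#
mpls ldp
 igp sync delay 30
 igp sync delay on-restart 300
#
interface GigabitEthernet0/2
 mpls ldp igp sync disable
#
```

With fast-reroute lfa, OSPF computes a backup next hop, IP FRR comes up, and LDP FRR is enabled automatically and builds the backup LSP. When the primary link fails and OSPF later converges, mpls ldp sync keeps OSPF from preferring the new path until LDP reports convergence, so traffic is not drawn onto a link whose LSP is not yet ready. igp sync delay 30 makes LDP hold that report for 30 seconds so that label mappings from Ordered-mode downstream peers have time to arrive, and igp sync delay on-restart 300 caps the wait after an LDP restart or active/standby switchover. The sync disable on GigabitEthernet0/2 is scoped to that interface only; synchronization stays enabled on the other OSPF interfaces.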
Command reference
igp sync delay
Use igp sync delay to configure the delay for LDP to notify IGP of the LDP convergence completion.
Use undo igp sync delay to restore the default.
Syntax
igp sync delay time
undo igp sync delay
Default
LDP immediately notifies IGP of the LDP convergence completion.
Views
LDP view
Predefined user roles
network-admin
Parameters
time: Specifies the notification delay in the range of 5 to 300 seconds.
Usage guidelines
LDP convergence on a link is completed when both of the following conditions are met:
The local device has established an LDP session with at least one peer, and the session is in Operational state.
The local device has distributed its label mappings to at least one peer.
MPLS traffic forwarding might be interrupted in either of the following scenarios:
When the peer uses the Ordered label distribution control mode, the local device must wait for a label mapping from its downstream LSR after the LDP session enters Operational state. If LDP notifies IGP of convergence completion before the label mapping from downstream has arrived, MPLS traffic forwarding might be interrupted.
When a large number of label mappings are being distributed from downstream, immediately notifying IGP of convergence completion means that label advertisement might not yet be finished, and MPLS traffic forwarding is interrupted.
In these scenarios, you must use this command to configure the notification delay. When LDP convergence on a link is completed, LDP waits a delay time to notify IGP of the LDP convergence completion to reduce the traffic interruption time.
Examples
# Configure the notification delay as 30 seconds.
<Sysname> system-view
[Sysname] mpls ldp
[Sysname-ldp] igp sync delay 30
Related commands
igp sync delay on-restart
mpls ldp igp sync disable
mpls ldp sync (IS-IS view)
mpls ldp sync (OSPF view/OSPF area view)
igp sync delay on-restart
Use igp sync delay on-restart to configure the maximum delay for LDP to notify IGP of the LDP IGP synchronization status after an LDP restart or an active/standby switchover occurs.
Use undo igp sync delay on-restart to restore the default.
Syntax
igp sync delay on-restart time
undo igp sync delay on-restart
Default
The maximum notification delay is 90 seconds.
Views
LDP view
Predefined user roles
network-admin
Parameters
time: Specifies the maximum notification delay in the range of 60 to 600 seconds.
Usage guidelines
After LDP restarts or an active/standby switchover occurs, LDP convergence begins only after a period of time. If LDP immediately notified IGP of the current LDP IGP synchronization status of every link and then updated that status again after convergence, IGP would have to process the status changes repeatedly, increasing the processing overhead.
The notification delay mechanism for an LDP restart or an active/standby switchover provides an LDP-process-level notification delay. When LDP restarts or an active/standby switchover occurs, LDP waits until it has recovered to its state before the restart or switchover and then notifies IGP of the LDP IGP synchronization status in bulk. If LDP has not recovered to that state when the maximum delay set by this command expires, LDP immediately notifies IGP of the LDP IGP synchronization status in bulk.
Examples
# Configure the maximum notification delay as 300 seconds.
<Sysname> system-view
[Sysname] mpls ldp
[Sysname-ldp] igp sync delay on-restart 300
Related commands
igp sync delay
mpls ldp igp sync disable
mpls ldp sync (IS-IS view)
mpls ldp sync (OSPF view/OSPF area view)
mpls ldp igp sync disable
Use mpls ldp igp sync disable to disable LDP IGP synchronization on an interface.
Use undo mpls ldp igp sync disable to restore the default.
Syntax
mpls ldp igp sync disable
undo mpls ldp igp sync disable
Default
LDP IGP synchronization is enabled on an interface.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
After you enable LDP IGP synchronization for an IGP, for example, an OSPF area or an IS-IS process, LDP IGP synchronization is enabled on the OSPF interfaces and IS-IS interfaces. To disable LDP IGP synchronization on an interface, execute the mpls ldp igp sync disable command on that interface.
Examples
# Disable LDP IGP synchronization on GigabitEthernet 0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] mpls ldp igp sync disable
Related commands
mpls ldp sync (IS-IS view)
mpls ldp sync (OSPF view/OSPF area view)
New feature: Enhanced routing features
Configuring enhanced routing features
This release supports RIB NSR, IPv4 static route FRR, direct route redistribution, and the RFC 4382 MIB (MPLS-L3VPN-STD-MIB).
Command reference
non-stop-routing
Use non-stop-routing to enable RIB NSR to back up routing information.
Use undo non-stop-routing to restore the default.
Syntax
non-stop-routing
undo non-stop-routing
Default
RIB NSR is disabled.
Views
RIB IPv4 address family view, RIB IPv6 address family view
Predefined user roles
network-admin
Examples
# Enable NSR for the RIB IPv4 address family.
<Sysname> system-view
[Sysname] rib
[Sysname-rib] address-family ipv4
[Sysname-rib-ipv4] non-stop-routing
ip route-static fast-reroute auto
Use ip route-static fast-reroute auto to configure static route FRR to automatically select a backup next hop.
Use undo ip route-static fast-reroute auto to disable static route FRR.
Syntax
ip route-static fast-reroute auto
undo ip route-static fast-reroute auto
Default
Static route FRR is disabled.
Views
System view
Predefined user roles
network-admin
Examples
# Configure static route FRR to automatically select a backup next hop.
<Sysname> system-view
[Sysname] ip route-static fast-reroute auto
import-route (RIP view)
Use import-route to enable route redistribution from another routing protocol.
Use undo import-route to disable route redistribution.
Syntax
import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | route-policy route-policy-name | tag tag ] *
undo import-route protocol [ process-id | all-processes ]
Default
RIP does not redistribute routes from any other routing protocol.
Views
RIP view
Predefined user roles
network-admin
Parameters
protocol: Specifies a routing protocol from which RIP redistributes routes. It can be bgp, direct, isis, ospf, rip, or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. This argument is available only when the protocol is isis, rip, or ospf.
all-processes: Enables route redistribution from all the processes of the specified protocol. This keyword takes effect only when the protocol is rip, ospf, or isis.
allow-ibgp: Allows redistribution of IBGP routes. This keyword is available when the protocol argument is set to bgp.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a cost for redistributed routes, in the range of 0 to 16. The default cost is 0.
route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters.
tag tag: Specifies a tag for marking redistributed routes, in the range of 0 to 65535. The default is 0.
Usage guidelines
The import-route bgp command redistributes only EBGP routes. The import-route bgp allow-ibgp command additionally redistributes IBGP routes and might cause routing loops. Therefore, use it with caution.
This command redistributes only active routes. To view route state information, use the display ip routing-table protocol command.
The undo import-route protocol all-processes command removes only the configuration made by the import-route protocol all-processes command, instead of the configuration made by the import-route protocol process-id command.
Examples
# Redistribute static routes into RIP, and set the cost for redistributed routes to 4.
<Sysname> system-view
[Sysname] rip 1
[Sysname-rip-1] import-route static cost 4
Related commands
default cost
import-route (OSPF view)
Use import-route to redistribute AS-external routes from another routing protocol.
Use undo import-route to disable route redistribution from another routing protocol.
Syntax
import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | nssa-only | route-policy route-policy-name | tag tag | type type ] *
undo import-route protocol [ process-id | all-processes ]
Default
OSPF does not redistribute AS-external routes from any other routing protocol.
Views
OSPF view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from the specified protocol, which can be bgp, direct, isis, ospf, rip, or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. It is available only when the protocol is rip, ospf, or isis.
all-processes: Redistributes routes from all the processes of the specified routing protocol. This keyword takes effect only when the protocol is rip, ospf, or isis.
allow-ibgp: Redistributes IBGP routes. It is available only when the protocol is bgp.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a route cost in the range of 0 to 16777214. The default is 1.
nssa-only: Limits the route advertisement to the NSSA area by setting the P-bit of Type-7 LSAs to 0.
By default, the P-bit of Type-7 LSAs is set to 1. If the router acts as both an ASBR and an ABR and FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is set to 0. This keyword applies to NSSA routers.
route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The route-policy-name argument is a case-sensitive string of 1 to 63 characters.
tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. The default is 1.
type type: Specifies a cost type, 1 or 2. The default is 2.
Usage guidelines
This command redistributes routes destined for other ASs from another protocol. AS external routes include the following types:
Type-1 external route
Type-2 external route
A Type-1 external route has high reliability. Its cost is comparable with the cost of OSPF internal routes. The cost from an OSPF router to a Type-1 external route's destination equals the cost from the router to the ASBR plus the cost from the ASBR to the external route's destination.
A Type-2 external route has low credibility. OSPF considers the cost from the ASBR to the destination of a Type-2 external route to be much greater than the cost from the ASBR to any OSPF internal router. Therefore, the cost from an internal router to a Type-2 external route's destination equals the cost from the ASBR to that destination.
The import-route command cannot redistribute default external routes.
The import-route bgp command redistributes only EBGP routes. Because the import-route bgp allow-ibgp command redistributes both EBGP and IBGP routes and might cause routing loops, use it with caution.
Only active routes can be redistributed. To view information about active routes, use the display ip routing-table protocol command.
The undo import-route protocol all-processes command removes only the configuration made by the import-route protocol all-processes command, instead of the configuration made by the import-route protocol process-id command.
The import-route nssa-only command redistributes AS-external routes in Type-7 LSAs only into the NSSA area.
Examples
# Redistribute routes from RIP process 40 and specify the type, tag, and cost as 2, 33, and 50 for redistributed routes.
<Sysname> system-view
[Sysname] ospf 100
[Sysname-ospf-100] import-route rip 40 type 2 tag 33 cost 50
Related commands
default-route-advertise (OSPF view)
import-route (IS-IS view)
Use import-route to redistribute routes from another routing protocol or another IS-IS process.
Use undo import-route to remove the redistribution.
Syntax
import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost | cost-type { external | internal } | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *
undo import-route protocol [ process-id | all-processes ]
Default
No route redistribution is configured.
Views
IS-IS view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from a routing protocol, which can be bgp, direct, isis, ospf, rip, or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. It is available only when the protocol is isis, ospf, or rip.
all-processes: Redistributes routes from all the processes of the specified routing protocol. This keyword takes effect only when the protocol is rip, ospf, or isis.
allow-ibgp: Allows redistribution of IBGP routes. It is available only when the protocol is bgp.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a cost for redistributed routes. The valid range depends on the cost style:
For the styles narrow, narrow-compatible, and compatible, the cost is in the range of 0 to 63.
For the styles wide and wide-compatible, the cost is in the range of 0 to 4261412864.
cost-type { external | internal }: Specifies the cost type. The internal type indicates internal routes, and the external type indicates external routes. If external is specified, 64 is added to the cost of a redistributed route so that internal routes take priority over external routes. The type is external by default. These keywords are available only when the cost style is narrow, narrow-compatible, or compatible.
level-1: Redistributes routes into the Level-1 routing table.
level-1-2: Redistributes routes into both Level-1 and Level-2 routing tables.
level-2: Redistributes routes into the Level-2 routing table. If no level is specified, the routes are redistributed into the Level-2 routing table by default.
route-policy route-policy-name: Redistributes only routes matching the specified routing policy. The route-policy-name argument is a case-sensitive string of 1 to 63 characters.
tag tag: Specifies a tag value for marking redistributed routes, in the range of 1 to 4294967295.
Usage guidelines
IS-IS takes all the redistributed routes as external routes to destinations outside the IS-IS routing domain.
The effective cost depends on the cost style. For the styles of narrow, narrow-compatible, and
compatible, the cost is in the range of 0 to 63. If the cost is more than 63, 63 is used. For the style of wide or wide-compatible, the configured value is the effective value.
This import-route command cannot redistribute default routes. The command redistributes only active routes. To display route state information, use the display ip routing-table protocol command.
The import-route bgp command redistributes only EBGP routes.
The import-route bgp allow-ibgp command redistributes both EBGP and IBGP routes. Because this command might cause routing loops, use it with caution.
The undo import-route protocol all-processes command removes only the configuration made by the import-route protocol all-processes command, instead of the configuration made by the import-route protocol process-id command.
Examples
# Redistribute static routes into IS-IS, and set the cost for redistributed routes to 15.
<Sysname> system-view
[Sysname] isis 1
[Sysname-isis-1] import-route static cost 15
Related commands
import-route limit
import-route (BGP view)
Use import-route to enable BGP to redistribute routes from an IGP protocol.
Use undo import-route to disable route redistribution from an IGP protocol.
Syntax
In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view:
import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]
undo import-route protocol [ process-id | all-processes ]
In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view:
import-route protocol [ process-id [ allow-direct | med med-value | route-policy route-policy-name ] * ]
undo import-route protocol [ process-id ]
Default
BGP does not redistribute IGP routes.
Views
BGP IPv4 unicast address family view, BGP-VPN IPv4 unicast address family view, BGP IPv6 unicast address family view, BGP-VPN IPv6 unicast address family view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from a specified IGP protocol. In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view, it can be direct, isis, ospf, rip, or static. In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view, it can be direct, isisv6, ospfv3, ripng, or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. In BGP IPv4 unicast address family view/BGP-VPN IPv4 unicast address family view, it is available only when the protocol is isis, ospf, or rip. In BGP IPv6 unicast address family view/BGP-VPN IPv6 unicast address family view, it is available only when the protocol is isisv6, ospfv3, or ripng.
all-processes: Redistributes routes from all the processes of the specified IGP protocol. This keyword takes effect only when the protocol is isis, ospf, or rip.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy. Otherwise, the allow-direct keyword does not take effect.
med med-value: Specifies a MED value for redistributed routes, in the range of 0 to 4294967295. If no MED is specified, the metric of a redistributed route is used as its MED.
route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to 63 characters, to filter redistributed routes or set route attributes for redistributed routes.
Usage guidelines
The import-route command cannot redistribute default IGP routes. To redistribute default IGP routes, use the default-route imported command together with the import-route command.
Only active routes can be redistributed. You can use the display ip routing-table protocol or display ipv6 routing-table protocol command to view route state information.
The ORIGIN attribute of routes redistributed by the import-route command is INCOMPLETE.
Examples
# In BGP IPv4 unicast address family view, redistribute routes from RIP process 1, and set the MED value for redistributed routes to 100.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp] address-family ipv4 unicast
[Sysname-bgp-ipv4] import-route rip 1 med 100
# In BGP-VPN IPv4 unicast address family view, redistribute routes from RIP process 1, and reference a routing policy imprt to exclude route 1.1.1.0/24 from route redistribution.
<Sysname> system-view
[Sysname] ip prefix-list imprt deny 1.1.1.0 24
[Sysname] ip prefix-list imprt permit 0.0.0.0 0 less-equal 32
[Sysname] route-policy imprt permit node 0
[Sysname-route-policy-imprt-0] if-match ip address prefix-list imprt
[Sysname-route-policy-imprt-0] quit
[Sysname] bgp 100
[Sysname-bgp] ip vpn-instance vpn1
[Sysname-bgp-vpn1] address-family ipv4 unicast
[Sysname-bgp-ipv4-vpn1] import-route rip 1 route-policy imprt
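The following is an added example, not code from the release notes or from Comware, that models what the prefix-list and route-policy above do to the routes offered by `import-route rip 1 route-policy imprt`, and what `import-route rip 1 med 100` does to the MED. It assumes the usual first-match prefix-list semantics (an entry without greater-equal/less-equal matches the exact prefix length only; a route matching no entry is denied) and that a route-policy node whose only if-match clause fails denies the route. The sample RIP routing table is constructed for the example. It is plain Python 3 for a workstation, not the Comware embedded interpreter.

```python
"""Model of `import-route <igp> [med MED] [route-policy NAME]` with a prefix-list filter.

Added example; assumptions: first-match prefix-list evaluation, implicit deny,
single-node route-policy. Not Comware code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


@dataclass
class PrefixEntry:
    """One `ip prefix-list NAME permit|deny NET LEN [greater-equal X] [less-equal Y]` line."""
    action: str                 # "permit" or "deny"
    network: Net
    ge: Optional[int] = None    # greater-equal: minimum prefix length
    le: Optional[int] = None    # less-equal: maximum prefix length

    def matches(self, route: Net) -> bool:
        # The route must lie inside the entry's network ...
        if not route.subnet_of(self.network):
            return False
        # ... and its prefix length must fall inside the allowed window.
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = route.max_prefixlen
        else:
            hi = self.network.prefixlen     # neither bound given: exact length only
        return lo <= route.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: Net) -> bool:
    """First matching entry decides; a route that matches no entry is denied."""
    for entry in entries:
        if entry.matches(route):
            return entry.action == "permit"
    return False


def redistribute(igp_routes: Dict[str, int], policy: Optional[List[PrefixEntry]],
                 med: Optional[int] = None) -> Dict[str, dict]:
    """Return the IGP routes that enter BGP, with the MED and ORIGIN they receive.

    igp_routes maps an active IGP route (CIDR string) to its IGP metric.
    """
    imported = {}
    for prefix, metric in igp_routes.items():
        route = ipaddress.ip_network(prefix)
        if policy is not None and not prefix_list_permits(policy, route):
            continue                      # dropped by the route-policy's if-match
        imported[prefix] = {
            # Without the med keyword the route's IGP metric becomes its MED.
            "med": med if med is not None else metric,
            # Routes injected by import-route carry ORIGIN INCOMPLETE.
            "origin": "incomplete",
        }
    return imported


# The policy from the example: deny exactly 1.1.1.0/24, permit everything else.
IMPRT_POLICY = [
    PrefixEntry("deny", Net("1.1.1.0/24")),
    PrefixEntry("permit", Net("0.0.0.0/0"), le=32),
]

# Constructed sample RIP routing table (prefix -> RIP metric).
SAMPLE_RIP_ROUTES = {
    "1.1.1.0/24": 2,
    "1.1.1.128/25": 3,      # more specific than the denied /24: still permitted
    "10.0.0.0/8": 4,
}

if __name__ == "__main__":
    for prefix, attrs in redistribute(SAMPLE_RIP_ROUTES, IMPRT_POLICY).items():
        print(prefix, attrs)
```

Running it shows the point worth checking before relying on such a filter: the deny entry has no less-equal bound, so only the exact 1.1.1.0/24 is excluded, while a more specific 1.1.1.128/25 learned from the same RIP process still passes the permit-all entry and is redistributed.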
# In BGP IPv6 unicast address family view, redistribute routes from RIPng process 1.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp] address-family ipv6 unicast
[Sysname-bgp-ipv6] import-route ripng
# In BGP-VPN IPv6 unicast address family view, redistribute routes from RIPng process 1.
<Sysname> system-view
[Sysname] bgp 100
[Sysname-bgp] ip vpn-instance vpn1
[Sysname-bgp-vpn1] address-family ipv6 unicast
[Sysname-bgp-ipv6-vpn1] import-route ripng
Related commands
display ip routing-table protocol
display ipv6 routing-table protocol
import-route (RIPng view)
Use import-route to redistribute routes from another routing protocol.
Use undo import-route to disable route redistribution.
Syntax
import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | route-policy
route-policy-name ] *
undo import-route protocol [ process-id ]
Default
RIPng does not redistribute routes from another routing protocol.
Views
RIPng view
Predefined user roles
network-admin
Parameters
protocol: Specifies a routing protocol from which RIPng redistributes routes. It can be bgp4+, direct,
isisv6, ospfv3, ripng, or static.
process-id: Specifies a process by its ID in the range of 1 to 65535. The default is 1. This argument is available only when the protocol is isisv6, ospfv3, or ripng.
allow-ibgp: Allows redistribution of IBGP routes. This keyword is available when the protocol argument is set to bgp4+.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a metric for redistributed routes, in the range of 0 to 16. The default metric is 0.
route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to
63 characters.
Usage guidelines
The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+
allow-ibgp command redistributes both EBGP and IBGP routes.
Examples
# Redistribute routes from IPv6 IS-IS process 7 into RIPng and set the metric for redistributed routes to 7.
<Sysname> system-view
[Sysname] ripng 100
[Sysname-ripng-100] import-route isisv6 7 cost 7
import-route (OSPFv3 view)
Use import-route to redistribute routes.
Use undo import-route to disable route redistribution.
Syntax
import-route protocol [ process-id | all-processes | allow-ibgp ] [ allow-direct | cost cost |
nssa-only | route-policy route-policy-name | tag tag | type type ] *
undo import-route protocol [ process-id | all-processes ]
Default
OSPFv3 route redistribution is disabled.
Views
OSPFv3 view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from the specified routing protocol, which can be bgp4+, direct,
isisv6, ospfv3, ripng, or static.
process-id: Specifies the process ID of a routing protocol, in the range of 1 to 65536. It defaults to 1.
This argument takes effect only when the protocol is isisv6, ospfv3, or ripng.
all-processes: Redistributes routes from all the processes of the specified routing protocol. This keyword takes effect only when the protocol is ripng, ospfv3, or isisv6.
allow-ibgp: Redistributes IBGP routes. It is available only when the protocol is bgp4+.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a cost for redistributed routes, in the range of 1 to 16777214. The default is 1.
nssa-only: Limits the route advertisement to the NSSA area by setting the P-bit of Type-7 LSAs to 0.
By default, the P-bit of Type-7 LSAs is set to 1. If the router acts as both an ASBR and an ABR and
FULL state neighbors exist in the backbone area, the P-bit of Type-7 LSAs originated by the router is set to 0. This keyword applies to NSSA routers.
route-policy route-policy-name: Specifies a routing policy to filter redistributed routes. The
route-policy-name argument is a case-sensitive string of 1 to 63 characters.
tag tag: Specifies a tag for marking external LSAs, in the range of 0 to 4294967295. If this option is not specified, no tag is contained in advertised LSAs by default.
type type: Specifies the type for redistributed routes, 1 or 2. The default is 2.
Usage guidelines
An external route is a route to a destination outside the OSPFv3 AS. External route types are as follows:
A Type-1 external route has high reliability. Its cost is comparable with the cost of OSPFv3 internal routes. The cost from an OSPFv3 router to a Type-1 external route's destination equals the cost from the router to the ASBR plus the cost from the ASBR to the external route's destination.
A Type-2 external route has low credibility, so OSPFv3 considers the cost from the ASBR to a Type-2 external route's destination to be much greater than the cost from the ASBR to an OSPFv3 internal router. The cost from an internal router to a Type-2 external route's destination therefore equals only the cost from the ASBR to the Type-2 external route's destination.
The import-route command cannot redistribute default routes.
The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+
allow-ibgp command redistributes both EBGP and IBGP routes, and might cause routing loops.
Therefore, use it with caution.
The import-route nssa-only command redistributes AS-external routes in Type-7 LSAs only into the NSSA area.
Examples
# Configure OSPFv3 process 1 to redistribute routes from RIPng process 10, and set the route type to type 2 and the cost to 50.
<Sysname> system-view
[Sysname] ospfv3
[Sysname-ospfv3-1] import-route ripng 10 type 2 cost 50
# Configure OSPFv3 process 100 to redistribute the routes discovered by OSPFv3 process 160.
<Sysname> system-view
[Sysname] ospfv3 100
[Sysname-ospfv3-100] import-route ospfv3 160
ipv6 import-route (IPv6 IS-IS view)
Use ipv6 import-route to enable IPv6 IS-IS to redistribute routes from another routing protocol.
Use undo ipv6 import-route to disable route redistribution.
Syntax
ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ allow-direct | cost cost | [ level-1 |
level-1-2 | level-2 ] | route-policy route-policy-name| tag tag ] *
undo ipv6 import-route protocol [ process-id ]
Default
IPv6 IS-IS does not redistribute routes from any other routing protocol.
Views
IS-IS view
Predefined user roles
network-admin
Parameters
protocol: Redistributes routes from the specified routing protocol, which can be direct, static, ripng,
isisv6, bgp4+, or ospfv3.
process-id: Specifies a process by its ID in the range of 1 to 65535. It is available only when the protocol is ripng, isisv6, or ospfv3.
allow-direct: Redistributes the networks of the local interfaces enabled with the specified routing protocol. By default, the networks of the local interfaces are not redistributed. If you specify both the
allow-direct keyword and the route-policy route-policy-name option, make sure the if-match rule defined in the routing policy does not conflict with the allow-direct keyword. For example, if you specify the allow-direct keyword, do not configure the if-match route-type rule for the routing policy.
Otherwise, the allow-direct keyword does not take effect.
cost cost: Specifies a cost for redistributed routes, in the range of 0 to 4261412864.
level-1: Redistributes routes into the Level-1 routing table.
level-1-2: Redistributes routes into Level-1 and Level-2 routing tables.
level-2: Redistributes routes into the Level-2 routing table.
route-policy route-policy-name: Specifies a routing policy by its name, a case-sensitive string of 1 to
63 characters, to filter redistributed routes.
tag tag: Specifies an administrative tag for marking redistributed routes, in the range of 1 to
4294967295.
allow-ibgp: Allows redistribution of IBGP routes. This keyword is available only when the protocol is
bgp4+.
Usage guidelines
IPv6 IS-IS considers redistributed routes as AS-external routes.
You can specify a cost and a level for redistributed routes.
The import-route bgp4+ command redistributes only EBGP routes. The import-route bgp4+
allow-ibgp command redistributes both EBGP and IBGP routes, and might cause routing loops.
Therefore, use it with caution.
Examples
# Configure IPv6 IS-IS to redistribute static routes and set the cost for redistributed routes to 15.
<Sysname> system-view
[Sysname] isis 1
[Sysname-isis-1] ipv6 import-route static cost 15
New feature: Python
Using Python
Python is an easy to learn, powerful programming language. It has efficient high-level data structures and a simple but effective approach to object-oriented programming. Python's elegant syntax and dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid application development in many areas on most platforms.
Comware V7 provides a built-in Python interpreter that supports the following items:
Python 2.7 commands.
Python 2.7 standard API.
Comware V7 extended API.
Python scripts. You can use a Python script to configure the system automatically.
To use Python 2.7 commands and the APIs, you must enter the Python shell.
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: ATM
Configuring ATM
Asynchronous Transfer Mode (ATM) is a technology based on packet transmission mode while incorporating the high-speed of circuit transmission mode. ATM was adopted as the transmission and switching mode for broadband ISDN by the ITU-T in June 1992. Due to its flexibility and support for multimedia services, ATM is regarded as core broadband technology.
As defined by the ITU-T, data is encapsulated in cells in ATM. Each ATM cell is 53 bytes in length, of which the first five bytes contain cell header information and the last 48 bytes contain payload. The major function of the cell header is to identify virtual connection. In addition, it can be used to carry limited flow control, congestion control, and error control information.
Command reference
See HPE FlexNetwork MSR Command References(V7).
New feature: DHCP MIB
DHCP MIB
The MIB supports HH3C-DHCP4-MIB and HH3C-DHCP-SNOOP2-MIB. For more information about MIB nodes, see the MIB companion document.
Command reference
if-match
Use if-match to configure a match rule for a DHCP user class.
Use undo if-match to remove the match rule for a DHCP user class.
Syntax
if-match rule rule-number option option-code [ hex hex-string [ mask mask | offset offset length
length ] ]
undo if-match rule rule-number
Default
No match rule is configured for the DHCP user class.
Views
DHCP user class view
Predefined user roles
network-admin
Parameters
rule rule-number: Assigns the match rule an ID in the range of 1 to 16. A smaller ID represents a higher match priority.
option option-code: Matches a DHCP option by a number in the range of 1 to 254.
hex hex-string: Matches the specified string in the option. The hex-string argument is a hex string with an even number of characters, 2 to 256 characters long. If you do not specify the hex-string argument, the DHCP server only checks whether the specified option exists in the received packets.
mask mask: Specifies the mask used to match the option content. The mask argument is a hex string with an even number of characters, 2 to 256 characters long, and must have the same length as hex-string.
offset offset: Specifies the offset to match the option, in the range of 0 to 254 bytes. If you do not specify the offset argument, the server matches the entire option with the rule.
length length: Matches the specified length of the option, in the range of 1 to 128 bytes. The specified length must be the same as the hex-string length.
Usage guidelines
You can configure multiple match rules for a DHCP user class. Each match rule is uniquely identified by a rule ID. Different match rules can include the same option code, but they cannot have the exact same matching criteria.
The DHCP server matches DHCP requests against the match rules. A DHCP client matches a DHCP user class when its request matches one of the specified match rules.
The match operation follows these guidelines:
If only the option-code argument is specified in the rule, packets containing the option match the rule.
If only the option-code and hex-string arguments are specified in the rule, packets that have the specified hex string in the specified option match the rule.
If the option-code, hex-string, offset and length arguments are specified in the rule, packets match the rule as long as their content from offset+1 bit to offset+length bit in the specified option is the same as the specified hex string.
If the option-code, hex-string, and mask arguments are specified in the rule, the DHCP server
ANDs the content from the first bit to the mask-1 bit in the specified option with the mask, and then compares the result with the result of the AND operation between hex-string and mask. If the two results are the same, the received packet matches the rule.
Examples
# Configure match rule 1 to match DHCP requests that contain Option 82 for DHCP user class
contain-option82.
<Sysname> system-view
[Sysname] dhcp class contain-option82
[Sysname-dhcp-class-contain-option82] if-match rule 1 option 82
# Configure match rule 2 to match DHCP requests that contain Option 82 whose first three bytes are
0x13ae92 for DHCP user class exam.
<Sysname> system-view
[Sysname] dhcp class exam
[Sysname-dhcp-class-exam] if-match rule 2 option 82 hex 13ae92 offset 0 length 3
# Configure match rule 3 to match DHCP requests that contain Option 82 whose highest bit of the fourth byte is 1 for DHCP user class exam.
<Sysname> system-view
[Sysname] dhcp class exam
[Sysname-dhcp-class-exam] if-match rule 3 option 82 hex 00000080 mask 00000080
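The match guidelines above and the three example rules are easier to reason about in code. The following is an added example, not Comware code, that parses a DHCP option area and evaluates if-match rules with the semantics the guidelines describe: option present, hex string anywhere in the option, exact compare of the offset+length window, or masked compare of the leading bytes. The validation in MatchRule enforces the parameter constraints stated on this page (even-length hex-string, mask as long as hex-string, length equal to the hex-string length, mask and offset mutually exclusive). The DHCP option bytes are constructed for the example, and the class names and rules are the ones from the examples above.

```python
"""DHCP user-class match rules (added example; plain Python 3, not Comware code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class MatchRule:
    """One `if-match rule N option CODE [hex HEX [mask MASK | offset OFF length LEN]]`."""
    rule: int
    option: int
    hex: Optional[str] = None
    mask: Optional[str] = None
    offset: Optional[int] = None
    length: Optional[int] = None
    hex_bytes: Optional[bytes] = field(init=False, default=None)
    mask_bytes: Optional[bytes] = field(init=False, default=None)

    def __post_init__(self):
        if not 1 <= self.rule <= 16 or not 1 <= self.option <= 254:
            raise ValueError("rule-number must be 1-16 and option-code 1-254")
        if self.hex is None:
            if self.mask is not None or self.offset is not None:
                raise ValueError("mask and offset require a hex-string")
            return
        if len(self.hex) % 2 or not 2 <= len(self.hex) <= 256:
            raise ValueError("hex-string must be an even count of 2 to 256 hex digits")
        self.hex_bytes = bytes.fromhex(self.hex)
        if self.mask is not None:
            if self.offset is not None:
                raise ValueError("mask and offset are mutually exclusive")
            if len(self.mask) != len(self.hex):
                raise ValueError("mask must be the same length as hex-string")
            self.mask_bytes = bytes.fromhex(self.mask)
        elif self.offset is not None:
            if self.length is None or not 0 <= self.offset <= 254 or not 1 <= self.length <= 128:
                raise ValueError("offset (0-254) and length (1-128) are required together")
            if self.length != len(self.hex_bytes):
                raise ValueError("length must equal the hex-string length in bytes")


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse the TLV option area (after the magic cookie) into code -> value.

    Code 0 is a pad byte, code 255 ends the list; a repeated code is concatenated.
    Truncated options raise instead of matching partially.
    """
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def rule_matches(rule: MatchRule, opts: Dict[int, bytes]) -> bool:
    value = opts.get(rule.option)
    if value is None:
        return False                      # option absent: no form of the rule matches
    if rule.hex_bytes is None:
        return True                       # option-code only: presence is enough
    if rule.mask_bytes is not None:       # masked compare over the leading bytes
        n = len(rule.mask_bytes)
        if len(value) < n:
            return False
        masked = bytes(v & m for v, m in zip(value[:n], rule.mask_bytes))
        target = bytes(h & m for h, m in zip(rule.hex_bytes, rule.mask_bytes))
        return masked == target
    if rule.offset is not None:           # exact compare of the offset/length window
        window = value[rule.offset:rule.offset + rule.length]
        return len(window) == rule.length and window == rule.hex_bytes
    return rule.hex_bytes in value        # hex only: the string anywhere in the option


def classify(classes: Dict[str, List[MatchRule]], opts: Dict[int, bytes]) -> List[str]:
    """A request belongs to every class for which at least one rule matches."""
    return [name for name, rules in classes.items()
            if any(rule_matches(r, opts) for r in rules)]


# The classes and rules from the examples above.
CLASSES = {
    "contain-option82": [MatchRule(1, 82)],
    "exam": [MatchRule(2, 82, hex="13ae92", offset=0, length=3),
             MatchRule(3, 82, hex="00000080", mask="00000080")],
}

# Constructed option area: option 53 (DHCPDISCOVER) and an option 82 whose
# first three bytes are 13 ae 92 and whose fourth byte has the high bit set.
SAMPLE_OPTIONS = bytes([53, 1, 1, 82, 5, 0x13, 0xAE, 0x92, 0x80, 0x01, 255])

if __name__ == "__main__":
    print(classify(CLASSES, parse_options(SAMPLE_OPTIONS)))
```

Rule IDs are validated but not used for ordering, because the page defines class membership as matching any one rule; the priority only matters when a class's rules are evaluated in sequence. The parser stops at a truncated option rather than matching on a partial value, which is the safer behaviour for anything that feeds a policy decision.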
Related commands
dhcp class
ESS 0006P02
None