
Command Manual – Security

VRP3.4 Table of Contents

Table of Contents

Chapter 1 AAA and RADIUS/HWTACACS Protocol Configuration Commands...................... 1-1


1.1 AAA Configuration Commands.......................................................................................... 1-1
1.1.1 access-limit.............................................................................................................. 1-1
1.1.2 accounting optional ................................................................................................. 1-2
1.1.3 display connection................................................................................................... 1-2
1.1.4 display domain ........................................................................................................ 1-4
1.1.5 display local-user..................................................................................................... 1-4
1.1.6 domain..................................................................................................................... 1-6
1.1.7 ip pool...................................................................................................................... 1-7
1.1.8 level ......................................................................................................................... 1-8
1.1.9 local-user................................................................................................................. 1-9
1.1.10 local-user password-display-mode...................................................................... 1-10
1.1.11 password ............................................................................................................. 1-11
1.1.12 scheme................................................................................................................ 1-11
1.1.13 service-type ......................................................................................................... 1-13
1.1.14 service-type ftp .................................................................................................... 1-14
1.1.15 service-type ppp .................................................................................................. 1-14
1.1.16 state..................................................................................................................... 1-15
1.2 RADIUS Protocol Configuration Commands ................................................................... 1-16
1.2.1 data-flow-format .................................................................................................... 1-16
1.2.2 debugging radius................................................................................................... 1-17
1.2.3 display radius ........................................................................................................ 1-18
1.2.4 display radius statistics ......................................................................................... 1-20
1.2.5 display stop-accounting-buffer .............................................................................. 1-21
1.2.6 key......................................................................................................................... 1-22
1.2.7 nas-ip..................................................................................................................... 1-23
1.2.8 primary accounting................................................................................................ 1-24
1.2.9 primary authentication........................................................................................... 1-25
1.2.10 radius scheme ..................................................................................................... 1-26
1.2.11 radius nas-ip........................................................................................................ 1-27
1.2.12 reset radius statistics........................................................................................... 1-28
1.2.13 reset stop-accounting-buffer ............................................................................... 1-29
1.2.14 retry ..................................................................................................................... 1-30
1.2.15 retry realtime-accounting..................................................................................... 1-31
1.2.16 retry stop-accounting........................................................................................... 1-32
1.2.17 secondary accounting ......................................................................................... 1-33
1.2.18 secondary authentication .................................................................................... 1-33


1.2.19 server-type .......................................................................................................... 1-34
1.2.20 state..................................................................................................................... 1-35
1.2.21 stop-accounting-buffer enable............................................................................. 1-36
1.2.22 timer quiet............................................................................................................ 1-37
1.2.23 timer realtime-accounting.................................................................................... 1-38
1.2.24 timer response-timeout ....................................................................................... 1-39
1.2.25 user-name-format................................................................................................ 1-40
1.3 HWTACACS Configuration Commands .......................................................................... 1-41
1.3.1 data-flow-format .................................................................................................... 1-41
1.3.2 debugging hwtacacs ............................................................................................. 1-42
1.3.3 display hwtacacs ................................................................................................... 1-43
1.3.4 display stop-accounting-buffer .............................................................................. 1-43
1.3.5 hwtacacs nas-ip..................................................................................................... 1-44
1.3.6 hwtacacs scheme.................................................................................................. 1-45
1.3.7 key......................................................................................................................... 1-46
1.3.8 nas-ip..................................................................................................................... 1-47
1.3.9 primary accounting................................................................................................ 1-47
1.3.10 primary authentication......................................................................................... 1-48
1.3.11 primary authorization........................................................................................... 1-49
1.3.12 reset hwtacacs statistics ..................................................................................... 1-50
1.3.13 reset stop-accounting-buffer ............................................................................... 1-51
1.3.14 retry stop-accounting........................................................................................... 1-52
1.3.15 secondary accounting ......................................................................................... 1-52
1.3.16 secondary authentication .................................................................................... 1-53
1.3.17 secondary authorization ...................................................................................... 1-54
1.3.18 timer quiet............................................................................................................ 1-55
1.3.19 timer realtime-accounting.................................................................................... 1-56
1.3.20 timer response-timeout ....................................................................................... 1-57
1.3.21 user-name-format................................................................................................ 1-58

Chapter 2 Access Control List Configuration Commands........................................................ 2-1


2.1 ACL Configuration Commands .......................................................................................... 2-1
2.1.1 acl............................................................................................................................ 2-1
2.1.2 display acl................................................................................................................ 2-2
2.1.3 reset acl counter...................................................................................................... 2-3
2.1.4 rule .......................................................................................................................... 2-3
2.2 Time-range Configuration Commands .............................................................................. 2-8
2.2.1 display time-range ................................................................................................... 2-8
2.2.2 time-range ............................................................................................................... 2-9

Chapter 3 Firewall Configuration Commands ............................................................................ 3-1


3.1 Packet Filtering Firewall Configuration Commands........................................................... 3-1
3.1.1 debugging firewall ................................................................................................... 3-1
3.1.2 display firewall-statistics.......................................................................................... 3-2


3.1.3 firewall default ......................................................................................................... 3-2
3.1.4 firewall enable ......................................................................................................... 3-3
3.1.5 firewall fragments-inspect ....................................................................................... 3-4
3.1.6 firewall fragments-inspect { high | low }................................................................... 3-4
3.1.7 firewall packet-filter ................................................................................................. 3-6
3.1.8 reset firewall-statistics ............................................................................................. 3-7
3.2 ASPF Configuration Commands........................................................................................ 3-7
3.2.1 aging-time................................................................................................................ 3-8
3.2.2 aspf-policy ............................................................................................................... 3-8
3.2.3 debugging aspf........................................................................................................ 3-9
3.2.4 detect..................................................................................................................... 3-10
3.2.5 display aspf all....................................................................................................... 3-11
3.2.6 display aspf interface ............................................................................................ 3-13
3.2.7 display aspf policy ................................................................................................. 3-14
3.2.8 display aspf session .............................................................................................. 3-14
3.2.9 display port-mapping............................................................................................. 3-16
3.2.10 firewall aspf ......................................................................................................... 3-16
3.2.11 log enable............................................................................................................ 3-17
3.2.12 port-mapping ....................................................................................................... 3-18

Chapter 4 IPSec Configuration Commands................................................................................ 4-1


4.1 IPSec Configuration Commands ....................................................................................... 4-1
4.1.1 ah authentication-algorithm..................................................................................... 4-1
4.1.2 debugging ipsec ...................................................................................................... 4-2
4.1.3 display ipsec policy ................................................................................................. 4-3
4.1.4 display ipsec policy-template .................................................................................. 4-6
4.1.5 display ipsec proposal............................................................................................. 4-7
4.1.6 display ipsec sa ....................................................................................................... 4-8
4.1.7 display ipsec statistics........................................................................................... 4-11
4.1.8 encapsulation-mode.............................................................................................. 4-12
4.1.9 esp authentication-algorithm ................................................................................. 4-14
4.1.10 esp encryption-algorithm..................................................................................... 4-15
4.1.11 ipsec policy(interface view) ................................................................................. 4-16
4.1.12 ipsec policy (system view)................................................................................... 4-17
4.1.13 ipsec policy-template........................................................................................... 4-18
4.1.14 ipsec proposal ..................................................................................................... 4-20
4.1.15 ipsec sa global-duration ...................................................................................... 4-21
4.1.16 pfs........................................................................................................................ 4-22
4.1.17 proposal............................................................................................................... 4-23
4.1.18 reset ipsec sa ...................................................................................................... 4-24
4.1.19 reset ipsec statistics ............................................................................................ 4-25
4.1.20 sa authentication-hex .......................................................................................... 4-26
4.1.21 sa duration........................................................................................................... 4-28


4.1.22 sa encryption-hex................................................................................................ 4-29
4.1.23 sa spi ................................................................................................................... 4-30
4.1.24 sa string-key ........................................................................................................ 4-32
4.1.25 security acl .......................................................................................................... 4-34
4.1.26 transform ............................................................................................................. 4-34
4.1.27 tunnel local .......................................................................................................... 4-36
4.1.28 tunnel remote ...................................................................................................... 4-37
4.2 Encryption Card Configuration Commands ..................................................................... 4-38
4.2.1 debugging encrypt-card ........................................................................................ 4-38
4.2.2 display encrypt-card sa ......................................................................................... 4-40
4.2.3 display encrypt-card statistics ............................................................................... 4-41
4.2.4 display encrypt-card syslog................................................................................... 4-43
4.2.5 display interface encrypt ....................................................................................... 4-43
4.2.6 encrypt-card backuped.......................................................................................... 4-45
4.2.7 interface encrypt.................................................................................................... 4-45
4.2.8 ipsec card-proposal............................................................................................... 4-46
4.2.9 reset counters encrypt........................................................................................... 4-47
4.2.10 reset encrypt-card sa .......................................................................................... 4-48
4.2.11 reset encrypt-card statistics ................................................................................ 4-49
4.2.12 reset encrypt-card syslog .................................................................................... 4-49
4.2.13 snmp-agent trap enable encrypt-card ................................................................. 4-50
4.2.14 use encrypt-card ................................................................................................. 4-51

Chapter 5 IKE Configuration Commands.................................................................................... 5-1


5.1 IKE Configuration Commands ........................................................................................... 5-1
5.1.1 authentication-algorithm.......................................................................................... 5-1
5.1.2 authentication-method............................................................................................. 5-1
5.1.3 debugging ike .......................................................................................................... 5-3
5.1.4 dh ............................................................................................................................ 5-3
5.1.5 display ike proposal................................................................................................. 5-4
5.1.6 display ike sa........................................................................................................... 5-5
5.1.7 encryption-algorithm................................................................................................ 5-6
5.1.8 exchange-mode....................................................................................................... 5-7
5.1.9 id-type...................................................................................................................... 5-8
5.1.10 ike local-name ....................................................................................................... 5-9
5.1.11 ike peer (system view) .......................................................................................... 5-9
5.1.12 ike peer (IPSec policy view, IPSec policy template view) ................................... 5-10
5.1.13 ike proposal ......................................................................................................... 5-10
5.1.14 ike sa keepalive-timer interval............................................................................. 5-12
5.1.15 ike sa keepalive-timer timeout............................................................................. 5-13
5.1.16 local ..................................................................................................................... 5-14
5.1.17 local-address ....................................................................................................... 5-14
5.1.18 max-connections ................................................................................................. 5-15


5.1.19 nat traversal......................................................................................................... 5-16
5.1.20 pre-shared-key .................................................................................................... 5-16
5.1.21 peer ..................................................................................................................... 5-17
5.1.22 remote-address ................................................................................................... 5-18
5.1.23 remote-name ....................................................................................................... 5-19
5.1.24 reset ike sa .......................................................................................................... 5-19
5.1.25 sa duration........................................................................................................... 5-21

Chapter 6 PKI Configuration Commands.................................................................................... 6-1


6.1 PKI Domain Configuration Commands.............................................................................. 6-1
6.1.1 ca identifier .............................................................................................................. 6-1
6.1.2 certificate request from............................................................................................ 6-1
6.1.3 certificate request mode.......................................................................................... 6-2
6.1.4 certificate request polling ........................................................................................ 6-3
6.1.5 certificate request url............................................................................................... 6-4
6.1.6 crl update period...................................................................................................... 6-5
6.1.7 crl url........................................................................................................................ 6-5
6.1.8 ldap server............................................................................................................... 6-6
6.1.9 pki domain ............................................................................................................... 6-7
6.2 PKI Entity Configuration Commands ................................................................................. 6-8
6.2.1 fqdn ......................................................................................................................... 6-8
6.2.2 common-name ........................................................................................................ 6-8
6.2.3 country..................................................................................................................... 6-9
6.2.4 ip............................................................................................................................ 6-10
6.2.5 locality ................................................................................................................... 6-10
6.2.6 organization........................................................................................................... 6-11
6.2.7 organizational-unit ................................................................................................. 6-11
6.2.8 state....................................................................................................................... 6-12
6.2.9 pki entity ................................................................................................................ 6-13
6.3 PKI Certificate Operation Commands.............................................................................. 6-13
6.3.1 pki delete certificate .............................................................................................. 6-13
6.3.2 pki request certificate ............................................................................................ 6-14
6.3.3 pki retrieval certificate ........................................................................................... 6-15
6.3.4 pki retrieval crl ....................................................................................................... 6-16
6.3.5 pki validation certificate ......................................................................................... 6-16
6.4 PKI Displaying and Debugging Commands .................................................................... 6-17
6.4.1 debugging pki certificate ....................................................................................... 6-17
6.4.2 display pki certificate ............................................................................................. 6-21
6.4.3 display pki crl......................................................................................................... 6-22


Chapter 1 AAA and RADIUS/HWTACACS Protocol Configuration Commands

1.1 AAA Configuration Commands

1.1.1 access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit

View

ISP domain view

Parameter

disable: No limit to the supplicant number in the current ISP domain.

enable max-user-number: Specifies the maximum supplicant number in the current
ISP domain, ranging from 1 to 1024.

Description

Using the access-limit command, you can configure a limit on the number of
supplicants in the current ISP domain. Using the undo access-limit command, you
can restore the default setting.

By default, there is no limit on the number of supplicants in the current ISP domain.

This command limits the number of supplicants contained in the current ISP domain.
Supplicants compete for network resources, so setting a suitable limit guarantees
reliable performance for the supplicants already connected.

Example

# Set a limit of 500 supplicants for the ISP domain huawei163.net.

[Quidway-isp-huawei163.net] access-limit enable 500


1.1.2 accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Parameter

None

Description

Using the accounting optional command, you can enable optional accounting. Using
the undo accounting optional command, you can disable it.

By default, optional accounting is disabled.

With the accounting optional command, a user who would otherwise be disconnected
can still use the network resources when no accounting server is available or when
communication with the current accounting server fails. This command is normally
used for authentication without accounting.

Example

# Enable optional accounting for users in the domain huawei163.net.

[Quidway] domain huawei163.net
[Quidway-isp-huawei163.net] accounting optional

1.1.3 display connection

Syntax

display connection [ domain isp-name | interface portnum | ip ip-address | mac
mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme
hwtacacs-scheme-name | ucibindex ucib-index | user-name user-name ]

View

Any view


Parameter

domain isp-name: Displays all the user connections belonging to the ISP domain
specified by isp-name, a character string not exceeding 24 characters. The specified
ISP domain must be an existing one.

ip ip-address: Displays all the user connections related to the specified IP address.

mac mac-address: Displays a user connection by specifying its hexadecimal MAC
address in the format of x-x-x.

radius-scheme radius-scheme-name: Displays all the user connections connected to
the RADIUS server specified by radius-scheme-name, a character string not exceeding
32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Displays all the user connections
connected to the HWTACACS server specified by hwtacacs-scheme-name, a
character string not exceeding 32 characters.

ucibindex ucib-index: Displays information on a user connection by specifying its
connection index number, that is, ucib-index ranging from 0 to 1023.

user-name user-name: Displays information on a user connection by specifying its
user name, a character string not exceeding 80 characters and excluding “/”, “:”, “*”, “?”,
“<” and “>”. The @ character can be used only once in one username. The username
without domain name (the part before @, namely the user ID) cannot exceed 24
characters.

Description

Using the display connection command, you can view the relevant information on the
specified user connection or all the connections. The output can help you troubleshoot
user connections.

By default, information about all user connections is displayed.

For the related command, see cut connection.

Example

# Display information on the connections of the user system.

<Quidway> display connection domain system
Index=0 ,Username=hfx@system
IP=188.188.188.3

Total 1 connections matched, 1 listed.
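The user-name rules given above for display connection (80 characters at most, no “/”, “:”, “*”, “?”, “<” or “>”, a single @, a user ID of at most 24 characters) and the 24-character ISP domain limit are easy to get wrong when a provisioning script or log parser handles usernames before they reach the device. The following Python is an added example, not code from the manual or from VRP; it applies those rules and then models the domain-selection behaviour described under the domain command (a default ISP domain is appended to usernames that carry none, or such users are refused when the default domain is disabled). The function and class names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Limits and forbidden characters as stated in this manual for the user-name
# parameter and for ISP domain names.
MAX_USERNAME_LEN = 80      # whole username, including "@domain"
MAX_USER_ID_LEN = 24       # part before "@"
MAX_DOMAIN_LEN = 24        # ISP domain name
FORBIDDEN_CHARS = frozenset("/:*?<>")


class UsernameError(ValueError):
    """Raised when a username violates one of the manual's rules."""


@dataclass(frozen=True)
class ResolvedUser:
    user_id: str
    domain: str               # ISP domain AAA would select for this user
    domain_was_default: bool  # True when the default ISP domain was appended


def validate_username(username: str) -> Tuple[str, Optional[str]]:
    """Check a username against the rules above and split it into
    (user_id, domain); domain is None when the name carries no "@"."""
    if not username:
        raise UsernameError("username is empty")
    if len(username) > MAX_USERNAME_LEN:
        raise UsernameError(f"username longer than {MAX_USERNAME_LEN} characters")
    bad = FORBIDDEN_CHARS.intersection(username)
    if bad:
        raise UsernameError("forbidden character(s): " + "".join(sorted(bad)))
    if username.count("@") > 1:
        raise UsernameError('"@" may appear only once in a username')
    user_id, sep, domain = username.partition("@")
    if not user_id:
        raise UsernameError("user ID (part before @) is empty")
    if len(user_id) > MAX_USER_ID_LEN:
        raise UsernameError(f"user ID longer than {MAX_USER_ID_LEN} characters")
    if not sep:
        return user_id, None
    if not domain:
        raise UsernameError("domain after @ is empty")
    if len(domain) > MAX_DOMAIN_LEN:
        raise UsernameError(f"domain longer than {MAX_DOMAIN_LEN} characters")
    return user_id, domain


def is_valid_username(username: str) -> bool:
    """Boolean wrapper around validate_username for quick checks."""
    try:
        validate_username(username)
        return True
    except UsernameError:
        return False


def resolve_domain(username: str, default_domain: Optional[str]) -> ResolvedUser:
    """Select the ISP domain the way the manual describes for 'domain default':
    default_domain=None models 'domain default disable' (a username without a
    domain is refused); a string models 'domain default enable <isp-name>'
    (that name is appended to usernames that carry none)."""
    user_id, domain = validate_username(username)
    if domain is not None:
        return ResolvedUser(user_id, domain, False)
    if default_domain is None:
        raise UsernameError("no domain in username and default ISP domain is disabled")
    # The appended name must itself satisfy the domain rules.
    validate_username(user_id + "@" + default_domain)
    return ResolvedUser(user_id, default_domain, True)


if __name__ == "__main__":
    # Constructed sample names; "hfx@system" matches the display connection output above.
    for name in ("hfx@system", "hfx", "bad?name", "a@b@c", "x" * 25 + "@huawei163.net"):
        try:
            r = resolve_domain(name, "system")
            print(f"{name!r:42} -> user_id={r.user_id} domain={r.domain} default={r.domain_was_default}")
        except UsernameError as e:
            print(f"{name!r:42} -> rejected: {e}")
```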


1.1.4 display domain

Syntax

display domain [ isp-name ]

View

Any view

Parameter

isp-name: Specifies the ISP domain name, with a character string not exceeding 24
characters. The specified ISP domain must be an existing one.

Description

Using the display domain command, you can view the configuration of a specified ISP
domain or display the summary information of all ISP domains.

By default, the summary of all ISP domains is displayed.

This command outputs the configuration of a specified ISP domain, or the summary
information of all ISP domains when none is specified. When an ISP domain is
specified, its configuration is displayed with the same content and format as in the
output of the display domain command. The output can help with ISP domain
diagnosis and troubleshooting.

For the related commands, see access-limit, domain, scheme, state, display
domain.

Example

# Display information about the ISP domain gy.

<Quidway> display domain gy
The contents of Domain gy:
State = Active
TACACS Scheme = gy
Access-limit = Enable, AccessLimitMax = 10
Domain User Template:

1.1.5 display local-user

Syntax

display local-user [ domain isp-name | service-type { telnet | ssh | terminal | pad |
ftp | ppp } | state { active | block } | user-name user-name ]

View

Any view

Parameter

domain isp-name: Displays all the local users in the ISP domain specified by isp-name,
a character string not exceeding 24 characters. The specified ISP domain must be an
existing one.

service-type: Displays local users by specifying service type, which can be telnet, ssh,
terminal (terminal users logging on from Console, AUX, or Asyn port), ftp, ppp, or PAD
(X.25 PAD).

state { active | block }: Displays local users by specifying user state, where active
means users allowed to request for network services and block means the opposite.

user-name user-name: Displays a user by specifying its user-name, a character string
not exceeding 80 characters and excluding “/”, “:”, “*”, “?”, “<” and “>”. The @ character
can be used only once in one username. The username without domain name (the part
before @, namely the user ID) cannot exceed 24 characters.

Description

Using the display local-user command, you can view the relevant information on the
specified local user or all the local users. The output can help you troubleshoot faults
related to local user.

By default, information on all local users is displayed.

For the related command, see local-user.

Example

# Display the relevant information of all the local users.
<Quidway> display local-user
The contents of local user user1:
State: Active ServiceType Mask: None
Idle-Cut: Disable
Access-Limit: Disable Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
FTP Directory: flash:

Total 1 local user(s) Matched,1 listed..

1.1.6 domain

Syntax

domain [ isp-name | default { disable | enable isp-name } ]

undo domain isp-name

View

System view

Parameter

isp-name: Specifies an ISP domain name. The name is expressed with a character
string not exceeding 24 characters, excluding “/”, “:”, “*”, “?”, “<”, and “>”.

default: Configures the default ISP domain. The default ISP domain of the system is
"system".

disable: Disables the configured default ISP domain. The users that have usernames
without a domain name are to be refused as a result.

enable: Enables the configured default ISP domain. It is appended to the usernames
that are received without a domain name before they are sent to the intended AAA
servers.

Description

Using the domain command, you can configure an ISP domain or enter the view of an
existing ISP domain. Using the undo domain command, you can cancel a specified
ISP domain.

By default, the default domain in the system is "system".

ISP domain is a group of users belonging to the same ISP. Generally, for a username in
the userid@isp-name format, gw20010608@huawei163.net for example, the isp-name
(”huawei163.net” in the example) following the “@” is the ISP domain name. When an
AAA server controls user access, for an ISP user whose username is in
userid@isp-name format, the system takes the part "userid" as username for
identification and takes the part "isp-name" as domain name.

The purpose of introducing ISP domain settings is to support the application
environment with several ISP domains. In this case, an access device may have
supplicants from different ISP domains. Because the attributes of ISP users, such as
username and password structures and service types, may be different, it is necessary
to separate them by setting ISP domains. In ISP domain view, you can configure a
complete set of ISP domain attributes for each ISP domain, including an AAA scheme
(the RADIUS scheme applied).

For a router, each supplicant belongs to an ISP domain. The system supports up to 16
ISP domains.

When this command is used, if the specified ISP domain does not exist, the system will
create a new ISP domain. All the ISP domains are in the active state when they are
created.

For the related commands, see access-limit, scheme, state, and display domain.

Example

# Create a new ISP domain, huawei163.net, and enter its view.
[Quidway] domain huawei163.net
New Domain added.
[Quidway-isp-huawei163.net]
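
The username and domain rules given above (userid@isp-name splitting, the 24- and 80-character limits, the excluded characters, the default domain and the block state), modelled as an added Python example that is not part of this manual; AaaConfig, split_username and the other names are this example's own, not VRP commands or APIs, and the behaviour for a domain that was never configured is an assumption.

```python
"""Added example, not from the VRP manual: a model of the username and ISP
domain rules this chapter states (userid@isp-name, length limits, excluded
characters, 'domain default', 'state block'). Names such as AaaConfig and
split_username are this example's own, not VRP commands or APIs."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FORBIDDEN = set("/:*?<>")   # characters excluded from usernames and domain names
MAX_USERNAME = 80           # full username including the @isp-name part
MAX_USER_ID = 24            # part before '@'
MAX_ISP_NAME = 24
MAX_DOMAINS = 16            # the router supports up to 16 ISP domains


class AaaError(ValueError):
    """A name violates the rules, or the login request must be refused."""


def validate_isp_name(name: str) -> str:
    if not 1 <= len(name) <= MAX_ISP_NAME:
        raise AaaError(f"ISP domain name must be 1..{MAX_ISP_NAME} characters")
    if FORBIDDEN & set(name):
        raise AaaError("ISP domain name contains one of / : * ? < >")
    return name


def split_username(username: str) -> Tuple[str, Optional[str]]:
    """Split 'userid[@isp-name]' and enforce the length and character rules.
    Returns (user_id, isp_name); isp_name is None when no '@' is present."""
    if not 1 <= len(username) <= MAX_USERNAME:
        raise AaaError(f"username must be 1..{MAX_USERNAME} characters")
    if FORBIDDEN & set(username):
        raise AaaError("username contains one of / : * ? < >")
    if username.count("@") > 1:
        raise AaaError("'@' may appear only once in a username")
    user_id, at, isp_name = username.partition("@")
    if not 1 <= len(user_id) <= MAX_USER_ID:
        raise AaaError(f"user ID (before '@') must be 1..{MAX_USER_ID} characters")
    return (user_id, validate_isp_name(isp_name)) if at else (user_id, None)


@dataclass
class IspDomain:
    name: str
    state: str = "active"   # 'state { active | block }'; new domains are active
    scheme: str = "local"   # the default AAA scheme is local


@dataclass
class AaaConfig:
    # The system always has the domain "system", which is also the default.
    domains: Dict[str, IspDomain] = field(
        default_factory=lambda: {"system": IspDomain("system")})
    default_domain: Optional[str] = "system"   # None models 'domain default disable'

    def domain(self, name: str) -> IspDomain:
        """'domain isp-name': create the domain if it does not exist, return it."""
        validate_isp_name(name)
        if name not in self.domains:
            if len(self.domains) >= MAX_DOMAINS:
                raise AaaError(f"at most {MAX_DOMAINS} ISP domains are supported")
            self.domains[name] = IspDomain(name)
        return self.domains[name]

    def default_enable(self, name: str) -> None:
        """'domain default enable isp-name'."""
        self.default_domain = validate_isp_name(name)

    def default_disable(self) -> None:
        """'domain default disable': names without a domain are refused."""
        self.default_domain = None

    def resolve(self, username: str) -> Tuple[str, IspDomain]:
        """Pick the user ID and the ISP domain that will handle this login."""
        user_id, isp_name = split_username(username)
        if isp_name is None:
            if self.default_domain is None:
                raise AaaError("no domain in username and default domain disabled")
            isp_name = self.default_domain
        domain = self.domains.get(isp_name)
        if domain is None:
            # The manual does not say what happens for a domain that was never
            # configured; refusing the request is this example's assumption.
            raise AaaError(f"ISP domain {isp_name!r} is not configured")
        if domain.state == "block":
            # Blocking refuses new requests but does not affect users already online.
            raise AaaError(f"ISP domain {isp_name!r} is blocked")
        return user_id, domain


def login_allowed(cfg: AaaConfig, username: str) -> bool:
    try:
        cfg.resolve(username)
        return True
    except AaaError:
        return False
```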

1.1.7 ip pool

Syntax

ip pool pool-number low-ip-address [ high-ip-address ]

undo ip pool pool-number

View

System view, ISP domain view

Parameter

pool-number: Address pool number, ranging from 0 to 99.

low-ip-address and high-ip-address: The start and end IP addresses of the address
pool. The number of in-between addresses cannot exceed 1024. If end IP address is
not specified, there will be only one IP address in the pool, namely the start IP address.

Description

Using the ip pool command, you can configure a local address pool for assigning
addresses to PPP users. Using the undo ip pool command, you can delete the
specified local address pool.

By default, no local IP address pool is configured.

You can configure an IP address pool in system view and use the remote address
command in interface view to assign IP addresses from the pool to PPP users.

You can also configure an IP address pool in ISP domain view for assigning IP
addresses to PPP users in the current ISP domain. This applies to the case where an
interface serves a large number of PPP users but has inadequate address resources for
allocation. For example, an Ethernet interface running PPPoE can accommodate 4095
users at most. However, only one address pool with up to 1024 addresses can be
configured on its Virtual Template (VT), which is far from what is required. To address
the issue, you can configure address pools for ISP domains and assign addresses from
them to their PPP users.

For the related command, see remote address.

Example

# Configure the local IP address pool 0 with the address range of 129.102.0.1 to
129.102.0.10.
[Quidway] domain huawei163.net
[Quidway-isp-huawei163.net] ip pool 0 129.102.0.1 129.102.0.10

1.1.8 level

Syntax

level level

undo level

View

Local user view

Parameter

level: Specifies user priority level, an integer ranging from 0 to 3.

Description

Using the level command, you can configure user priority level. Using the undo level
command, you can restore the default user priority level.

By default, user priority level is 0.

For the related command, see local-user.

Note:
If the configured authentication mode is none authentication or password authentication, the command
level that a user can access after login depends on the priority of user interface. In the case of
authentication requiring both username and password, however, the accessible command level depends
on user priority level.

Example

# Set the priority level of the user to 3.
[Quidway-luser-huawei1] level 3

1.1.9 local-user

Syntax

local-user user-name

undo local-user { user-name | all }

View

System view

Parameter

user-name: Specifies a local username with a character string not exceeding 80
characters, excluding “/”, “:”, “*”, “?”, “<” and “>”. The @ character can be used only
once in one username. The username without domain name (the part before @,
namely the user ID) cannot exceed 24 characters. user-name is case-insensitive, so
UserA and usera are the same, for example.

all: All the users.

Description

Using the local-user command, you can add a local user and enter the local user view.
Using the undo local-user command, you can remove the specified local user.

By default, no local user is configured.

For the related command, see display local-user.

Example

# Add a local user named huawei1.
[Quidway] local-user huawei1
[Quidway-luser-huawei1]

1.1.10 local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }

undo local-user password-display-mode

View

System view

Parameter

cipher-force: Forced cipher mode specifies that the passwords of all the accessed
users must be displayed in cipher text.

auto: The auto mode specifies that a user is allowed to use the password command to
set a password display mode.

Description

Using the local-user password-display-mode command, you can configure the
password display mode of all the local users. Using the undo local-user
password-display-mode command, you can restore the default password display
mode of all the local users.

If cipher-force applies, specifying simple in the password command has no effect:
passwords are still displayed in cipher text.

By default, auto applies when displaying passwords of local users.

For the related commands, see display local-user and password.

Example

# Force all the local users to have passwords displayed in cipher text.
[Quidway] local-user password-display-mode cipher-force

1.1.11 password

Syntax

password { simple | cipher } password

undo password

View

Local user view

Parameter

simple: Specifies to display passwords in simple text.

cipher: Specifies to display passwords in cipher text.

password: Defines a password, which is a character string of up to 16 characters if it is
in simple text or of up to 24 characters if it is in cipher text.

Description

Using the password command, you can configure a password for a local user. Using
the undo password command, you can cancel the password of the local user.

If local-user password-display-mode cipher-force applies, specifying simple in the
password command has no effect: passwords are still displayed in cipher text.

For the related command, see display local-user.

Example

# Set the password of the user huawei1 to 20030422 and display it in simple text.
[Quidway-luser-huawei1] password simple 20030422

1.1.12 scheme

Syntax

scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme
hwtacacs-scheme-name [ local ] | local | none }

undo scheme { radius-scheme | hwtacacs-scheme | none }

View

ISP domain view

Parameter

radius-scheme-name: RADIUS scheme, a character string not exceeding 32 characters.

hwtacacs-scheme-name: HWTACACS scheme, a character string not exceeding 32
characters.

local: Local authentication

none: No authentication

Description

Using the scheme command, you can configure the AAA scheme to be referenced by
the current ISP domain. Using the undo scheme command, you can restore the
default AAA scheme.

The default AAA scheme in the system is local.

With this command the current ISP domain can reference a RADIUS/HWTACACS
scheme that has been configured.

When the radius-scheme radius-scheme-name local command or the
hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local
scheme applies as a backup scheme if the RADIUS or HWTACACS server is not
available. If the RADIUS or HWTACACS server is available, local authentication is not
used.

If the local or none scheme applies as the first scheme, no RADIUS or HWTACACS
scheme can be adopted.

For the related commands, see radius scheme and hwtacacs scheme.

Example

# Specify the current ISP domain, huawei163.net, to use the RADIUS scheme Huawei.
[Quidway-isp-huawei163.net] scheme radius-scheme Huawei

# Set the authentication scheme referenced by the ISP domain Huawei to
radius-scheme rd and use the local scheme as the backup.
[Quidway-isp-huawei] scheme radius-scheme rd local

# Set the authentication scheme referenced by the ISP domain Huawei to
hwtacacs-scheme hwtac and use the local scheme as the backup.
[Quidway-isp-huawei] scheme hwtacacs-scheme hwtac local

1.1.13 service-type

Syntax

service-type { telnet | ssh | terminal | pad }

undo service-type { telnet | ssh | terminal | pad }

View

Local user view

Parameter

telnet: Authorizes the user to use the Telnet service.

ssh: Authorizes the user to use the SSH service.

terminal: Authorizes the user to use the terminal service (login from the Console, AUX
or Asyn port).

pad: Authorizes the user to use the PAD service.

Description

Using the service-type command, you can configure a service type for a particular user.
Using the undo service-type command, you can delete one or all service types
configured for the user.

By default, no service is available for the user.

For the related commands, see service-type ppp and service-type ftp.

Example

# Authorize the user to use the Telnet service.
[Quidway-luser-huawei1] service-type telnet

1.1.14 service-type ftp

Syntax

service-type ftp [ ftp-directory directory]

undo service-type ftp [ ftp-directory ]

View

Local user view

Parameter

ftp-directory directory: Specifies a directory accessible for the FTP user.

Description

Using the service-type ftp command, you can specify a directory accessible for the
FTP user. Using the undo service-type ftp command, you can restore the default
directory accessible for the FTP user.

By default, no services of any type are authorized to any user and access of
anonymous FTP users is not allowed, but a user that is granted the FTP service is
authorized to access the root directory "flash:/".

For the related commands, see service-type and service-type ppp.

Example

# Authorize the user to use the FTP service.
[Quidway-luser-huawei1] service-type ftp

1.1.15 service-type ppp

Syntax

service-type ppp [ callback-nocheck | callback-number callback-number |
call-number call-number [ subcall-number ] ]

undo service-type ppp [ callback-nocheck | callback-number | call-number ]

View

Local user view

Parameter

callback-nocheck: Specifies PPP user callback without authentication.

callback-number callback-number: Specifies a callback number.

call-number call-number: Specifies a caller number in ISDN user authentication, with a
length up to 64 bytes.

[ subcall-number ]: Specifies the sub-caller number. If included, the total length of it plus
the caller number cannot exceed 62 bytes.

Description

Using the service-type ppp command, you can configure the callback attribute and
caller number of the PPP user. Using the undo service-type ppp command, you can
restore their default settings.

By default, no services of any type are authorized to any users; if the PPP service is
authorized, call back without authentication applies and no callback number is
specified; and the system does not authenticate the caller number of ISDN users.

For the related commands, see service-type and service-type ftp.

Example

# Set the PPP user to call back without authentication.
[Quidway-luser-huawei1] service-type ppp callback-nocheck

1.1.16 state

Syntax

state { active | block }

View

ISP domain view, local user view

Parameter

active: Allows users in the current ISP domain, or the current local user, to request
network services.

block: Blocks users in the current ISP domain, or the current local user, from requesting
network services.

Description

Using the state command, you can configure the state of the current ISP domain or
local user.

By default, both an ISP domain (in ISP domain view) and a local user (in local user view)
are in the active state upon their creation.

Every ISP domain can be active or blocked. If an ISP domain is configured to be active,
the supplicants in it can request network services; in the block state, its users are not
allowed to request any network service, which does not affect the users currently online.
The same applies to local users.

For the related command, see domain.

Example

# Set the state of the current ISP domain "huawei163.net" to block. The supplicants in
this domain cannot request for network services.
[Quidway-isp-huawei163.net] state block

# Set the state of the user "huawei1" to block.
[Quidway-luser-huawei1] state block

1.2 RADIUS Protocol Configuration Commands

1.2.1 data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet
| kilo-packet | mega-packet | one-packet }

undo data-flow-format

View

RADIUS view

Parameter

data: Sets data unit.

byte: Data flows are sent in bytes.

giga-byte: Data flows are sent in gigabytes.

kilo-byte: Data flows are sent in kilobytes.

mega-byte: Data flows are sent in megabytes.

packet: Sets data packet unit.

giga-packet: Data packets are sent in giga-packets.

kilo-packet: Data packets are sent in kilo-packets.

mega-packet: Data packets are sent in mega-packets.

one-packet: Data packets are sent in the units of one-packet.

Description

Using the data-flow-format command, you can configure the units in which data flows
and data packets are reported to a RADIUS server. Using the undo data-flow-format
command, you can restore the default units.

By default, data flows are sent in bytes and data packets in the units of one-packet.

For the related command, see display radius.

Example

# Send data flows and packets destined for the RADIUS server "Huawei" in kilobytes
and kilo-packets.
[Quidway-radius-huawei] data-flow-format data kilo-byte packet kilo-packet

1.2.2 debugging radius

Syntax

debugging radius packet

undo debugging radius packet

View

User view

Parameter

packet: Enables packet debugging.

Description

Using the debugging radius command, you can enable RADIUS debugging. Using
the undo debugging radius command, you can disable RADIUS debugging.

By default, RADIUS debugging is disabled.

Example

# Enable RADIUS debugging.
<Quidway> debugging radius packet

1.2.3 display radius

Syntax

display radius [ radius-scheme-name ]

View

Any view

Parameter

radius-scheme-name: Specifies a RADIUS scheme with a character string not
exceeding 32 characters and excluding “/”, “:”, “*”, “?”, “<” and “>”. If no scheme is
specified, all RADIUS schemes are displayed.

Description

Using the display radius command, you can view the configuration information about
one or all RADIUS schemes.

By default, the configuration information about all RADIUS schemes is displayed.

For the related command, see radius scheme.

Example

# Display all the configuration information on the RADIUS scheme huawei.
<quidway> display radius huawei
SchemeName =huawei Index=1 Type=standard
Primary Auth IP =172.31.1.74 Port=1645 State=active
Primary Acct IP =172.31.1.74 Port=1645 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= test
Acct Server Encryption Key= test
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =1

Table 1-1 Information about RADIUS server configuration

Field                                            Description
SchemeName                                       RADIUS scheme name
Index                                            Index number of the RADIUS scheme
Type                                             Type of the RADIUS scheme
Primary Auth IP/ Port/ State                     IP address/access port number/current state of the primary authentication server
Primary Acct IP/ Port/ State                     IP address/access port number/current state of the primary accounting server
Second Auth IP/ Port/ State                      IP address/access port number/current state of the secondary authentication server
Second Acct IP/ Port/ State                      IP address/access port number/current state of the secondary accounting server
Auth Server Encryption Key                       Shared key of the authentication server
Acct Server Encryption Key                       Shared key of the accounting server
TimeOutValue (seconds)                           Duration of the RADIUS server timeout timer
Permitted send realtime PKT failed counts        The maximum number of realtime-accounting packet transmission attempts
Retry sending times of noresponse acct-stop-PKT  The maximum number of retries allowed when sending a buffered stop-accounting packet
Quiet-interval(min)                              The interval for the primary server to resume the active state
Username format                                  Format of username
Data flow unit                                   Unit of data flows
Packet unit                                      Unit of packets

1.2.4 display radius statistics

Syntax

display radius statistics

View

Any view

Parameter

None

Description

Using the display radius statistics command, you can view the statistics information
on RADIUS packets. The displayed packet information can help you troubleshoot
RADIUS faults.

For the related command, see radius scheme.

Example

# Display the statistics information on RADIUS packets.
<quidway> display radius statistics
state statistic(total=1048):
DEAD=1047 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=1
AcctStop=0 OnLine=1 Stop=0
StateErr=0

Received and Sent packets statistic:
Sent PKT total :38 Received PKT total:2
Resend Times Resend total
1 12
2 12
Total 24
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=1 ,Err=0
Code=11,Num=0 ,Err=0

Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=13 , Err=0 , Succ=13
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=36 , Err=12 , Succ=24
PKT acct_timeout , Num=0 , Err=0 , Succ=0
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=2 , Err=0 , Succ=2
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0

No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0

1.2.5 display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id
session-id | time-range start-time stop-time | user-name user-name }

View

Any view

Parameter

radius-scheme radius-scheme-name: Displays information on buffered
stop-accounting requests related to the RADIUS scheme specified by
radius-scheme-name, a character string not exceeding 32 characters and excluding “/”,
“:”, “*”, “?”, “<” and “>”.

session-id session-id: Displays information on the buffered stop-accounting requests
related to the session ID specified by session-id, a character string not exceeding 50
characters.

time-range start-time stop-time: Displays the buffered stop-accounting requests by the
time range of requests, which is specified by start-time and stop-time in the format of
hh:mm:ss-mm/dd/yyyy.

user-name user-name: Displays information on the buffered stop-accounting requests
by user-name, a character string not exceeding 80 characters and excluding “/”, “:”, “*”,
“?”, “<” and “>”. The @ character can be used only once in one username. The
username without domain name (the part before @, namely the user ID) cannot exceed
24 characters.

Description

Using the display stop-accounting-buffer command, you can view information on the
stop-accounting requests buffered in the router by RADIUS scheme, session ID, time
range, or username. The displayed packet information can help you troubleshoot
RADIUS faults.

If it receives no response after sending a stop-accounting request to a RADIUS server,
the router buffers the request packet and retransmits it. The number of allowed
transmission attempts can be set using the retry stop-accounting command.

For the related commands, see reset stop-accounting-buffer,
stop-accounting-buffer enable, and retry stop-accounting.

Example

# Display information on the buffered stop-accounting requests between 0:0:0 and
23:59:59 on August 31, 2002.
<Quidway> display stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002
Total find 0 record

1.2.6 key

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS view

Parameter

accounting: Configures a shared key for encrypting RADIUS accounting packets.

authentication: Configures a shared key for encrypting RADIUS
authentication/authorization packets.

string: Shared key, a character string not exceeding 16 characters and excluding “/”, “:”,
“*”, “?”, “<” and “>”. By default, the key is “huawei”.

Description

Using the key command, you can configure a shared key for encrypting RADIUS
authentication/authorization or accounting packets. Using the undo key command,
you can restore the default shared key.

The RADIUS client (the router system) and the RADIUS server use the MD5 algorithm to
encrypt the exchanged packets, and the two ends verify packets using a shared key.
Only when the same key is used can both ends accept the packets from each other and
give responses, so it is necessary to ensure that the same key is set on the router and
the RADIUS server. If authentication/authorization and accounting are performed on
two server devices with different shared keys, you must set one shared key for each.

For the related commands, see primary accounting, primary authentication, and
radius scheme.

Example

# In the RADIUS scheme “huawei”, set the shared key used for encrypting
authentication/authorization packets to “hello”.
[Quidway-radius-huawei] key authentication hello

# In the RADIUS scheme “huawei”, set the shared key for encrypting accounting
packets to “ok”.
[Quidway-radius-huawei] key accounting ok
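
The shared-key verification the description above refers to, shown as an added Python example that is not from this manual: it builds an Access-Request, hides the User-Password as RFC 2865 specifies, and checks the server's Response Authenticator, so a reply computed with a different key is rejected. The packet layout is RFC 2865/2866's; the user, password and key values are constructed, and the server side is simulated.

```python
"""Added example, not from the VRP manual: the RADIUS integrity check that
the 'key' command's shared secret feeds into (RFC 2865/2866). It shows why
the NAS and server must hold the same key: a reply built with a different
key fails verification. Sample names and keys are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")            # Code, Identifier, Length

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out

def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-octet block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of 5.2; a wrong key yields garbage rather than an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()

def accounting_request_authenticator(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: same formula, with 16 zero octets in the authenticator field."""
    return response_authenticator(ACCOUNTING_REQUEST, ident, attrs, bytes(16), secret)

def make_access_request(ident: int, username: bytes, password: bytes, secret: bytes,
                        request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_reply(request: bytes, server_secret: bytes, accept: bool) -> bytes:
    """Simulated server: signs the reply with *its* copy of the shared key."""
    _, ident, _ = HEADER.unpack(request[:4])
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    auth = response_authenticator(code, ident, b"", request[4:20], server_secret)
    return build_packet(code, ident, auth, b"")

def verify_response(reply: bytes, request_auth: bytes, nas_secret: bytes) -> bool:
    """NAS side: accept the reply only if the Response Authenticator matches."""
    if len(reply) < 20:
        return False
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:], request_auth, nas_secret)
    return hmac.compare_digest(expected, reply[4:20])

def exchange(nas_key: bytes, server_key: bytes) -> bool:
    """One Access-Request/Accept round trip; True only if both ends share the key."""
    request, request_auth = make_access_request(1, b"huawei1", b"20030422", nas_key)
    return verify_response(server_reply(request, server_key, True), request_auth, nas_key)
```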

1.2.7 nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format.

Description

Using the nas-ip command, you can set the source IP address of the network access
server (NAS, the router in this manual), so that all packets destined for the RADIUS
server carry the same source IP address. Using the undo nas-ip command, you can
cancel the configuration.

Specifying a source address for the RADIUS packets to be transmitted can avoid the
situation where the packets sent back by the RADIUS server cannot be received as the
result of a physical interface failure. The address of a loopback interface is usually used
as the source address.

By default, the source IP address of packets is the IP address of the output port.

For the related command, see display radius.

Example

# Set the source IP address that is carried in the RADIUS packets sent by the NAS (the
router) to 10.1.1.1.
[Quidway] radius scheme test1
[Quidway-radius-test1] nas-ip 10.1.1.1

1.2.8 primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format. By default, the IP address of the
primary accounting server is 0.0.0.0.

port-number: UDP port number of the primary accounting server, ranging from 1 to
65535 and defaulting to 1813.

Description

Using the primary accounting command, you can configure IP address and port
number of the primary RADIUS accounting server. Using the undo primary
accounting command, you can restore the default IP address and port number of the
primary RADIUS accounting server.

After creating a RADIUS scheme, you need to configure the IP address and UDP port
of each RADIUS server (primary/secondary authentication/authorization or accounting
server). The configuration of RADIUS servers is at your discretion, except that there
must be at least one authentication/authorization server and one accounting server.
Besides, ensure that the RADIUS service port settings on the router are consistent with
the port settings on the RADIUS servers.

For the related commands, see key, radius scheme, and state.

Example

# Set the IP address of the primary accounting server in the RADIUS scheme “huawei”
to 10.110.1.2 and use the UDP port 1813 to provide the RADIUS accounting service.
[Quidway-radius-huawei] primary accounting 10.110.1.2 1813

1.2.9 primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format. By default, the IP address of the
primary authentication/authorization server is 0.0.0.0.

port-number: UDP port number of the primary authentication/authorization server,
ranging from 1 to 65535 and defaulting to 1812.

Description

Using the primary authentication command, you can configure IP address and port
number of the primary RADIUS authentication/authorization server. Using the undo
primary authentication command, you can restore the default IP address and port
number of the primary RADIUS authentication/authorization server.

After creating a RADIUS scheme, you need to configure the IP address and UDP port
of each RADIUS server (primary/secondary authentication/authorization or accounting
server). The configuration of RADIUS servers is at your discretion, except that there
must be at least one authentication/authorization server and one accounting server.
Besides, ensure that the RADIUS service port settings on the router are consistent with
the port settings on the RADIUS servers.

For the related commands, see key, radius scheme, and state.

Example

# Set the IP address of the primary authentication/authorization server in the RADIUS
scheme “huawei” to 10.110.1.1 and use the UDP port 1812 to provide the RADIUS
authentication/authorization service.
[Quidway-radius-huawei] primary authentication 10.110.1.1 1812

1.2.10 radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Parameter

radius-scheme-name: RADIUS scheme name, a character string not exceeding 32
characters and excluding “/”, “:”, “*”, “?”, “<” and “>”.

Description

Using the radius scheme command, you can configure a RADIUS scheme and enter
its view. Using the undo radius scheme command, you can delete the specified
RADIUS scheme.

By default, the RADIUS scheme with the name “system” exists in the system, with all
attributes being the defaults.

The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at
least specify the IP address and UDP port number of the RADIUS
authentication/authorization/accounting server and the parameters necessary for the
RADIUS client (a router) to interact with the servers. You must first create a RADIUS
scheme and enter its view before you can perform RADIUS protocol configurations.

A RADIUS scheme can be referenced by several ISP domains at the same time.

The undo radius scheme command can be used to delete any RADIUS scheme
except for the default one. Note that a RADIUS scheme currently being used by any
online users cannot be removed.

For the related commands, see key, retry realtime-accounting, scheme, timer
realtime-accounting, stop-accounting-buffer enable, retry stop-accounting,
server-type, state, user-name-format, retry, display radius and display radius
statistics.

Example

# Create a RADIUS scheme named “huawei” and enter its view.
[Quidway] radius scheme huawei
[Quidway-radius-huawei]

1.2.11 radius nas-ip

Syntax

radius nas-ip ip-address

undo radius nas-ip

View

System view

Parameter

ip-address: Specifies a source IP address, which must be the address of this device. It
cannot be the address of all zeros, or a host/network address of class A, B, or C, or an
address starting with 127.

Description

Using the radius nas-ip command, you can specify the source address of the RADIUS
packets sent from the NAS. Using the undo radius nas-ip command, you can restore the
default setting.

By specifying the source address of the RADIUS packets, you can avoid the situation
where packets returned from the server become unreachable upon an interface failure.
A loopback interface address is normally recommended as the source address.

By default, the source address is not specified, that is, the address of the interface
sending the packet serves as the source address.

This command specifies only one source address; therefore, the newly configured
source address may overwrite the original one.

Example

# Configure the router to send RADIUS packets from 129.10.10.1.
[Quidway] radius nas-ip 129.10.10.1

1.2.12 reset radius statistics

Syntax

reset radius statistics

View

User view

Parameter

None

Description

Using the reset radius statistics command, you can clear the statistic information
related to the RADIUS protocol.

For the related command, see display radius.

Example

# Clear the RADIUS protocol statistics.


<Quidway> reset radius statistics

1.2.13 reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id
session-id | time-range start-time stop-time | user-name user-name }

View

System view

Parameter

radius-scheme radius-scheme-name: Clears the buffered stop-accounting requests
related to the RADIUS scheme specified by radius-scheme-name, a character string
not exceeding 32 characters and excluding “/”, “:”, “*”, “?”, “<” and “>”.

session-id session-id: Clears the buffered stop-accounting requests related to the
session ID specified by session-id, a character string not exceeding 50 characters.

time-range start-time stop-time: Clears the buffered stop-accounting requests by the
time range of the requests, which is specified by start-time and stop-time in the format
hh:mm:ss-mm/dd/yyyy.

user-name user-name: Clears the buffered stop-accounting requests by user-name, a
character string not exceeding 80 characters and excluding “/”, “:”, “*”, “?”, “<” and “>”.
The @ character can be used only once in one username. The username without the
domain name (the part before @, namely the user ID) cannot exceed 24 characters.

Description

Using the reset stop-accounting-buffer command, you can clear the buffered
stop-accounting requests that have no responses.

If the router receives no response after sending a stop-accounting request to a RADIUS
server, it buffers the request packet and retransmits it. The number of allowed
transmission attempts can be set using the retry stop-accounting command.

You can clear the buffered stop-accounting requests by RADIUS scheme, session ID,
username, or time range.

For the related commands, see stop-accounting-buffer enable, retry
stop-accounting, and display stop-accounting-buffer.

Example

# Clear the buffered stop-accounting requests related to the user
“user0001@huawei163.net”.
<Quidway> reset stop-accounting-buffer user-name user0001@huawei163.net

# Clear the buffered stop-accounting requests in the time range 0:0:0 to 23:59:59 on
August 31, 2002.
<Quidway> reset stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002

1.2.14 retry

Syntax

retry retry-times

undo retry

View

RADIUS view

Parameter

retry-times: The maximum number of request attempts, ranging from 1 to 20 and
defaulting to 3.

Description

Using the retry command, you can configure the number of RADIUS request attempts.
Using the undo retry command, you can restore the default.

RADIUS runs over UDP, which provides no reliable delivery. If the NAS receives no
response from the current RADIUS server when the response timeout timer expires, it
has to retransmit the RADIUS request. If the number of request attempts exceeds the
specified retry-times, the NAS considers the communication with the current RADIUS
server disconnected and turns to another RADIUS server.

Set the retry-times parameter appropriately to maintain an acceptable system response
speed.

For the related command, see radius scheme.

Example

# With the RADIUS scheme "huawei", a RADIUS request can be sent up to five times.
[Quidway-radius-huawei] retry 5

1.2.15 retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS view

Parameter

retry-times: The maximum number of real-time accounting request retries.

Description

Using the retry realtime-accounting command, you can configure the maximum
number of real-time accounting requests that may go unanswered. Using the undo retry
realtime-accounting command, you can restore this maximum to the default value.

A RADIUS server usually checks whether a user is still online with a timeout timer. If the
RADIUS server has not received a real-time accounting packet from the NAS within that
time, it assumes a line or device failure and stops accounting. Accordingly, when such an
unexpected failure occurs, the user must be disconnected at the NAS end and on the
RADIUS server synchronously. Huawei Quidway Series Routers support setting the
maximum number of real-time accounting requests that may go unanswered: the NAS
disconnects the user if it has not received a real-time accounting response from the
RADIUS server for the specified number of times.

Suppose the response timeout timer of the RADIUS server is T and the real-time
accounting interval of the NAS is t. Set T to 3, t to 12, and the maximum number of real-time
request retries to 5. With these values configured, the NAS generates an accounting
request every 12 minutes and retries if no response is received within 3 minutes. If no
response is received after five attempts, the NAS assumes that this accounting fails.
Normally, retry-times multiplied by T should be smaller than t.

For the related command, see radius scheme and timer realtime-accounting.

Example

# Configure the RADIUS scheme "huawei" to allow up to ten real-time accounting
request attempts.
[Quidway-radius-huawei] retry realtime-accounting 10

1.2.16 retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS view

Parameter

retry-times: Specifies the maximum number of retransmissions of a stop-accounting
request, ranging from 10 to 65535. By default, the value is 500.

Description

Using the retry stop-accounting command, you can configure the maximum number of
retransmissions of a stop-accounting request. Using the undo retry stop-accounting
command, you can restore the retransmission count to the default value.

Because the stop-accounting request concerns the account balance and affects the
amount charged, which is important for both the user and the ISP, the NAS makes its
best effort to deliver the message to the RADIUS accounting server. Accordingly, if a
message from the router to the RADIUS accounting server is not responded to, the
router saves it in the local buffer and retransmits it until the server responds, or discards
the message after transmitting it the specified number of times.

For the related commands, see reset stop-accounting-buffer, radius scheme, and
display stop-accounting-buffer.

Example

# Configure the router to retransmit a stop-accounting request to the servers in the
RADIUS scheme “huawei” up to 1000 times.
[Quidway-radius-huawei] retry stop-accounting 1000

1.2.17 secondary accounting

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

RADIUS view

Parameter

ip-address: IP address, in dotted decimal format. By default, the IP address of the
secondary accounting server is 0.0.0.0.

port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the
accounting service is provided through UDP 1813.

Description

Using the secondary accounting command, you can configure the IP address and
port number for the secondary RADIUS accounting server. Using the undo secondary
accounting command, you can restore the IP address and port number to the defaults.

For detailed information, refer to the description of the primary accounting command.

For the related commands, see key, radius scheme, and state.

Example

# Set the IP address of the secondary accounting server of RADIUS scheme, huawei,
to 10.110.1.1 and the UDP port 1813 to provide RADIUS accounting service.
[Quidway-radius-huawei] secondary accounting 10.110.1.1 1813

1.2.18 secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format. By default, the IP address of the
secondary authentication/authorization server is 0.0.0.0.

port-number: UDP port number, ranging from 1 to 65535. By default, the
authentication/authorization service is provided through UDP 1812.

Description

Using the secondary authentication command, you can configure the IP address and
port number of the secondary RADIUS authentication/authorization server. Using the
undo secondary authentication command, you can restore the IP address and port
number to the defaults.

For detailed information, refer to the description of the primary authentication
command.

For the related commands, see key, radius scheme, and state.

Example

# Set IP address of the secondary authentication/authorization server in the RADIUS
scheme “huawei” to 10.110.1.2 and use the UDP port 1812 to provide the RADIUS
authentication/authorization service.
[Quidway-radius-huawei] secondary authentication 10.110.1.2 1812

1.2.19 server-type

Syntax

server-type { huawei | iphotel | portal | standard }

View

RADIUS view

Parameter

huawei: Specifies the RADIUS server of Huawei type (generally CAMS), which
requires the RADIUS client (router system) and RADIUS server to interact according to
the procedures and packet format provisioned by the private RADIUS protocol of
Huawei Technologies.

iphotel: Specifies the RADIUS server of IP Hotel type, which requires the RADIUS
client end (router system) and RADIUS server to interact according to the procedures
and packet format provisioned by IP Hotel (an extension of the RADIUS protocol).

portal: Specifies the RADIUS server of portal type, which requires the RADIUS client
end (router system) and RADIUS server to interact according to the regulation and
packet format of Portal (an extension of RADIUS protocol).

standard: Specifies the RADIUS server of Standard type, which requires the RADIUS
client end (router system) and RADIUS server to interact according to the regulation
and packet format of standard RADIUS protocol (RFC 2138/2139 or newer).

Description

Using the server-type command, you can configure the RADIUS server type
supported by the router. Using the

By default, the value is standard.

Huawei Quidway Series Routers support the standard RADIUS protocol and the extended
RADIUS service platforms IP Hotel, 201+ and Portal independently developed by
Huawei Technologies. This command is used to select the supported RADIUS server
type.

For the related command, see radius scheme.

Example

# Set RADIUS server type of RADIUS scheme “huawei” to IP Hotel.
[Quidway-radius-huawei] server-type iphotel

1.2.20 state

Syntax

state { primary | secondary } { accounting | authentication } { block | active }

View

RADIUS view

Parameter

primary: Sets the state of the primary RADIUS server.

secondary: Sets the state of the secondary RADIUS server.

accounting: Sets the state of RADIUS accounting server.

authentication: Sets the state of RADIUS authentication/authorization server.

block: Sets state of the RADIUS server to block.

active: Sets state of the RADIUS server to active, namely the normal operation state.

Description

Using the state command, you can configure the state of a RADIUS server.

By default, all the RADIUS servers in every RADIUS scheme are in the state of active.

When the primary server (accounting or authentication) in a RADIUS scheme becomes
unavailable, the NAS automatically turns to the secondary server. After the primary one
recovers, however, the NAS does not resume communication with it at once; instead,
the NAS continues to communicate with the secondary one and turns to the primary
one again only after the secondary one fails. To have the NAS communicate with the
primary server right after its recovery, you can manually set the state of the primary
server to active.

When both the primary and secondary servers are active, or both are blocked, the NAS
only sends packets to the primary server.

For the related commands, see radius scheme, primary authentication, secondary
authentication, primary accounting, and secondary accounting.

Example

# Set the state of the secondary authentication server in the RADIUS scheme “huawei”
to active.
[Quidway-radius-huawei] state secondary authentication active

1.2.21 stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS view

Parameter

None

Description

Using the stop-accounting-buffer enable command, you can enable the router to
buffer the stop-accounting requests that have no responses. Using the undo
stop-accounting-buffer enable command, you can disable the router from buffering
the stop-accounting requests that have no responses.

By default, the router is enabled to buffer the stop-accounting requests that have no
responses.

Since the stop-accounting packet affects the charge to a user, it has importance for
both users and ISPs. Therefore, the NAS makes its best effort to send every
stop-accounting request to RADIUS accounting servers. If receiving no response after
a specified period of time, the NAS buffers and resends the packet till receiving a
response or discards the packet when the number of transmission retries reaches the
configured limit.

For the related commands, see reset stop-accounting-buffer, radius scheme, and
display stop-accounting-buffer.
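The buffering and retry behaviour described for retry stop-accounting and stop-accounting-buffer enable, together with the selectors of reset stop-accounting-buffer, can be followed in the following model. This is an added example for illustration, not code from the manual or from the router software; the buffer class, its method names, the sample requests and the server's answers are all constructed for the demo.

```python
# Added example (not part of the VRP manual): a model of the NAS buffer for
# unanswered stop-accounting requests, covering stop-accounting-buffer enable,
# retry stop-accounting and the selectors of reset stop-accounting-buffer.
# Request records and the server's behaviour are constructed for the demo.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple

TIME_FORMAT = "%H:%M:%S-%m/%d/%Y"   # hh:mm:ss-mm/dd/yyyy, as used by time-range


def parse_time(text: str) -> datetime:
    """Parse a time-range boundary such as 0:0:0-08/31/2002."""
    return datetime.strptime(text, TIME_FORMAT)


@dataclass
class StopAccountingRequest:
    scheme: str
    session_id: str
    user_name: str
    created: datetime
    retransmissions: int = 0    # retransmissions so far, not counting the first send


class StopAccountingBuffer:
    def __init__(self, enabled: bool = True, retry_limit: int = 500):
        self.enabled = enabled            # stop-accounting-buffer enable (default on)
        self.retry_limit = retry_limit    # retry stop-accounting (default 500)
        self.pending: List[StopAccountingRequest] = []

    def on_no_response(self, req: StopAccountingRequest) -> bool:
        """Called when the first transmission got no answer; True if buffered."""
        if not self.enabled:
            return False
        self.pending.append(req)
        return True

    def retransmit(self, server_answers: Callable[[StopAccountingRequest], bool]) -> Tuple[int, int]:
        """One retransmission round over the buffer; returns (acknowledged, discarded)."""
        acked = discarded = 0
        keep = []
        for req in self.pending:
            req.retransmissions += 1
            if server_answers(req):
                acked += 1
            elif req.retransmissions >= self.retry_limit:
                discarded += 1    # gave up after the configured number of attempts
            else:
                keep.append(req)
        self.pending = keep
        return acked, discarded

    def reset(self, scheme: Optional[str] = None, session_id: Optional[str] = None,
              user_name: Optional[str] = None,
              time_range: Optional[Tuple[str, str]] = None) -> int:
        """Drop buffered requests matching the selectors, like reset stop-accounting-buffer.

        Returns the number of requests removed.
        """
        start = end = None
        if time_range is not None:
            start, end = parse_time(time_range[0]), parse_time(time_range[1])

        def matches(req: StopAccountingRequest) -> bool:
            return ((scheme is None or req.scheme == scheme)
                    and (session_id is None or req.session_id == session_id)
                    and (user_name is None or req.user_name == user_name)
                    and (start is None or start <= req.created <= end))

        before = len(self.pending)
        self.pending = [r for r in self.pending if not matches(r)]
        return before - len(self.pending)
```

The real command takes exactly one selector; reset() here accepts any combination and requires all given selectors to match, which reduces to the command's behaviour when a single one is supplied.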

Example

# In the RADIUS scheme “Huawei”, enable the router to buffer the stop-accounting
requests that have no responses.
[Quidway-radius-huawei] stop-accounting-buffer enable

1.2.22 timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS view

Parameter

minutes: Ranges from 1 to 255. By default, the primary server must wait five minutes
before it can resume the active state.

Description

Using the timer quiet command, you can set the duration that the primary server must
wait before it can resume the active state. Using the undo timer quiet command, you
can restore the default (five minutes).

For the related command, see display radius.

Example

# Set the quiet timer for the primary server to ten minutes.
[Quidway] radius scheme test1
[Quidway-radius-test1] timer quiet 10

1.2.23 timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS view

Parameter

minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60
minutes and defaults to 12.

Description

Using the timer realtime-accounting command, you can configure a real-time
accounting interval. Using the undo timer realtime-accounting command, you can
restore the default interval.

The setting of the real-time accounting interval is indispensable to real-time accounting.
After an interval value is set, the NAS transmits the accounting information of online
users to the RADIUS accounting server at intervals of this value.

The setting of the real-time accounting interval depends somewhat on the performance of
the NAS and the RADIUS server: a shorter interval requires higher device performance.
It is therefore recommended to adopt a longer interval when there are a large number
of users (1000 or more). The following table gives the recommended interval for a
given number of users.

Table 1-2 Recommended ratio of minutes to the number of users

Number of users    Real-time accounting interval (minutes)
1 – 99             3
100 – 499          6
500 – 999          12
≥1000              ≥15

For the related commands, see retry realtime-accounting and radius scheme.
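Added example (not from the manual or the router software): a check that ties together the figures from retry realtime-accounting (retry-times, T and t) and Table 1-2. The function names are this example's; the rule that retry-times multiplied by T should stay below t and the range of legal interval values are taken from the text above, and expressing T in minutes follows the manual's own worked example.

```python
# Added example (not part of the VRP manual): a consistency check for the real-time
# accounting settings described under retry realtime-accounting and timer
# realtime-accounting. Units follow the manual's worked example (T and t in minutes);
# the function names are this example's, not router commands.
from typing import List, Optional

# Table 1-2 of the manual: (lowest user count, highest user count, recommended minutes)
RECOMMENDED_INTERVAL = [(1, 99, 3), (100, 499, 6), (500, 999, 12)]


def recommended_interval(users: int) -> int:
    """Recommended timer realtime-accounting value for a given number of users."""
    for low, high, minutes in RECOMMENDED_INTERVAL:
        if low <= users <= high:
            return minutes
    return 15   # Table 1-2 says ">= 15" for 1000 users or more; 15 is the lower bound


def check_realtime_accounting(interval: int, retry_times: int, response_timeout: int,
                              users: Optional[int] = None) -> List[str]:
    """Return findings for a real-time accounting configuration; empty means consistent.

    interval         -- timer realtime-accounting (t), minutes; legal values are
                        multiples of 3 in the range 3 to 60
    retry_times      -- retry realtime-accounting
    response_timeout -- the RADIUS server's response timeout (T), minutes
    users            -- expected number of online users, for the Table 1-2 check
    """
    findings = []
    if interval < 3 or interval > 60 or interval % 3 != 0:
        findings.append(f"interval {interval} is not a multiple of 3 in the range 3 to 60")
    worst_case = retry_times * response_timeout   # minutes spent before the NAS gives up
    if worst_case >= interval:
        findings.append(
            f"retry-times x T = {worst_case} min is not smaller than t = {interval} min; "
            "a failed report is still being retried when the next one is due")
    if users is not None and interval < recommended_interval(users):
        findings.append(
            f"interval {interval} min is below the {recommended_interval(users)} min "
            f"recommended for {users} users")
    return findings
```

Run with the values of the worked example under retry realtime-accounting (t = 12, retry-times = 5, T = 3), the check reports that 5 x 3 = 15 is not smaller than 12; with the default retry of 3 and the same T the 12-minute interval passes.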

Example

# Set the real-time accounting interval in the RADIUS scheme “huawei” to 51 minutes.
[Quidway-radius-huawei] timer realtime-accounting 51

1.2.24 timer response-timeout

Syntax

timer response-timeout seconds

undo timer response-timeout

View

RADIUS view

Parameter

seconds: RADIUS server response timeout timer, ranging from 1 to 10 seconds. By
default, the value is 3.

Description

Using the timer response-timeout command, you can configure the RADIUS server
response timeout timer. Using the undo timer response-timeout command, you can
restore the default.

If the NAS receives no response from the RADIUS server after sending a RADIUS
request (authentication/authorization or accounting request) for a period of time, the
NAS resends the request, thus ensuring the user can obtain the RADIUS service. You
can specify this period by setting the RADIUS server response timeout timer, taking into
consideration the network condition and the desired system performance.

For the related commands, see radius scheme and retry.
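The interaction between retry, timer response-timeout, state and timer quiet can be followed in a small model of the NAS's server selection. This is an added example and not code from the manual or the router; server reachability is a constructed input, and two readings of the text are taken as assumptions: only the primary server is subject to the quiet timer, and once that timer expires both servers are active again, so the NAS returns to the primary.

```python
# Added example (not part of the VRP manual): a model of how a NAS chooses between
# the primary and secondary server under retry, timer response-timeout, state and
# timer quiet. Server reachability is a constructed input; the wire protocol is
# not modelled. Assumptions: only the primary is subject to the quiet timer, and
# when both servers are active the NAS uses the primary.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RadiusServer:
    role: str                            # "primary" or "secondary"
    reachable: bool                      # constructed: does the server answer at all?
    state: str = "active"                # "active" or "block", as set by `state`
    blocked_at: Optional[float] = None   # minute at which the NAS blocked it


@dataclass
class RadiusScheme:
    primary: RadiusServer
    secondary: RadiusServer
    response_timeout: int = 3   # timer response-timeout, seconds (default 3)
    retry: int = 3              # retry, maximum request attempts (default 3)
    quiet: int = 5              # timer quiet, minutes (default 5)
    events: List[str] = field(default_factory=list)

    def select(self) -> RadiusServer:
        # Both active, or both blocked: the NAS only sends packets to the primary.
        if self.primary.state == self.secondary.state:
            return self.primary
        return self.primary if self.primary.state == "active" else self.secondary

    def set_state(self, role: str, state: str) -> None:
        # Manual override, like `state { primary | secondary } ... { block | active }`.
        srv = self.primary if role == "primary" else self.secondary
        srv.state, srv.blocked_at = state, None

    def expire_quiet(self, now_min: float) -> None:
        # timer quiet: a blocked primary resumes the active state after `quiet` minutes.
        p = self.primary
        if p.state == "block" and p.blocked_at is not None and now_min - p.blocked_at >= self.quiet:
            p.state, p.blocked_at = "active", None
            self.events.append(f"{now_min}m: primary quiet timer expired, active again")

    def send_request(self, now_min: float) -> Tuple[Optional[str], int]:
        """Send one request at minute `now_min`.

        Returns (role of the server that answered or None, seconds spent waiting).
        Each attempt waits response_timeout seconds; after `retry` unanswered
        attempts the server is considered disconnected and blocked, and the NAS
        turns to the other one.
        """
        self.expire_quiet(now_min)
        waited = 0
        for _ in range(2):    # at most the selected server, then the other one
            srv = self.select()
            if srv.reachable:
                return srv.role, waited
            waited += self.retry * self.response_timeout
            srv.state, srv.blocked_at = "block", now_min
            self.events.append(f"{now_min}m: {srv.role} blocked after {self.retry} attempts")
        return None, waited


def failover_demo() -> List[str]:
    """Constructed scenario: primary down at minute 0, recovered by minute 2."""
    s = RadiusScheme(RadiusServer("primary", reachable=False),
                     RadiusServer("secondary", reachable=True))
    trace = [s.send_request(0)]          # primary times out (3 x 3 s), secondary answers
    s.primary.reachable = True           # primary recovers
    trace.append(s.send_request(2))      # still blocked: the NAS stays with the secondary
    trace.append(s.send_request(5))      # quiet timer expired: back to the primary
    return [f"{role} after {sec}s" for role, sec in trace]
```

The worst-case delay a user sees before the NAS gives up on a server is retry multiplied by response-timeout (9 s with the defaults), and twice that when both servers are down; those two settings are therefore tuned together.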

Example

# Set the response timeout timer in the RADIUS scheme huawei to 5 seconds.
[Quidway-radius-huawei] timer response-timeout 5

1.2.25 user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

RADIUS view

Parameter

with-domain: Includes the ISP domain name in the username sent to the RADIUS
server.

without-domain: Excludes the ISP domain name from the username sent to the
RADIUS server.

Description

Using the user-name-format command, you can configure the format of the username
to be sent to a RADIUS server.

By default, ISP domain name is included in the username.

Supplicants are generally named in the userid@isp-name format, where isp-name is
used by the router to decide the ISP domain to which a supplicant belongs. Some earlier
RADIUS servers, however, cannot recognize usernames that include an ISP domain
name. Before sending such a username to a RADIUS server of this kind, the router must
remove the domain name. This command therefore lets you decide whether to include
the domain name in the username sent to a RADIUS server.

Note:
If a RADIUS scheme defines that the username is sent without the ISP domain name, do
not apply the RADIUS scheme to more than one ISP domain. This avoids the confusing
situation where the RADIUS server regards two users in different ISP domains but with
the same userid as one user.

For the related command, see radius scheme.
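Added example, not from the manual or the router software: the username rules given under reset stop-accounting-buffer (at most one @, a user ID of at most 24 characters, 80 characters in total, the excluded characters) applied to the two user-name-format settings, with a check for the collision the note above warns about. The function names and sample usernames are constructed.

```python
# Added example (not part of the VRP manual): how a username is validated and
# rewritten for the RADIUS server under user-name-format, and why a
# without-domain scheme must not be shared between ISP domains.
# Sample usernames are constructed.
from typing import Dict, List, Optional, Tuple

FORBIDDEN_CHARS = set('/:*?<>')     # characters the manual excludes from usernames
MAX_USERNAME = 80                   # full username, including the domain part
MAX_USERID = 24                     # part before the @


def parse_username(name: str) -> Tuple[str, Optional[str]]:
    """Split userid@isp-name into (userid, isp_name); isp_name is None when absent."""
    if not name or len(name) > MAX_USERNAME:
        raise ValueError(f"username must be 1 to {MAX_USERNAME} characters")
    bad = FORBIDDEN_CHARS & set(name)
    if bad:
        raise ValueError(f"username contains forbidden characters: {''.join(sorted(bad))}")
    if name.count('@') > 1:
        raise ValueError("the @ character may appear only once")
    userid, _, isp = name.partition('@')
    if not userid or len(userid) > MAX_USERID:
        raise ValueError(f"user ID must be 1 to {MAX_USERID} characters")
    return userid, (isp or None)


def radius_username(name: str, fmt: str = "with-domain") -> str:
    """Username as sent to the RADIUS server under the given user-name-format."""
    if fmt not in ("with-domain", "without-domain"):
        raise ValueError("fmt must be with-domain or without-domain")
    userid, isp = parse_username(name)
    if fmt == "without-domain" or isp is None:
        return userid
    return f"{userid}@{isp}"


def domain_collisions(names: List[str], fmt: str) -> Dict[str, List[str]]:
    """Map each RADIUS username seen more than once to the local usernames behind it.

    A non-empty result is the situation the manual's note describes: the server
    cannot tell two users in different ISP domains apart.
    """
    seen: Dict[str, List[str]] = {}
    for name in names:
        seen.setdefault(radius_username(name, fmt), []).append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Running domain_collisions over the users of every ISP domain that references a given scheme is a quick way to confirm that switching that scheme to without-domain merges no accounts.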

Example

# Send the username without the domain name to the RADIUS servers in the RADIUS
scheme "huawei".
[Quidway-radius-huawei] user-name-format without-domain

1.3 HWTACACS Configuration Commands

1.3.1 data-flow-format

Syntax

data-flow-format data [ byte | giga-byte | kilo-byte | mega-byte ]

data-flow-format packet [ giga-packet | kilo-packet | mega-packet | one-packet ]

undo data-flow-format [ data | packet ]

View

HWTACACS view

Parameter

data: Sets data unit.

byte: Sets 'byte' as the unit of data flow.

giga-byte: Sets 'giga-byte' as the unit of data flow.

kilo-byte: Sets 'kilo-byte' as the unit of data flow.

mega-byte: Sets 'mega-byte' as the unit of data flow.

packet: Sets data packet unit.

giga-packet: Sets 'giga-packet' as the unit of packet flow.

kilo-packet: Sets 'kilo-packet' as the unit of packet flow.

mega-packet: Sets 'mega-packet' as the unit of packet flow.

one-packet: Sets 'one-packet' as the unit of packet flow.

Description

Using the data-flow-format command, you can configure the unit of data flow that is
sent to the HWTACACS server. Using the undo data-flow-format command, you can
restore the default setting.

By default, the data unit is byte and the data packet unit is one-packet.

For the related command, see display hwtacacs.

Example

# Set the unit of data flow destined for the HWTACACS server "huawei" to kilo-byte
and the data packet unit to kilo-packet.
[Quidway-hwtacacs-huawei] data-flow-format data kilo-byte packet kilo-packet

1.3.2 debugging hwtacacs

Syntax

debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

undo debugging hwtacacs { all | error | event | message | receive-packet |
send-packet }

View

User view

Parameter

all: Specifies all HWTACACS debugging.

error: Specifies error debugging.

event: Specifies event debugging.

message: Specifies message debugging.

receive-packet: Specifies incoming packet debugging.

send-packet: Specifies outgoing packet debugging.

Description

Using the debugging hwtacacs command, you can enable HWTACACS debugging.
Using the undo debugging hwtacacs command, you can disable HWTACACS
debugging.

By default, HWTACACS debugging is disabled.

Example

# Enable the event debugging of HWTACACS.
<Quidway> debugging hwtacacs event

1.3.3 display hwtacacs

Syntax

display hwtacacs [ hwtacacs-scheme-name]

View

Any view

Parameter

hwtacacs-scheme-name: Scheme name of the HWTACACS server, a string of 1 to 32
case-insensitive characters, excluding "/", ":", "*", "?", "<" and ">". If this argument is
omitted, configuration information of all HWTACACS schemes is displayed.

Description

Using the display hwtacacs command, you can view configuration information of one
or all HWTACACS schemes.

By default, configuration information of all HWTACACS schemes is displayed.

For the related command, see hwtacacs scheme.

Example

# View configuration information of all HWTACACS schemes.
<Quidway> display hwtacacs

1.3.4 display stop-accounting-buffer

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

Any view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Displays information on buffered
stop-accounting requests related to the HWTACACS scheme specified by
hwtacacs-scheme-name, a character string not exceeding 32 characters and excluding
“/”, “:”, “*”, “?”, “<” and “>”.

Description

Using the display stop-accounting-buffer command, you can view information on the
stop-accounting requests buffered in the router.

For the related commands, see reset stop-accounting-buffer,
stop-accounting-buffer enable, and retry stop-accounting.

Example

# Display information on the buffered stop-accounting requests related to the
HWTACACS scheme “huawei”.
<Quidway> display stop-accounting-buffer hwtacacs-scheme huawei

1.3.5 hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address

undo hwtacacs nas-ip

View

System view

Parameter

ip-address: Specifies a source IP address, which must be the address of this device. It
cannot be the address of all zeros, or a host/network address of class A, B, or C, or an
address starting with 127.

Description

Using the hwtacacs nas-ip command, you can specify the source address of the
HWTACACS packets sent from the NAS. Using the undo hwtacacs nas-ip command,
you can restore the default setting.

By specifying the source address of the HWTACACS packets, you can avoid the situation
where packets returned from the server become unreachable upon an interface failure.
A loopback interface address is normally recommended as the source address.

By default, the source address is not specified, that is, the address of the interface
sending the packet serves as the source address.

This command specifies only one source address; therefore, the newly configured
source address may overwrite the original one.

Example

# Configure the router to send HWTACACS packets from 129.10.10.1.
[Quidway] hwtacacs nas-ip 129.10.10.1

1.3.6 hwtacacs scheme

Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Parameter

hwtacacs-scheme-name: Specifies an HWTACACS server scheme, with a character
string of 1 to 32 characters.

Description

Using the hwtacacs scheme command, you can enter HWTACACS server view. If the
specified HWTACACS scheme does not exist, the command creates it. Using the undo
hwtacacs scheme command, you can delete an HWTACACS scheme.

Example

# Create an HWTACACS scheme named "test1" and enter the relevant HWTACACS
Server view.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1]

1.3.7 key

Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization } string

View

HWTACACS view

Parameter

accounting: Shared key of the accounting server.

authentication: Shared key of the authentication server.

authorization: Shared key of the authorization server.

string: The shared key, a string up to 16 characters excluding the characters “/”, “:”, “*”,
“?”, “<”, and “>”.

Description

Using the key command, you can configure a shared key for HWTACACS
authentication, authorization or accounting. Using the undo key command, you can
delete the configuration.

By default, no key is set.

The HWTACACS client (the router system) and HWTACACS server use MD5 algorithm
to encrypt the exchanged packets. The two ends verify packets using a shared key.
Only when the same key is used can both ends accept the packets from each other and
give responses. So it is necessary to ensure that the same key is set on the router and
the HWTACACS server. If the authentication/authorization and accounting are
performed on two server devices with different shared keys, you must set one shared
key for each.

For the related command, see display hwtacacs.
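To see why the two ends must hold the same key, the following added example (not code from the manual or from Huawei) implements the MD5 pseudo-pad with which TACACS+ (RFC 8907, section 4.5) obfuscates packet bodies from the shared key, session ID, version and sequence number. That HWTACACS uses the same construction is an assumption, as are the session ID, version byte and sample body used here.

```python
# Added example (not part of the VRP manual): the MD5 keyed pseudo-pad that TACACS+
# (RFC 8907, section 4.5) uses to obfuscate packet bodies. HWTACACS is assumed here
# to use the same construction; the session ID, version byte and body are constructed.
import hashlib
import struct

VERSION = 0xC0   # TACACS+ major version 12, minor 0 (assumption for HWTACACS)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int,
              version: int = VERSION) -> bytes:
    """XOR the body with the pad; applying it again with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def round_trip_matches(body: bytes, sender_key: bytes, receiver_key: bytes,
                       session_id: int = 0x1234ABCD, seq_no: int = 1) -> bool:
    """True only when both ends hold the same shared key (the point of the key command)."""
    wire = obfuscate(body, session_id, sender_key, seq_no)
    return obfuscate(wire, session_id, receiver_key, seq_no) == body
```

The pad is keyed but carries no integrity check of its own: a receiver holding a different key gets no error, only an unreadable body, which is why the router and the HWTACACS server must be configured with the same key before either accepts the other's packets.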

Example

# Use “hello” as the shared key for HWTACACS accounting.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] key accounting hello

1.3.8 nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS view

Parameter

ip-address: IP address in dotted decimal format.

Description

Using the nas-ip command, you can have all the HWTACACS packets sent by the NAS
(the router) carry the same source address. Using the undo nas-ip command, you can
delete the setting.

Specifying a source address for the HWTACACS packets to be transmitted can avoid
the situation where the packets sent back by the HWTACACS server cannot be
received as the result of a physical interface failure. The address of a loopback
interface is usually used as the source address.

By default, the source IP address of an HWTACACS packet sent by the NAS is the IP
address of the output port.

For the related command, see display hwtacacs.

Example

# Set the source IP address carried in the HWTACACS packets that are sent by the
NAS to 10.1.1.1.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] nas-ip 10.1.1.1

1.3.9 primary accounting

Syntax

primary accounting ip-address [ port ]

undo primary accounting

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Using the primary accounting command, you can configure a primary HWTACACS
accounting server. Using the undo primary accounting command, you can delete the
configured primary HWTACACS accounting server.

By default, IP address of HWTACACS accounting server is all zeros.

You are not allowed to assign the same IP address to both primary and secondary
accounting servers.

You can configure only one primary accounting server in an HWTACACS scheme. If you
repeatedly use this command, the latest configuration replaces the previous one.

You can remove an accounting server only when it is not being used by any active TCP
connections, and the removal impacts only packets forwarded afterwards.

Example

# Configure a primary accounting server.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] primary accounting 10.163.155.12 49

1.3.10 primary authentication

Syntax

primary authentication ip-address [ port ]

undo primary authentication

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Using the primary authentication command, you can configure a primary
HWTACACS authentication server. Using the undo primary authentication command,
you can delete the configured authentication server.

By default, IP address of HWTACACS authentication server is all zeros.

You are not allowed to assign the same IP address to both primary and secondary
authentication servers.

You can configure only one primary authentication server in an HWTACACS scheme. If
you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an authentication server only when it is not being used by any active
TCP connections, and the removal impacts only packets forwarded afterwards.

For the related command, see display hwtacacs.

Example

# Configure a primary authentication server.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] primary authentication 10.163.155.13 49

1.3.11 primary authorization

Syntax

primary authorization ip-address [ port ]

undo primary authorization

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.


Description

Using the primary authorization command, you can configure a primary HWTACACS
authorization server. Using the undo primary authorization command, you can delete
the configured primary authorization server.

By default, the IP address of the HWTACACS authorization server is all zeros.

You are not allowed to assign the same IP address to both primary and secondary
authorization servers.

You can configure only one primary authorization server in a HWTACACS scheme. If
you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an authorization server only when it is not being used by any active
TCP connections, and the removal impacts only packets forwarded afterwards.

For the related command, see display hwtacacs.

Example

# Configure a primary authorization server.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] primary authorization 10.163.155.13 49

1.3.12 reset hwtacacs statistics

Syntax

reset hwtacacs statistics { accounting | authentication | authorization | all }

View

User view

Parameter

accounting: Clears all the HWTACACS accounting statistics.

authentication: Clears all the HWTACACS authentication statistics.

authorization: Clears all the HWTACACS authorization statistics.

all: Clears all statistics.


Description

Using the reset hwtacacs statistics command, you can clear HWTACACS protocol
statistics.

For the related command, see display hwtacacs.

Example

# Clear all HWTACACS protocol statistics.
<Quidway> reset hwtacacs statistics

1.3.13 reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

User view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Deletes the stop-accounting requests from the
buffer according to the specified HWTACACS scheme name. The hwtacacs-scheme-name
is a character string of at most 32 characters, excluding “/”, “:”, “*”, “?”, “<”
and “>”.

Description

Using the reset stop-accounting-buffer command, you can clear the stop-accounting
requests that have no response and are buffered on the router.

For the related commands, see stop-accounting-buffer enable, retry
stop-accounting, display stop-accounting-buffer.

Example

# Delete the buffered stop-accounting requests that are related to the HWTACACS
scheme “huawei”.
<Quidway> reset stop-accounting-buffer hwtacacs-scheme huawei


1.3.14 retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS view

Parameter

retry-times: The maximum number of stop-accounting request attempts. It is in the
range 1 to 300 and defaults to 100.

Description

Using the retry stop-accounting command, you can enable stop-accounting packet
retransmission and configure the maximum number of stop-accounting request
attempts. Using the undo retry stop-accounting command, you can restore the
default setting.

By default, stop-accounting packet retransmission is enabled and up to 100 packets
are allowed to be transmitted for each request.

For the related commands, see reset stop-accounting-buffer, hwtacacs scheme,
and display stop-accounting-buffer.

Example

# Enable stop-accounting packet retransmission and allow up to 50 packets to be
transmitted for each request.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] retry stop-accounting 50

1.3.15 secondary accounting

Syntax

secondary accounting ip-address [ port ]

undo secondary accounting

View

HWTACACS view


Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Using the secondary accounting command, you can configure a secondary HWTACACS
accounting server. Using the undo secondary accounting command, you can delete
the configured secondary HWTACACS accounting server.

By default, the IP address of the HWTACACS accounting server is all zeros.

You are not allowed to assign the same IP address to both primary and secondary
accounting servers.

You can configure only one secondary accounting server in a HWTACACS scheme. If
you repeatedly use this command, the latest configuration replaces the previous one.

You can remove an accounting server only when it is not being used by any active TCP
connections, and the removal impacts only packets forwarded afterwards.

Example

# Configure a secondary accounting server.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] secondary accounting 10.163.155.12 49

1.3.16 secondary authentication

Syntax

secondary authentication ip-address [ port ]

undo secondary authentication

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.


Description

Using the secondary authentication command, you can configure a secondary
HWTACACS authentication server. Using the undo secondary authentication
command, you can delete the configured secondary authentication server.

By default, the IP address of the HWTACACS authentication server is all zeros.

You are not allowed to assign the same IP address to both primary and secondary
authentication servers.

You can configure only one secondary authentication server in a HWTACACS scheme.
If you repeatedly use this command, the latest configuration replaces the previous
one.

You can remove an authentication server only when it is not being used by any active
TCP connections, and the removal impacts only packets forwarded afterwards.

For the related command, see display hwtacacs.

Example

# Configure a secondary authentication server.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] secondary authentication 10.163.155.13 49

1.3.17 secondary authorization

Syntax

secondary authorization ip-address [ port ]

undo secondary authorization

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Using the secondary authorization command, you can configure a secondary
HWTACACS authorization server. Using the undo secondary authorization command,
you can delete the configured secondary authorization server.


By default, the IP address of the HWTACACS authorization server is all zeros.

You are not allowed to assign the same IP address to both primary and secondary
authorization servers.

You can configure only one secondary authorization server in a HWTACACS scheme.
If you repeatedly use this command, the latest configuration replaces the previous
one.

You can remove an authorization server only when it is not being used by any active
TCP connections, and the removal impacts only packets forwarded afterwards.

For the related command, see display hwtacacs.

Example

# Configure the secondary authorization server.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] secondary authorization 10.163.155.13 49

1.3.18 timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS view

Parameter

minutes: Ranges from 1 to 255 minutes. By default, the primary server must wait five
minutes before it resumes the active state.

Description

Using the timer quiet command, you can set the duration that a primary server must
wait before it can resume the active state. Using the undo timer quiet command, you
can restore the default (five minutes).

For the related command, see display hwtacacs.

Example

# Set the quiet timer for the primary server to ten minutes.
[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] timer quiet 10

1.3.19 timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS view

Parameter

minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60
minutes and defaults to 12.

Description

Using the timer realtime-accounting command, you can configure a real-time
accounting interval. Using the undo timer realtime-accounting command, you can
restore the default interval.

The real-time accounting interval is necessary for real-time accounting. After an
interval value is set, the NAS transmits the accounting information of online users
to the HWTACACS accounting server at intervals of this value.

The setting of the real-time accounting interval depends somewhat on the performance
of the NAS and the HWTACACS server: a shorter interval requires higher device
performance. It is therefore recommended to adopt a longer interval when there are a
large number of users (1000 or more). The following table recommends the ratio of
minutes to the number of users.

Table 1-3 Recommended ratio of minutes to the number of users

Number of users    Real-time accounting interval (minute)
1 – 99             3
100 – 499          6
500 – 999          12
≥1000              ≥15


For the related commands, see retry realtime-accounting and radius scheme.

Example

# Set the real-time accounting interval in the HWTACACS scheme “huawei” to 51
minutes.
[Quidway-hwtacacs-huawei] timer realtime-accounting 51

1.3.20 timer response-timeout

Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS view

Parameter

seconds: Ranges from 1 to 300 seconds and defaults to five seconds.

Description

Using the timer response-timeout command, you can set the response timeout timer
of the HWTACACS server. Using the undo timer response-timeout command, you can
restore the default (five seconds).

Note:
As HWTACACS is based on TCP, either the server response timeout or the TCP timeout
may cause disconnection from the HWTACACS server.

For the related command, see display hwtacacs.

Example

# Set the response timeout time of the HWTACACS server to 30 seconds.


[Quidway] hwtacacs scheme test1
[Quidway-hwtacacs-test1] timer response-timeout 30


1.3.21 user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

HWTACACS view

Parameter

with-domain: Specifies to send the username with the domain name to the HWTACACS
server.

without-domain: Specifies to send the username without the domain name to the
HWTACACS server.

Description

Using the user-name-format command, you can configure the username format sent
to the HWTACACS server.

By default, the HWTACACS scheme assumes that the username sent to it includes the
ISP domain name.

The supplicants are generally named in "userid@isp-name" format. The part following
“@” is the ISP domain name. The router will put the users into certain ISP domains
according to the domain names. However, some earlier HWTACACS servers reject the
username including ISP domain name. In this case, the username will be sent to the
HWTACACS server after its domain name is removed. Accordingly, the router provides
this command to decide whether the username to be sent to HWTACACS server
carries ISP domain name or not.

Note:
If a HWTACACS scheme is configured to reject usernames including ISP domain names,
the HWTACACS scheme must not be used in more than one ISP domain at the same time.
Otherwise, the HWTACACS server will mistakenly regard two users in different ISP
domains as the same user if they have the same username (excluding their respective
domain names).

For the related commands, see hwtacacs scheme.


Example

# Specify to send the username without domain name to the HWTACACS scheme
"huawei".
[Quidway-hwtacacs-huawei] user-name-format without-domain

Chapter 2 Access Control List Configuration Commands

2.1 ACL Configuration Commands

2.1.1 acl

Syntax

acl number acl-number [ match-order { config | auto } ]

undo acl { number acl-number | all }

View

System View

Parameter

number: Defines a numbered ACL (access control list).

acl-number: ACL number. Interface-based ACLs range from 1000 to 1999, basic ACLs
from 2000 to 2999, advanced ACLs from 3000 to 3999, and MAC-based ACLs from 4000 to
4999.

match-order: Indicates the order in which rules are configured.

config: Matches rules in the order in which the user configured them.

auto: Matches rules in automatic order, following the "depth first" principle.

all: Deletes all ACLs.

Description

Using the acl command, you can create an access control list and enter ACL view.
Using the undo acl command, you can delete an access control list.


An access control list consists of a list of rules, each described by a permit or
deny statement. Several such rules form an ACL. Before configuring the rules of an
access control list, you must create the access control list first.

Example

# Create an ACL numbered 2000.
[Quidway] acl number 2000
[Quidway-acl-basic-2000]

2.1.2 display acl

Syntax

display acl { all | acl-number }

View

Any view

Parameter

all: All ACL rules.

acl-number: ACL expressed by number.

Description

Using the display acl command, you can view the rules of access control list.

The rule match order defaults to config, that is, the configuration order. In that
case the display command does not show the match order. If the match order is auto,
the display command shows it.

Example

# Display the contents of the ACL 2000 rules.
[Quidway-acl-basic-2000] display acl 2000
Basic ACL 2000, 2 rules,
rule 1 permit (0 times matched)
rule 2 permit source 1.1.1.1 0 (0 times matched)


2.1.3 reset acl counter

Syntax

reset acl counter { all | acl-number }

View

User View

Parameter

acl-number: ACL expressed by number.

all: All ACL rules.

Description

Using the reset acl counter command, you can clear the statistics of access control
list.

Example

# Reset the statistics of access control list 1000.
<Quidway> reset acl counter 1000

2.1.4 rule

Syntax

1) Create or delete a rule of a basic access control list.
rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ]
[ time-range time-name ] [ logging ] [ fragment ] [ vpn-instance vpn-instance-name ]

undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ] [ vpn-instance
vpn-instance-name ]

2) Create or delete a rule of an advanced access control list.
rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ]
[ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ]
[ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type
icmp-code } ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ]
[ fragment ] [ vpn-instance vpn-instance-name ]

undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ]
[ icmp-type ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]
[ vpn-instance vpn-instance-name ]

3) Create or delete a rule of an interface-based access control list.
rule [ rule-id ] { permit | deny } interface { interface-name | any } [ time-range
time-name ] [ logging ]

undo rule rule-id [ time-range time-name ] [ logging ]

4) Create or delete a rule of a MAC-based access control list.
rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ]
[ source-mac sour-addr source-mask ] [ dest-mac dest-addr dest-mask ]

undo rule rule-id [ time-range time-name ] [ logging ]

View

ACL view

Parameter

In the rule command:

rule-id: ID of an ACL rule, optional, ranging from 0 to 127. If you specify a rule-id
and the ACL rule with that ID already exists, the newly defined rule overwrites the
existing rule, which amounts to editing the existing ACL rule. If the rule-id you
specify does not exist, a new rule with the specified rule-id is created. If you do
not specify a rule-id, a new rule is created and the system assigns a rule-id to it
automatically.

deny: Discards matched packets.

permit: Permits matched packets.

protocol: Protocol type over IP expressed by name or number. The number range is
from 0 to 255, and the name range covers gre, icmp, igmp, ip, ipinip, ospf, tcp and udp.

source: Optional. Specifies the source address information of the ACL rule. If it is
not configured, any source address of the packets matches.

source-addr: Source IP address of packets in dotted decimal format. Alternatively, use
"any" to represent the source address 0.0.0.0 with the wildcard 255.255.255.255.

source-wildcard: Source address wildcard in dotted decimal format. Inputting “0”
indicates that the wildcard is 0.0.0.0, which represents the single host with the
address specified by the parameter source-addr.


destination: Optional. Specifies the destination address information of the ACL rule.
If it is not configured, any destination address of the packets matches.

dest-addr: Destination IP address of packets in dotted decimal format. Alternatively,
use "any" to represent the destination address 0.0.0.0 with the wildcard
255.255.255.255.

dest-wildcard: Destination address wildcard in dotted decimal format. Inputting “0”
indicates that the wildcard is 0.0.0.0, which represents the single host with the
address specified by the parameter dest-addr.

source-port: Optional. Specifies the source port information of UDP or TCP packets,
valid only when the protocol specified by the rule is TCP or UDP. If it is not
specified, any source port of TCP/UDP packets matches.

destination-port: Optional. Specifies the destination port information of UDP or TCP
packets, valid only when the protocol specified by the rule is TCP or UDP. If it is
not specified, any destination port of TCP/UDP packets matches.

operator: Optional. Comparison applied to the source or destination port number. The
operators and their meanings are: lt (lower than), gt (greater than), eq (equal to),
neq (not equal to) and range (between). If the operator is range, two port numbers
must follow it; the other operators take one port number.

port: Optional. Port number of TCP or UDP, expressed by name or number. The number
range is from 0 to 65535.

icmp-type: Optional. Specifies the ICMP packet type and ICMP message code, valid only
when the packet protocol is ICMP. If it is not configured, any ICMP packet matches.

icmp-type: ICMP packets can be filtered according to the ICMP message type. It is a
number ranging from 0 to 255.

icmp-code: ICMP packets that can be filtered according to ICMP message type can also
be filtered according to the message code. It is a number ranging from 0 to 255.

icmp-message: ICMP packets can be filtered according to the ICMP message type or
ICMP message code.

precedence: Optional, a number ranging from 0 to 7, or a name. Packets can be filtered
according to the precedence field.

tos: Optional, a number ranging from 0 to 15, or a name. Packets can be filtered
according to the type of service.

logging: Optional, indicating whether to log qualified packets. The log contents include
sequence number of ACL rule, packets passed or discarded, upper layer protocol type
over IP, source/destination address, source/destination port number, and number of
packets.


time-name: Specifies that the ACL is valid in this time range.

fragment: Specifies that this rule is valid only for fragment packets that are not
the first fragment.

interface: Specifies the interface information of the packets. If it is not specified,
all interfaces match.

interface-name: Specifies the interface through which the packets enter.

any: Any interface.

vpn-instance: Optional parameter specifying the vpn-instance to which the packets
belong. If it is not specified, the ACL rule is valid for the packets in all
vpn-instances. If it is specified, the ACL rule is valid only for the specified
vpn-instance.

vpn-instance-name: Specifies the name of an existing vpn-instance.

In the undo rule command:

rule-id: ID of an ACL rule, it should be an existing ACL rule number. If the command is
not followed by other parameters, this ACL rule will be deleted completely; otherwise,
only part of information related to this ACL rule will be deleted.

source: Optional. Only the information settings related to the source address part of
the ACL rule number will be deleted.

destination: Optional. Only the information setting related to the destination address
part of the ACL rule number will be deleted.

source-port: Optional. Only the information setting related to the source port part of the
ACL rule number will be deleted, valid only when the protocol is TCP or UDP.

destination-port: Optional. Only the information setting related to the destination port
part of the ACL rule number will be deleted, valid only when the protocol is TCP or UDP.

icmp-type: Optional. Only the information setting related to ICMP type and message
code part of the ACL rule number will be deleted, valid only when the protocol is ICMP.

precedence: Optional. Only the setting of precedence configuration of the ACL rule will
be deleted.

tos: Optional. Only related tos setting corresponding to the ACL rule will be deleted.

time-range: Optional. Only the setting corresponding to the time range part of the ACL
rule will be deleted.

logging: Optional. Only the setting corresponding to the logging part of the ACL rule
will be deleted.


fragment: Optional. Only the setting corresponding to the validity of non-first packets
fragmentation of the ACL rule will be deleted.

vpn-instance: Optional parameter. If it is specified, the deletion removes only the
settings involving the vpn-instance from the specified ACL rule.

type-code: Type of the Data frame, a 16-bit hexadecimal number corresponds to the
type-code field in Ethernet_II and Ethernet_SNAP frames.

type-mask: A 16-bit hexadecimal number used for specifying the mask bits.

lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.

lsap-mask: LSAP mask, a 16-bit hexadecimal number used to specify mask bits.

sour-addr: Source MAC address in the format of xxxx-xxxx-xxxx, used to match the
source address of a packet.

sour-mask: Source MAC address mask.

dest-addr: Destination MAC address in the format of xxxx-xxxx-xxxx, used to match the
destination address of a packet.

dest-mask: Destination MAC address mask.

Description

Using the rule command, you can add a rule in current ACL view. Using the undo rule
command, you can delete a rule.

The rule ID is needed when you delete a rule. If you do not know the ID, use the
display acl command to find it out.

Example

# Create ACL 3001 and add a rule to deny RIP packets.
[Quidway] acl number 3001
[Quidway-acl-adv-3001] rule deny udp destination-port eq rip

# Add a rule to permit hosts in the network segment 129.9.0.0 to send WWW packet to
hosts in the network segment 202.38.160.0.
[Quidway-acl-adv-3001] rule permit tcp source 129.9.0.0 0.0.255.255
destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to deny WWW access (80) from the hosts in network segment 129.9.0.0 to
the hosts in network segment 202.38.160.0, and log packets that match the rule.
[Quidway-acl-adv-3001] rule deny tcp source 129.9.0.0 0.0.255.255 destination
202.38.160.0 0.0.0.255 destination-port eq www logging


# Add a rule to permit the WWW access (80) from the host in network segment
129.9.8.0 to the host in network segment 202.38.160.0.
[Quidway-acl-adv-3001] rule permit tcp source 129.9.8.0 0.0.0.255 destination
202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to prohibit all hosts from establishing Telnet (23) connection to the host
with the IP address 202.38.160.1.
[Quidway-acl-adv-3001] rule deny tcp destination 202.38.160.1 0
destination-port eq telnet

# Add a rule to prohibit UDP connections with a port number greater than 128 from the
hosts in network segment 129.9.8.0 to the hosts in network segment 202.38.160.0.
[Quidway-acl-adv-3001] rule deny udp source 129.9.8.0 0.0.0.255 destination
202.38.160.0 0.0.0.255 destination-port gt 128

# Add a rule, denying the packets carrying the source address 1.1.1.1 from VPN vrf1.
[Quidway-acl-adv-3001] rule deny ip source 1.1.1.1 vpn-instance vrf1

2.2 Time-range Configuration Commands

2.2.1 display time-range

Syntax

display time-range { all | time-name }

View

Any view

Parameter

time-name: Name of the time range.

all: Displays all the configured time ranges.

Description

Using the display time-range command, you can view the configuration and the status
of time range. For the active time range at present, it displays "active" and for the
inactive time range, it displays "inactive".

The system updates the ACL status with a deviation of about one minute, whereas
display time-range shows the state of a time range at the current time exactly. The
following case may therefore occur: display time-range shows that a time range is
active, but the ACL that should be active in that time range is still inactive. This
is normal.

Example

# Display all time ranges.
[Quidway] display time-range all

# Display the time range named trname.
[Quidway] display time-range trname
Current time is 02:49:36 2/15/2003 Saturday
Time-range : trname ( Inactive )
14:00 to 16:00 off-day from 00:00 12/1/2002 to 00:00 12/1/2003

2.2.2 time-range

Syntax

time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2
date2 ]

undo time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to
time2 date2 ]

View

System view

Parameter

time-name: Name of time range.

start-time: Start time of a time range, in the format of HH:MM.

end-time: End time of a time range, in the format of HH:MM.

days: Indicates on which day of a week the time range is valid, or from which day in a
week the time range is valid. The following parameters can be input:

Number (0 to 6);

Monday to Sunday (Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday);

Working-day, from Monday to Friday;

Off-day, including Saturday and Sunday;

Daily, including the seven days of a week.


from time1 date1: Optional. Indicates the start time and date. The time is entered as
hh:mm in 24-hour notation, where hh ranges from 0 to 23 and mm from 0 to 59. The date
is entered as MM/DD/YYYY, where DD ranges from 1 to 31, MM from 1 to 12 and YYYY is a
4-digit number. If no start time is set, there is no restriction on the start time
and only the end time is considered.

to time2 date2: Optional. It is used to indicate the end time and date. In addition, the
input format of time and date is the same with that of the start time. The end time must
be greater than the start time. If the end time is not set, it will be the maximum time that
the system can set.

Description

Using the time-range command, you can specify a time range. Using the undo
time-range command, you can delete a time range.

A time range consists of 2 parts, the first is the periodic time range within one week
described by the parameters start-time and end-time, depending on the parameter
days to specify on which day it is valid; the second is the time range specified by from
and to, which can be used to emphasize in what time range the periodical time range is
valid.

You can configure multiple time ranges with the same time-name, which are in “OR”
relationship.

Example

# Configure a time range that becomes valid at 0:00 on Jan. 1, 2003 and stays valid
thereafter.
[Quidway] time-range test from 0:0 1/1/2003

# Configure the time range valid between 14:00 and 16:00 on every weekend day, from
20:00 on Apr. 01, 2003 to 20:00 on Dec. 10, 2003.
[Quidway] time-range test 14:00 to 16:00 off-day from 20:00 04/01/2003 to 20:00
12/10/2003

# Configure the time range valid between 8:00 and 18:00 in each working day.
[Quidway] time-range test 8:00 to 18:00 working-day

# Configure the time range valid between 14:00 and 18:00 in each weekend day.
[Quidway] time-range test 14:00 to 18:00 off-day
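The two-part time range (periodic part bounded by the absolute from/to window) and the OR relationship between entries sharing one time-name, as an added example that is not part of this manual: a Python evaluator for time-range statements in the syntax above, checked against the display time-range output shown earlier. Assumptions not stated in the manual: numeric days 0 to 6 count from Sunday, an omitted days parameter means daily, and end-time is exclusive.

```python
"""Added example (not code from the VRP manual or from Huawei): evaluate time-range
statements in the manual's syntax. Assumptions not stated on the page: numeric
days 0-6 count from Sunday, an omitted 'days' means daily, and end-time is
exclusive."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

# datetime.weekday(): Monday = 0 ... Sunday = 6
DAY_NAMES = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
             "friday": 4, "saturday": 5, "sunday": 6}
DAY_GROUPS = {"working-day": set(range(5)), "off-day": {5, 6}, "daily": set(range(7))}


def parse_days(tokens: List[str]) -> Set[int]:
    """Accept numbers 0-6, day names, working-day, off-day or daily."""
    days: Set[int] = set()
    for tok in tokens:
        low = tok.lower()
        if low in DAY_GROUPS:
            days |= DAY_GROUPS[low]
        elif low in DAY_NAMES:
            days.add(DAY_NAMES[low])
        elif tok.isdigit() and int(tok) <= 6:
            days.add((int(tok) - 1) % 7)   # assumed: 0 = Sunday, 1 = Monday, ...
        else:
            raise ValueError(f"unknown day {tok!r}")
    return days or DAY_GROUPS["daily"]    # assumed default when days is omitted


def parse_stamp(hhmm: str, date: str) -> datetime:
    """Absolute from/to stamps: 24-hour hh:mm and MM/DD/YYYY, as the manual states."""
    return datetime.strptime(f"{hhmm} {date}", "%H:%M %m/%d/%Y")


@dataclass
class TimeRange:
    name: str
    start: Optional[time] = None       # periodic part, within a week
    end: Optional[time] = None
    days: Set[int] = field(default_factory=set)
    begin: Optional[datetime] = None   # absolute part: from ...
    finish: Optional[datetime] = None  # absolute part: to ...

    def active(self, now: datetime) -> bool:
        """Both parts must hold: the absolute window bounds the periodic one."""
        if self.begin is not None and now < self.begin:
            return False
        if self.finish is not None and now > self.finish:
            return False
        if self.start is not None:
            return now.weekday() in self.days and self.start <= now.time() < self.end
        return True


def parse_time_range(text: str) -> TimeRange:
    """Parse e.g. 'time-range test 14:00 to 16:00 off-day from 20:00 04/01/2003'."""
    t = text.split()
    if t[0] != "time-range":
        raise ValueError("expected a time-range command")
    tr, i = TimeRange(name=t[1]), 2
    if i + 2 < len(t) and t[i + 1] == "to":          # periodic part present
        tr.start = datetime.strptime(t[i], "%H:%M").time()
        tr.end = datetime.strptime(t[i + 2], "%H:%M").time()
        i += 3
        day_tokens = []
        while i < len(t) and t[i] not in ("from", "to"):
            day_tokens.append(t[i])
            i += 1
        tr.days = parse_days(day_tokens)
    while i < len(t):                                 # absolute part
        if t[i] == "from":
            tr.begin = parse_stamp(t[i + 1], t[i + 2])
        elif t[i] == "to":
            tr.finish = parse_stamp(t[i + 1], t[i + 2])
        else:
            raise ValueError(f"unexpected token {t[i]!r}")
        i += 3
    if tr.begin and tr.finish and tr.finish <= tr.begin:
        raise ValueError("end time must be greater than start time")
    return tr


def time_range_active(entries: List[TimeRange], name: str, now: datetime) -> bool:
    """Entries configured under the same time-name are in an OR relationship."""
    return any(e.active(now) for e in entries if e.name == name)


def active_at(entries: List[TimeRange], name: str, hhmm: str, date: str) -> bool:
    """Convenience wrapper taking the manual's hh:mm and MM/DD/YYYY notation."""
    return time_range_active(entries, name, parse_stamp(hhmm, date))


# Constructed from the manual's display time-range and time-range examples; the
# from-only entry is renamed 'always' here so it is not ORed with 'test'.
SAMPLE = [parse_time_range(s) for s in (
    "time-range trname 14:00 to 16:00 off-day from 00:00 12/1/2002 to 00:00 12/1/2003",
    "time-range test 8:00 to 18:00 working-day",
    "time-range test 14:00 to 18:00 off-day",
    "time-range always from 0:0 1/1/2003",
)]
```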


Chapter 3 Firewall Configuration Commands

3.1 Packet Filtering Firewall Configuration Commands

3.1.1 debugging firewall

Syntax

debugging firewall { all | icmp | tcp | udp | fragments-inspect | others } [ interface
interface-name ]

undo debugging firewall { all | icmp | tcp | udp | fragments-inspect | others }
[ interface interface-name ]

View

User view

Parameter

icmp: Debugging information of ICMP packet filtering.

tcp: Debugging information of TCP packet filtering.

udp: Debugging information of UDP packet filtering.

fragments-inspect: Fragment debugging information.

others: Debugging information of all the other packets except ICMP, TCP and UDP.

interface interface-name: Debugging information of the corresponding packets
passing the interface. The debugging information of all the interfaces will be
displayed if this parameter is not configured.

all: Debugging information of all the packets.

Description

Using the debugging firewall command, you can enable the information debugging of
the firewall packet filtering. Using the undo debugging firewall command, you can
disable the information debugging of the firewall packet filtering.

By default, all the information debugging of the firewall is disabled.


For the related command, see display debugging.

Example

# Enable the debugging information about UDP packet filtering (user view).
<Quidway> debugging firewall udp

3.1.2 display firewall-statistics

Syntax

display firewall-statistics { all | interface interface-name | fragments-inspect }

View

Any view

Parameter

all: Displays the filtering packet statistics of all the interfaces.

interface: Displays the filtering packet statistics of a certain interface.

interface-name: Name of the interface.

fragments-inspect: Displays the fragment inspection information.

Description

Using the display firewall-statistics command, you can view the firewall statistics.

For the related command, see firewall fragments-inspect.

Example

# Display the information of fragment inspection.


<Quidway> display firewall-statistics fragments-inspect
Fragments inspection is enabled.
The high-watermark for clamping is 10000.
The low-watermark for clamping is 1000.
Current records for fragments inspection is 0.

3.1.3 firewall default

Syntax

firewall default { permit | deny }


View

System view

Parameter

permit: Default filter rule is permitting packets to pass.

deny: Default filter rule is denying packets to pass.

Description

Using the firewall default command, you can configure the default filtering rule of the
firewall, that is, whether a packet that matches no ACL rule is permitted or denied.

By default, the system permits such packets. A default of permit means that any traffic
not matched by an explicit rule is forwarded; on an interface facing an untrusted
network, set the default to deny and permit only the required flows explicitly.

Example

# Set the default filtering rule of the firewall to “deny”.


[Quidway] firewall default deny

3.1.4 firewall enable

Syntax

firewall enable

undo firewall enable

View

System view

Parameter

none.

Description

Using the firewall enable command, you can enable the firewall. Using the undo
firewall enable command, you can disable the firewall.

By default, the firewall is disabled.

Example

# Enable the firewall.
[Quidway] firewall enable

3.1.5 firewall fragments-inspect

Syntax

firewall fragments-inspect

undo firewall fragments-inspect

View

System view

Parameter

none

Description

Using the firewall fragments-inspect command, you can enable the fragment
inspection switch. Using the undo firewall fragments-inspect command, you can
disable it.

By default, the fragment inspection switch is disabled.

Fragment inspection is the prerequisite for exact matching: only after it is enabled can
the exact match mode of firewall packet-filter take effect. With it enabled, the packet
filtering firewall records the state of the first fragment of each datagram and uses the
information above layer 3 (the IP layer) carried in that first fragment, such as TCP/UDP
ports, to match the following fragments against advanced ACL rules exactly.

Recording fragment state consumes system resources. If the exact match mode is not
used, disable this function to improve the running efficiency of the system and reduce
its cost.

For the related commands, see display firewall-statistics fragments-inspect and
firewall packet-filter.

Example

# Enable the fragment inspection switch.
[Quidway] firewall fragments-inspect

3.1.6 firewall fragments-inspect { high | low }


Syntax

firewall fragments-inspect { high | low } { default | number }

undo firewall fragments-inspect { high | low }

View

System view

Parameter

high number: Specifies the high threshold of the fragment status records. It is in the
range from 100 to 10000.

low number: Specifies the low threshold of the fragment status records. It is in the
range from 100 to 10000.

default: Default number of fragment status records. The default high threshold of the
fragment status records is 2000 and the default low threshold of the fragment status
records is 1500.

Description

Using the firewall fragments-inspect { high | low } command, you can configure the
high and low thresholds of the fragment inspection record table. Using the undo
firewall fragments-inspect { high | low } command, you can restore the default
threshold.

When fragment inspection is enabled and exact match filtering is applied, packet
filtering runs somewhat slower, and the more fragment records are kept, the larger the
slowdown. The thresholds bound the record table: when the number of fragment state
records reaches the high threshold, the oldest records are deleted until the number
drops below the low threshold. A fragment whose record has been evicted can no
longer be matched on its layer-4 information, so size the thresholds for the fragment
rate actually seen on the interface rather than as small as possible.

The low threshold must be no greater than the high threshold.

For the related commands, see display firewall-statistics fragments-inspect and
firewall packet-filter.

Example

# Configure the high threshold for fragment packet inspection to 3000 and configure the
low threshold to the default value.
[Quidway] firewall fragments-inspect high 3000
[Quidway] firewall fragments-inspect low default


3.1.7 firewall packet-filter

Syntax

firewall packet-filter acl-number { inbound | outbound } [ match-fragments { normally | exactly } ]

undo firewall packet-filter acl-number { inbound | outbound }

View

Interface view

Parameter

acl-number: Number of the access control list to apply.

inbound: Filters the packet received from the interface.

outbound: Filters the packet forwarded from the interface.

match-fragments: Specifies the matching mode for fragments. This parameter applies
only to advanced ACLs.

Packet filtering on the VRP platform can filter fragmented packets. All fragments are
matched and filtered at layer 3 (the IP layer) by source IP address, destination IP
address and so on. For advanced ACL rules that also contain layer-4 information, such
as TCP/UDP port numbers or ICMP type, two modes are available: standard matching
and exact matching. Standard matching uses only the layer-3 information of the rule
and ignores the rest. Exact matching applies the whole advanced ACL rule to every
fragment; to do this the firewall must store the state of the first fragment, which carries
the layer-4 header, so that the following fragments, which do not, can be matched
against the complete rule. Standard matching is the default.

normally: Standard (normal) matching mode, the default.

exactly: Exact matching mode; requires firewall fragments-inspect to be enabled.

Description

Using the firewall packet-filter command, you can apply the access control list to the
corresponding interface. Using the undo firewall packet-filter command, you can
delete the corresponding setting.

Interface-based ACL (namely ACL rule with sequence number from 1000 to 1999) can
only use the parameter outbound.


For related command, see acl, display acl and firewall fragments-inspect.

Example

# Apply ACL 1001 to the Serial1/0/0 interface to filter the packets forwarded by the
interface.
[Quidway-Serial1/0/0] firewall packet-filter 1001 outbound
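A complete packet filter deployment that ties the commands of 3.1.3 to 3.1.7 together, added here as an example; it is not configuration from the manual. The advanced ACL number and rule syntax (acl number 3001, rule permit tcp ... destination-port eq ...) come from the ACL chapter, which is not on this page, and the server address and interface name are assumed.

```text
# Turn the packet filter on and make the default for unmatched traffic "deny",
# so only explicitly permitted flows cross a filtered interface.
[Quidway] firewall enable
[Quidway] firewall default deny

# Keep fragment state so advanced rules (ports) can be matched exactly on
# non-initial fragments; bound the record table (low must not exceed high).
[Quidway] firewall fragments-inspect
[Quidway] firewall fragments-inspect high 3000
[Quidway] firewall fragments-inspect low 2000

# Advanced ACL (assumed syntax from the ACL chapter): allow only HTTP to the
# web server 10.1.1.2; everything else falls through to the deny default.
[Quidway] acl number 3001
[Quidway-acl-adv-3001] rule permit tcp destination 10.1.1.2 0 destination-port eq 80
[Quidway-acl-adv-3001] quit

# Apply the ACL inbound on the Internet-facing interface with exact fragment
# matching, so a fragmented packet cannot bypass the port check.
[Quidway] interface Serial1/0/0
[Quidway-Serial1/0/0] firewall packet-filter 3001 inbound match-fragments exactly
[Quidway-Serial1/0/0] quit

# Verify the per-interface counters and the fragment record table.
[Quidway] display firewall-statistics interface Serial1/0/0
[Quidway] display firewall-statistics fragments-inspect
```

With match-fragments normally instead of exactly, non-initial fragments would be judged on source and destination address only and could reach ports the rule does not permit; exactly is the mode to use on a perimeter interface, at the cost of the fragment state table.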

3.1.8 reset firewall-statistics

Syntax

reset firewall-statistics { all | interface interface-name }

View

User view

Parameter

all: Clears the filtering packet statistics of all the interfaces.

interface: Clears the filtering packet statistics of a certain interface.

interface-name: Name of the interface.

Description

Using the reset firewall-statistics command, you can clear the firewall statistics.

Example

# Clear filtering packet statistics of the interface E3/1/0.


[Quidway] reset firewall-statistics interface e3/1/0

3.2 ASPF Configuration Commands


3.2.1 aging-time

Syntax

aging-time { syn | fin | tcp | udp } seconds

undo aging-time { syn | fin | tcp | udp }

View

ASPF policy view

Parameter

seconds: Timeout value in seconds. The default timeout of SYN, FIN, TCP and UDP is
30 s, 5 s, 3600 s and 30 s respectively.

Description

Using the aging-time command, you can configure the TCP SYN-wait timeout, the TCP
FIN-wait timeout, and the idle timeout of TCP and UDP session entries. Using the undo
aging-time command, you can restore the default value.

Before the aging-time expires, the system retains the connections and sessions that
have been set up. Short SYN and FIN timeouts release half-open and closing
connections quickly, which limits the session state that a flood of unfinished
handshakes can tie up; the idle timeouts bound how long a session entry stays valid
without traffic.

For related commands, see display aspf all, display aspf policy, display aspf
session and display aspf interface.

Example

# Configure SYN status waiting timeout value of TCP as 20 seconds.


[Quidway-aspf-policy-1] aging-time syn 20

# Configure FIN status waiting timeout value of TCP as 10 seconds.
[Quidway-aspf-policy-1] aging-time fin 10

# Configure TCP idle timeout value as 3000 seconds.


[Quidway-aspf-policy-1] aging-time tcp 3000

# Configure UDP idle timeout value as 110 seconds.


[Quidway-aspf-policy-1] aging-time udp 110

3.2.2 aspf-policy


Syntax

aspf-policy aspf-policy-number

undo aspf-policy aspf-policy-number

View

System view

Parameter

aspf-policy-number: ASPF policy number, ranging from 1 to 99.

Description

Using the aspf-policy command, you can define an ASPF policy. For a defined policy,
the policy can be invoked through its policy number.

Example

# Define an ASPF policy and enter ASPF view.


[Quidway] aspf-policy 1
[Quidway-aspf-policy-1]

3.2.3 debugging aspf

Syntax

debugging aspf { all | verbose | events | ftp | h323 | http | rtsp | session | smtp | tcp
| timers | udp }

undo debugging aspf { all | verbose | events | ftp | h323 | http | rtsp | session |
smtp | tcp | timers | udp }

View

User view

Parameter

all: All ASPF debugging switches.

verbose: Detailed debugging switch.

events: Event debugging switch.

ftp: Debugging switch for FTP detection information.

h323: Debugging switch for H.323 detection information.

http: Debugging switch for HTTP detection information.

rtsp: Debugging switch for RTSP detection information.

session: Debugging switch for session information.

smtp: Debugging switch for SMTP detection information.

tcp: Debugging switch for TCP detection information.

timers: Debugging switch for timer information.

udp: Debugging switch for UDP detection information.

Description

Using the debugging aspf command, you can enable ASPF debugging function.
Using the undo debugging aspf command, you can disable ASPF debugging
function.

By default, ASPF debugging function is disabled.

For the related commands, see display aspf all, display aspf policy, display aspf
session and display aspf interface.

Example

# Open all the switches of debugging aspf


<Quidway> debugging aspf all

3.2.4 detect

Syntax

detect protocol [ java-blocking acl-number ] [ aging-time seconds ]

undo detect protocol

View

ASPF policy view

Parameter

protocol: Name of the protocol supported by ASPF. It can be an application layer
protocol (ftp, http, h323, smtp or rtsp) or a transport layer protocol (tcp or udp).

seconds: Idle timeout of the protocol, ranging from 10 to 43200 seconds. The default is
3600 seconds for TCP-based protocols and 30 seconds for UDP-based protocols.

java-blocking: Blocks Java applets carried in HTTP traffic from the servers selected by
the basic ACL. Valid only when protocol is http.

acl-number: Basic ACL number, ranging from 2000 to 2999.

Description

Using the detect command, you can specify which protocols an ASPF policy inspects.
Using the undo detect command, you can cancel the configuration.

Java blocking can be enabled only when the protocol is http.

If both application layer protocol specific detection and generic TCP/UDP-based
detection are configured, the application layer detection has priority.

ASPF uses a timeout mechanism to manage protocol session state, which lets it decide
when to stop tracking a session and when to delete a session that could not be set up
normally. The timeout configured here applies to all sessions of that protocol; bounding
session lifetime in this way protects system resources against malicious occupation by
half-open or idle sessions.

For related commands, see display aspf all, display aspf policy, display aspf
session and display aspf interface.

Example

# Specify ASPF policy 1 to inspect HTTP, enable Java blocking, and use basic ACL 2000
so that ASPF filters the Java applets coming from the server 10.1.1.1.
[Quidway] acl number 2000
[Quidway-acl-basic-2000] rule deny source 10.1.1.1 0
[Quidway-acl-basic-2000] rule permit any
[Quidway-acl-basic-2000] quit
[Quidway] aspf-policy 1
[Quidway-aspf-policy-1] detect http java-blocking 2000

3.2.5 display aspf all

Syntax

display aspf all


View

Any view

Parameter

none

Description

Using the display aspf all command, you can view the information of all ASPF policies
and sessions.

Example

# View the information of ASPF policy and session.


[Quidway] display aspf all
[ASPF Policy 1]
Session audit trail: disabled
tcp synwait-time: 30 sec
tcp finwait-time: 5 sec
tcp idle-time: 3600 sec
udp idle-time: 30 sec
h323 timeout: 3600
tcp timeout: 33

[Interface Configuration]
Interface: Ethernet0/0/0
Inbound ASPF policy: none
Outbound ASPF policy: 1

Table 3-1 ASPF configuration information

Item                               Description
Session audit trail: disabled      The session logging function is disabled.
tcp synwait-time                   TCP connection SYN status timeout value is 30 seconds.
tcp finwait-time                   TCP connection FIN status timeout value is 5 seconds.
tcp idle-time                      Idle timeout of a TCP session is 3600 seconds.
udp idle-time                      Idle timeout of a UDP session is 30 seconds.
http java-blocking acl timeout     The policy inspects HTTP traffic and uses the listed basic ACL to filter Java applets from particular sites; the HTTP timeout is shown in seconds.
h323 timeout                       The policy inspects h323 traffic; the timeout of an h323 session entry is 3600 seconds.
tcp timeout                        The policy inspects generic tcp traffic; the timeout of a tcp session entry is 33 seconds.
Inbound ASPF policy                No ASPF policy is configured in the inbound direction of interface Ethernet0/0/0.
Outbound ASPF policy               ASPF policy 1 is configured in the outbound direction of interface Ethernet0/0/0.

3.2.6 display aspf interface

Syntax

display aspf interface

View

Any view

Parameter

none

Description

Using the display aspf interface command, you can view the interface configuration of
the inspection policy.

Example

# View the interface configuration of the inspection policy.


<Quidway> display aspf interface
[Interface Configuration]
Interface: Ethernet0/0/0
Inbound ASPF policy: none
Outbound ASPF policy: 1


Table 3-2 ASPF interface configuration information

Item                   Description
Inbound ASPF policy    No ASPF policy is configured in the inbound direction of interface Ethernet0/0/0.
Outbound ASPF policy   ASPF policy 1 is configured in the outbound direction of interface Ethernet0/0/0.

3.2.7 display aspf policy

Syntax

display aspf policy aspf-policy-number

View

Any view

Parameter

aspf-policy-number: ASPF policy number, ranging from 1 to 99.

Description

Using the the display aspf policy command, you can view the configuration of a
specific inspection policy.

Example

# Display the configuration information of the inspection policy with policy number of 1.
[Quidway] display aspf policy 1
[ASPF Policy 1]
Session audit trail: disabled
tcp synwait-time: 30 sec
tcp finwait-time: 5 sec
tcp idle-time: 3600 sec
udp idle-time: 30 sec
h323 timeout: 3600
tcp timeout: 33

3.2.8 display aspf session


Syntax

display aspf session [ verbose ]

View

Any view

Parameter

verbose: Displays the detail information of the sessions.

Description

Using the display aspf session command, you can view the information of the ASPF
sessions.

Example

# Display information on current ASPF sessions.


[Quidway] display aspf session
[Established Sessions]
Session Initiator Responder Application Status
212BA84 169.254.1.121:1427 169.254.1.52:0 ftp-data TCP_DOWN
2B738C4 169.254.1.121:1426 169.254.1.52:21 ftp FTP_CONXN_UP

# Display detailed information of current ASPF sessions.


[Quidway] display aspf session verbose
[ Established Sessions ]
[ Session 0xC7E2B4 ]
(192.168.0.1:2125)=>(13.1.0.5:2093) h245-media-control H245_OPEN
SessNum: 229, TransProt: 6,
AppProt: 21
Prev: 0x0, Next: 0x0,
Child: 0xCA9EA4,
Parent: 0x0
SynNode: 0x0, FinNode: 0x0
Interface: Ethernet1/0/0,
Direction: outbound
Bytes/Packets sent (initiator:responder) [1339/15 : 1309/12]
Tcp SeqNum/AckNum [352115193/62885460 : 62885456/352115193]
Timeout 00:02:00(120),

Table 3-3 Information of current ASPF sessions

Item                                             Description
TransProt: 6                                     Transport layer protocol number 6, i.e. TCP.
AppProt: 21                                      Application layer protocol identified by port 21, i.e. the sessions are FTP sessions.
Interface: Ethernet1/0/0, Direction: outbound    The ASPF policy is applied in the outbound direction of interface Ethernet1/0/0.
Bytes/Packets sent                               Bytes/packets transmitted by the initiator and the responder of the connection.
Timeout 00:02:00(120)                            Timeout configured for the protocol is 120 seconds.

3.2.9 display port-mapping

Syntax

display port-mapping [ application-name | port port-number ]

View

Any view

Parameter

application-name: Specifies the name of the application for PAM. Optional applications
include ftp, http, h323, smtp and rtsp.

port-number: Port number in the range from 0 to 65535.

Description

Using the display port-mapping command, you can view PAM information.

For the related command, see port-mapping.

Example

# Display all PAM information.


[Quidway] display port-mapping

3.2.10 firewall aspf


Syntax

firewall aspf aspf-policy-number { inbound | outbound }

undo firewall aspf aspf-policy-number { inbound | outbound }

View

Interface view

Parameter

aspf-policy-number: ASPF policy number used on the interface.

inbound: Applies ASPF policy in inbound direction of the interface.

outbound: Applies ASPF policy in outbound direction of the interface.

Description

Using the firewall aspf command, you can apply an ASPF policy in the specified
direction of an interface. Using the undo firewall aspf command, you can remove the
ASPF policy applied on the interface.

ASPF distinguishes an inbound interface and an outbound interface. If the router
connects both the intranet and the Internet and ASPF is used to protect the servers of
the intranet, the interface connected to the intranet is regarded as the inbound interface
and the interface connected to the Internet as the outbound interface.

When ASPF is applied in the outbound direction of the Internet-facing interface, it tracks
the sessions that intranet users initiate towards the Internet and lets their return
packets pass the inspection. Connections initiated from the Internet belong to no
tracked session and are refused. In practice ASPF is paired with a firewall
packet-filter applied inbound on the same interface that denies unsolicited traffic;
ASPF then opens the return path only for the sessions it tracks.

Example

# Configure ASPF firewall function in outbound direction of the interface Ethernet1/0/0.
[Quidway-Ethernet1/0/0] firewall aspf 1 outbound

3.2.11 log enable

Syntax

log enable

undo log enable


View

ASPF policy view

Description

Using the log enable command, you can enable the ASPF session logging function.
Using the undo log enable command, you can disable it.

By default, the session logging function is disabled.

ASPF provides an enhanced session logging function that records every connection,
including the connection time, source address, destination address, ports in use and
the number of bytes transmitted. These records give an audit trail of which internal
host talked to which external host and when, which is what an incident investigation
needs; enable it on a policy before it is needed.

For the related commands, see display aspf all, display aspf policy, display aspf
session and display aspf interface.

Example

# Enable ASPF session logging function.


[Quidway-aspf-policy-1] log enable

3.2.12 port-mapping

Syntax

port-mapping application-name port port-number [ acl acl-number ]

undo port-mapping [ application-name port port-number [ acl acl-number ] ]

View

System view

Parameter

application-name: Specifies the name of the application for PAM. Optional applications
include ftp, http, h323, smtp and rtsp.

port-number: Port number, ranging from 0 to 65535.

acl-number: Number of basic ACL, which is in the range from 2000 to 2999.


Description

Using the port-mapping command, you can establish a mapping from a port to an
application layer protocol. Using the undo port-mapping command, you can delete a
user-defined PAM entry.

PAM supports two mapping mechanisms: general port mapping and host port mapping
based on a basic ACL. General port mapping binds a user-defined port number to an
application protocol for all hosts: for example, mapping port 8080 to HTTP makes every
TCP packet destined to port 8080 be treated as an HTTP packet. Host port mapping
binds the user-defined port to the application protocol only for packets destined to
specific hosts: for example, TCP packets to port 8080 destined to hosts on the segment
1.1.0.0 can be treated as HTTP packets, with the host range specified by the basic ACL.

For the same port, general port mapping and host port mapping based on a basic ACL
cannot be configured at the same time.

PAM only tells ASPF which application inspector to use for a port; it does not permit the
traffic by itself. Traffic on a non-standard port with no mapping is handled, if at all, by
generic TCP or UDP inspection without application awareness.

For the related command, see display port-mapping.

Example

# Map port 3456 to FTP service, with this configuration, all the data flows destined to
port 3456 will be regarded as FTP data flows.
[Quidway] port-mapping ftp port 3456
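A complete ASPF deployment that combines port-mapping (3.2.12), detect (3.2.4), aging-time (3.2.1), log enable (3.2.11) and firewall aspf (3.2.10), added here as an example; it is not configuration from the manual. The interface name, the server address, the ACL numbers and the advanced ACL rule syntax (acl number 3002 with rule deny ip, from the ACL chapter, which is not on this page) are assumed.

```text
# Basic ACL naming the server whose Java applets must be blocked
# (same form as the detect example in 3.2.4: deny = block).
[Quidway] acl number 2000
[Quidway-acl-basic-2000] rule deny source 10.1.1.1 0
[Quidway-acl-basic-2000] rule permit any
[Quidway-acl-basic-2000] quit

# Treat TCP/8080 as HTTP so the HTTP inspector, and with it Java blocking,
# also covers the non-standard port (general port mapping, all hosts).
[Quidway] port-mapping http port 8080

# ASPF policy: application-aware inspection for FTP (so the dynamic data
# channel is opened) and HTTP, generic TCP/UDP inspection for everything
# else, shorter timers so half-open and idle sessions age out, and logging.
[Quidway] aspf-policy 1
[Quidway-aspf-policy-1] detect ftp
[Quidway-aspf-policy-1] detect http java-blocking 2000
[Quidway-aspf-policy-1] detect tcp
[Quidway-aspf-policy-1] detect udp
[Quidway-aspf-policy-1] aging-time syn 20
[Quidway-aspf-policy-1] aging-time tcp 1800
[Quidway-aspf-policy-1] log enable
[Quidway-aspf-policy-1] quit

# Inbound packet filter on the Internet-facing interface that drops all
# unsolicited traffic (assumed advanced ACL syntax from the ACL chapter).
[Quidway] acl number 3002
[Quidway-acl-adv-3002] rule deny ip
[Quidway-acl-adv-3002] quit
[Quidway] firewall enable
[Quidway] firewall default deny

# ASPF outbound tracks sessions the intranet initiates; the inbound filter
# refuses everything else, while ASPF lets the tracked sessions' replies in.
[Quidway] interface Ethernet1/0/0
[Quidway-Ethernet1/0/0] firewall aspf 1 outbound
[Quidway-Ethernet1/0/0] firewall packet-filter 3002 inbound
[Quidway-Ethernet1/0/0] quit

# Verify the policy, its binding, the port mapping and the live sessions.
[Quidway] display aspf policy 1
[Quidway] display aspf interface
[Quidway] display port-mapping http
[Quidway] display aspf session verbose
```

Without detect ftp, the FTP control channel on port 21 would be tracked only as generic TCP and the server-initiated data connection would be refused by the inbound filter; the application-aware inspector is what opens that second channel.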


Chapter 4 IPSec Configuration Commands

4.1 IPSec Configuration Commands

4.1.1 ah authentication-algorithm

Syntax

ah authentication-algorithm { md5 | sha1 }

undo ah authentication-algorithm

View

IPSec proposal view

Parameter

md5: MD5 algorithm is adopted.

sha1: SHA1 algorithm is adopted.

Description

Using the ah authentication-algorithm command, you can set the authentication
algorithm used by the Authentication Header (AH) protocol in an IPSec proposal. Using
the undo ah authentication-algorithm command, you can restore the default setting.

By default, the AH protocol in an IPSec proposal uses the md5 authentication
algorithm.

AH provides authentication (data origin and integrity) only; it does not encrypt.

HMAC-MD5 uses a 128-bit key and HMAC-SHA1 a 160-bit key. MD5 is faster, while
SHA1 is more secure; prefer sha1 unless the peer cannot support it.

The IPSec proposals used by the security policies at both ends of the security tunnel
must be set to the same authentication algorithm.

The AH authentication algorithm can be configured only if the AH or AH-ESP security
protocol was selected with the transform command.

For the related commands, see ipsec proposal, proposal, sa spi and transform.


Example

# Set IPSec proposal using AH and SHA1.
[Quidway] ipsec proposal prop1
[Quidway-ipsec-proposal-prop1] transform ah
[Quidway-ipsec-proposal-prop1] ah authentication-algorithm sha1

4.1.2 debugging ipsec

Syntax

debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] }

undo debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] }

View

User view

Parameter

all: Displays all debugging information.

sa: Displays debugging information of SA.

packet: Displays debugging information of IPSec packets.

policy policy-name: Displays debugging information of the IPSec policy whose name is
policy-name.

seq-number: Displays debugging information of the IPSec policy whose sequence
number is seq-number.

parameters: Displays debugging information of the SA whose remote address is
ip-address, security protocol is protocol, and SPI is spi-number.

misc: Displays other debugging information of IPSec.

Description

Using the debugging ipsec command, you can turn IPSec debugging on. Using the
undo debugging ipsec command, you can turn IPSec debugging off.

By default, IPSec debugging is off.


Example

# Enable IPSec SA debugging function.


<Quidway> debugging ipsec sa

4.1.3 display ipsec policy

Syntax

display ipsec policy [ brief | name policy-name [ seq-number ] ]

View

Any view

Parameter

brief: Displays brief information about all the ipsec policies.

name: Displays information of the ipsec policy with the name policy-name and
sequence number seq-number.

policy-name: Name of an ipsec policy.

seq-number: Sequence number of an ipsec policy.

If no argument has been specified, the details of all the IPSec policies will be displayed.
If name policy-name has been specified but seq-number has not, the information of the
specified IPSec policy group will be listed out.

Description

Using the display ipsec policy command, you can view information about the ipsec
policy.

The brief keyword displays brief information about all the ipsec policies in the brief
format (see the following example) and is the quickest way to list them. Brief
information includes: name and sequence number, negotiation mode, access control
list, proposal, local address, and remote address.

The other forms of the command display detailed information about the ipsec policy in
the detailed format (see the following example). For manual policies the detailed output
includes the configured SPIs and keys in clear text, so treat that output as sensitive.

For the related commands, see ipsec policy(system view).


Example

# View brief information about all the ipsec policies.


<Quidway> display ipsec policy brief
Ipsec-policy-Name Mode acl Local Address Remote Address
policy1-100 manual 2000 150.1.1.2 150.1.1.1
test-300 isakmp 2200 202.38.160.66

Table 4-1 Brief information of IPSec policy

Item Description
Ipsec-policy-Name name and sequence number of an ipsec policy
Mode negotiation method used by an ipsec policy
acl access control list used by an ipsec policy
Local Address local IP address
Remote Address remote IP address

# View information about all the ipsec policies


[Quidway] display ipsec policy
===========================================
IPsec Policy Group: "policy_isakmp"
Using interface: {Ethernet1/0/0}
===========================================
--------------------------------------------
IPsec policy name: "policy_isakmp"
sequence number: 10
mode: isakmp
--------------------------------------------
security data flow : 100
tunnel remote address: 162.105.10.2
PFS (Y/N): N
proposal name: prop1
ipsec sa local duration(time based): 3600 seconds
ipsec sa local duration(traffic based): 1843200 kilobytes
===========================================
IPsec Policy Group: "policy_man"
Using interface: {Ethernet1/0/1}
===========================================
-----------------------------------------
IPsec policy name: "policy_man"
sequence number: 10


mode: manual
-----------------------------------------
security data flow : 100
tunnel local address: 162.105.10.1
tunnel remote address: 162.105.10.2
proposal name: prop1
inbound ah setting:
ah spi: 12345 (0x3039)
ah string-key:
ah authentication hex key : 1234567890123456789012345678901234567890
inbound esp setting:
esp spi: 23456 (0x5ba0)
esp string-key:
esp encryption hex key:
1234567890abcdef1234567890abcdef1234567812345678
esp authentication hex key: 1234567890abcdef1234567890abcdef
outbound ah setting:
ah spi: 54321 (0xd431)
ah string-key:
ah authentication hex key: 1122334455667788990011223344556677889900
outbound esp setting:
esp spi: 65432 (0xff98)
esp string-key:
esp encryption hex key:
11223344556677889900aabbccddeeff1234567812345678
esp authentication hex key: 11223344556677889900aabbccddeeff

Table 4-2 Detailed information of an IPSec policy

Item                        Description
ipsec policy                Name, sequence number and negotiation method of an ipsec policy
security data flow          Access control list used by an ipsec policy
proposal name               Name of the proposal used by an ipsec policy
inbound/outbound ah/esp     Settings of the inbound/outbound ends using AH/ESP, including SPI and key
tunnel local address        Local IP address
tunnel remote address       Remote IP address
PFS (Y/N)                   Whether PFS (Perfect Forward Secrecy) is used or not


4.1.4 display ipsec policy-template

Syntax

display ipsec policy-template [ brief | name template-name [ seq-number ] ]

View

Any view

Parameter

brief: Displays brief information about all the ipsec policy templates.

name: Displays information of the ipsec policy template with the name template-name
and sequence number seq-number.

template-name: Name of an ipsec policy template.

seq-number: Sequence number of an ipsec policy template. If seq-number is not
specified, the information about all the ipsec policy templates named template-name
is shown.

If no parameter is specified, the detailed information about all the ipsec policy
templates is displayed. If name template-name has been specified but seq-number has
not, the information of the specified IPSec policy template group is listed.

Description

Using the display ipsec policy-template command, you can view information about
the ipsec policy template.

The brief parameter displays brief information about all the ipsec policy templates in
the brief format (see the following example) and is the quickest way to list them. Brief
information includes: template name and sequence number, access control list, and
remote address.

The other forms of the command display detailed information about the IPSec policy
template.

For the related commands, see ipsec policy-template.

Example

# View brief information about all the ipsec policy templates.


[Quidway] display ipsec policy-template brief
Policy-template-Name acl Remote-Address
------------------------------------------------------
test-tplt300 2200

Table 4-3 Brief information of IPSec policy template

Item Description
Policy-template-Name name, sequence number of an ipsec policy template
acl access control list used by an ipsec policy template
Remote Address remote IP address

4.1.5 display ipsec proposal

Syntax

display ipsec proposal [ proposal-name ]

View

Any view

Parameter

proposal-name: Name of the proposal.

Description

Using the display ipsec proposal command, you can view information about the
proposal.

If the name of the proposal is not specified, then information about all the proposals will
be shown.

For the related commands, see ipsec proposal, display ipsec sa and display ipsec
policy.

Example

# View all the proposals.


[Quidway] display ipsec proposal
Ipsec proposal name: prop2
encapsulation mode: tunnel
transform: ah-new
ah protocol: authentication-algorithm sha1-hmac-96

Ipsec proposal name: prop1
encapsulation mode: transport
transform: esp-new
esp protocol: authentication-algorithm md5-hmac96, encryption des

Table 4-4 IPSec proposal information

Item                 Description
Ipsec proposal name  Name of the proposal
encapsulation mode   Mode used by the proposal, one of two types: transport mode and tunnel mode
transform            Security protocol used by the proposal, one of two types: AH and ESP
ah protocol          Authentication algorithm used by AH: md5 | sha1
esp protocol         Authentication algorithm and encryption method used by ESP respectively: MD5 and DES

4.1.6 display ipsec sa

Syntax

display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

View

Any view

Parameter

brief: Displays brief information about all the SAs.

remote: Displays information about the SAs whose remote address is ip-address.

ip-address: Specifies the remote address in dotted decimal format.

policy: Displays information about the SAs created by the ipsec policy whose name is
policy-name.

policy-name: Specifies the name of the ipsec policy.

seq-number: Specifies the sequence number of the ipsec policy.

duration: Shows the global SA duration.


Description

Using the display ipsec sa command, you can view the relevant information about the
SA.

The command with the brief parameter shows brief information about all the SAs in
the brief format (refer to the following example). Brief information includes the
source address, destination address, SPI, protocol, and algorithm. In the algorithm
column, an entry beginning with "E" is the encryption algorithm, and an entry
beginning with "A" is the authentication algorithm. The brief form can be used to
quickly list all the SAs already set up.

The commands with the remote and policy parameters both display detailed
information about the SA: part of the information about the ipsec policy is shown
first, followed by the detailed information of the SAs under that ipsec policy.

The command with the duration parameter shows the global SA duration, both the
"time-based" and the "traffic-based" SA duration. Refer to the following examples.

Information of all the SAs will be shown when no parameter is specified.

For the related commands, see reset ipsec sa, ipsec sa duration, display ipsec sa
and display ipsec policy.

Example

# View brief information about all the SAs.


<Quidway> display ipsec sa brief
Src Address Dst Address SPI Protocol Algorithm
10.1.1.1 10.1.1.2 300 ESP E:DES; A:HMAC-MD5-96
10.1.1.2 10.1.1.1 400 ESP E:DES; A:HMAC-MD5-96

Table 4-5 Brief information of IPSec SA

Item         Description
Src Address  Local IP address
Dst Address  Remote IP address
SPI          Security parameter index
Protocol     Security protocol used by IPSec
Algorithm    The authentication algorithm and encryption algorithm used by the security protocol. An entry beginning with "E" is the encryption algorithm, and an entry beginning with "A" is the authentication algorithm.

# View the global duration of SA.


[Quidway] display ipsec sa duration
ipsec sa global duration (traffic based): 1843200 kilobytes
ipsec sa global duration (time based): 3600 seconds

# View information of all the SAs.


[Quidway] display ipsec sa
===============================
Interface: Ethernet1/0/0
path MTU: 1500
===============================
----------------------------------
IPsec policy name: "policy_isakmp"
sequence number: 10
mode: isakmp
----------------------------------
connection id: 4
in use settings = {tunnel}
tunnel local : 162.105.10.1
tunnel remote : 162.105.10.2
[inbound ah SAs]
spi: 3752719292 (0xdfadf3bc)
transform: AH-SHA1HMAC96
sa remaining key duration (bytes/sec): (1887436384/3594)
max received sequence-number: 4
[inbound esp SAs]
spi: 74180629 (0x46be815)
transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): (1887436528/3594)
max received sequence-number: 4
[outbound esp SAs]
spi: 1394075637 (0x5317e7f5)
transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): (1887436464/3594)
max sent sequence-number: 5
[outbound ah SAs]
spi: 2132905296 (0x7f218d50)
transform: AH-SHA1HMAC96
sa remaining key duration (bytes/sec): (1887436336/3594)
max sent sequence-number: 5


Table 4-6 Detailed information of IPSec SA

Item                          Description
Interface                     Interface using the ipsec policy
path MTU                      Maximum IP packet length sent from the interface
ipsec policy                  ipsec policy used, including name, sequence number and negotiation method
connection id                 Security channel identifier
in use settings               IPSec mode, one of two types: transport mode and tunnel mode
tunnel local                  Local IP address
tunnel remote                 Remote IP address
inbound                       SA information of the inbound end
transform                     Proposal used by the ipsec policy
sa remaining key duration     Remaining duration of the SA
max received sequence-number  Maximum sequence number of the received packets (the anti-replay function provided by the security protocol)
outbound                      SA information of the outbound end
max sent sequence-number      Maximum sequence number of the sent packets (the anti-replay function provided by the security protocol)
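The following Python script is an added example (not part of the VRP manual) that parses the output of display ipsec sa brief shown above, checks that every SA has its reverse-direction SA (SAs are set up in inbound/outbound pairs), and flags SAs whose algorithms are on a weak list. The sample output is constructed after the manual's example, with an extra AH-only row added; the weak-algorithm lists are this example's own assumption, not a judgement the manual makes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the manual's `display ipsec sa brief` output;
# the third (AH-only) row is added to show an SA with no encryption column.
SAMPLE_BRIEF = """\
<Quidway> display ipsec sa brief
Src Address Dst Address SPI Protocol Algorithm
10.1.1.1 10.1.1.2 300 ESP E:DES; A:HMAC-MD5-96
10.1.1.2 10.1.1.1 400 ESP E:DES; A:HMAC-MD5-96
10.1.1.1 10.1.1.3 500 AH A:HMAC-SHA1-96
"""

# Audit policy of this example (an assumption, not something the manual states).
WEAK_ENCRYPTION = {"DES"}
WEAK_AUTH = {"HMAC-MD5-96"}

_ROW = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"(?P<spi>\d+)\s+(?P<proto>AH|ESP)\s+(?P<alg>.+)$"
)


@dataclass(frozen=True)
class SaBrief:
    src: str
    dst: str
    spi: int
    protocol: str
    encryption: Optional[str]  # None for AH, which never encrypts
    auth: Optional[str]


def parse_brief(text: str) -> List[SaBrief]:
    """Parse the rows of `display ipsec sa brief`; prompt and header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        enc = auth = None
        # Algorithm column: "E:<encryption>; A:<authentication>" or just "A:<...>"
        for field in m.group("alg").split(";"):
            field = field.strip()
            if field.startswith("E:"):
                enc = field[2:].strip()
            elif field.startswith("A:"):
                auth = field[2:].strip()
        sas.append(SaBrief(m.group("src"), m.group("dst"), int(m.group("spi")),
                           m.group("proto"), enc, auth))
    return sas


def weak_sas(sas: List[SaBrief]) -> List[Tuple[SaBrief, str]]:
    """SAs whose algorithms are on the weak lists, together with the reason."""
    findings = []
    for sa in sas:
        reasons = []
        if sa.encryption in WEAK_ENCRYPTION:
            reasons.append("encryption " + sa.encryption)
        if sa.auth in WEAK_AUTH:
            reasons.append("authentication " + sa.auth)
        if reasons:
            findings.append((sa, "; ".join(reasons)))
    return findings


def unpaired_sas(sas: List[SaBrief]) -> List[SaBrief]:
    """SAs with no reverse-direction SA (same protocol, src/dst swapped).

    A lone SA usually means the other half expired or was reset, so traffic in
    one direction will fail or re-trigger IKE negotiation.
    """
    keys = {(sa.src, sa.dst, sa.protocol) for sa in sas}
    return [sa for sa in sas if (sa.dst, sa.src, sa.protocol) not in keys]


if __name__ == "__main__":
    parsed = parse_brief(SAMPLE_BRIEF)
    for sa, why in weak_sas(parsed):
        print(f"weak: {sa.src} -> {sa.dst} SPI {sa.spi} ({why})")
    for sa in unpaired_sas(parsed):
        print(f"unpaired: {sa.src} -> {sa.dst} {sa.protocol} SPI {sa.spi}")
```

Feed the script the captured output of the command; the two checks are independent, so an AH-only SA is never reported as "missing encryption", only as unpaired or weak when its authentication algorithm is on the list.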

4.1.7 display ipsec statistics

Syntax

display ipsec statistics

View

Any view

Parameter

none

Description

Using the display ipsec statistics command, you can view the IPSec packet statistics
information, including the input and output security packet statistics, bytes, number of
packets discarded and detailed description of discarded packets.


For the related command, see reset ipsec statistics.

Example

# View IPSec packet statistics.


<Quidway> display ipsec statistics
the security packet statistics:
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
no enough memory: 0
can't find SA: 0
queue is full: 0
authen failed: 0
invalid length: 0
replay packet: 0
too long packet: 0
invalid SA: 0

Table 4-7 IPSec packet statistics

Item                                   Description
input/output security packets          Input/output packets under the security protection
input/output security bytes            Input/output bytes under the security protection
input/output dropped security packets  Input/output packets under the security protection that were discarded by the router

4.1.8 encapsulation-mode

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

View

IPSec proposal view

Parameter

transport: Sets that the encapsulation mode of IP packets is transport mode.


tunnel: Sets that the encapsulation mode of IP packets is tunnel mode.

Description

Using the encapsulation-mode command, you can set the encapsulation mode that
the security protocol applies to IP packets, which can be transport or tunnel. Using the
undo encapsulation-mode command, you can restore it to the default.

By default, tunnel mode is used.

There are two encapsulation modes in which IPSec encrypts and authenticates IP
packets: transport mode and tunnel mode. In transport mode, IPSec does not
encapsulate the IP packet in a new header; the two ends of the security tunnel are the
source and the destination of the original packet. In tunnel mode, IPSec protects the
whole IP packet and adds a new IP header in front of it. The source and destination
addresses of the new IP header are the IP addresses of the two ends of the tunnel.

Generally, tunnel mode is used between two security gateways (routers). A packet
encrypted by one security gateway can only be decrypted by another security gateway,
so the IP packet must be encrypted in tunnel mode, that is, a new IP header is added;
the packet encapsulated in tunnel mode is sent to the other security gateway, where it
is decrypted.

Transport mode is suitable for communication between two hosts, or between a host
and a security gateway (for example, network management traffic between a
management workstation and a router). In transport mode, the two devices that
encrypt and decrypt the packets must be the original sender and receiver of the packet.
Most of the traffic between two security gateways is not the gateways' own, so
transport mode is not often used between security gateways.

The proposals used by the ipsec policies at both ends of the security tunnel must be
set to the same packet encapsulation mode.

For the related commands, see ah authentication-algorithm, ipsec proposal, esp
encryption-algorithm, esp authentication-algorithm, proposal and transform.
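An added example, not from the manual, that models in Python the header arrangement described above: in transport mode the original IP header is kept and ESP is inserted after it, whereas in tunnel mode a new outer header carrying the tunnel endpoints is placed in front of the whole original packet, so an observer between the gateways sees only the tunnel addresses. Only the layout is modelled: no encryption is performed and the ESP trailer and ICV are omitted, so the bytes are not a valid ESP packet. All addresses and SPI values are constructed.

```python
import ipaddress
import struct
from typing import Optional, Tuple

IPPROTO_ESP = 50


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, protocol, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return raw[:10] + struct.pack("!H", ipv4_checksum(raw)) + raw[12:]


def parse_ipv4_header(packet: bytes) -> Tuple[str, str, int, int]:
    """Return (src, dst, protocol, total_length) of the header at the start of packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl != 0x45:
        raise ValueError("only IPv4 headers without options are modelled")
    return str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), proto, total_len


def esp_encapsulate(mode: str, original: bytes, spi: int, seq: int,
                    tunnel_local: Optional[str] = None,
                    tunnel_remote: Optional[str] = None) -> bytes:
    """Arrange headers the way ESP does in each mode (layout only; the protected
    data is copied in the clear where the ciphertext would go)."""
    esp_header = struct.pack("!II", spi, seq)  # SPI and sequence number
    if mode == "transport":
        # Original IP header is kept (protocol field now says ESP); ESP sits
        # between it and the payload, so the SA endpoints are the packet's own
        # source and destination.
        src, dst, _, _ = parse_ipv4_header(original)
        payload = original[20:]
        return ipv4_header(src, dst, IPPROTO_ESP, len(esp_header) + len(payload)) + esp_header + payload
    if mode == "tunnel":
        # The whole original packet, header included, becomes the protected
        # data; a new outer header carries the tunnel endpoints' addresses.
        if tunnel_local is None or tunnel_remote is None:
            raise ValueError("tunnel mode needs both tunnel endpoint addresses")
        outer = ipv4_header(tunnel_local, tunnel_remote, IPPROTO_ESP, len(esp_header) + len(original))
        return outer + esp_header + original
    raise ValueError("mode must be 'transport' or 'tunnel'")


def on_wire_addresses(packet: bytes) -> Tuple[str, str]:
    """What an observer between the two ends sees in the outer header."""
    src, dst, _, _ = parse_ipv4_header(packet)
    return src, dst


if __name__ == "__main__":
    original = ipv4_header("10.1.1.1", "10.1.1.2", 6, 5) + b"hello"  # constructed host packet
    print("transport:", on_wire_addresses(esp_encapsulate("transport", original, 300, 1)))
    print("tunnel:   ", on_wire_addresses(
        esp_encapsulate("tunnel", original, 300, 1, "162.105.10.1", "162.105.10.2")))
```

In tunnel mode the original header is found 28 bytes in (20 bytes of outer header plus 8 bytes of ESP header) and still carries the host addresses, which is why that mode is the one used between gateways that forward traffic on behalf of other hosts.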

Example

# Set the proposal named prop2 to use transport mode to encapsulate IP packets.
[Quidway] ipsec proposal prop2
[Quidway-ipsec-proposal-prop2] encapsulation-mode transport


4.1.9 esp authentication-algorithm

Syntax

esp authentication-algorithm { md5 | sha1 }

undo esp authentication-algorithm

View

IPSec proposal configuration view

Parameter

md5: Uses the MD5 algorithm, with a 128-bit key.

sha1: Uses the SHA1 algorithm, with a 160-bit key.

Description

Using the esp authentication-algorithm command, you can set the authentication
algorithm used by ESP. Using the undo esp authentication-algorithm command, you
can set ESP not to authenticate packets.

By default, MD5 algorithm is used.

MD5 is faster than SHA1, while SHA1 is more secure than MD5.

ESP permits a packet to be encrypted or authenticated or both.

The encryption algorithm and the authentication algorithm used by ESP cannot both be
set to vacant at the same time.

The undo esp authentication-algorithm command does not restore the
authentication algorithm to the default; instead it sets the authentication algorithm to
vacant, i.e. no authentication. The undo esp authentication-algorithm command
takes effect only when the encryption algorithm is not vacant.

The proposals used by the ipsec policies at both ends of the security tunnel must be
set to the same authentication algorithm.

For the related commands, see ipsec proposal, esp encryption-algorithm,
proposal, sa encryption-hex and transform.

Example

# Set a proposal that adopts ESP, and uses SHA1.


[Quidway] ipsec proposal prop1
[Quidway-ipsec-proposal-prop1] transform esp
[Quidway-ipsec-proposal-prop1] esp authentication-algorithm sha1

4.1.10 esp encryption-algorithm

Syntax

esp encryption-algorithm { 3des | des | aes }

undo esp encryption-algorithm

View

IPSec proposal view

Parameter

des: Data Encryption Standard (DES), a universal encryption algorithm with a 56-bit
key.

3des: Triple DES (3DES), another universal encryption algorithm with a 168-bit key.

aes: Advanced Encryption Standard (AES), an encryption algorithm conforming to the
IETF standards. A 128-bit key can be used on VRP.

Description

Using the esp encryption-algorithm command, you can set the encryption algorithm
adopted by ESP. Using the undo esp encryption-algorithm command, you can set
the ESP not to encrypt packets.

By default, DES algorithm is used.

3DES meets the requirement for high confidentiality and security, but it is
comparatively slow; DES satisfies normal security requirements.

ESP permits a packet to be encrypted, authenticated, or both.

The encryption and authentication methods used by ESP cannot both be set to a
vacant value at the same time. The undo esp encryption-algorithm command takes
effect only if the authentication algorithm is not null.

For the related commands, see ipsec proposal, esp authentication-algorithm,
proposal, sa encryption-hex and transform.


Example

# Set ESP to use 3DES.


[Quidway] ipsec proposal prop1
[Quidway-ipsec-proposal-prop1] transform esp
[Quidway-ipsec-proposal-prop1] esp encryption-algorithm 3des

4.1.11 ipsec policy (interface view)

Syntax

ipsec policy policy-name

undo ipsec policy

View

Interface view

Parameter

policy-name: Specifies the name of an ipsec policy group applied at the interface. The
ipsec policy group with name policy-name should be configured in system view.

Description

Using the ipsec policy (interface view) command, you can apply the ipsec policy group
named policy-name at the interface. Using the undo ipsec policy (interface view)
command, you can remove the ipsec policy group from the interface, which disables
the IPSec function of the interface.

At an interface, only one ipsec policy group can be applied. An ipsec policy group can
be applied at multiple interfaces.

When a packet is sent from an interface, the ipsec policies in the ipsec policy group
are searched in ascending order of sequence number. If the packet matches the
access control list used by an ipsec policy, that ipsec policy is used to process the
packet; otherwise the search continues with the next ipsec policy. If the packet
matches none of the access control lists used by the ipsec policies, it is transmitted
directly (that is, IPSec does not protect the packet).

To prevent any unencrypted packet from being transmitted from the interface, the
firewall must be used together with IPSec: the firewall drops all the packets that do not
need to be encrypted.

For the related command, see ipsec policy(system view).
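An added example, not router code, that models the lookup order described above in Python: the policies of a group are tried in ascending sequence number, the first ACL match selects the policy, and any flow that matches no ACL leaves the interface in the clear. The policy group, ACL rules and flows are constructed values, and the ACL format (ordered permit/deny rules on source and destination networks, first match decides) is an assumption of the model. The cleartext list it produces is exactly the traffic a firewall rule must drop when nothing unencrypted may leave the interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class IpsecPolicy:
    name: str                     # policy group name
    seq: int                      # sequence number; lower is checked first
    acl: Tuple[AclRule, ...]      # the ACL the policy references (security acl)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed policy group "policy1" (assumed values, not from the manual);
# deliberately listed out of order to show that sequence number, not
# configuration order, decides the search.
POLICY1 = (
    IpsecPolicy("policy1", 20, (
        AclRule("deny", net("10.1.5.0/24"), net("192.168.0.0/16")),
        AclRule("permit", net("10.1.0.0/16"), net("192.168.0.0/16")),
    )),
    IpsecPolicy("policy1", 10, (
        AclRule("permit", net("10.1.0.0/16"), net("10.2.0.0/16")),
    )),
)


def acl_matches(rules: Tuple[AclRule, ...], src: str, dst: str) -> bool:
    """First rule covering the flow decides; a flow no rule covers is not selected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action == "permit"
    return False


def select_policy(group: Tuple[IpsecPolicy, ...], src: str, dst: str) -> Optional[IpsecPolicy]:
    """Walk the group in ascending sequence number; the first ACL hit wins."""
    for policy in sorted(group, key=lambda p: p.seq):
        if acl_matches(policy.acl, src, dst):
            return policy
    return None


def classify_flows(group: Tuple[IpsecPolicy, ...], flows: List[Tuple[str, str]]):
    """Split flows into (protected, cleartext). Cleartext flows leave the
    interface unprotected unless a firewall rule drops them."""
    protected, cleartext = [], []
    for src, dst in flows:
        policy = select_policy(group, src, dst)
        if policy is None:
            cleartext.append((src, dst))
        else:
            protected.append((src, dst, policy.seq))
    return protected, cleartext


# Constructed flows (source, destination).
FLOWS = [
    ("10.1.1.1", "10.2.3.4"),       # selected by seq 10
    ("10.1.2.2", "192.168.1.1"),    # selected by seq 20
    ("10.1.5.7", "192.168.1.1"),    # denied by the first rule of seq 20: cleartext
    ("172.16.0.1", "203.0.113.9"),  # covered by no ACL: cleartext
]

if __name__ == "__main__":
    protected, cleartext = classify_flows(POLICY1, FLOWS)
    for src, dst, seq in protected:
        print(f"{src} -> {dst}: protected by policy1 seq {seq}")
    for src, dst in cleartext:
        print(f"{src} -> {dst}: sent in the clear (firewall must drop if not wanted)")
```

Running the same classification against the address ranges that are supposed to be protected is a quick way to find a flow that falls through every ACL and would leave unencrypted.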


Example

# Apply an ipsec policy whose name is policy1 to interface Serial 4/1/2.


[Quidway] interface serial 4/1/2
[Quidway-Serial4/1/2] ipsec policy policy1

4.1.12 ipsec policy (system view)

Syntax

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

undo ipsec policy policy-name [ seq-number ]

View

System view

Parameter

policy-name: Name of the ipsec policy. The naming rule is: the name is 1 to 15
characters long, case insensitive, and may contain English letters or digits, but cannot
include "-".

seq-number: Sequence number of the ipsec policy, ranging from 1 to 10000; a lower
value indicates a higher priority.

manual: Sets up the SA manually.

isakmp: Sets up the SA through IKE negotiation.

template: Dynamically sets up the SA by using a policy template. The ipsec policy
policy-name references the previously created policy template named template-name.

template-name: Name of the template.

Description

Using the ipsec policy command, you can establish or modify an ipsec policy, and
enter ipsec policy view. Using the undo ipsec policy policy-name command, you can
delete the ipsec policy group named policy-name. Using the undo ipsec policy
policy-name seq-number command, you can delete the ipsec policy whose name is
policy-name and sequence number is seq-number.

By default, no ipsec policy exists.


To establish an ipsec policy, it is necessary to specify the negotiation mode (manual or
isakmp). To modify the ipsec policy, it is not necessary to specify the negotiation mode.

Once an ipsec policy is established, its negotiation mode cannot be modified. For
example, if an ipsec policy is established in manual mode, it cannot be changed to
isakmp mode; the ipsec policy must be deleted and then recreated, if appropriate, with
the negotiation mode isakmp.

Ipsec policies with the same name constitute an ipsec policy group. The name and
sequence number together define a unique ipsec policy. An ipsec policy group can
hold at most 100 ipsec policies. Within an ipsec policy group, the smaller the
sequence number of an ipsec policy, the higher its preference. Applying an ipsec
policy group at an interface means applying all the ipsec policies in the group
simultaneously, so that different data streams can be protected by different SAs.

Using the ipsec policy policy-name seq-number isakmp template template-name
command, you can establish an ipsec policy from the template through IKE
negotiation. The template must have been created before this command is used.
During negotiation and policy matching, the parameters defined in the template must
be matched, and the other parameters are decided by the initiator. The proposal must
be defined in the policy template; the other parameters are optional.

Note that IKE will not use a policy with a template argument to initiate a negotiation.
Rather, it uses such a policy to respond to a negotiation initiated by its peer.

For the related commands, see ipsec policy (interface view), security acl, tunnel
local, tunnel remote, sa duration, proposal, display ipsec policy, ipsec
policy-template, and ike-peer.

Example

# Set an ipsec policy whose name is newpolicy1, sequence number is 100, and
negotiation mode is isakmp.
[Quidway] ipsec policy newpolicy1 100 isakmp
[Quidway-ipsec-policy-isakmp-newpolicy1-100]

4.1.13 ipsec policy-template

Syntax

ipsec policy-template policy-name seq-number

undo ipsec policy-template policy-name [ seq-number ]


View

System view

Parameter

policy-name: Name of the ipsec policy template. The naming rule is: the name is 1 to
15 bytes long, case insensitive, and may contain English letters or digits, but cannot
include "-".

seq-number: Sequence number of the ipsec policy template, ranging from 1 to 10000.
In one ipsec policy template group, the smaller the sequence number, the higher the
preference.

Description

Using the ipsec policy-template command, you can establish or modify an ipsec
policy template, and enter ipsec policy template view. Using the undo ipsec
policy-template policy-name command, you can delete the ipsec policy template
group named policy-name. Using the undo ipsec policy-template policy-name
seq-number command, you can delete the ipsec policy template with the name
policy-name and the sequence number seq-number.

By default, no ipsec policy template exists.

A policy template that has been created with the name template-name can be
referenced by the ipsec policy policy-name seq-number isakmp template
template-name command to create an IPSec policy.

The IPSec policy template and the IPSec policy of ISAKMP negotiation share the same
kinds of arguments, including the referenced IPSec proposal, the protected traffic, the
PFS feature, the lifetime, and the address of the remote tunnel end. Note, however, that
the proposal argument must be configured, whereas the other arguments are optional.
If an IPSec policy template is used for the policy match in an IKE negotiation, the
configured arguments must be matched, and the settings of the initiator are used for
the arguments that have not been configured.

For the related commands, see ipsec policy, security acl, tunnel local, tunnel
remote, proposal, display ipsec policy, and ike-peer.

Example

# Establish an ipsec policy template with the name template1 and the serial number
100.
[Quidway] ipsec policy-template template1 100
[Quidway-ipsec-policy-template-template1-100]


4.1.14 ipsec proposal

Syntax

ipsec proposal proposal-name

undo ipsec proposal proposal-name

View

System view

Parameter

proposal-name: Name of the specified proposal. The naming rule is: the length of the
name is 1 to 15 characters, case insensitive.

Description

Using the ipsec proposal proposal-name command, you can establish or modify a
proposal named proposal-name, and enter IPSec proposal view. Using the undo ipsec
proposal proposal-name command, you can delete the proposal named
proposal-name.

By default, no proposal exists.

A proposal is a combination of the security protocol, the encryption and authentication
algorithms, and the packet encapsulation format used to implement IPSec protection.

An ipsec policy determines the protocol, algorithm and encapsulation mode to be
adopted through the proposal it uses. Before an ipsec policy uses a proposal, the
proposal must already have been set up.

After a new IPSec proposal is established with the ipsec proposal command, the
ESP protocol, the DES encryption algorithm and the MD5 authentication algorithm are
adopted by default.

For the related commands, see ah authentication-algorithm, esp
encryption-algorithm, esp authentication-algorithm, encapsulation-mode,
proposal, display ipsec proposal and transform.

Example

# Establish a proposal named newprop1.


[Quidway] ipsec proposal newprop1


4.1.15 ipsec sa global-duration

Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

View

System view

Parameter

time-based seconds: Time-based global SA duration in seconds, ranging from 30 to
604800 seconds. The default is 3600 seconds (1 hour).

traffic-based kilobytes: Traffic-based global SA duration in kilobytes, ranging from
256 to 4194303 kilobytes. The default is 1843200 kilobytes; when the traffic reaches
this value, the duration expires.

Description

Using the ipsec sa global-duration command, you can set a global SA duration. Using
the undo ipsec sa global-duration command, you can restore to the default setting of
the global SA duration.

When IKE negotiates to establish a SA, if the adopted IPSec policy is not configured
with its own duration, the system will use the global SA duration specified by this
command to negotiate with the peer. If the IPSec policy is configured with its own
duration, the system will use the duration of the IPSec policy to negotiate with the peer.
When IKE negotiates to set up an SA for IPSec, the smaller one of the lifetime set
locally and that proposed by the remote is selected.

There are two types of SA duration: the time-based lifetime (in seconds) and the
traffic-based lifetime (in kilobytes). With the traffic-based SA duration, the validity of
the SA is measured by the total traffic that the SA may process, and the SA becomes
invalid once the set value is exceeded. Whichever of the two types expires first, the SA
becomes invalid. Before the SA is about to become invalid, IKE sets up a new SA for
IPSec through negotiation, so a new SA is ready before the existing one becomes
invalid.

Modifying the global SA duration will not affect a map that has individually set up its own
SA duration, or an SA already set up. But the modified global SA duration will be used to
set up a new SA in the future IKE negotiation.

The SA duration does not function for an SA manually set up, that is, the SA manually
set up will never be invalidated.


For the related commands, see sa duration and display ipsec sa duration.
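An added Python model, not the router's implementation, of the lifetime rules stated above: a policy's own duration overrides the global one, IKE keeps the smaller of the local and peer-proposed values for each type, the SA becomes invalid when either limit is reached first, and a manually configured SA never expires. The rekey margin at which a replacement SA should already be under negotiation is this example's assumption; the manual states only that this happens before expiry. The lifetime values used are the manual's defaults and the values from its examples.

```python
from typing import Optional, Tuple

# Defaults the manual states for the global SA duration: (seconds, kilobytes).
DEFAULT_GLOBAL_LIFETIME = (3600, 1843200)

# (time-based, traffic-based); None means "no limit of that type".
Lifetime = Tuple[Optional[int], Optional[int]]


def effective_lifetime(policy_lifetime: Optional[Lifetime], global_lifetime: Lifetime) -> Lifetime:
    """A policy's own sa duration takes precedence; otherwise the global one is used."""
    return policy_lifetime if policy_lifetime is not None else global_lifetime


def negotiated_lifetime(local: Lifetime, remote: Lifetime) -> Lifetime:
    """IKE keeps the smaller of the local and the peer-proposed value, per type."""
    return (min(local[0], remote[0]), min(local[1], remote[1]))


class IpsecSa:
    """Tracks one SA against its time-based and traffic-based lifetime.

    lifetime (None, None) models a manually configured SA, which never expires.
    rekey_margin is an assumption of this model: the fraction of either lifetime
    remaining at which IKE should already be negotiating the replacement SA.
    """

    def __init__(self, created_at: float, lifetime: Lifetime, rekey_margin: float = 0.1):
        self.created_at = created_at
        self.lifetime_sec, self.lifetime_kb = lifetime
        self.rekey_margin = rekey_margin
        self.bytes_processed = 0

    def account(self, nbytes: int) -> None:
        """Charge protected traffic against the traffic-based lifetime."""
        self.bytes_processed += nbytes

    def time_used(self, now: float) -> float:
        """Fraction of the time-based lifetime consumed (0.0 when unlimited)."""
        if self.lifetime_sec is None:
            return 0.0
        return (now - self.created_at) / self.lifetime_sec

    def traffic_used(self) -> float:
        """Fraction of the traffic-based lifetime consumed (0.0 when unlimited)."""
        if self.lifetime_kb is None:
            return 0.0
        return self.bytes_processed / (self.lifetime_kb * 1024)

    def is_expired(self, now: float) -> bool:
        """Whichever limit is reached first invalidates the SA."""
        return self.time_used(now) >= 1.0 or self.traffic_used() >= 1.0

    def needs_rekey(self, now: float) -> bool:
        """True while the SA is still valid but within the rekey margin of a limit."""
        threshold = 1.0 - self.rekey_margin
        return (not self.is_expired(now)) and (
            self.time_used(now) >= threshold or self.traffic_used() >= threshold)


if __name__ == "__main__":
    # Local global duration as set in the manual's examples: 7200 s / 10000 KB.
    local = effective_lifetime(None, (7200, 10000))
    agreed = negotiated_lifetime(local, (3600, 20000))   # peer proposes 3600 s / 20000 KB
    sa = IpsecSa(created_at=0, lifetime=agreed)
    sa.account(9500 * 1024)
    print("agreed lifetime:", agreed, "rekey needed:", sa.needs_rekey(100))
```

Because the smaller value wins per type, the negotiated lifetime can mix the local time limit with the peer's traffic limit or vice versa, so the values seen in display ipsec sa need not equal either side's configuration.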

Example

# Set the global SA duration to 2 hours.


[Quidway] ipsec sa global-duration time-based 7200

# Set the global SA duration to 10M bytes transmitted.


[Quidway] ipsec sa global-duration traffic-based 10000

4.1.16 pfs

Syntax

pfs { dh-group1 | dh-group2 }

undo pfs

View

IPSec policy view, IPSec policy template view

Parameter

dh-group1: Specifies that the 768-bit Diffie-Hellman group is used.

dh-group2: Specifies that the 1024-bit Diffie-Hellman group is used.

Description

Using the pfs command, you can set the Perfect Forward Secrecy (PFS) feature for the
IPSec policy to initiate the negotiation. Using the undo pfs command, you can set not
to use the PFS feature during the negotiation.

By default, no PFS feature is used.

The command is used to add a PFS exchange process when IPSec uses the ipsec
policy to initiate a negotiation. This additional key exchange is performed during the
phase 2 negotiation so as to enhance the communication safety. The DH group
specified by the local and remote ends must be consistent, otherwise the negotiation
will fail.

This command can be used only when the SA is established through IKE negotiation.

For the related commands, see ipsec policy-template, ipsec policy (system view),
ipsec policy (interface view), tunnel local, tunnel remote, sa duration and
proposal.


Example

# Set that PFS must be used when negotiating through ipsec policy shanghai 200.
[Quidway] ipsec policy shanghai 200 isakmp
[Quidway-ipsec-policy-isakmp-shanghai-200] pfs dh-group1

4.1.17 proposal

Syntax

proposal proposal-name1 [ proposal-name2...proposal-name6 ]

undo proposal [ proposal-name ]

View

IPSec policy view, IPSec policy template view

Parameter

proposal-name1,…, proposal-name6: Name of the proposals adopted.

Description

Using the proposal command, you can set the proposal used by the IPSec policy.
Using the undo proposal command, you can cancel the proposal used by the IPSec
policy.

By default, no proposal is used.

Before using this command, the corresponding IPSec proposal must have been
configured.

If set up in manual mode, an SA can only use one proposal. And if a proposal is already
set, it needs to be deleted by using the undo proposal command before a new one
can be set.

If set up in isakmp mode, an SA can use six proposals at most. IKE negotiation will
search for the completely matching proposal at both ends of the security tunnel.

If it is the IPSec template, each template can use six proposals at most, and the IKE
negotiation will search for the completely matching proposal.

For the related commands, see ipsec proposal, ipsec policy(system view), ipsec
policy(interface view), security acl, tunnel local and tunnel remote.


Example

# Set a proposal named prop1 that adopts ESP with the default algorithms, and set
the IPSec policy policy1 100 to use the proposal prop1.
[Quidway] ipsec proposal prop1
[Quidway-ipsec-proposal-prop1] transform esp
[Quidway-ipsec-proposal-prop1] quit
[Quidway] ipsec policy policy1 100 manual
[Quidway-ipsec-policy-manual-policy1-100] proposal prop1

4.1.18 reset ipsec sa

Syntax

reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-addr protocol spi ]

View

User view

Parameter

remote ip-address: Specifies remote address, in dotted decimal format.

policy: Specifies the IPSec policy.

policy-name: Specifies the name of the IPSec policy. The naming rule is: the name is 1
to 15 characters long, case sensitive, and may contain English letters or digits.

seq-number: Optional parameter specifying the sequence number of the ipsec policy.
If no seq-number is specified, the IPSec policy refers to all the policies in the IPSec
policy group named policy-name.

parameters: Defines a Security Association (SA) by its destination address, security
protocol and SPI.

dest-addr: Specifies the destination address in dotted decimal IP address format.

protocol: Specifies the security protocol by entering the keyword ah or esp, case
insensitive. ah indicates the Authentication Header protocol and esp indicates
Encapsulating Security Payload.

spi: Specifies the security parameter index (SPI), ranging from 256 to 4294967295.


Description

Using the reset ipsec sa command, you can delete an SA already set up (manually or
through IKE negotiation). If no parameter (remote, policy, parameters) is specified, all
the SA will be deleted.

An SA is uniquely identified by the triplet of IP address, security protocol and SPI. An
SA can be set up either manually or through Internet Key Exchange (IKE) negotiation.

If an SA set up manually is deleted, the system automatically sets up a new SA
according to the manually configured parameters.

If a packet re-triggers IKE negotiation after an SA set up through IKE negotiation is
deleted, IKE re-establishes an SA through negotiation.

The keyword parameters takes effect only when the SPI of the outbound SA is given.
Because SAs appear in pairs, the inbound SA is also deleted after the outbound SA is
deleted.

For the related command, see display ipsec sa.

Example

# Delete all the SAs.


<Quidway> reset ipsec sa

# Delete an SA whose remote IP address is 10.1.1.2.


<Quidway> reset ipsec sa remote 10.1.1.2

# Delete all the SAs in policy1.


<Quidway> reset ipsec sa policy policy1

# Delete the SA of the ipsec policy with the name policy1 and the serial number 10.
<Quidway> reset ipsec sa policy policy1 10

# Delete an SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is
10000
<Quidway> reset ipsec sa parameters 10.1.1.2 ah 10000

4.1.19 reset ipsec statistics

Syntax

reset ipsec statistics

View

User view


Parameter

none

Description

Using the reset ipsec statistics command, you can clear IPSec message statistics,
and set all the statistics to zero.

For the related command, see display ipsec statistics.

Example

# Clear IPSec message statistics.


<Quidway> reset ipsec statistics

4.1.20 sa authentication-hex

Syntax

sa authentication-hex { inbound | outbound } { ah | esp } hex-key

undo sa authentication-hex { inbound | outbound } { ah | esp }

View

IPSec policy view in manual mode

Parameter

inbound: Configures the authentication-hex parameter for the inbound SA. IPSec
uses the inbound SA for processing the packet in the inbound direction (received).

outbound: Configures the authentication-hex parameter for the outbound SA. IPSec
uses the outbound SA for processing the packet in the outbound direction (sent).

ah: Sets the authentication-hex parameter for the SA using AH. If the IPSec proposal
used by the ipsec policy adopts AH, the ah key word is used here to set the AH relevant
parameter of the SA.

esp: Sets the authentication-hex parameter for the SA using ESP. If the IPSec
proposal used by the ipsec policy adopts ESP, the esp key word is used here to set the
ESP relevant parameter of the SA.

hex-key: Specifies a key for the SA input in the hex format. If MD5 is used, then input a
16-byte key; if SHA1 is used, input a 20-byte key.


Description

Using the sa authentication-hex command, you can set the SA authentication key
manually for an ipsec policy in manual mode. Using the undo sa authentication-hex
command, you can delete the SA authentication key already set.

This command is only used for the ipsec policy in manual mode.

For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameters
manually. IKE will automatically negotiate the SA parameters and establish an SA.

When configuring an SA in manual mode, the SA parameters of the inbound and
outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must match exactly. The
SPI and key of the inbound SA at the local end must be the same as those of the
outbound SA at the remote end, and the SPI and key of the outbound SA at the local
end must be the same as those of the inbound SA at the remote end.

There are two methods for inputting the key: hex and character string. If both a
character string key and a hex key are set, the one set last is adopted. At both
ends of a security tunnel, the key must be input by the same method. If the key is
input as a character string at one end and in hex at the other end, the security
tunnel cannot be set up correctly.

For the related commands, see ipsec policy (system view), ipsec policy (interface
view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 10000 and its key to 0x112233445566778899aabbccddeeff00;
set the SPI of the outbound SA to 20000 and its key to 0xaabbccddeeff001100aabbccddeeff00
in the ipsec policy using AH and MD5.
[Quidway] ipsec proposal prop_ah
[Quidway-ipsec-proposal-prop_ah] transform ah
[Quidway-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[Quidway-ipsec-proposal-prop_ah] quit
[Quidway] ipsec policy tianjin 100 manual
[Quidway-ipsec-policy-manual-tianjin-100] proposal prop_ah
[Quidway-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[Quidway-ipsec-policy-manual-tianjin-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[Quidway-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[Quidway-ipsec-policy-manual-tianjin-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00

4.1.21 sa duration

Syntax

sa duration { traffic-based kilobytes | time-based seconds }

undo sa duration { traffic-based | time-based }

View

IPSec policy view, IPSec policy template view

Parameter

time-based seconds: Time-based SA duration in seconds, ranging from 30 to 604800
seconds. It is 3600 seconds (1 hour) by default.

traffic-based kilobytes: Traffic-based SA duration in kilobytes, ranging from 256 to
4194303 kilobytes. It is 1843200 kilobytes by default.

Description

Using the sa duration command, you can set the SA duration of an ipsec policy. Using
the undo sa duration command, you can cancel the SA duration, i.e., restore the use
of the global SA duration.

When IKE negotiates to establish an SA, if the IPSec policy used is not configured
with its own duration, the system uses the global SA duration to negotiate with the
peer. If the IPSec policy is configured with its own duration, the system uses the
duration of the IPSec policy to negotiate with the peer. When IKE sets up an SA for
IPSec, the shorter of the lifetime set locally and the lifetime proposed by the
remote end is selected.

There are two types of SA duration: time-based (in seconds) and traffic-based (in
kilobytes). With the traffic-based SA duration, the validity of the SA is measured by
the total traffic that this SA may process, and the SA becomes invalid once the set
value is exceeded. Whichever of the two types expires first, the SA becomes invalid.
Before the SA is about to become invalid, IKE negotiates a new SA for IPSec, so a
new SA is ready before the existing one becomes invalid.

The SA duration does not apply to a manually established SA, that is, a manually
established SA will never be invalidated.

For the related commands, see ipsec sa global-duration, ipsec policy (system view),
ipsec policy (interface view), security acl, tunnel local, tunnel remote and
proposal.

Example

# Set the SA duration for the ipsec policy shenzhen 100 to 2 hours, that is, 7200
seconds.
[Quidway] ipsec policy shenzhen 100 isakmp
[Quidway-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200

# Set the SA duration for the ipsec policy shenzhen 100 to 20 Mbytes, that is, the SA
expires when the traffic exceeds 20000 kilobytes.
[Quidway] ipsec policy shenzhen 100 isakmp
[Quidway-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000
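The lifetime rules of this section (the policy's own value over the global default, the shorter of the local and peer values per type, expiry on whichever limit is reached first, and no expiry for a manual SA) as a small Python model. This is an added example, not VRP code; the defaults and ranges are the ones stated above, and the negotiation scenario built on policy shenzhen 100 is constructed.

```python
"""SA lifetime selection and expiry, as described for sa duration.

Added example, not VRP code. Rules modelled: a policy without its own
duration uses the global one; IKE keeps the shorter of the local and peer
values for each type; the SA is invalid as soon as either limit is reached;
a manually keyed SA never expires. Defaults and ranges are those stated in
the manual; the scenario values are constructed.
"""
from dataclasses import dataclass
from typing import Optional

GLOBAL_TIME_S = 3600          # default time-based SA duration (seconds)
GLOBAL_TRAFFIC_KB = 1843200   # default traffic-based SA duration (kilobytes)
TIME_RANGE = (30, 604800)
TRAFFIC_RANGE = (256, 4194303)


@dataclass(frozen=True)
class Lifetime:
    time_s: int
    traffic_kb: int


def policy_lifetime(time_s: Optional[int] = None,
                    traffic_kb: Optional[int] = None) -> Lifetime:
    """Effective lifetime of a policy; an unset type falls back to the global value."""
    if time_s is not None and not TIME_RANGE[0] <= time_s <= TIME_RANGE[1]:
        raise ValueError(f"time-based duration {time_s} outside {TIME_RANGE}")
    if traffic_kb is not None and not TRAFFIC_RANGE[0] <= traffic_kb <= TRAFFIC_RANGE[1]:
        raise ValueError(f"traffic-based duration {traffic_kb} outside {TRAFFIC_RANGE}")
    return Lifetime(GLOBAL_TIME_S if time_s is None else time_s,
                    GLOBAL_TRAFFIC_KB if traffic_kb is None else traffic_kb)


def is_valid_duration(time_s: Optional[int] = None,
                      traffic_kb: Optional[int] = None) -> bool:
    """True if the values lie in the ranges sa duration accepts."""
    try:
        policy_lifetime(time_s, traffic_kb)
        return True
    except ValueError:
        return False


def negotiate(local: Lifetime, peer: Lifetime) -> Lifetime:
    """IKE selects the shorter of the local and proposed values, independently per type."""
    return Lifetime(min(local.time_s, peer.time_s),
                    min(local.traffic_kb, peer.traffic_kb))


def expiry_reason(lifetime: Optional[Lifetime], age_s: int,
                  processed_kb: int) -> Optional[str]:
    """'time', 'traffic' or None; a manual SA (lifetime None) never expires."""
    if lifetime is None:
        return None
    if age_s >= lifetime.time_s:
        return "time"
    if processed_kb >= lifetime.traffic_kb:
        return "traffic"
    return None


# Constructed scenario: policy shenzhen 100 as configured above (7200 s, 20000 KB)
# negotiating with a peer that proposes 3600 s and 50000 KB.
LOCAL = policy_lifetime(time_s=7200, traffic_kb=20000)
PEER = policy_lifetime(time_s=3600, traffic_kb=50000)
NEGOTIATED = negotiate(LOCAL, PEER)   # Lifetime(time_s=3600, traffic_kb=20000)
```

The negotiated result takes the peer's shorter time limit and the local policy's shorter traffic limit, which is why a policy can end up with an effective lifetime that neither side configured as a pair.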

4.1.22 sa encryption-hex

Syntax

sa encryption-hex { inbound | outbound } esp hex-key

undo sa encryption-hex { inbound | outbound } esp

View

IPSec policy view in manual mode

Parameter

inbound: Sets the encryption-hex parameter for the inbound SA. IPSec uses the
inbound SA for processing the packet in the inbound direction (received).

outbound: Sets the encryption-hex parameter for outbound SA. IPSec uses the
outbound SA for processing the packet in the outbound direction (sent).

esp: Sets the encryption-hex parameter for the SA using ESP. If the IPSec proposal
used by the ipsec policy adopts ESP, the esp keyword is used here to set the
ESP-related parameter of the SA.

hex-key: Specifies the key for the SA, input in hex format. When applied in ESP, if DES
is used, input an 8-byte key; if 3DES is used, input a 24-byte key.

Description

Using the sa encryption-hex command, you can set the SA encryption key manually
for an ipsec policy in manual mode. Using the undo sa encryption-hex command,
you can delete the SA encryption key already set.

This command is only used for the ipsec policy in manual mode. It is used to set the SA
parameters manually and establish an SA manually.

For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameters
manually, and this command is invalid. IKE will automatically negotiate the SA
parameters and establish an SA.

When configuring an SA in manual mode, the SA parameters of the inbound and
outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must match exactly. The
SPI and key of the inbound SA at the local end must be the same as those of the
outbound SA at the remote end, and the SPI and key of the outbound SA at the local
end must be the same as those of the inbound SA at the remote end.

For the related commands, see ipsec policy (system view), ipsec policy (interface
view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 10000 and the key to 0x1234567890abcdef; set the
SPI of the outbound SA to 20000 and its key to 0xabcdefabcdef1234 in the ipsec policy
using ESP and DES.
[Quidway] ipsec proposal prop_esp
[Quidway-ipsec-proposal-prop_esp] transform esp
[Quidway-ipsec-proposal-prop_esp] esp encryption-algorithm des
[Quidway-ipsec-proposal-prop_esp] quit
[Quidway] ipsec policy tianjin 100 manual
[Quidway-ipsec-policy-manual-tianjin-100] proposal prop_esp
[Quidway-ipsec-policy-manual-tianjin-100] sa spi inbound esp 10000
[Quidway-ipsec-policy-manual-tianjin-100] sa encryption-hex inbound esp 1234567890abcdef
[Quidway-ipsec-policy-manual-tianjin-100] sa spi outbound esp 20000
[Quidway-ipsec-policy-manual-tianjin-100] sa encryption-hex outbound esp abcdefabcdef1234

4.1.23 sa spi

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

View

IPSec policy view in manual mode

Parameter

inbound: Sets the spi parameter for the inbound SA. IPSec uses the inbound SA for
processing the packet in the inbound direction (received).

outbound: Sets the spi parameter for outbound SA. IPSec uses the outbound SA for
processing the packet in the outbound direction (sent).

ah: Sets the spi parameter for the SA using AH. If the IPSec proposal used by the
ipsec policy adopts AH, the ah keyword is used here to set the SPI of the SA.

esp: Sets the spi parameter for the SA using ESP. If the IPSec proposal used by the
ipsec policy adopts ESP, the esp keyword is used here to set the SPI of the SA.

spi-number: Security Parameter Index (SPI) in the triplet that identifies the SA,
ranging from 256 to 4294967295. The triplet identifying the SA, made up of the SPI,
destination address and protocol number, must be unique.

Description

Using the sa spi command, you can set the SA SPI manually for an ipsec policy in
manual mode. Using the undo sa spi command, you can delete the SA SPI already
set.

This command is only used for the ipsec policy in manual mode. It is used to set the SA
parameters manually and establish an SA manually.

For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameters
manually, and this command is invalid. IKE will automatically negotiate the SA
parameters and establish an SA.

When configuring an SA in manual mode, the SA parameters of the inbound and
outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must match exactly. The
SPI and key of the inbound SA at the local end must be the same as those of the
outbound SA at the remote end, and the SPI and key of the outbound SA at the local
end must be the same as those of the inbound SA at the remote end.

For the related commands, see ipsec policy (system view), ipsec policy (interface
view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 10000 and the SPI of the outbound SA to 20000 in
the ipsec policy using AH and MD5.
[Quidway] ipsec proposal prop_ah
[Quidway-ipsec-proposal-prop_ah] transform ah
[Quidway-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[Quidway-ipsec-proposal-prop_ah] quit
[Quidway] ipsec policy tianjin 100 manual
[Quidway-ipsec-policy-manual-tianjin-100] proposal prop_ah
[Quidway-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[Quidway-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000

4.1.24 sa string-key

Syntax

sa string-key { inbound | outbound } { ah | esp } string-key

undo sa string-key { inbound | outbound } { ah | esp }

View

IPSec policy view in manual mode

Parameter

inbound: Sets the string-key parameter for the inbound SA. IPSec uses the inbound
SA for processing the packet in the inbound direction (received).

outbound: Sets the string-key parameter for the outbound SA. IPSec uses the
outbound SA for processing the packet in the outbound direction (sent).

ah: Sets the string-key parameter for the SA using AH. If the IPSec proposal used
by the ipsec policy adopts AH, the ah keyword is used here to set the string key
of the SA.

esp: Sets the string-key parameter for the SA using ESP. If the IPSec proposal
used by the ipsec policy adopts ESP, the esp keyword is used here to set the
string key of the SA.

string-key: Specifies the key for an SA, input as a character string with a length
ranging from 1 to 256 characters. For any algorithm, you can input a character string
of any length in this range, and the system automatically generates keys meeting the
algorithm's requirements from the input string. For ESP, the system generates the
key for the authentication algorithm and the key for the encryption algorithm at the
same time.

Description

Using the sa string-key command, you can set the SA key manually for an ipsec
policy in manual mode. Using the undo sa string-key command, you can delete the
SA key already set.

This command is only used for the ipsec policy in manual mode. It is used to set the SA
parameters manually and establish an SA manually.

For the ipsec policy in isakmp mode, it is unnecessary to set the SA parameters
manually, and this command is invalid. IKE will automatically negotiate the SA
parameters and establish an SA.

When configuring an SA in manual mode, the SA parameters of the inbound and
outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must match exactly. The
SPI and key of the inbound SA at the local end must be the same as those of the
outbound SA at the remote end, and the SPI and key of the outbound SA at the local
end must be the same as those of the inbound SA at the remote end.

There are two methods for inputting the key: hex and character string. To input a
hexadecimal key, use the sa authentication-hex command. If both a character string
key and a hex key are set, the one set last is adopted. At both ends of a security
tunnel, the key must be input by the same method. If the key is input as a character
string at one end and in hex at the other end, the security tunnel cannot be set up
correctly.

For the related commands, see ipsec policy (system view), ipsec policy (interface
view), security acl, tunnel local, tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 10000 and its key string to abcdef; set the SPI of
the outbound SA to 20000 and its key string to efcdab in the ipsec policy using AH and
MD5.
[Quidway] ipsec proposal prop_ah
[Quidway-ipsec-proposal-prop_ah] transform ah
[Quidway-ipsec-proposal-prop_ah] ah authentication-algorithm md5
[Quidway-ipsec-proposal-prop_ah] quit
[Quidway] ipsec policy tianjin 100 manual
[Quidway-ipsec-policy-manual-tianjin-100] proposal prop_ah
[Quidway-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000
[Quidway-ipsec-policy-manual-tianjin-100] sa string-key inbound ah abcdef
[Quidway-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000
[Quidway-ipsec-policy-manual-tianjin-100] sa string-key outbound ah efcdab
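A configuration check covering the manual-mode rules stated in the sa authentication-hex, sa encryption-hex, sa spi and sa string-key sections: hex key length per algorithm, SPI range, a single key-entry method at both ends, and inbound/outbound mirroring between the two routers. This is an added Python example, not VRP code; the ManualSA model and all sample values are constructed, following the AH/MD5 example above.

```python
"""Consistency checks for manually keyed IPSec SAs.

Added example, not VRP code. It encodes the rules stated for sa spi,
sa authentication-hex, sa encryption-hex and sa string-key: a hex key must
have the length its algorithm needs, both ends must enter the key the same
way, and local inbound must mirror remote outbound (and vice versa).
All sample values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}   # sa authentication-hex key sizes
ENC_KEY_BYTES = {"des": 8, "3des": 24}     # sa encryption-hex key sizes (ESP)
SPI_MIN, SPI_MAX = 256, 4294967295          # sa spi range


@dataclass
class ManualSA:
    """One direction (inbound or outbound) of a manual SA on one router."""
    protocol: str                     # "ah" or "esp"
    spi: int
    auth_algo: Optional[str] = None   # "md5" or "sha1"
    enc_algo: Optional[str] = None    # "des" or "3des" (ESP only)
    auth_hex: Optional[str] = None    # value given to sa authentication-hex
    enc_hex: Optional[str] = None     # value given to sa encryption-hex
    string_key: Optional[str] = None  # value given to sa string-key

    def key_method(self) -> str:
        return "string" if self.string_key is not None else "hex"


def _hex_key_error(label: str, key: str, algo: Optional[str],
                   sizes: Dict[str, int]) -> Optional[str]:
    """Message if a hex key is malformed or the wrong length for its algorithm."""
    if algo not in sizes:
        return f"{label}: unknown or unset algorithm {algo!r}"
    try:
        raw = bytes.fromhex(key)
    except ValueError:
        return f"{label}: not a hex string"
    if len(raw) != sizes[algo]:
        return f"{label}: {algo} needs a {sizes[algo]}-byte key, got {len(raw)} bytes"
    return None


def check_sa(sa: ManualSA) -> List[str]:
    """Validate one SA direction against the parameter rules in the manual."""
    errs: List[str] = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        errs.append(f"spi {sa.spi} outside {SPI_MIN}..{SPI_MAX}")
    has_string = sa.string_key is not None
    if has_string:
        if not 1 <= len(sa.string_key) <= 256:
            errs.append("string-key must be 1..256 characters")
        if sa.auth_hex is not None or sa.enc_hex is not None:
            errs.append("string-key and hex key both set; the device keeps the last one entered")
    if sa.protocol == "ah" and sa.auth_hex is None and not has_string:
        errs.append("AH SA has no authentication key")
    if sa.auth_hex is not None:
        e = _hex_key_error("authentication-hex", sa.auth_hex, sa.auth_algo, AUTH_KEY_BYTES)
        if e:
            errs.append(e)
    if sa.protocol == "esp":
        if sa.enc_hex is None and not has_string:
            errs.append("ESP SA has no encryption key")
        elif sa.enc_hex is not None:
            e = _hex_key_error("encryption-hex", sa.enc_hex, sa.enc_algo, ENC_KEY_BYTES)
            if e:
                errs.append(e)
    elif sa.enc_hex is not None:
        errs.append("encryption-hex applies to ESP only")
    return errs


def _keys(sa: ManualSA) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Key values in comparable form (hex digits compare case-insensitively)."""
    low = lambda k: k.lower() if k else k
    return (low(sa.auth_hex), low(sa.enc_hex), sa.string_key)


def check_tunnel(local_in: ManualSA, local_out: ManualSA,
                 remote_in: ManualSA, remote_out: ManualSA) -> List[str]:
    """Check each SA, then check that the two ends mirror each other."""
    errs: List[str] = []
    for tag, sa in (("local-in", local_in), ("local-out", local_out),
                    ("remote-in", remote_in), ("remote-out", remote_out)):
        errs += [f"{tag}: {e}" for e in check_sa(sa)]
    for tag, a, b in (("local-in vs remote-out", local_in, remote_out),
                      ("local-out vs remote-in", local_out, remote_in)):
        if a.protocol != b.protocol:
            errs.append(f"{tag}: security protocol differs")
        if a.spi != b.spi:
            errs.append(f"{tag}: SPI {a.spi} != {b.spi}")
        if a.key_method() != b.key_method():
            errs.append(f"{tag}: key entered as {a.key_method()} on one end "
                        f"and {b.key_method()} on the other")
        elif _keys(a) != _keys(b):
            errs.append(f"{tag}: key values differ")
    return errs


# Constructed sample: the AH/MD5 policy from the manual's example, mirrored correctly.
K_IN = "112233445566778899aabbccddeeff00"    # 16 bytes, valid for MD5
K_OUT = "aabbccddeeff001100aabbccddeeff00"
LOCAL_IN = ManualSA("ah", 10000, auth_algo="md5", auth_hex=K_IN)
LOCAL_OUT = ManualSA("ah", 20000, auth_algo="md5", auth_hex=K_OUT)
REMOTE_IN = ManualSA("ah", 20000, auth_algo="md5", auth_hex=K_OUT)
REMOTE_OUT = ManualSA("ah", 10000, auth_algo="md5", auth_hex=K_IN)
# Same remote, keyed with sa string-key instead: the manual says this tunnel will not come up.
REMOTE_OUT_STRING = ManualSA("ah", 10000, auth_algo="md5", string_key="abcdef")


def good_tunnel_errors() -> List[str]:
    return check_tunnel(LOCAL_IN, LOCAL_OUT, REMOTE_IN, REMOTE_OUT)


def mismatched_method_errors() -> List[str]:
    return check_tunnel(LOCAL_IN, LOCAL_OUT, REMOTE_IN, REMOTE_OUT_STRING)
```

Running check_tunnel on both routers' intended configuration before typing it in catches the two mistakes this section warns about, a swapped inbound/outbound pair and a hex key on one side against a string key on the other, which otherwise only show up as a tunnel that silently fails to pass traffic.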

4.1.25 security acl

Syntax

security acl acl-number

undo security acl

View

IPSec policy view, IPSec policy template view

Parameter

acl-number: Specifies the number of the access control list used by the ipsec policy,
ranging from 3000 to 3999.

Description

Using the security acl command, you can set the access control list to be used by the
ipsec policy. Using the undo security acl command, you can remove the access
control list used by the ipsec policy.

By default, no ACL is specified for an IPSec policy.

The data flow protected by the IPSec policy is defined by the ACL in this command.
According to the rules in the ACL, IPSec determines which packets need security
protection and which do not. A packet permitted by the access control list is
protected, and a packet denied by the access control list is not protected. Denied
packets are sent out directly without IPSec protection.

For the related commands, see ipsec policy (system view), ipsec policy (interface
view), tunnel local, tunnel remote, sa duration and proposal.

Example

# Set the ipsec policy to use access control list 3001.
[Quidway] acl number 3001
[Quidway-acl-adv-3001] rule permit tcp source 10.1.1.1 0.0.0.255 destination 10.1.1.2 0.0.0.255
[Quidway-acl-adv-3001] quit
[Quidway] ipsec policy beijing 100 manual
[Quidway-ipsec-policy-manual-beijing-100] security acl 3001
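How the security acl decides which packets receive IPSec protection, as an added Python example (not VRP code). It parses rule lines in the form used above, matches them with wildcard masks, and returns "protect" for a permit match and "bypass" otherwise. First match in configuration order and bypass when no rule matches are this example's assumptions; the ACL and packets are constructed.

```python
"""Which packets an IPSec policy protects, as decided by its security acl.

Added example, not VRP code. Rules are matched with wildcard masks (a 1 bit
in the mask means "don't care"), as in the manual's rule
'rule permit tcp source 10.1.1.1 0.0.0.255 destination 10.1.1.2 0.0.0.255'.
A packet matching a permit rule is protected; one matching a deny rule, or
no rule at all, is sent without IPSec protection. First match wins in
configuration order (assumption). ACL and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    protocol: str      # "ip" matches any protocol; otherwise e.g. "tcp", "udp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse 'rule [num] permit|deny proto source A W destination B W'."""
    tok = line.split()
    if tok[0] != "rule":
        raise ValueError(f"not an ACL rule: {line!r}")
    i = 2 if tok[1].isdigit() else 1          # optional rule number
    s, d = tok.index("source"), tok.index("destination")
    return Rule(tok[i], tok[i + 1], tok[s + 1], tok[s + 2], tok[d + 1], tok[d + 2])


def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit that is 0 in the wildcard mask."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def ipsec_action(acl: List[Rule], pkt: Packet) -> str:
    """'protect' on a permit match, 'bypass' on a deny match or when nothing matches."""
    for r in acl:
        if (r.protocol in ("ip", pkt.protocol)
                and wild_match(pkt.src, r.src, r.src_wild)
                and wild_match(pkt.dst, r.dst, r.dst_wild)):
            return "protect" if r.action == "permit" else "bypass"
    return "bypass"


# Constructed ACL 3001: one host is excluded first, then the manual's subnet rule.
ACL_3001 = [parse_rule(line) for line in (
    "rule deny ip source 10.1.1.200 0.0.0.0 destination 10.1.1.2 0.0.0.255",
    "rule permit tcp source 10.1.1.1 0.0.0.255 destination 10.1.1.2 0.0.0.255",
)]


def classify(acl: List[Rule], pkts: List[Packet]) -> List[str]:
    """Decision for each packet, in order."""
    return [ipsec_action(acl, p) for p in pkts]
```

Note that the subnet rule only covers TCP, so UDP between the same hosts leaves the router in the clear; reviewing an IPSec ACL means checking which flows fall through to bypass, not only which ones are permitted.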

4.1.26 transform

Syntax

transform { ah | ah-esp | esp }

undo transform

View

IPSec proposal view

Parameter

ah: Uses the AH protocol specified in RFC 2402.

ah-esp: Uses ESP specified in RFC 2406 to protect the packets and then uses the AH
protocol specified in RFC 2402 to authenticate the packets.

esp: Uses ESP specified in RFC 2406.

Description

Using the transform command, you can set a security protocol used by a proposal.
Using the undo transform command, you can restore the default security protocol.

By default, esp, that is, the ESP specified in RFC2406 is used.

If ESP is adopted, the default encryption algorithm is DES and the authentication
algorithm is MD5.

If AH is adopted, the default authentication algorithm is MD5.

If the parameter ah-esp is specified, the default authentication algorithm for AH is MD5
and the default encryption algorithm for ESP is DES without authentication.

The AH protocol provides data authentication, data integrity checking and anti-replay
protection.

The ESP protocol provides data authentication, data integrity checking, anti-replay
protection and data encryption.

When establishing an SA manually, the proposals used by the ipsec policies at both
ends of the security tunnel must be set to use the same security protocol.

The following figure illustrates the data encapsulation formats of different security
protocols in the transport mode and the tunnel mode.

Security protocol   Transport mode                    Tunnel mode
ah                  IP | AH | data                    IP | AH | IP | data
esp                 IP | ESP | data | ESP-T           IP | ESP | IP | data | ESP-T
ah-esp              IP | AH | ESP | data | ESP-T      IP | AH | ESP | IP | data | ESP-T

Figure 4-1 Data encapsulation formats of security protocols

"data" in the figure is the original IP datagram.

For the related commands, see ah authentication-algorithm, ipsec proposal, esp
encryption-algorithm, esp authentication-algorithm, encapsulation-mode and
proposal.

Example

# Set a proposal using AH.
[Quidway] ipsec proposal prop1
[Quidway-ipsec-proposal-prop1] transform ah

4.1.27 tunnel local

Syntax

tunnel local ip-address

undo tunnel local

View

IPSec policy view in manual mode

Parameter

ip-address: Local address in dotted decimal format.

Description

Using the tunnel local command, you can set the local address of an ipsec policy.
Using the undo tunnel local command, you can delete the local address set in the
ipsec policy.

By default, the local address of an ipsec policy is not configured.

It is not necessary to set a local address for an ipsec policy in isakmp mode, so this
command is invalid in this situation. IKE can automatically obtain the local address from
the interface where this ipsec policy is applied.

As for the ipsec policy in manual mode, it is necessary to set the local address before
the SA can be established. A security tunnel is set up between the local and remote end,
so the local address and remote address must be correctly configured before a security
tunnel can be set up.

For the related commands, see ipsec policy (system view), ipsec policy (interface
view), security acl, tunnel remote, sa duration and proposal.

Example

# Set the local address for the ipsec policy, which is applied to interface Serial 4/1/2
whose IP address is 10.0.0.1.
[Quidway] ipsec policy guangzhou 100 manual
[Quidway-ipsec-policy-manual-guangzhou-100] tunnel local 10.0.0.1
[Quidway-ipsec-policy-manual-guangzhou-100] quit
[Quidway] interface serial 4/1/2
[Quidway-if-Serial4/1/2] ipsec policy guangzhou

4.1.28 tunnel remote

Syntax

tunnel remote ip-address

undo tunnel remote [ ip-address ]

View

IPSec policy view in manual mode

Parameter

ip-address: Remote address in dotted decimal format.

Description

Using the tunnel remote command, you can set the remote address of an ipsec policy.
Using the undo tunnel remote command, you can delete the remote address in the
ipsec policy.

By default, the remote address of an ipsec policy is not configured.

For the ipsec policy in manual mode, only one remote address can be set. If a remote
address is already set, this existing address must be deleted before a new one can be
set.

The security tunnel is established between the local and remote ends. The remote
address must be set correctly on both ends of the security tunnel.

For the related commands, see ipsec policy (system view), ipsec policy (interface
view), security acl, tunnel local, sa duration and proposal.

Example

# Set the remote address of the ipsec policy to 10.1.1.2.
[Quidway] ipsec policy shanghai 10 manual
[Quidway-ipsec-policy-manual-shanghai-10] tunnel remote 10.1.1.2

4.2 Encryption Card Configuration Commands

4.2.1 debugging encrypt-card

Syntax

debugging encrypt-card { all | command | error | misc | packet | sa } [ slot-id ]

debugging encrypt-card host { all | command | error | misc | packet | sa }

View

Any view

Parameter

all: Enables all debugging on the encryption card.

command: Enables command debugging on the encryption card.

error: Enables error debugging on the encryption card.

misc: Enables other debugging on the encryption card.

packet: Enables packet debugging on the encryption card.

sa: Enables security association (SA) debugging on the encryption card.

host: Enables host debugging on the encryption card.

slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is in the format x/y/z, where x is the slot number on the router and y and z
are fixed to 0 for the encryption card. If you do not specify this parameter, the
operation applies to all encryption cards.

Description

Using the debugging encrypt-card command, you can enable debugging on the
encryption card. Using the undo debugging encrypt-card command, you can disable
debugging on the encryption card.

The command is only available on the encryption card.

Example

# Enable command debugging on the encryption card at slot 5/0/0.
[Router] debugging encrypt-card command 5/0/0

debugging ipsec

Syntax

debugging ipsec { all | sa | packet [ policy policy-name [ seq-number ] |
parameters ip-address protocol spi-number ] | misc }

undo debugging ipsec { all | sa | packet [ policy policy-name [ seq-number ] |
parameters ip-address protocol spi-number ] | misc }

View

User view

Parameter

all: Displays all debugging information.

sa: Displays debugging information of SA.

packet: Displays debugging information of IPSec packets.

policy policy-name: Displays debugging information of the IPSec policy whose name is
policy-name.

seq-number: Displays debugging information of the IPSec policy whose sequence
number is seq-number.

parameters: Displays debugging information of an SA whose remote address is
ip-address, security protocol is protocol, and SPI is spi-number.

misc: Displays other debugging information of IPSec.

Description

Using the debugging ipsec command, you can turn IPSec debugging on. Using the
undo debugging ipsec command, you can turn IPSec debugging off.

By default, IPSec debugging is off.

Example

# Enable IPSec SA debugging.
<Quidway> debugging ipsec sa

4.2.2 display encrypt-card sa

Syntax

display encrypt-card sa [ slot-id ]

View

Any view

Parameter

slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is in the format x/y/z, where x is the slot number on the router and y and z
are fixed to 0 for the encryption card. If you do not specify this parameter, the
operation applies to all encryption cards.

Description

Using the display encrypt-card sa command, you can view SA information.

The command is only available on the encryption card.

The following information is displayed: SA proposal name, local address, remote
address, remaining SA key duration, Security Parameter Index (SPI), slot ID and
other similar information.

Example

# Display all SA information on the encryption card at slot 5/0/0.
[Router] display encrypt-card sa 5/0/0
AH SAs
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.2
remote address: 20.0.0.1
sa remaining key duration (bytes/sec): 1887435992/2401
spi: 1081108020 (0x40706634)
Uses Encrypt5/0

ESP SAs
proposal: ESP-ENCRYPT-3DES
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.2
remote address: 20.0.0.1
sa remaining key duration (bytes/sec): 1887436136/2401
spi: 891512401 (0x35236651)
Uses Encrypt5/0/0

ESP SAs
proposal: ESP-ENCRYPT-3DES
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.1
remote address: 20.0.0.2
sa remaining key duration (bytes/sec): 1887436532/2401
spi: 3024247997 (0xb4425cbd)
Uses Encrypt5/0/0

AH SAs
proposal: ESP-AUTH-SHA1HMAC96
local address: 20.0.0.1
remote address: 20.0.0.2
sa remaining key duration (bytes/sec): 1887436464/2401
spi: 2937733563 (0xaf1a41bb)
Uses Encrypt5/0/0

4.2.3 display encrypt-card statistics

Syntax

display encrypt-card statistics [ slot-id ]

View

Any view

Parameter

slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is in the format x/y/z, where x is the slot number on the router and y and z
are fixed to 0 for the encryption card. If you do not specify this parameter, the
operation applies to all encryption cards.

Description

Using the display encrypt-card statistics command, you can view statistics on the
encryption cards.

The command is only available on the encryption card.

The statistics include the processing information of ESP/AH packets on the encryption
card, as shown in the following example.

If the slot ID you type is greater than the number of available slots on the router, the
error message "Invalid encrypt-card slot-id" is displayed.

For the related command, see reset encrypt-card statistic.

Example

# Display the statistics on the encryption card at slot 5/0/0.
[Router] display encrypt-card statistics 5/0/0
Encrypt5/0/0 security packets statistics :
input/output security packets: 8/4
input/output security bytes: 1472/604
dropped security packet detail:
no enough memory: 0
can't find SA: 0
queue is full: 0
authentication is failed: 0
wrong length: 0
replay packet: 0
too long packet: 0
wrong SA: 0
invalid proposal: 0
invalid protocol: 0
buffer error: 0
wrap error: 0
crypto error: 0
pad error: 0
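A parser for the display encrypt-card statistics output shown above, as an added Python example (not VRP code). It turns the counters into a structured record and reports the non-zero drop reasons. The sample text is the output above with two counters raised (constructed); the split into integrity-related and capacity-related drop reasons is this example's own grouping, chosen so that authentication failures and replayed packets stand out from resource exhaustion when the output is collected periodically.

```python
"""Parse 'display encrypt-card statistics' output and flag non-zero drop counters.

Added example, not VRP code. Counter names are those shown in the manual;
the integrity/capacity grouping is this example's own. SAMPLE is the
manual's output with two counters raised (constructed).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Drops that point at tampered, replayed or mis-keyed traffic ...
INTEGRITY_DROPS = {"authentication is failed", "replay packet", "wrong SA",
                   "can't find SA", "invalid proposal", "invalid protocol", "pad error"}
# ... versus drops that point at resource or buffer problems on the card.
CAPACITY_DROPS = {"no enough memory", "queue is full", "too long packet", "wrong length",
                  "buffer error", "wrap error", "crypto error"}

SAMPLE = """\
Encrypt5/0/0 security packets statistics :
input/output security packets: 8/4
input/output security bytes: 1472/604
dropped security packet detail:
no enough memory: 0
can't find SA: 0
queue is full: 0
authentication is failed: 3
wrong length: 0
replay packet: 12
too long packet: 0
wrong SA: 0
invalid proposal: 0
invalid protocol: 0
buffer error: 0
wrap error: 0
crypto error: 0
pad error: 0
"""

_CARD = re.compile(r"^(\S+) security packets statistics")
_IO = re.compile(r"^input/output security (packets|bytes): (\d+)/(\d+)$")


@dataclass
class CardStats:
    card: str = ""
    packets_in: int = 0
    packets_out: int = 0
    bytes_in: int = 0
    bytes_out: int = 0
    drops: Dict[str, int] = field(default_factory=dict)


def parse_statistics(text: str) -> CardStats:
    """Read card name, packet/byte totals and the {reason: count} drop table."""
    stats = CardStats()
    in_drops = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CARD.match(line)
        if m:
            stats.card = m.group(1)
            continue
        m = _IO.match(line)
        if m:
            setattr(stats, f"{m.group(1)}_in", int(m.group(2)))
            setattr(stats, f"{m.group(1)}_out", int(m.group(3)))
            continue
        if line.startswith("dropped security packet detail"):
            in_drops = True
            continue
        if in_drops:
            name, sep, value = line.rpartition(":")
            if sep and value.strip().isdigit():
                stats.drops[name.strip()] = int(value)
    return stats


def drop_findings(stats: CardStats) -> List[Tuple[str, str, int]]:
    """(kind, reason, count) for every non-zero drop counter, sorted for stable output."""
    found = []
    for reason, count in stats.drops.items():
        if count == 0:
            continue
        kind = ("integrity" if reason in INTEGRITY_DROPS
                else "capacity" if reason in CAPACITY_DROPS else "other")
        found.append((kind, reason, count))
    return sorted(found)


def sample_findings() -> List[Tuple[str, str, int]]:
    return drop_findings(parse_statistics(SAMPLE))
```

Because the counters are cumulative, the useful signal is the difference between two collections rather than the absolute value; a steadily growing "replay packet" or "authentication is failed" count on an otherwise healthy card is worth correlating with the peer's SA state before assuming a key mismatch.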

4.2.4 display encrypt-card syslog

Syntax

display encrypt-card syslog [ slot-id ]

View

Any view

Parameter

slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is in the format x/y/z, where x is the slot number on the router and y and z
are fixed to 0 for the encryption card. If you do not specify this parameter, the system
displays the log of all encryption cards.

Description

Using the display encrypt-card syslog command, you can view the current system
log on the encryption cards.

The command is only available on the encryption card.

If the slot ID you type is greater than the number of available slots on the router, the
error message "Invalid encrypt-card slot-id" is displayed.

For the related command, see encrypt-card set syslog.

Example

# Display the system log on the encryption card at slot 5/0/0.
[Router] display encrypt-card syslog 5/0/0
Date: 2004-03-27, Time: 11:45 Encrypt5/0/0 : receive time config cmd.
Date: 2004-03-27, Time: 11:50 Encrypt5/0/0 : receive add tdb cmd.
Date: 2004-03-27, Time: 11:50 Encrypt5/0/0 : receive add tdb cmd.
Date: 2004-03-27, Time: 11:50 Encrypt5/0/0 : receive link tdb cmd.
Date: 2004-03-27, Time: 11:50 Encrypt5/0/0 : receive add tdb cmd.
Date: 2004-03-27, Time: 11:50 Encrypt5/0/0 : receive add tdb cmd.
Date: 2004-03-27, Time: 11:50 Encrypt5/0/0 : receive link tdb cmd.

4.2.5 display interface encrypt

Syntax

display interface encrypt [ slot-id ]

View

Any view

Parameter

slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is in the format x/y/z, where x is the slot number on the router and y and z
are fixed to 0 for the encryption card. If you do not specify this parameter, the
operation applies to all encryption cards.

Description

Using the display interface encrypt command, you can view the information about the
ports on the encryption cards.

The command is only available on the encryption card.

With this command, you can view the status of the encryption card, the total number
of packets transmitted or received on it, the maximum number of packets dropped per
second, and the statistics for the last five seconds.

For the related command, see interface encrypt.

Example

# Display the port information on the encryption card at slot 5/0/0.
[Router] display interface Encrypt 5/0/0
Description : Encrypt5/0/0 Interface
Protocol Status: READY
Driver Status : READY
Total Statistics
Packets sent to card : 10
Packets received from card : 9
Bytes sent to card : 1216
Bytes received from card : 584
Dropped packets : 0
Statistics during last 5 seconds
Packets sent to card : 0
Packets received from card : 0
Bytes sent to card : 0
Bytes received from card : 0
Dropped packets : 0

4.2.6 encrypt-card backuped

Syntax

encrypt-card backuped

undo encrypt-card backuped

View

Any view

Parameter

None

Description

Using the encrypt-card backuped command, you can enable the backup function for
the encryption card. Using the undo encrypt-card backuped command, you can
disable the backup function for the encryption card.

This command is only available on the encryption card.

For an IPSec SA implemented by the encryption card, IPSec processing is done by the
card while the card is working normally. If the card fails, the backup function is
enabled on the card, and the encryption/authentication algorithms selected for the SA
are supported by the IPSec module on the VRP platform, IPSec processing is taken
over by the IPSec module on the VRP platform. If the selected algorithms are not
supported by the IPSec module, the system drops the packets.

Example

# Enable the backup function for the encryption card.
[Router] encrypt-card backuped

4.2.7 interface encrypt

Syntax

interface encrypt [ slot-id ]

View

System view

Parameter

slot-id: Slot ID of the encryption card, whose range depends on the number of slots on
the router. It is in the format x/y/z, where x is the slot number on the router and y and z
are fixed to 0 for the encryption card.

Description

Using the interface encrypt command, you can enter encryption card interface mode.

This command is only available on the encryption card.

In encryption card interface mode, you can only use the shutdown and undo
shutdown commands, which shut down and bring up the encryption card respectively.

Example

# Enter the interface mode of the encryption card at slot 5/0/0.
[Router] interface encrypt 5/0/0
[Router-Encrypt5/0/0]

4.2.8 ipsec card-proposal

Syntax

ipsec card-proposal proposal-name

undo ipsec card-proposal proposal-name

View

System view

Parameter

proposal-name: Name of the SA proposal view, a string of less than 32 characters. It is
case-sensitive.

Description

Using the ipsec card-proposal command, you can create an SA proposal for the
encryption card and enter the corresponding view. Using the undo ipsec
card-proposal command, you can delete an SA proposal of the encryption card.


This command is used in encryption card SA proposal view (where the corresponding
encryption/decryption/authentication is implemented on the encryption card). The host
software also supports the host proposal view (the ipsec proposal command), in which
encryption/decryption/authentication is implemented by the host. In encryption card SA
proposal view you can additionally specify the slot ID of the encryption card for the SA
proposal with the use encrypt-card command; all other configuration is identical to
that of the ipsec proposal command.

After completing SA proposal configuration, you need to return to system view using the
quit command, so that you can initiate other configuration.

Example

# Create the SA proposal “card” using the encryption card at slot 5/0/0, and configure
the security protocol and the authentication and encryption algorithms.
[Router] ipsec card-proposal card
[Router-ipsec-card-proposal-card] use encrypt-card 5/0/0
[Router-ipsec-card-proposal-card] transform ah-esp
[Router-ipsec-card-proposal-card] ah authentication-algorithm sha1
[Router-ipsec-card-proposal-card] esp authentication-algorithm sha1
[Router-ipsec-card-proposal-card] esp encryption-algorithm 3des
[Router-ipsec-card-proposal-card] quit
[Router]

4.2.9 reset counters encrypt

Syntax

reset counters encrypt [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of the encryption card; its range depends on the number of slots on the
router. It is in three-part x/y/z format, where x is the slot number on the router and y
and z are fixed to 0 for the encryption card.

Description

Using the reset counters encrypt command, you can clear the statistics on the
encryption card.


This command is only available on the encryption card.

The statistics accumulate from the time the encryption card starts normal operation,
whereas fault analysis during system debugging usually needs the statistics for a
specific period. You may therefore reset the existing statistics and then collect the
statistics for the required period.

For the related commands, see ipsec card-proposal and display encrypt-card sa.

Example

# Clear the statistics on the encryption card in slot 5/0/0.
<Router> reset counters encrypt 5/0/0

4.2.10 reset encrypt-card sa

Syntax

reset encrypt-card sa [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of the encryption card; its range depends on the number of slots on the
router. It is in three-part x/y/z format, where x is the slot number on the router and y
and z are fixed to 0 for the encryption card.

Description

Using the reset encrypt-card sa command, you can clear the SAs on the encryption
card.

This command is only available on the encryption card.

You may need to clear the SA database information stored on the encryption card, to
output only the required information during debugging.

For the related commands, see ipsec card-proposal and display encrypt-card sa.

Example

# Clear the SAs on the encryption card in slot 5/0/0.
<Router> reset encrypt-card sa 5/0/0


4.2.11 reset encrypt-card statistics

Syntax

reset encrypt-card statistics [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of the encryption card; its range depends on the number of slots on the
router. It is in three-part x/y/z format, where x is the slot number on the router and y
and z are fixed to 0 for the encryption card.

Description

Using the reset encrypt-card statistics command, you can clear the statistics during
processing of the encryption card.

This command is only available on the encryption card.

The statistics record all the protocol processing information from the last rebooting,
including counts of incoming/outgoing ESP/AH packets, dropped packets, failed
authentications, erroneous SAs, invalid SA proposals, invalid protocols.

For the related command, see display encrypt-card statistic.

Example

# Clear the processing statistics on the encryption card in slot 5/0/0.
<Router> reset encrypt-card statistics 5/0/0

4.2.12 reset encrypt-card syslog

Syntax

reset encrypt-card syslog [ slot-id ]

View

User view


Parameter

slot-id: Slot ID of the encryption card; its range depends on the number of slots on the
router. It is in three-part x/y/z format, where x is the slot number on the router and y
and z are fixed to 0 for the encryption card.

Description

Using the reset encrypt-card syslog command, you can clear all the logging
information on the encryption card.

This command is only available on the encryption card.

The encryption card keeps its entire logging history, and every query reports all of it,
including obsolete entries, which makes monitoring the log and locating a fault harder.
You may therefore need to clear the log buffer of the encryption card.

For the related commands, see display encrypt-card syslog.

Example

# Clear all the logging information on the encryption card in slot 5/0/0.
<Router> reset encrypt-card syslog 5/0/0

4.2.13 snmp-agent trap enable encrypt-card

Syntax

snmp-agent trap enable encrypt-card

undo snmp-agent trap enable encrypt-card

View

System view

Parameter

None

Description

Using the snmp-agent trap enable encrypt-card command, you can enable the SNMP
agent trap function on the encryption card. Using the undo snmp-agent trap enable
encrypt-card command, you can disable the SNMP agent trap function on the card.

Combined with the appropriate NM configuration, the trap function allows you to view
information about card rebooting, status transitions and packet-loss handling on the
console of the NM station or the router.

Example

# Enable the trap function on the encryption card.


[Router] snmp-agent trap enable encrypt-card

4.2.14 use encrypt-card

Syntax

use encrypt-card [ slot-id ]

undo use encrypt-card [ slot-id ]

View

Card SA proposal view

Parameter

slot-id: Slot ID of the encryption card; its range depends on the number of slots on the
router. It is in three-part x/y/z format, where x is the slot number on the router and y
and z are fixed to 0 for the encryption card.

Description

Using the use encrypt-card command, you can specify that the SA proposal uses the
encryption card in a designated slot. Using the undo use encrypt-card command, you
can remove the configuration.

One SA proposal can only be processed by a single encryption card, but one single
encryption card can process different SA proposals.

For the related command, see ipsec card-proposal.

Example

Refer to the example of the ipsec card-proposal command.


Chapter 5 IKE Configuration Commands

5.1 IKE Configuration Commands

5.1.1 authentication-algorithm

Syntax

authentication-algorithm { md5 | sha }

undo authentication-algorithm

View

IKE proposal view

Parameter

md5: Selects the authentication algorithm: HMAC-MD5.

sha: Selects the authentication algorithm: HMAC-SHA1.

Description

Using the authentication-algorithm command, you can select the authentication
algorithm for an IKE proposal. Using the undo authentication-algorithm command,
you can restore the authentication algorithm for an IKE proposal to the default.

By default, HMAC-SHA1 authentication algorithm is used.

For the related commands, see ike proposal, display ike proposal.

Example

# Set HMAC-MD5 as the authentication algorithm for IKE proposal 10.


[Quidway] ike proposal 10
[Quidway-ike-proposal-10] authentication-algorithm md5

5.1.2 authentication-method


Syntax

authentication-method { pre-share | rsa-signature }

undo authentication-method

View

IKE proposal view

Parameter

pre-share: Specifies the pre-shared key authentication as the Internet Key Exchange
(IKE) proposal authentication method.

rsa-signature: Specifies RSA signature authentication using PKI digital certificates.

Description

Using the authentication-method command, you can select the authentication
method used by an IKE proposal. Using the undo authentication-method command,
you can restore the authentication method used by an IKE proposal to the default.

By default, the authentication method used by an IKE proposal is pre-shared key
authentication.

You can specify an authentication method for an IKE policy. So far, two methods are
available: pre-shared key and PKI (rsa-signature).

An authentication key must be configured in order to adopt the pre-shared key
authentication method.

For the related commands, see ike pre-shared-key, ike proposal, display ike
proposal, pki domain, and pki entity.

Note:
For more information on configuring PKI, refer to “PKI Configuration” in this manual.

Example

# Specify pre-shared key authentication as the authentication method for IKE proposal
10.
[Quidway] ike proposal 10
[Quidway-ike-proposal-10] authentication-method pre-share


5.1.3 debugging ike

Syntax

debugging ike { all | error | exchange | message | misc | transport }

undo debugging ike { all | error | exchange | message | misc | transport }

View

User view

Parameter

all: All IKE debugging functions.

error: IKE error debugging information.

exchange: IKE exchange mode debugging information.

message: IKE message debugging information.

misc: All the other IKE debugging information.

transport: IKE transport debugging information.

Description

Using the debugging ike command, you can enable IKE debugging. Using the undo
debugging ike command, you can disable IKE debugging.

By default, IKE debugging is disabled.

Example

# Enable IKE error debugging.


<Quidway> debugging ike error

5.1.4 dh

Syntax

dh { group1 | group2 }

undo dh

View

IKE proposal view


Parameter

group1: Selects group1, that is, the 768-bit Diffie-Hellman group.

group2: Selects group2, that is, the 1024-bit Diffie-Hellman group.

Description

Using the dh command, you can select the Diffie-Hellman group for an IKE proposal.
Using the undo dh command, you can restore the Diffie-Hellman group for an IKE
proposal to the default.

By default, group1, that is, 768-bit Diffie-Hellman group is used.

For the related commands, see ike proposal, display ike proposal.

Example

# Specify 768-bit Diffie-Hellman for IKE proposal 10.


[Quidway] ike proposal 10
[Quidway-ike-proposal-10] dh group1

5.1.5 display ike proposal

Syntax

display ike proposal

View

Any view

Parameter

none

Description

Using the display ike proposal command, you can view the parameters configured for
each IKE proposal.

This command shows IKE proposals in the sequence of the priority.

For the related commands, see authentication-method, ike proposal,
encryption-algorithm, authentication-algorithm, dh and sa duration.


Example

# View the IKE proposal information after two IKE proposals are configured.
[Quidway] display ike proposal
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
---------------------------------------------------------------------------
10        PRE_SHARED      SHA             DES_CBC     MODP_1024       5000
11        PRE_SHARED      MD5             DES_CBC     MODP_768        50000
default   PRE_SHARED      SHA             DES_CBC     MODP_768        86400

5.1.6 display ike sa

Syntax

display ike sa

View

Any view

Parameter

none

Description

Using the display ike sa command, you can view the current security tunnels
established by IKE.

For the related command, see ike proposal.

Example

# View the security tunnels established by IKE.


[Quidway] display ike sa
conn-id  remote      flag   phase  doi
1        202.38.0.2  RD|ST  1      IPSEC
2        202.38.0.2  RD|ST  2      IPSEC
flag meaning:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

The descriptions of the items displayed are listed in the following table.


Table 5-1 Display information of IKE SA

Item     Description
conn-id  Security channel ID
remote   Remote IP address of this SA
flag     Status of this SA:
         RD (READY) means this SA has been established successfully.
         ST (STAYALIVE) means that the SA duration has been negotiated, and this SA
         will be refreshed at a fixed interval.
         RL (REPLACED) means that this SA has been replaced by a new one, and will
         be deleted automatically after a period of time.
         FD (FADING) means this SA has reached its soft timeout but is still in use,
         and will be deleted at the hard timeout.
         TO (TIMEOUT) means this SA has not received any keepalive packet since the
         previous keepalive timeout occurred. If it receives no keepalive packet before
         the next keepalive timeout occurs, this SA will be deleted.
phase    Phase of the SA:
         Phase 1: the phase of establishing a security channel for communication;
         the ISAKMP SA is established in this phase.
         Phase 2: the phase of negotiating the security service; the IPSec SA is
         established in this phase.
doi      Domain of Interpretation

5.1.7 encryption-algorithm

Syntax

encryption-algorithm { des-cbc | 3des-cbc }

undo encryption-algorithm

View

IKE proposal view

Parameter

des-cbc: Selects the 56-bit DES-CBC encryption algorithm for an IKE proposal. The DES
algorithm uses 56-bit keys for encryption.

3des-cbc: Sets the encryption algorithm to the 3DES algorithm in CBC mode. The
3DES algorithm uses 168-bit keys for encryption.


Description

Using the encryption-algorithm command, you can specify the encryption algorithm for
an IKE proposal. Using the undo encryption-algorithm command, you can restore the
default.

By default, 56-bit DES-CBC encryption algorithm is used.

For the related commands, see ike proposal and display ike proposal.

Example

# Specify the 56-bit DES-CBC encryption algorithm for IKE proposal 10.
[Quidway] ike proposal 10
[Quidway-ike-proposal-10] encryption-algorithm des-cbc

5.1.8 exchange-mode

Syntax

exchange-mode [ aggressive | main ]

undo exchange-mode

View

IKE-peer view

Parameter

aggressive: Aggressive mode.

main: Main mode.

Description

Using the exchange-mode command, you can select an IKE negotiation mode. Using
the undo exchange-mode command, you can restore the default negotiation mode.
By default, main mode is adopted.

In main mode, you can only use the IP address to perform IKE negotiation and create an
SA. It applies to the situation in which both ends of a tunnel have fixed IP addresses.

In aggressive mode, you can use either the IP address or a name to perform IKE
negotiation and create an SA. If the user at one end of a security tunnel obtains its IP
address automatically (for example, a dial-up user), the IKE negotiation mode must be
set to aggressive. In this case, you can create an SA as long as the username and
password are correct.

For the related command, see id-type.

Example

# Adopt the main mode for IKE negotiation.


[Router] ike peer new_peer
[Router-ike-peer-new_peer] exchange-mode main

5.1.9 id-type

Syntax

id-type [ ip | name ]

undo id-type

View

IKE-peer view

Parameter

ip: Selects IP address as the ID used in IKE negotiation.

name: Selects name as the ID used in IKE negotiation.

Description

Using the id-type command, you can select the type of ID used in IKE negotiation.
Using the undo id-type command, you can restore the default setting. By default, IP
address is the ID used in IKE negotiation.

In main mode, you can only use IP address to perform IKE negotiation and to create an
SA.

In aggressive mode, you can use either the IP address or a name to perform IKE
negotiation and to create an SA.

For the related command, see ike local-name.

Example

# Set name as the ID used in IKE negotiation.


[Router] ike peer new_peer
[Router-ike-peer-new_peer] id-type name

5.1.10 ike local-name

Syntax

ike local-name name

undo ike local-name

View

System view

Parameter

name: Name of the local GW in IKE negotiation, which contains 1 to 32 characters.

Description

Using the ike local-name command, you can set the name of the local GW. Using the
undo ike local-name command, you can restore the default name of the local GW. By
default, router name is used as the name of the local GW.

If the initiator uses the GW name to perform IKE negotiation (id-type name is used),
you must configure the ike local-name command on the local device.

For the related command, see remote-name.

Example

# Identify the local GW by the configured name “beijing_VPN”.


[Router] ike local-name beijing_VPN

5.1.11 ike peer (system view)

Syntax

ike peer peer-name

undo ike peer peer-name

View

System view


Parameter

peer-name: IKE peer name, which can be a string of up to 15 characters.

Description

Using the ike peer command, you can configure an IKE peer and access IKE-peer view.
Using the undo ike peer command, you can delete an IKE peer.

Example

# Configure an IKE peer “new_peer” and access its view.


[Router] ike peer new_peer
[Router-ike-peer-new_peer]

5.1.12 ike peer (IPSec policy view, IPSec policy template view)

Syntax

ike peer peer-name

undo ike peer peer-name

View

IPSec policy view, IPSec policy template view

Parameter

peer-name: IKE peer name, which is a string of up to 15 characters.

Description

Using the ike peer command, you can quote an IKE peer in an IPSec policy or IPSec
policy template. Using the undo ike peer command, you can remove the quoted IKE
peer from the IPSec policy or IPSec policy template.

For the related command, see ipsec policy.

Example

# Quote an IKE peer in the IPSec policy.


[Router-ipsec-policy-isakmp-policy-10] ike peer new_peer

5.1.13 ike proposal


Syntax

ike proposal proposal-number

undo ike proposal proposal-number

View

System view

Parameter

proposal-number: IKE proposal number, ranging from 1 to 100. This value also stands
for the priority: a smaller value stands for a higher priority. When performing an IKE
negotiation, the system matches IKE proposals by proposal number, the one with the
smallest proposal number first.

Description

Using the ike proposal command, you can define an IKE proposal. Using the undo ike
proposal command, you can delete an IKE proposal.

The system provides a default IKE proposal with the lowest priority.

Executing this command in system view enters the IKE proposal view, where you can
set parameters such as the authentication method, encryption algorithm, authentication
algorithm, DH group ID, and SA duration for this IKE proposal using the
authentication-method, encryption-algorithm, authentication-algorithm, dh, and
sa duration commands.

The Default IKE proposal has the following default parameters:

Encryption algorithm: DES-CBC

Authentication algorithm: HMAC-SHA1

Authentication method: Pre-Shared Key

DH group ID: MODP_768

SA duration: 86400 seconds

These parameters are used to establish a security tunnel once both sides of the
negotiation have agreed on them.

Both sides of the negotiation can be configured with more than one IKE proposal. During
the negotiation, the IKE proposals on the two sides are compared one by one in order of
their priority. The parameters that must be identical for a match are the encryption
algorithm, authentication algorithm, authentication method, and DH group. The sa
duration is decided by the initiator of the negotiation and needs no agreement.
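The matching rule just described, as an added Python example that is not part of the manual: each side's proposals are walked in priority order (smallest number first, the system default last), a pair matches when the encryption algorithm, authentication algorithm, authentication method and DH group are all equal, and the SA duration is taken from the initiator. The proposal values come from the display ike proposal output earlier in this chapter; the peer's proposal list, the IkeProposal/negotiate names and the numeric sort key used for the default proposal are constructed assumptions.

```python
"""Added example (not from the VRP manual): IKE phase-1 proposal matching as
described under "ike proposal". Proposal values are taken from the
display ike proposal output in this chapter; everything else is constructed."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumption: the system default proposal sorts after every numbered proposal (1..100).
DEFAULT_PRIORITY = 10**9


@dataclass(frozen=True)
class IkeProposal:
    priority: int        # proposal-number; a smaller value means a higher priority
    auth_method: str     # PRE_SHARED or RSA_SIG
    auth_algorithm: str  # SHA (HMAC-SHA1) or MD5 (HMAC-MD5)
    encryption: str      # DES_CBC or 3DES_CBC
    dh_group: str        # MODP_768 (group1) or MODP_1024 (group2)
    sa_duration: int     # seconds, 60..604800

    def negotiated_params(self) -> tuple:
        """The four attributes that must be identical on both sides for a match."""
        return (self.auth_method, self.auth_algorithm, self.encryption, self.dh_group)


# Default proposal as documented under "ike proposal": DES-CBC, HMAC-SHA1,
# pre-shared key, MODP_768, 86400 seconds, lowest priority.
DEFAULT_PROPOSAL = IkeProposal(DEFAULT_PRIORITY, "PRE_SHARED", "SHA", "DES_CBC",
                               "MODP_768", 86400)


def ordered(proposals: Sequence[IkeProposal]) -> list:
    """Configured proposals by ascending number, followed by the system default."""
    return sorted(proposals, key=lambda p: p.priority) + [DEFAULT_PROPOSAL]


def negotiate(initiator: Sequence[IkeProposal],
              responder: Sequence[IkeProposal]) -> Optional[dict]:
    """Walk the initiator's list in priority order and, for each proposal, the
    responder's list in priority order; accept the first pair whose mandatory
    parameters are equal. The SA duration is the initiator's and is not compared.
    Because both sides always carry the default proposal, None is only returned
    if a side somehow has no default; it is kept for completeness."""
    for ini in ordered(initiator):
        for resp in ordered(responder):
            if ini.negotiated_params() == resp.negotiated_params():
                return {
                    "initiator_proposal": ini.priority,
                    "responder_proposal": resp.priority,
                    "auth_method": ini.auth_method,
                    "auth_algorithm": ini.auth_algorithm,
                    "encryption": ini.encryption,
                    "dh_group": ini.dh_group,
                    "sa_duration": ini.sa_duration,  # decided by the initiator alone
                }
    return None


# Constructed sample: proposals 10 and 11 from the display ike proposal output.
SITE_A = [
    IkeProposal(10, "PRE_SHARED", "SHA", "DES_CBC", "MODP_1024", 5000),
    IkeProposal(11, "PRE_SHARED", "MD5", "DES_CBC", "MODP_768", 50000),
]
# Constructed sample peer with a single MD5/MODP_768 proposal and a different lifetime.
SITE_B = [IkeProposal(20, "PRE_SHARED", "MD5", "DES_CBC", "MODP_768", 3600)]

if __name__ == "__main__":
    # Proposal 10 matches nothing on SITE_B, so proposal 11 is agreed with SITE_B's 20.
    print(negotiate(SITE_A, SITE_B))
    # With no proposals configured anywhere, the defaults match each other.
    print(negotiate([], []))
```

Note that with the default proposal present on both sides, as the manual describes, negotiation always has a fallback to DES-CBC with the 768-bit group; the configured proposals only raise the outcome when the peer offers matching stronger parameters.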


For the related commands, see authentication-algorithm, authentication-method,
encryption-algorithm, dh, sa duration, and display ike proposal.

Example

# Define IKE proposal 10.


[Quidway] ike proposal 10
[Quidway-ike-proposal-10] authentication-algorithm md5
[Quidway-ike-proposal-10] authentication-method pre-share
[Quidway-ike-proposal-10] sa duration 5000

5.1.14 ike sa keepalive-timer interval

Syntax

ike sa keepalive-timer interval seconds

undo ike sa keepalive-timer interval

View

System view

Parameter

seconds: Specifies the interval for sending Keepalive packet to the remote end through
ISAKMP SA. It can be set to a value in the range 20 to 28800.

Description

Using the ike sa keepalive-timer interval command, you can configure the interval for
sending Keepalive packet to the remote end through ISAKMP SA. Using the undo ike
sa keepalive-timer interval command, you can disable the function.

By default, this function is disabled.

This command configures the interval at which Keepalive packets are sent to the remote
end through the ISAKMP SA. IKE maintains the link state of the ISAKMP SA with these
Keepalive packets. In general, if a timeout is configured at the remote end with the ike
sa keepalive-timer timeout command, an interval for sending Keepalive packets must
be configured at the local end. If the remote end does not receive a Keepalive packet
within the configured timeout, an ISAKMP SA that already carries the TIMEOUT flag is
deleted together with its corresponding IPSec SA, while an ISAKMP SA that does not yet
carry the flag is marked TIMEOUT. The configured timeout should therefore be longer
than the interval for sending Keepalive packets.


For the related command, see ike sa keepalive-timer timeout.

Example

# Configure the interval as 20 seconds for the local end to send Keepalive packet to the
remote end.
[Quidway] ike sa keepalive-timer interval 20

5.1.15 ike sa keepalive-timer timeout

Syntax

ike sa keepalive-timer timeout seconds

undo ike sa keepalive-timer timeout

View

System view

Parameter

seconds: Specifies the timeout for ISAKMP SA to wait for the Keepalive packet. It can
be set to a value in the range 20 to 28800.

Description

Using the ike sa keepalive-timer timeout command, you can configure a timeout for
ISAKMP SA to wait for the Keepalive packet. Using the undo ike sa keepalive-timer
timeout command, you can disable the function.

By default, this function is disabled.

This command configures how long the local end waits for a Keepalive packet from the
remote end. IKE maintains the link state of the ISAKMP SA with these Keepalive
packets. If no Keepalive packet is received within the configured timeout, an ISAKMP SA
that already carries the TIMEOUT flag is deleted together with its corresponding IPSec
SA, while an ISAKMP SA that does not yet carry the flag is marked TIMEOUT. The
configured timeout should therefore be longer than the interval at which the remote end
sends Keepalive packets.

Generally, packets are not lost more than three consecutive times in a network, so the
timeout can be configured as three times the interval set at the remote end for sending
Keepalive packets.
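The interaction between the interval (ike sa keepalive-timer interval) and the timeout (ike sa keepalive-timer timeout) described above, as an added Python simulation that is not part of the manual. It replays the remote end's periodic timeout checks against a constructed Keepalive schedule with a constructed transit delay and loss pattern; the assumption that a received Keepalive clears the TIMEOUT flag, and the function names, are mine.

```python
"""Added example (not from the VRP manual): simulation of the ISAKMP SA
keepalive rules. The local end sends a Keepalive every `interval` seconds; the
remote end checks once per `timeout` seconds. At a check with no Keepalive
received since the previous check, an SA without the TIMEOUT flag is marked
TIMEOUT and an SA already marked TIMEOUT is deleted with its IPSec SA.
Assumption: a received Keepalive clears the flag. Delay and losses are constructed."""
from typing import Iterable, List, Optional, Set, Tuple


def keepalive_arrivals(interval: int, delay: int, horizon: int,
                       lost: Iterable[int]) -> List[int]:
    """Arrival times at the remote end of Keepalives sent every `interval` seconds,
    skipping the send times listed in `lost` (packets dropped in transit)."""
    lost_set: Set[int] = set(lost)
    return [t + delay for t in range(interval, horizon + 1, interval) if t not in lost_set]


def simulate(interval: int, timeout: int, horizon: int,
             lost: Iterable[int] = (), delay: int = 1) -> dict:
    """Replay the remote end's timeout checks for `horizon` seconds. Returns the
    final flag state, the deletion time (None if the SA survived) and the list
    of (time, event) transitions."""
    arrivals = keepalive_arrivals(interval, delay, horizon, lost)
    flagged = False
    deleted_at: Optional[int] = None
    events: List[Tuple[int, str]] = []
    last_check = 0
    for check in range(timeout, horizon + 1, timeout):
        # Did any Keepalive arrive in the window since the previous check?
        seen = any(last_check < t <= check for t in arrivals)
        if seen:
            if flagged:
                events.append((check, "TIMEOUT flag cleared"))
            flagged = False
        elif not flagged:
            flagged = True
            events.append((check, "ISAKMP SA marked TIMEOUT"))
        else:
            deleted_at = check
            events.append((check, "ISAKMP SA and its IPSec SA deleted"))
            break
        last_check = check
    return {"flagged": flagged, "deleted_at": deleted_at, "events": events}


def check_timers(interval: int, timeout: int) -> List[str]:
    """Configuration checks drawn from the manual: both timers accept 20..28800,
    the timeout must be longer than the peer's interval, and three times the
    interval is the suggested timeout because longer loss runs are rare."""
    problems = []
    for name, value in (("interval", interval), ("timeout", timeout)):
        if not 20 <= value <= 28800:
            problems.append(f"{name} {value} outside 20..28800")
    if timeout <= interval:
        problems.append(f"timeout {timeout} must be longer than the peer's interval {interval}")
    elif timeout < 3 * interval:
        problems.append(f"timeout {timeout} is below the suggested 3 x interval = {3 * interval}")
    return problems


if __name__ == "__main__":
    # Constructed scenario: the Keepalives sent at 40 s and 60 s are both lost.
    print(simulate(interval=20, timeout=20, horizon=200, lost=[40, 60]))
    print(simulate(interval=20, timeout=60, horizon=200, lost=[40, 60]))
    print(check_timers(20, 20), check_timers(20, 60))
```

The two examples in this chapter set the interval and the timeout to 20 seconds each; the first run shows that with equal timers and a small transit delay, two consecutive lost Keepalives delete the SA, while with a timeout of three times the interval the same losses do not even set the flag.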

For the related command, see ike sa keepalive-timer interval.


Example

# Configure the timeout as 20 seconds for the local end to wait for the remote end to
send the Keepalive packet.
[Quidway] ike sa keepalive-timer timeout 20

5.1.16 local

Syntax

local { multi-subnet | single-subnet }

undo local

View

IKE-peer view

Parameter

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.

Description

Using the local command, you can configure the subnet type in IKE negotiation. Using
the undo local command, you can restore the default subnet type. You can use this
command to enable interoperability between the router and a Netscreen device.

The default is single-subnet.

Example

# Set the subnet type in IKE negotiation to multiple.


[Router-ike-peer-xhy] local multi-subnet

5.1.17 local-address

Syntax

local-address ip-address

undo local-address


View

IKE-peer view

Parameter

ip-address: IP address of the local GW in IKE negotiation.

Description

Using the local-address command, you can configure the IP address of the local GW in
IKE negotiation. Using the undo local-address command, you can delete the IP
address of the local GW.

Normally, you don’t need to configure the local-address command, unless you want to
specify a special address for the local GW.

Example

# Set the IP address of the local GW to 1.1.1.1.


[Router-ike-peer-xhy] local-address 1.1.1.1

5.1.18 max-connections

Syntax

max-connections number

undo max-connections

View

IKE-peer view

Parameter

number: Maximum number of connections. It is in the range 1 to 1000 and defaults to 1.

Description

Using the max-connections command, you can configure the maximum number of
connections that the IKE peer allows. Using the undo max-connections command,
you can restore the default maximum number of connections that the IKE peer allows,
that is, 1.


Example

# Configure the maximum number of connections that an IKE peer allows.


[Router] ike peer new_peer
[Router-ike-peer-new_peer] max-connections 10

5.1.19 nat traversal

Syntax

nat traversal

undo nat traversal

View

IKE-peer view

Parameter

None

Description

Using the nat traversal command, you can configure the NAT traversal function of
IKE/IPSec. Using the undo nat traversal command, you can disable the NAT traversal
function of IKE/IPSec.

This command applies when a NAT gateway sits on the path of the VPN tunnel
constructed by IKE/IPSec.

To save IP address space, ISPs often add NAT gateways to public networks so that
private IP addresses can be allocated to users. As a result, an IPSec/IKE tunnel may
have a public network address at one end and a private network address at the other.
You must therefore enable NAT traversal at the private-network end so that the tunnel
can be negotiated and established normally.

Example

# Enable the NAT traversal function.


[Router] ike peer new_peer
[Router-ike-peer-new_peer] nat traversal

5.1.20 pre-shared-key


Syntax

pre-shared-key key

undo pre-shared-key

View

IKE-peer view

Parameter

key: Specifies a pre-shared key, which is a string of 1 to 128 characters.

Description

Using the pre-shared-key command, you can configure a pre-shared key to be used in
IKE negotiation. Using the undo pre-shared-key command, you can remove the
pre-shared key used in IKE negotiation.

Example

# Set the pre-shared key used in IKE negotiation to “abcde”.


[Router] ike peer new_peer
[Router-ike-peer-new_peer] pre-shared-key abcde

5.1.21 peer

Syntax

peer { multi-subnet | single-subnet }

undo peer

View

IKE-peer view

Parameter

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.


Description

Using the peer command, you can configure the subnet type in IKE negotiation. Using
the undo peer command, you can restore the default subnet type. You can use this
command to enable interoperability between the router and a Netscreen device.

The default is single-subnet.

Example

# Set the subnet type in IKE negotiation to multiple.


[Router-ike-peer-xhy] peer multi-subnet

5.1.22 remote-address

Syntax

remote-address ip-address

undo remote-address

View

IKE-peer view

Parameter

ip-address: IP address, which can be the address of a network segment.

Description

Using the remote-address command, you can configure IP address of the remote GW.
Using the undo remote-address command, you can delete IP address of the remote
GW.

If the initiator uses its IP address in IKE negotiation (that is, id-type ip is used), it sends
its IP address to the peer as its identity, whereas the peer uses the address configured
using the remote-address ip-address command to authenticate the initiator. To pass
authentication, this address must be the same one configured using the
local-address command on the initiator.

Example

# Set IP address of the remote GW to 10.0.0.1.


[Router] ike peer new_peer
[Router-ike-peer-new_peer] remote-address 10.0.0.1


5.1.23 remote-name

Syntax

remote-name name

undo remote-name

View

IKE-peer view

Parameter

name: Specifies a name for the peer in IKE negotiation. It is a string of 1 to 32
characters.

Description

Using the remote-name command, you can specify a name for the remote GW. Using
the undo remote-name command, you can remove the name of the remote GW.

If the initiator uses its GW name in IKE negotiation (that is, id-type name is used), it
sends the name to the peer as its identity, whereas the peer uses the username
configured using the remote-name name command to authenticate the initiator. To
pass authentication, this remote name must be the same one configured using the ike
local-name command on the gateway at the initiator end.

Example

# Set the name of the remote GW to “beijing”.


[Router] ike peer new_peer
[Router-ike-peer-new_peer] remote-name beijing

5.1.24 reset ike sa

Syntax

reset ike sa [ connection-id ]

View

User view


Parameter

connection-id: Specifies the SA to be deleted. If this parameter is not specified, all the
SAs at phase 1 will be deleted.

Description

Using the reset ike sa command, you can delete the security tunnel set up by IKE.

If connection-id is not specified, all the SAs at phase 1 will be deleted. If the phase 1
ISAKMP SA still exists when the local security tunnel is deleted, a Delete Message
notification is sent to the remote end under the protection of that ISAKMP SA, telling the
remote end to delete the corresponding SA.

IKE negotiation has two phases: in phase 1 the ISAKMP SA is established; in phase 2
the IPSec SA is negotiated and established under the protection of the ISAKMP SA set
up in phase 1.

For the related command, see display ike sa.

Example

# Delete the security tunnel to 202.38.0.2.


<Quidway> display ike sa
conn-id  remote      flag   phase  doi
1        202.38.0.2  RD|ST  1      IPSEC
2        202.38.0.2  RD|ST  2      IPSEC
flag meaning:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
<Quidway> reset ike sa 2
<Quidway> display ike sa
conn-id  remote      flag   phase  doi
1        202.38.0.2  RD|ST  1      IPSEC
flag meaning:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING

Caution:

If the SA of phase 1 is deleted first, the remote end cannot be informed to clear its SA
database when the SA of phase 2 is deleted afterwards.


5.1.25 sa duration

Syntax

sa duration seconds

undo sa duration

View

IKE proposal view

Parameter

seconds: Specifies the ISAKMP SA duration. When the SA duration expires, the ISAKMP
SA is updated automatically. It can be set to a value in the range 60 to 604800 seconds.

Description

Using the sa duration command, you can specify the ISAKMP SA duration for an IKE
proposal. Using the undo sa duration command, you can restore it to the default.

By default, the ISAKMP SA duration is 86400 seconds (one day).

Before the sa duration of an SA expires, a new SA is negotiated to replace the existing
one, and the old SA is cleared automatically when its duration expires.

For the related commands, see ike proposal and display ike proposal.

Example

# Specify the ISAKMP SA duration for IKE proposal 10 as 600 seconds (10 minutes).
[Quidway] ike proposal 10
[Quidway-ike-proposal-10] sa duration 600

Command Manual – Security
VRP3.4 Chapter 6 PKI Configuration Commands

Chapter 6 PKI Configuration Commands

6.1 PKI Domain Configuration Commands

6.1.1 ca identifier

Syntax

ca identifier name

undo ca identifier

View

PKI domain view

Parameter

name: CA identifier this device trusts, within the range of 1 to 63 characters

Description

Using the ca identifier command, you can specify the CA this device trusts, binding the
CA named name to this device. Using the undo ca identifier command, you can delete
the CA this device trusts.

By default, no trusted CA is specified.

Until the trusted CA is deleted, certificate request, retrieval, revocation and polling are
all carried out through it.

Example

# Specify the name of the CA this device trusts


[RouterCA-pki-domain-1] ca identifier new-ca

6.1.2 certificate request from

Syntax

certificate request from { ca | ra } entity entity-name

undo certificate request from { ca | ra }

View

PKI domain view

Parameter

ca: indicates that the entity registers with the CA for the certificate request;

ra: indicates that the entity registers with the RA for the certificate request;

entity entity-name: name of the entity making the certificate request. It is 1 to 15
characters long and must be identical with the name defined by the pki entity command.

Description

Using the certificate request from command, you can choose whether the certificate
request is registered through the CA or the RA. Using the undo certificate request
from command, you can cancel the selection of the registration agent.

The RA extends the CA's certificate issue management: it takes charge of the input and
verification of the applicant information as well as the certificate issuing, but it has no
signature function. In some small PKI systems there is no RA, and its functions are
implemented by the CA.

By default, no registration agent is specified. PKI security policy recommends using the
RA as the registration agent.

For related command, see pki entity.

Example

# Specify that the entity registers by CA for certificate request


[RouterCA-pki-domain-1] certificate request from ca entity new-entity
[RouterCA-pki-domain-1] undo certificate request from ca

6.1.3 certificate request mode

Syntax

certificate request mode { manual | auto }

undo certificate request mode

View

PKI domain view

Parameter

manual: refers to the manual certificate request mode;

auto: refers to the auto certificate request mode.

Description

Using the certificate request mode command, you can decide between the manual or
the auto request mode. Using the undo certificate request mode command, you can
restore the default request mode.

Auto mode delivers the certificate request automatically when there is no certificate or
when the current certificate is about to expire, whereas manual mode requires manual
operation during the request process.

By default, certificate request is carried out manually.

For related command, see pki request certificate.

Example

# Set the request mode to Auto


[RouterCA-pki-domain-1] certificate request mode auto
[RouterCA-pki-domain-1] undo certificate request mode

6.1.4 certificate request polling

Syntax

certificate request polling { interval minutes | count count }

undo certificate request polling { interval | count }

View

PKI domain view

Parameter

minutes: interval between two polls, in minutes. It ranges from 5 to 60 minutes; by
default, it is 20 minutes.

count: number of retries. It ranges from 1 to 100; by default, it is 50.

Description

Using the certificate request polling command, you can specify the interval between
two polls and the retry times. Using the undo certificate request polling command,
you can restore the default parameters.

After the request is delivered, if the CA requires manual authentication, it takes a long
time before the certificate is issued. The client therefore needs to poll the request
periodically so that it obtains the certificate promptly once it has been authorized.

For related command, see display pki certificate.

Example

# Specify the interval between two polls and the retry times
[RouterCA-pki-domain-1] certificate request polling interval 15
[RouterCA-pki-domain-1] certificate request polling count 40

6.1.5 certificate request url

Syntax

certificate request url string

undo certificate request url

View

PKI domain view

Parameter

string: server URL of the registration authority, 1 to 255 characters. It consists of the
server location and the location of the CA CGI command interface script, in the format
http://server_location/ca_script_location. server_location is generally an IP address; if
a server name is used instead, DNS must be configured so that the server name can be
resolved to an IP address.

Description

Using the certificate request url command, you can specify the server URL for
certificate request through SCEP protocol. SCEP is a protocol specialized in the
communication with authentication authorities. Using the undo certificate request url
command, you can delete the concerned location setting.

By default, no server URL is specified.

Example

# Specify the server location for certificate request


[RouterCA-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

6.1.6 crl update period

Syntax

crl update period { default | days }

undo crl update period

View

PKI domain view

Parameter

default: use the CRL validity period as the update period

days: update period in days

Description

Using the crl update period command, you can specify the update period of CRL,
which is the interval between local downloads of CRLs from CRL access server. Using
the undo crl update period command, you can restore the default CRL update period.

By default, it updates according to CRL validity period.

Example

# Specify CRL update period


[RouterCA-pki-domain-1] crl update period 20

6.1.7 crl url

Syntax

crl url url-string

undo crl url

View

PKI domain view

Parameter

url-string: location of the CRL distribution point, 1 to 255 characters, in the format
ldap://server_location. server_location is generally an IP address; if a server name is
used instead, DNS must be configured so that the server name can be resolved to an IP
address.

Description

Using the crl url command, you can specify the distribution point URL for CRL. Using
the undo crl url command, you can undo the specification.

By default, no CRL distribution point URL is specified.

Example

# Specify the URL location of CRL database


[RouterCA-pki-domain-1] crl url ldap://169.254.0.30

6.1.8 ldap server

Syntax

ldap server ip ip-address [ port port-num ] [ version version-number ]

undo ldap server ip

View

PKI domain view

Parameter

ip-address: IP address of LDAP server;

port-num: port number of LDAP server, ranging from 1 to 65535. By default, it is 389.

version-number: LDAP version number, alternatively 2 or 3. By default, it is 2.

Description

Using the ldap server ip command, you can configure the LDAP server IP address and
the port. Using the undo ldap server ip command, you can cancel the related
configuration.

By default, no LDAP server IP address or port is configured.

Example

# Specify the LDAP server address


[RouterCA-pki-domain-1] ldap server ip 169.254.0.30

6.1.9 pki domain

Syntax

pki domain name

undo pki domain name

View

Any view

Parameter

name: PKI domain name, used when other commands refer to the PKI domain this device
belongs to. It can contain 1 to 15 characters.

Description

Using the pki domain command, you can enter PKI domain view and configure the LDAP
server parameters and the parameters for certificate request and authentication. Using
the undo pki domain command, you can delete the specified PKI domain.

By default, no PKI domain name is specified.

Example

# Enter PKI domain view


[RouterCA] pki domain 1
[RouterCA-pki-domain-1]

6.2 PKI Entity Configuration Commands

6.2.1 fqdn

Syntax

fqdn name-str

undo fqdn

View

PKI entity view

Parameter

name-str: FQDN of an entity, within the range of 1 to 255 characters

Description

Using the fqdn command, you can specify the FQDN of an entity. Using the undo fqdn
command, you can delete the entity FQDN.

By default, no entity FQDN is specified.

An FQDN (Fully Qualified Domain Name) is the unique identifier of an entity in the
network, similar to an e-mail address. It can be resolved to an IP address and is usually
of the form user.domain.

Example

# Configure the FQDN of an entity


[RouterCA-pki-entity-1] fqdn pki.huawei-3com.com

6.2.2 common-name

Syntax

common-name name-str

undo common-name

View

PKI entity view

Parameter

name-str: common name of an entity, within the range of 1 to 31 characters

Description

Using the common-name command, you can specify the common name of an entity, for
example a user name. Using the undo common-name command, you can delete the
common name of this entity.

By default, no common name is specified for any entity.

Example

# Configure the common name of an entity


[RouterCA-pki-entity-1] common-name pki test

6.2.3 country

Syntax

country country-code-str

undo country

View

PKI entity view

Parameter

country-code-str: country code of 2 bytes

Description

Using the country command, you can specify the code of the country the entity
belongs to. It is a standard 2-byte code, e.g., CN for China. Using the undo country
command, you can delete the country code of this entity.

By default, no country code is specified for any entity.

Example

# Set the country code of an entity


[RouterCA-pki-entity-1] country CN

6.2.4 ip

Syntax

ip ip-address

undo ip

View

PKI entity view

Parameter

ip-address: IP address of an entity in the form of dotted decimal like A.B.C.D

Description

Using the ip command, you can specify the IP address of an entity. Using the undo ip
command, you can delete the specified IP address.

By default, no entity IP address is specified.

Example

# Configure the IP address of an entity


[RouterCA-pki-entity-1] ip 161.12.2.3

6.2.5 locality

Syntax

locality locality-str

undo locality

View

PKI entity view

Parameter

locality-str: name of the geographical locality of an entity, in the range of 1~31
characters

Description

Using the locality command, you can name the geographical locality of an entity, for
example a city. Using the undo locality command, you can cancel that naming.

By default, no geographical locality is specified for any entity.

Example

# Configure the name of the city where the entity lies


[RouterCA-pki-entity-1] locality bei jing

6.2.6 organization

Syntax

organization org-str

undo organization

View

PKI entity view

Parameter

org-str: organization name in the range of 1~31 characters

Description

Using the organization command, you can specify the name of the organization the
entity belongs to. Using the undo organization command, you can delete that name.

By default, no organization name is specified for any entity.

Example

# Configure the name of the organization to which an entity belongs


[RouterCA-pki-entity-1] organization hua wei - 3com

6.2.7 organizational-unit

Syntax

organizational-unit org-unit-str

undo organizational-unit

View

PKI entity view

Parameter

org-unit-str: organization unit name in the range of 1~31 characters

Description

Using the organizational-unit command, you can specify the name of the organization
unit to which this entity belongs. Using the undo organizational-unit command, you
can delete the specified organization unit name.

By default, no organization unit name is specified for any entity.

Example

# Configure the name of the organization unit to which an entity belongs


[RouterCA-pki-entity-1] organizational-unit soft plat

6.2.8 state

Syntax

state state-str

undo state

View

PKI entity view

Parameter

state-str: state name within the range of 1~31 characters

Description

Using the state command, you can specify the name of the state where an entity lies.
Using the undo state command, you can cancel the previous operation.

By default, the state of an entity is not specified.

Example

# Specify the state where an entity lies


[RouterCA-pki-entity-1] state bei jing

6.2.9 pki entity

Syntax

pki entity name-str

undo pki entity name-str

View

Any view

Parameter

name-str: unique identifier string of the entity on this device, within the range of 1~15
characters, used when the entity is quoted by other commands.

Description

Using the pki entity command, you can name a PKI entity and enter PKI entity view.
Using the undo pki entity command, you can delete the name and cancel all
configurations under the name space.

A variety of attributes can be configured in PKI entity view. name-str exists only so that
other commands can refer to the entity conveniently; it does not appear in any certificate
field.

By default, entity name is not specified.

Example

# Enter PKI entity view


[RouterCA] pki entity en
[RouterCA-pki-entity-en]
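The attributes configured in PKI entity view (6.2.1 to 6.2.9) become the subject of the certificate request. As an added example that is not part of this manual, the following Python snippet checks the length limits given above and renders the subject DN in the order the device prints it in 6.4.1 and 6.4.2; treating fqdn and ip as Subject Alternative Name entries is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Length limits stated by the PKI entity commands above (characters); country is a 2-byte code.
LIMITS = {"common_name": 31, "country": 2, "state": 31, "locality": 31,
          "organization": 31, "organizational_unit": 31, "fqdn": 255}

# Order in which the device prints the subject fields (see the 'Subject:' blocks in 6.4.1 and 6.4.2).
SUBJECT_ORDER = [("C", "country"), ("ST", "state"), ("L", "locality"),
                 ("O", "organization"), ("OU", "organizational_unit"), ("CN", "common_name")]


@dataclass
class PkiEntity:
    name: str                  # name-str of 'pki entity': a handle for other commands, not a certificate field
    common_name: Optional[str] = None
    country: Optional[str] = None
    state: Optional[str] = None
    locality: Optional[str] = None
    organization: Optional[str] = None
    organizational_unit: Optional[str] = None
    fqdn: Optional[str] = None
    ip: Optional[str] = None


def validate(entity: PkiEntity) -> List[str]:
    """Return the constraints from this section that the entity violates (empty list = all good)."""
    errors = []
    if not 1 <= len(entity.name) <= 15:
        errors.append("name: must be 1 to 15 characters")
    for attr, limit in LIMITS.items():
        value = getattr(entity, attr)
        if value is None:
            continue
        if attr == "country":
            if len(value.encode()) != 2:
                errors.append("country: must be a 2-byte code such as CN")
        elif not 1 <= len(value) <= limit:
            errors.append("%s: must be 1 to %d characters" % (attr.replace("_", "-"), limit))
    if entity.ip is not None:
        try:
            ipaddress.IPv4Address(entity.ip)
        except ValueError:
            errors.append("ip: must be dotted decimal A.B.C.D")
    return errors


def subject_dn(entity: PkiEntity) -> str:
    """Subject DN in the '/C=.../CN=...' form the device shows in its debugging output."""
    return "".join("/%s=%s" % (tag, getattr(entity, attr))
                   for tag, attr in SUBJECT_ORDER if getattr(entity, attr))


def subject_alt_names(entity: PkiEntity) -> List[str]:
    """Assumption of this example: fqdn and ip do not enter the DN but are carried as SANs."""
    sans = []
    if entity.fqdn:
        sans.append("DNS:" + entity.fqdn)
    if entity.ip:
        sans.append("IP:" + entity.ip)
    return sans


# Constructed sample: the values used by the examples in section 6.2.
ENTITY_1 = PkiEntity(name="1", common_name="pki test", country="CN", state="bei jing",
                     locality="bei jing", organization="hua wei - 3com",
                     organizational_unit="soft plat", fqdn="pki.huawei-3com.com", ip="161.12.2.3")
```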

6.3 PKI Certificate Operation Commands

6.3.1 pki delete certificate

Syntax

pki delete certificate { local | ca }

View

Any view

Parameter

local: indicates the deletion of all local certificates that are locally stored;

ca: indicates the deletion of all CA certificates that are locally stored.

Description

Using the pki delete certificate command, you can delete the locally stored
certificates.

Example

# Delete the local certificates


[RouterCA] pki delete certificate local

6.3.2 pki request certificate

Syntax

pki request certificate domain-name [ password ] [ pem ]

View

Any view

Parameter

domain-name: contains CA or RA related information. It is configured by using the pki
domain command.

password: optionally involved in certificate revocation;

pem: optionally prints the certificate request so that it can be delivered out of band, for
example by phone, disk, or e-mail.

Description

Using the pki request certificate command, you can deliver a certificate request
through SCEP to the CA for the generated RSA key pair. If SCEP communication fails,
you can print the local certificate request in base64 format using the optional parameter
"pem", copy it, and send it to the CA out of band.

This operation is not saved within the configuration.

For related command, see pki domain.

Example

# Manually apply for a certificate


[RouterCA] pki request certificate 1

# Display the request information for local certificates


[RouterCA] pki request certificate 1 pem

6.3.3 pki retrieval certificate

Syntax

pki retrieval certificate { local | ca } domain domain-name

View

Any view

Parameter

local: indicates the download of a local certificate;

ca: indicates the download of a CA certificate;

domain-name: contains CA or RA related information. It is configured by using the pki
domain command.

Description

Using the pki retrieval certificate command, you can download a certificate from the
certificate issuing server.

For related command, see pki domain.

Example

# Retrieve a certificate

[RouterCA] pki retrieval certificate ca domain 1

6.3.4 pki retrieval crl

Syntax

pki retrieval crl domain domain-name

View

Any view

Parameter

domain-name: contains CA or RA related information. It is configured by using the pki
domain command.

Description

Using the pki retrieval crl command, you can obtain the latest CRL from CRL server
for the verification of the validity of a current certificate.

For related command, see pki domain.

Example

# Retrieve a CRL
[RouterCA] pki retrieval crl domain 1

6.3.5 pki validation certificate

Syntax

pki validation certificate { local | ca } domain domain-name

View

Any view

Parameter

local: indicates the validation of a local certificate;

ca: indicates the validation of a CA certificate;

domain-name: specifies the domain of the certificate to be verified. It is configured by
using the pki domain command.

Description

Using the pki validation certificate command, you can verify the validity of a
certificate. The check covers the CA signature on the certificate, and makes sure that the
certificate is still within its validity period and has not been revoked. Any certificate
carrying an authentic CA signature passes the validation, since the CA is trusted never to
issue fake certificates.

For related command, see pki domain.

Example

# Verify the validity of a certificate


[RouterCA] pki validation certificate local domain 1

6.4 PKI Displaying and Debugging Commands

6.4.1 debugging pki certificate

Syntax

debugging pki { request | retrieval | verify | error }

undo debugging pki { request | retrieval | verify | error }

View

Any view

Parameter

request: debugging in certificate request;

retrieval: debugging in certificate retrieval;

verify: debugging in certificate validation;

error: debugging in error cases

Description

Using the debugging pki command, you can enable PKI debugging functions. Using
the undo debugging pki command, you can disable PKI debugging functions.

Unexpected problems can occur during device operation. Debugging commands enable
the optional output of debugging information, which helps network operators and
developers monitor the network and diagnose faults.

By default, all PKI debugging functions are disabled.

Example

# Enable the debugging function related to errors in PKI certificate operation


[RouterCA] debugging pki error
[RouterCA] pki delete certificate ca
[RouterCA] pki request certificate 1
Certificate enroll failed!
Cannot get the CA/RA certificate when creating the x509 Request

# Enable the debugging function for PKI certificate retrieval


[RouterCA] debugging pki retrieval
[RouterCA] pki retrieval certificate local domain 1
Retrievaling CA/RA certificates. Please wait a while......
We receive 3 certificates.
The trusted CA's finger print is:
MD5 fingerprint: 74C9 B71D 406B DDB3 F74A 96BC E05B 40E9
SHA1 fingerprint: 770E 2937 4E32 ACD4 4ACC 7CF1 0FF0 6FB8 6C34 E24A
Is the finger print correct?(Y/N): y
Saving the CA/RA certificate to flash.....................Done!

# Enable the debugging function for PKI certificate request


[RouterCA] debugging pki request
[RouterCA] pki request certificate 1
Create PKCS#10 request: token seen: CN=pki test
Create PKCS#10 request: CN=pki test added
Create PKCS#10 request: subject dn set to '/CN=pki test'

Certificate Request:
…..

dir_name: certsrv/mscep/mscep.dll
host_name: 169.254.0.100
SCEP transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1
PKCS#7 envelope: creating inner PKCS#7
PKCS#7 envelope: data payload size: 297 bytes

data payload:
….
PKCS#7 envelope: successfully encrypted payload
PKCS#7 envelope: size 667 bytes
PKCS#7 envelope: creating outer PKCS#7
PKCS#7 envelope: signature added successfully

PKCS#7 envelope: adding signed attributes


PKCS#7 envelope: adding string attribute transId
PKCS#7 envelope: adding string attribute messageType
PKCS#7 envelope: adding octet attribute senderNonce
PKCS#7 envelope: PKCS#7 data written successfully
PKCS#7 envelope: applying base64 encoding
PKCS#7 envelope: base64 encoded payload size: 2145 bytes
SCEP send message: IP = 0xa9fe0064
SCEP send message: Server returned status code
Valid response from server
PKCS#7 develope: reading outer PKCS#7
PKCS#7 develope: PKCS#7 payload size: 1872 bytes
PKCS#7 develope: PKCS#7 contains 1276 bytes of enveloped data
PKCS#7 develope: verifying signature
PKCS#7 develope: signature ok
PKCS#7 develope: finding signed attributes
PKCS#7 develope: finding attribute transId
PKCS#7 develope: allocating 32 bytes for attribute
PKCS#7 develope: reply transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1

PKCS#7 develope: finding attribute messageType


PKCS#7 develope: allocating 1 bytes for attribute
PKCS#7 develope: reply message type is good
PKCS#7 develope: finding attribute senderNonce
PKCS#7 develope: allocating 16 bytes for attribute

PKCS#7 develope: senderNonce in reply: :

a6341944 28d9b544 a4755d9a ba320d35


PKCS#7 develope: finding attribute recipientNonce
PKCS#7 develope: allocating 16 bytes for attribute

PKCS#7 develope: recipientNonce in reply: :

b98da9c3 20b638c5 634f4924 65f804d9


PKCS#7 develope: finding attribute pkiStatus
PKCS#7 develope: allocating 1 bytes for attribute
PKCS#7 develope: pkistatus SUCCESS
PKCS#7 develope: reading inner PKCS#7
PKCS#7 develope: decrypting inner PKCS#7
PKCS#7 develope: PKCS#7 payload size: 1003 bytes
PKI Get the Signed Certificates:
subject: /CN=pki test
issuer: /emailAddress=myca@huawei.com/C=CN/ST=Beijing/L=Beijing/O=hw3c/OU=bjs/CN=myca
Key usage: general purpose

# Enable the debugging function for PKI certificate validation


[RouterCA] debugging pki validation
[RouterCA] pki validation certificate local domain 1
Verify certificate......
Serial Number:
101E266A 00000000 006B
Issuer:
emailAddress=myca@huawei.com
C=CN
ST=Beijing
L=Beijing
O=hw3c
OU=bjs
CN=myca
Subject:
C=CN
ST=bei jing
O=hua wei - 3com
CN=pki test
Verify result: ok

Table 6-1 Description of PKI debugging information fields

Field                   Description
Create PKCS#10 request  Encapsulation of the entity request in PKCS#10 format
PKCS#7 envelope         Data encapsulation in PKCS#7 encryption format
inner PKCS#7            PKCS#7 encryption of the datagram
outer PKCS#7            Signing of the PKCS#7 datagram
PKCS#7 develope         De-encapsulation of the PKCS#7 encrypted packet
host_name               Host name of the registration server
dir_name                CGI script directory of the registration server
data payload            Data payload
token seen              DN information of an entity
pkistatus               PKI certificate operation status
SUCCESS                 Succeeded
FAILURE                 Failed
PENDING                 Waiting for processing
fingerprint             Usually the signature of the CA
base64 encoded          A data encoding mode
x509 Request            Request for certificates in standard X.509 format
Key usage               Encryption, signature, and other common usages
Issuer                  Certificate issuer
Subject                 The entity that delivers the certificate request
SCEP send message       The entity sends a certificate operation packet to the CA through SCEP
Signed Certificates     Certificates signed by the CA

6.4.2 display pki certificate

Syntax

display pki certificate { local | ca | request-status } [ domain domain-name ]

View

Any view

Parameter

local: indicates the display of all local certificates;

ca: indicates the display of all CA certificates;

request-status: refers to the status of the certificate request after being delivered;

domain-name: represents the domain of the certificate about to be verified. It is
configured by using the pki domain command.

Description

Using the display pki certificate command, you can display and browse through the
certificate.

For related commands, see pki retrieval certificate, pki domain, and certificate
request polling.

Example

# Display the local certificates


[RouterCA] display pki certificate local domain 1
Data:
Version: 3 (0x2)
Serial Number:
10B7D4E3 00010000 0086
Signature Algorithm: md5WithRSAEncryption
Issuer:
emailAddress=myca@huawei.com
C=CN
ST=Beijing
L=Beijing
O=hw3c
OU=bjs
CN=new-ca
Validity
Not Before: Jan 13 08:57:21 2004 GMT
Not After : Jan 20 09:07:21 2005 GMT
Subject:
C=CN
ST=beijing
L=beijing
CN=pki test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Modulus (512 bit):
00D41D1F …
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS: hyf.huawei-3com.com
… …
Signature Algorithm: md5WithRSAEncryption
A3A5A447 4D08387D …

6.4.3 display pki crl

Syntax

display pki crl [ domain domain-name ]

View

Any view

Parameter

domain-name: represents the domain of the certificate about to be verified. It is
configured by using the pki domain command.

Description

Using the display pki crl command, you can display and browse through the locally
saved CRL.

For related commands, see pki retrieval crl, and pki domain.

Example

# Display a CRL
[RouterCA] display pki crl domain 1
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=CN
O=h3c
OU=soft
CN=A Test Root
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
CRL extensions:
X509v3 CRL Number: 2
X509v3 Authority Key Identifier:
keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC
Revoked Certificates:
Serial Number: 05a234448E…
Revocation Date: Sep 6 12:33:22 2004 GMT
CRL entry extensions:……
Serial Number: 05a278445E…
Revocation Date: Sep 7 12:33:22 2004 GMT
CRL entry extensions:…
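The checks that pki validation certificate (6.3.5) describes, apart from the CA signature, can be reproduced from the display pki certificate and display pki crl output above. As an added example that is not part of this manual, the following Python snippet parses trimmed copies of that output, applies the validity-period and revocation checks, flags a CRL whose Next Update has passed, and computes the default crl update period (6.1.6); the two revoked serial numbers are constructed because the page elides them.

```python
from datetime import datetime, timezone

# Constructed samples, trimmed from the 'display pki certificate' and 'display pki crl'
# output in 6.4.2 and 6.4.3. The two revoked serials are assumed: the page elides them.
CERT_TEXT = """\
Data:
Serial Number:
10B7D4E3 00010000 0086
Validity
Not Before: Jan 13 08:57:21 2004 GMT
Not After : Jan 20 09:07:21 2005 GMT
"""

CRL_TEXT = """\
Certificate Revocation List (CRL):
Last Update: Jan 5 08:44:19 2004 GMT
Next Update: Jan 5 21:42:13 2004 GMT
Revoked Certificates:
Serial Number: 05a234448E
Revocation Date: Sep 6 12:33:22 2004 GMT
Serial Number: 05a278445E
Revocation Date: Sep 7 12:33:22 2004 GMT
"""

DEVICE_TIME = "%b %d %H:%M:%S %Y GMT"   # e.g. 'Jan 5 08:44:19 2004 GMT'

def parse_device_time(text):
    """Timestamp as the device prints it -> aware UTC datetime."""
    return datetime.strptime(" ".join(text.split()), DEVICE_TIME).replace(tzinfo=timezone.utc)

def normalise_serial(text):
    """The device prints serials in spaced hex groups; compare without spaces or leading zeros."""
    return "".join(text.split()).upper().lstrip("0") or "0"

def parse_certificate(text):
    """Serial and validity window from 'display pki certificate' output."""
    lines = [line.strip() for line in text.splitlines()]
    cert = {}
    for i, line in enumerate(lines):
        if line == "Serial Number:":          # the serial itself is on the next line
            cert["serial"] = normalise_serial(lines[i + 1])
        elif line.startswith("Not Before"):
            cert["not_before"] = parse_device_time(line.split(":", 1)[1])
        elif line.startswith("Not After"):    # printed as 'Not After :'
            cert["not_after"] = parse_device_time(line.split(":", 1)[1])
    return cert

def parse_crl(text):
    """Update times and {serial: revocation date} from 'display pki crl' output."""
    crl = {"revoked": {}}
    serial = None
    for line in (line.strip() for line in text.splitlines()):
        key, _, value = line.partition(":")
        if key == "Last Update":
            crl["last_update"] = parse_device_time(value)
        elif key == "Next Update":
            crl["next_update"] = parse_device_time(value)
        elif key == "Serial Number":
            serial = normalise_serial(value)
        elif key == "Revocation Date" and serial:
            crl["revoked"][serial] = parse_device_time(value)
            serial = None
    return crl

def default_crl_update_seconds(crl_text):
    """'crl update period default' re-downloads once per CRL validity period (Next - Last Update)."""
    crl = parse_crl(crl_text)
    return int((crl["next_update"] - crl["last_update"]).total_seconds())

def check_certificate(cert_text, crl_text, now_text):
    """Validity-period and revocation checks of 'pki validation certificate' over pasted output;
    the CA signature check stays on the device, which holds the CA certificate."""
    cert, crl, now = parse_certificate(cert_text), parse_crl(crl_text), parse_device_time(now_text)
    if now < cert["not_before"]:
        return "not-yet-valid", "valid from %s" % cert["not_before"]
    if now > cert["not_after"]:
        return "expired", "expired at %s" % cert["not_after"]
    if now > crl["next_update"]:
        return "crl-stale", "CRL expired at %s; run 'pki retrieval crl' first" % crl["next_update"]
    revoked_at = crl["revoked"].get(cert["serial"])
    if revoked_at is not None:
        return "revoked", "serial %s revoked at %s" % (cert["serial"], revoked_at)
    return "ok", "serial %s is not on the CRL" % cert["serial"]
```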
