Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Security Compatible Commands

ACL Compatible Commands

acl ipv6 (upgrade-compatible command)

Function

The acl ipv6 command creates an ACL6 and enters the ACL6 view.

The undo acl ipv6 command deletes the specified ACL6 or all ACL6s.

Format

acl ipv6 [ number ] acl6-number [ name acl6-name ] [ match-order { auto | config } ]

undo acl ipv6 { all | [ number ] acl6-number | name acl6-name }

Parameters

Parameter

Description

Value

number acl6-number

Indicates the ID of an ACL6.

The value of acl6-number is an integer that ranges from 2000 to 3999:
  • ACL6s numbered from 2000 to 2999 are basic ACL6s.

  • ACL6s numbered from 3000 to 3999 are advanced ACL6s.

name acl6-name

Specifies a named ACL6.

The value of acl6-name is a string of 1 to 64 case-sensitive characters without spaces. The name starts with a letter (case-sensitive) and can contain letters, digits, and symbols such as the number sign (#), percentage symbol (%), and hyphen (-).

all

Deletes all ACL6s.

-

match-order { auto | config }

Indicates the matching order of ACL6 rules.

  • auto: ACL6 rules are matched in depth-first order, that is, the most specific rule is tried first.

    Rules of the same depth are matched in ascending order of rule ID.

  • config: ACL6 rules are matched in ascending order of rule ID.

    This equals the configuration order only when no rule IDs were specified, because the device then allocates ascending IDs in configuration order. If rule IDs are specified explicitly, the rules are matched in ascending order of those IDs regardless of when they were configured.

If the match-order parameter is not specified when you create an ACL6, the default match order config is used.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An ACL6 is a set of rules composed of permit or deny clauses. ACL6s are mainly used for QoS: they restrict data flows to improve network performance. For example, an ACL6 configured on an enterprise network can limit video traffic, which lowers the network load.

Follow-up Procedure

Run the rule command to configure ACL6 rules, and then apply the ACL6 to the services whose packets need to be filtered.

Example

# Create an ACL6 named test and numbered 3100.

<HUAWEI> system-view
[HUAWEI] acl ipv6 number 3100 name test
[HUAWEI-acl6-adv-test]

acl (upgrade-compatible command)

Function

The acl command creates an ACL and enters the ACL view.

The undo acl command deletes a specified ACL.

Format

acl [ number ] acl-number [ name acl-name ]

undo acl { all | [ number ] acl-number | name acl-name }

Parameters

Parameter

Description

Value

number acl-number

Indicates the ID of an ACL.

The value of acl-number is an integer that ranges from 2000 to 5999.
  • ACLs numbered from 2000 to 2999 are basic ACLs.

  • ACLs numbered from 3000 to 3999 are advanced ACLs.

  • ACLs numbered from 4000 to 4999 are Layer 2 ACLs.

  • ACLs numbered from 5000 to 5999 are user-defined ACLs.

name acl-name

Specifies a named ACL.

The value of acl-name is a string of 1 to 32 case-sensitive characters without spaces. The name starts with a letter (case-sensitive) and can contain letters, digits, and symbols such as the number sign (#), percentage symbol (%), and hyphen (-).

all

Deletes all ACLs.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

An ACL consists of a list of rules. Each rule contains a permit or deny clause. Before creating an ACL rule, you must create an ACL.

Example

# Create an ACL named test and numbered 3100.

<HUAWEI> system-view
[HUAWEI] acl number 3100 name test
[HUAWEI-acl-adv-test]

rule (advanced ACL6 view) (upgrade-compatible command)

Function

The rule command adds or modifies advanced ACL6 rules.

Format

rule [ rule-id ] { deny | permit } ipv6-ah [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ] *

rule [ rule-id ] { deny | permit } ipv6-esp [ destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | destination-ipv6-address postfix postfix-length | any } | dscp dscp | fragment | logging | precedence precedence | source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | source-ipv6-address postfix postfix-length | any } | time-range time-name | tos tos | vpn-instance vpn-instance-name ] *

Parameters

Parameter

Description

Value

rule-id

Indicates the ID of an ACL6 rule.

The value ranges from 0 to 2047.
  • If a rule ID is specified and a rule with this ID already exists, the new rule overwrites that rule, that is, the existing rule is modified.
  • If a rule ID is specified and no rule with this ID exists, a rule with this ID is created; its position in the ACL6 is determined by the ID.
  • If no rule ID is specified, the device allocates an ID to the new rule. Rule IDs are allocated in ascending order.

deny

Discards packets that match the rule.

-

permit

Allows packets that match the rule to pass.

-

ipv6-ah

Matches IPv6 packets that carry the Authentication Header (AH, IP protocol number 51).

-

ipv6-esp

Matches IPv6 packets that carry the Encapsulating Security Payload (ESP, IP protocol number 50).

-

destination { destination-ipv6-address prefix-length | destination-ipv6-address/prefix-length | any }

Indicates the destination address and prefix of a packet. The rule matches the high-order prefix-length bits of the destination address. You can also use any to represent any destination address.

destination-ipv6-address is expressed in hexadecimal (colon-separated) notation. The value of prefix-length is an integer that ranges from 1 to 128.

destination destination-ipv6-address postfix postfix-length

Indicates the destination address and the length of the destination address postfix. The rule matches the low-order postfix-length bits of the destination address, that is, the interface identifier part.

destination-ipv6-address is expressed in hexadecimal notation. The value of postfix-length is an integer that ranges from 1 to 64.

dscp dscp

Specifies the value of a Differentiated Services CodePoint (DSCP).

The value ranges from 0 to 63.

fragment

Indicates that the rule applies only to non-initial fragments.

-

logging

Logs packets that match the rule.

A log record contains the ACL rule ID, whether the packet was permitted or discarded, the protocol carried over IPv6, the source and destination addresses, the source and destination port numbers, and the number of packets.

precedence precedence

Filters packets by priority.

The value is a name or a digit that ranges from 0 to 7.

source { source-ipv6-address prefix-length | source-ipv6-address/prefix-length | any }

Indicates the source address and prefix of a packet. The rule matches the high-order prefix-length bits of the source address. You can also use any to represent any source address.

source-ipv6-address is expressed in hexadecimal (colon-separated) notation. The value of prefix-length is an integer that ranges from 1 to 128.

source source-ipv6-address postfix postfix-length

Indicates the source address and the length of the source address postfix. The rule matches the low-order postfix-length bits of the source address, that is, the interface identifier part.

source-ipv6-address is expressed in hexadecimal notation. The value of postfix-length is an integer that ranges from 1 to 64.

time-range time-name

Specifies the time range during which the ACL6 rule takes effect.

time-name indicates the name of the time range.

The value is a string of 1 to 32 characters.

tos tos

Filters packets by Type of Service (ToS).

The value is a name or a digit that ranges from 0 to 15.

vpn-instance vpn-instance-name

Specifies the name of a VPN instance.

The VPN instance must already exist.

Views

Advanced ACL6 view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Advanced ACL6s classify packets based on the source IPv6 address, destination IPv6 address, source port number, destination port number, and protocol type.

Prerequisites

An ACL6 has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule reliably, delete the old rule first and then create the new rule. Otherwise, the resulting configuration may not be what you intended.

When you use the undo rule command to delete an ACL6 rule, the rule ID must exist. If the rule ID is unknown, you can use the display acl ipv6 command to view the rule ID.

The undo rule command deletes an ACL6 rule even if the ACL6 rule is referenced. Exercise caution when you run the undo rule command.

Example

# Create an advanced ACL6 with ID 3000 and configure a rule that allows only IPv6 ESP packets whose source IPv6 address falls within 2030:5060::9050 with prefix length 64 to pass.

<HUAWEI> system-view
[HUAWEI] acl ipv6 number 3000
[HUAWEI-acl6-adv-3000] rule 0 permit ipv6-esp source 2030:5060::9050/64
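The following Python model is added here to illustrate the matching semantics described for match-order (auto versus config) under acl ipv6 and for the prefix and postfix address forms under rule; it is not code from Huawei or from this reference. It assumes that the depth of a rule can be approximated by the number of address bits the rule pins down, and that unspecified rule IDs are allocated in steps of 5; both assumptions are marked in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Addr6Match:
    """Source or destination matcher. address=None means 'any';
    prefix_length pins the high-order bits, postfix_length the low-order
    bits (the interface-ID part) of the address."""
    address: Optional[str] = None
    prefix_length: int = 0
    postfix_length: int = 0

    def matches(self, ip: str) -> bool:
        if self.address is None:
            return True
        want = int(ipaddress.IPv6Address(self.address))
        have = int(ipaddress.IPv6Address(ip))
        if self.postfix_length:
            mask = (1 << self.postfix_length) - 1
            return (want & mask) == (have & mask)
        shift = 128 - self.prefix_length
        return (want >> shift) == (have >> shift)

    @property
    def depth(self) -> int:
        return self.prefix_length or self.postfix_length  # 0 for 'any'


@dataclass
class Rule6:
    rule_id: int
    action: str        # "permit" or "deny"
    protocol: str      # "ipv6-esp" or "ipv6-ah" on this page
    source: Addr6Match = field(default_factory=Addr6Match)
    destination: Addr6Match = field(default_factory=Addr6Match)

    def matches(self, pkt: Dict[str, str]) -> bool:
        return (self.protocol == pkt["protocol"]
                and self.source.matches(pkt["src"])
                and self.destination.matches(pkt["dst"]))

    @property
    def depth(self) -> int:
        # Assumption: depth is approximated by the number of pinned address
        # bits; the switch's depth-first ordering also weighs other fields.
        return self.source.depth + self.destination.depth


class Acl6:
    """Advanced ACL6 with match-order 'config' (ascending rule ID) or
    'auto' (depth first, ties broken by ascending rule ID)."""

    def __init__(self, number: int, match_order: str = "config") -> None:
        if match_order not in ("auto", "config"):
            raise ValueError("match-order must be auto or config")
        self.number, self.match_order = number, match_order
        self.rules: Dict[int, Rule6] = {}

    def rule(self, action: str, protocol: str, rule_id: Optional[int] = None,
             source: Optional[Addr6Match] = None,
             destination: Optional[Addr6Match] = None) -> int:
        """Add a rule; an existing rule-id is overwritten, as the page states.
        Assumption: unspecified IDs are allocated in steps of 5."""
        if rule_id is None:
            rule_id = max(self.rules) + 5 if self.rules else 5
        if not 0 <= rule_id <= 2047:
            raise ValueError("rule-id must be 0-2047")
        self.rules[rule_id] = Rule6(rule_id, action, protocol,
                                    source or Addr6Match(),
                                    destination or Addr6Match())
        return rule_id

    def ordered_rules(self) -> List[Rule6]:
        if self.match_order == "config":
            return sorted(self.rules.values(), key=lambda r: r.rule_id)
        return sorted(self.rules.values(), key=lambda r: (-r.depth, r.rule_id))

    def evaluate(self, pkt: Dict[str, str]) -> Optional[str]:
        """First matching rule wins. None: no rule matched, and what happens
        next is decided by the service that references the ACL6."""
        for r in self.ordered_rules():
            if r.matches(pkt):
                return r.action
        return None


def demo_match_order() -> Dict[str, Optional[str]]:
    """The same two rules give opposite verdicts under the two match orders."""
    pkt = {"protocol": "ipv6-esp", "src": "2030:5060::1", "dst": "2001:db8::1"}
    results = {}
    for order in ("config", "auto"):
        acl = Acl6(3000, match_order=order)
        acl.rule("permit", "ipv6-esp", rule_id=5,
                 source=Addr6Match("2030:5060::", prefix_length=32))
        acl.rule("deny", "ipv6-esp", rule_id=10,
                 source=Addr6Match("2030:5060::9050", prefix_length=64))
        results[order] = acl.evaluate(pkt)   # config -> permit, auto -> deny
    return results


def demo_postfix() -> tuple:
    """postfix 64 pins only the interface ID, whatever the network prefix."""
    acl = Acl6(3001)
    acl.rule("permit", "ipv6-ah",
             source=Addr6Match("2030:5060::9050", postfix_length=64))
    hit = acl.evaluate({"protocol": "ipv6-ah", "src": "fd00:1::9050", "dst": "::1"})
    miss = acl.evaluate({"protocol": "ipv6-ah", "src": "fd00:1::9051", "dst": "::1"})
    return hit, miss   # ("permit", None)
```

demo_match_order() shows why changing match-order on an ACL6 that is already referenced by a service is a security-relevant change: the same pair of rules permits the packet under config order and denies it under auto order. demo_postfix() shows that a postfix rule follows a host across network prefixes, which is useful for tracking a fixed interface ID but matches far more than a /128 would.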

Local Attack Defense Compatible Commands

blacklist (upgrade-compatible command)

Function

The blacklist command configures an ACL-based blacklist.

By default, no blacklist is configured.

Format

blacklist blacklist-id acl acl-number soft-drop

Parameters

Parameter Description Value
blacklist-id

Specifies the number of the ACL6 referenced by the blacklist.

The value is an integer that ranges from 2000 to 3999.
  • 2000 to 2999: basic ACL6s
  • 3000 to 3999: advanced ACL6s

acl acl-number

Specifies the ID of the ACL referenced by the blacklist. The ACL can be a basic ACL, an advanced ACL, or a Layer 2 ACL.

The value is an integer that ranges from 2000 to 4999.

soft-drop

Indicates that the blacklist is implemented in software.

-

Views

System view, Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

A maximum of 8 blacklists can be configured in an attack defense policy on the device. The attributes of a blacklist are defined by the rules of the ACL it references.

Packets from sources that match the blacklist are discarded when they reach the device.

Example

# Reference ACL 2001 in the blacklist.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] blacklist acl 2001 soft-drop

car cpu-port (upgrade-compatible command)

Function

The car cpu-port command configures the CIR of all the packets to be sent to the CPU.

By default, the CIR value of all the packets to be sent to the CPU is 1024 kbit/s on the device.

Format

car cpu-port cir cir-rate

Parameters

Parameter

Description

Value

cir cir-rate

Sets the CIR of all the packets to be sent to the CPU.

The value is an integer that ranges from 64 to 2048, in kbit/s.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

The car cpu-port command limits the total rate of all protocol packets sent to the CPU. The car packet-type command limits the rate of packets of a specified protocol. However, the total CIR of packets of specified protocols cannot exceed the CIR of all the packets sent to the CPU.

When the CIR is exceeded, excess packets, whether unicast, multicast, or broadcast, are not sent to the CPU. Excess unicast packets are discarded directly.

Example

# Set the CIR of all the packets to be sent to the CPU to 512 kbit/s on the device.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] car cpu-port cir 512

deny (upgrade-compatible command)

Function

The deny command sets the discard action taken for packets sent to the CPU.

The undo deny command restores the default action taken for packets sent to the CPU.

By default, the device limits the rate of protocol packets and user-defined flows based on the CAR configuration.

Format

deny packet-type bpdu

deny packet-type ftp-dynamic

deny packet-type hotlimit

deny packet-type smlk-rrpp

deny packet-type nac-dhcp

undo deny packet-type bpdu

undo deny packet-type ftp-dynamic

undo deny packet-type hotlimit

undo deny packet-type smlk-rrpp

undo deny packet-type nac-dhcp

Parameters

Parameter Description Value
packet-type bpdu Discards BPDU packets. -
packet-type ftp-dynamic Discards ftp-dynamic packets. -
packet-type hotlimit Discards hop-limit packets. -
packet-type smlk-rrpp Discards smlk-rrpp packets. -
packet-type nac-dhcp Discards nac-dhcp packets. -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

If you run the deny and car commands for the same type of packets sent to the CPU, the command run later takes effect. The undo deny command restores the default action: the system again limits the rate of those packets sent to the CPU according to the configured CIR and CBS values.

Example

# Set the discard action for BPDU packets sent to the CPU in attack defense policy test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] deny packet-type bpdu

Attack Defense Compatible Commands

application-apperceive default drop (upgrade-compatible command)

Function

The application-apperceive default drop command enables the device to discard the received packets when no matching application layer association policy exists.

The undo application-apperceive default drop command enables the device to deliver received packets to the upper layer even if no matching application layer association policy exists.

By default, the device delivers received packets to the upper layer even if no matching application layer association policy exists.

Format

application-apperceive default drop

undo application-apperceive default drop

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the application-apperceive default drop command is run, if a protocol is enabled neither in the system view nor in the interface view, the device discards all packets of that protocol type.

Example

# Enable the device to discard the received packets when no matching application layer association policy exists.

<HUAWEI> system-view
[HUAWEI] application-apperceive default drop

Traffic Suppression Compatible Commands

broadcast-suppression (upgrade-compatible command)

Function

The broadcast-suppression command sets the maximum traffic rate of broadcast packets that can pass through an interface.

The undo broadcast-suppression command restores the default traffic rate of broadcast packets that can pass through an interface.

Format

broadcast-suppression { broadcast-pct | packets packets-per-second }

undo broadcast-suppression

Parameters

Parameter

Description

Value

broadcast-pct

Specifies the maximum percentage of broadcast traffic on an interface.

The value ranges from 0 to 100. The default value is 100. By default, broadcast traffic is not suppressed on interfaces.

packets packets-per-second

Specifies the maximum number of broadcast packets allowed to pass through an interface per second.

The value of packets-per-second is an integer.

Views

Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

When the traffic rate of broadcast packets exceeds the maximum value, the system discards excess broadcast packets to control the traffic rate and ensure normal operation of network services.

Example

# Set the maximum percentage of broadcast traffic to 20% of interface bandwidth on Eth-Trunk1.

<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] broadcast-suppression 20

multicast-suppression (upgrade-compatible command)

Function

The multicast-suppression command sets the maximum traffic rate of multicast packets that can pass through an interface.

The undo multicast-suppression command restores the default traffic rate of multicast packets that can pass through an interface.

Format

multicast-suppression { multicast-pct | packets packets-per-second }

undo multicast-suppression

Parameters

Parameter

Description

Value

multicast-pct

Specifies the maximum percentage of multicast traffic on an Ethernet interface.

The value ranges from 0 to 100. The default value is 100. By default, multicast traffic is not suppressed on interfaces.

packets packets-per-second

Specifies the maximum number of multicast packets allowed to pass through an interface per second.

The value of packets-per-second is an integer.

Views

Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

When the traffic rate of multicast packets exceeds the maximum value, the system discards excess multicast packets to control the traffic rate and ensure normal operation of network services.

Example

# Set the maximum percentage of multicast traffic to 20% of interface bandwidth on Eth-Trunk1.

<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] multicast-suppression 20

unicast-suppression (upgrade-compatible command)

Function

The unicast-suppression command sets the maximum traffic rate of unknown unicast packets that can pass through an interface.

The undo unicast-suppression command restores the default traffic rate of unknown unicast packets that can pass through an interface.

Format

unicast-suppression { unicast-pct | packets packets-per-second }

undo unicast-suppression

Parameters

Parameter

Description

Value

unicast-pct

Specifies maximum percentage of unknown unicast traffic on an Ethernet interface.

The value ranges from 0 to 100. The default value is 100. By default, unknown unicast traffic is not suppressed on interfaces.

packets packets-per-second

Specifies the maximum number of unknown unicast packets allowed to pass through an interface per second.

The value of packets-per-second is an integer.

Views

Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

When the traffic rate of unknown unicast packets exceeds the maximum value, the system discards excess unknown unicast packets to control the traffic rate and ensure normal operation of network services.

Example

# Set the maximum percentage of unknown unicast traffic to 20% of interface bandwidth on Eth-Trunk1.

<HUAWEI> system-view
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] unicast-suppression 20

storm-control action (upgrade-compatible command)

Function

The storm-control action command sets the storm control action to shutdown.

The undo storm-control action command cancels the configuration.

By default, no storm control action is configured.

Format

storm-control action shutdown

undo storm-control action

Parameters

Parameter

Description

Value

shutdown

Shuts down an interface.

-

Views

Ethernet interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

This command is provided for upgrade compatibility. It can be run only when it is entered in full.

It is replaced by the storm-control action error-down command.

Example

# Set the storm control action to shutdown on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] storm-control action shutdown

ARP Security Compatible Commands

arp anti-attack rate-limit (upgrade-compatible command)

Function

The arp anti-attack rate-limit command sets the maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface. On an interface, it can additionally enable the device to discard all ARP packets received on that interface for a configured period once the rate of ARP packets exceeds the limit.

The undo arp anti-attack rate-limit command restores the default maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface, and allows the device to send ARP packets to the CPU again.

By default, a maximum of 100 ARP packets are allowed to pass per second, and the function of discarding all ARP packets received on an interface when the rate of ARP packets exceeds the limit is disabled.

Format

System view, VLAN view

arp anti-attack rate-limit packet-number [ interval-value ]

Interface view

arp anti-attack rate-limit packet-number [ interval-value | block timer timer ]*

undo arp anti-attack rate-limit

Parameters

Parameter

Description

Value

packet-number

Specifies the maximum rate of ARP packets, that is, the number of ARP packets allowed to pass through within the rate limit duration.

The value is an integer that ranges from 1 to 16384. The default value is 100.

interval-value

Specifies the rate limit duration of ARP packets.

The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.

block timer timer

Specifies the duration for blocking ARP packets.

The value is an integer that ranges from 5 to 864000, in seconds.

Views

System view, VLAN view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface. In the rate limit duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.

If block timer timer is specified, once the limit is exceeded the device discards all ARP packets received on the interface for the duration specified by timer.

Prerequisites

Rate limit on ARP packets has been enabled globally, in a VLAN, or on an interface using the arp anti-attack rate-limit enable command.

Precautions

If the maximum rate and rate limit duration are configured in the system view, VLAN view, and interface view, the interface view configuration takes effect first, then the VLAN view configuration, and finally the system view configuration.

The same order applies when only global and interface configurations exist: the interface configuration takes precedence over the global one.

NOTE:

The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing. In non-block mode it does not affect ARP packets forwarded by the chip. In block mode, the device discards subsequent ARP packets on the interface only after the number of ARP packets sent to the CPU exceeds the limit.

Example

# Configure GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and to discard all ARP packets for 60 seconds once the number of ARP packets exceeds the limit.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit 200 10 block timer 60
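The following Python model is added here to illustrate the rate limit, block timer, and configuration precedence described above; it is illustrative code, not Huawei's implementation. It assumes a fixed counting window of interval-value seconds and that the first excess packet starts the block timer; the precedence interface view > VLAN view > system view is taken from the Precautions. Only the path of ARP packets punted to the CPU is modelled, matching the NOTE above.

```python
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_PACKETS, DEFAULT_INTERVAL = 100, 1   # page default: 100 ARP packets per second


@dataclass
class RateLimit:
    """One 'arp anti-attack rate-limit packet-number [ interval-value ]' setting.
    block_timer is only meaningful for the interface view."""
    packet_number: int
    interval: int = DEFAULT_INTERVAL
    block_timer: Optional[int] = None

    def __post_init__(self) -> None:
        if not 1 <= self.packet_number <= 16384:
            raise ValueError("packet-number must be 1-16384")
        if not 1 <= self.interval <= 86400:
            raise ValueError("interval-value must be 1-86400 seconds")
        if self.block_timer is not None and not 5 <= self.block_timer <= 864000:
            raise ValueError("block timer must be 5-864000 seconds")


class ArpRateLimiter:
    """Effective limit for one interface, applied to ARP packets punted to the CPU."""

    def __init__(self, system: Optional[RateLimit] = None,
                 vlan: Optional[RateLimit] = None,
                 interface: Optional[RateLimit] = None) -> None:
        # Precedence from the page: interface view > VLAN view > system view.
        self.limit = interface or vlan or system or RateLimit(DEFAULT_PACKETS)
        self.window_start: Optional[float] = None
        self.count = 0
        self.blocked_until: Optional[float] = None

    def receive(self, now: float) -> str:
        """Classify one ARP packet arriving at time 'now' (seconds).
        Returns 'cpu' (sent to the CPU), 'drop' (excess within the interval)
        or 'blocked' (interface is in the block state)."""
        lim = self.limit
        if self.blocked_until is not None:
            if now < self.blocked_until:
                return "blocked"
            self.blocked_until = None          # block timer expired
            self.window_start = None
        if self.window_start is None or now - self.window_start >= lim.interval:
            self.window_start, self.count = now, 0   # fixed counting window (assumption)
        self.count += 1
        if self.count <= lim.packet_number:
            return "cpu"
        if lim.block_timer is not None:
            # block mode: the first excess packet starts the block timer (assumption)
            self.blocked_until = now + lim.block_timer
            return "blocked"
        return "drop"                          # non-block mode: only the excess is dropped


def replay(limiter: ArpRateLimiter, times: List[float]) -> List[str]:
    return [limiter.receive(t) for t in times]


def demo_interface_block() -> tuple:
    """Page example: 200 packets per 10 s on GE0/0/1, block for 60 s when exceeded.
    The interface setting wins over the system-level 100 per 1 s."""
    lim = ArpRateLimiter(system=RateLimit(100, 1),
                         interface=RateLimit(200, 10, block_timer=60))
    burst = replay(lim, [i * 0.001 for i in range(201)])   # 201 packets within 0.2 s
    later = replay(lim, [30.0, 61.0])                       # still blocked, then released
    return burst.count("cpu"), burst.count("blocked"), later


def demo_default_no_block() -> tuple:
    """No explicit setting: 100 per second, excess dropped, no blocking."""
    lim = ArpRateLimiter()
    first = replay(lim, [0.0] * 150)
    return first.count("cpu"), first.count("drop"), lim.receive(1.0)
```

The two demo functions contrast the two modes: without block timer a flood only loses its excess and legitimate ARP resumes in the next interval, whereas with block timer a single burst silences the whole interface for the configured time, so the timer value trades attack containment against the risk that a busy but legitimate port is cut off.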

arp filter source (upgrade-compatible command)

Function

The arp filter source command enables ARP gateway protection for the specified IP address.

The undo arp filter source command disables ARP gateway protection for the specified IP address.

By default, ARP gateway protection is disabled.

Format

arp filter source ip-address

undo arp filter source { ip-address | all }

Parameters

Parameter Description Value
ip-address

Specifies the protected gateway IP address.

The value is in dotted decimal notation.

all

Disables ARP gateway protection for all IP addresses in the current view.

-

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

After the upgrade, it is replaced by the arp trust source command.

DHCP Snooping Compatible Commands

dhcp option82 format (upgrade-compatible command)

Function

The dhcp option82 format command configures the format of the Option 82 field in DHCP messages.

Format

dhcp option82 [ circuit-id | remote-id ] format userdefined text

Parameters

Parameter Description Value
circuit-id Specifies the format of the circuit-id (CID). -
remote-id Specifies the format of the remote-id (RID). -
userdefined text Indicates the user-defined format of the Option 82 field. text is the user-defined character string of the Option 82 field.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp option82 format command to configure the format of the Option 82 field in DHCP messages.

Example

# Configure a user-defined format for the CID in the Option 82 field. The CID is encapsulated in hexadecimal format as the CID type (0, indicating the hexadecimal format), the length (excluding the CID type and the length field itself), the outer VLAN ID, the slot ID (5 bits), the subslot ID (3 bits), and the port number (8 bits).

<HUAWEI> system-view
[HUAWEI] dhcp option82 circuit-id format userdefined 0 %length %svlan %5slot %3subslot %8port
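The following Python encoder is added here to show what the user-defined format in the example produces on the wire; it is illustrative code, not Huawei's implementation. It assumes that bit fields are packed most-significant bit first and padded to a byte boundary, and that %svlan occupies 16 bits when no width is given. The sample values are constructed.

```python
import re
from typing import Dict, List

# Assumption: %svlan (outer VLAN ID) is encoded in 16 bits when no width is given.
DEFAULT_WIDTHS = {"svlan": 16}
_TOKEN = re.compile(r"%(\d*)([a-z]+)")


def encode_circuit_id(fmt: str, values: Dict[str, int]) -> bytes:
    """Encode a 'userdefined' CID format such as
    '0 %length %svlan %5slot %3subslot %8port' into the CID sub-option payload.
    Bare numbers are literal bytes (here the CID type, 0 = hexadecimal format);
    %length is the byte count of everything after it; %Nname packs 'name' into
    N bits, MSB first, with each run of bit fields padded to a byte boundary."""
    segments: List[object] = []      # bytes objects, or the length placeholder
    pending: List[tuple] = []        # (value, width) bit fields not yet flushed
    length_marker = object()

    def flush() -> None:
        if not pending:
            return
        total = sum(w for _, w in pending)
        acc = 0
        for value, width in pending:
            if not 0 <= value < (1 << width):
                raise ValueError(f"{value} does not fit in {width} bits")
            acc = (acc << width) | value
        nbytes = (total + 7) // 8
        acc <<= nbytes * 8 - total       # pad to a byte boundary
        segments.append(acc.to_bytes(nbytes, "big"))
        pending.clear()

    for tok in fmt.split():
        m = _TOKEN.fullmatch(tok)
        if m is None:                    # literal byte, such as the CID type
            flush()
            segments.append(bytes([int(tok, 0)]))
            continue
        width, name = m.groups()
        if name == "length":
            if length_marker in segments:
                raise ValueError("%length may appear only once")
            flush()
            segments.append(length_marker)
        else:
            w = int(width) if width else DEFAULT_WIDTHS[name]
            pending.append((values[name], w))
    flush()

    if length_marker in segments:
        idx = segments.index(length_marker)
        tail = b"".join(segments[idx + 1:])
        if len(tail) > 255:
            raise ValueError("CID payload exceeds one length byte")
        segments[idx] = bytes([len(tail)])
    return b"".join(segments)


def demo_cid() -> str:
    """The page's format with constructed values: outer VLAN 100, slot 0,
    subslot 0, port 1. Layout: type 00, length 04, svlan 0064,
    slot/subslot 00, port 01."""
    return encode_circuit_id("0 %length %svlan %5slot %3subslot %8port",
                             {"svlan": 100, "slot": 0, "subslot": 0, "port": 1}).hex()
```

Because the CID is what a DHCP server or relay uses to tie a lease to a physical port, an encoder like this is useful for checking that the server side parses the same layout the switch emits; a width mismatch on any field silently shifts every field after it.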

dhcp snooping alarm { user-bind | mac-address | untrust-reply } enable (upgrade-compatible command)

Function

The dhcp snooping alarm enable command enables the alarm function for DHCP snooping.

The undo dhcp snooping alarm enable command disables the alarm function for DHCP snooping.

By default, the alarm function for discarded DHCP messages is disabled.

Format

dhcp snooping alarm { user-bind | mac-address | untrust-reply } { enable | [ enable ] threshold threshold }

undo dhcp snooping alarm { user-bind | mac-address | untrust-reply } { enable | [ enable ] threshold }

Parameters

Parameter Description Value
user-bind Generates an alarm when the number of DHCP messages discarded because they do not match DHCP snooping binding entries reaches the threshold. -
mac-address Generates an alarm when the number of DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address in the Ethernet frame header reaches the threshold. -
untrust-reply Generates an alarm when the number of DHCP Reply messages discarded by untrusted interfaces reaches the threshold. -
threshold threshold Specifies the alarm threshold. When the number of discarded DHCP messages reaches the threshold, an alarm is generated. The value is an integer that ranges from 1 to 1000.

Views

Ethernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view, Port-group view

Default Level

2: Configuration level

Usage Guidelines

This command is provided for upgrade compatibility. It can be run only when it is entered in full.

It is replaced by the dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable [ threshold threshold ] command.

Example

# On GE0/0/1, enable DHCP snooping, and enable the alarm function for DHCP snooping.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping alarm user-bind enable

dhcp snooping bind-table autosave (upgrade-compatible command)

Function

The dhcp snooping bind-table autosave command configures a device to automatically back up DHCP snooping binding entries in a specified file.

Format

dhcp snooping bind-table autosave file-name [ write-delay delay-time ]

Parameters

Parameter

Description

Value

file-name

Specifies the path and name of the file in which DHCP snooping binding entries are backed up. Both the path and the file name must be specified, and the path must be one the system supports.

The value is a string of 1 to 51 characters.

write-delay delay-time

Specifies the interval for local automatic backup of the DHCP snooping binding table.

If this parameter is not specified, the backup interval is the default value.

The value is an integer that ranges from 60 to 4294967295, in seconds. By default, the system backs up the DHCP snooping binding table every two days.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping bind-table autosave command to back up DHCP snooping binding entries in a specified file.

Example

# Configure a device to automatically back up DHCP snooping binding entries in the file backup.tbl in the flash memory.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping bind-table autosave flash:/backup.tbl

dhcp snooping check enable (upgrade-compatible command)

Function

The dhcp snooping check enable command enables the device to check DHCP messages.

The undo dhcp snooping check enable command disables the device from checking DHCP messages.

By default, the device does not check DHCP messages.

Format

In the system view:

dhcp snooping check { user-bind | mac-address } enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

undo dhcp snooping check { user-bind | mac-address } enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

In the VLAN view, Ethernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view, Port-group view:

dhcp snooping check { user-bind | mac-address } enable

undo dhcp snooping check { user-bind | mac-address } enable

Parameters

Parameter Description Value
user-bind

Check DHCP messages against the DHCP snooping binding table.

-
mac-address

Compare the MAC address in DHCP ACK or DHCP Request messages with the CHADDR value.

-
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Enables DHCP message checking for the specified VLANs.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be greater than vlan-id1.
The value is an integer that ranges from 1 to 4094.

Views

VLAN view, System view, Ethernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view, Port-group view

Default Level

2: Configuration level

Usage Guidelines

This command is provided for upgrade compatibility. It can be run only when it is entered in full.

After the command is run, DHCP messages are checked against the DHCP snooping binding table, or the source MAC address in DHCP ACK or DHCP Request messages is compared with the CHADDR value.

Example

# Enable the function of checking DHCP messages against the binding table in VLAN 100.
<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping check user-bind enable
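The following Python model is added here to illustrate the user-bind and mac-address checks described above together with the per-keyword alarm thresholds of the dhcp snooping alarm command (user-bind, mac-address, untrust-reply); it is illustrative code, not Huawei's implementation. The binding table, ports and DHCP messages are constructed sample data, and the assumption that the binding check applies to client messages that carry a client IP address is marked in the code.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SERVER_REPLIES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (MAC, IP, VLAN, interface)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class SnoopingPort:
    name: str
    trusted: bool = False
    check_user_bind: bool = False        # dhcp snooping check user-bind enable
    check_mac_address: bool = False      # dhcp snooping check mac-address enable
    # Alarm keyword -> threshold (1-1000): "user-bind", "mac-address", "untrust-reply"
    alarm_threshold: Dict[str, int] = field(default_factory=dict)


class DhcpSnooping:
    def __init__(self, bindings: List[Binding]) -> None:
        self.bindings: Set[Binding] = set(bindings)
        self.drops: Counter = Counter()          # (port, reason) -> count
        self.alarms: List[str] = []

    def inspect(self, port: SnoopingPort, msg: Dict) -> Optional[str]:
        """Return None if the message is forwarded, else the drop reason."""
        reason = self._check(port, msg)
        if reason is not None:
            key = (port.name, reason)
            self.drops[key] += 1
            threshold = port.alarm_threshold.get(reason)
            if threshold and self.drops[key] == threshold:
                self.alarms.append(f"{port.name}: {reason} drops reached {threshold}")
        return reason

    def _check(self, port: SnoopingPort, msg: Dict) -> Optional[str]:
        if msg["type"] in SERVER_REPLIES:
            # Server replies are accepted only on trusted interfaces.
            return None if port.trusted else "untrust-reply"
        if port.check_mac_address and msg["chaddr"].lower() != msg["src_mac"].lower():
            return "mac-address"
        if port.check_user_bind and msg.get("ciaddr"):
            # Assumption: the binding check applies to client messages that
            # carry a client IP (renewal REQUEST, RELEASE, DECLINE).
            wanted = Binding(msg["src_mac"].lower(), msg["ciaddr"], msg["vlan"], port.name)
            if wanted not in self.bindings:
                return "user-bind"
        return None


def demo() -> Tuple[Dict[tuple, int], List[str], List[Optional[str]]]:
    snoop = DhcpSnooping([Binding("00:11:22:33:44:55", "10.0.0.10", 100, "GE0/0/1")])
    access = SnoopingPort("GE0/0/1", check_user_bind=True, check_mac_address=True,
                          alarm_threshold={"user-bind": 2})
    uplink = SnoopingPort("GE0/0/24", trusted=True)
    legit = "00:11:22:33:44:55"
    # Constructed sample messages, not captured traffic.
    msgs = [
        (access, {"type": "REQUEST", "src_mac": legit, "chaddr": legit,
                  "ciaddr": "10.0.0.10", "vlan": 100}),              # valid renewal
        (access, {"type": "DISCOVER", "src_mac": legit, "chaddr": "00:aa:bb:cc:dd:ee",
                  "ciaddr": "", "vlan": 100}),                       # CHADDR spoofing
        (access, {"type": "RELEASE", "src_mac": "00:11:22:33:44:66",
                  "chaddr": "00:11:22:33:44:66", "ciaddr": "10.0.0.10", "vlan": 100}),
        (access, {"type": "RELEASE", "src_mac": "00:11:22:33:44:66",
                  "chaddr": "00:11:22:33:44:66", "ciaddr": "10.0.0.11", "vlan": 100}),
        (access, {"type": "OFFER", "src_mac": "00:de:ad:be:ef:00", "chaddr": legit,
                  "ciaddr": "", "vlan": 100}),                       # rogue server on access port
        (uplink, {"type": "OFFER", "src_mac": "00:53:00:00:00:01", "chaddr": legit,
                  "ciaddr": "", "vlan": 100}),                       # real server via trusted uplink
    ]
    verdicts = [snoop.inspect(p, m) for p, m in msgs]
    return dict(snoop.drops), snoop.alarms, verdicts
```

The two RELEASE messages show the attack the user-bind check is meant for: a host trying to release leases that belong to other bindings. With the threshold set to 2 the second such drop raises the alarm, which is the signal a SOC would forward rather than the individual drops.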

dhcp snooping check dhcp-rate alarm enable (upgrade-compatible command)

Function

The dhcp snooping check dhcp-rate alarm enable command enables the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.

By default, the device is disabled from generating an alarm when the number of discarded DHCP messages reaches the threshold.

Format

dhcp snooping check dhcp-rate alarm { enable | [ enable ] threshold threshold }

Parameters

Parameter Description Value
threshold threshold Specifies the alarm threshold for the DHCP message rate check. After the rate check discards DHCP messages, an alarm is generated when the number of discarded messages reaches this threshold. The value is an integer that ranges from 1 to 1000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command is retained for upgrade compatibility. It is accepted only when entered in full.

After the alarm function is enabled, the device sends a trap message when the number of discarded DHCP messages reaches the alarm threshold.

Example

# In the system view, enable the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.

<HUAWEI> system-view
[HUAWEI] dhcp snooping check dhcp-rate alarm enable

dhcp snooping check dhcp-rate enable alarm dhcp-rate enable (upgrade-compatible command)

Function

Using the dhcp snooping check dhcp-rate enable alarm dhcp-rate enable command, you can:

  • Enable the function of checking the rate of sending DHCP messages to the DHCP protocol stack.
  • Set the rate limit of sending DHCP messages to the DHCP protocol stack.
  • Enable the DHCP message discard alarm.
  • Set the alarm threshold for discarded DHCP messages.

By default:
  • The rate of sending DHCP messages to the DHCP protocol stack is not checked.
  • The rate limit of sending DHCP messages to the DHCP protocol stack is 100 pps.
  • The DHCP message discard alarm is disabled.
  • The alarm threshold for discarded DHCP messages is 100.

Format

dhcp snooping check dhcp-rate { enable | [ enable ] [ rate ] rate } alarm dhcp-rate { enable | [ enable ] threshold threshold-value }

Parameters

Parameter

Description

Value

[ rate ] rate

Specifies the rate limit of sending DHCP messages to the DHCP protocol stack.

The value ranges from 1 to 100, in pps. The default value is 100.

alarm dhcp-rate enable

Enables the DHCP message discard alarm.

-

threshold threshold-value

Specifies the alarm threshold for discarded DHCP messages. After the function is enabled, an alarm is generated when the number of discarded DHCP messages reaches the alarm threshold on an interface.

The value ranges from 1 to 1000. The default value is 100.

Views

Ethernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view, Port-group view

Default Level

2: Configuration level

Usage Guidelines

This command is retained for upgrade compatibility. It is accepted only when entered in full.

After the command is used, the DHCP message discard alarm is enabled. If the number of discarded messages reaches the alarm threshold, an alarm is generated.

Example

# On GE 0/0/1, enable the function of checking the rate of sending DHCP messages, set the rate limit of sending DHCP messages to the DHCP protocol stack to 50 pps, enable the DHCP message discard alarm, and set the alarm threshold for discarded DHCP messages to 50.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50

dhcp snooping check dhcp-rate enable alarm enable (upgrade-compatible command)

Function

Using the dhcp snooping check dhcp-rate enable alarm enable command, you can:

  • Enable the function of checking the rate of sending DHCP messages to the processing unit.
  • Set the rate limit of sending DHCP messages to the processing unit.
  • Enable the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.
  • Set the alarm threshold for the number of discarded DHCP messages.

By default:
  • The device does not check the rate of sending DHCP messages to the processing unit.
  • The maximum rate of sending DHCP messages to the processing unit is 100 pps.
  • The device does not generate an alarm when the number of discarded DHCP messages reaches the threshold.
  • The alarm threshold for the number of discarded DHCP messages is 100.

Format

dhcp snooping check dhcp-rate enable [ [ rate ] rate ] alarm [ dhcp-rate ] { enable | [ enable ] threshold threshold }

Parameters

Parameter

Description

Value

[ rate ] rate

Specifies the rate limit of sending DHCP messages to the processing unit.

The value is an integer that ranges from 1 to 100, in pps. The default value is 100.

dhcp-rate

Generates an alarm when the number of discarded DHCP messages reaches the threshold.

-

threshold threshold

Specifies the alarm threshold. When the number of discarded DHCP messages reaches the threshold, an alarm is generated.

The value is an integer that ranges from 1 to 1000. The default value is 100.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command is retained for upgrade compatibility. It is accepted only when entered in full.

After the command is used, the DHCP message discard alarm is enabled. If the number of discarded messages reaches the alarm threshold, an alarm is generated.

Example

# Enable the function of checking the rate of sending DHCP messages to the processing unit, set the rate limit of sending DHCP messages to the processing unit to 50 pps, enable the DHCP message discard alarm, and set the alarm threshold for discarded DHCP messages to 50.

<HUAWEI> system-view
[HUAWEI] dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50
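The rate check and discard alarm configured by the dhcp snooping check dhcp-rate ... alarm commands in this section and the two preceding ones, modelled as an added example. This is not Huawei code: it assumes a fixed one-second counting window and a discard counter that restarts after each alarm, and the 300 pps flood is constructed input.

```python
"""Model of the DHCP-to-CPU rate limit with a discard alarm.

Added example, not Huawei code. It models the behaviour configured by
`dhcp snooping check dhcp-rate enable [rate] alarm dhcp-rate enable threshold N`:
at most `rate` DHCP packets per second are sent to the processing unit, the
rest are discarded, and an alarm is generated each time the discard counter
reaches `threshold`. Assumptions: a fixed one-second window and a discard
counter that restarts after each alarm.
"""
from dataclasses import dataclass, field


@dataclass
class DhcpRateLimiter:
    rate: int = 100          # pps; the page allows 1..100, default 100
    threshold: int = 100     # discards per alarm; the page allows 1..1000, default 100
    discarded: int = 0       # discards since the last alarm
    alarms: list = field(default_factory=list)
    _window: int = -1        # second currently being counted (assumption)
    _accepted: int = 0       # packets sent to the CPU in that second

    def __post_init__(self):
        if not 1 <= self.rate <= 100 or not 1 <= self.threshold <= 1000:
            raise ValueError("rate must be 1..100 pps, threshold 1..1000")

    def punt(self, t: float) -> bool:
        """Return True if a DHCP packet arriving at time t (seconds) goes to the CPU."""
        if int(t) != self._window:                     # new one-second window
            self._window, self._accepted = int(t), 0
        if self._accepted < self.rate:
            self._accepted += 1
            return True
        self.discarded += 1
        if self.discarded >= self.threshold:
            self.alarms.append((t, self.discarded))    # what the trap would report
            self.discarded = 0                         # assumption: counter restarts
        return False


def simulate(rate: int, threshold: int, pps: int, seconds: int = 1) -> dict:
    """Offer `pps` evenly spaced DHCP packets per second for `seconds` seconds
    and report how the limiter treated them (constructed traffic)."""
    lim = DhcpRateLimiter(rate=rate, threshold=threshold)
    accepted = dropped = 0
    for s in range(seconds):
        for i in range(pps):
            if lim.punt(s + i / pps):
                accepted += 1
            else:
                dropped += 1
    return {"accepted": accepted, "dropped": dropped, "alarms": len(lim.alarms)}


if __name__ == "__main__":
    # The page's example settings, rate 50 pps and threshold 50, under a 300 pps flood.
    print(simulate(rate=50, threshold=50, pps=300))
    # A client population below the limit: nothing is dropped and no alarm fires.
    print(simulate(rate=50, threshold=50, pps=40))
```

With the page's example values a 300 pps DHCP flood punts 50 packets to the CPU, discards 250 and raises five alarms in one second, which is why the threshold is normally set well above the discard count a legitimate renewal burst can produce.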

dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr | user-bind | mac-address } enable alarm (upgrade-compatible command)

Function

The dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr | user-bind | mac-address } enable alarm enable command enables the DHCP packet check and alarm function.

By default, the DHCP packet check and alarm function is disabled.

Format

dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr | user-bind | mac-address } enable alarm { dhcp-request | dhcp-chaddr | dhcp-reply | user-bind | mac-address | untrust-reply } { enable | [ enable ] threshold threshold }

Parameters

Parameter Description Value
dhcp-request or user-bind

Generates an alarm when the number of DHCP messages discarded because they do not match DHCP snooping binding entries reaches the threshold.

-
dhcp-chaddr or mac-address

Generates an alarm when the number of DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address in the Ethernet frame header reaches the threshold.

-
dhcp-reply or untrust-reply

Generates an alarm when the number of DHCP Reply messages discarded by untrusted interfaces reaches the threshold.

-
threshold threshold

Specifies the alarm threshold. When the number of discarded DHCP messages reaches the threshold, an alarm is generated.

The value is an integer that ranges from 1 to 1000.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

This command is equivalent to the combination of the dhcp snooping check dhcp-giaddr enable, dhcp snooping check dhcp-chaddr enable, dhcp snooping check dhcp-request enable, and dhcp snooping alarm threshold commands.

Example

# Enable the user-bind check function on GE0/0/1 and set the alarm threshold for packets discarded by the user-bind check to 100.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 100

dhcp snooping check enable alarm enable (upgrade-compatible command)

Function

The dhcp snooping check enable alarm enable command enables the DHCP packet check and alarm function.

By default, the DHCP packet check and alarm function is disabled.

Format

dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr } enable alarm { user-bind | mac-address | untrust-reply } { enable | [ enable ] threshold threshold }

Parameters

Parameter Description Value
dhcp-request

Matches DHCP packets with entries in the binding table.

-
dhcp-chaddr

Checks whether the MAC address and CHADDR field in DHCP packets are consistent.

-
dhcp-giaddr

Checks whether the GIADDR field in DHCP Request packets is nonzero. A request sent directly by a client carries a zero GIADDR; the field is set only by relay agents.

-
user-bind

Generates an alarm when the number of DHCP packets discarded because they do not match DHCP snooping binding entries reaches the threshold.

-
mac-address

Generates an alarm when the number of DHCP packets discarded because the CHADDR field in the DHCP packet does not match the source MAC address in the Ethernet frame header reaches the threshold.

-
untrust-reply

Generates an alarm when the number of DHCP Reply packets discarded by untrusted interfaces reaches the threshold.

-
threshold threshold

Specifies the alarm threshold. When the number of discarded DHCP packets reaches the threshold, an alarm is generated.

The value is an integer that ranges from 1 to 1000.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade. It is equivalent to the combination of the dhcp snooping check dhcp-giaddr enable, dhcp snooping check dhcp-chaddr enable, dhcp snooping check dhcp-request enable, and dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } threshold threshold commands.
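The checks enabled by this command and by the preceding dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr | user-bind | mac-address } enable alarm command (binding-table match, CHADDR against source MAC, nonzero GIADDR, replies on untrusted interfaces) and the per-check discard alarm, run over constructed DHCP packets as an added example. This is not Huawei code. It assumes that the checks apply only to untrusted interfaces, that the binding-table check covers Request, Decline and Release messages carrying a client address, and that a binding entry is the tuple (MAC, IP, VLAN, interface); the interface names and addresses are made up.

```python
"""DHCP snooping packet checks with per-check discard alarms.

Added example, not Huawei code. It models the checks this page configures
(dhcp-chaddr/mac-address, dhcp-giaddr, dhcp-request/user-bind and
untrust-reply) and the alarm threshold on discarded packets. Assumptions:
checks run only on untrusted interfaces; the binding-table check is applied to
Request, Decline and Release messages that carry a client address (ciaddr);
a binding entry is the tuple (MAC, IP, VLAN, port). Packets are constructed
inline, not captured.
"""
import socket
import struct
from collections import Counter

MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, REQUEST, DECLINE, ACK, RELEASE = 1, 3, 4, 5, 7
ZERO_IP = b"\x00" * 4
BINDING_CHECKED = {REQUEST, DECLINE, RELEASE}      # assumption, see above


def build_dhcp(op, chaddr, msg_type, ciaddr=ZERO_IP, giaddr=ZERO_IP):
    """Construct a minimal BOOTP/DHCP packet (sample input only)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                        ciaddr, ZERO_IP, ZERO_IP, giaddr, chaddr.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])      # option 53 + end option


def parse_dhcp(pkt):
    """Extract the fields the checks need; reject packets without the magic cookie."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = min(pkt[2], 16)
    fields = {"op": pkt[0], "ciaddr": pkt[12:16], "giaddr": pkt[24:28],
              "chaddr": pkt[28:28 + hlen], "msg_type": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:                     # walk the TLV options
        if pkt[i] == 0:                                        # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53 and length == 1:
            fields["msg_type"] = pkt[i + 2]
        i += 2 + length
    return fields


class DhcpSnooper:
    def __init__(self, bindings, trusted_ports, threshold=100):
        self.bindings = set(bindings)        # {(mac, ip, vlan, port)}
        self.trusted = set(trusted_ports)
        self.threshold = threshold           # 1..1000 on the page
        self.discards = Counter()
        self.alarms = []                     # (check, discard count when the alarm fired)

    def _discard(self, check):
        self.discards[check] += 1
        if self.discards[check] % self.threshold == 0:
            self.alarms.append((check, self.discards[check]))
        return check

    def inspect(self, src_mac, vlan, port, pkt):
        """Return 'forward' or the name of the check that discarded the packet."""
        if port in self.trusted:                          # trusted interface: no checks (assumption)
            return "forward"
        f = parse_dhcp(pkt)
        if f["op"] == BOOTREPLY:                          # server reply on an untrusted interface
            return self._discard("untrust-reply")
        if f["chaddr"] != src_mac:                        # dhcp-chaddr / mac-address
            return self._discard("dhcp-chaddr")
        if f["giaddr"] != ZERO_IP:                        # dhcp-giaddr: a client is not a relay
            return self._discard("dhcp-giaddr")
        if f["msg_type"] in BINDING_CHECKED and f["ciaddr"] != ZERO_IP:
            if (src_mac, f["ciaddr"], vlan, port) not in self.bindings:   # dhcp-request / user-bind
                return self._discard("dhcp-request")
        return "forward"


def demo():
    """Run constructed traffic through a snooper; return the verdicts and alarms."""
    mac = bytes.fromhex
    host, rogue, other = mac("0011223344aa"), mac("0011223344bb"), mac("0011223344cc")
    ip = socket.inet_aton("10.0.0.5")
    snoop = DhcpSnooper(bindings=[(host, ip, 100, "GE0/0/1")],
                        trusted_ports={"GE0/0/24"}, threshold=2)
    traffic = [
        (host,  100, "GE0/0/1",  build_dhcp(BOOTREQUEST, host, DISCOVER)),             # normal client
        (rogue, 100, "GE0/0/2",  build_dhcp(BOOTREPLY, host, ACK)),                    # rogue server
        (rogue, 100, "GE0/0/2",  build_dhcp(BOOTREQUEST, host, DISCOVER)),             # spoofed chaddr
        (rogue, 100, "GE0/0/2",  build_dhcp(BOOTREQUEST, host, REQUEST)),              # spoofed chaddr again
        (other, 100, "GE0/0/3",  build_dhcp(BOOTREQUEST, other, REQUEST, giaddr=ip)),  # pretends to be a relay
        (other, 100, "GE0/0/3",  build_dhcp(BOOTREQUEST, other, RELEASE, ciaddr=ip)),  # releases someone else's lease
        (host,  100, "GE0/0/1",  build_dhcp(BOOTREQUEST, host, RELEASE, ciaddr=ip)),   # matches its binding
        (host,  100, "GE0/0/24", build_dhcp(BOOTREPLY, host, ACK)),                    # real server, trusted port
    ]
    return [snoop.inspect(*t) for t in traffic], list(snoop.alarms)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: a reply is judged by the interface it arrived on before any field is inspected, and the CHADDR check runs before the binding check because a spoofed CHADDR would otherwise be matched against the victim's binding entry. With threshold 2 the second spoofed-CHADDR packet is what raises the only alarm.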

dhcp snooping global max-user-number (upgrade-compatible command)

Function

The dhcp snooping global max-user-number command sets the maximum number of global DHCP users.

By default, the maximum number of global DHCP users is 1024.

Format

dhcp snooping global max-user-number max-user-number

Parameters

Parameter

Description

Value

max-user-number

Specifies the maximum number of global DHCP users.

The value is an integer that ranges from 1 to 1024.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The dhcp snooping global max-user-number command takes effect only when DHCP snooping is enabled globally and applies only to DHCP users. When the number of global DHCP users reaches the limit set by this command, no more DHCP users can go online.

Example

# Set the maximum number of global DHCP users to 100.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping global max-user-number 100

dhcp snooping information circuit-id (upgrade-compatible command)

Function

The dhcp snooping information circuit-id command configures the Option 82 circuit-id format.

Format

System view:

dhcp snooping information circuit-id string string

Interface view:

dhcp snooping information [ vlan vlan-id ] circuit-id string string

Parameters

Parameter

Description

Value

string string

Specifies the circuit-id format.

The value is a string of 1 to 63 characters.

vlan vlan-id

Specifies a VLAN ID.

The value is an integer that ranges from 1 to 4094.

Views

System view, Ethernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping information circuit-id command to configure the Option 82 circuit-id format.

Example

# Configure the Option 82 circuit-id format.

<HUAWEI> system-view
[HUAWEI] dhcp snooping information circuit-id string teststring

dhcp snooping information format (upgrade-compatible command)

Function

The dhcp snooping information format command configures the Option 82 field format.

Format

dhcp snooping information format { hex | ascii }

Parameters

Parameter

Description

Value

hex

Sets the Option 82 format to hexadecimal.

-

ascii

Sets the Option 82 format to ASCII.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping information format command to configure the Option 82 field format.

Example

# Set the Option 82 format to ASCII.

<HUAWEI> system-view
[HUAWEI] dhcp snooping information format ascii

dhcp snooping information remote-id (upgrade-compatible command)

Function

The dhcp snooping information remote-id command configures the Option 82 remote-id format.

Format

System view:

dhcp snooping information remote-id { sysname | string string }

Interface view:

dhcp snooping information [ vlan vlan-id ] remote-id string string

Parameters

Parameter

Description

Value

sysname

System name.

-

string string

Specifies the remote-id format.

The value is a string of 1 to 63 characters.

vlan vlan-id

Specifies a VLAN ID.

The value is an integer that ranges from 1 to 4094.

Views

System view, Ethernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping information remote-id command to configure the Option 82 remote-id format.

Example

# Configure the Option 82 remote-id format.

<HUAWEI> system-view
[HUAWEI] dhcp snooping information remote-id string teststring

dhcp snooping max-user-number global (upgrade-compatible command)

Function

The dhcp snooping max-user-number global command sets the maximum number of global DHCP users.

By default, the maximum number of global DHCP users is 1024.

Format

dhcp snooping max-user-number max-user-number global

Parameters

Parameter

Description

Value

max-user-number

Specifies the maximum number of global DHCP users.

The value is an integer that ranges from 1 to 1024.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command is retained for upgrade compatibility. It is accepted only when entered in full.

The command takes effect only when DHCP snooping is enabled globally and applies only to DHCP users. When the number of global DHCP users reaches the limit set by this command, no more DHCP users can go online.

Example

# Set the maximum number of global DHCP users to 100.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping max-user-number 100 global

dhcp snooping sticky-mac (upgrade-compatible command)

Function

The dhcp snooping sticky-mac command enables the device to generate static MAC address entries based on dynamic DHCP snooping binding entries.

The undo dhcp snooping sticky-mac command disables the device from generating static MAC address entries based on dynamic DHCP snooping binding entries.

By default, the device does not generate static MAC address entries based on dynamic DHCP snooping binding entries.

Format

dhcp snooping sticky-mac

undo dhcp snooping sticky-mac

Parameters

None

Views

Ethernet interface view, GE interface view, XGE interface view, port group view, Eth-trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC address entry consists of the MAC address, VLAN ID, and port number of a DHCP client. The device implements Layer 2 forwarding based on MAC address entries.

After the dhcp snooping sticky-mac command is run on an interface, the device generates static MAC address entries (snooping type) for the DHCP users on the interface from their dynamic binding entries, clears all dynamic MAC address entries on the interface, disables dynamic MAC address learning on the interface, and checks the source MAC address of each frame against the MAC address table. Only frames whose source MAC address matches a static MAC address entry pass through the interface; all other frames are discarded. The administrator therefore has to configure static MAC address entries (static type) for non-DHCP users on the interface so that their frames are forwarded; otherwise their frames are discarded. This blocks attacks from hosts that did not obtain their addresses through DHCP.
NOTE:
  • If a DHCP snooping binding entry is updated, the corresponding static MAC address entry is automatically updated.

  • If you run the dhcp snooping sticky-mac command on the interface, DHCPv6 users cannot go online. Run the nd snooping enable command in the system view and interface view to enable ND snooping and the savi enable command in the system view to enable SAVI.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

The dhcp snooping sticky-mac command cannot be used with the following commands on an interface.

Command

Description

dot1x enable

Enables 802.1X authentication on an interface.

mac-authen

Enables MAC address authentication on an interface.

mac-address learning disable

Disables MAC address learning on an interface.

mac-limit

Sets the maximum number of MAC addresses to be learned.

port vlan-mapping vlan map-vlan

port vlan-mapping vlan inner-vlan

Enables VLAN mapping.

port-security enable

Enables port security.

Example

# Enable the device to generate static MAC address entries based on DHCP snooping binding entries on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping sticky-mac
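The effect of dhcp snooping sticky-mac on an interface's MAC address table, as an added example that is not Huawei code: snooping-type static entries are generated from the interface's dynamic bindings, dynamic entries are cleared, learning stops, and only frames whose source MAC has an entry on that interface are admitted. The hosts, addresses, VLAN and interface names are constructed.

```python
"""What `dhcp snooping sticky-mac` does to an interface's MAC address table.

Added example, not Huawei code. It models the behaviour described above:
snooping-type static MAC entries are generated from the interface's dynamic
DHCP snooping bindings, the interface's dynamic entries are cleared, dynamic
learning is switched off, and a frame is admitted only if its source MAC has
an entry on that interface. The hosts, VLAN and interface names are constructed.
"""
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan port")          # dynamic DHCP snooping binding
MacEntry = namedtuple("MacEntry", "mac vlan port kind")       # kind: dynamic | snooping | static


class MacTable:
    def __init__(self):
        self.entries = {}            # (mac, vlan) -> MacEntry
        self.sticky_ports = set()    # interfaces with learning off and source-MAC filtering on

    def learn(self, mac, vlan, port):
        """Normal dynamic learning; has no effect on a sticky-mac interface."""
        if port not in self.sticky_ports:
            self.entries[(mac, vlan)] = MacEntry(mac, vlan, port, "dynamic")

    def add_static(self, mac, vlan, port):
        """What the administrator must configure for non-DHCP hosts on a sticky-mac interface."""
        self.entries[(mac, vlan)] = MacEntry(mac, vlan, port, "static")

    def apply_sticky_mac(self, port, bindings):
        """Model of running `dhcp snooping sticky-mac` on `port`."""
        self.entries = {k: e for k, e in self.entries.items()
                        if not (e.port == port and e.kind == "dynamic")}   # clear dynamic entries
        for b in bindings:
            if b.port == port:                                              # one snooping entry per binding
                self.entries[(b.mac, b.vlan)] = MacEntry(b.mac, b.vlan, port, "snooping")
        self.sticky_ports.add(port)                                         # learning off, SMAC check on

    def admit(self, src_mac, vlan, port) -> bool:
        """Is a frame forwarded? On a sticky-mac interface only matching entries pass."""
        if port not in self.sticky_ports:
            self.learn(src_mac, vlan, port)
            return True
        entry = self.entries.get((src_mac, vlan))
        return entry is not None and entry.port == port


def demo():
    """DHCP client A and a statically addressed printer P share GE0/0/1 in VLAN 100;
    X is a host that never appeared in the binding table."""
    a, p, x = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "de:ad:be:ef:00:01"
    table = MacTable()
    for mac in (a, p):
        table.admit(mac, 100, "GE0/0/1")                        # both learned dynamically
    table.apply_sticky_mac("GE0/0/1", [Binding(a, "10.0.0.5", 100, "GE0/0/1")])
    before = tuple(table.admit(m, 100, "GE0/0/1") for m in (a, p, x))
    table.add_static(p, 100, "GE0/0/1")                          # administrator adds the printer
    after = tuple(table.admit(m, 100, "GE0/0/1") for m in (a, p, x))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Immediately after sticky-mac is applied the printer, which never used DHCP, is cut off along with the unknown host; only a static entry added by the administrator restores it, which is the operational caveat the usage scenario above describes.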

dhcp snooping trusted interface no-user-binding (upgrade-compatible command)

Function

The dhcp snooping trusted interface no-user-binding command configures a trusted interface.

The undo dhcp snooping trusted interface no-user-binding command deletes a trusted interface.

By default, no trusted interface is configured.

Format

dhcp snooping trusted interface interface-type interface-number no-user-binding

undo dhcp snooping trusted interface interface-type interface-number no-user-binding

Parameters

Parameter

Description

Value

interface-type interface-number

Specifies the type and number of an interface.

-

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping trusted interface no-user-binding command to configure a trusted interface in the VLAN view.

Before using this command:
  • Enable DHCP snooping globally.
  • Add the interface to a VLAN.

This command can only be used during a configuration restoration.

Example

# Configure a trusted interface GE0/0/1 in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping trusted interface gigabitethernet 0/0/1 no-user-binding 

dhcp snooping trusted no-user-binding (upgrade-compatible command)

Function

The dhcp snooping trusted no-user-binding command configures an interface as the trusted interface.

The undo dhcp snooping trusted no-user-binding command restores the default state of an interface.

By default, no trusted interface is configured.

Format

dhcp snooping trusted no-user-binding

undo dhcp snooping trusted no-user-binding

Parameters

None

Views

Ethernet interface view, GE interface view, XGE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

When DHCP snooping is enabled on an interface, the interface is an untrusted interface by default. After you use the dhcp snooping trusted no-user-binding command in the interface view, the interface becomes a trusted interface.

This command can only be used during a configuration restoration.

Example

# Configure a trusted interface GE0/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping trusted no-user-binding

Keychain Upgrade-compatible Commands

receive-time (upgrade-compatible command)

Function

The receive-time command makes a key act as a receive-key for the specified interval of time.

The undo receive-time command deletes the receive-time configuration.

By default, no receive-time is configured.

Format

receive-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

Parameters

Parameter Description Value
utc Specifies that the given time is in Coordinated Universal Time (UTC) format. -
start-time Specifies the start receive time. In HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the receive time in minutes. The value ranges from 1 to 26280000.
infinite Specifies that the key acts as an active receive key indefinitely from the configured start-time. -
to Acts as a separator. -
end-time Specifies the end receive time. In HH:MM format. The value ranges from 00:00 to 23:59. The end-time should be greater than the start-time.
end-date Specifies the end date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.

Views

key-id view

Default Level

2: Configuration Level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

It is replaced by the receive-time start-time start-date { duration { duration-value | infinite } | { to end-time end-date } } command.

send-time (upgrade-compatible command)

Function

The send-time command makes a key act as a send key for the specified interval of time.

The undo send-time command deletes the send-time configuration.

By default, no send-time is configured.

Format

send-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

Parameters

Parameter Description Value
utc Specifies that the given time is in Coordinated Universal Time (UTC) format. -
start-time Specifies the start send time. In HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the send time in minutes. The value ranges from 1 to 26280000.
infinite Specifies that the key will be acting as a send key forever from the configured start-time. -
to Acts as a separator. -
end-time Specifies the end send time. In HH:MM format. The value ranges from 00:00 to 23:59. The end-time should be greater than the start-time.
end-date Specifies the end date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
daily Specifies the daily send timing for the given key. -

Views

Key-ID view

Default Level

2: Configuration Level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

It is replaced by the send-time start-time start-date { duration { duration-value | infinite } | { to end-time end-date } } command.
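How a keychain turns the send-time and receive-time windows of this section and the preceding receive-time section into the key used for outgoing packets and the set of keys accepted on incoming packets, as an added example that is not Huawei code. It parses the utc form shown on this page, enforces the page's ranges, and assumes that the send key is the lowest key-id whose send window covers the current time; the key IDs, key strings and dates are constructed.

```python
"""Keychain key selection from send-time and receive-time windows.

Added example, not Huawei code. It models how a keychain picks the key used to
sign outgoing packets and the set of keys accepted on incoming packets from the
windows configured by `send-time utc ...` and `receive-time utc ...` (the
replacement commands without `utc` have the same shape). Assumptions: the
send key is the lowest key-id whose send window covers the current time, and
all times are UTC. The key IDs, key strings and dates are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

UTC = timezone.utc
Window = Tuple[datetime, Optional[datetime]]      # (start, end); end None means infinite


def utc(ts: str) -> datetime:
    """'YYYY-MM-DD HH:MM' to an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


def parse_window(spec: str) -> Window:
    """Parse 'utc HH:MM YYYY-MM-DD duration {minutes | infinite}'
    or 'utc HH:MM YYYY-MM-DD to HH:MM YYYY-MM-DD' into (start, end)."""
    tok = spec.split()
    if len(tok) < 5 or tok[0] != "utc":
        raise ValueError("expected: utc HH:MM YYYY-MM-DD duration ... | to HH:MM YYYY-MM-DD")
    start = utc(f"{tok[2]} {tok[1]}")
    if not utc("1970-01-01 00:00") <= start <= utc("2050-12-31 23:59"):
        raise ValueError("start-date must be between 1970-01-01 and 2050-12-31")
    if tok[3] == "duration":
        if tok[4] == "infinite":
            return start, None
        minutes = int(tok[4])
        if not 1 <= minutes <= 26280000:
            raise ValueError("duration must be 1..26280000 minutes")
        return start, start + timedelta(minutes=minutes)
    if tok[3] == "to" and len(tok) == 6:
        end = utc(f"{tok[5]} {tok[4]}")
        if end <= start:
            raise ValueError("end-time must be later than start-time")
        return start, end
    raise ValueError(f"cannot parse: {spec}")


def in_window(window: Window, now: datetime) -> bool:
    start, end = window
    return start <= now and (end is None or now < end)


@dataclass
class Key:
    key_id: int
    key_string: bytes
    send: Window
    receive: Window


class Keychain:
    def __init__(self, keys):
        self.keys = sorted(keys, key=lambda k: k.key_id)

    def send_key(self, now: datetime) -> Optional[Key]:
        """Key used to sign outgoing packets at `now`; None means a gap in the keychain."""
        return next((k for k in self.keys if in_window(k.send, now)), None)

    def receive_keys(self, now: datetime):
        """Keys accepted on incoming packets at `now`. Overlapping receive windows
        are what let two peers roll keys without losing their adjacency."""
        return [k for k in self.keys if in_window(k.receive, now)]


def rollover_state(chain: Keychain, now: datetime):
    """(send key-id or None, sorted receive key-ids) at `now`."""
    sk = chain.send_key(now)
    return (sk.key_id if sk else None, sorted(k.key_id for k in chain.receive_keys(now)))


def sample_chain() -> Keychain:
    """Key 1 retires at 2024-02-01 00:00 UTC and key 2 takes over; each key is still
    accepted on receive for six hours on the far side of the switch."""
    return Keychain([
        Key(1, b"old-secret",
            send=parse_window("utc 00:00 2024-01-01 to 00:00 2024-02-01"),
            receive=parse_window("utc 00:00 2024-01-01 to 06:00 2024-02-01")),
        Key(2, b"new-secret",
            send=parse_window("utc 00:00 2024-02-01 duration infinite"),
            receive=parse_window("utc 18:00 2024-01-31 duration infinite")),
    ])


if __name__ == "__main__":
    chain = sample_chain()
    for ts in ("2024-01-15 12:00", "2024-01-31 20:00", "2024-02-01 03:00", "2024-02-02 00:00"):
        print(ts, rollover_state(chain, utc(ts)))
```

The receive windows are deliberately wider than the send windows: around the switch both key 1 and key 2 are accepted, so a peer whose clock or configuration lags by a few hours keeps its session. A keychain whose send windows leave a gap produces no send key at all, which is the failure mode to check for before the old key expires.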

PKI Compatible Commands

fingerprint (upgrade-compatible command)

Function

The fingerprint command configures the CA certificate fingerprint used in CA certificate authentication.

The undo fingerprint command deletes the CA certificate fingerprint used in CA certificate authentication.

By default, no CA certificate fingerprint is configured for CA certificate authentication.

Format

fingerprint sha2 fingerprint

undo fingerprint

Parameters

Parameter Description Value
sha2 Sets the digital fingerprint algorithm to SHA2. -
fingerprint

Specifies the digital fingerprint value.

This value needs to be obtained from the CA server offline. For example, from a CA server running Windows Server 2008, you can obtain the digital fingerprint at http://host:port/certsrv/mscep_admin/, in which host indicates the server's IP address and port indicates the port number.

The digital fingerprint value is a hexadecimal string of case-insensitive characters.

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
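The check that the configured fingerprint enables, as an added example that is not Huawei code: the fingerprint obtained from the CA operator out of band is compared with the hash of the CA certificate actually received, so a substituted CA certificate is rejected before it is trusted. It assumes that sha2 denotes SHA-256 over the DER-encoded certificate; the certificate bytes are constructed stand-ins, not real certificates.

```python
"""Checking a received CA certificate against an out-of-band fingerprint.

Added example, not Huawei code. It models the check that `fingerprint sha2`
configures: the fingerprint obtained from the CA operator is compared with the
hash of the CA certificate actually received, so a substituted CA is rejected
before it is trusted. Assumptions: `sha2` denotes SHA-256 over the DER-encoded
certificate; the certificate bytes below are constructed, not real CA certs.
"""
import hashlib
import hmac
import re


def normalize_fingerprint(text: str) -> str:
    """Accept the forms CA consoles print (mixed case, colons, spaces) and
    return lowercase hex; the page says the value is case-insensitive."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digits):
        raise ValueError("a SHA-256 fingerprint is 64 hex digits")
    return digits


def cert_fingerprint_sha256(der: bytes) -> str:
    """Fingerprint of a DER certificate (the 'digital fingerprint' on this page).
    Hash the DER bytes, never the PEM text, or the value will not match."""
    return hashlib.sha256(der).hexdigest()


def ca_certificate_matches(der: bytes, configured: str) -> bool:
    """True only if the received CA certificate hashes to the configured value.
    compare_digest removes the timing side channel of an early-exit comparison."""
    return hmac.compare_digest(cert_fingerprint_sha256(der), normalize_fingerprint(configured))


# Constructed stand-ins for the genuine CA certificate and a substituted one.
GENUINE_CA_DER = b"\x30\x82\x01\x0a" + b"genuine-ca-certificate-body".ljust(262, b"\0")
ROGUE_CA_DER = b"\x30\x82\x01\x0a" + b"rogue-ca-certificate-body".ljust(262, b"\0")


def demo():
    """The operator reads the fingerprint off the CA console in upper-case,
    colon-separated form and configures it; only the genuine certificate passes."""
    shown_by_ca = ":".join(cert_fingerprint_sha256(GENUINE_CA_DER).upper()[i:i + 2]
                           for i in range(0, 64, 2))
    return (ca_certificate_matches(GENUINE_CA_DER, shown_by_ca),
            ca_certificate_matches(ROGUE_CA_DER, shown_by_ca))


if __name__ == "__main__":
    print(demo())
```

The fingerprint has to come from a channel the enrolment path cannot tamper with; a value read from the same SCEP server that delivers the certificate proves nothing.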

password (upgrade-compatible command)

Function

The password command sets the challenge password used for certificate application through SCEP, which is also used to revoke a certificate.

The undo password command deletes the challenge password used for certificate application through SCEP.

By default, no challenge password is configured.

Format

password simple password

undo password

Parameters

Parameter Description Value
simple password Specifies the challenge password used for certificate application through SCEP. The password is stored and displayed in plain text, which is why this form is retained only for restoring configurations from earlier versions. -

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

usage (upgrade-compatible command)

Function

The usage command configures the purpose description for a certificate public key.

By default, a certificate public key does not have a purpose description.

Format

usage { ike | ssl-client | ssl-server } *

Parameters

Parameter

Description

Value

ike

Specifies the usage of a key as ike. That is, the key is used to set up an IPSec tunnel.

-

ssl-client

Specifies the usage of a key as ssl-client. That is, the key is used by the SSL client to set up an SSL session.

-

ssl-server

Specifies the usage of a key as ssl-server. That is, the key is used by the SSL server to set up an SSL session.

-

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

After the upgrade, this command is no longer supported, and it is replaced by the key-usage { ike | ssl-client | ssl-server } * command.

Updated: 2019-04-18

Document ID: EDOC1000178165