Command Reference

S7700 and S9700 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Security Compatible Commands

ACL Compatible Commands

assign acl-mode (upgrade-compatible command)

Function

The assign acl-mode command sets the ACL resource allocation mode on an interface card.

The undo assign acl-mode command restores the default ACL resource allocation mode on an interface card.

By default, the ACL resource allocation mode is 0.

Format

assign acl-mode mode-id slot slot-id

undo assign acl-mode slot slot-id

Parameters

Parameter Description Value
mode-id Specifies an ACL resource allocation mode. The value is an integer that ranges from 0 to 4.
  • 0. Dual IPV4 and IPV6: configures the IPv4 and IPv6 ACL resource allocation mode.
  • 1. L2 IPV4: configures the Layer 2 IPv4 ACL resource allocation mode.
  • 2. L2 IPV6: configures the Layer 2 IPv6 ACL resource allocation mode.
  • 3. L2: configures the Layer 2 ACL resource allocation mode.
  • 4. IPV4: configures the IPv4 ACL resource allocation mode.
slot slot-id Specifies the slot ID of an interface card. The value is an integer. The value range depends on the device configuration.

Views

System view

Default Level

3: Management level

Usage Guidelines

If the default number of ACLs for IPv4, IPv6, or Layer 2 services cannot meet service requirements, you can change the ACL resource allocation mode to increase the number of ACLs for the services.

When services on a device change, the requirements for ACLs also change, and you can change the ACL resource allocation mode accordingly. Before using this command to change the ACL resource allocation mode, weigh the advantages and disadvantages of the change. For example, if the ACL resource allocation mode is changed from 0 (Dual IPV4 and IPV6) to 4 (IPV4), more ACLs are supported for IPv4 services, but the number of ACLs available for IPv6 and VLAN services drops to 0.

The ACL resource allocation mode takes effect only after the interface card is reset.

Example

# Change the ACL resource allocation mode on the X1E interface card in slot 10 to mode 3.

<HUAWEI> system-view
[HUAWEI] assign acl-mode 3 slot 10 

Local Attack Defense Compatible Commands

cpu-defend linkup-car bgp enable (upgrade-compatible command)

Function

The cpu-defend linkup-car bgp enable command enables the BGP protocol association.

The undo cpu-defend linkup-car bgp enable command disables the BGP protocol association.

By default, the BGP protocol association is disabled.

Format

cpu-defend linkup-car bgp enable

undo cpu-defend linkup-car bgp enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command is provided for compatibility with earlier versions.

Example

# Enable the BGP protocol association.

<HUAWEI> system-view
[HUAWEI] cpu-defend linkup-car bgp enable

deny (upgrade-compatible command)

Function

The deny command sets the discard action taken for packets sent to the CPU.

The undo deny command restores the default action taken for packets sent to the CPU.

By default, the device limits the rate of protocol packets and user-defined flows based on the CAR configuration.

Format

deny packet-type bpdu

deny packet-type ftp-dynamic

deny packet-type hotlimit

deny packet-type nac-arp

deny packet-type nac-dhcp

undo deny packet-type bpdu

undo deny packet-type ftp-dynamic

undo deny packet-type hotlimit

undo deny packet-type nac-arp

undo deny packet-type nac-dhcp

Parameters

Parameter Description Value
packet-type bpdu Discards bpdu packets. -
packet-type ftp-dynamic Discards ftp-dynamic packets. -
packet-type hotlimit Discards hop-limit packets. -
packet-type nac-arp Discards nac-arp packets. -
packet-type nac-dhcp Discards nac-dhcp packets. -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

If you run the deny and car commands for the same type of packets sent to the CPU, the command that runs later takes effect. The undo deny command restores the default action taken for packets sent to the CPU. After you run this command, the system limits the rate of packets sent to the CPU based on the configured CIR and CBS values.

Example

# Set the discard action taken for bpdu packets sent to the CPU in attack defense policy test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] deny packet-type bpdu

whitelist (upgrade-compatible command)

Function

The whitelist command configures an ACL-based whitelist.

By default, no whitelist is configured.

Format

whitelist acl acl-number { acl-number } &<1-4>

Parameters

Parameter Description Value
acl-number Indicates the ACL ID. The ACL referenced by a whitelist on the device can be a basic ACL, an advanced ACL, or a Layer 2 ACL. The value is an integer that ranges from 2000 to 4999.

Views

System view, Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

A maximum of 8 whitelists can be configured in an attack defense policy on the device. You can set the attributes of a whitelist by defining ACL rules.

After the packets of whitelist users reach the device, they are sent with a higher priority at a higher rate. Valid users that normally access the system and the users with the high priority can be added to the whitelist.

Example

# Reference ACL 2002 in the whitelist.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] whitelist acl 2002

queue packet-type vrrp (upgrade-compatible command)

Function

The queue packet-type vrrp command sets the queue number for VRRP packets sent to the CPU.

The undo queue packet-type vrrp command restores the default queue number for VRRP packets sent to the CPU.

By default, the queue number for VRRP packets sent to the CPU is 6.

Format

queue packet-type vrrp queue-value

undo queue packet-type vrrp

Parameters

Parameter Description Value
queue-value Specifies the queue number of the CPU that VRRP packets are sent to. The value is 5 or 7.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before packets are processed by the CPU, they are placed in CPU queues and scheduled there. The scheduling mode of a queue and the queue that packets enter determine the priority with which the packets are processed. To flexibly set the scheduling priority of packets sent to the CPU, you can set the queue number for protocol packets sent to the CPU. A greater queue number indicates a higher priority for the protocol packets sent to the CPU.

Precautions

If the queue number for VRRP packets sent to the CPU has been configured in a version earlier than V200R010, the queue number is unchanged after the version is upgraded to V200R010 or later. If the queue number is not configured in a version earlier than V200R010, the default queue number is changed from 7 to 6 after the upgrade.

In V200R010 and later versions, you can only run the undo queue packet-type vrrp command to restore the default queue number for VRRP packets, but cannot reset the queue number.

Example

# Restore the default queue number for VRRP packets sent to the CPU.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] undo queue packet-type vrrp

Attack Defense Compatible Commands

application-apperceive default drop (upgrade-compatible command)

Function

The application-apperceive default drop command enables the device to discard the received packets when no matching application layer association policy exists.

The undo application-apperceive default drop command enables the device to deliver the received packets to the upper layer even though no matching application layer association policy exists.

By default, the device delivers the received packets to the upper layer even though no matching application layer association policy exists.

Format

application-apperceive default drop

undo application-apperceive default drop

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the application-apperceive default drop command is run, if a protocol is not enabled in the system view nor in the interface view, the device discards all the packets of this protocol type.

Example

# Enable the device to discard the received packets when no matching application layer association policy exists.

<HUAWEI> system-view
[HUAWEI] application-apperceive default drop

Traffic Suppression Compatible Commands

storm-control action (upgrade-compatible command)

Function

The storm-control action command sets the storm control action to shutdown.

The undo storm-control action command cancels the configuration.

By default, no storm control action is configured.

Format

storm-control action shutdown

undo storm-control action

Parameters

Parameter Description Value
shutdown Shuts down an interface. -

Views

Ethernet interface view, 40GE interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can be run when it is entered in full.

It is replaced by the storm-control action error-down command.

Example

# Set the storm control action to shutdown on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] storm-control action shutdown

ARP Security Compatible Commands

arp anti-attack rate-limit (upgrade-compatible command)

Function

The arp anti-attack rate-limit command sets the maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface, and enables the function of discarding all ARP packets received on an interface when the rate of ARP packets on that interface exceeds the limit.

The undo arp anti-attack rate-limit command restores the default maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface, and allows the device to send ARP packets to the CPU again.

By default, a maximum of 100 ARP packets are allowed to pass in 1 second, and the function of discarding all ARP packets received from the interface when the rate of ARP packets exceeds the limit is disabled.

Format

System view, VLAN view

arp anti-attack rate-limit packet-number [ interval-value ]

Interface view

arp anti-attack rate-limit packet-number [ interval-value | block timer timer ]*

undo arp anti-attack rate-limit

Parameters

Parameter Description Value
packet-number Specifies the maximum rate of sending ARP packets, that is, the number of ARP packets allowed to pass through in the rate limit duration. The value is an integer that ranges from 1 to 16384. The default value is 100.
interval-value Specifies the rate limit duration of ARP packets. The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.
block timer timer Specifies the duration for blocking ARP packets. The value is an integer that ranges from 5 to 864000, in seconds.

Views

System view, VLAN view, Ethernet interface view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP packets is enabled, run the arp anti-attack rate-limit command to set the maximum rate and rate limit duration of ARP packets globally, in a VLAN, or on an interface. In the rate limit duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.

If the parameter block timer timer is specified, the device discards all ARP packets received in the duration specified by timer.

Prerequisites

Rate limit on ARP packets has been enabled globally, in a VLAN, or on an interface using the arp anti-attack rate-limit enable command.

Precautions

If the maximum rate and rate limit duration are configured in the system view, VLAN view, and interface view, the device uses the configurations in the interface view, VLAN view, and system view in order.

If the maximum rate and rate limit duration are set both globally and on an interface, the interface configuration takes precedence over the global configuration.

NOTE:

The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU for processing in non-block mode, and does not affect ARP packet forwarding by the chip. In block mode, the device discards subsequent ARP packets on the interface only when the number of ARP packets sent to the CPU exceeds the limit.

Example

# Configure GE1/0/1 to allow 200 ARP packets to pass through in 10 seconds, and configure GE1/0/1 to discard all ARP packets for 60 seconds when the number of ARP packets exceeds the limit.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack rate-limit 200 10 block timer 60
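The precedence rule (interface view, then VLAN view, then system view) and the two discard behaviours described above (excess packets in a rate limit duration are discarded; with block timer, all ARP packets are discarded for timer seconds once the limit is exceeded) can be modelled to check what a configuration will do before it is applied. The following Python simulation is an added example, not Huawei code; it assumes a fixed window of interval-value seconds starting at the first packet, which this page does not specify, and feeds constructed packet arrival times through the page's example values (200 packets in 10 seconds, block timer 60).

```python
from dataclasses import dataclass
from typing import List, Optional

# Defaults and value ranges are those given on this page for
# "arp anti-attack rate-limit packet-number [ interval-value | block timer timer ]".
DEFAULT_PACKET_NUMBER = 100
DEFAULT_INTERVAL = 1


@dataclass(frozen=True)
class ArpRateLimit:
    packet_number: int = DEFAULT_PACKET_NUMBER   # 1..16384
    interval: int = DEFAULT_INTERVAL             # 1..86400 seconds
    block_timer: Optional[int] = None            # 5..864000 seconds, interface view only

    def __post_init__(self) -> None:
        if not 1 <= self.packet_number <= 16384:
            raise ValueError("packet-number must be 1-16384")
        if not 1 <= self.interval <= 86400:
            raise ValueError("interval-value must be 1-86400 seconds")
        if self.block_timer is not None and not 5 <= self.block_timer <= 864000:
            raise ValueError("block timer must be 5-864000 seconds")


def effective_limit(system: Optional[ArpRateLimit],
                    vlan: Optional[ArpRateLimit],
                    interface: Optional[ArpRateLimit]) -> ArpRateLimit:
    """Resolve the limit that applies to an interface: interface view first,
    then VLAN view, then system view, then the documented default (100 in 1 s)."""
    for candidate in (interface, vlan, system):
        if candidate is not None:
            return candidate
    return ArpRateLimit()


class ArpRateLimiter:
    """Per-interface model of ARP packets sent to the CPU under one limit."""

    def __init__(self, limit: ArpRateLimit) -> None:
        self.limit = limit
        self.window_start: Optional[float] = None
        self.count = 0
        self.blocked_until: Optional[float] = None

    def accept(self, t: float) -> bool:
        """Return True if an ARP packet arriving at time t is sent to the CPU."""
        # Block mode: everything is discarded until the block timer expires.
        if self.blocked_until is not None:
            if t < self.blocked_until:
                return False
            self.blocked_until = None
            self.window_start = None
        # ASSUMPTION: fixed window of `interval` seconds starting at the first packet.
        if self.window_start is None or t - self.window_start >= self.limit.interval:
            self.window_start = t
            self.count = 0
        self.count += 1
        if self.count <= self.limit.packet_number:
            return True
        # Limit exceeded: discard this packet; in block mode also start the timer.
        if self.limit.block_timer is not None:
            self.blocked_until = t + self.limit.block_timer
        return False


def simulate(limit: ArpRateLimit, arrivals: List[float]) -> List[bool]:
    """Run a list of packet arrival times (seconds) through one limiter."""
    limiter = ArpRateLimiter(limit)
    return [limiter.accept(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed arrival pattern: a 200-packet burst, then one more packet at
    # 1 s (exceeds the limit and starts the 60 s block), 30 s (blocked), 70 s (accepted).
    limit = effective_limit(ArpRateLimit(), ArpRateLimit(50), ArpRateLimit(200, 10, 60))
    burst = [0.0] * 200 + [1.0, 30.0, 70.0]
    print(simulate(limit, burst)[200:])   # [False, False, True]
```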

arp-miss anti-attack rate-limit (upgrade-compatible command)

Function

The arp-miss anti-attack rate-limit command sets the maximum rate and rate limit duration of ARP Miss messages globally, in a VLAN, or on an interface.

The undo arp-miss anti-attack rate-limit command restores the default maximum rate and rate limit duration of ARP Miss messages globally, in a VLAN, or on an interface.

By default, the device can process a maximum of 100 ARP Miss messages in 1 second.

Format

arp-miss anti-attack rate-limit packet-number [ interval-value ]

undo arp-miss anti-attack rate-limit

Parameters

Parameter Description Value
packet-number Specifies the maximum rate of ARP Miss messages, that is, the number of ARP Miss messages the device processes in the rate limit duration. The value is an integer that ranges from 1 to 16384. The default value is 100.
interval-value Specifies the rate limit duration of ARP Miss messages. The value is an integer that ranges from 1 to 86400, in seconds. The default value is 1 second.

Views

System view, VLAN view, Ethernet interface view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After rate limit on ARP Miss messages is enabled, you can set the maximum rate and rate limit duration of ARP Miss messages globally, in a VLAN, or on an interface. If the number of ARP Miss messages triggered by IP packets in the rate limit duration exceeds the limit, the device discards the packets that trigger the excess ARP Miss messages.

Prerequisites

Rate limit on ARP Miss messages has been enabled globally, in a VLAN, or on an interface using the arp-miss anti-attack rate-limit enable command.

Precautions

If rate limit on ARP Miss messages is configured in the system view, VLAN view, and interface view, the device uses the configurations in the interface view, VLAN view, and system view in order.

Example

# Configure the device to process a maximum of 200 ARP Miss messages triggered by IP packets from GE1/0/1 in 10 seconds.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit enable
[HUAWEI-GigabitEthernet1/0/1] arp-miss anti-attack rate-limit 200 10

arp-miss suppress (upgrade-compatible command)

Function

Using the arp-miss suppress command, you can set the suppression time for sending ARP Miss messages on the VLANIF interface.

Using the undo arp-miss suppress command, you can restore the default suppression time for sending ARP Miss messages on the VLANIF interface.

By default, the suppression time for sending ARP Miss messages is 5 seconds.

Format

arp-miss suppress suppress-time

undo arp-miss suppress

Parameters

Parameter Description Value
suppress-time Specifies the suppression time of ARP Miss messages on the VLANIF interface. The value is an integer that ranges from 5 to 30, with a step of 5.

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

When a VLANIF interface receives IP unicast packets whose destination is unreachable, the packets are sent to the CPU of the main control board because no matching ARP entries exist in the forwarding table. The main control board then sends ARP broadcast request packets to learn the ARP entries. The messages that report these unknown packets to the main control board are called ARP Miss messages.

When the main control board sends an ARP request packet to learn an ARP entry, it also adds a corresponding ARP entry with the incomplete attribute, called a fake ARP entry, which can be viewed using the display arp interface command. The main control board also delivers the fake ARP entry to the LPU, and the LPU stops sending ARP Miss messages once it has received the fake ARP entry.
  • If the main control board receives an ARP response packet, ARP learning succeeds. The fake ARP entry becomes valid and is added to the forwarding table to guide forwarding of subsequent packets.
  • If the main control board does not receive an ARP response packet, the destination host may not exist, and the fake ARP entry is deleted when it ages out. If subsequent ARP Miss messages continue to be sent, ARP learning is triggered again.

By default, a fake ARP entry ages out and is deleted after five seconds; that is, the default suppression time of ARP Miss messages sent to the CPU of the main control board is five seconds. The arp-miss suppress command adjusts this suppression time. A large number of fake ARP entries on the device indicates that it is being attacked with unknown packets. In this case, you can increase the suppression time to 10 or 15 seconds to reduce the number of unknown unicast packets sent, which lowers the CPU usage of the main control board.

Example

# Set the suppression time of ARP Miss messages to 10s on VLANIF 100.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp-miss suppress 10

DHCP Snooping Compatible Commands

dhcp option82 format (upgrade-compatible command)

Function

The dhcp option82 format command configures the format of the Option 82 field in DHCP messages.

Format

dhcp option82 [ circuit-id | remote-id ] format userdefined text

Parameters

Parameter Description Value
circuit-id Specifies the format of the circuit-id (CID). -
remote-id Specifies the format of the remote-id (RID). -
userdefined text Indicates the user-defined format of the Option 82 field. text is the user-defined character string of the Option 82 field.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp option82 format command to configure the format of the Option 82 field in DHCP messages.

Example

# Configure the user-defined string for the CID in the Option 82 field and use the hexadecimal format to encapsulate the CID type (0, indicating the hexadecimal format), length (excluding the length of the CID type and the length keyword itself), outer VLAN ID, slot ID (5 bits), subslot ID (3 bits), and port number (8 bits).

<HUAWEI> system-view
[HUAWEI] dhcp option82 circuit-id format userdefined 0 %length %svlan %5slot %3subslot %8port

dhcp snooping alarm { user-bind | mac-address | untrust-reply } enable (upgrade-compatible command)

Function

The dhcp snooping alarm enable command enables the alarm function for DHCP snooping.

The undo dhcp snooping alarm enable command disables the alarm function for DHCP snooping.

By default, the alarm function for discarded DHCP messages is disabled.

Format

dhcp snooping alarm { user-bind | mac-address | untrust-reply } { enable | [ enable ] threshold threshold }

undo dhcp snooping alarm { user-bind | mac-address | untrust-reply } { enable | [ enable ] threshold }

Parameters

Parameter Description Value
user-bind Generates an alarm when the number of DHCP messages discarded because they do not match DHCP snooping binding entries reaches the threshold. -
mac-address Generates an alarm when the number of DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address in the Ethernet frame header reaches the threshold. -
untrust-reply Generates an alarm when the number of DHCP Reply messages discarded by untrusted interfaces reaches the threshold. -
threshold threshold Specifies the alarm threshold. When the number of discarded DHCP messages reaches the threshold, an alarm is generated. The value is an integer that ranges from 1 to 1000.

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, Port-group view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can be run when it is entered in full.

It is replaced by the dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable [ threshold threshold ] command.

Example

# On GE1/0/1, enable DHCP snooping, and enable the alarm function for DHCP snooping.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping alarm user-bind enable
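Two of the upgrade-compatible commands in this reference are documented as replaced: storm-control action shutdown by storm-control action error-down (Traffic Suppression Compatible Commands above), and dhcp snooping alarm { user-bind | mac-address | untrust-reply } by the dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable [ threshold threshold ] form. Both can be found in a saved configuration with a small linter; the following Python script is an added example, not Huawei code. It assumes the legacy-to-new keyword mapping user-bind to dhcp-request, mac-address to dhcp-chaddr and untrust-reply to dhcp-reply (inferred from keyword order and the parameter descriptions on this page, not stated explicitly), and it reads a constructed configuration excerpt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Legacy alarm keywords mapped to the keywords of the replacement command
# "dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable".
# ASSUMPTION: the one-to-one mapping is inferred from keyword order and the
# parameter descriptions on this page; it is not stated explicitly there.
ALARM_KEYWORD_MAP = {
    "user-bind": "dhcp-request",
    "mac-address": "dhcp-chaddr",
    "untrust-reply": "dhcp-reply",
}

# Alarm threshold range given on this page: an integer from 1 to 1000.
THRESHOLD_MIN, THRESHOLD_MAX = 1, 1000

# Legacy "storm-control action shutdown" and its documented replacement.
STORM_RE = re.compile(r"^\s*storm-control action shutdown\s*$")
STORM_REPLACEMENT = "storm-control action error-down"

# Legacy alarm form: dhcp snooping alarm <type> { enable | [ enable ] threshold n }
ALARM_RE = re.compile(
    r"^\s*dhcp snooping alarm (user-bind|mac-address|untrust-reply)"
    r"(?:\s+enable)?(?:\s+threshold\s+(\d+))?\s*$"
)

INTERFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    interface: Optional[str]   # interface view the line sits in, if any
    line: str
    message: str


def lint_line(line: str) -> List[str]:
    """Return the findings for one configuration line (empty if clean)."""
    findings: List[str] = []
    if STORM_RE.match(line):
        findings.append(
            f"legacy 'storm-control action shutdown'; use '{STORM_REPLACEMENT}'"
        )
    m = ALARM_RE.match(line)
    if m:
        legacy, threshold = m.group(1), m.group(2)
        replacement = f"dhcp snooping alarm {ALARM_KEYWORD_MAP[legacy]} enable"
        if threshold is not None:
            value = int(threshold)
            if not THRESHOLD_MIN <= value <= THRESHOLD_MAX:
                findings.append(
                    f"alarm threshold {value} is outside {THRESHOLD_MIN}-{THRESHOLD_MAX}"
                )
            replacement += f" threshold {threshold}"
        findings.append(
            f"legacy 'dhcp snooping alarm {legacy}'; use '{replacement}'"
        )
    return findings


def lint_config(text: str) -> List[Finding]:
    """Lint a whole configuration, tracking which interface view each line is in."""
    results: List[Finding] = []
    current_if: Optional[str] = None
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw.strip() == "#":          # view delimiter in saved configurations
            current_if = None
            continue
        m = INTERFACE_RE.match(raw)
        if m:
            current_if = m.group(1)
            continue
        for msg in lint_line(raw):
            results.append(Finding(no, current_if, raw.strip(), msg))
    return results


# Constructed configuration excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
#
dhcp snooping enable
#
interface GigabitEthernet1/0/1
 dhcp snooping enable
 dhcp snooping alarm user-bind enable
 storm-control action shutdown
#
interface GigabitEthernet1/0/2
 dhcp snooping alarm mac-address enable threshold 2000
 storm-control action error-down
#
"""

if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        where = f.interface or "system view"
        print(f"line {f.line_no} ({where}): {f.message}")
```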

dhcp snooping bind-table autosave (upgrade-compatible command)

Function

The dhcp snooping bind-table autosave command configures a device to automatically back up DHCP snooping binding entries in a specified file.

Format

dhcp snooping bind-table autosave file-name [ write-delay delay-time ]

Parameters

Parameter Description Value
file-name Specifies the path and name of the file that backs up DHCP snooping binding entries. You must specify both the path and the file name, and the path must be one supported by the system. The value is a string of 1 to 51 characters.
write-delay delay-time Specifies the interval for local automatic backup of the DHCP snooping binding table. If this parameter is not specified, the default backup interval is used. The value is an integer that ranges from 60 to 4294967295, in seconds. By default, the system backs up the DHCP snooping binding table every two hours.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping bind-table autosave command to back up DHCP snooping binding entries in a specified file.

Example

# Configure a device to automatically back up DHCP snooping binding entries in the file backup.tbl in the flash memory.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping bind-table autosave flash:/backup.tbl

dhcp snooping bind-table static (upgrade-compatible command)

Function

Using the dhcp snooping bind-table static command, you can configure the static binding entries between IP addresses and MAC addresses.

Using the undo dhcp snooping bind-table command, you can cancel the binding entries in the binding table, including the dynamic entries and the static entries.

Format

dhcp snooping bind-table static ip-address ip-address mac-address mac-address [ interface interface-type interface-number ]

undo dhcp snooping bind-table ip-address ip-address

Parameters

Parameter Description Value
ip-address ip-address Specifies the user IP address. The value is in dotted decimal notation.
mac-address mac-address Specifies the user MAC address. The value is in H-H-H format. H contains 1 to 4 hexadecimal digits.
interface interface-type interface-number Specifies the interface type and interface number.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
-

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

You do not need to configure the dynamic entries in the DHCP snooping binding table; they are generated automatically after you enable DHCP snooping. Static entries, however, must be configured using the dhcp snooping bind-table static command.

Example

# Configure the static binding entry between the IP address 10.1.1.1 and the MAC address 0028-0120-0327 in the VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping bind-table static ip-address 10.1.1.1 mac-address 0028-0120-0327

dhcp snooping check enable (upgrade-compatible command)

Function

The dhcp snooping check enable command enables the device to check DHCP messages.

The undo dhcp snooping check enable command disables the device from checking DHCP messages.

By default, the device does not check DHCP messages.

Format

In the system view:

dhcp snooping check { user-bind | mac-address } enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

undo dhcp snooping check { user-bind | mac-address } enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

In the VLAN view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, Port-group view:

dhcp snooping check { user-bind | mac-address } enable

undo dhcp snooping check { user-bind | mac-address } enable

Parameters

Parameter Description Value
user-bind Checks DHCP messages against the DHCP snooping binding table. -
mac-address Compares the MAC address in DHCP ACK or DHCP Request messages with the CHADDR value. -
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> Enables the device to check the DHCP messages sent from a specified VLAN to the processing unit.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094.

Views

VLAN view, System view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, Port-group view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can be run when it is entered in full.

After the command is used, the device checks DHCP messages against the DHCP snooping binding table or compares the MAC address in DHCP ACK or DHCP Request messages with the CHADDR value.

Example

# Enable the function of checking DHCP messages against the binding table in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping check user-bind enable

dhcp snooping check dhcp-rate alarm enable (upgrade-compatible command)

Function

The dhcp snooping check dhcp-rate alarm enable command enables the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.

By default, the device is disabled from generating an alarm when the number of discarded DHCP messages reaches the threshold.

Format

dhcp snooping check dhcp-rate alarm { enable | [ enable ] threshold threshold }

Parameters

Parameter Description Value
threshold threshold Specifies the alarm threshold for checking the rate of sending DHCP messages to the processing unit. An alarm is generated after the rate for sending DHCP messages is checked and the number of discarded DHCP messages reaches the alarm threshold. The value is an integer that ranges from 1 to 1000.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can be run when it is entered in full.

After the alarm function is enabled, the device sends a trap message when the number of discarded DHCP messages reaches the alarm threshold.

Example

# In the system view, enable the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.

<HUAWEI> system-view
[HUAWEI] dhcp snooping check dhcp-rate alarm enable

dhcp snooping check dhcp-rate enable rate (upgrade-compatible command)

Function

The dhcp snooping check dhcp-rate enable rate command enables the alarm function for checking the rate of sending DHCP packets to the DHCP stack.

Format

dhcp snooping check dhcp-rate enable rate rate [ vlan { vlanstart-id [ to vlanend-id ] } &<1-10> ]

Parameters

Parameter Description Value
rate rate Specifies the rate of sending DHCP messages to the CPU. The value is an integer that ranges from 1 to 100.
vlan { vlanstart-id [ to vlanend-id ] }&<1-10> Enables the device to check the rate of sending DHCP messages from a specified VLAN to the processing unit.
  • vlanstart-id specifies the first VLAN ID.
  • to vlanend-id specifies the last VLAN ID. vlanend-id must be larger than vlanstart-id.
The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping check dhcp-rate enable command to enable the alarm function for checking the rate of sending DHCP packets to the DHCP stack.

This command can only be used during a configuration restoration.

Example

# Enable DHCP packet rate check in the system view.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcp-rate enable rate 50

dhcp snooping check dhcp-rate enable alarm dhcp-rate enable (upgrade-compatible command)

Function

Using the dhcp snooping check dhcp-rate enable alarm dhcp-rate enable command, you can:

  • Enable the function of checking the rate of sending DHCP messages to the DHCP protocol stack.
  • Set the rate limit of sending DHCP messages to the DHCP protocol stack.
  • Enable the DHCP message discard alarm.
  • Set the alarm threshold for discarded DHCP messages.

By default, the function of checking the rate of sending DHCP messages to the DHCP stack is disabled; the rate limit of sending DHCP messages to the DHCP stack is 100 pps; the DHCP message discard alarm is disabled; the alarm threshold for discarded DHCP messages is 100.

Format

dhcp snooping check dhcp-rate { enable | [ enable ] [ rate ] rate } alarm dhcp-rate { enable | [ enable ] threshold threshold-value }

Parameters

Parameter Description Value
[ rate ] rate Specifies the rate limit of sending DHCP messages to the DHCP protocol stack. The value ranges from 1 to 100, in pps. The default value is 100.
alarm dhcp-rate enable Enables the DHCP message discard alarm. -
threshold threshold-value Specifies the alarm threshold for discarded DHCP messages. After the function is enabled, an alarm is generated when the number of discarded DHCP messages reaches the alarm threshold on an interface. The value ranges from 1 to 1000. The default value is 100.

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, Port-group view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can be run when it is entered in full.

After the command is used, the DHCP message discard alarm is enabled. If the number of discarded messages reaches the alarm threshold, an alarm is generated.

Example

# On GE 1/0/1, enable the function of checking the rate of sending DHCP messages, set the rate limit of sending DHCP messages to the DHCP protocol stack to 50 pps, enable the DHCP message discard alarm, and set the alarm threshold for discarded DHCP messages to 50.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50

dhcp snooping check dhcp-rate enable alarm enable (upgrade-compatible command)

Function

Using the dhcp snooping check dhcp-rate enable alarm enable command, you can:

  • Enable the function of checking the rate of sending DHCP messages to the processing unit.
  • Set the rate limit of sending DHCP messages to the processing unit.
  • Enable the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.
  • Set the alarm threshold for the number of discarded DHCP messages.

By default:

  • The device does not check the rate of sending DHCP messages to the processing unit.
  • The maximum rate of sending DHCP messages to the processing unit is 100 pps.
  • The device does not generate an alarm when the number of discarded DHCP messages reaches the threshold.
  • The alarm threshold for the number of discarded DHCP messages is 100.

Format

dhcp snooping check dhcp-rate enable [ [ rate ] rate ] alarm [ dhcp-rate ] { enable | [ enable ] threshold threshold }

Parameters

Parameter

Description

Value

[ rate ] rate

Specifies the rate limit of sending DHCP messages to the processing unit.

The value is an integer that ranges from 1 to 100, in pps. The default value is 100.

dhcp-rate

Generates an alarm when the number of discarded DHCP messages reaches the threshold.

-

threshold threshold

Specifies the alarm threshold. When the number of discarded DHCP messages reaches the threshold, an alarm is generated.

The value is an integer that ranges from 1 to 1000. The default value is 100.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can be run when it is entered in full.

After the command is used, the DHCP message discard alarm is enabled. If the number of discarded messages reaches the alarm threshold, an alarm is generated.

Example

# Enable the function of checking the rate of sending DHCP messages to the processing unit, set the rate limit of sending DHCP messages to the processing unit to 50 pps, enable the DHCP message discard alarm, and set the alarm threshold for discarded DHCP messages to 50.

<HUAWEI> system-view
[HUAWEI] dhcp snooping check dhcp-rate enable 50 alarm dhcp-rate enable threshold 50

dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr | user-bind | mac-address } enable alarm (upgrade-compatible command)

Function

The dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr | user-bind | mac-address } enable alarm enable command enables the DHCP packet check and alarm function.

By default, the DHCP packet check and alarm function is disabled.

Format

dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr | user-bind | mac-address } enable alarm { dhcp-request | dhcp-chaddr | dhcp-reply | user-bind | mac-address | untrust-reply } { enable | [ enable ] threshold threshold }

Parameters

Parameter

Description

Value

dhcp-request or user-bind (check keyword, before enable)

Matches DHCP messages against entries in the DHCP snooping binding table.

-

dhcp-chaddr or mac-address (check keyword, before enable)

Checks whether the CHADDR field in the DHCP message matches the source MAC address in the Ethernet frame header.

-

dhcp-giaddr (check keyword, before enable)

Checks the GIADDR field of DHCP messages; messages with a non-zero GIADDR are discarded.

-

dhcp-request or user-bind (alarm keyword, after alarm)

Generates an alarm when the number of DHCP messages discarded because they do not match DHCP snooping binding entries reaches the threshold.

-

dhcp-chaddr or mac-address (alarm keyword, after alarm)

Generates an alarm when the number of DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address in the Ethernet frame header reaches the threshold.

-

dhcp-reply or untrust-reply (alarm keyword, after alarm)

Generates an alarm when the number of DHCP Reply messages discarded on untrusted interfaces reaches the threshold.

-

threshold threshold

Specifies the alarm threshold. When the number of discarded DHCP messages reaches the threshold, an alarm is generated.

The value is an integer that ranges from 1 to 1000.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

This command is equivalent to the combination of the dhcp snooping check dhcp-giaddr enable, dhcp snooping check dhcp-chaddr enable, dhcp snooping check dhcp-request enable, and dhcp snooping alarm threshold commands.

Example

# Enable the binding-table (user-bind) check on GE1/0/1 and set the alarm threshold for packets discarded by that check to 100.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping check dhcp-request enable alarm dhcp-request enable threshold 100

dhcp snooping check enable alarm enable (upgrade-compatible command)

Function

The dhcp snooping check enable alarm enable command enables the DHCP packet check and alarm function.

By default, the DHCP packet check and alarm function is disabled.

Format

dhcp snooping check { dhcp-request | dhcp-chaddr | dhcp-giaddr } enable alarm { user-bind | mac-address | untrust-reply } { enable | [ enable ] threshold threshold }

Parameters

Parameter

Description

Value

dhcp-request

Matches DHCP packets against entries in the DHCP snooping binding table.

-

dhcp-chaddr

Checks whether the source MAC address in the Ethernet frame header and the CHADDR field in the DHCP packet are consistent.

-

dhcp-giaddr

Checks the GIADDR field of DHCP packets; packets with a non-zero GIADDR are discarded.

-

user-bind

Generates an alarm when the number of DHCP packets discarded because they do not match DHCP snooping binding entries reaches the threshold.

-

mac-address

Generates an alarm when the number of DHCP packets discarded because the CHADDR field in the DHCP packet does not match the source MAC address in the Ethernet frame header reaches the threshold.

-

untrust-reply

Generates an alarm when the number of DHCP Reply packets discarded on untrusted interfaces reaches the threshold.

-

threshold threshold

Specifies the alarm threshold. When the number of discarded DHCP packets reaches the threshold, an alarm is generated.

The value is an integer that ranges from 1 to 1000.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade. It is equivalent to the combination of the dhcp snooping check dhcp-giaddr enable, dhcp snooping check dhcp-chaddr enable, dhcp snooping check dhcp-request enable, and dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } threshold threshold commands.
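The checks enabled by the two commands above (binding-table match, CHADDR against the Ethernet source MAC, non-zero GIADDR, replies arriving on untrusted interfaces), together with the dhcp-rate limit and the discard alarms of the dhcp-rate commands earlier in this section, can be exercised offline. The following Python model is an added example; it is not Huawei code and not the switch's implementation. The frame layout, the simplified binding-table rule (a request that carries a client address must match a (port, MAC, IP) binding) and the per-second rate window are assumptions of the example, and every frame in it is constructed.

```python
"""DHCP snooping checks and discard alarms, modelled on constructed frames.
Added example, not Huawei code. Assumptions not stated on this page: frames
are Ethernet + IPv4 (no options) + UDP + the fixed 236-byte BOOTP header; the
binding-table check is simplified to "a request carrying a client address
(ciaddr) must match a (port, MAC, IP) binding"; the rate limit counts frames
per whole second of a caller-supplied clock."""
import struct
from collections import Counter
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
BOOTP_OFFSET = 14 + 20 + 8            # Ethernet + IPv4 + UDP headers
ZERO_IP = b"\0\0\0\0"


def build_frame(src_mac: bytes, op: int, chaddr: bytes,
                ciaddr: bytes = ZERO_IP, giaddr: bytes = ZERO_IP) -> bytes:
    """Constructed test frame; IP and UDP checksums are deliberately left zero."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    ip = bytes([0x45, 0]) + b"\0" * 6 + bytes([64, 17]) + b"\0\0" + ZERO_IP + b"\xff" * 4
    udp = struct.pack("!HHHH", 68, 67, 8 + 236, 0)
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", op, 1, 6, 0, 0x1234, 0, 0,
                        ciaddr, ZERO_IP, ZERO_IP, giaddr, chaddr.ljust(16, b"\0"))
    return eth + ip + udp + bootp + b"\0" * (236 - 44)       # sname and file, zeroed


def parse_frame(frame: bytes) -> dict:
    """Extract only the fields the snooping checks look at."""
    b = frame[BOOTP_OFFSET:]
    op, _htype, hlen = struct.unpack("!BBB", b[:3])
    return {"src_mac": frame[6:12], "op": op, "ciaddr": b[12:16],
            "giaddr": b[24:28], "chaddr": b[28:28 + hlen]}


@dataclass
class Port:
    name: str
    trusted: bool = False
    checks: set = field(default_factory=lambda: {"dhcp-request", "dhcp-chaddr", "dhcp-giaddr"})
    rate_limit: int = 100                                # pps; default of the dhcp-rate command
    alarm_threshold: dict = field(default_factory=dict)  # discard reason -> threshold
    discards: Counter = field(default_factory=Counter)
    alarms: list = field(default_factory=list)
    window: tuple = (None, 0)                             # (second, frames seen in that second)


class DhcpSnooping:
    def __init__(self, bindings):
        self.bindings = set(bindings)                     # constructed {(port, mac, ip)} table

    def inspect(self, port: Port, frame: bytes, now: int) -> str:
        """Return 'forward' or 'drop:<reason>', updating discard counters and alarms."""
        sec, seen = port.window
        seen = seen + 1 if sec == now else 1
        port.window = (now, seen)
        if seen > port.rate_limit:                        # dhcp snooping check dhcp-rate
            return self._drop(port, "dhcp-rate")
        pkt = parse_frame(frame)
        if pkt["op"] == BOOTREPLY:                        # server replies only from trusted ports
            return "forward" if port.trusted else self._drop(port, "untrust-reply")
        if "dhcp-chaddr" in port.checks and pkt["chaddr"] != pkt["src_mac"]:
            return self._drop(port, "mac-address")
        if "dhcp-giaddr" in port.checks and pkt["giaddr"] != ZERO_IP:
            return self._drop(port, "dhcp-giaddr")
        if ("dhcp-request" in port.checks and pkt["ciaddr"] != ZERO_IP
                and (port.name, pkt["src_mac"], pkt["ciaddr"]) not in self.bindings):
            return self._drop(port, "user-bind")
        return "forward"

    def _drop(self, port: Port, reason: str) -> str:
        port.discards[reason] += 1
        threshold = port.alarm_threshold.get(reason)
        if threshold and port.discards[reason] == threshold:   # one alarm on reaching the threshold
            port.alarms.append(f"{port.name}: {reason} discards reached {threshold}")
        return f"drop:{reason}"


def demo():
    """Constructed traffic on an untrusted access port and a trusted uplink."""
    mac = bytes.fromhex("001122334455")
    access = Port("GE1/0/1", rate_limit=5, alarm_threshold={"mac-address": 2, "dhcp-rate": 1})
    uplink = Port("GE1/0/2", trusted=True)
    snoop = DhcpSnooping({("GE1/0/1", mac, bytes([10, 0, 0, 7]))})
    results = [
        snoop.inspect(access, build_frame(mac, BOOTREQUEST, mac), 0),              # clean request
        snoop.inspect(access, build_frame(mac, BOOTREQUEST, b"\xaa" * 6), 0),      # spoofed CHADDR
        snoop.inspect(access, build_frame(mac, BOOTREQUEST, b"\xbb" * 6), 0),      # second one raises the alarm
        snoop.inspect(access, build_frame(mac, BOOTREPLY, mac), 0),                # rogue server reply
        snoop.inspect(access, build_frame(mac, BOOTREQUEST, mac, giaddr=bytes([10, 0, 0, 1])), 0),
        snoop.inspect(access, build_frame(mac, BOOTREQUEST, mac), 0),              # sixth frame within 1 s
        snoop.inspect(access, build_frame(mac, BOOTREQUEST, mac, ciaddr=bytes([10, 0, 0, 9])), 1),
        snoop.inspect(access, build_frame(mac, BOOTREQUEST, mac, ciaddr=bytes([10, 0, 0, 7])), 1),
        snoop.inspect(uplink, build_frame(mac, BOOTREPLY, mac), 1),                # legitimate server
    ]
    return results, dict(access.discards), access.alarms


if __name__ == "__main__":
    for item in demo():
        print(item)
```

demo() returns the verdict for each frame, the per-reason discard counters of the access port and the alarms raised. The alarm fires once, when the counter reaches the configured threshold, which is how the threshold parameter of the commands above is described; a production implementation would also re-arm the alarm after the counter is cleared, which this model leaves out.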

dhcp snooping global max-user-number (upgrade-compatible command)

Function

The dhcp snooping global max-user-number command sets the maximum number of global DHCP users.

By default, the maximum number of global DHCP users is 32768.

Format

dhcp snooping global max-user-number max-user-number

Parameters

Parameter

Description

Value

max-user-number

Specifies the maximum number of global DHCP users.

The value is an integer that ranges from 1 to 32768.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

The dhcp snooping global max-user-number command takes effect only when DHCP snooping is enabled globally, and the limit applies only to DHCP users. When the number of global DHCP users reaches the value set by this command, no more DHCP users can go online.

Example

# Set the maximum number of global DHCP users to 100.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping global max-user-number 100

dhcp snooping information circuit-id (upgrade-compatible command)

Function

The dhcp snooping information circuit-id command configures the Option 82 circuit-id format.

Format

System view:

dhcp snooping information circuit-id string string

Interface view:

dhcp snooping information [ vlan vlan-id ] circuit-id string string

Parameters

Parameter

Description

Value

string string

Specifies the circuit-id format.

The value is a string of 1 to 63 characters.

vlan vlan-id

Specifies a VLAN ID.

The value is an integer that ranges from 1 to 4094.

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping information circuit-id command to configure the Option 82 circuit-id format.

Example

# Configure the Option 82 circuit-id format.

<HUAWEI> system-view
[HUAWEI] dhcp snooping information circuit-id string teststring

dhcp snooping information format (upgrade-compatible command)

Function

The dhcp snooping information format command configures the Option 82 field format.

Format

dhcp snooping information format { hex | ascii }

Parameters

Parameter

Description

Value

hex

Sets the Option 82 format to hexadecimal.

-

ascii

Sets the Option 82 format to ASCII.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping information format command to configure the Option 82 field format.

Example

# Set the Option 82 format to ASCII.

<HUAWEI> system-view
[HUAWEI] dhcp snooping information format ascii

dhcp snooping information remote-id (upgrade-compatible command)

Function

The dhcp snooping information remote-id command configures the Option 82 remote-id format.

Format

System view:

dhcp snooping information remote-id { sysname | string string }

Interface view:

dhcp snooping information [ vlan vlan-id ] remote-id string string

Parameters

Parameter

Description

Value

sysname

System name.

-

string string

Specifies the remote-id format.

The value is a string of 1 to 63 characters.

vlan vlan-id

Specifies a VLAN ID.

The value is an integer that ranges from 1 to 4094.

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping information remote-id command to configure the Option 82 remote-id format.

Example

# Configure the Option 82 remote-id format.

<HUAWEI> system-view
[HUAWEI] dhcp snooping information remote-id string teststring
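As an added example (not Huawei code), the following Python builds the DHCP Option 82 (Relay Agent Information, RFC 3046) that the circuit-id, remote-id and format settings above shape, and parses it back strictly. The binary layout used for the hex format (VLAN ID, slot, sub-slot, port) and the text layout used for the ascii format are assumptions of the example, since this page does not state the device's default layout; the sub-option encoding and the 255-byte limits are those of RFC 3046.

```python
"""Build and parse DHCP Option 82 for the circuit-id, remote-id and format
settings above. Added example, not Huawei code. Assumptions not stated on
this page: in 'hex' format the default circuit-id is the binary fields VLAN
ID (2 bytes), slot, sub-slot and port (1 byte each); in 'ascii' format it is
the text "<vlan> <slot>/<subslot>/<port>"; a configured 'string' replaces that
default in either format."""
import struct
from typing import Dict, Optional

OPTION_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def circuit_id(fmt: str, vlan: int, slot: int, subslot: int, port: int,
               string: Optional[str] = None) -> bytes:
    """Circuit-id payload as the 'dhcp snooping information circuit-id' setting would shape it."""
    if string is not None:                                   # circuit-id string <string>
        return string.encode("ascii")
    if fmt == "hex":
        return struct.pack("!HBBB", vlan, slot, subslot, port)
    if fmt == "ascii":
        return f"{vlan} {slot}/{subslot}/{port}".encode("ascii")
    raise ValueError(f"unknown format {fmt!r}")


def remote_id(sysname: str, string: Optional[str] = None) -> bytes:
    """Remote-id payload: the device's sysname unless a string is configured."""
    return (sysname if string is None else string).encode("ascii")


def encode_option82(cid: bytes, rid: bytes) -> bytes:
    body = b""
    for code, value in ((SUB_CIRCUIT_ID, cid), (SUB_REMOTE_ID, rid)):
        if not 1 <= len(value) <= 255:
            raise ValueError(f"sub-option {code} length {len(value)} out of range")
        body += bytes([code, len(value)]) + value
    if len(body) > 255:
        raise ValueError("option 82 body exceeds 255 bytes")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def decode_option82(opt: bytes) -> Dict[int, bytes]:
    """Strict TLV walk: a sub-option whose length runs past the option is rejected
    rather than silently truncated, which is what a relay or snooping device
    should do with option data that arrived from a client port."""
    if len(opt) < 2 or opt[0] != OPTION_RELAY_AGENT:
        raise ValueError("not an option 82")
    total = opt[1]
    body = opt[2:2 + total]
    if len(body) != total:
        raise ValueError("option 82 truncated")
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} overruns option 82")
        if code in subs:
            raise ValueError(f"duplicate sub-option {code}")
        subs[code] = value
        i += 2 + length
    return subs


def is_malformed(opt: bytes) -> bool:
    try:
        decode_option82(opt)
        return False
    except ValueError:
        return True


def demo():
    """Constructed values: VLAN 100 on slot 1, sub-slot 0, port 1 of a device named HUAWEI."""
    hex_opt = encode_option82(circuit_id("hex", 100, 1, 0, 1), remote_id("HUAWEI"))
    ascii_opt = encode_option82(circuit_id("ascii", 100, 1, 0, 1), remote_id("HUAWEI", "teststring"))
    return hex_opt, ascii_opt, decode_option82(hex_opt), decode_option82(ascii_opt)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The decoder is the part worth copying: Option 82 is attached by the access device, but a client on an untrusted port can send its own, so any parser on the relay or server side has to bound every sub-option by the enclosing option length before trusting a byte of it.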

dhcp snooping max-user-number global (upgrade-compatible command)

Function

The dhcp snooping max-user-number global command sets the maximum number of global DHCP users.

By default, the maximum number of global DHCP users is 32768.

Format

dhcp snooping max-user-number max-user-number global

Parameters

Parameter

Description

Value

max-user-number

Specifies the maximum number of global DHCP users.

The value is an integer that ranges from 1 to 32768.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can be run when it is entered in full.

The command takes effect only when DHCP snooping is enabled globally, and the limit applies only to DHCP users. When the number of global DHCP users reaches the value set by this command, no more DHCP users can go online.

Example

# Set the maximum number of global DHCP users to 100.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping max-user-number 100 global

dhcp snooping sticky-mac (upgrade-compatible command)

Function

The dhcp snooping sticky-mac command enables the device to generate static MAC address entries based on dynamic DHCP snooping binding entries.

The undo dhcp snooping sticky-mac command disables the device from generating static MAC address entries based on dynamic DHCP snooping binding entries.

By default, the device is disabled to generate static MAC address entries based on dynamic DHCP snooping binding entries.

Format

dhcp snooping sticky-mac

undo dhcp snooping sticky-mac

Parameters

None

Views

Ethernet interface view, 40GE interface view, GE interface view, XGE interface view, port group view, Eth-trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC address entry consists of the MAC address, VLAN ID, and port number of a DHCP client. The device implements Layer 2 forwarding based on MAC address entries.

After the dhcp snooping sticky-mac command is run on an interface, the device generates static MAC address entries (snooping type) for the DHCP users on the interface from their dynamic binding entries, clears all dynamic MAC address entries on the interface, disables dynamic MAC address learning on the interface, and filters incoming frames by source MAC address against the MAC address table. From then on, only frames whose source MAC address matches a static MAC address entry pass through the interface; all other frames are discarded. The administrator therefore has to configure static MAC address entries (static type) manually for the non-DHCP users on the interface; otherwise the frames sent by those non-DHCP users are discarded. This prevents attacks from hosts that did not obtain their addresses through DHCP.
NOTE:
  • If a DHCP snooping binding entry is updated, the corresponding static MAC address entry is automatically updated.

  • If you run the dhcp snooping sticky-mac command on the interface, DHCPv6 users cannot go online. To allow DHCPv6 users to go online as well, run the nd snooping enable command in the system view and the interface view to enable ND snooping, and the savi enable command in the system view to enable SAVI.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

The dhcp snooping sticky-mac command cannot be used with the following commands on an interface.

Command

Description

dot1x enable

Enables 802.1X authentication on an interface.

mac-authen

Enables MAC address authentication on an interface.

mac-address learning disable

Disables MAC address learning on an interface.

mac-limit

Sets the maximum number of MAC addresses to be learned.

port vlan-mapping vlan map-vlan

port vlan-mapping vlan inner-vlan

Enables VLAN mapping.

port-security enable

Enables port security.

Example

# Enable the device to generate static MAC address entries based on DHCP snooping binding entries on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping sticky-mac
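The sequence the Usage Guidelines describe (snooping-type static entries generated from the bindings, dynamic entries flushed, learning stopped, frames filtered by source MAC, and the administrator's own static entries for non-DHCP hosts) as an added Python model. This is not Huawei code; the representation of the MAC table, the three entry types and the hosts in the scenario are assumptions of the example.

```python
"""Model of what 'dhcp snooping sticky-mac' does to an interface's MAC table,
as described above. Added example, not Huawei code. Assumptions not stated
on this page: the MAC table is a dict keyed by (MAC, VLAN) whose entries are
typed 'dynamic', 'snooping' (generated from a DHCP snooping binding) or
'static' (configured by the administrator); the binding table supplies
(MAC, VLAN) pairs of the DHCP clients on the interface."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Key = Tuple[str, int]                 # (MAC, VLAN)


@dataclass
class Interface:
    name: str
    mac_table: Dict[Key, str] = field(default_factory=dict)   # (mac, vlan) -> entry type
    learning: bool = True
    sticky: bool = False

    def learn(self, mac: str, vlan: int) -> None:
        """Normal dynamic learning from frame source addresses."""
        if self.learning and (mac, vlan) not in self.mac_table:
            self.mac_table[(mac, vlan)] = "dynamic"

    def add_static(self, mac: str, vlan: int) -> None:
        """What the administrator must do for non-DHCP hosts once sticky-mac is on."""
        self.mac_table[(mac, vlan)] = "static"

    def enable_sticky_mac(self, bindings: Set[Key]) -> None:
        """dhcp snooping sticky-mac: binding entries become 'snooping' static entries,
        dynamic entries are flushed, learning stops, and source MACs are filtered."""
        self.mac_table = {k: t for k, t in self.mac_table.items() if t != "dynamic"}
        for key in bindings:
            self.mac_table[key] = "snooping"
        self.learning = False
        self.sticky = True

    def binding_updated(self, old: Key, new: Key) -> None:
        """A changed DHCP snooping binding refreshes the entry generated from it."""
        if self.sticky and self.mac_table.get(old) == "snooping":
            del self.mac_table[old]
            self.mac_table[new] = "snooping"

    def ingress(self, src_mac: str, vlan: int) -> str:
        """Forwarding decision for a frame with this source MAC and VLAN."""
        if not self.sticky:
            self.learn(src_mac, vlan)
            return "forward"
        return "forward" if (src_mac, vlan) in self.mac_table else "drop"


def demo():
    """Constructed port: two DHCP clients, a printer with a fixed address, an attacker."""
    port = Interface("GE1/0/1")
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:66", "00:50:56:00:00:01", "de:ad:be:ef:00:01"):
        port.ingress(mac, 100)                                  # everyone is learned before sticky-mac
    before = dict(port.mac_table)
    port.enable_sticky_mac({("00:11:22:33:44:55", 100), ("00:11:22:33:44:66", 100)})
    verdicts = {
        "dhcp_client": port.ingress("00:11:22:33:44:55", 100),
        "printer_before_static": port.ingress("00:50:56:00:00:01", 100),   # dropped: not a DHCP user
        "attacker": port.ingress("de:ad:be:ef:00:01", 100),
    }
    port.add_static("00:50:56:00:00:01", 100)
    verdicts["printer_after_static"] = port.ingress("00:50:56:00:00:01", 100)
    port.binding_updated(("00:11:22:33:44:66", 100), ("00:11:22:33:44:66", 200))
    verdicts["client_after_vlan_change"] = port.ingress("00:11:22:33:44:66", 100)
    return before, dict(port.mac_table), verdicts


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The printer case is the operational trap the Usage Guidelines warn about: a host that never went through DHCP is cut off the moment sticky-mac is enabled, until its static entry is added.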

dhcp snooping trusted interface no-user-binding (upgrade-compatible command)

Function

The dhcp snooping trusted interface no-user-binding command configures a trusted interface.

The undo dhcp snooping trusted interface no-user-binding command deletes a trusted interface.

By default, no trusted interface is configured.

Format

dhcp snooping trusted interface interface-type interface-number no-user-binding

undo dhcp snooping trusted interface interface-type interface-number no-user-binding

Parameters

Parameter

Description

Value

interface-type interface-number

Specifies the type and number of an interface.

-

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

You can use the dhcp snooping trusted interface no-user-binding command to configure a trusted interface in the VLAN view.

Before using this command:
  • Enable DHCP snooping globally.
  • Add the interface to a VLAN.

This command can only be used during a configuration restoration.

Example

# Configure a trusted interface GE1/0/1 in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping trusted interface gigabitethernet 1/0/1 no-user-binding 

dhcp snooping trusted no-user-binding (upgrade-compatible command)

Function

The dhcp snooping trusted no-user-binding command configures an interface as the trusted interface.

The undo dhcp snooping trusted no-user-binding command restores the default state of an interface.

By default, no trusted interface is configured.

Format

dhcp snooping trusted no-user-binding

undo dhcp snooping trusted no-user-binding

Parameters

None

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

When DHCP snooping is enabled on an interface, the interface is an untrusted interface by default. After you use the dhcp snooping trusted no-user-binding command in the interface view, the interface becomes a trusted interface.

This command can only be used during a configuration restoration.

Example

# Configure a trusted interface GE1/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted no-user-binding

static-bind ip-address (upgrade-compatible command)

Function

Using the static-bind ip-address command, you can bind an IP address in a global address pool on the DHCP server.

By default, no IP address in a global address pool on the DHCP server is bound.

Format

static-bind ip-address ip-address [ mask { mask | mask-length } ]

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address to be bound.

The value is in dotted decimal notation.

mask mask

Specifies a subnet mask.

The value is in dotted decimal notation.

mask mask-length

Specifies the mask length.

The value is an integer that ranges from 0 to 32.

Views

IP address pool view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

IP Source Guard Compatible Commands

ip anti-attack source-ip equals destinetion-ip drop (upgrade-compatible command)

Function

The ip anti-attack source-ip equals destinetion-ip drop command enables the device to discard IP packets with the same source and destination IP addresses.

The undo ip anti-attack source-ip equals destinetion-ip drop command disables the device from discarding IP packets with the same source and destination IP addresses.

By default, the device does not discard IP packets with the same source and destination IP addresses.

Format

ip anti-attack source-ip equals destinetion-ip drop { all | slot slot-id }

undo ip anti-attack source-ip equals destinetion-ip drop { all | slot slot-id }

Parameters

Parameter

Description

Value

all

Indicates all boards, including MPUs and LPUs.

-

slot slot-id

Specifies the slot ID.

Set the value according to the device configuration.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Normally, IP packets whose source and destination IP addresses are identical are forwarded. Such packets rarely occur in legitimate traffic and are the signature of the LAND denial-of-service attack; once you have determined that they are attack packets, run the ip anti-attack source-ip equals destinetion-ip drop command so that the device discards them. Note that the keyword is spelled destinetion-ip in this upgrade-compatible command and must be entered as shown.

Example

# Enable the device to discard IP packets with the same source and destination IP addresses.

<HUAWEI> system-view
[HUAWEI] ip anti-attack source-ip equals destinetion-ip drop all

ip source check user-bind check-item (interface view) (upgrade-compatible command)

Function

The ip source check user-bind check-item command configures the items in an IP packet to be checked.

The undo ip source check user-bind check-item command restores the default items in an IP packet to be checked.

Format

ip source check user-bind check-item { ipv6-address | mac-address | vlan }*

undo ip source check user-bind check-item

Parameters

Parameter Description Value
ipv6-address Checks whether the IPv6 address of an IP packet matches the binding table. -
mac-address Checks whether the source MAC address of an IP packet matches a binding entry. -
vlan Checks whether the VLAN ID of an IP packet matches a binding entry. -

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

This command is valid only after the IP source guard function is enabled on the interface by the ip source check user-bind enable command.

After enabling the IP source guard function, you can run this command to configure the items in an IP packet to be checked.

If a large number of binding entries exist, wait for a period to obtain the command output.

NOTE:

This command is valid only for dynamic binding entries.

Example

# Enable the IP source guard function on the GE1/0/1, and check whether the IPv6 address of the IP packet matches the binding table.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet1/0/1] ip source check user-bind check-item ipv6-address
Info: Change permit rule for dynamic snooping bind-table, please wait a minute!done. 

ip source check user-bind check-item (VLAN view) (upgrade-compatible command)

Function

The ip source check user-bind check-item command configures the items in an IP packet to be checked in a VLAN.

The undo ip source check user-bind check-item command restores the default items in an IP packet to be checked.

Format

ip source check user-bind check-item ipv6-address

undo ip source check user-bind check-item

Parameters

Parameter Description Value
ipv6-address Checks whether the IPv6 address of an IP packet matches the binding table. -

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

This command is valid only after the IP source guard function is enabled in the VLAN by the ip source check user-bind enable command.

After enabling the IP source guard function, you can run this command to configure the items in an IP packet to be checked.

If a large number of binding entries exist, wait for a period to obtain the command output.

NOTE:

This command is valid only for dynamic binding entries.

Example

# Enable the IP source guard function in VLAN 100, and check whether the IPv6 address of the IP packet matches the binding table.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] ip source check user-bind enable
[HUAWEI-vlan100] ip source check user-bind check-item ipv6-address
Info: Change permit rule for dynamic snooping bind-table, please wait a minute!done. 
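As an added example that is not Huawei code, the following Python models the check items of the interface-view and VLAN-view commands above together with the same-source-and-destination drop from the ip anti-attack command earlier in this section. The way static bindings are matched, the always-checked ingress interface and IPv4 source address, and all binding and packet values are assumptions of the example.

```python
"""Model of IP source guard with configurable check items, plus the
same-source-and-destination-address drop from the section above. Added
example, not Huawei code. Assumptions not stated on this page: a binding
carries (ip, mac, vlan, interface) and is either dynamic (from DHCP snooping)
or static; the check items ipv6-address, mac-address and vlan apply to
dynamic bindings only, as the note above says, while a static binding is
matched on every field it carries; the ingress interface and an IPv4 source
address are always matched, and an IPv6 source only when ipv6-address is a
check item."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set

ALL_ITEMS = {"ipv6-address", "mac-address", "vlan"}


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    dynamic: bool = True


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    vlan: int
    interface: str


class SourceGuard:
    def __init__(self, bindings: Iterable[Binding], check_items: Iterable[str] = (),
                 drop_src_equals_dst: bool = False):
        self.bindings: List[Binding] = list(bindings)
        self.check_items: Set[str] = set(check_items)
        if not self.check_items <= ALL_ITEMS:
            raise ValueError("unknown check item")
        self.drop_src_equals_dst = drop_src_equals_dst      # ip anti-attack ... drop

    def _matches(self, b: Binding, p: Packet) -> bool:
        items = self.check_items if b.dynamic else ALL_ITEMS
        if b.interface != p.interface:
            return False
        src, bound = ipaddress.ip_address(p.src_ip), ipaddress.ip_address(b.ip)
        if src.version != bound.version:
            return False
        if (src.version == 4 or "ipv6-address" in items) and src != bound:
            return False
        if "mac-address" in items and b.mac.lower() != p.src_mac.lower():
            return False
        if "vlan" in items and b.vlan != p.vlan:
            return False
        return True

    def verdict(self, p: Packet) -> str:
        if self.drop_src_equals_dst and ipaddress.ip_address(p.src_ip) == ipaddress.ip_address(p.dst_ip):
            return "drop:src-equals-dst"
        if any(self._matches(b, p) for b in self.bindings):
            return "forward"
        return "drop:no-binding"


def demo():
    """Constructed bindings on GE1/0/1 and packets that probe each check item."""
    mac = "00:11:22:33:44:55"
    bindings = [
        Binding("10.0.0.7", mac, 100, "GE1/0/1"),
        Binding("2001:db8::7", mac, 100, "GE1/0/1"),
        Binding("10.0.0.8", "00:11:22:33:44:66", 100, "GE1/0/1", dynamic=False),
    ]
    loose = SourceGuard(bindings, check_items=("ipv6-address",), drop_src_equals_dst=True)
    strict = SourceGuard(bindings, check_items=ALL_ITEMS, drop_src_equals_dst=True)
    legit = Packet("10.0.0.7", "10.0.0.1", mac, 100, "GE1/0/1")
    mac_spoof = Packet("10.0.0.7", "10.0.0.1", "aa:bb:cc:dd:ee:ff", 100, "GE1/0/1")
    v6_ok = Packet("2001:DB8:0:0:0:0:0:7", "2001:db8::1", mac, 100, "GE1/0/1")   # same address, other spelling
    v6_bad = Packet("2001:db8::9", "2001:db8::1", mac, 100, "GE1/0/1")
    static_wrong_vlan = Packet("10.0.0.8", "10.0.0.1", "00:11:22:33:44:66", 200, "GE1/0/1")
    land = Packet("10.0.0.7", "10.0.0.7", mac, 100, "GE1/0/1")
    return {
        "legit": loose.verdict(legit),
        "mac_spoof_loose": loose.verdict(mac_spoof),     # passes: mac-address is not a check item
        "mac_spoof_strict": strict.verdict(mac_spoof),
        "v6_ok": loose.verdict(v6_ok),
        "v6_bad": loose.verdict(v6_bad),
        "static_wrong_vlan": loose.verdict(static_wrong_vlan),
        "land": loose.verdict(land),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The mac_spoof pair is the reason to think about which check items to configure: with only the address checked, a host that spoofs a neighbour's IP but keeps its own MAC is still forwarded, and only the mac-address item closes that gap. Addresses are compared through the ipaddress module so that an IPv6 source written with a different spelling still matches its binding.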

Keychain Upgrade-compatible Commands

receive-time (upgrade-compatible command)

Function

The receive-time command makes a key act as a receive-key for the specified interval of time.

The undo receive-time command deletes the receive-time configuration.

By default, no receive-time is configured.

Format

receive-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

Parameters

Parameter Description Value
utc Specifies that the given time is in Coordinated Universal Time (UTC) format. -
start-time Specifies the start receive time. In HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the receive time in minutes. The value ranges from 1 to 26280000.
infinite Specifies that the key acts as an active receive key indefinitely from the configured start-time. -
to Acts as a separator. -
end-time Specifies the end receive time. In HH:MM format. The value ranges from 00:00 to 23:59. The end-time should be greater than the start-time.
end-date Specifies the end date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.

Views

key-id view

Default Level

2: Configuration Level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

It is replaced by the receive-time start-time start-date { duration { duration-value | infinite } | { to end-time end-date } } command.

send-time (upgrade-compatible command)

Function

The send-time command makes a key act as a send key for the specified interval of time.

The undo send-time command deletes the send-time configuration.

By default, no send-time is configured.

Format

send-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

Parameters

Parameter Description Value
utc Specifies that the given time is in Coordinated Universal Time (UTC) format. -
start-time Specifies the start send time. In HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the send time in minutes. The value ranges from 1 to 26280000.
infinite Specifies that the key will be acting as a send key forever from the configured start-time. -
to Acts as a separator. -
end-time Specifies the end send time. In HH:MM format. The value ranges from 00:00 to 23:59. The end-time should be greater than the start-time.
end-date Specifies the end date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
daily Specifies the daily send timing for the given key. -

Views

Key-ID view

Default Level

2: Configuration Level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

It is replaced by the send-time start-time start-date { duration { duration-value | infinite } | { to end-time end-date } } command.
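An added example, not Huawei code: Python that evaluates send-time and receive-time windows written in the syntax of the two commands above and checks that a two-key rollover leaves no instant without a usable send key. The UTC interpretation, the half-open windows and the rollover rule (exactly one active send key, which must also be inside a receive window) are assumptions of the example, as are the dates in the sample chain.

```python
"""Keychain send-time and receive-time windows, in the syntax of the two
commands above, and a rollover check. Added example, not Huawei code.
Assumptions not stated on this page: all times are UTC as the utc keyword
requires; a window is half-open (active from start-time up to, not including,
end-time); a sound rollover has exactly one send key active at every instant
and that key also inside some receive window."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_DURATION_MINUTES = 26280000          # upper bound from the parameter table above


def parse_instant(hhmm: str, ymd: str) -> datetime:
    """'HH:MM' and 'YYYY-MM-DD' as typed on the CLI, interpreted as UTC."""
    return datetime.strptime(f"{ymd} {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Window:
    start: datetime
    end: Optional[datetime]               # None means 'duration infinite'

    @classmethod
    def from_cli(cls, *words: str) -> "Window":
        """Takes the tokens that follow 'send-time utc' or 'receive-time utc'."""
        start = parse_instant(words[0], words[1])
        if words[2] == "duration":
            if words[3] == "infinite":
                return cls(start, None)
            minutes = int(words[3])
            if not 1 <= minutes <= MAX_DURATION_MINUTES:
                raise ValueError("duration out of range")
            return cls(start, start + timedelta(minutes=minutes))
        if words[2] == "to":
            end = parse_instant(words[3], words[4])
            if end <= start:
                raise ValueError("end-time must be later than start-time")
            return cls(start, end)
        raise ValueError(f"unexpected token {words[2]!r}")

    def active(self, at: datetime) -> bool:
        return self.start <= at and (self.end is None or at < self.end)


def window_is_valid(*words: str) -> bool:
    try:
        Window.from_cli(*words)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Key:
    key_id: int
    send: Window
    receive: Window


def send_keys(chain: List[Key], at: datetime) -> List[int]:
    return [k.key_id for k in chain if k.send.active(at)]


def receive_keys(chain: List[Key], at: datetime) -> List[int]:
    return [k.key_id for k in chain if k.receive.active(at)]


def check_rollover(chain: List[Key], instants: List[datetime]) -> Dict[str, List[datetime]]:
    """Instants with no send key, several send keys, or a send key the receive side would reject."""
    problems: Dict[str, List[datetime]] = {"no_send_key": [], "ambiguous_send_key": [], "send_not_receivable": []}
    for at in instants:
        s = send_keys(chain, at)
        if not s:
            problems["no_send_key"].append(at)
        elif len(s) > 1:
            problems["ambiguous_send_key"].append(at)
        elif s[0] not in receive_keys(chain, at):
            problems["send_not_receivable"].append(at)
    return problems


def demo():
    """Constructed two-key chain: key 2 takes over sending at 00:00 on 2024-02-01 UTC;
    the receive windows overlap by an hour on each side so clock skew does not drop packets."""
    chain = [
        Key(1, Window.from_cli("00:00", "2024-01-01", "to", "00:00", "2024-02-01"),
               Window.from_cli("00:00", "2024-01-01", "to", "01:00", "2024-02-01")),
        Key(2, Window.from_cli("00:00", "2024-02-01", "duration", "infinite"),
               Window.from_cli("23:00", "2024-01-31", "duration", "infinite")),
    ]
    probes = [parse_instant(t, d) for t, d in
              (("23:30", "2024-01-31"), ("00:30", "2024-02-01"), ("02:00", "2024-02-01"))]
    good = check_rollover(chain, probes)
    # Misconfiguration: key 2 starts sending an hour late, so for an hour nothing can be sent.
    late = [chain[0], Key(2, Window.from_cli("01:00", "2024-02-01", "duration", "infinite"), chain[1].receive)]
    bad = check_rollover(late, probes)
    return chain, probes, good, bad
```

The receive windows deliberately extend beyond the send windows on both sides: a peer whose clock is slightly off will still be sending with key 1 just after the switchover, and must still be accepted. The second chain in demo() shows the opposite mistake, a gap between the send windows, which check_rollover reports as an instant with no send key.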

PKI Compatible Commands

fingerprint (upgrade-compatible command)

Function

The fingerprint command configures the CA certificate fingerprint used in CA certificate authentication.

The undo fingerprint command deletes the CA certificate fingerprint used in CA certificate authentication.

By default, no CA certificate fingerprint is configured for CA certificate authentication.

Format

fingerprint sha2 fingerprint

undo fingerprint

Parameters

Parameter Description Value
sha2 Sets the digital fingerprint algorithm to SHA-2. -
fingerprint

Specifies the digital fingerprint value.

This value needs to be obtained from the CA server offline. For example, from a CA server running Windows Server 2008, you can obtain the digital fingerprint at http://host:port/certsrv/mscep_admin/, in which host indicates the server's IP address and port indicates the port number.

The digital fingerprint value is a hexadecimal string of case-insensitive characters.

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.
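What the configured fingerprint is for: before trusting the CA certificate it retrieved through SCEP, the device hashes the certificate and compares the digest with the value obtained out of band from the CA server. The following Python is an added example of that check, not Huawei code; it assumes that sha2 here means SHA-256 over the DER encoding of the certificate, accepts the configured fingerprint with or without colons and in either case (the page states the value is case-insensitive), and hashes constructed filler bytes in PEM armour rather than a real certificate.

```python
"""Verify a CA certificate against an out-of-band fingerprint, the check the
'fingerprint sha2' setting above makes the device perform before trusting the
CA it fetched over SCEP. Added example, not Huawei code. Assumptions not stated
on this page: 'sha2' is SHA-256 over the DER certificate; the configured value
may contain colons or spaces and may be upper- or lower-case; SAMPLE_PEM below
is constructed filler, not a real X.509 certificate."""
import base64
import hashlib
import hmac
import re


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body; anything else is rejected."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Lower-case hex digest, the canonical form used for comparison."""
    return hashlib.sha256(der).hexdigest()


def normalise_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..'; refuse anything that is not 64 hex digits."""
    cleaned = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("fingerprint is not a 64-digit SHA-256 hex string")
    return cleaned


def ca_fingerprint_matches(pem: str, configured: str) -> bool:
    """True only if the certificate hashes to the configured value; hmac.compare_digest
    keeps the comparison time independent of where the first mismatching digit is."""
    actual = sha256_fingerprint(pem_to_der(pem))
    return hmac.compare_digest(actual, normalise_fingerprint(configured))


# Constructed stand-in for a CA certificate: 512 filler bytes in PEM armour, not a real X.509 object.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(bytes(range(256)) * 2).decode()
    + "-----END CERTIFICATE-----\n"
)


def demo():
    """Fingerprint of the sample, then a match in colon-separated upper-case form and a mismatch."""
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    colon_form = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()
    return fp, ca_fingerprint_matches(SAMPLE_PEM, colon_form), ca_fingerprint_matches(SAMPLE_PEM, "00" * 32)


if __name__ == "__main__":
    print(demo())
```

Normalising before comparing matters because the value copied from the CA's web page is usually colon-separated and upper-case, while hashlib produces lower-case hex with no separators; comparing the raw strings would reject a correct fingerprint. Refusing anything that does not normalise to exactly 64 hex digits also catches a SHA-1 value pasted by mistake.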

password (upgrade-compatible command)

Function

The password command sets the challenge password used for certificate application through SCEP, which is also used to revoke a certificate.

The undo password command deletes the challenge password used for certificate application through SCEP.

By default, no challenge password is configured.

Format

password simple password

undo password

Parameters

Parameter Description Value
simple password Specifies the challenge password used for certificate application through SCEP. The password is displayed in plain text. -

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

usage (upgrade-compatible command)

Function

The usage command configures the purpose description for a certificate public key.

By default, a certificate public key does not have a purpose description.

Format

usage { ike | ssl-client | ssl-server } *

Parameters

Parameter

Description

Value

ike

Specifies the usage of a key as ike. That is, the key is used to set up an IPSec tunnel.

-

ssl-client

Specifies the usage of a key as ssl-client. That is, the key is used by the SSL client to set up an SSL session.

-

ssl-server

Specifies the usage of a key as ssl-server. That is, the key is used by the SSL server to set up an SSL session.

-

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

After the upgrade, this command is no longer supported, and it is replaced by the key-usage { ike | ssl-client | ssl-server } * command.

Updated: 2019-10-18

Document ID: EDOC1000178288