S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Security Compatible Commands

ACL Compatible Commands

assign acl-mode (upgrade-compatible command)

Function

The assign acl-mode command sets the ACL resource allocation mode on an interface card.

The undo assign acl-mode command restores the default ACL resource allocation mode on an interface card.

By default, the ACL resource allocation mode is 0.

Format

assign acl-mode mode-id slot slot-id

undo assign acl-mode slot slot-id

Parameters

Parameter Description Value
mode-id Specifies an ACL resource allocation mode. The value is an integer that ranges from 0 to 4.
  • 0. Dual IPV4 and IPV6: configures the IPv4 and IPv6 ACL resource allocation mode.
  • 1. L2 IPV4: configures the Layer 2 IPv4 ACL resource allocation mode.
  • 2. L2 IPV6: configures the Layer 2 IPv6 ACL resource allocation mode.
  • 3. L2: configures the Layer 2 ACL resource allocation mode.
  • 4. IPV4: configures the IPv4 ACL resource allocation mode.
slot slot-id Specifies the slot ID of an interface card. The value is an integer. The value range depends on the device configuration.

Views

System view

Default Level

3: Management level

Usage Guidelines

If the default number of ACLs for IPv4, IPv6, or Layer 2 services cannot meet service requirements, you can change the ACL resource allocation mode to increase the number of ACLs for the services.

When services on a device change, the requirements for ACLs also change, and you can change the ACL resource allocation mode accordingly. Before using this command to change the ACL resource allocation mode, consider the advantages and disadvantages of the change. For example, if the ACL resource allocation mode is changed from 0 (Dual IPV4 and IPV6) to 4 (IPV4), more ACLs are supported for IPv4 services, but the number of ACLs for IPv6 and VLAN services drops to 0.

The ACL resource allocation mode takes effect only after the interface card is reset.

Example

# Change the ACL resource allocation mode on the X1E interface card in slot 10 to mode 3.

<HUAWEI> system-view
[HUAWEI] assign acl-mode 3 slot 10 

Local Attack Defense Compatible Commands

deny (upgrade-compatible command)

Function

The deny command sets the discard action taken for packets sent to the CPU.

The undo deny command restores the default action taken for packets sent to the CPU.

By default, the device limits the rate of protocol packets and user-defined flows based on the CAR configuration.

Format

deny packet-type hotlimit

deny packet-type nac-arp

deny packet-type nac-dhcp

undo deny packet-type hotlimit

undo deny packet-type nac-arp

undo deny packet-type nac-dhcp

Parameters

Parameter Description Value
packet-type hotlimit Discards hop-limit packets. -
packet-type nac-arp Discards nac-arp packets. -
packet-type nac-dhcp Discards nac-dhcp packets. -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

If you run the deny and car commands for the same type of packets sent to the CPU, the command that runs later takes effect. The undo deny command restores the default action taken for packets sent to the CPU. After you run this command, the system limits the rate of packets sent to the CPU based on the configured CIR and CBS values.

Example

# Set the discard action taken for bpdu packets sent to the CPU in attack defense policy test.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test 
[HUAWEI-cpu-defend-policy-test] deny packet-type bpdu

whitelist (upgrade-compatible command)

Function

The whitelist command configures an ACL-based whitelist.

By default, no whitelist is configured.

Format

whitelist acl acl-number { acl-number } &<1-4>

Parameters

Parameter Description Value
acl-number Indicates the ACL ID. The ACL referenced by a whitelist on the device can be a basic ACL, an advanced ACL, or a Layer 2 ACL. The value is an integer that ranges from 2000 to 4999.

Views

System view, Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

A maximum of 8 whitelists can be configured in an attack defense policy on the device. You can set the attributes of a whitelist by defining ACL rules.

Packets from whitelisted users that reach the device are sent with a higher priority and at a higher rate. Valid users who access the system normally and high-priority users can be added to the whitelist.

Example

# Reference ACL 2002 in the whitelist.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] whitelist acl 2002

queue packet-type vrrp (upgrade-compatible command)

Function

The queue packet-type vrrp command sets the queue number for VRRP packets sent to the CPU.

The undo queue packet-type vrrp command restores the default queue number for VRRP packets sent to the CPU.

By default, the queue number for VRRP packets sent to the CPU is 6.

Format

queue packet-type vrrp queue-value

undo queue packet-type vrrp

Parameters

Parameter Description Value
queue-value Specifies the queue number of the CPU that VRRP packets are sent to. The value is 5 or 7.

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before packets are sent to the CPU, they enter CPU queues and are scheduled there. The CPU then processes them. The scheduling mode of a queue and the queue that packets enter determine the priority with which the packets are processed. To flexibly set the scheduling priority of packets sent to the CPU, you can set the queue number for protocol packets sent to the CPU. A greater queue number indicates a higher priority for protocol packets sent to the CPU.

Precautions

If the queue number for VRRP packets sent to the CPU has been configured in a version earlier than V200R010, the queue number is unchanged after the version is upgraded to V200R010 or later. If the queue number is not configured in a version earlier than V200R010, the default queue number is changed from 7 to 6 after the upgrade.

In V200R010 and later versions, you can only run the undo queue packet-type vrrp command to restore the default queue number for VRRP packets, but cannot reset the queue number.

Example

# Restore the default queue number for VRRP packets sent to the CPU.

<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] undo queue packet-type vrrp

Traffic Suppression Compatible Commands

storm-control action (upgrade-compatible command)

Function

The storm-control action command sets the storm control action to shutdown.

The undo storm-control action command cancels the configuration.

By default, no storm control action is configured.

Format

storm-control action shutdown

undo storm-control action

Parameters

Parameter Description Value
shutdown Shuts down an interface. -

Views

40GE interface view, GE interface view, XGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

This command is available to aid upgrade compatibility. It can be run when it is entered in full.

It is replaced by the storm-control action error-down command.

Example

# Set the storm control action to shutdown on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] storm-control action shutdown

Keychain Upgrade-compatible Commands

receive-time (upgrade-compatible command)

Function

The receive-time command makes a key act as a receive-key for the specified interval of time.

The undo receive-time command deletes the receive-time configuration.

By default, no receive-time is configured.

Format

receive-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

Parameters

Parameter Description Value
utc Specifies that the given time is in Coordinated Universal Time (UTC) format. -
start-time Specifies the start receive time. In HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the receive time in minutes. The value ranges from 1 to 26280000.
infinite Specifies that the key acts as an active receive key forever from the configured start-time. -
to Acts as a separator. -
end-time Specifies the end receive time. In HH:MM format. The value ranges from 00:00 to 23:59. The end-time should be greater than the start-time.
end-date Specifies the end date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.

Views

key-id view

Default Level

2: Configuration Level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

It is replaced by the receive-time start-time start-date { duration { duration-value | infinite } | { to end-time end-date } } command.

send-time (upgrade-compatible command)

Function

The send-time command makes a key act as a send key for the specified interval of time.

By default, no send-time is configured.

Format

send-time utc start-time start-date { duration { duration-value | infinite } | { to end-time end-date } }

Parameters

Parameter Description Value
utc Specifies that the given time is in Coordinated Universal Time (UTC) format. -
start-time Specifies the start send time. In HH:MM format. The value ranges from 00:00 to 23:59.
start-date Specifies the start date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
duration duration-value Specifies the duration of the send time in minutes. The value ranges from 1 to 26280000.
infinite Specifies that the key acts as a send key forever from the configured start-time. -
to Acts as a separator. -
end-time Specifies the end send time. In HH:MM format. The value ranges from 00:00 to 23:59. The end-time should be greater than the start-time.
end-date Specifies the end date. In YYYY-MM-DD format. The value ranges from 1970-01-01 to 2050-12-31.
daily Specifies the daily send timing for the given key. -

Views

Key-ID view

Default Level

2: Configuration Level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

It is replaced by the send-time start-time start-date { duration { duration-value | infinite } | { to end-time end-date } } command.
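
The following validator for the receive-time and send-time lines described above is an added example, not code from the original document or from Huawei. It parses the utc form given in the Format lines and enforces the value ranges from the two parameter tables. Assumptions: the function and constant names are made up here, the end-time rule is checked on the full date and time, and the daily keyword listed in the send-time table is rejected because the Format line does not include it.

```python
import re
from datetime import datetime, timedelta

# Grammar taken from the Format lines on this page:
# (receive|send)-time utc start-time start-date { duration { N | infinite } | to end-time end-date }
LINE = re.compile(
    r"^(receive|send)-time utc (\d{2}:\d{2}) (\d{4}-\d{2}-\d{2}) "
    r"(?:duration (\d+|infinite)|to (\d{2}:\d{2}) (\d{4}-\d{2}-\d{2}))$"
)
MIN_DATE, MAX_DATE = datetime(1970, 1, 1), datetime(2050, 12, 31, 23, 59)
MAX_MINUTES = 26280000  # upper bound of duration-value in the parameter tables


def _stamp(hhmm, date):
    # strptime rejects 24:00, month 13 and the like; the range check applies the page's dates
    ts = datetime.strptime(f"{date} {hhmm}", "%Y-%m-%d %H:%M")
    if not MIN_DATE <= ts <= MAX_DATE:
        raise ValueError(f"date outside 1970-01-01..2050-12-31: {date}")
    return ts


def parse_key_time(line):
    """Return (direction, start, end); end is None for an infinite key."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid receive-time/send-time utc line: {line!r}")
    direction, s_time, s_date, duration, e_time, e_date = m.groups()
    start = _stamp(s_time, s_date)
    if duration == "infinite":
        return direction, start, None
    if duration is not None:
        minutes = int(duration)
        if not 1 <= minutes <= MAX_MINUTES:
            raise ValueError(f"duration out of range 1..{MAX_MINUTES}: {minutes}")
        return direction, start, start + timedelta(minutes=minutes)
    end = _stamp(e_time, e_date)
    if end <= start:  # assumption: compared as full date and time, not time of day alone
        raise ValueError("end must be later than start")
    return direction, start, end
```

An end value of None marks a key configured with infinite, which is worth listing separately when reviewing key rotation in a restored configuration.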

PKI Compatible Commands

fingerprint (upgrade-compatible command)

Function

The fingerprint command configures the CA certificate fingerprint used in CA certificate authentication.

The undo fingerprint command deletes the CA certificate fingerprint used in CA certificate authentication.

By default, no CA certificate fingerprint is configured for CA certificate authentication.

Format

fingerprint sha2 fingerprint

undo fingerprint

Parameters

Parameter Description Value
sha2 Sets the digital fingerprint algorithm to SHA1. -
fingerprint Specifies the digital fingerprint value. This value needs to be obtained from the CA server offline. For example, from a CA server running Windows Server 2008, you can obtain the digital fingerprint at http://host:port/certsrv/mscep_admin/, in which host indicates the server's IP address and port indicates the port number. The digital fingerprint value is a hexadecimal string of case-insensitive characters.

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

password (upgrade-compatible command)

Function

The password command sets the challenge password used for certificate application through SCEP, which is also used to revoke a certificate.

The undo password command deletes the challenge password used for certificate application through SCEP.

By default, no challenge password is configured.

Format

password simple password

undo password

Parameters

Parameter Description Value
simple password Specifies the challenge password used for certificate application through SCEP. The password is displayed in plain text. -

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

usage (upgrade-compatible command)

Function

The usage command configures the purpose description for a certificate public key.

By default, a certificate public key does not have a purpose description.

Format

usage { ike | ssl-client | ssl-server } *

Parameters

Parameter Description Value
ike Specifies the usage of a key as ike. That is, the key is used to set up an IPSec tunnel. -
ssl-client Specifies the usage of a key as ssl-client. That is, the key is used by the SSL client to set up an SSL session. -
ssl-server Specifies the usage of a key as ssl-server. That is, the key is used by the SSL server to set up an SSL session. -

Views

PKI realm view

Default Level

3: Management level

Usage Guidelines

This command is available to aid upgrade compatibility. It can only be run during the configuration restoration phase of the upgrade.

After the upgrade, this command is no longer supported, and it is replaced by the key-usage { ike | ssl-client | ssl-server } * command.
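
The following audit of a saved configuration is an added example, not part of the original document or Huawei tooling. It reports the upgrade-compatible forms from the traffic suppression, keychain and PKI sections above, together with the replacement each Usage Guidelines section names. Assumptions: the sample configuration is constructed, the view header commands and one-space-per-level indentation reflect a typical saved configuration, and example-view is a made-up view used to show that usage is only reported inside a PKI realm.

```python
import re
# (enclosing-view prefix, command pattern, finding); findings restate this page only.
RULES = [
    ("interface ", r"storm-control action shutdown$",
     "replaced by storm-control action error-down"),
    ("key-id ", r"(receive|send)-time utc ",
     "replaced by the same command without the utc keyword"),
    ("pki realm ", r"usage (ike|ssl-client|ssl-server)\b",
     "replaced by key-usage { ike | ssl-client | ssl-server } *"),
    ("pki realm ", r"password simple ",
     "challenge password in plain text; page names no replacement"),
    ("pki realm ", r"fingerprint sha2 ",
     "upgrade-compatible only; page names no replacement"),
]

# Constructed sample; view headers, indentation and "example-view" are assumptions.
SAMPLE = """\
interface GigabitEthernet1/0/1
 storm-control action shutdown
#
keychain kc1 mode absolute
 key-id 1
  receive-time utc 08:00 2019-04-09 duration infinite
pki realm r1
 password simple Example-Only-123
 usage ike ssl-client
example-view other
 usage ike
"""

def audit(config_text):
    """Return (line_no, view, command, finding) per upgrade-compatible command."""
    findings, stack = [], []  # stack: (indent, command) of the enclosing views
    for no, raw in enumerate(config_text.splitlines(), 1):
        cmd = raw.strip()
        if not cmd or cmd.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        view = stack[-1][1] if stack else ""
        for parent, pattern, finding in RULES:
            if view.startswith(parent) and re.match(pattern, cmd):
                # never copy the challenge password into the report
                shown = "password simple <redacted>" if "password" in pattern else cmd
                findings.append((no, view, shown, finding))
        stack.append((indent, cmd))
    return findings
```

Calling audit(SAMPLE) reports lines 2, 6, 8 and 9 and skips the usage line under example-view.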

Updated: 2019-04-09

Document ID: EDOC1100065659
